project-devkit 2.0.0

package/plugins/docker/index.mjs

@@ -0,0 +1,42 @@
+import chalk from 'chalk';
+
+function handleError(e) {
+  console.error(`Error: ${e.message}`);
+  process.exit(1);
+}
+
+/**
+ * Register docker plugin commands.
+ * @param {import('commander').Command} program
+ * @param {object} context
+ */
+export function register(program, { config, utils, projectRoot, devkitRoot }) {
+  const dockerCmd = program
+    .command('docker')
+    .description(config.description || 'Docker environment management');
+
+  dockerCmd
+    .command('setup')
+    .description('Create required Docker networks (external networks from compose)')
+    .action(() => {
+      try {
+        const composeFile = config.compose_file || 'docker-compose.dev.yml';
+        const networks = utils.getComposeExternalNetworks(projectRoot, composeFile);
+        if (networks.length === 0) {
+          console.log('No external networks found in compose file.');
+          return;
+        }
+        const created = utils.ensureDockerNetworks(projectRoot, composeFile);
+        for (const net of networks) {
+          if (created.includes(net)) {
+            console.log(chalk.green(`  Created network: ${net}`));
+          } else {
+            console.log(`  Network exists: ${net}`);
+          }
+        }
+        console.log(chalk.green('Done!'));
+      } catch (e) {
+        handleError(e);
+      }
+    });
+}

package/plugins/env/config.yml

@@ -0,0 +1,40 @@
+name: env
+description: Manage .env files from examples + Infisical secrets
+
+# Infisical configuration — override in .devkit.d/env.yml
+infisical:
+  project_id: ~
+  site_url: ~
+  client_id_env: INFISICAL_UNIVERSAL_AUTH_CLIENT_ID
+  client_secret_env: INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET
+
+# Subprojects — override in .devkit.d/env.yml
+# Example:
+#   subprojects:
+#     myproject:
+#       path: .
+#       variants: [inner, outer]
+#       config_dir: config
+#       infisical_path: "/{project}/{variant}"
+subprojects: {}
+
+# Servers for deploy command — override in .devkit.d/env.yml
+# Example:
+#   servers:
+#     test:
+#       ssh: user@host
+#       projects_path: /opt/projects
+#       confirm: false
+#     stage:
+#       ssh: user@host
+#       projects_path: /opt/projects
+#       confirm: true
+servers: {}
+
+# Containers for deploy — override in .devkit.d/env.yml
+# Example:
+#   containers:
+#     myproject:
+#       inner: container-inner
+#       outer: container-outer
+containers: {}

package/plugins/env/env.mjs

@@ -0,0 +1,249 @@
+import { resolve } from 'path';
+import { existsSync, readFileSync, copyFileSync, writeFileSync } from 'fs';
+import { execSync } from 'child_process';
+import chalk from 'chalk';
+
+/**
+ * Get Infisical credentials from config + environment variables.
+ */
+function getInfisicalCredentials(config) {
+  const infisical = config.infisical || {};
+  const clientIdEnv = infisical.client_id_env || 'INFISICAL_UNIVERSAL_AUTH_CLIENT_ID';
+  const clientSecretEnv = infisical.client_secret_env || 'INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET';
+
+  return {
+    siteUrl: infisical.site_url,
+    projectId: infisical.project_id,
+    clientId: process.env[clientIdEnv],
+    clientSecret: process.env[clientSecretEnv],
+  };
+}
+
+function hasInfisical(config) {
+  const creds = getInfisicalCredentials(config);
+  return !!(creds.siteUrl && creds.projectId && creds.clientId && creds.clientSecret);
+}
+
+/**
+ * Optionally validate .env against .env.schema if envschema is installed.
+ */
+function validateWithEnvSchema(envFile, schemaFile) {
+  if (!existsSync(schemaFile)) return;
+
+  try {
+    execSync('command -v envschema', { stdio: 'pipe' });
+  } catch {
+    console.log(chalk.dim('  hint: install envschema-dsl for .env validation'));
+    return;
+  }
+
+  try {
+    execSync(`envschema validate --schema "${schemaFile}" --env "${envFile}"`, {
+      stdio: 'pipe', encoding: 'utf-8',
+    });
+    console.log(chalk.green('  .env.schema validation passed'));
+  } catch (e) {
+    console.log(chalk.yellow(`  .env.schema validation warnings:\n${e.stdout || e.stderr || e.message}`));
+  }
+}
+
+// --- Commands ---
+
+export async function status({ config, utils, projectRoot }) {
+  const subprojects = config.subprojects || {};
+
+  if (Object.keys(subprojects).length === 0) {
+    console.log(chalk.yellow('No subprojects configured. Add them to .devkit.d/env.yml'));
+    return;
+  }
+
+  for (const [name, cfg] of Object.entries(subprojects)) {
+    console.log(chalk.cyan.bold(`\n${name}`));
+    const basePath = resolve(projectRoot, cfg.path || '.');
+    console.log(`  path: ${basePath}`);
+
+    if (!existsSync(basePath)) {
+      console.log(chalk.red('  directory not found'));
+      continue;
+    }
+
+    for (const variant of (cfg.variants || [])) {
+      const configDir = resolve(basePath, cfg.config_dir || 'config');
+      const exampleFile = resolve(configDir, `.env.${variant}.example`);
+      const envFile = resolve(configDir, `.env.${variant}`);
+
+      const parts = [];
+      parts.push(existsSync(exampleFile) ? chalk.green('example') : chalk.yellow('no example'));
+      parts.push(existsSync(envFile) ? chalk.green('.env') : chalk.red('no .env'));
+
+      console.log(`  ${variant}: ${parts.join(' | ')}`);
+    }
+  }
+}
+
+export async function init({ config, utils, projectRoot, envName = 'dev', force = false }) {
+  const subprojects = config.subprojects || {};
+
+  if (Object.keys(subprojects).length === 0) {
+    console.log(chalk.yellow('No subprojects configured. Add them to .devkit.d/env.yml'));
+    return;
+  }
+
+  // Root .env (devkit secrets from Infisical path /)
+  if (hasInfisical(config)) {
+    const exampleFile = resolve(projectRoot, '.env.example');
+    const envFile = resolve(projectRoot, '.env');
+
+    console.log(chalk.cyan.bold('\ndevkit (root)'));
+
+    if (existsSync(exampleFile)) {
+      if (!existsSync(envFile) || force) {
+        copyFileSync(exampleFile, envFile);
+        const action = force && existsSync(envFile) ? 'overwritten' : 'created';
+        console.log(`  .env ${action} from .env.example`);
+      } else {
+        console.log(`  .env exists (skip)`);
+      }
+    }
+
+    if (existsSync(envFile)) {
+      try {
+        const creds = getInfisicalCredentials(config);
+        const secrets = await utils.fetchInfisicalSecrets({
+          ...creds, envSlug: envName, secretPath: '/',
+        });
+        if (secrets.length > 0) {
+          const secretsMap = {};
+          for (const s of secrets) secretsMap[s.secretKey] = s.secretValue;
+          const envContent = readFileSync(envFile, 'utf-8');
+          const { content, updated } = utils.mergeSecretsIntoEnv(envContent, secretsMap);
+          writeFileSync(envFile, content);
+          console.log(chalk.green(`  +${updated} secrets from Infisical (/)`));
+        }
+      } catch (e) {
+        console.log(chalk.red(`  Infisical error: ${e.message}`));
+      }
+    }
+  }
+
+  for (const [name, cfg] of Object.entries(subprojects)) {
+    const basePath = resolve(projectRoot, cfg.path || '.');
+    if (!existsSync(basePath)) {
+      console.log(chalk.red(`  ${name}: directory not found (${basePath})`));
+      continue;
+    }
+
+    console.log(chalk.cyan.bold(`\n${name}`));
+
+    for (const variant of (cfg.variants || [])) {
+      const configDir = resolve(basePath, cfg.config_dir || 'config');
+      const exampleFile = resolve(configDir, `.env.${variant}.example`);
+      const envFile = resolve(configDir, `.env.${variant}`);
+
+      // Step 1: copy example → .env
+      if (existsSync(exampleFile)) {
+        if (!existsSync(envFile) || force) {
+          copyFileSync(exampleFile, envFile);
+          const action = force && existsSync(envFile) ? 'overwritten' : 'created';
+          console.log(`  ${variant}: .env.${variant} ${action} from example`);
+        } else {
+          console.log(`  ${variant}: .env.${variant} exists (skip)`);
+        }
+      } else {
+        console.log(chalk.yellow(`  ${variant}: .env.${variant}.example not found`));
+        if (!existsSync(envFile)) continue;
+      }
+
+      // Step 2: pull secrets from Infisical
+      if (hasInfisical(config)) {
+        try {
+          const infisicalPath = (cfg.infisical_path || '/{project}/{variant}')
+            .replace('{project}', name)
+            .replace('{variant}', variant);
+          const creds = getInfisicalCredentials(config);
+          const secrets = await utils.fetchInfisicalSecrets({
+            ...creds, envSlug: envName, secretPath: infisicalPath,
+          });
+          if (secrets.length > 0) {
+            const secretsMap = {};
+            for (const s of secrets) secretsMap[s.secretKey] = s.secretValue;
+            if (secretsMap.DB_PASSWORD) {
+              secretsMap.POSTGRES_PASSWORD = secretsMap.DB_PASSWORD;
+            }
+            const envContent = readFileSync(envFile, 'utf-8');
+            const { content, updated } = utils.mergeSecretsIntoEnv(envContent, secretsMap);
+            writeFileSync(envFile, content);
+            console.log(chalk.green(`  ${variant}: +${updated} secrets from Infisical (${infisicalPath})`));
+          } else {
+            console.log(`  ${variant}: no secrets in Infisical (${infisicalPath})`);
+          }
+        } catch (e) {
+          console.log(chalk.red(`  ${variant}: Infisical error: ${e.message}`));
+        }
+      }
+
+      // Step 3: validate with env-schema
+      const schemaFile = resolve(configDir, '.env.schema');
+      validateWithEnvSchema(envFile, schemaFile);
+    }
+  }
+
+  console.log(chalk.green('\nDone!'));
+}
+
+export async function pullSecrets({ config, utils, projectRoot, envName = 'dev' }) {
+  const subprojects = config.subprojects || {};
+
+  if (!hasInfisical(config)) {
+    console.log(chalk.yellow('Infisical not configured. Add credentials to .devkit.d/env.yml'));
+    return;
+  }
+
+  for (const [name, cfg] of Object.entries(subprojects)) {
+    const basePath = resolve(projectRoot, cfg.path || '.');
+    if (!existsSync(basePath)) continue;
+
+    console.log(chalk.cyan.bold(`\n${name}`));
+
+    for (const variant of (cfg.variants || [])) {
+      const configDir = resolve(basePath, cfg.config_dir || 'config');
+      const envFile = resolve(configDir, `.env.${variant}`);
+
+      if (!existsSync(envFile)) {
+        console.log(chalk.yellow(`  ${variant}: .env.${variant} not found (run env init)`));
+        continue;
+      }
+
+      try {
+        const infisicalPath = (cfg.infisical_path || '/{project}/{variant}')
+          .replace('{project}', name)
+          .replace('{variant}', variant);
+        const creds = getInfisicalCredentials(config);
+        const secrets = await utils.fetchInfisicalSecrets({
+          ...creds, envSlug: envName, secretPath: infisicalPath,
+        });
+        if (secrets.length > 0) {
+          const secretsMap = {};
+          for (const s of secrets) secretsMap[s.secretKey] = s.secretValue;
+          if (secretsMap.DB_PASSWORD) {
+            secretsMap.POSTGRES_PASSWORD = secretsMap.DB_PASSWORD;
+          }
+          const envContent = readFileSync(envFile, 'utf-8');
+          const { content, updated } = utils.mergeSecretsIntoEnv(envContent, secretsMap);
+          writeFileSync(envFile, content);
+          console.log(chalk.green(`  ${variant}: updated ${updated} secrets`));
+        } else {
+          console.log(`  ${variant}: no secrets in ${infisicalPath}`);
+        }
+      } catch (e) {
+        console.log(chalk.red(`  ${variant}: error: ${e.message}`));
+      }
+
+      // Validate
+      const schemaFile = resolve(configDir, '.env.schema');
+      validateWithEnvSchema(envFile, schemaFile);
+    }
+  }
+
+  console.log(chalk.green('\nDone!'));
+}

package/plugins/env/index.mjs

@@ -0,0 +1,93 @@
+import * as env from './env.mjs';
+import * as infisical from './infisical.mjs';
+
+function handleError(e) {
+  console.error(`Error: ${e.message}`);
+  process.exit(1);
+}
+
+/**
+ * Register env plugin commands.
+ * @param {import('commander').Command} program
+ * @param {object} context
+ */
+export function register(program, { config, utils, projectRoot, devkitRoot }) {
+  const envCmd = program
+    .command('env')
+    .description(config.description || 'Manage .env files');
+
+  envCmd
+    .command('status')
+    .description('Show .env file status')
+    .action(() => env.status({ config, utils, projectRoot }).catch(handleError));
+
+  envCmd
+    .command('init')
+    .description('Initialize .env from examples + Infisical secrets')
+    .option('--env-name <env>', 'Infisical environment', 'dev')
+    .option('--force', 'Overwrite existing .env')
+    .action(opts => env.init({
+      config, utils, projectRoot,
+      envName: opts.envName, force: opts.force,
+    }).catch(handleError));
+
+  envCmd
+    .command('pull-secrets')
+    .description('Update only secrets in .env files')
+    .option('--env-name <env>', 'Infisical environment', 'dev')
+    .action(opts => env.pullSecrets({
+      config, utils, projectRoot,
+      envName: opts.envName,
+    }).catch(handleError));
+
+  // --- infisical subcommand ---
+
+  const infisicalCmd = envCmd
+    .command('infisical')
+    .description('Manage Infisical secrets');
+
+  infisicalCmd
+    .command('list')
+    .description('List secrets')
+    .option('--env <env>', 'Environment', 'dev')
+    .option('--path <path>', 'Secret path', '/')
+    .action(opts => infisical.list({
+      config, utils, env: opts.env, path: opts.path,
+    }).catch(handleError));
+
+  infisicalCmd
+    .command('get <name>')
+    .description('Get secret value')
+    .option('--env <env>', 'Environment', 'dev')
+    .option('--path <path>', 'Secret path', '/')
+    .action((name, opts) => infisical.get({
+      config, utils, name, env: opts.env, path: opts.path,
+    }).catch(handleError));
+
+  infisicalCmd
+    .command('set <keyValue>')
+    .description('Set secret (KEY=VALUE)')
+    .option('--env <env>', 'Environment', 'dev')
+    .option('--path <path>', 'Secret path', '/')
+    .action((kv, opts) => infisical.set({
+      config, utils, keyValue: kv, env: opts.env, path: opts.path,
+    }).catch(handleError));
+
+  infisicalCmd
+    .command('delete <name>')
+    .description('Delete secret')
+    .option('--env <env>', 'Environment', 'dev')
+    .option('--path <path>', 'Secret path', '/')
+    .action((name, opts) => infisical.del({
+      config, utils, name, env: opts.env, path: opts.path,
+    }).catch(handleError));
+
+  infisicalCmd
+    .command('deploy')
+    .description('Deploy secrets to server')
+    .requiredOption('--env <env>', 'Environment (test or stage)')
+    .option('--yes, -y', 'Skip confirmation')
+    .action(opts => infisical.deploy({
+      config, utils, env: opts.env, yes: opts.yes,
+    }).catch(handleError));
+}

package/plugins/env/infisical.mjs

@@ -0,0 +1,152 @@
+import chalk from 'chalk';
+import { execSync } from 'child_process';
+
+/**
+ * Get Infisical credentials from config + environment variables.
+ */
+function getInfisicalCredentials(config) {
+  const infisical = config.infisical || {};
+  const clientIdEnv = infisical.client_id_env || 'INFISICAL_UNIVERSAL_AUTH_CLIENT_ID';
+  const clientSecretEnv = infisical.client_secret_env || 'INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET';
+
+  return {
+    siteUrl: infisical.site_url,
+    projectId: infisical.project_id,
+    clientId: process.env[clientIdEnv],
+    clientSecret: process.env[clientSecretEnv],
+  };
+}
+
+export async function list({ config, utils, env = 'dev', path = '/' }) {
+  const creds = getInfisicalCredentials(config);
+  const secrets = await utils.fetchInfisicalSecrets({
+    ...creds, envSlug: env, secretPath: path,
+  });
+  if (secrets.length === 0) { console.log('No secrets.'); return; }
+
+  for (const s of secrets) {
+    console.log(`${s.secretKey}=${s.secretValue}`);
+  }
+}
+
+export async function get({ config, utils, name, env = 'dev', path = '/' }) {
+  const creds = getInfisicalCredentials(config);
+  const client = await utils.getInfisicalClient(creds);
+  const secret = await client.getSecret({
+    projectId: creds.projectId,
+    environment: env,
+    path,
+    secretName: name,
+  });
+  console.log(secret.secretValue);
+}
+
+export async function set({ config, utils, keyValue, env = 'dev', path = '/' }) {
+  const idx = keyValue.indexOf('=');
+  if (idx === -1) throw new Error('Format: KEY=VALUE');
+
+  const key = keyValue.slice(0, idx);
+  const value = keyValue.slice(idx + 1);
+
+  const creds = getInfisicalCredentials(config);
+  const client = await utils.getInfisicalClient(creds);
+
+  try {
+    await client.updateSecret({
+      projectId: creds.projectId,
+      environment: env,
+      path,
+      secretName: key,
+      secretValue: value,
+    });
+  } catch {
+    await client.createSecret({
+      projectId: creds.projectId,
+      environment: env,
+      path,
+      secretName: key,
+      secretValue: value,
+    });
+  }
+
+  console.log(chalk.green(`\u2713 ${key} updated`));
+}
+
+export async function del({ config, utils, name, env = 'dev', path = '/' }) {
+  const creds = getInfisicalCredentials(config);
+  const client = await utils.getInfisicalClient(creds);
+  await client.deleteSecret({
+    projectId: creds.projectId,
+    environment: env,
+    path,
+    secretName: name,
+  });
+  console.log(chalk.green(`\u2713 ${name} deleted`));
+}
+
+export async function deploy({ config, utils, env, yes = false }) {
+  if (!env) throw new Error('Specify --env (test or stage)');
+
+  const servers = config.servers || {};
+  const server = servers[env];
+  if (!server) throw new Error(`No server for environment '${env}' (available: ${Object.keys(servers).join(', ')})`);
+
+  if (server.confirm && !yes) {
+    const readline = await import('readline');
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    const answer = await new Promise(resolve => {
+      rl.question(chalk.yellow(`Deploy to ${env} (${server.ssh}). Continue? (y/N) `), resolve);
+    });
+    rl.close();
+    if (answer.toLowerCase() !== 'y') { console.log('Cancelled'); return; }
+  }
+
+  console.log(chalk.cyan(`\nDeploying secrets to ${env} (${server.ssh})...\n`));
+
+  const containers = config.containers || {};
+  const creds = getInfisicalCredentials(config);
+
+  for (const [project, variants] of Object.entries(containers)) {
+    for (const [variant, container] of Object.entries(variants)) {
+      const secretPath = `/${project}/${variant}`;
+      const remotePath = `${server.projects_path}/${project}/config/.env.${variant}`;
+
+      process.stdout.write(`  ${project}/${variant}: `);
+
+      try {
+        const secrets = await utils.fetchInfisicalSecrets({
+          ...creds, envSlug: env, secretPath,
+        });
+        if (secrets.length === 0) {
+          console.log(chalk.dim('no secrets — skip'));
+          continue;
+        }
+
+        const secretsMap = {};
+        for (const s of secrets) secretsMap[s.secretKey] = s.secretValue;
+
+        const currentEnv = utils.sshReadFile(server.ssh, remotePath);
+        if (!currentEnv) {
+          console.log(chalk.yellow('file not found — skip'));
+          continue;
+        }
+
+        const { content, updated } = utils.mergeSecretsIntoEnv(currentEnv, secretsMap);
+        utils.sshWriteFile(server.ssh, remotePath, content);
+
+        let restartOk = false;
+        try {
+          execSync(`ssh ${server.ssh} 'docker restart ${container}'`, { encoding: 'utf-8', timeout: 30000 });
+          restartOk = true;
+        } catch {}
+
+        const status = restartOk ? chalk.green(container) : chalk.red(`${container} not restarted`);
+        console.log(chalk.green(`${updated} secrets`) + chalk.dim(' \u2192 ') + status);
+      } catch (e) {
+        console.log(chalk.red(`error: ${e.message}`));
+      }
+    }
+  }
+
+  console.log(chalk.green('\n\u2713 Deploy complete'));
+}