react-native-secreton 1.0.0

package/LICENSE

@@ -0,0 +1,20 @@
+MIT License
+
+Copyright (c) 2026 Sarli Wariali
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,44 @@
+# react-native-secreton
+Config secret variables for React Native apps
+
+## Installation
+```sh
+npm install react-native-secreton
+```
+
+## Generate secret key
+Command line random key:
+```
+openssl rand -hex 32
+```
+
+## Native Usage
+
+### Android
+Config **android/app/build.gradle**
+```groovy
+...
+apply from: new File(rootProject.projectDir.parentFile.parentFile, "android/secreton.gradle")
+loadEnvFromSecretonCliSync(project)
+...
+react {
+    ...
+    nodeExecutableAndArgs = [
+        project.findProperty("NODE_BINARY") ?: "/usr/local/bin/node"
+    ]
+    ...
+}
+android {
+    defaultConfig {
+        manifestPlaceholders = [
+            geoApiKey           : project.ext.env?.get('GEO_APK_API_KEY')
+        ]
+    }
+}
+```
+
+### iOS / macOS
+- Manual Link
+```
+pod 'react-native-secreton', :path => '../node_modules/react-native-secreton'
+```

package/android/build.gradle

@@ -0,0 +1,77 @@
+buildscript {
+  ext.getExtOrDefault = {name ->
+    return rootProject.ext.has(name) ? rootProject.ext.get(name) : project.properties['Secreton_' + name]
+  }
+
+  repositories {
+    google()
+    mavenCentral()
+  }
+
+  dependencies {
+    classpath "com.android.tools.build:gradle:8.7.2"
+    // noinspection DifferentKotlinGradleVersion
+    classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:${getExtOrDefault('kotlinVersion')}"
+  }
+}
+
+
+apply plugin: "com.android.library"
+apply plugin: "kotlin-android"
+
+apply plugin: "com.facebook.react"
+
+def getExtOrIntegerDefault(name) {
+  return rootProject.ext.has(name) ? rootProject.ext.get(name) : (project.properties["Secreton_" + name]).toInteger()
+}
+
+android {
+  namespace "com.secreton"
+
+  compileSdkVersion getExtOrIntegerDefault("compileSdkVersion")
+
+  defaultConfig {
+    minSdkVersion getExtOrIntegerDefault("minSdkVersion")
+    targetSdkVersion getExtOrIntegerDefault("targetSdkVersion")
+  }
+
+  buildFeatures {
+    buildConfig true
+  }
+
+  buildTypes {
+    release {
+      minifyEnabled false
+    }
+  }
+
+  lintOptions {
+    disable "GradleCompatible"
+  }
+
+  compileOptions {
+    sourceCompatibility JavaVersion.VERSION_1_8
+    targetCompatibility JavaVersion.VERSION_1_8
+  }
+
+  sourceSets {
+    main {
+      java.srcDirs += [
+        "generated/java",
+        "generated/jni"
+      ]
+    }
+  }
+}
+
+repositories {
+  mavenCentral()
+  google()
+}
+
+def kotlin_version = getExtOrDefault("kotlinVersion")
+
+dependencies {
+  implementation "com.facebook.react:react-android"
+  implementation "org.jetbrains.kotlin:kotlin-stdlib:$kotlin_version"
+}

package/android/gradle.properties

@@ -0,0 +1,5 @@
+Secreton_kotlinVersion=2.0.21
+Secreton_minSdkVersion=24
+Secreton_targetSdkVersion=34
+Secreton_compileSdkVersion=35
+Secreton_ndkVersion=27.1.12297006

package/android/secreton.gradle

@@ -0,0 +1,156 @@
+/**
+ * =========================
+ * Secreton bootstrap
+ * =========================
+ */
+
+ext.findWorkspaceRoot = { File startDir ->
+    File current = startDir
+    while (current != null) {
+        if (new File(current, "package.json").exists()) {
+            return current
+        }
+        current = current.parentFile
+    }
+    throw new RuntimeException("❌ package.json not found")
+}
+
+ext.loadEnvFile = { File file ->
+    if (!file.exists()) return [:]
+
+    def map = [:]
+    file.eachLine { line ->
+        line = line.trim()
+        if (!line || line.startsWith("#")) return
+
+        def idx = line.indexOf("=")
+        if (idx <= 0) return
+
+        def key = line.substring(0, idx)
+        def value = line.substring(idx + 1)
+
+        if (value.startsWith("\"") && value.endsWith("\"")) {
+            value = value.substring(1, value.length() - 1)
+        }
+
+        map[key] = value
+    }
+    return map
+}
+
+ext.ensureLocalEnv = { appProject ->
+    if (appProject.ext.has("localEnv")) return
+
+    appProject.ext.localEnv = [:]
+    appProject.ext.env = [:]
+
+    def androidDir = appProject.rootProject.projectDir
+    def workspaceRoot = findWorkspaceRoot(androidDir)
+    def rootDir = workspaceRoot
+
+    def envFileName = appProject.findProperty("ENVFILE") ?: System.getenv("ENVFILE") ?: ".env"
+    def envFile = new File(rootDir, envFileName)
+
+    if (envFile.exists()) {
+        appProject.ext.localEnv.putAll(loadEnvFile(envFile))
+    }
+}
+
+ext.getSecretKey = { appProject ->
+    ensureLocalEnv(appProject)
+    return appProject.ext.localEnv.get("ENV_SECRET_KEY")
+        ?: appProject.findProperty("ENV_SECRET_KEY")
+        ?: System.getenv("ENV_SECRET_KEY")
+}
+
+ext.decryptValue = { String encrypted, String secretKey ->
+    if (!encrypted) return encrypted
+    if (!secretKey) throw new RuntimeException("❌ ENV_SECRET_KEY is required for decryption")
+
+    def cmd = """printf "%s" '${encrypted}' | openssl enc -aes-256-cbc -a -A -d -salt -pbkdf2 -iter 100000 -pass pass:${secretKey}"""
+    def proc = ["bash", "-c", cmd].execute()
+    proc.waitFor()
+
+    if (proc.exitValue() != 0) {
+        throw new RuntimeException(proc.err.text)
+    }
+
+    return proc.in.text.trim()
+}
+
+ext.loadAndDecryptEnv = { appProject ->
+    ensureLocalEnv(appProject)
+
+    def androidDir = appProject.rootProject.projectDir
+    def rootDir = findWorkspaceRoot(androidDir)
+
+    def envFileName =
+        appProject.findProperty("ENVFILE")
+        ?: System.getenv("ENVFILE")
+        ?: ".env"
+    def envFile = new File(rootDir, envFileName)
+    if (!envFile.exists()) return
+
+    def secretKey = getSecretKey(appProject)
+    if (!secretKey) return
+
+    def envMap = loadEnvFile(envFile)
+    envMap.each { k, v ->
+        def value = v
+        if (v instanceof String && v.startsWith("enc:")) {
+            value = decryptValue(v.substring(4), secretKey)
+        }
+        appProject.ext.env[k] = value
+    }
+}
+
+ext.findRnSecretonCli = { appProject ->
+    def androidDir = appProject.rootProject.rootDir
+    def workspaceRoot = findWorkspaceRoot(androidDir)
+    def possibleCliBins = [
+        new File(workspaceRoot, "node_modules/.bin/rn-secreton-cli"),
+        new File(workspaceRoot.parentFile, "node_modules/.bin/rn-secreton-cli"),
+        new File(workspaceRoot, "node_modules/.bin/rn-secreton-cli.cmd"),
+        new File(workspaceRoot.parentFile, "node_modules/.bin/rn-secreton-cli.cmd")
+    ].collect { it.canonicalFile }
+    
+    def cliBin = possibleCliBins.find { it.exists() }
+    if (!cliBin) {
+        throw new RuntimeException("❌ rn-secreton-cli not found in expected paths: ${possibleCliBins*.absolutePath}")
+    }
+    return cliBin
+}
+
+ext.loadEnvFromSecretonCliSync = { appProject ->
+    def cliBin = findRnSecretonCli(appProject)
+    def workspaceRoot = findWorkspaceRoot(appProject.rootProject.rootDir)
+    def envFileName = appProject.findProperty("ENVFILE") ?: System.getenv("ENVFILE") ?: ".env"
+    def envFile = new File(workspaceRoot, envFileName)
+
+    ensureLocalEnv(appProject)
+    def secretKey = getSecretKey(appProject)
+    if (!secretKey) throw new RuntimeException("❌ ENV_SECRET_KEY not found")
+    if (!envFile.exists()) throw new RuntimeException("❌ ENV file not found: ${envFile.absolutePath}")
+
+    println "🔐 rn-secreton generating env (sync)..."
+    println "   ENV_FILE : ${envFileName}"
+    println "   CLI path : ${cliBin.absolutePath}"
+
+    def envMap = loadEnvFile(envFile)
+    def envFromFile = envMap.collect { k, v -> "${k}=${v}" }
+    def envArray = [
+        "ENV_SECRET_KEY=${secretKey}",
+        "ENV_FILE=${envFileName}",
+        "PATH=${System.getenv("PATH")}"
+    ]
+    envArray += envFromFile
+    envArray = envArray as String[]
+
+    def proc = [cliBin.absolutePath, envFile.absolutePath].execute(envArray, workspaceRoot)
+    proc.waitForProcessOutput(System.out, System.err)
+    if (proc.exitValue() != 0) {
+        throw new RuntimeException("❌ rn-secreton-cli failed")
+    }
+
+    loadAndDecryptEnv(appProject)
+}

package/android/src/main/AndroidManifest.xml

@@ -0,0 +1,2 @@
+<manifest xmlns:android="http://schemas.android.com/apk/res/android">
+</manifest>

package/android/src/main/java/com/secreton/SecretonModule.kt

@@ -0,0 +1,23 @@
+package com.secreton
+
+import com.facebook.react.bridge.ReactApplicationContext
+import com.facebook.react.module.annotations.ReactModule
+
+@ReactModule(name = SecretonModule.NAME)
+class SecretonModule(reactContext: ReactApplicationContext) :
+  NativeSecretonSpec(reactContext) {
+
+  override fun getName(): String {
+    return NAME
+  }
+
+  // Example method
+  // See https://reactnative.dev/docs/native-modules-android
+  override fun multiply(a: Double, b: Double): Double {
+    return a * b
+  }
+
+  companion object {
+    const val NAME = "Secreton"
+  }
+}

package/android/src/main/java/com/secreton/SecretonPackage.kt

@@ -0,0 +1,33 @@
+package com.secreton
+
+import com.facebook.react.BaseReactPackage
+import com.facebook.react.bridge.NativeModule
+import com.facebook.react.bridge.ReactApplicationContext
+import com.facebook.react.module.model.ReactModuleInfo
+import com.facebook.react.module.model.ReactModuleInfoProvider
+import java.util.HashMap
+
+class SecretonPackage : BaseReactPackage() {
+  override fun getModule(name: String, reactContext: ReactApplicationContext): NativeModule? {
+    return if (name == SecretonModule.NAME) {
+      SecretonModule(reactContext)
+    } else {
+      null
+    }
+  }
+
+  override fun getReactModuleInfoProvider(): ReactModuleInfoProvider {
+    return ReactModuleInfoProvider {
+      val moduleInfos: MutableMap<String, ReactModuleInfo> = HashMap()
+      moduleInfos[SecretonModule.NAME] = ReactModuleInfo(
+        SecretonModule.NAME,
+        SecretonModule.NAME,
+        false,  // canOverrideExistingModule
+        false,  // needsEagerInit
+        false,  // isCxxModule
+        true // isTurboModule
+      )
+      moduleInfos
+    }
+  }
+}

package/dist/CLISecreton.js

@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+import path from "path";
+import { generateEnv } from './NodeSecreton.js';
+const args = process.argv.slice(2);
+const envFile = args[0] || process.env.ENV_FILE;
+const fileName = path.basename(envFile);
+(async () => {
+    try {
+        const secretKey = process.env.ENV_SECRET_KEY;
+        if (!secretKey) {
+            throw new Error('ENV_SECRET_KEY is required');
+        }
+        const fetchEnv = process.env.FETCH_ENV || 'consul';
+        await generateEnv({
+            envFile,
+            secretKey,
+            fetchEnv,
+            consul: fetchEnv === 'consul'
+                ? {
+                    addr: process.env.CONSUL_ADDR || 'http://localhost:8500',
+                    path: process.env.CONSUL_PATH || 'mobile/project-example',
+                    token: process.env.CONSUL_TOKEN,
+                }
+                : undefined,
+            vault: fetchEnv === 'vault'
+                ? {
+                    addr: process.env.VAULT_ADDR || 'http://localhost:8200',
+                    path: process.env.VAULT_PATH || 'secret/data/mobile/project-example',
+                    token: process.env.VAULT_TOKEN || '',
+                }
+                : undefined,
+        });
+        console.log(`✅ [CLI] Secreton updated safely → ${fileName}`);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : JSON.stringify(err, null, 2);
+        console.error(`❌ [CLI] Secreton failed: ${message}`);
+        process.exit(1);
+    }
+})();

package/dist/NodeSecreton.js

@@ -0,0 +1,70 @@
+import path from "node:path";
+import fs from 'node:fs';
+import { execSync } from 'node:child_process';
+export function encrypt(value, key) {
+    const cmd = `printf "%s" "${value}" | openssl enc -aes-256-cbc -a -A -salt -pbkdf2 -iter 100000 -pass pass:${key}`;
+    return execSync(cmd).toString().trim();
+}
+export function readExistingEnv(envFile) {
+    if (!fs.existsSync(envFile))
+        return new Set();
+    const content = fs.readFileSync(envFile, 'utf8');
+    return new Set(content
+        .split('\n')
+        .map((line) => line.trim())
+        .filter((line) => Boolean(line))
+        .filter((line) => !line.startsWith('#'))
+        .map((line) => line.split('=')[0])
+        .filter((key) => typeof key === 'string' && key.length > 0));
+}
+async function fetchConsul({ addr, path, token, }) {
+    const headers = {};
+    if (token)
+        headers['X-Consul-Token'] = token;
+    const res = await fetch(`${addr}/v1/kv/${path}?recurse=true`, { headers });
+    if (!res.ok)
+        throw new Error('Consul fetch failed');
+    const data = await res.json();
+    return data
+        .filter((item) => typeof item.Value === 'string')
+        .map((item) => ({
+        key: item.Key.replace(`${path}/`, ''),
+        value: Buffer.from(item.Value, 'base64').toString('utf8'),
+    }));
+}
+async function fetchVault({ addr, path, token, }) {
+    const res = await fetch(`${addr}/v1/${path}`, {
+        headers: { 'X-Vault-Token': token },
+    });
+    if (!res.ok)
+        throw new Error('Vault fetch failed');
+    const json = await res.json();
+    return Object.entries(json.data.data).map(([key, value]) => ({
+        key,
+        value: String(value),
+    }));
+}
+export async function generateEnv(options) {
+    const { envFile, secretKey, fetchEnv = 'consul', } = options;
+    const fileName = path.basename(envFile);
+    const existingKeys = readExistingEnv(envFile);
+    let entries = [];
+    if (fetchEnv === 'vault' && options.vault) {
+        entries = await fetchVault(options.vault);
+    }
+    else if (options.consul) {
+        entries = await fetchConsul(options.consul);
+    }
+    else {
+        throw new Error('No config source provided');
+    }
+    const newLines = entries
+        .filter(({ key }) => !existingKeys.has(key))
+        .map(({ key, value }) => `${key}=enc:${encrypt(value, secretKey)}`);
+    if (newLines.length === 0) {
+        console.log('ℹ️ [Node] Secreton no new env keys to add');
+        return;
+    }
+    fs.appendFileSync(envFile, (fs.existsSync(envFile) ? '\n' : '') + newLines.join('\n'));
+    console.log(`✅ [Node] Secreton updated safely → ${fileName}`);
+}

package/ios/Secreton.h

@@ -0,0 +1,5 @@
+#import <SecretonSpec/SecretonSpec.h>
+
+@interface Secreton : NSObject <NativeSecretonSpec>
+
+@end

package/ios/Secreton.mm

@@ -0,0 +1,21 @@
+#import "Secreton.h"
+
+@implementation Secreton
+- (NSNumber *)multiply:(double)a b:(double)b {
+    NSNumber *result = @(a * b);
+
+    return result;
+}
+
+- (std::shared_ptr<facebook::react::TurboModule>)getTurboModule:
+    (const facebook::react::ObjCTurboModule::InitParams &)params
+{
+    return std::make_shared<facebook::react::NativeSecretonSpecJSI>(params);
+}
+
++ (NSString *)moduleName
+{
+  return @"Secreton";
+}
+
+@end

package/lib/module/CLISecreton.js

@@ -0,0 +1,38 @@
+#!/usr/bin/env node
+"use strict";
+
+import path from "path";
+import { generateEnv } from './NodeSecreton.js';
+const args = process.argv.slice(2);
+const envFile = args[0] || process.env.ENV_FILE;
+const fileName = path.basename(envFile);
+(async () => {
+  try {
+    const secretKey = process.env.ENV_SECRET_KEY;
+    if (!secretKey) {
+      throw new Error('ENV_SECRET_KEY is required');
+    }
+    const fetchEnv = process.env.FETCH_ENV || 'consul';
+    await generateEnv({
+      envFile,
+      secretKey,
+      fetchEnv,
+      consul: fetchEnv === 'consul' ? {
+        addr: process.env.CONSUL_ADDR || 'http://localhost:8500',
+        path: process.env.CONSUL_PATH || 'mobile/project-example',
+        token: process.env.CONSUL_TOKEN
+      } : undefined,
+      vault: fetchEnv === 'vault' ? {
+        addr: process.env.VAULT_ADDR || 'http://localhost:8200',
+        path: process.env.VAULT_PATH || 'secret/data/mobile/project-example',
+        token: process.env.VAULT_TOKEN || ''
+      } : undefined
+    });
+    console.log(`✅ [CLI] Secreton updated safely → ${fileName}`);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : JSON.stringify(err, null, 2);
+    console.error(`❌ [CLI] Secreton failed: ${message}`);
+    process.exit(1);
+  }
+})();
+//# sourceMappingURL=CLISecreton.js.map

package/lib/module/CLISecreton.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["path","generateEnv","args","process","argv","slice","envFile","env","ENV_FILE","fileName","basename","secretKey","ENV_SECRET_KEY","Error","fetchEnv","FETCH_ENV","consul","addr","CONSUL_ADDR","CONSUL_PATH","token","CONSUL_TOKEN","undefined","vault","VAULT_ADDR","VAULT_PATH","VAULT_TOKEN","console","log","err","message","JSON","stringify","error","exit"],"sourceRoot":"../../src","sources":["CLISecreton.ts"],"mappings":"AAAA;AAAmB;;AACnB,OAAOA,IAAI,MAAM,MAAM;AACvB,SAASC,WAAW,QAAQ,mBAAmB;AAE/C,MAAMC,IAAI,GAAGC,OAAO,CAACC,IAAI,CAACC,KAAK,CAAC,CAAC,CAAC;AAClC,MAAMC,OAAY,GAAGJ,IAAI,CAAC,CAAC,CAAC,IAAIC,OAAO,CAACI,GAAG,CAACC,QAAQ;AACpD,MAAMC,QAAQ,GAAGT,IAAI,CAACU,QAAQ,CAACJ,OAAO,CAAC;AAEvC,CAAC,YAAY;EACX,IAAI;IACF,MAAMK,SAAS,GAAGR,OAAO,CAACI,GAAG,CAACK,cAAc;IAC5C,IAAI,CAACD,SAAS,EAAE;MACd,MAAM,IAAIE,KAAK,CAAC,4BAA4B,CAAC;IAC/C;IAEA,MAAMC,QAAa,GAAGX,OAAO,CAACI,GAAG,CAACQ,SAAS,IAAI,QAAQ;IAEvD,MAAMd,WAAW,CAAC;MAChBK,OAAO;MACPK,SAAS;MACTG,QAAQ;MACRE,MAAM,EAAEF,QAAQ,KAAK,QAAQ,GACzB;QACEG,IAAI,EAAEd,OAAO,CAACI,GAAG,CAACW,WAAW,IAAI,uBAAuB;QACxDlB,IAAI,EAAEG,OAAO,CAACI,GAAG,CAACY,WAAW,IAAI,wBAAwB;QACzDC,KAAK,EAAEjB,OAAO,CAACI,GAAG,CAACc;MACrB,CAAC,GACDC,SAAS;MACbC,KAAK,EAAET,QAAQ,KAAK,OAAO,GACvB;QACEG,IAAI,EAAEd,OAAO,CAACI,GAAG,CAACiB,UAAU,IAAI,uBAAuB;QACvDxB,IAAI,EAAEG,OAAO,CAACI,GAAG,CAACkB,UAAU,IAAI,oCAAoC;QACpEL,KAAK,EAAEjB,OAAO,CAACI,GAAG,CAACmB,WAAW,IAAI;MACpC,CAAC,GACDJ;IACN,CAAC,CAAC;IAEFK,OAAO,CAACC,GAAG,CAAC,qCAAqCnB,QAAQ,EAAE,CAAC;EAC9D,CAAC,CAAC,OAAOoB,GAAY,EAAE;IACrB,MAAMC,OAAO,GAAGD,GAAG,YAAYhB,KAAK,GAAGgB,GAAG,CAACC,OAAO,GAAGC,IAAI,CAACC,SAAS,CAACH,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACjFF,OAAO,CAACM,KAAK,CAAC,4BAA4BH,OAAO,EAAE,CAAC;IACpD3B,OAAO,CAAC+B,IAAI,CAAC,CAAC,CAAC;EACjB;AACF,CAAC,EAAE,CAAC","ignoreList":[]}

package/lib/module/NativeSecreton.js

@@ -0,0 +1,5 @@
+"use strict";
+
+import { TurboModuleRegistry } from 'react-native';
+export default TurboModuleRegistry.getEnforcing('Secreton');
+//# sourceMappingURL=NativeSecreton.js.map

package/lib/module/NativeSecreton.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["TurboModuleRegistry","getEnforcing"],"sourceRoot":"../../src","sources":["NativeSecreton.ts"],"mappings":";;AAAA,SAASA,mBAAmB,QAA0B,cAAc;AAMpE,eAAeA,mBAAmB,CAACC,YAAY,CAAO,UAAU,CAAC","ignoreList":[]}

package/lib/module/NodeSecreton.js

@@ -0,0 +1,78 @@
+"use strict";
+
+import path from "node:path";
+import fs from 'node:fs';
+import { execSync } from 'node:child_process';
+export function encrypt(value, key) {
+  const cmd = `printf "%s" "${value}" | openssl enc -aes-256-cbc -a -A -salt -pbkdf2 -iter 100000 -pass pass:${key}`;
+  return execSync(cmd).toString().trim();
+}
+export function readExistingEnv(envFile) {
+  if (!fs.existsSync(envFile)) return new Set();
+  const content = fs.readFileSync(envFile, 'utf8');
+  return new Set(content.split('\n').map(line => line.trim()).filter(line => Boolean(line)).filter(line => !line.startsWith('#')).map(line => line.split('=')[0]).filter(key => typeof key === 'string' && key.length > 0));
+}
+async function fetchConsul({
+  addr,
+  path,
+  token
+}) {
+  const headers = {};
+  if (token) headers['X-Consul-Token'] = token;
+  const res = await fetch(`${addr}/v1/kv/${path}?recurse=true`, {
+    headers
+  });
+  if (!res.ok) throw new Error('Consul fetch failed');
+  const data = await res.json();
+  return data.filter(item => typeof item.Value === 'string').map(item => ({
+    key: item.Key.replace(`${path}/`, ''),
+    value: Buffer.from(item.Value, 'base64').toString('utf8')
+  }));
+}
+async function fetchVault({
+  addr,
+  path,
+  token
+}) {
+  const res = await fetch(`${addr}/v1/${path}`, {
+    headers: {
+      'X-Vault-Token': token
+    }
+  });
+  if (!res.ok) throw new Error('Vault fetch failed');
+  const json = await res.json();
+  return Object.entries(json.data.data).map(([key, value]) => ({
+    key,
+    value: String(value)
+  }));
+}
+export async function generateEnv(options) {
+  const {
+    envFile,
+    secretKey,
+    fetchEnv = 'consul'
+  } = options;
+  const fileName = path.basename(envFile);
+  const existingKeys = readExistingEnv(envFile);
+  let entries = [];
+  if (fetchEnv === 'vault' && options.vault) {
+    entries = await fetchVault(options.vault);
+  } else if (options.consul) {
+    entries = await fetchConsul(options.consul);
+  } else {
+    throw new Error('No config source provided');
+  }
+  const newLines = entries.filter(({
+    key
+  }) => !existingKeys.has(key)).map(({
+    key,
+    value
+  }) => `${key}=enc:${encrypt(value, secretKey)}`);
+  if (newLines.length === 0) {
+    console.log('ℹ️ [Node] Secreton no new env keys to add');
+    return;
+  }
+  fs.appendFileSync(envFile, (fs.existsSync(envFile) ? '\n' : '') + newLines.join('\n'));
+  console.log(`✅ [Node] Secreton updated safely → ${fileName}`);
+}
+//# sourceMappingURL=NodeSecreton.js.map

package/lib/module/NodeSecreton.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["path","fs","execSync","encrypt","value","key","cmd","toString","trim","readExistingEnv","envFile","existsSync","Set","content","readFileSync","split","map","line","filter","Boolean","startsWith","length","fetchConsul","addr","token","headers","res","fetch","ok","Error","data","json","item","Value","Key","replace","Buffer","from","fetchVault","Object","entries","String","generateEnv","options","secretKey","fetchEnv","fileName","basename","existingKeys","vault","consul","newLines","has","console","log","appendFileSync","join"],"sourceRoot":"../../src","sources":["NodeSecreton.ts"],"mappings":";;AAAA,OAAOA,IAAI,MAAM,WAAW;AAC5B,OAAOC,EAAE,MAAM,SAAS;AACxB,SAASC,QAAQ,QAAQ,oBAAoB;AAgC7C,OAAO,SAASC,OAAOA,CAACC,KAAa,EAAEC,GAAW,EAAE;EAClD,MAAMC,GAAG,GAAG,gBAAgBF,KAAK,4EAA4EC,GAAG,EAAE;EAClH,OAAOH,QAAQ,CAACI,GAAG,CAAC,CAACC,QAAQ,CAAC,CAAC,CAACC,IAAI,CAAC,CAAC;AACxC;AAEA,OAAO,SAASC,eAAeA,CAACC,OAAe,EAAe;EAC5D,IAAI,CAACT,EAAE,CAACU,UAAU,CAACD,OAAO,CAAC,EAAE,OAAO,IAAIE,GAAG,CAAC,CAAC;EAE7C,MAAMC,OAAO,GAAGZ,EAAE,CAACa,YAAY,CAACJ,OAAO,EAAE,MAAM,CAAC;EAEhD,OAAO,IAAIE,GAAG,CACZC,OAAO,CACJE,KAAK,CAAC,IAAI,CAAC,CACXC,GAAG,CAAEC,IAAI,IAAKA,IAAI,CAACT,IAAI,CAAC,CAAC,CAAC,CAC1BU,MAAM,CAAED,IAAI,IAAqBE,OAAO,CAACF,IAAI,CAAC,CAAC,CAC/CC,MAAM,CAAED,IAAI,IAAK,CAACA,IAAI,CAACG,UAAU,CAAC,GAAG,CAAC,CAAC,CACvCJ,GAAG,CAAEC,IAAI,IAAKA,IAAI,CAACF,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CACjCG,MAAM,CAAEb,GAAG,IAAoB,OAAOA,GAAG,KAAK,QAAQ,IAAIA,GAAG,CAACgB,MAAM,GAAG,CAAC,CAC7E,CAAC;AACH;AAEA,eAAeC,WAAWA,CAAC;EACzBC,IAAI;EACJvB,IAAI;EACJwB;AACY,CAAC,EAAuB;EACpC,MAAMC,OAA+B,GAAG,CAAC,CAAC;EAC1C,IAAID,KAAK,EAAEC,OAAO,CAAC,gBAAgB,CAAC,GAAGD,KAAK;EAE5C,MAAME,GAAG,GAAG,MAAMC,KAAK,CAAC,GAAGJ,IAAI,UAAUvB,IAAI,eAAe,EAAE;IAAEyB;EAAQ,CAAC,CAAC;EAC1E,IAAI,CAACC,GAAG,CAACE,EAAE,EAAE,MAAM,IAAIC,KAAK,CAAC,qBAAqB,CAAC;EAEnD,MAAMC,IAAgB,GAAG,MAAMJ,GAAG,CAACK,IAAI,CAAC,CAAC;EACzC,OAAOD,IAAI,CACRZ,MAAM,CAAEc,IAAS,IAAK,OAAOA,IAAI,CAACC,KAAK,KAAK,QAAQ,CAAC,CACrDjB,GAAG,CAAEgB,IAAS,KAAM;IACnB3B,GAAG,EAAE2B,IAAI,CAACE,GAAG,CAACC,OAAO,CAAC,GAAGnC,IAAI,GAAG,EAAE,EAAE,CAAC;IACrCI,KAAK,EAAEgC,MAAM,CAACC,IAAI,CAACL,IAAI,CAACC,KAAK,EAAE,QAAQ,CAAC,CAAC1B,QAAQ,CAAC,MAAM;EAC1D,CAAC,CAAC,CAAC;AACP;AAEA,eAAe+B,UAAUA,CAAC;EACxBf,IAAI;EACJvB,IAAI;EACJwB;AACW,CAAC,EAAuB;EACnC,MAAME,GAAG,GAAG,MAAMC,KAAK,CAAC,GAAGJ,IAAI,OAAOvB,IAAI,EAAE,EAAE;IAC5CyB,OAAO,EAAE;MAAE,eAAe,EAAED;IAAM;EACpC,CAAC,CAAC;EAEF,IAAI,CAACE,GAAG,CAACE,EAAE,EAAE,MAAM,IAAIC,KAAK,CAAC,oBAAoB,CAAC;EAElD,MAAME,IAAI,GAAG,MAAML,GAAG,CAACK,IAAI,CAAC,CAAC;EAC7B,OAAOQ,MAAM,CAACC,OAAO,CAACT,IAAI,CAACD,IAAI,CAACA,IAAI,CAAC,CAACd,GAAG,CAAC,CAAC,CAACX,GAAG,EAAED,KAAK,CAAC,MAAM;IAC3DC,GAAG;IACHD,KAAK,EAAEqC,MAAM,CAACrC,KAAK;EACrB,CAAC,CAAC,CAAC;AACL;AAEA,OAAO,eAAesC,WAAWA,CAACC,OAA2B,EAAE;EAC7D,MAAM;IACJjC,OAAO;IACPkC,SAAS;IACTC,QAAQ,GAAG;EACb,CAAC,GAAGF,OAAO;EAEX,MAAMG,QAAQ,GAAG9C,IAAI,CAAC+C,QAAQ,CAACrC,OAAO,CAAC;EACvC,MAAMsC,YAAY,GAAGvC,eAAe,CAACC,OAAO,CAAC;EAE7C,IAAI8B,OAAmB,GAAG,EAAE;EAE5B,IAAIK,QAAQ,KAAK,OAAO,IAAIF,OAAO,CAACM,KAAK,EAAE;IACzCT,OAAO,GAAG,MAAMF,UAAU,CAACK,OAAO,CAACM,KAAK,CAAC;EAC3C,CAAC,MAAM,IAAIN,OAAO,CAACO,MAAM,EAAE;IACzBV,OAAO,GAAG,MAAMlB,WAAW,CAACqB,OAAO,CAACO,MAAM,CAAC;EAC7C,CAAC,MAAM;IACL,MAAM,IAAIrB,KAAK,CAAC,2BAA2B,CAAC;EAC9C;EAEA,MAAMsB,QAAQ,GAAGX,OAAO,CACrBtB,MAAM,CAAC,CAAC;IAAEb;EAAI,CAAC,KAAK,CAAC2C,YAAY,CAACI,GAAG,CAAC/C,GAAG,CAAC,CAAC,CAC3CW,GAAG,CAAC,CAAC;IAAEX,GAAG;IAAED;EAAM,CAAC,KAAK,GAAGC,GAAG,QAAQF,OAAO,CAACC,KAAK,EAAEwC,SAAS,CAAC,EAAE,CAAC;EAErE,IAAIO,QAAQ,CAAC9B,MAAM,KAAK,CAAC,EAAE;IACzBgC,OAAO,CAACC,GAAG,CAAC,2CAA2C,CAAC;IACxD;EACF;EAEArD,EAAE,CAACsD,cAAc,CAAC7C,OAAO,EAAE,CAACT,EAAE,CAACU,UAAU,CAACD,OAAO,CAAC,GAAG,IAAI,GAAG,EAAE,IAAIyC,QAAQ,CAACK,IAAI,CAAC,IAAI,CAAC,CAAC;EAEtFH,OAAO,CAACC,GAAG,CAAC,sCAAsCR,QAAQ,EAAE,CAAC;AAC/D","ignoreList":[]}

package/lib/module/index.js

@@ -0,0 +1,7 @@
+"use strict";
+
+import Secreton from "./NativeSecreton.js";
+export function multiply(a, b) {
+  return Secreton.multiply(a, b);
+}
+//# sourceMappingURL=index.js.map

package/lib/module/index.js.map

@@ -0,0 +1 @@
+{"version":3,"names":["Secreton","multiply","a","b"],"sourceRoot":"../../src","sources":["index.tsx"],"mappings":";;AAAA,OAAOA,QAAQ,MAAM,qBAAkB;AAEvC,OAAO,SAASC,QAAQA,CAACC,CAAS,EAAEC,CAAS,EAAU;EACrD,OAAOH,QAAQ,CAACC,QAAQ,CAACC,CAAC,EAAEC,CAAC,CAAC;AAChC","ignoreList":[]}

package/lib/module/package.json

@@ -0,0 +1 @@
+{"type":"module"}

package/lib/typescript/package.json

@@ -0,0 +1 @@
+{"type":"module"}

package/lib/typescript/src/CLISecreton.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=CLISecreton.d.ts.map

package/lib/typescript/src/CLISecreton.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CLISecreton.d.ts","sourceRoot":"","sources":["../../../src/CLISecreton.ts"],"names":[],"mappings":""}

package/lib/typescript/src/NativeSecreton.d.ts

@@ -0,0 +1,7 @@
+import { type TurboModule } from 'react-native';
+export interface Spec extends TurboModule {
+    multiply(a: number, b: number): number;
+}
+declare const _default: Spec;
+export default _default;
+//# sourceMappingURL=NativeSecreton.d.ts.map

package/lib/typescript/src/NativeSecreton.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"NativeSecreton.d.ts","sourceRoot":"","sources":["../../../src/NativeSecreton.ts"],"names":[],"mappings":"AAAA,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,cAAc,CAAC;AAErE,MAAM,WAAW,IAAK,SAAQ,WAAW;IACvC,QAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;CACxC;;AAED,wBAAkE"}

package/lib/typescript/src/NodeSecreton.d.ts

@@ -0,0 +1,29 @@
+export interface EnvEntry {
+    key: string;
+    value: string;
+}
+export interface ConsulConfig {
+    addr: string;
+    path: string;
+    token?: string;
+}
+export type ConsulKV = {
+    Key: string;
+    Value: string | null;
+};
+export interface VaultConfig {
+    addr: string;
+    path: string;
+    token: string;
+}
+export interface GenerateEnvOptions {
+    envFile: string;
+    secretKey: string;
+    consul?: ConsulConfig;
+    vault?: VaultConfig;
+    fetchEnv?: 'consul' | 'vault';
+}
+export declare function encrypt(value: string, key: string): string;
+export declare function readExistingEnv(envFile: string): Set<string>;
+export declare function generateEnv(options: GenerateEnvOptions): Promise<void>;
+//# sourceMappingURL=NodeSecreton.d.ts.map

package/lib/typescript/src/NodeSecreton.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"NodeSecreton.d.ts","sourceRoot":"","sources":["../../../src/NodeSecreton.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,QAAQ;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,MAAM,QAAQ,GAAG;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB,CAAC;AAEF,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,QAAQ,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC;CAC/B;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,UAGjD;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAc5D;AAwCD,wBAAsB,WAAW,CAAC,OAAO,EAAE,kBAAkB,iBAgC5D"}

package/lib/typescript/src/index.d.ts

@@ -0,0 +1,2 @@
+export declare function multiply(a: number, b: number): number;
+//# sourceMappingURL=index.d.ts.map

package/lib/typescript/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/index.tsx"],"names":[],"mappings":"AAEA,wBAAgB,QAAQ,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAErD"}

package/package.json

@@ -0,0 +1,178 @@
+{
+  "name": "react-native-secreton",
+  "version": "1.0.0",
+  "description": "Config secret variables for React Native apps",
+  "keywords": [
+    "react-native",
+    "ios",
+    "android",
+    "secrets",
+    "env"
+  ],
+  "main": "./lib/module/index.js",
+  "types": "./lib/typescript/src/index.d.ts",
+  "exports": {
+    ".": {
+      "source": "./src/index.tsx",
+      "types": "./lib/typescript/src/index.d.ts",
+      "default": "./lib/module/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "src",
+    "lib",
+    "dist",
+    "android",
+    "ios",
+    "cpp",
+    "*.podspec",
+    "react-native.config.js",
+    "!ios/build",
+    "!android/build",
+    "!android/gradle",
+    "!android/gradlew",
+    "!android/gradlew.bat",
+    "!android/local.properties",
+    "!**/__tests__",
+    "!**/__fixtures__",
+    "!**/__mocks__",
+    "!**/.*"
+  ],
+  "type": "module",
+  "scripts": {
+    "clean": "del-cli android/build example/android/build example/android/app/build example/ios/build lib dist",
+    "build:cli": "tsc -p tsconfig.cli.json",
+    "prepare": "bob build && npm run build:cli",
+    "nitrogen": "nitrogen",
+    "typecheck": "tsc",
+    "lint": "eslint \"src/**/*.{js,ts,tsx}\"",
+    "test": "jest",
+    "release": "release-it --only-version"
+  },
+  "bin": {
+    "rn-secreton-cli": "dist/CLISecreton.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/serldna86/react-native-secreton.git"
+  },
+  "author": "Sarli Wariali",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/serldna86/react-native-secreton/issues"
+  },
+  "homepage": "https://github.com/serldna86/react-native-secreton#readme",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/"
+  },
+  "devDependencies": {
+    "@commitlint/config-conventional": "^19.8.1",
+    "@eslint/compat": "^1.3.2",
+    "@eslint/eslintrc": "^3.3.1",
+    "@eslint/js": "^9.35.0",
+    "@react-native/babel-preset": "0.83.0",
+    "@react-native/eslint-config": "0.83.0",
+    "@release-it/conventional-changelog": "^10.0.1",
+    "@types/jest": "^29.5.14",
+    "@types/react": "^19.2.0",
+    "commitlint": "^19.8.1",
+    "del-cli": "^6.0.0",
+    "eslint": "^9.35.0",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.4",
+    "globals": "^17.0.0",
+    "jest": "^29.7.0",
+    "lefthook": "^2.0.3",
+    "prettier": "^2.8.8",
+    "react": "19.2.0",
+    "react-native": "0.83.0",
+    "react-native-builder-bob": "^0.40.17",
+    "release-it": "^19.0.4",
+    "turbo": "^2.5.6",
+    "typescript": "^5.9.2"
+  },
+  "peerDependencies": {
+    "react": "*",
+    "react-native": "*"
+  },
+  "workspaces": [
+    "example"
+  ],
+  "packageManager": "yarn@4.11.0",
+  "react-native-builder-bob": {
+    "source": "src",
+    "output": "lib",
+    "targets": [
+      [
+        "module",
+        {
+          "esm": true
+        }
+      ],
+      [
+        "typescript",
+        {
+          "project": "tsconfig.build.json"
+        }
+      ]
+    ]
+  },
+  "codegenConfig": {
+    "name": "SecretonSpec",
+    "type": "modules",
+    "jsSrcsDir": "src",
+    "android": {
+      "javaPackageName": "com.secreton"
+    }
+  },
+  "prettier": {
+    "quoteProps": "consistent",
+    "singleQuote": true,
+    "tabWidth": 2,
+    "trailingComma": "es5",
+    "useTabs": false
+  },
+  "jest": {
+    "preset": "react-native",
+    "modulePathIgnorePatterns": [
+      "<rootDir>/example/node_modules",
+      "<rootDir>/lib/"
+    ]
+  },
+  "commitlint": {
+    "extends": [
+      "@commitlint/config-conventional"
+    ]
+  },
+  "release-it": {
+    "git": {
+      "commitMessage": "chore: release ${version}",
+      "tagName": "v${version}"
+    },
+    "npm": {
+      "publish": true
+    },
+    "github": {
+      "release": true
+    },
+    "plugins": {
+      "@release-it/conventional-changelog": {
+        "preset": {
+          "name": "angular"
+        }
+      }
+    }
+  },
+  "create-react-native-library": {
+    "type": "turbo-module",
+    "languages": "kotlin-objc",
+    "tools": [
+      "eslint",
+      "jest",
+      "lefthook",
+      "release-it"
+    ],
+    "version": "0.56.0"
+  }
+}

package/react-native-secreton.podspec

@@ -0,0 +1,27 @@
+require "json"
+
+package = JSON.parse(File.read(File.join(__dir__, "package.json")))
+
+Pod::Spec.new do |s|
+  s.name         = package["name"]
+  s.version      = package["version"]
+  s.summary      = package["description"]
+  s.homepage     = package["homepage"]
+  s.license      = package["license"]
+  s.authors      = package["author"]
+
+  s.platforms    = { :ios => min_ios_version_supported }
+  s.source       = { :git => "https://github.com/serldna86/react-native-secreton.git", :tag => "#{s.version}" }
+  s.requires_arc = true
+
+  s.source_files = "ios/**/*.{h,m,mm,swift,cpp}"
+  s.private_header_files = "ios/**/*.h"
+
+  s.script_phase = {
+    :name => 'Secreton Env',
+    :script => File.read(File.join(__dir__, 'scripts/secreton-ios.sh')),
+    :execution_position => :before_compile
+  }
+
+  install_modules_dependencies(s)
+end

package/src/CLISecreton.ts

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+import path from "path";
+import { generateEnv } from './NodeSecreton.js';
+
+const args = process.argv.slice(2);
+const envFile: any = args[0] || process.env.ENV_FILE;
+const fileName = path.basename(envFile);
+
+(async () => {
+  try {
+    const secretKey = process.env.ENV_SECRET_KEY;
+    if (!secretKey) {
+      throw new Error('ENV_SECRET_KEY is required');
+    }
+
+    const fetchEnv: any = process.env.FETCH_ENV || 'consul';
+
+    await generateEnv({
+      envFile,
+      secretKey,
+      fetchEnv,
+      consul: fetchEnv === 'consul'
+        ? {
+            addr: process.env.CONSUL_ADDR || 'http://localhost:8500',
+            path: process.env.CONSUL_PATH || 'mobile/project-example',
+            token: process.env.CONSUL_TOKEN,
+          }
+        : undefined,
+      vault: fetchEnv === 'vault'
+        ? {
+            addr: process.env.VAULT_ADDR || 'http://localhost:8200',
+            path: process.env.VAULT_PATH || 'secret/data/mobile/project-example',
+            token: process.env.VAULT_TOKEN || '',
+          }
+        : undefined,
+    });
+
+    console.log(`✅ [CLI] Secreton updated safely → ${fileName}`);
+  } catch (err: unknown) {
+    const message = err instanceof Error ? err.message : JSON.stringify(err, null, 2);
+    console.error(`❌ [CLI] Secreton failed: ${message}`);
+    process.exit(1);
+  }
+})();

package/src/NativeSecreton.ts

@@ -0,0 +1,7 @@
+import { TurboModuleRegistry, type TurboModule } from 'react-native';
+
+export interface Spec extends TurboModule {
+  multiply(a: number, b: number): number;
+}
+
+export default TurboModuleRegistry.getEnforcing<Spec>('Secreton');

package/src/NodeSecreton.ts

@@ -0,0 +1,126 @@
+import path from "node:path";
+import fs from 'node:fs';
+import { execSync } from 'node:child_process';
+
+export interface EnvEntry {
+  key: string;
+  value: string;
+}
+
+export interface ConsulConfig {
+  addr: string;
+  path: string;
+  token?: string;
+}
+
+export type ConsulKV = {
+  Key: string;
+  Value: string | null;
+};
+
+export interface VaultConfig {
+  addr: string;
+  path: string;
+  token: string;
+}
+
+export interface GenerateEnvOptions {
+  envFile: string;
+  secretKey: string;
+  consul?: ConsulConfig;
+  vault?: VaultConfig;
+  fetchEnv?: 'consul' | 'vault';
+}
+
+export function encrypt(value: string, key: string) {
+  const cmd = `printf "%s" "${value}" | openssl enc -aes-256-cbc -a -A -salt -pbkdf2 -iter 100000 -pass pass:${key}`;
+  return execSync(cmd).toString().trim();
+}
+
+export function readExistingEnv(envFile: string): Set<string> {
+  if (!fs.existsSync(envFile)) return new Set();
+
+  const content = fs.readFileSync(envFile, 'utf8');
+
+  return new Set(
+    content
+      .split('\n')
+      .map((line) => line.trim())
+      .filter((line): line is string => Boolean(line))
+      .filter((line) => !line.startsWith('#'))
+      .map((line) => line.split('=')[0])
+      .filter((key): key is string => typeof key === 'string' && key.length > 0)
+  );
+}
+
+async function fetchConsul({
+  addr,
+  path,
+  token,
+}: ConsulConfig): Promise<EnvEntry[]> {
+  const headers: Record<string, string> = {};
+  if (token) headers['X-Consul-Token'] = token;
+
+  const res = await fetch(`${addr}/v1/kv/${path}?recurse=true`, { headers });
+  if (!res.ok) throw new Error('Consul fetch failed');
+
+  const data: ConsulKV[] = await res.json();
+  return data
+    .filter((item: any) => typeof item.Value === 'string')
+    .map((item: any) => ({
+      key: item.Key.replace(`${path}/`, ''),
+      value: Buffer.from(item.Value, 'base64').toString('utf8'),
+    }));
+}
+
+async function fetchVault({
+  addr,
+  path,
+  token,
+}: VaultConfig): Promise<EnvEntry[]> {
+  const res = await fetch(`${addr}/v1/${path}`, {
+    headers: { 'X-Vault-Token': token },
+  });
+
+  if (!res.ok) throw new Error('Vault fetch failed');
+
+  const json = await res.json();
+  return Object.entries(json.data.data).map(([key, value]) => ({
+    key,
+    value: String(value),
+  }));
+}
+
+export async function generateEnv(options: GenerateEnvOptions) {
+  const {
+    envFile,
+    secretKey,
+    fetchEnv = 'consul',
+  } = options;
+
+  const fileName = path.basename(envFile);
+  const existingKeys = readExistingEnv(envFile);
+
+  let entries: EnvEntry[] = [];
+
+  if (fetchEnv === 'vault' && options.vault) {
+    entries = await fetchVault(options.vault);
+  } else if (options.consul) {
+    entries = await fetchConsul(options.consul);
+  } else {
+    throw new Error('No config source provided');
+  }
+
+  const newLines = entries
+    .filter(({ key }) => !existingKeys.has(key))
+    .map(({ key, value }) => `${key}=enc:${encrypt(value, secretKey)}`);
+
+  if (newLines.length === 0) {
+    console.log('ℹ️ [Node] Secreton no new env keys to add');
+    return;
+  }
+
+  fs.appendFileSync(envFile, (fs.existsSync(envFile) ? '\n' : '') + newLines.join('\n'));
+
+  console.log(`✅ [Node] Secreton updated safely → ${fileName}`);
+}

package/src/index.tsx

@@ -0,0 +1,5 @@
+import Secreton from './NativeSecreton';
+
+export function multiply(a: number, b: number): number {
+  return Secreton.multiply(a, b);
+}