npm - sandstream-kit - Versions diffs - 1.0.0 - Mend

sandstream-kit 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (519) hide show

package/LICENSE +21 -0
package/README.md +617 -0
package/dist/adapters/api-key-adapter.d.ts +35 -0
package/dist/adapters/api-key-adapter.js +46 -0
package/dist/adapters/api-key-adapter.js.map +1 -0
package/dist/adapters/clerk-auth.d.ts +6 -0
package/dist/adapters/clerk-auth.js +20 -0
package/dist/adapters/clerk-auth.js.map +1 -0
package/dist/adapters/cloudflare-r2.d.ts +6 -0
package/dist/adapters/cloudflare-r2.js +136 -0
package/dist/adapters/cloudflare-r2.js.map +1 -0
package/dist/adapters/expo-eas.d.ts +6 -0
package/dist/adapters/expo-eas.js +129 -0
package/dist/adapters/expo-eas.js.map +1 -0
package/dist/adapters/flagsmith-flags.d.ts +5 -0
package/dist/adapters/flagsmith-flags.js +20 -0
package/dist/adapters/flagsmith-flags.js.map +1 -0
package/dist/adapters/flyio-hosting.d.ts +2 -0
package/dist/adapters/flyio-hosting.js +143 -0
package/dist/adapters/flyio-hosting.js.map +1 -0
package/dist/adapters/index.d.ts +6 -0
package/dist/adapters/index.js +48 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/inngest-background.d.ts +5 -0
package/dist/adapters/inngest-background.js +19 -0
package/dist/adapters/inngest-background.js.map +1 -0
package/dist/adapters/liveblocks-realtime.d.ts +11 -0
package/dist/adapters/liveblocks-realtime.js +62 -0
package/dist/adapters/liveblocks-realtime.js.map +1 -0
package/dist/adapters/loops-email.d.ts +6 -0
package/dist/adapters/loops-email.js +18 -0
package/dist/adapters/loops-email.js.map +1 -0
package/dist/adapters/neon-db.d.ts +10 -0
package/dist/adapters/neon-db.js +94 -0
package/dist/adapters/neon-db.js.map +1 -0
package/dist/adapters/planetscale-db.d.ts +11 -0
package/dist/adapters/planetscale-db.js +134 -0
package/dist/adapters/planetscale-db.js.map +1 -0
package/dist/adapters/posthog-analytics.d.ts +6 -0
package/dist/adapters/posthog-analytics.js +22 -0
package/dist/adapters/posthog-analytics.js.map +1 -0
package/dist/adapters/railway-hosting.d.ts +2 -0
package/dist/adapters/railway-hosting.js +136 -0
package/dist/adapters/railway-hosting.js.map +1 -0
package/dist/adapters/resend-email.d.ts +35 -0
package/dist/adapters/resend-email.js +109 -0
package/dist/adapters/resend-email.js.map +1 -0
package/dist/adapters/searxng-instance.d.ts +6 -0
package/dist/adapters/searxng-instance.js +240 -0
package/dist/adapters/searxng-instance.js.map +1 -0
package/dist/adapters/sentry-monitoring.d.ts +7 -0
package/dist/adapters/sentry-monitoring.js +27 -0
package/dist/adapters/sentry-monitoring.js.map +1 -0
package/dist/adapters/stripe-payments.d.ts +6 -0
package/dist/adapters/stripe-payments.js +134 -0
package/dist/adapters/stripe-payments.js.map +1 -0
package/dist/adapters/supabase-db.d.ts +6 -0
package/dist/adapters/supabase-db.js +130 -0
package/dist/adapters/supabase-db.js.map +1 -0
package/dist/adapters/tinybird-analytics.d.ts +5 -0
package/dist/adapters/tinybird-analytics.js +20 -0
package/dist/adapters/tinybird-analytics.js.map +1 -0
package/dist/adapters/trigger-background.d.ts +6 -0
package/dist/adapters/trigger-background.js +20 -0
package/dist/adapters/trigger-background.js.map +1 -0
package/dist/adapters/types.d.ts +7 -0
package/dist/adapters/types.js +2 -0
package/dist/adapters/types.js.map +1 -0
package/dist/adapters/upstash-redis.d.ts +6 -0
package/dist/adapters/upstash-redis.js +88 -0
package/dist/adapters/upstash-redis.js.map +1 -0
package/dist/adapters/vercel-hosting.d.ts +6 -0
package/dist/adapters/vercel-hosting.js +112 -0
package/dist/adapters/vercel-hosting.js.map +1 -0
package/dist/agent-adapter-model.d.ts +108 -0
package/dist/agent-adapter-model.js +6 -0
package/dist/agent-adapter-model.js.map +1 -0
package/dist/agent-adapter-service.d.ts +67 -0
package/dist/agent-adapter-service.js +299 -0
package/dist/agent-adapter-service.js.map +1 -0
package/dist/agent-config.d.ts +56 -0
package/dist/agent-config.js +129 -0
package/dist/agent-config.js.map +1 -0
package/dist/agent-governance-model.d.ts +128 -0
package/dist/agent-governance-model.js +6 -0
package/dist/agent-governance-model.js.map +1 -0
package/dist/agent-governance-service.d.ts +101 -0
package/dist/agent-governance-service.js +319 -0
package/dist/agent-governance-service.js.map +1 -0
package/dist/alert-rules-engine.d.ts +102 -0
package/dist/alert-rules-engine.js +210 -0
package/dist/alert-rules-engine.js.map +1 -0
package/dist/analytics-service.d.ts +126 -0
package/dist/analytics-service.js +318 -0
package/dist/analytics-service.js.map +1 -0
package/dist/analyze.d.ts +19 -0
package/dist/analyze.js +311 -0
package/dist/analyze.js.map +1 -0
package/dist/apm-instrumentor.d.ts +119 -0
package/dist/apm-instrumentor.js +225 -0
package/dist/apm-instrumentor.js.map +1 -0
package/dist/approval-model.d.ts +82 -0
package/dist/approval-model.js +6 -0
package/dist/approval-model.js.map +1 -0
package/dist/approval-service.d.ts +39 -0
package/dist/approval-service.js +236 -0
package/dist/approval-service.js.map +1 -0
package/dist/approval.d.ts +22 -0
package/dist/approval.js +148 -0
package/dist/approval.js.map +1 -0
package/dist/audit-logging-model.d.ts +157 -0
package/dist/audit-logging-model.js +6 -0
package/dist/audit-logging-model.js.map +1 -0
package/dist/audit-logging-service.d.ts +89 -0
package/dist/audit-logging-service.js +367 -0
package/dist/audit-logging-service.js.map +1 -0
package/dist/audit-secrets.d.ts +42 -0
package/dist/audit-secrets.js +126 -0
package/dist/audit-secrets.js.map +1 -0
package/dist/audit.d.ts +43 -0
package/dist/audit.js +286 -0
package/dist/audit.js.map +1 -0
package/dist/author-dashboard.d.ts +84 -0
package/dist/author-dashboard.js +204 -0
package/dist/author-dashboard.js.map +1 -0
package/dist/author-notifications.d.ts +130 -0
package/dist/author-notifications.js +261 -0
package/dist/author-notifications.js.map +1 -0
package/dist/author-verification.d.ts +79 -0
package/dist/author-verification.js +257 -0
package/dist/author-verification.js.map +1 -0
package/dist/autonomous-setup-model.d.ts +117 -0
package/dist/autonomous-setup-model.js +6 -0
package/dist/autonomous-setup-model.js.map +1 -0
package/dist/autonomous-setup-service.d.ts +74 -0
package/dist/autonomous-setup-service.js +325 -0
package/dist/autonomous-setup-service.js.map +1 -0
package/dist/badge-system.d.ts +70 -0
package/dist/badge-system.js +210 -0
package/dist/badge-system.js.map +1 -0
package/dist/baseline.d.ts +34 -0
package/dist/baseline.js +78 -0
package/dist/baseline.js.map +1 -0
package/dist/beta-program-service.d.ts +112 -0
package/dist/beta-program-service.js +240 -0
package/dist/beta-program-service.js.map +1 -0
package/dist/budget.d.ts +34 -0
package/dist/budget.js +159 -0
package/dist/budget.js.map +1 -0
package/dist/bumblebee.d.ts +143 -0
package/dist/bumblebee.js +384 -0
package/dist/bumblebee.js.map +1 -0
package/dist/cache-manager.d.ts +97 -0
package/dist/cache-manager.js +244 -0
package/dist/cache-manager.js.map +1 -0
package/dist/cdn-adapter.d.ts +64 -0
package/dist/cdn-adapter.js +263 -0
package/dist/cdn-adapter.js.map +1 -0
package/dist/certification-workflow-model.d.ts +95 -0
package/dist/certification-workflow-model.js +6 -0
package/dist/certification-workflow-model.js.map +1 -0
package/dist/certification-workflow-service.d.ts +72 -0
package/dist/certification-workflow-service.js +305 -0
package/dist/certification-workflow-service.js.map +1 -0
package/dist/check-design.d.ts +38 -0
package/dist/check-design.js +256 -0
package/dist/check-design.js.map +1 -0
package/dist/check-gitignore.d.ts +39 -0
package/dist/check-gitignore.js +156 -0
package/dist/check-gitignore.js.map +1 -0
package/dist/check-hooks.d.ts +15 -0
package/dist/check-hooks.js +72 -0
package/dist/check-hooks.js.map +1 -0
package/dist/check-lock.d.ts +16 -0
package/dist/check-lock.js +94 -0
package/dist/check-lock.js.map +1 -0
package/dist/check-secrets.d.ts +11 -0
package/dist/check-secrets.js +320 -0
package/dist/check-secrets.js.map +1 -0
package/dist/check-security.d.ts +13 -0
package/dist/check-security.js +887 -0
package/dist/check-security.js.map +1 -0
package/dist/check-services.d.ts +10 -0
package/dist/check-services.js +44 -0
package/dist/check-services.js.map +1 -0
package/dist/check-skills.d.ts +8 -0
package/dist/check-skills.js +26 -0
package/dist/check-skills.js.map +1 -0
package/dist/check-tests.d.ts +43 -0
package/dist/check-tests.js +175 -0
package/dist/check-tests.js.map +1 -0
package/dist/check-tools.d.ts +8 -0
package/dist/check-tools.js +42 -0
package/dist/check-tools.js.map +1 -0
package/dist/check-web-search.d.ts +12 -0
package/dist/check-web-search.js +168 -0
package/dist/check-web-search.js.map +1 -0
package/dist/ci-cd-publisher.d.ts +162 -0
package/dist/ci-cd-publisher.js +319 -0
package/dist/ci-cd-publisher.js.map +1 -0
package/dist/cli.d.ts +2 -0
package/dist/cli.js +4074 -0
package/dist/cli.js.map +1 -0
package/dist/clone.d.ts +25 -0
package/dist/clone.js +73 -0
package/dist/clone.js.map +1 -0
package/dist/completions.d.ts +8 -0
package/dist/completions.js +250 -0
package/dist/completions.js.map +1 -0
package/dist/compression-manager.d.ts +107 -0
package/dist/compression-manager.js +250 -0
package/dist/compression-manager.js.map +1 -0
package/dist/config.d.ts +233 -0
package/dist/config.js +255 -0
package/dist/config.js.map +1 -0
package/dist/context.d.ts +38 -0
package/dist/context.js +86 -0
package/dist/context.js.map +1 -0
package/dist/cost-monitor.d.ts +72 -0
package/dist/cost-monitor.js +218 -0
package/dist/cost-monitor.js.map +1 -0
package/dist/create-plugin.d.ts +22 -0
package/dist/create-plugin.js +266 -0
package/dist/create-plugin.js.map +1 -0
package/dist/database.d.ts +123 -0
package/dist/database.js +354 -0
package/dist/database.js.map +1 -0
package/dist/datadog-adapter.d.ts +60 -0
package/dist/datadog-adapter.js +245 -0
package/dist/datadog-adapter.js.map +1 -0
package/dist/doctor.d.ts +15 -0
package/dist/doctor.js +131 -0
package/dist/doctor.js.map +1 -0
package/dist/documentation-generator.d.ts +226 -0
package/dist/documentation-generator.js +348 -0
package/dist/documentation-generator.js.map +1 -0
package/dist/elevation-scopes.d.ts +40 -0
package/dist/elevation-scopes.js +110 -0
package/dist/elevation-scopes.js.map +1 -0
package/dist/elevation.d.ts +102 -0
package/dist/elevation.js +449 -0
package/dist/elevation.js.map +1 -0
package/dist/env-diff.d.ts +27 -0
package/dist/env-diff.js +104 -0
package/dist/env-diff.js.map +1 -0
package/dist/env-inspect.d.ts +28 -0
package/dist/env-inspect.js +81 -0
package/dist/env-inspect.js.map +1 -0
package/dist/env-switch.d.ts +37 -0
package/dist/env-switch.js +102 -0
package/dist/env-switch.js.map +1 -0
package/dist/environment.d.ts +27 -0
package/dist/environment.js +148 -0
package/dist/environment.js.map +1 -0
package/dist/error-tracker.d.ts +92 -0
package/dist/error-tracker.js +206 -0
package/dist/error-tracker.js.map +1 -0
package/dist/escalate.d.ts +11 -0
package/dist/escalate.js +73 -0
package/dist/escalate.js.map +1 -0
package/dist/event-stream.d.ts +81 -0
package/dist/event-stream.js +161 -0
package/dist/event-stream.js.map +1 -0
package/dist/fix.d.ts +42 -0
package/dist/fix.js +419 -0
package/dist/fix.js.map +1 -0
package/dist/governance-middleware.d.ts +22 -0
package/dist/governance-middleware.js +173 -0
package/dist/governance-middleware.js.map +1 -0
package/dist/governance.d.ts +44 -0
package/dist/governance.js +236 -0
package/dist/governance.js.map +1 -0
package/dist/hooks.d.ts +25 -0
package/dist/hooks.js +281 -0
package/dist/hooks.js.map +1 -0
package/dist/id-generator.d.ts +43 -0
package/dist/id-generator.js +47 -0
package/dist/id-generator.js.map +1 -0
package/dist/image-optimizer.d.ts +92 -0
package/dist/image-optimizer.js +202 -0
package/dist/image-optimizer.js.map +1 -0
package/dist/install.d.ts +15 -0
package/dist/install.js +59 -0
package/dist/install.js.map +1 -0
package/dist/lock.d.ts +82 -0
package/dist/lock.js +264 -0
package/dist/lock.js.map +1 -0
package/dist/login.d.ts +23 -0
package/dist/login.js +132 -0
package/dist/login.js.map +1 -0
package/dist/mcp-kit-tools-model.d.ts +195 -0
package/dist/mcp-kit-tools-model.js +6 -0
package/dist/mcp-kit-tools-model.js.map +1 -0
package/dist/mcp-kit-tools-service.d.ts +127 -0
package/dist/mcp-kit-tools-service.js +943 -0
package/dist/mcp-kit-tools-service.js.map +1 -0
package/dist/mcp-orchestrator.d.ts +70 -0
package/dist/mcp-orchestrator.js +175 -0
package/dist/mcp-orchestrator.js.map +1 -0
package/dist/mcp-server.d.ts +3 -0
package/dist/mcp-server.js +722 -0
package/dist/mcp-server.js.map +1 -0
package/dist/middleware/rate-limiter.d.ts +74 -0
package/dist/middleware/rate-limiter.js +342 -0
package/dist/middleware/rate-limiter.js.map +1 -0
package/dist/migration-runner.d.ts +66 -0
package/dist/migration-runner.js +192 -0
package/dist/migration-runner.js.map +1 -0
package/dist/migrations.d.ts +25 -0
package/dist/migrations.js +530 -0
package/dist/migrations.js.map +1 -0
package/dist/moderation-system.d.ts +153 -0
package/dist/moderation-system.js +338 -0
package/dist/moderation-system.js.map +1 -0
package/dist/multi-agent-workflow-model.d.ts +125 -0
package/dist/multi-agent-workflow-model.js +6 -0
package/dist/multi-agent-workflow-model.js.map +1 -0
package/dist/multi-agent-workflow-service.d.ts +102 -0
package/dist/multi-agent-workflow-service.js +452 -0
package/dist/multi-agent-workflow-service.js.map +1 -0
package/dist/onepassword.d.ts +75 -0
package/dist/onepassword.js +140 -0
package/dist/onepassword.js.map +1 -0
package/dist/open.d.ts +30 -0
package/dist/open.js +166 -0
package/dist/open.js.map +1 -0
package/dist/output.d.ts +32 -0
package/dist/output.js +295 -0
package/dist/output.js.map +1 -0
package/dist/partner-service.d.ts +101 -0
package/dist/partner-service.js +191 -0
package/dist/partner-service.js.map +1 -0
package/dist/payout-service.d.ts +136 -0
package/dist/payout-service.js +293 -0
package/dist/payout-service.js.map +1 -0
package/dist/pkg.d.ts +30 -0
package/dist/pkg.js +162 -0
package/dist/pkg.js.map +1 -0
package/dist/plugin-loader.d.ts +16 -0
package/dist/plugin-loader.js +124 -0
package/dist/plugin-loader.js.map +1 -0
package/dist/plugin-registry-model.d.ts +133 -0
package/dist/plugin-registry-model.js +6 -0
package/dist/plugin-registry-model.js.map +1 -0
package/dist/plugin-registry-service.d.ts +109 -0
package/dist/plugin-registry-service.js +361 -0
package/dist/plugin-registry-service.js.map +1 -0
package/dist/plugin-registry.d.ts +58 -0
package/dist/plugin-registry.js +108 -0
package/dist/plugin-registry.js.map +1 -0
package/dist/plugin-updates.d.ts +135 -0
package/dist/plugin-updates.js +326 -0
package/dist/plugin-updates.js.map +1 -0
package/dist/plugins-cli.d.ts +7 -0
package/dist/plugins-cli.js +157 -0
package/dist/plugins-cli.js.map +1 -0
package/dist/plugins.d.ts +88 -0
package/dist/plugins.js +251 -0
package/dist/plugins.js.map +1 -0
package/dist/policy.d.ts +66 -0
package/dist/policy.js +160 -0
package/dist/policy.js.map +1 -0
package/dist/post-pull-audit.d.ts +39 -0
package/dist/post-pull-audit.js +151 -0
package/dist/post-pull-audit.js.map +1 -0
package/dist/provision.d.ts +17 -0
package/dist/provision.js +147 -0
package/dist/provision.js.map +1 -0
package/dist/query-optimizer.d.ts +102 -0
package/dist/query-optimizer.js +199 -0
package/dist/query-optimizer.js.map +1 -0
package/dist/read-only-mode.d.ts +46 -0
package/dist/read-only-mode.js +71 -0
package/dist/read-only-mode.js.map +1 -0
package/dist/redis-adapter.d.ts +71 -0
package/dist/redis-adapter.js +278 -0
package/dist/redis-adapter.js.map +1 -0
package/dist/resilience-tests.d.ts +120 -0
package/dist/resilience-tests.js +293 -0
package/dist/resilience-tests.js.map +1 -0
package/dist/revocation.d.ts +22 -0
package/dist/revocation.js +100 -0
package/dist/revocation.js.map +1 -0
package/dist/run.d.ts +21 -0
package/dist/run.js +80 -0
package/dist/run.js.map +1 -0
package/dist/scan-build.d.ts +18 -0
package/dist/scan-build.js +100 -0
package/dist/scan-build.js.map +1 -0
package/dist/scan-plaintext.d.ts +24 -0
package/dist/scan-plaintext.js +147 -0
package/dist/scan-plaintext.js.map +1 -0
package/dist/scan-staged.d.ts +15 -0
package/dist/scan-staged.js +70 -0
package/dist/scan-staged.js.map +1 -0
package/dist/scan-transcripts.d.ts +23 -0
package/dist/scan-transcripts.js +93 -0
package/dist/scan-transcripts.js.map +1 -0
package/dist/secret-backends.d.ts +50 -0
package/dist/secret-backends.js +510 -0
package/dist/secret-backends.js.map +1 -0
package/dist/secret-expiration.d.ts +46 -0
package/dist/secret-expiration.js +172 -0
package/dist/secret-expiration.js.map +1 -0
package/dist/secrets-migrate.d.ts +75 -0
package/dist/secrets-migrate.js +185 -0
package/dist/secrets-migrate.js.map +1 -0
package/dist/secrets-model.d.ts +77 -0
package/dist/secrets-model.js +6 -0
package/dist/secrets-model.js.map +1 -0
package/dist/secrets-onecli.d.ts +65 -0
package/dist/secrets-onecli.js +113 -0
package/dist/secrets-onecli.js.map +1 -0
package/dist/secrets-propagate.d.ts +48 -0
package/dist/secrets-propagate.js +201 -0
package/dist/secrets-propagate.js.map +1 -0
package/dist/secrets-pull.d.ts +34 -0
package/dist/secrets-pull.js +118 -0
package/dist/secrets-pull.js.map +1 -0
package/dist/secrets-purge-history.d.ts +53 -0
package/dist/secrets-purge-history.js +144 -0
package/dist/secrets-purge-history.js.map +1 -0
package/dist/secrets-rotate-cli.d.ts +54 -0
package/dist/secrets-rotate-cli.js +438 -0
package/dist/secrets-rotate-cli.js.map +1 -0
package/dist/secrets-rotate.d.ts +38 -0
package/dist/secrets-rotate.js +65 -0
package/dist/secrets-rotate.js.map +1 -0
package/dist/secrets-service.d.ts +73 -0
package/dist/secrets-service.js +283 -0
package/dist/secrets-service.js.map +1 -0
package/dist/secrets-set.d.ts +25 -0
package/dist/secrets-set.js +33 -0
package/dist/secrets-set.js.map +1 -0
package/dist/secrets-sync.d.ts +21 -0
package/dist/secrets-sync.js +215 -0
package/dist/secrets-sync.js.map +1 -0
package/dist/secrets-validate.d.ts +41 -0
package/dist/secrets-validate.js +126 -0
package/dist/secrets-validate.js.map +1 -0
package/dist/secrets-vault-migrate.d.ts +71 -0
package/dist/secrets-vault-migrate.js +258 -0
package/dist/secrets-vault-migrate.js.map +1 -0
package/dist/secrets.d.ts +16 -0
package/dist/secrets.js +72 -0
package/dist/secrets.js.map +1 -0
package/dist/security-hardening.d.ts +150 -0
package/dist/security-hardening.js +275 -0
package/dist/security-hardening.js.map +1 -0
package/dist/security-policy.d.ts +89 -0
package/dist/security-policy.js +174 -0
package/dist/security-policy.js.map +1 -0
package/dist/security-prescan.d.ts +117 -0
package/dist/security-prescan.js +566 -0
package/dist/security-prescan.js.map +1 -0
package/dist/sentry-adapter.d.ts +49 -0
package/dist/sentry-adapter.js +227 -0
package/dist/sentry-adapter.js.map +1 -0
package/dist/service-adapter.d.ts +94 -0
package/dist/service-adapter.js +162 -0
package/dist/service-adapter.js.map +1 -0
package/dist/skills.d.ts +13 -0
package/dist/skills.js +17 -0
package/dist/skills.js.map +1 -0
package/dist/sla-monitor.d.ts +107 -0
package/dist/sla-monitor.js +233 -0
package/dist/sla-monitor.js.map +1 -0
package/dist/stack-detector.d.ts +12 -0
package/dist/stack-detector.js +251 -0
package/dist/stack-detector.js.map +1 -0
package/dist/team-model.d.ts +58 -0
package/dist/team-model.js +83 -0
package/dist/team-model.js.map +1 -0
package/dist/team-service.d.ts +54 -0
package/dist/team-service.js +206 -0
package/dist/team-service.js.map +1 -0
package/dist/toml-generator.d.ts +8 -0
package/dist/toml-generator.js +223 -0
package/dist/toml-generator.js.map +1 -0
package/dist/triage-sandbox.d.ts +34 -0
package/dist/triage-sandbox.js +167 -0
package/dist/triage-sandbox.js.map +1 -0
package/dist/triage.d.ts +30 -0
package/dist/triage.js +79 -0
package/dist/triage.js.map +1 -0
package/dist/update-check.d.ts +13 -0
package/dist/update-check.js +91 -0
package/dist/update-check.js.map +1 -0
package/dist/utils/colors.d.ts +14 -0
package/dist/utils/colors.js +15 -0
package/dist/utils/colors.js.map +1 -0
package/dist/utils/didYouMean.d.ts +15 -0
package/dist/utils/didYouMean.js +47 -0
package/dist/utils/didYouMean.js.map +1 -0
package/dist/utils/exec.d.ts +21 -0
package/dist/utils/exec.js +23 -0
package/dist/utils/exec.js.map +1 -0
package/dist/utils/execFileNoThrow.d.ts +14 -0
package/dist/utils/execFileNoThrow.js +29 -0
package/dist/utils/execFileNoThrow.js.map +1 -0
package/dist/utils/flags.d.ts +19 -0
package/dist/utils/flags.js +36 -0
package/dist/utils/flags.js.map +1 -0
package/dist/utils/parseCommand.d.ts +16 -0
package/dist/utils/parseCommand.js +13 -0
package/dist/utils/parseCommand.js.map +1 -0
package/dist/utils/prompt.d.ts +13 -0
package/dist/utils/prompt.js +35 -0
package/dist/utils/prompt.js.map +1 -0
package/dist/utils/promptSelect.d.ts +19 -0
package/dist/utils/promptSelect.js +89 -0
package/dist/utils/promptSelect.js.map +1 -0
package/dist/utils/redactSecrets.d.ts +24 -0
package/dist/utils/redactSecrets.js +134 -0
package/dist/utils/redactSecrets.js.map +1 -0
package/dist/validation/dynamic-schema.d.ts +29 -0
package/dist/validation/dynamic-schema.js +76 -0
package/dist/validation/dynamic-schema.js.map +1 -0
package/package.json +52 -0

package/dist/secret-expiration.js ADDED Viewed

@@ -0,0 +1,172 @@
+import { mergeGovernanceConfig } from "./governance.js";
+import { exec } from "./utils/exec.js";
+/**
+ * Check if secrets are expiring or expired.
+ * Queries expiration metadata from secret stores and config-based hints.
+ */
+export async function checkSecretExpiration(config, secretKeys, secretsConfig) {
+    const fullConfig = mergeGovernanceConfig(config);
+    if (!fullConfig.secrets?.check_expiration) {
+        return [];
+    }
+    const expirations = [];
+    const warnDays = fullConfig.secrets.warn_days_before_expiry || 30;
+    for (const key of secretKeys) {
+        const keyConfig = secretsConfig?.keys?.[key];
+        const expiration = await getSecretExpiration(key, keyConfig, secretsConfig);
+        if (expiration) {
+            const daysUntilExpiry = calculateDaysUntilExpiry(expiration);
+            const expired = daysUntilExpiry !== null && daysUntilExpiry < 0;
+            const warning = daysUntilExpiry !== null &&
+                daysUntilExpiry >= 0 &&
+                daysUntilExpiry <= warnDays;
+            expirations.push({
+                key,
+                expiry_date: expiration,
+                days_until_expiry: daysUntilExpiry ?? undefined,
+                expired,
+                warning,
+            });
+        }
+    }
+    return expirations;
+}
+/**
+ * Dispatch to the appropriate store adapter to fetch expiration metadata.
+ * Falls back to config-based env var hints for stores that don't support
+ * native expiration (Infisical, Doppler, Bitwarden, env).
+ */
+async function getSecretExpiration(key, keyConfig, secretsConfig) {
+    const source = keyConfig?.source ?? secretsConfig?.store ?? "env";
+    switch (source) {
+        case "1password": {
+            const ref = keyConfig?.ref;
+            if (ref) {
+                const expires = await get1PasswordExpiration(ref);
+                if (expires !== null)
+                    return expires;
+            }
+            // Fall back to env hint if op returns no expiry data
+            return getEnvExpirationHint(key);
+        }
+        case "infisical":
+            // Infisical does not expose native per-secret expiration via CLI.
+            // Rely on the operator setting the env var hint.
+            return getEnvExpirationHint(key);
+        case "doppler":
+            // Doppler secrets do not have per-secret expiration dates.
+            // Rely on the operator setting the env var hint.
+            return getEnvExpirationHint(key);
+        case "bitwarden":
+            // Bitwarden item expiration is not exposed via CLI secret reads.
+            // Rely on the operator setting the env var hint.
+            return getEnvExpirationHint(key);
+        default:
+            // For env, config, eas, and any unknown source use env hint only.
+            return getEnvExpirationHint(key);
+    }
+}
+/**
+ * Read a config-based expiration hint from environment variable.
+ *
+ * Convention: set `<KEY>_EXPIRES_AT=<ISO-date>` to declare expiration
+ * for any secret, regardless of which store it lives in. This is the
+ * universal fallback for stores that do not expose expiration metadata.
+ *
+ * Example: API_KEY_EXPIRES_AT=2026-12-31T00:00:00Z
+ */
+export function getEnvExpirationHint(key) {
+    const envVarName = `${key.toUpperCase()}_EXPIRES_AT`;
+    const value = process.env[envVarName];
+    if (!value)
+        return null;
+    const date = new Date(value);
+    if (isNaN(date.getTime())) {
+        console.warn(`[kit] Invalid expiration date for ${key}: ${value}`);
+        return null;
+    }
+    return date.toISOString();
+}
+/**
+ * Fetch expiration date from a 1Password item.
+ *
+ * Parses refs in the format `op://vault/item/field` or `vault/item`.
+ * Calls `op item get <item> --vault <vault> --format json` and returns
+ * the `expires` field if present.
+ *
+ * Returns null if the item has no expiry, if op is unavailable, or if
+ * the ref cannot be parsed.
+ */
+export async function get1PasswordExpiration(ref) {
+    try {
+        // Parse "op://vault/item/field" or "vault/item" or "op://vault/item"
+        const cleaned = ref.startsWith("op://") ? ref.slice(5) : ref;
+        const parts = cleaned.split("/");
+        if (parts.length < 2)
+            return null;
+        const [vault, item] = parts;
+        if (!vault || !item)
+            return null;
+        const { stdout } = await exec("op", ["item", "get", item, "--vault", vault, "--format", "json"], { timeout: 10_000 });
+        const data = JSON.parse(stdout);
+        return data.expires ?? null;
+    }
+    catch {
+        // op CLI not available, not signed in, or item has no expiry field
+        return null;
+    }
+}
+/**
+ * Calculate days until expiration (negative = already expired)
+ */
+function calculateDaysUntilExpiry(expiryDate) {
+    try {
+        const expiry = new Date(expiryDate);
+        const now = new Date();
+        const diffMs = expiry.getTime() - now.getTime();
+        const diffDays = Math.ceil(diffMs / (1000 * 60 * 60 * 24));
+        return diffDays;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Format secret expiration warnings for display
+ */
+export function formatSecretExpirationWarnings(expirations) {
+    const expired = expirations.filter((e) => e.expired);
+    const warning = expirations.filter((e) => e.warning);
+    if (expired.length === 0 && warning.length === 0) {
+        return "All secrets are current (no expiration warnings).";
+    }
+    const lines = [];
+    if (expired.length > 0) {
+        lines.push("⚠️  EXPIRED SECRETS:");
+        for (const e of expired) {
+            lines.push(`  ✗ ${e.key} expired ${Math.abs(e.days_until_expiry || 0)} days ago`);
+        }
+        lines.push("");
+    }
+    if (warning.length > 0) {
+        lines.push("⚠️  EXPIRING SOON:");
+        for (const w of warning) {
+            lines.push(`  ! ${w.key} expires in ${w.days_until_expiry} days`);
+        }
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+/**
+ * Check if any secrets are expired (blocking check)
+ */
+export function hasExpiredSecrets(expirations) {
+    return expirations.some((e) => e.expired);
+}
+/**
+ * Check if any secrets have warnings
+ */
+export function hasSecretWarnings(expirations) {
+    return expirations.some((e) => e.warning);
+}
+//# sourceMappingURL=secret-expiration.js.map

package/dist/secret-expiration.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secret-expiration.js","sourceRoot":"","sources":["../src/secret-expiration.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAWvC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAoC,EACpC,UAAoB,EACpB,aAA6B;IAE7B,MAAM,UAAU,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAEjD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,gBAAgB,EAAE,CAAC;QAC1C,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,WAAW,GAAuB,EAAE,CAAC;IAC3C,MAAM,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAC,uBAAuB,IAAI,EAAE,CAAC;IAElE,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAG,aAAa,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC;QAC7C,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAAC,GAAG,EAAE,SAAS,EAAE,aAAa,CAAC,CAAC;QAE5E,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,eAAe,GAAG,wBAAwB,CAAC,UAAU,CAAC,CAAC;YAC7D,MAAM,OAAO,GAAG,eAAe,KAAK,IAAI,IAAI,eAAe,GAAG,CAAC,CAAC;YAChE,MAAM,OAAO,GACX,eAAe,KAAK,IAAI;gBACxB,eAAe,IAAI,CAAC;gBACpB,eAAe,IAAI,QAAQ,CAAC;YAE9B,WAAW,CAAC,IAAI,CAAC;gBACf,GAAG;gBACH,WAAW,EAAE,UAAU;gBACvB,iBAAiB,EAAE,eAAe,IAAI,SAAS;gBAC/C,OAAO;gBACP,OAAO;aACR,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,mBAAmB,CAChC,GAAW,EACX,SAA2B,EAC3B,aAA6B;IAE7B,MAAM,MAAM,GAAG,SAAS,EAAE,MAAM,IAAI,aAAa,EAAE,KAAK,IAAI,KAAK,CAAC;IAElE,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,GAAG,GAAG,SAAS,EAAE,GAAG,CAAC;YAC3B,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,GAAG,CAAC,CAAC;gBAClD,IAAI,OAAO,KAAK,IAAI;oBAAE,OAAO,OAAO,CAAC;YACvC,CAAC;YACD,qDAAqD;YACrD,OAAO,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACnC,CAAC;QAED,KAAK,WAAW;YACd,kEAAkE;YAClE,iDAAiD;YACjD,OAAO,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAEnC,KAAK,SAAS;YACZ,2DAA2D;YAC3D,iDAAiD;YACjD,OAAO,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAEnC,KAAK,WAAW;YACd,iEAAiE;YACjE,iDAAiD;YACjD,OAAO,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAEnC;YACE,kEAAkE;YAClE,OAAO,oBAAoB,CAAC,GAAG,CAAC,CAAC;IACrC,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,MAAM,UAAU,GAAG,GAAG,GAAG,CAAC,WAAW,EAAE,aAAa,CAAC;IACrD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACtC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,IAAI,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,IAAI,CAAC,qCAAqC,GAAG,KAAK,KAAK,EAAE,CAAC,CAAC;QACnE,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,GAAW;IACtD,IAAI,CAAC;QACH,qEAAqE;QACrE,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC7D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAElC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC;QAC5B,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QAEjC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,IAAI,EACJ,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,CAAC,EAC3D,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;QAEF,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAyB,CAAC;QACxD,OAAO,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,mEAAmE;QACnE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,UAAkB;IAClD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC;QACpC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;QAC3D,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAC5C,WAA+B;IAE/B,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IAErD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjD,OAAO,mDAAmD,CAAC;IAC7D,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QACnC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,YAAY,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAiB,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC;QACpF,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QACjC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,eAAe,CAAC,CAAC,iBAAiB,OAAO,CAAC,CAAC;QACpE,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAA+B;IAC/D,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,WAA+B;IAC/D,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;AAC5C,CAAC"}

package/dist/secrets-migrate.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+import type { SecretsConfig } from "./config.js";
+import { type PlaintextHit } from "./scan-plaintext.js";
+import { type WriteResult } from "./secret-backends.js";
+/**
+ * Conservative env-var-style identifier check.
+ *
+ * Keys from `.env*` flow straight into CLI argv (e.g. `aws secretsmanager
+ * create-secret --name <KEY>`). Without this guard a malicious or just
+ * malformed file could smuggle in `--ignore-checks` or `-i` and have the
+ * sink CLI reinterpret it as a flag. The shape we accept is exactly what
+ * env-var parsers require: leading [A-Za-z_], rest [A-Za-z0-9_].
+ */
+export declare function isValidKeyName(key: string): boolean;
+/** Escapes a string for safe embedding in a `new RegExp(...)` pattern. */
+export declare function escapeRegex(literal: string): string;
+export interface MigrationRecord {
+    key: string;
+    source: string;
+    vault: string;
+    written: boolean;
+    cleaned: boolean;
+    detail: string;
+}
+export interface MigrationPlan {
+    hits: PlaintextHit[];
+    /** Map of derived KEY-name → value as read from source file. */
+    keyValues: Map<string, {
+        value: string;
+        source: string;
+    }>;
+}
+export interface PlanMigrationOptions {
+    /** Only include keys whose VALUE matches a credential pattern. Off by default. */
+    secretsOnly?: boolean;
+}
+/**
+ * Builds a migration plan by re-scanning for plaintext, then extracting
+ * the actual VAR=VALUE pairs from .env-style files. Only KEY=VALUE lines
+ * are migratable; embedded credentials inside scripts or JSON need manual
+ * cleanup and are listed in the returned plan as `hits` only (no entry in
+ * keyValues).
+ */
+export declare function planMigration(cwd?: string, opts?: PlanMigrationOptions): Promise<MigrationPlan>;
+/**
+ * Writes a single key/value to the configured backend. Returns whether the
+ * write succeeded. Per-backend create-or-update semantics live in the
+ * {@link writeViaBackend} registry — this wrapper owns the cross-cutting
+ * guards: read-only refusal, key-name validation, and error redaction.
+ */
+export declare function writeSecretToBackend(store: SecretsConfig["store"], key: string, value: string, opts?: {
+    vault?: string;
+    project?: string;
+    region?: string;
+    vaultPath?: string;
+}): Promise<WriteResult>;
+/**
+ * Post-migration treatment for a key's line in an .env-style file.
+ *
+ *   "blank"  — replace `KEY=value` with `KEY=` so the var name is still
+ *              visible (devs see what's required) but the plaintext is
+ *              gone. Default. Closes the silent-leak hole where a
+ *              commented `# KEY=value` line still ships the secret to
+ *              backups / agent transcripts / code review tools.
+ *
+ *   "comment" — `# migrated by kit → vault: KEY=value`. Preserves the
+ *               original value for easy rollback. Use ONLY when you
+ *               actively need to revert; pass `mode: "comment"` explicitly.
+ *
+ *   "delete" — drop the line entirely. Cleanest, but devs lose the
+ *              required-var hint.
+ */
+export type PostMigrateMode = "blank" | "comment" | "delete";
+export declare function commentOutInFile(filePath: string, keys: string[], mode?: PostMigrateMode): Promise<{
+    changed: number;
+}>;

package/dist/secrets-migrate.js ADDED Viewed

@@ -0,0 +1,185 @@
+import { readFile, writeFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { scanPlaintextSecrets } from "./scan-plaintext.js";
+import { redactSecrets } from "./utils/redactSecrets.js";
+import { writeViaBackend } from "./secret-backends.js";
+/**
+ * Conservative env-var-style identifier check.
+ *
+ * Keys from `.env*` flow straight into CLI argv (e.g. `aws secretsmanager
+ * create-secret --name <KEY>`). Without this guard a malicious or just
+ * malformed file could smuggle in `--ignore-checks` or `-i` and have the
+ * sink CLI reinterpret it as a flag. The shape we accept is exactly what
+ * env-var parsers require: leading [A-Za-z_], rest [A-Za-z0-9_].
+ */
+export function isValidKeyName(key) {
+    return /^[A-Za-z_][A-Za-z0-9_]*$/.test(key) && key.length <= 128;
+}
+/** Escapes a string for safe embedding in a `new RegExp(...)` pattern. */
+export function escapeRegex(literal) {
+    return literal.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+/**
+ * Sanitizes the `err.message` we get from a child_process failure before
+ * surfacing it to the user. execFile errors include the full argv on the
+ * `cmd` property AND interpolate it into `err.message`, so a failed write
+ * leaks the secret unless we redact. We keep the first line for diagnostic
+ * value but strip anything matching a known secret pattern.
+ */
+function safeErrorMessage(err, knownSecrets = []) {
+    let raw = err instanceof Error ? err.message.split("\n")[0] : String(err);
+    // Exact-substring redaction for values we hold — deterministic and
+    // shape-independent. Pattern redaction alone fails open for lowercase-keyed
+    // values, bare `--value <secret>` argv tokens, and URL-shaped secrets.
+    for (const s of knownSecrets) {
+        if (s)
+            raw = raw.split(s).join("[REDACTED]");
+    }
+    // Pattern redaction as defense-in-depth for secret shapes we don't hold.
+    return redactSecrets(raw);
+}
+/**
+ * Default .env files to scan. Mirrors the file list scan-plaintext.ts
+ * targets but we walk them directly here so the plan includes EVERY
+ * env-var-shaped KEY=VALUE pair, not only the ones whose value happens
+ * to match a SECRET_PATTERN. Project-level configs like
+ * `NEXT_PUBLIC_SUPABASE_URL`, `RESEND_FROM_EMAIL`, region/IDs etc. are
+ * needed by the app even though they aren't credentials; the previous
+ * secret-only filter dropped them and left the app non-functional after
+ * migration.
+ */
+const ENV_FILES_TO_SCAN = [
+    ".env",
+    ".env.local",
+    ".env.development",
+    ".env.production",
+    ".env.staging",
+    ".env.test",
+    ".env.preview",
+];
+/**
+ * Builds a migration plan by re-scanning for plaintext, then extracting
+ * the actual VAR=VALUE pairs from .env-style files. Only KEY=VALUE lines
+ * are migratable; embedded credentials inside scripts or JSON need manual
+ * cleanup and are listed in the returned plan as `hits` only (no entry in
+ * keyValues).
+ */
+export async function planMigration(cwd = process.cwd(), opts = {}) {
+    const hits = await scanPlaintextSecrets(cwd);
+    const keyValues = new Map();
+    for (const file of ENV_FILES_TO_SCAN) {
+        let text;
+        try {
+            text = await readFile(resolve(cwd, file), "utf-8");
+        }
+        catch {
+            continue;
+        }
+        for (const rawLine of text.split("\n")) {
+            const line = rawLine.trim();
+            if (!line || line.startsWith("#"))
+                continue;
+            const eq = line.indexOf("=");
+            if (eq <= 0)
+                continue;
+            const key = line.slice(0, eq).trim();
+            let value = line.slice(eq + 1).trim();
+            // Strip simple quotes
+            if ((value.startsWith('"') && value.endsWith('"')) ||
+                (value.startsWith("'") && value.endsWith("'"))) {
+                value = value.slice(1, -1);
+            }
+            if (!value)
+                continue;
+            // Reject anything that isn't an env-var-shaped name — keeps `-x` /
+            // `--something` style identifiers out of the migration plan before
+            // they reach the sink CLI.
+            if (!isValidKeyName(key))
+                continue;
+            // Optional secrets-only filter — restores the historical behavior
+            // for callers that explicitly want it. Default migrates everything
+            // so vault becomes the single source of truth.
+            if (opts.secretsOnly && redactSecrets(value) === value)
+                continue;
+            keyValues.set(key, { value, source: file });
+        }
+    }
+    return { hits, keyValues };
+}
+/**
+ * Writes a single key/value to the configured backend. Returns whether the
+ * write succeeded. Per-backend create-or-update semantics live in the
+ * {@link writeViaBackend} registry — this wrapper owns the cross-cutting
+ * guards: read-only refusal, key-name validation, and error redaction.
+ */
+export async function writeSecretToBackend(store, key, value, opts = {}) {
+    // Read-only mode: refuse + audit-log before any backend touches the secret.
+    const { isReadOnlyMode, refuseWrite } = await import("./read-only-mode.js");
+    if (isReadOnlyMode()) {
+        const refusal = await refuseWrite("write-secret-to-backend", {
+            store,
+            key,
+        });
+        return { ok: false, detail: refusal.reason };
+    }
+    // Reject anything that doesn't look like a normal env-var name BEFORE it
+    // becomes argv. See isValidKeyName comment for rationale.
+    if (!isValidKeyName(key)) {
+        return {
+            ok: false,
+            detail: `invalid key name "${key}" — must match ^[A-Za-z_][A-Za-z0-9_]*$`,
+        };
+    }
+    try {
+        return await writeViaBackend(String(store), key, value, opts);
+    }
+    catch (err) {
+        // Pass the plaintext value so a failed backend write can't leak it verbatim,
+        // regardless of key casing or the flag shape the CLI used.
+        return { ok: false, detail: `write failed: ${safeErrorMessage(err, [value])}` };
+    }
+}
+export async function commentOutInFile(filePath, keys, mode = "blank") {
+    let text;
+    try {
+        text = await readFile(filePath, "utf-8");
+    }
+    catch {
+        return { changed: 0 };
+    }
+    let changed = 0;
+    // Only act on env-var-shaped keys; same validation we use for writeSecretToBackend.
+    const validKeys = keys.filter(isValidKeyName);
+    const out = [];
+    for (const line of text.split("\n")) {
+        let matched = false;
+        for (const key of validKeys) {
+            // Key is regex-safe after isValidKeyName, but escape defensively in
+            // case the validator is ever relaxed.
+            const re = new RegExp(`^(\\s*)${escapeRegex(key)}\\s*=`);
+            if (re.test(line)) {
+                matched = true;
+                changed++;
+                if (mode === "delete") {
+                    // Skip the line entirely.
+                }
+                else if (mode === "comment") {
+                    out.push(`# migrated by kit → vault: ${line.replace(/^\s+/, "")}`);
+                }
+                else {
+                    // "blank" — keep KEY=, drop value. Preserve leading whitespace.
+                    const prefix = line.match(/^\s*/)?.[0] ?? "";
+                    out.push(`${prefix}${key}=  # value migrated to vault`);
+                }
+                break;
+            }
+        }
+        if (!matched)
+            out.push(line);
+    }
+    if (changed > 0) {
+        await writeFile(filePath, out.join("\n"), "utf-8");
+    }
+    return { changed };
+}
+//# sourceMappingURL=secrets-migrate.js.map

package/dist/secrets-migrate.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secrets-migrate.js","sourceRoot":"","sources":["../src/secrets-migrate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,oBAAoB,EAAqB,MAAM,qBAAqB,CAAC;AAC9E,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,eAAe,EAAoB,MAAM,sBAAsB,CAAC;AAGzE;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,OAAO,0BAA0B,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC;AACnE,CAAC;AAED,0EAA0E;AAC1E,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,OAAO,OAAO,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;GAMG;AACH,SAAS,gBAAgB,CAAC,GAAY,EAAE,eAAyB,EAAE;IACjE,IAAI,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC1E,mEAAmE;IACnE,4EAA4E;IAC5E,uEAAuE;IACvE,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC;YAAE,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC/C,CAAC;IACD,yEAAyE;IACzE,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC;AAiBD;;;;;;;;;GASG;AACH,MAAM,iBAAiB,GAAG;IACxB,MAAM;IACN,YAAY;IACZ,kBAAkB;IAClB,iBAAiB;IACjB,cAAc;IACd,WAAW;IACX,cAAc;CACf,CAAC;AAOF;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,OAA6B,EAAE;IAE/B,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,IAAI,GAAG,EAA6C,CAAC;IAEvE,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,IAAI,IAAY,CAAC;QACjB,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;QACrD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC5C,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,EAAE,IAAI,CAAC;gBAAE,SAAS;YACtB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACrC,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACtC,sBAAsB;YACtB,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;gBAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;gBACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,CAAC,KAAK;gBAAE,SAAS;YACrB,mEAAmE;YACnE,mEAAmE;YACnE,2BAA2B;YAC3B,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC;gBAAE,SAAS;YACnC,kEAAkE;YAClE,mEAAmE;YACnE,+CAA+C;YAC/C,IAAI,IAAI,CAAC,WAAW,IAAI,aAAa,CAAC,KAAK,CAAC,KAAK,KAAK;gBAAE,SAAS;YACjE,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;AAC7B,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,KAA6B,EAC7B,GAAW,EACX,KAAa,EACb,OAAkF,EAAE;IAEpF,4EAA4E;IAC5E,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAC5E,IAAI,cAAc,EAAE,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,yBAAyB,EAAE;YAC3D,KAAK;YACL,GAAG;SACJ,CAAC,CAAC;QACH,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;IAC/C,CAAC;IACD,yEAAyE;IACzE,0DAA0D;IAC1D,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,qBAAqB,GAAG,yCAAyC;SAC1E,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,eAAe,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IAChE,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,6EAA6E;QAC7E,2DAA2D;QAC3D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,gBAAgB,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;IAClF,CAAC;AACH,CAAC;AAoBD,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,QAAgB,EAChB,IAAc,EACd,OAAwB,OAAO;IAE/B,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;IACxB,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,oFAAoF;IACpF,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;YAC5B,oEAAoE;YACpE,sCAAsC;YACtC,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,UAAU,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACzD,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClB,OAAO,GAAG,IAAI,CAAC;gBACf,OAAO,EAAE,CAAC;gBACV,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;oBACtB,0BAA0B;gBAC5B,CAAC;qBAAM,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBAC9B,GAAG,CAAC,IAAI,CAAC,8BAA8B,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;gBACrE,CAAC;qBAAM,CAAC;oBACN,gEAAgE;oBAChE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC7C,GAAG,CAAC,IAAI,CAAC,GAAG,MAAM,GAAG,GAAG,8BAA8B,CAAC,CAAC;gBAC1D,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,CAAC,OAAO;YAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,MAAM,SAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,CAAC;AACrB,CAAC"}

package/dist/secrets-model.d.ts ADDED Viewed

@@ -0,0 +1,77 @@
+/**
+ * Secrets Management System — data models
+ * Encrypted storage, key rotation, secret sharing, audit trails
+ */
+export type SecretType = "api_key" | "password" | "oauth_token" | "database_url" | "ssh_key" | "certificate" | "custom";
+export type RotationPolicy = "never" | "30d" | "60d" | "90d" | "manual";
+export type AccessLevel = "owner" | "admin" | "team" | "shared";
+export interface Secret {
+    id: string;
+    team_id: string;
+    name: string;
+    description?: string;
+    type: SecretType;
+    encrypted_value: string;
+    encryption_key_id: string;
+    access_level: AccessLevel;
+    created_by: string;
+    created_at: string;
+    updated_at: string;
+    expires_at?: string;
+    rotation_policy: RotationPolicy;
+    last_rotated_at?: string;
+    next_rotation_at?: string;
+    tags?: string[];
+}
+export interface EncryptionKey {
+    id: string;
+    team_id: string;
+    key_version: number;
+    algorithm: "aes-256-gcm" | "aes-256-cbc";
+    created_at: string;
+    rotated_at?: string;
+    retired_at?: string;
+    status: "active" | "retired";
+}
+export interface SecretShare {
+    id: string;
+    secret_id: string;
+    team_id: string;
+    shared_by: string;
+    shared_with_user_id?: string;
+    shared_with_team_id?: string;
+    access_expires_at?: string;
+    one_time: boolean;
+    accessed_at?: string;
+    created_at: string;
+}
+export interface SecretAccessLog {
+    id: string;
+    secret_id: string;
+    team_id: string;
+    user_id: string;
+    action: "read" | "created" | "rotated" | "shared" | "revoked" | "deleted";
+    ip_address?: string;
+    user_agent?: string;
+    status: "success" | "denied";
+    reason?: string;
+    timestamp: string;
+}
+export interface RotationHistory {
+    id: string;
+    secret_id: string;
+    team_id: string;
+    rotated_by: string;
+    old_key_id: string;
+    new_key_id: string;
+    rotated_at: string;
+    reason: "scheduled" | "manual" | "compromised";
+}
+export interface VaultMetrics {
+    total_secrets: number;
+    secrets_by_type: Record<SecretType, number>;
+    expiring_soon: number;
+    pending_rotation: number;
+    total_shares: number;
+    active_keys: number;
+}

package/dist/secrets-model.js ADDED Viewed

@@ -0,0 +1,6 @@
+/**
+ * Secrets Management System — data models
+ * Encrypted storage, key rotation, secret sharing, audit trails
+ */
+export {};
+//# sourceMappingURL=secrets-model.js.map

package/dist/secrets-model.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"secrets-model.js","sourceRoot":"","sources":["../src/secrets-model.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/secrets-onecli.d.ts ADDED Viewed

@@ -0,0 +1,65 @@
+/**
+ * OneCLI integration (https://github.com/onecli/onecli).
+ *
+ * OneCLI is a local HTTP gateway that intercepts outbound agent requests and
+ * injects credentials. Agents see a placeholder; the gateway swaps it for the
+ * real value at egress. This module lets `kit secrets` register entries
+ * with OneCLI directly, so the real credential lives in OneCLI's encrypted
+ * store and never reaches the agent process.
+ *
+ * Auth: API key in `ONECLI_API_KEY` (Bearer oc_*) — generate from the web UI
+ * at http://localhost:10254/settings/api-keys before first use.
+ */
+export interface OneCliConfig {
+    apiUrl: string;
+    gatewayUrl: string;
+    apiKey?: string;
+}
+export declare function resolveOneCliConfig(): OneCliConfig;
+export interface OneCliStatus {
+    reachable: boolean;
+    authenticated: boolean;
+    apiUrl: string;
+    gatewayUrl: string;
+    version?: string;
+    error?: string;
+}
+export declare function checkOneCliStatus(cfg?: OneCliConfig): Promise<OneCliStatus>;
+export interface RegisterSecretInput {
+    /** Display name in OneCLI (typically the env-var name, e.g. STRIPE_SECRET_KEY) */
+    name: string;
+    /** The real credential value to store encrypted */
+    value: string;
+    /** Hostname pattern (no scheme, no path) — e.g. "api.stripe.com" */
+    hostPattern: string;
+    /** Optional path pattern (e.g. "/v1/*") */
+    pathPattern?: string;
+    /**
+     * Where to inject the value. Default mirrors most APIs:
+     * `{ headerName: "Authorization", valueFormat: "Bearer {value}" }`.
+     * Pass null to use OneCLI's automatic detection.
+     */
+    injectionConfig?: {
+        headerName: string;
+        valueFormat?: string;
+    } | null;
+}
+export interface RegisterSecretResult {
+    id: string;
+    name: string;
+}
+/**
+ * Registers a secret with OneCLI. Returns the created secret's id.
+ *
+ * Caller is responsible for writing a placeholder to `.env.local` separately —
+ * OneCLI doesn't generate or return one, since the gateway matches by host
+ * pattern, not by placeholder value.
+ */
+export declare function registerSecretInOneCli(input: RegisterSecretInput, cfg?: OneCliConfig): Promise<RegisterSecretResult>;
+/**
+ * Generates a placeholder value to write into `.env.local`. The actual value
+ * is irrelevant to OneCLI — the gateway matches by host pattern — but a
+ * recognizable prefix (`PCLI_`) helps grep/audit tooling identify which
+ * env vars are gateway-routed.
+ */
+export declare function generatePlaceholder(): string;