sandstream-kit 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +617 -0
- package/dist/adapters/api-key-adapter.d.ts +35 -0
- package/dist/adapters/api-key-adapter.js +46 -0
- package/dist/adapters/api-key-adapter.js.map +1 -0
- package/dist/adapters/clerk-auth.d.ts +6 -0
- package/dist/adapters/clerk-auth.js +20 -0
- package/dist/adapters/clerk-auth.js.map +1 -0
- package/dist/adapters/cloudflare-r2.d.ts +6 -0
- package/dist/adapters/cloudflare-r2.js +136 -0
- package/dist/adapters/cloudflare-r2.js.map +1 -0
- package/dist/adapters/expo-eas.d.ts +6 -0
- package/dist/adapters/expo-eas.js +129 -0
- package/dist/adapters/expo-eas.js.map +1 -0
- package/dist/adapters/flagsmith-flags.d.ts +5 -0
- package/dist/adapters/flagsmith-flags.js +20 -0
- package/dist/adapters/flagsmith-flags.js.map +1 -0
- package/dist/adapters/flyio-hosting.d.ts +2 -0
- package/dist/adapters/flyio-hosting.js +143 -0
- package/dist/adapters/flyio-hosting.js.map +1 -0
- package/dist/adapters/index.d.ts +6 -0
- package/dist/adapters/index.js +48 -0
- package/dist/adapters/index.js.map +1 -0
- package/dist/adapters/inngest-background.d.ts +5 -0
- package/dist/adapters/inngest-background.js +19 -0
- package/dist/adapters/inngest-background.js.map +1 -0
- package/dist/adapters/liveblocks-realtime.d.ts +11 -0
- package/dist/adapters/liveblocks-realtime.js +62 -0
- package/dist/adapters/liveblocks-realtime.js.map +1 -0
- package/dist/adapters/loops-email.d.ts +6 -0
- package/dist/adapters/loops-email.js +18 -0
- package/dist/adapters/loops-email.js.map +1 -0
- package/dist/adapters/neon-db.d.ts +10 -0
- package/dist/adapters/neon-db.js +94 -0
- package/dist/adapters/neon-db.js.map +1 -0
- package/dist/adapters/planetscale-db.d.ts +11 -0
- package/dist/adapters/planetscale-db.js +134 -0
- package/dist/adapters/planetscale-db.js.map +1 -0
- package/dist/adapters/posthog-analytics.d.ts +6 -0
- package/dist/adapters/posthog-analytics.js +22 -0
- package/dist/adapters/posthog-analytics.js.map +1 -0
- package/dist/adapters/railway-hosting.d.ts +2 -0
- package/dist/adapters/railway-hosting.js +136 -0
- package/dist/adapters/railway-hosting.js.map +1 -0
- package/dist/adapters/resend-email.d.ts +35 -0
- package/dist/adapters/resend-email.js +109 -0
- package/dist/adapters/resend-email.js.map +1 -0
- package/dist/adapters/searxng-instance.d.ts +6 -0
- package/dist/adapters/searxng-instance.js +240 -0
- package/dist/adapters/searxng-instance.js.map +1 -0
- package/dist/adapters/sentry-monitoring.d.ts +7 -0
- package/dist/adapters/sentry-monitoring.js +27 -0
- package/dist/adapters/sentry-monitoring.js.map +1 -0
- package/dist/adapters/stripe-payments.d.ts +6 -0
- package/dist/adapters/stripe-payments.js +134 -0
- package/dist/adapters/stripe-payments.js.map +1 -0
- package/dist/adapters/supabase-db.d.ts +6 -0
- package/dist/adapters/supabase-db.js +130 -0
- package/dist/adapters/supabase-db.js.map +1 -0
- package/dist/adapters/tinybird-analytics.d.ts +5 -0
- package/dist/adapters/tinybird-analytics.js +20 -0
- package/dist/adapters/tinybird-analytics.js.map +1 -0
- package/dist/adapters/trigger-background.d.ts +6 -0
- package/dist/adapters/trigger-background.js +20 -0
- package/dist/adapters/trigger-background.js.map +1 -0
- package/dist/adapters/types.d.ts +7 -0
- package/dist/adapters/types.js +2 -0
- package/dist/adapters/types.js.map +1 -0
- package/dist/adapters/upstash-redis.d.ts +6 -0
- package/dist/adapters/upstash-redis.js +88 -0
- package/dist/adapters/upstash-redis.js.map +1 -0
- package/dist/adapters/vercel-hosting.d.ts +6 -0
- package/dist/adapters/vercel-hosting.js +112 -0
- package/dist/adapters/vercel-hosting.js.map +1 -0
- package/dist/agent-adapter-model.d.ts +108 -0
- package/dist/agent-adapter-model.js +6 -0
- package/dist/agent-adapter-model.js.map +1 -0
- package/dist/agent-adapter-service.d.ts +67 -0
- package/dist/agent-adapter-service.js +299 -0
- package/dist/agent-adapter-service.js.map +1 -0
- package/dist/agent-config.d.ts +56 -0
- package/dist/agent-config.js +129 -0
- package/dist/agent-config.js.map +1 -0
- package/dist/agent-governance-model.d.ts +128 -0
- package/dist/agent-governance-model.js +6 -0
- package/dist/agent-governance-model.js.map +1 -0
- package/dist/agent-governance-service.d.ts +101 -0
- package/dist/agent-governance-service.js +319 -0
- package/dist/agent-governance-service.js.map +1 -0
- package/dist/alert-rules-engine.d.ts +102 -0
- package/dist/alert-rules-engine.js +210 -0
- package/dist/alert-rules-engine.js.map +1 -0
- package/dist/analytics-service.d.ts +126 -0
- package/dist/analytics-service.js +318 -0
- package/dist/analytics-service.js.map +1 -0
- package/dist/analyze.d.ts +19 -0
- package/dist/analyze.js +311 -0
- package/dist/analyze.js.map +1 -0
- package/dist/apm-instrumentor.d.ts +119 -0
- package/dist/apm-instrumentor.js +225 -0
- package/dist/apm-instrumentor.js.map +1 -0
- package/dist/approval-model.d.ts +82 -0
- package/dist/approval-model.js +6 -0
- package/dist/approval-model.js.map +1 -0
- package/dist/approval-service.d.ts +39 -0
- package/dist/approval-service.js +236 -0
- package/dist/approval-service.js.map +1 -0
- package/dist/approval.d.ts +22 -0
- package/dist/approval.js +148 -0
- package/dist/approval.js.map +1 -0
- package/dist/audit-logging-model.d.ts +157 -0
- package/dist/audit-logging-model.js +6 -0
- package/dist/audit-logging-model.js.map +1 -0
- package/dist/audit-logging-service.d.ts +89 -0
- package/dist/audit-logging-service.js +367 -0
- package/dist/audit-logging-service.js.map +1 -0
- package/dist/audit-secrets.d.ts +42 -0
- package/dist/audit-secrets.js +126 -0
- package/dist/audit-secrets.js.map +1 -0
- package/dist/audit.d.ts +43 -0
- package/dist/audit.js +286 -0
- package/dist/audit.js.map +1 -0
- package/dist/author-dashboard.d.ts +84 -0
- package/dist/author-dashboard.js +204 -0
- package/dist/author-dashboard.js.map +1 -0
- package/dist/author-notifications.d.ts +130 -0
- package/dist/author-notifications.js +261 -0
- package/dist/author-notifications.js.map +1 -0
- package/dist/author-verification.d.ts +79 -0
- package/dist/author-verification.js +257 -0
- package/dist/author-verification.js.map +1 -0
- package/dist/autonomous-setup-model.d.ts +117 -0
- package/dist/autonomous-setup-model.js +6 -0
- package/dist/autonomous-setup-model.js.map +1 -0
- package/dist/autonomous-setup-service.d.ts +74 -0
- package/dist/autonomous-setup-service.js +325 -0
- package/dist/autonomous-setup-service.js.map +1 -0
- package/dist/badge-system.d.ts +70 -0
- package/dist/badge-system.js +210 -0
- package/dist/badge-system.js.map +1 -0
- package/dist/baseline.d.ts +34 -0
- package/dist/baseline.js +78 -0
- package/dist/baseline.js.map +1 -0
- package/dist/beta-program-service.d.ts +112 -0
- package/dist/beta-program-service.js +240 -0
- package/dist/beta-program-service.js.map +1 -0
- package/dist/budget.d.ts +34 -0
- package/dist/budget.js +159 -0
- package/dist/budget.js.map +1 -0
- package/dist/bumblebee.d.ts +143 -0
- package/dist/bumblebee.js +384 -0
- package/dist/bumblebee.js.map +1 -0
- package/dist/cache-manager.d.ts +97 -0
- package/dist/cache-manager.js +244 -0
- package/dist/cache-manager.js.map +1 -0
- package/dist/cdn-adapter.d.ts +64 -0
- package/dist/cdn-adapter.js +263 -0
- package/dist/cdn-adapter.js.map +1 -0
- package/dist/certification-workflow-model.d.ts +95 -0
- package/dist/certification-workflow-model.js +6 -0
- package/dist/certification-workflow-model.js.map +1 -0
- package/dist/certification-workflow-service.d.ts +72 -0
- package/dist/certification-workflow-service.js +305 -0
- package/dist/certification-workflow-service.js.map +1 -0
- package/dist/check-design.d.ts +38 -0
- package/dist/check-design.js +256 -0
- package/dist/check-design.js.map +1 -0
- package/dist/check-gitignore.d.ts +39 -0
- package/dist/check-gitignore.js +156 -0
- package/dist/check-gitignore.js.map +1 -0
- package/dist/check-hooks.d.ts +15 -0
- package/dist/check-hooks.js +72 -0
- package/dist/check-hooks.js.map +1 -0
- package/dist/check-lock.d.ts +16 -0
- package/dist/check-lock.js +94 -0
- package/dist/check-lock.js.map +1 -0
- package/dist/check-secrets.d.ts +11 -0
- package/dist/check-secrets.js +320 -0
- package/dist/check-secrets.js.map +1 -0
- package/dist/check-security.d.ts +13 -0
- package/dist/check-security.js +887 -0
- package/dist/check-security.js.map +1 -0
- package/dist/check-services.d.ts +10 -0
- package/dist/check-services.js +44 -0
- package/dist/check-services.js.map +1 -0
- package/dist/check-skills.d.ts +8 -0
- package/dist/check-skills.js +26 -0
- package/dist/check-skills.js.map +1 -0
- package/dist/check-tests.d.ts +43 -0
- package/dist/check-tests.js +175 -0
- package/dist/check-tests.js.map +1 -0
- package/dist/check-tools.d.ts +8 -0
- package/dist/check-tools.js +42 -0
- package/dist/check-tools.js.map +1 -0
- package/dist/check-web-search.d.ts +12 -0
- package/dist/check-web-search.js +168 -0
- package/dist/check-web-search.js.map +1 -0
- package/dist/ci-cd-publisher.d.ts +162 -0
- package/dist/ci-cd-publisher.js +319 -0
- package/dist/ci-cd-publisher.js.map +1 -0
- package/dist/cli.d.ts +2 -0
- package/dist/cli.js +4074 -0
- package/dist/cli.js.map +1 -0
- package/dist/clone.d.ts +25 -0
- package/dist/clone.js +73 -0
- package/dist/clone.js.map +1 -0
- package/dist/completions.d.ts +8 -0
- package/dist/completions.js +250 -0
- package/dist/completions.js.map +1 -0
- package/dist/compression-manager.d.ts +107 -0
- package/dist/compression-manager.js +250 -0
- package/dist/compression-manager.js.map +1 -0
- package/dist/config.d.ts +233 -0
- package/dist/config.js +255 -0
- package/dist/config.js.map +1 -0
- package/dist/context.d.ts +38 -0
- package/dist/context.js +86 -0
- package/dist/context.js.map +1 -0
- package/dist/cost-monitor.d.ts +72 -0
- package/dist/cost-monitor.js +218 -0
- package/dist/cost-monitor.js.map +1 -0
- package/dist/create-plugin.d.ts +22 -0
- package/dist/create-plugin.js +266 -0
- package/dist/create-plugin.js.map +1 -0
- package/dist/database.d.ts +123 -0
- package/dist/database.js +354 -0
- package/dist/database.js.map +1 -0
- package/dist/datadog-adapter.d.ts +60 -0
- package/dist/datadog-adapter.js +245 -0
- package/dist/datadog-adapter.js.map +1 -0
- package/dist/doctor.d.ts +15 -0
- package/dist/doctor.js +131 -0
- package/dist/doctor.js.map +1 -0
- package/dist/documentation-generator.d.ts +226 -0
- package/dist/documentation-generator.js +348 -0
- package/dist/documentation-generator.js.map +1 -0
- package/dist/elevation-scopes.d.ts +40 -0
- package/dist/elevation-scopes.js +110 -0
- package/dist/elevation-scopes.js.map +1 -0
- package/dist/elevation.d.ts +102 -0
- package/dist/elevation.js +449 -0
- package/dist/elevation.js.map +1 -0
- package/dist/env-diff.d.ts +27 -0
- package/dist/env-diff.js +104 -0
- package/dist/env-diff.js.map +1 -0
- package/dist/env-inspect.d.ts +28 -0
- package/dist/env-inspect.js +81 -0
- package/dist/env-inspect.js.map +1 -0
- package/dist/env-switch.d.ts +37 -0
- package/dist/env-switch.js +102 -0
- package/dist/env-switch.js.map +1 -0
- package/dist/environment.d.ts +27 -0
- package/dist/environment.js +148 -0
- package/dist/environment.js.map +1 -0
- package/dist/error-tracker.d.ts +92 -0
- package/dist/error-tracker.js +206 -0
- package/dist/error-tracker.js.map +1 -0
- package/dist/escalate.d.ts +11 -0
- package/dist/escalate.js +73 -0
- package/dist/escalate.js.map +1 -0
- package/dist/event-stream.d.ts +81 -0
- package/dist/event-stream.js +161 -0
- package/dist/event-stream.js.map +1 -0
- package/dist/fix.d.ts +42 -0
- package/dist/fix.js +419 -0
- package/dist/fix.js.map +1 -0
- package/dist/governance-middleware.d.ts +22 -0
- package/dist/governance-middleware.js +173 -0
- package/dist/governance-middleware.js.map +1 -0
- package/dist/governance.d.ts +44 -0
- package/dist/governance.js +236 -0
- package/dist/governance.js.map +1 -0
- package/dist/hooks.d.ts +25 -0
- package/dist/hooks.js +281 -0
- package/dist/hooks.js.map +1 -0
- package/dist/id-generator.d.ts +43 -0
- package/dist/id-generator.js +47 -0
- package/dist/id-generator.js.map +1 -0
- package/dist/image-optimizer.d.ts +92 -0
- package/dist/image-optimizer.js +202 -0
- package/dist/image-optimizer.js.map +1 -0
- package/dist/install.d.ts +15 -0
- package/dist/install.js +59 -0
- package/dist/install.js.map +1 -0
- package/dist/lock.d.ts +82 -0
- package/dist/lock.js +264 -0
- package/dist/lock.js.map +1 -0
- package/dist/login.d.ts +23 -0
- package/dist/login.js +132 -0
- package/dist/login.js.map +1 -0
- package/dist/mcp-kit-tools-model.d.ts +195 -0
- package/dist/mcp-kit-tools-model.js +6 -0
- package/dist/mcp-kit-tools-model.js.map +1 -0
- package/dist/mcp-kit-tools-service.d.ts +127 -0
- package/dist/mcp-kit-tools-service.js +943 -0
- package/dist/mcp-kit-tools-service.js.map +1 -0
- package/dist/mcp-orchestrator.d.ts +70 -0
- package/dist/mcp-orchestrator.js +175 -0
- package/dist/mcp-orchestrator.js.map +1 -0
- package/dist/mcp-server.d.ts +3 -0
- package/dist/mcp-server.js +722 -0
- package/dist/mcp-server.js.map +1 -0
- package/dist/middleware/rate-limiter.d.ts +74 -0
- package/dist/middleware/rate-limiter.js +342 -0
- package/dist/middleware/rate-limiter.js.map +1 -0
- package/dist/migration-runner.d.ts +66 -0
- package/dist/migration-runner.js +192 -0
- package/dist/migration-runner.js.map +1 -0
- package/dist/migrations.d.ts +25 -0
- package/dist/migrations.js +530 -0
- package/dist/migrations.js.map +1 -0
- package/dist/moderation-system.d.ts +153 -0
- package/dist/moderation-system.js +338 -0
- package/dist/moderation-system.js.map +1 -0
- package/dist/multi-agent-workflow-model.d.ts +125 -0
- package/dist/multi-agent-workflow-model.js +6 -0
- package/dist/multi-agent-workflow-model.js.map +1 -0
- package/dist/multi-agent-workflow-service.d.ts +102 -0
- package/dist/multi-agent-workflow-service.js +452 -0
- package/dist/multi-agent-workflow-service.js.map +1 -0
- package/dist/onepassword.d.ts +75 -0
- package/dist/onepassword.js +140 -0
- package/dist/onepassword.js.map +1 -0
- package/dist/open.d.ts +30 -0
- package/dist/open.js +166 -0
- package/dist/open.js.map +1 -0
- package/dist/output.d.ts +32 -0
- package/dist/output.js +295 -0
- package/dist/output.js.map +1 -0
- package/dist/partner-service.d.ts +101 -0
- package/dist/partner-service.js +191 -0
- package/dist/partner-service.js.map +1 -0
- package/dist/payout-service.d.ts +136 -0
- package/dist/payout-service.js +293 -0
- package/dist/payout-service.js.map +1 -0
- package/dist/pkg.d.ts +30 -0
- package/dist/pkg.js +162 -0
- package/dist/pkg.js.map +1 -0
- package/dist/plugin-loader.d.ts +16 -0
- package/dist/plugin-loader.js +124 -0
- package/dist/plugin-loader.js.map +1 -0
- package/dist/plugin-registry-model.d.ts +133 -0
- package/dist/plugin-registry-model.js +6 -0
- package/dist/plugin-registry-model.js.map +1 -0
- package/dist/plugin-registry-service.d.ts +109 -0
- package/dist/plugin-registry-service.js +361 -0
- package/dist/plugin-registry-service.js.map +1 -0
- package/dist/plugin-registry.d.ts +58 -0
- package/dist/plugin-registry.js +108 -0
- package/dist/plugin-registry.js.map +1 -0
- package/dist/plugin-updates.d.ts +135 -0
- package/dist/plugin-updates.js +326 -0
- package/dist/plugin-updates.js.map +1 -0
- package/dist/plugins-cli.d.ts +7 -0
- package/dist/plugins-cli.js +157 -0
- package/dist/plugins-cli.js.map +1 -0
- package/dist/plugins.d.ts +88 -0
- package/dist/plugins.js +251 -0
- package/dist/plugins.js.map +1 -0
- package/dist/policy.d.ts +66 -0
- package/dist/policy.js +160 -0
- package/dist/policy.js.map +1 -0
- package/dist/post-pull-audit.d.ts +39 -0
- package/dist/post-pull-audit.js +151 -0
- package/dist/post-pull-audit.js.map +1 -0
- package/dist/provision.d.ts +17 -0
- package/dist/provision.js +147 -0
- package/dist/provision.js.map +1 -0
- package/dist/query-optimizer.d.ts +102 -0
- package/dist/query-optimizer.js +199 -0
- package/dist/query-optimizer.js.map +1 -0
- package/dist/read-only-mode.d.ts +46 -0
- package/dist/read-only-mode.js +71 -0
- package/dist/read-only-mode.js.map +1 -0
- package/dist/redis-adapter.d.ts +71 -0
- package/dist/redis-adapter.js +278 -0
- package/dist/redis-adapter.js.map +1 -0
- package/dist/resilience-tests.d.ts +120 -0
- package/dist/resilience-tests.js +293 -0
- package/dist/resilience-tests.js.map +1 -0
- package/dist/revocation.d.ts +22 -0
- package/dist/revocation.js +100 -0
- package/dist/revocation.js.map +1 -0
- package/dist/run.d.ts +21 -0
- package/dist/run.js +80 -0
- package/dist/run.js.map +1 -0
- package/dist/scan-build.d.ts +18 -0
- package/dist/scan-build.js +100 -0
- package/dist/scan-build.js.map +1 -0
- package/dist/scan-plaintext.d.ts +24 -0
- package/dist/scan-plaintext.js +147 -0
- package/dist/scan-plaintext.js.map +1 -0
- package/dist/scan-staged.d.ts +15 -0
- package/dist/scan-staged.js +70 -0
- package/dist/scan-staged.js.map +1 -0
- package/dist/scan-transcripts.d.ts +23 -0
- package/dist/scan-transcripts.js +93 -0
- package/dist/scan-transcripts.js.map +1 -0
- package/dist/secret-backends.d.ts +50 -0
- package/dist/secret-backends.js +510 -0
- package/dist/secret-backends.js.map +1 -0
- package/dist/secret-expiration.d.ts +46 -0
- package/dist/secret-expiration.js +172 -0
- package/dist/secret-expiration.js.map +1 -0
- package/dist/secrets-migrate.d.ts +75 -0
- package/dist/secrets-migrate.js +185 -0
- package/dist/secrets-migrate.js.map +1 -0
- package/dist/secrets-model.d.ts +77 -0
- package/dist/secrets-model.js +6 -0
- package/dist/secrets-model.js.map +1 -0
- package/dist/secrets-onecli.d.ts +65 -0
- package/dist/secrets-onecli.js +113 -0
- package/dist/secrets-onecli.js.map +1 -0
- package/dist/secrets-propagate.d.ts +48 -0
- package/dist/secrets-propagate.js +201 -0
- package/dist/secrets-propagate.js.map +1 -0
- package/dist/secrets-pull.d.ts +34 -0
- package/dist/secrets-pull.js +118 -0
- package/dist/secrets-pull.js.map +1 -0
- package/dist/secrets-purge-history.d.ts +53 -0
- package/dist/secrets-purge-history.js +144 -0
- package/dist/secrets-purge-history.js.map +1 -0
- package/dist/secrets-rotate-cli.d.ts +54 -0
- package/dist/secrets-rotate-cli.js +438 -0
- package/dist/secrets-rotate-cli.js.map +1 -0
- package/dist/secrets-rotate.d.ts +38 -0
- package/dist/secrets-rotate.js +65 -0
- package/dist/secrets-rotate.js.map +1 -0
- package/dist/secrets-service.d.ts +73 -0
- package/dist/secrets-service.js +283 -0
- package/dist/secrets-service.js.map +1 -0
- package/dist/secrets-set.d.ts +25 -0
- package/dist/secrets-set.js +33 -0
- package/dist/secrets-set.js.map +1 -0
- package/dist/secrets-sync.d.ts +21 -0
- package/dist/secrets-sync.js +215 -0
- package/dist/secrets-sync.js.map +1 -0
- package/dist/secrets-validate.d.ts +41 -0
- package/dist/secrets-validate.js +126 -0
- package/dist/secrets-validate.js.map +1 -0
- package/dist/secrets-vault-migrate.d.ts +71 -0
- package/dist/secrets-vault-migrate.js +258 -0
- package/dist/secrets-vault-migrate.js.map +1 -0
- package/dist/secrets.d.ts +16 -0
- package/dist/secrets.js +72 -0
- package/dist/secrets.js.map +1 -0
- package/dist/security-hardening.d.ts +150 -0
- package/dist/security-hardening.js +275 -0
- package/dist/security-hardening.js.map +1 -0
- package/dist/security-policy.d.ts +89 -0
- package/dist/security-policy.js +174 -0
- package/dist/security-policy.js.map +1 -0
- package/dist/security-prescan.d.ts +117 -0
- package/dist/security-prescan.js +566 -0
- package/dist/security-prescan.js.map +1 -0
- package/dist/sentry-adapter.d.ts +49 -0
- package/dist/sentry-adapter.js +227 -0
- package/dist/sentry-adapter.js.map +1 -0
- package/dist/service-adapter.d.ts +94 -0
- package/dist/service-adapter.js +162 -0
- package/dist/service-adapter.js.map +1 -0
- package/dist/skills.d.ts +13 -0
- package/dist/skills.js +17 -0
- package/dist/skills.js.map +1 -0
- package/dist/sla-monitor.d.ts +107 -0
- package/dist/sla-monitor.js +233 -0
- package/dist/sla-monitor.js.map +1 -0
- package/dist/stack-detector.d.ts +12 -0
- package/dist/stack-detector.js +251 -0
- package/dist/stack-detector.js.map +1 -0
- package/dist/team-model.d.ts +58 -0
- package/dist/team-model.js +83 -0
- package/dist/team-model.js.map +1 -0
- package/dist/team-service.d.ts +54 -0
- package/dist/team-service.js +206 -0
- package/dist/team-service.js.map +1 -0
- package/dist/toml-generator.d.ts +8 -0
- package/dist/toml-generator.js +223 -0
- package/dist/toml-generator.js.map +1 -0
- package/dist/triage-sandbox.d.ts +34 -0
- package/dist/triage-sandbox.js +167 -0
- package/dist/triage-sandbox.js.map +1 -0
- package/dist/triage.d.ts +30 -0
- package/dist/triage.js +79 -0
- package/dist/triage.js.map +1 -0
- package/dist/update-check.d.ts +13 -0
- package/dist/update-check.js +91 -0
- package/dist/update-check.js.map +1 -0
- package/dist/utils/colors.d.ts +14 -0
- package/dist/utils/colors.js +15 -0
- package/dist/utils/colors.js.map +1 -0
- package/dist/utils/didYouMean.d.ts +15 -0
- package/dist/utils/didYouMean.js +47 -0
- package/dist/utils/didYouMean.js.map +1 -0
- package/dist/utils/exec.d.ts +21 -0
- package/dist/utils/exec.js +23 -0
- package/dist/utils/exec.js.map +1 -0
- package/dist/utils/execFileNoThrow.d.ts +14 -0
- package/dist/utils/execFileNoThrow.js +29 -0
- package/dist/utils/execFileNoThrow.js.map +1 -0
- package/dist/utils/flags.d.ts +19 -0
- package/dist/utils/flags.js +36 -0
- package/dist/utils/flags.js.map +1 -0
- package/dist/utils/parseCommand.d.ts +16 -0
- package/dist/utils/parseCommand.js +13 -0
- package/dist/utils/parseCommand.js.map +1 -0
- package/dist/utils/prompt.d.ts +13 -0
- package/dist/utils/prompt.js +35 -0
- package/dist/utils/prompt.js.map +1 -0
- package/dist/utils/promptSelect.d.ts +19 -0
- package/dist/utils/promptSelect.js +89 -0
- package/dist/utils/promptSelect.js.map +1 -0
- package/dist/utils/redactSecrets.d.ts +24 -0
- package/dist/utils/redactSecrets.js +134 -0
- package/dist/utils/redactSecrets.js.map +1 -0
- package/dist/validation/dynamic-schema.d.ts +29 -0
- package/dist/validation/dynamic-schema.js +76 -0
- package/dist/validation/dynamic-schema.js.map +1 -0
- package/package.json +52 -0
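--- a/package/dist/secrets-onecli.js
+++ b/package/dist/secrets-onecli.js
@@ -0,0 +1,113 @@
+/**
+* OneCLI integration (https://github.com/onecli/onecli).
+*
+* OneCLI is a local HTTP gateway that intercepts outbound agent requests and
+* injects credentials. Agents see a placeholder; the gateway swaps it for the
+* real value at egress. This module lets `kit secrets` register entries
+* with OneCLI directly, so the real credential lives in OneCLI's encrypted
+* store and never reaches the agent process.
+*
+* Auth: API key in `ONECLI_API_KEY` (Bearer oc_*) — generate from the web UI
+* at http://localhost:10254/settings/api-keys before first use.
+*/
+import { randomBytes } from "node:crypto";
+const DEFAULT_API_URL = "http://127.0.0.1:10254";
+const DEFAULT_GATEWAY_URL = "http://127.0.0.1:10255";
+export function resolveOneCliConfig() {
+return {
+apiUrl: process.env.ONECLI_API_URL || DEFAULT_API_URL,
+gatewayUrl: process.env.ONECLI_GATEWAY_URL || DEFAULT_GATEWAY_URL,
+apiKey: process.env.ONECLI_API_KEY,
+};
+}
+export async function checkOneCliStatus(cfg = resolveOneCliConfig()) {
+const status = {
+reachable: false,
+authenticated: false,
+apiUrl: cfg.apiUrl,
+gatewayUrl: cfg.gatewayUrl,
+};
+try {
+const res = await fetch(`${cfg.apiUrl}/api/health`, {
+signal: AbortSignal.timeout(3000),
+});
+if (!res.ok) {
+status.error = `health check returned ${res.status}`;
+return status;
+}
+status.reachable = true;
+const body = (await res.json().catch(() => null));
+if (body?.version)
+status.version = body.version;
+}
+catch (err) {
+status.error = err instanceof Error ? err.message : String(err);
+return status;
+}
+if (!cfg.apiKey) {
+status.error =
+"ONECLI_API_KEY not set — generate one at /settings/api-keys";
+return status;
+}
+try {
+const res = await fetch(`${cfg.apiUrl}/api/user`, {
+headers: { Authorization: `Bearer ${cfg.apiKey}` },
+signal: AbortSignal.timeout(3000),
+});
+status.authenticated = res.ok;
+if (!res.ok)
+status.error = `auth check returned ${res.status}`;
+}
+catch (err) {
+status.error = err instanceof Error ? err.message : String(err);
+}
+return status;
+}
+/**
+* Registers a secret with OneCLI. Returns the created secret's id.
+*
+* Caller is responsible for writing a placeholder to `.env.local` separately —
+* OneCLI doesn't generate or return one, since the gateway matches by host
+* pattern, not by placeholder value.
+*/
+export async function registerSecretInOneCli(input, cfg = resolveOneCliConfig()) {
+if (!cfg.apiKey) {
+throw new Error("ONECLI_API_KEY not set — generate one in OneCLI's UI (Settings → API Keys)");
+}
+const body = {
+name: input.name,
+type: "generic",
+value: input.value,
+hostPattern: input.hostPattern,
+pathPattern: input.pathPattern,
+injectionConfig: input.injectionConfig ?? {
+headerName: "Authorization",
+valueFormat: "Bearer {value}",
+},
+};
+const res = await fetch(`${cfg.apiUrl}/api/secrets`, {
+method: "POST",
+headers: {
+Authorization: `Bearer ${cfg.apiKey}`,
+"Content-Type": "application/json",
+},
+body: JSON.stringify(body),
+signal: AbortSignal.timeout(10000),
+});
+if (!res.ok) {
+const text = await res.text().catch(() => "");
+throw new Error(`OneCLI POST /api/secrets returned ${res.status}: ${text}`);
+}
+const json = (await res.json());
+return { id: json.id, name: json.name };
+}
+/**
+* Generates a placeholder value to write into `.env.local`. The actual value
+* is irrelevant to OneCLI — the gateway matches by host pattern — but a
+* recognizable prefix (`PCLI_`) helps grep/audit tooling identify which
+* env vars are gateway-routed.
+*/
+export function generatePlaceholder() {
+return `PCLI_${randomBytes(12).toString("base64url")}`;
+}
+//# sourceMappingURL=secrets-onecli.js.map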
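Review bot: `registerSecretInOneCli` POSTs the plaintext credential (`value: input.value`) together with `ONECLI_API_KEY` to whatever `ONECLI_API_URL` resolves to, and nothing in `resolveOneCliConfig` or at the `fetch` call sites checks that the target is loopback or TLS — so an overridden or poisoned `ONECLI_API_URL` such as `http://attacker.example:10254` silently exfiltrates both the API key and the secret being registered. The built-in default is a loopback `http://` URL, which is fine, but an env-supplied value should be required to be either `https:` or a loopback host before anything sensitive is sent, and the same guard belongs in `checkOneCliStatus` since that path also sends the Bearer key to `/api/user`. A small helper called at the top of both functions covers it. Separately, the error thrown on a non-2xx response embeds the raw response body (`${text}`); if OneCLI echoes the submitted payload in a validation error, that string would carry the secret into logs, so truncating or redacting it is cheap insurance — whether OneCLI actually does this is not visible here.
```javascript
// Refuse to send the API key or a secret value anywhere that is neither
// loopback nor TLS. The default URL is loopback, but ONECLI_API_URL is
// environment-controlled and would otherwise be trusted blindly.
function assertTrustedApiUrl(apiUrl) {
    const u = new URL(apiUrl);
    const loopback = u.hostname === "127.0.0.1" || u.hostname === "localhost" || u.hostname === "[::1]";
    if (u.protocol !== "https:" && !loopback) {
        throw new Error(`refusing to contact OneCLI at ${u.origin}: ONECLI_API_URL must be https:// or a loopback address`);
    }
}
export async function registerSecretInOneCli(input, cfg = resolveOneCliConfig()) {
    assertTrustedApiUrl(cfg.apiUrl);
    // … unchanged: apiKey check, request body, POST /api/secrets …
```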
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"secrets-onecli.js","sourceRoot":"","sources":["../src/secrets-onecli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,MAAM,eAAe,GAAG,wBAAwB,CAAC;AACjD,MAAM,mBAAmB,GAAG,wBAAwB,CAAC;AAQrD,MAAM,UAAU,mBAAmB;IACjC,OAAO;QACL,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,eAAe;QACrD,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,IAAI,mBAAmB;QACjE,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc;KACnC,CAAC;AACJ,CAAC;AAWD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAoB,mBAAmB,EAAE;IAEzC,MAAM,MAAM,GAAiB;QAC3B,SAAS,EAAE,KAAK;QAChB,aAAa,EAAE,KAAK;QACpB,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,UAAU,EAAE,GAAG,CAAC,UAAU;KAC3B,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,MAAM,aAAa,EAAE;YAClD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,CAAC,KAAK,GAAG,yBAAyB,GAAG,CAAC,MAAM,EAAE,CAAC;YACrD,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC;QACxB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAExC,CAAC;QACT,IAAI,IAAI,EAAE,OAAO;YAAE,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IACnD,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,CAAC,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAChE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,CAAC,KAAK;YACV,6DAA6D,CAAC;QAChE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,MAAM,WAAW,EAAE;YAChD,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,GAAG,CAAC,MAAM,EAAE,EAAE;YAClD,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QACH,MAAM,CAAC,aAAa,GAAG,GAAG,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,CAAC,KAAK,GAAG,uBAAuB,GAAG,CAAC,MAAM,EAAE,CAAC;IAClE,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,CAAC,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAClE,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAwBD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,KAA0B,EAC1B,MA
AoB,mBAAmB,EAAE;IAEzC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,4EAA4E,CAC7E,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG;QACX,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,IAAI,EAAE,SAAkB;QACxB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,eAAe,EAAE,KAAK,CAAC,eAAe,IAAI;YACxC,UAAU,EAAE,eAAe;YAC3B,WAAW,EAAE,gBAAgB;SAC9B;KACF,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,GAAG,CAAC,MAAM,cAAc,EAAE;QACnD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,GAAG,CAAC,MAAM,EAAE;YACrC,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;QAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,KAAK,CAAC;KACnC,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,qCAAqC,GAAG,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAiC,CAAC;IAChE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO,QAAQ,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;AACzD,CAAC"}
|
|
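--- a/package/dist/secrets-propagate.d.ts
+++ b/package/dist/secrets-propagate.d.ts
@@ -0,0 +1,48 @@
+/**
+* Push a credential value to one or more deploy-platform secret stores.
+*
+* Used by `kit secrets rotate --propagate <targets>` so a rotated key
+* lands in every place the running service reads it from, not just the
+* upstream vault. Each adapter shells out to the platform's official CLI;
+* the value is piped via stdin where the CLI supports it to keep it out of
+* argv / process listings.
+*
+* Targets implemented:
+* - vercel `vercel env add <name> <env>` (stdin)
+* - github `gh secret set <name>` (stdin)
+* - fly `fly secrets set <name>=<value> --stage` (argv — Fly has
+* no stdin path; documented as a known leak surface)
+* - cloudflare `wrangler secret put <name>` (stdin)
+* - railway `railway variables --set <name>=<value>` (argv)
+* - aws-ssm `aws ssm put-parameter --name <key> --value file:///dev/stdin
+* --type SecureString --overwrite` (stdin via --value file://)
+*/
+export type PropagationTarget = "vercel" | "github" | "fly" | "cloudflare" | "railway" | "aws-ssm";
+export declare const ALL_TARGETS: PropagationTarget[];
+export interface PropagationResult {
+target: PropagationTarget;
+ok: boolean;
+detail: string;
+/** True if the value passed through argv at any point (informational). */
+valueInArgv: boolean;
+}
+export interface PropagationOptions {
+/** Logical env to write into (Vercel: "production"|"preview"|"development"). */
+env?: "production" | "preview" | "development";
+/** Vercel scope (team or user). */
+vercelScope?: string;
+/** GitHub repo (owner/name). Inferred from `gh repo view` when omitted. */
+githubRepo?: string;
+/** Fly app name. Required for fly. */
+flyApp?: string;
+/** Cloudflare worker name. Required for cloudflare. */
+cfWorker?: string;
+/** Railway service id. */
+railwayService?: string;
+/** AWS region for SSM. */
+awsRegion?: string;
+/** Optional override path prefix for SSM (default: `/kit/`). */
+awsSsmPrefix?: string;
+}
+export declare function propagate(name: string, value: string, targets: PropagationTarget[], opts?: PropagationOptions): Promise<PropagationResult[]>;
+export declare function parseTargets(spec: string): PropagationTarget[];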
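Review bot: `ALL_TARGETS` is declared as a mutable `PropagationTarget[]` on line 21, and in this commit's implementation it is the allow-list that `parseTargets` filters against, so any consumer can widen or empty the accepted target set by mutating the exported array. Declaring it `export declare const ALL_TARGETS: readonly PropagationTarget[];` (an `as const` tuple in the source emits that) keeps the allow-list immutable at the type level; `Object.freeze` on the runtime array would extend the guarantee to plain-JS callers.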
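--- a/package/dist/secrets-propagate.js
+++ b/package/dist/secrets-propagate.js
@@ -0,0 +1,201 @@
+/**
+* Push a credential value to one or more deploy-platform secret stores.
+*
+* Used by `kit secrets rotate --propagate <targets>` so a rotated key
+* lands in every place the running service reads it from, not just the
+* upstream vault. Each adapter shells out to the platform's official CLI;
+* the value is piped via stdin where the CLI supports it to keep it out of
+* argv / process listings.
+*
+* Targets implemented:
+* - vercel `vercel env add <name> <env>` (stdin)
+* - github `gh secret set <name>` (stdin)
+* - fly `fly secrets set <name>=<value> --stage` (argv — Fly has
+* no stdin path; documented as a known leak surface)
+* - cloudflare `wrangler secret put <name>` (stdin)
+* - railway `railway variables --set <name>=<value>` (argv)
+* - aws-ssm `aws ssm put-parameter --name <key> --value file:///dev/stdin
+* --type SecureString --overwrite` (stdin via --value file://)
+*/
+import { spawn } from "node:child_process";
+export const ALL_TARGETS = [
+"vercel",
+"github",
+"fly",
+"cloudflare",
+"railway",
+"aws-ssm",
+];
+/**
+* Spawns a CLI with the value piped via stdin. Returns the exit code +
+* captured stderr for diagnostics. The value never appears in argv.
+*/
+async function spawnWithStdin(cmd, args, stdinValue) {
+return new Promise((resolve) => {
+const child = spawn(cmd, args, { stdio: ["pipe", "pipe", "pipe"] });
+let stderr = "";
+child.stderr.on("data", (chunk) => {
+stderr += chunk.toString();
+});
+child.on("error", (err) => {
+resolve({ code: 127, stderr: err.message });
+});
+child.on("close", (code) => {
+resolve({ code: code ?? 1, stderr });
+});
+child.stdin.write(stdinValue);
+child.stdin.end();
+});
+}
+async function propagateVercel(name, value, opts) {
+const env = opts.env ?? "production";
+// vercel env add accepts the value via stdin when invoked non-interactively
+// and printed to a stream that has no TTY.
+const args = ["env", "add", name, env];
+if (opts.vercelScope)
+args.push("--scope", opts.vercelScope);
+// Remove existing first so add doesn't error on duplicate.
+await spawnWithStdin("vercel", ["env", "rm", name, env, "--yes", ...(opts.vercelScope ? ["--scope", opts.vercelScope] : [])], "");
+const { code, stderr } = await spawnWithStdin("vercel", args, value);
+return {
+target: "vercel",
+ok: code === 0,
+detail: code === 0 ? `pushed to vercel env=${env}` : `vercel exit ${code}: ${stderr.split("\n")[0]}`,
+valueInArgv: false,
+};
+}
+async function propagateGithub(name, value, opts) {
+const args = ["secret", "set", name];
+if (opts.githubRepo)
+args.push("--repo", opts.githubRepo);
+if (opts.env === "production")
+args.push("--env", "production");
+if (opts.env === "preview")
+args.push("--env", "preview");
+// gh secret set reads value from stdin when --body is not provided.
+const { code, stderr } = await spawnWithStdin("gh", args, value);
+return {
+target: "github",
+ok: code === 0,
+detail: code === 0 ? `pushed to github secrets` : `gh exit ${code}: ${stderr.split("\n")[0]}`,
+valueInArgv: false,
+};
+}
+async function propagateFly(name, value, opts) {
+if (!opts.flyApp) {
+return {
+target: "fly",
+ok: false,
+detail: "fly: --fly-app <name> required",
+valueInArgv: false,
+};
+}
+// `fly secrets set` reads KEY=VALUE pairs from argv; no stdin path.
+// Value is visible in `ps` for the duration of the call.
+const { code, stderr } = await spawnWithStdin("fly", ["secrets", "set", `${name}=${value}`, "--app", opts.flyApp, "--stage"], "");
+return {
+target: "fly",
+ok: code === 0,
+detail: code === 0 ? `pushed to fly app=${opts.flyApp}` : `fly exit ${code}: ${stderr.split("\n")[0]}`,
+valueInArgv: true,
+};
+}
+async function propagateCloudflare(name, value, opts) {
+if (!opts.cfWorker) {
+return {
+target: "cloudflare",
+ok: false,
+detail: "cloudflare: --cf-worker <name> required",
+valueInArgv: false,
+};
+}
+const { code, stderr } = await spawnWithStdin("wrangler", ["secret", "put", name, "--name", opts.cfWorker], value);
+return {
+target: "cloudflare",
+ok: code === 0,
+detail: code === 0 ? `pushed to cloudflare worker=${opts.cfWorker}` : `wrangler exit ${code}: ${stderr.split("\n")[0]}`,
+valueInArgv: false,
+};
+}
+async function propagateRailway(name, value, opts) {
+// `railway variables --set KEY=VALUE` — value in argv (no stdin path).
+const args = ["variables", "--set", `${name}=${value}`];
+if (opts.railwayService)
+args.push("--service", opts.railwayService);
+const { code, stderr } = await spawnWithStdin("railway", args, "");
+return {
+target: "railway",
+ok: code === 0,
+detail: code === 0 ? `pushed to railway` : `railway exit ${code}: ${stderr.split("\n")[0]}`,
+valueInArgv: true,
+};
+}
+async function propagateAwsSsm(name, value, opts) {
+const prefix = opts.awsSsmPrefix ?? "/kit/";
+const paramName = `${prefix}${name}`.replace(/\/+/g, "/");
+// `aws ssm put-parameter --value file:///dev/stdin` reads the value from
+// stdin instead of argv.
+const args = [
+"ssm",
+"put-parameter",
+"--name",
+paramName,
+"--value",
+"file:///dev/stdin",
+"--type",
+"SecureString",
+"--overwrite",
+];
+if (opts.awsRegion)
+args.push("--region", opts.awsRegion);
+const { code, stderr } = await spawnWithStdin("aws", args, value);
+return {
+target: "aws-ssm",
+ok: code === 0,
+detail: code === 0 ? `pushed to aws-ssm path=${paramName}` : `aws exit ${code}: ${stderr.split("\n")[0]}`,
+valueInArgv: false,
+};
+}
+const ADAPTERS = {
+vercel: propagateVercel,
+github: propagateGithub,
+fly: propagateFly,
+cloudflare: propagateCloudflare,
+railway: propagateRailway,
+"aws-ssm": propagateAwsSsm,
+};
+export async function propagate(name, value, targets, opts = {}) {
+const results = [];
+for (const t of targets) {
+const adapter = ADAPTERS[t];
+if (!adapter) {
+results.push({
+target: t,
+ok: false,
+detail: `unknown target: ${t}`,
+valueInArgv: false,
+});
+continue;
+}
+try {
+results.push(await adapter(name, value, opts));
+}
+catch (err) {
+results.push({
+target: t,
+ok: false,
+detail: err instanceof Error ? err.message.split("\n")[0] : String(err),
+valueInArgv: false,
+});
+}
+}
+return results;
+}
+export function parseTargets(spec) {
+const known = new Set(ALL_TARGETS);
+return spec
+.split(",")
+.map((t) => t.trim())
+.filter((t) => known.has(t));
+}
+//# sourceMappingURL=secrets-propagate.js.map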
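Review bot: Each adapter's failure `detail` embeds the first line of the CLI's stderr verbatim, and for `propagateFly` and `propagateRailway` that line can echo the `name=value` argument back (usage and unknown-flag errors commonly do), so the value this module works to keep out of argv can still surface in kit's own output and logs. Redacting once in `propagate()`, where both the value and the result are in hand, covers every adapter: `const r = await adapter(name, value, opts);` followed by `results.push({ ...r, detail: value ? r.detail.split(value).join("[redacted]") : r.detail });`, with the same treatment for the catch-branch message. Separately, `ADAPTERS[t]` is a plain-object lookup, so a caller of the exported `propagate` that passes a prototype key such as `"constructor"` gets a callable back and bypasses the unknown-target branch; `Object.hasOwn(ADAPTERS, t)` (or a `Map`) closes that. `spawnWithStdin` also attaches no `error` listener to `child.stdin`, so a CLI that exits before reading its input turns the write's EPIPE into an uncaught exception instead of a failed result.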
@@ -0,0 +1 @@
1
+
{"version":3,"file":"secrets-propagate.js","sourceRoot":"","sources":["../src/secrets-propagate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAU3C,MAAM,CAAC,MAAM,WAAW,GAAwB;IAC9C,QAAQ;IACR,QAAQ;IACR,KAAK;IACL,YAAY;IACZ,SAAS;IACT,SAAS;CACV,CAAC;AA6BF;;;GAGG;AACH,KAAK,UAAU,cAAc,CAC3B,GAAW,EACX,IAAc,EACd,UAAkB;IAElB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QACpE,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YACxC,MAAM,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QAC7B,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACxB,OAAO,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;YACzB,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QACvC,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC9B,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;IACpB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,IAAY,EACZ,KAAa,EACb,IAAwB;IAExB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,YAAY,CAAC;IACrC,4EAA4E;IAC5E,2CAA2C;IAC3C,MAAM,IAAI,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IACvC,IAAI,IAAI,CAAC,WAAW;QAAE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7D,2DAA2D;IAC3D,MAAM,cAAc,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClI,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACrE,OAAO;QACL,MAAM,EAAE,QAAQ;QAChB,EAAE,EAAE,IAAI,KAAK,CAAC;QACd,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,wBAAwB,GAAG,EAAE,CAAC,CAAC,CAAC,eAAe,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;QACpG,WAAW,EAAE,KAAK;KACnB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,IAAY,EACZ,KAAa,EAC
b,IAAwB;IAExB,MAAM,IAAI,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACrC,IAAI,IAAI,CAAC,UAAU;QAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1D,IAAI,IAAI,CAAC,GAAG,KAAK,YAAY;QAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAChE,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS;QAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAC1D,oEAAoE;IACpE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACjE,OAAO;QACL,MAAM,EAAE,QAAQ;QAChB,EAAE,EAAE,IAAI,KAAK,CAAC;QACd,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC,CAAC,WAAW,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;QAC7F,WAAW,EAAE,KAAK;KACnB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,IAAY,EACZ,KAAa,EACb,IAAwB;IAExB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;QACjB,OAAO;YACL,MAAM,EAAE,KAAK;YACb,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,gCAAgC;YACxC,WAAW,EAAE,KAAK;SACnB,CAAC;IACJ,CAAC;IACD,oEAAoE;IACpE,yDAAyD;IACzD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAC3C,KAAK,EACL,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,IAAI,IAAI,KAAK,EAAE,EAAE,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EACvE,EAAE,CACH,CAAC;IACF,OAAO;QACL,MAAM,EAAE,KAAK;QACb,EAAE,EAAE,IAAI,KAAK,CAAC;QACd,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,qBAAqB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,YAAY,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;QACtG,WAAW,EAAE,IAAI;KAClB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,IAAY,EACZ,KAAa,EACb,IAAwB;IAExB,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;QACnB,OAAO;YACL,MAAM,EAAE,YAAY;YACpB,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,yCAAyC;YACjD,WAAW,EAAE,KAAK;SACnB,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAC3C,UAAU,EACV,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,CAAC,EAChD,KAAK,CACN,CAAC;IACF,OAAO;QACL,MAAM,EAAE,YAAY;QACpB,EAAE,EAAE,IAAI,KAAK,CAAC;QACd,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,+BAA+B,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,iBAAiB,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;QACvH,WAAW,EAAE,KAAK;KACnB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,KAAa,
EACb,IAAwB;IAExB,uEAAuE;IACvE,MAAM,IAAI,GAAG,CAAC,WAAW,EAAE,OAAO,EAAE,GAAG,IAAI,IAAI,KAAK,EAAE,CAAC,CAAC;IACxD,IAAI,IAAI,CAAC,cAAc;QAAE,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;IACrE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;IACnE,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,EAAE,EAAE,IAAI,KAAK,CAAC;QACd,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,gBAAgB,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;QAC3F,WAAW,EAAE,IAAI;KAClB,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,eAAe,CAC5B,IAAY,EACZ,KAAa,EACb,IAAwB;IAExB,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,IAAI,OAAO,CAAC;IAC5C,MAAM,SAAS,GAAG,GAAG,MAAM,GAAG,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1D,yEAAyE;IACzE,yBAAyB;IACzB,MAAM,IAAI,GAAG;QACX,KAAK;QACL,eAAe;QACf,QAAQ;QACR,SAAS;QACT,SAAS;QACT,mBAAmB;QACnB,QAAQ;QACR,cAAc;QACd,aAAa;KACd,CAAC;IACF,IAAI,IAAI,CAAC,SAAS;QAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IAC1D,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAClE,OAAO;QACL,MAAM,EAAE,SAAS;QACjB,EAAE,EAAE,IAAI,KAAK,CAAC;QACd,MAAM,EAAE,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,0BAA0B,SAAS,EAAE,CAAC,CAAC,CAAC,YAAY,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;QACzG,WAAW,EAAE,KAAK;KACnB,CAAC;AACJ,CAAC;AAED,MAAM,QAAQ,GAGV;IACF,MAAM,EAAE,eAAe;IACvB,MAAM,EAAE,eAAe;IACvB,GAAG,EAAE,YAAY;IACjB,UAAU,EAAE,mBAAmB;IAC/B,OAAO,EAAE,gBAAgB;IACzB,SAAS,EAAE,eAAe;CAC3B,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAY,EACZ,KAAa,EACb,OAA4B,EAC5B,OAA2B,EAAE;IAE7B,MAAM,OAAO,GAAwB,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM,EAAE,CAAC;gBACT,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,mBAAmB,CAAC,EAAE;gBAC9B,WAAW,EAAE,KAAK;aACnB,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QACD,IAAI,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,OAAO,CAAC,IAAI,CAAC;gBACX,MAAM,EAAE
,CAAC;gBACT,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;gBACvE,WAAW,EAAE,KAAK;aACnB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,MAAM,KAAK,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,CAAC;IACnC,OAAO,IAAI;SACR,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAA0B,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAsB,CAAC,CAAC,CAAC;AAC9E,CAAC"}
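--- a/package/dist/secrets-pull.d.ts
+++ b/package/dist/secrets-pull.d.ts
@@ -0,0 +1,34 @@
+/**
+* `kit secrets pull --from <platform> --env <env>` — read env-vars
+* from a deploy-platform (Vercel / Fly / Cloudflare / GitHub Actions)
+* and write them into the local vault. Closes the "I forgot what
+* value is in Vercel" gap that drove the kjorre incident.
+*
+* Read-only by nature of the source side (vendor REST is GET-only here).
+* Write side honors KIT_READ_ONLY=1 via writeSecretToBackend.
+*/
+import type { SecretsConfig } from "./config.js";
+export type PullSource = "vercel" | "github" | "fly" | "cloudflare";
+export interface PullOptions {
+source: PullSource;
+/** Deploy-platform-specific environment name (production / preview / dev). */
+env?: string;
+/** Project / repo / app identifier passed to the source plugin. */
+projectId?: string;
+/** Skip writing to vault; just list what would be pulled. */
+dryRun?: boolean;
+/** Target vault store. Defaults to config.secrets.store. */
+store?: SecretsConfig["store"];
+}
+export interface PullResult {
+source: PullSource;
+discovered: number;
+written: number;
+skipped: number;
+items: Array<{
+key: string;
+status: "written" | "skipped" | "would-write";
+detail: string;
+}>;
+}
+export declare function pullSecrets(config: SecretsConfig | undefined, opts: PullOptions): Promise<PullResult>;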
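Review bot: `projectId` is optional on line 17 of `PullOptions`, yet `pullSecrets` in this commit throws `--project <id> required` as its first action whenever it is absent, so the type admits a call shape that can never succeed. Making it `projectId: string;` moves that check to compile time; if the option must stay optional for CLI-parsing reasons, the doc comment should at least say the value is mandatory at runtime.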
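--- a/package/dist/secrets-pull.js
+++ b/package/dist/secrets-pull.js
@@ -0,0 +1,118 @@
+/**
+* `kit secrets pull --from <platform> --env <env>` — read env-vars
+* from a deploy-platform (Vercel / Fly / Cloudflare / GitHub Actions)
+* and write them into the local vault. Closes the "I forgot what
+* value is in Vercel" gap that drove the kjorre incident.
+*
+* Read-only by nature of the source side (vendor REST is GET-only here).
+* Write side honors KIT_READ_ONLY=1 via writeSecretToBackend.
+*/
+import { writeSecretToBackend } from "./secrets-migrate.js";
+/**
+* Fetches env-vars from the source platform. Each source uses its
+* existing kit-plugin's read-only API. Tokens come from the operator's
+* shell env per plugin convention (VERCEL_TOKEN, GITHUB_TOKEN, FLY_API_TOKEN,
+* CLOUDFLARE_API_TOKEN).
+*/
+async function fetchFromSource(source, projectId, env) {
+if (source === "vercel") {
+const { makeClient, listEnvVars } = await import("sandstream-kit-plugin-vercel");
+const client = makeClient();
+const all = await listEnvVars(client, projectId);
+return all
+.filter((e) => env ? (e.target ?? []).includes(env) : true)
+.map((e) => ({
+key: e.key,
+value: e.value ?? "",
+target: e.target,
+}))
+.filter((e) => e.value.length > 0);
+}
+if (source === "github") {
+// GitHub Actions secrets are write-only via the API (you can list names
+// but never read values back). We surface name-only so the operator
+// knows what's defined upstream.
+const { makeClient, listRepoSecrets } = await import("sandstream-kit-plugin-github");
+const [owner, repo] = projectId.split("/");
+if (!owner || !repo) {
+throw new Error("github source requires projectId in 'owner/repo' format");
+}
+const client = makeClient();
+const secrets = await listRepoSecrets(client, owner, repo);
+// Returning empty value — operator must hand-fill from another source.
+return secrets.map((s) => ({ key: s.name, value: "" }));
+}
+if (source === "fly") {
+// Fly secret VALUES are not retrievable via API (digest-only). Same
+// name-only path as GitHub.
+const { makeClient, listAppSecrets } = await import("sandstream-kit-plugin-fly");
+const client = makeClient();
+const secrets = await listAppSecrets(client, projectId);
+return secrets.map((s) => ({ key: s.name, value: "" }));
+}
+if (source === "cloudflare") {
+const { makeClient, listWorkerSecrets } = await import("sandstream-kit-plugin-cloudflare");
+const client = makeClient();
+const secrets = await listWorkerSecrets(client, projectId);
+return secrets.map((s) => ({ key: s.name, value: "" }));
+}
+throw new Error(`Unknown pull source: ${source}`);
+}
+export async function pullSecrets(config, opts) {
+if (!opts.projectId) {
+throw new Error("--project <id> required");
+}
+const source = opts.source;
+const env = opts.env;
+const found = await fetchFromSource(source, opts.projectId, env);
+const result = {
+source,
+discovered: found.length,
+written: 0,
+skipped: 0,
+items: [],
+};
+const store = opts.store ?? config?.store;
+for (const item of found) {
+if (!item.value) {
+result.items.push({
+key: item.key,
+status: "skipped",
+detail: source === "github" || source === "fly" || source === "cloudflare"
+? "vendor API does not expose secret value (name-only)"
+: "empty value at source",
+});
+result.skipped++;
+continue;
+}
+if (opts.dryRun) {
+result.items.push({
+key: item.key,
+status: "would-write",
+detail: `would write to ${store ?? "(no store configured)"}`,
+});
+continue;
+}
+if (!store || store === "env") {
+result.items.push({
+key: item.key,
+status: "skipped",
+detail: "no vault backend configured ([secrets].store)",
+});
+result.skipped++;
+continue;
+}
+const write = await writeSecretToBackend(store, item.key, item.value);
+result.items.push({
+key: item.key,
+status: write.ok ? "written" : "skipped",
+detail: write.detail,
+});
+if (write.ok)
+result.written++;
+else
+result.skipped++;
+}
+return result;
+}
+//# sourceMappingURL=secrets-pull.js.map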
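Review bot: A backend write that fails is recorded as `status: "skipped"` in `pullSecrets` (`status: write.ok ? "written" : "skipped"`), the same status used when the vendor never exposed a value, so `result.skipped` conflates "nothing to write" with "vault rejected the write" and an operator scanning the statuses cannot tell a clean run from a partially failed one. A distinct value, `status: write.ok ? "written" : "failed"`, with a matching `"failed"` member in the `PullResult.items[].status` union and its own counter, keeps the two apart. Also, `item.key` comes straight from the vendor API and is handed to `writeSecretToBackend` unchecked; if that backend interpolates the key into a path or a CLI argument (not visible here), vendor-supplied names should be validated against the vault's key grammar before the write.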
@@ -0,0 +1 @@
1
+
{"version":3,"file":"secrets-pull.js","sourceRoot":"","sources":["../src/secrets-pull.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAwB5D;;;;;GAKG;AACH,KAAK,UAAU,eAAe,CAC5B,MAAkB,EAClB,SAAiB,EACjB,GAAY;IAEZ,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,MAAM,EAAE,UAAU,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAC9C,8BAAwC,CACzC,CAAC;QACF,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACjD,OAAO,GAAG;aACP,MAAM,CAAC,CAAC,CAAwC,EAAE,EAAE,CACnD,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAC5C;aACA,GAAG,CAAC,CAAC,CAAqD,EAAE,EAAE,CAAC,CAAC;YAC/D,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,EAAE;YACpB,MAAM,EAAE,CAAC,CAAC,MAAM;SACjB,CAAC,CAAC;aACF,MAAM,CAAC,CAAC,CAAoB,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC1D,CAAC;IACD,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,wEAAwE;QACxE,oEAAoE;QACpE,iCAAiC;QACjC,MAAM,EAAE,UAAU,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAClD,8BAAwC,CACzC,CAAC;QACF,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC3C,IAAI,CAAC,KAAK,IAAI,CAAC,IAAI,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC7E,CAAC;QACD,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;QAC3D,uEAAuE;QACvE,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAmB,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAC5E,CAAC;IACD,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,oEAAoE;QACpE,4BAA4B;QAC5B,MAAM,EAAE,UAAU,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CACjD,2BAAqC,CACtC,CAAC;QACF,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QACxD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAmB,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAC5E,CAAC;IACD,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;QAC5B,MAAM,EAAE,UAAU,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CACpD,kCAA4C,CAC7C,CAAC;QACF,MAAM,MAAM,GAAG,UAAU,EAAE,CAAC;QAC5B,MAAM,OAAO
,GAAG,MAAM,iBAAiB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAC3D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAmB,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAC5E,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,wBAAwB,MAAM,EAAE,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAiC,EACjC,IAAiB;IAEjB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IACrB,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IACjE,MAAM,MAAM,GAAe;QACzB,MAAM;QACN,UAAU,EAAE,KAAK,CAAC,MAAM;QACxB,OAAO,EAAE,CAAC;QACV,OAAO,EAAE,CAAC;QACV,KAAK,EAAE,EAAE;KACV,CAAC;IACF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,MAAM,EAAE,KAAK,CAAC;IAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;gBAChB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,MAAM,EAAE,SAAS;gBACjB,MAAM,EACJ,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,YAAY;oBAChE,CAAC,CAAC,qDAAqD;oBACvD,CAAC,CAAC,uBAAuB;aAC9B,CAAC,CAAC;YACH,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,SAAS;QACX,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;gBAChB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,MAAM,EAAE,aAAa;gBACrB,MAAM,EAAE,kBAAkB,KAAK,IAAI,uBAAuB,EAAE;aAC7D,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QACD,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;YAC9B,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;gBAChB,GAAG,EAAE,IAAI,CAAC,GAAG;gBACb,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,+CAA+C;aACxD,CAAC,CAAC;YACH,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QACtE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;YAChB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;YACxC,MAAM,EAAE,KAAK,CAAC,MAAM;SACrB,CAAC,CAAC;QACH,IAAI,KAAK,CAAC,EAAE;YAAE,MAAM,CAAC,OAAO,EAAE,CAAC;;YAC1B,MAAM,CAAC,OAAO,EAAE,CAAC;IACxB,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
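--- a/package/dist/PLACEHOLDER.d.ts
+++ b/package/dist/PLACEHOLDER.d.ts
@@ -0,0 +1,53 @@
+/**
+* Destructive git-history secret scrubbing — opt-in only.
+*
+* When a credential lands in a committed file the next thing to do is
+* rotate it; the value in `git log` keeps leaking until the history is
+* rewritten. This module wraps `git filter-repo` (preferred) or `bfg-repo-
+* cleaner` (fallback) to remove the value from every commit in the repo.
+*
+* **Destructive**: rewrites every commit hash from the first affected commit
+* forward, force-pushing is required afterwards, and every existing clone
+* (including CI runners, teammates' laptops, deploy pipelines that fork
+* from the same remote) must re-clone — pulling won't catch up cleanly.
+*
+* For this reason the CLI surface always requires:
+* 1. A live elevation marker (from `kit auth elevate`)
+* 2. An explicit `--force-history` flag — no auto-run, no default
+* 3. Confirmation prompt with the full impact spelled out, unless
+* `--yes` is set (CI escape hatch; still requires elevation)
+*/
+export type Tool = "git-filter-repo" | "bfg";
+export interface ToolStatus {
+filterRepoAvailable: boolean;
+bfgAvailable: boolean;
+}
+export declare function detectTools(): Promise<ToolStatus>;
+export interface PurgePreview {
+pattern: string;
+matchedCommits: number;
+matchedFiles: string[];
+sampleHashes: string[];
+}
+/**
+* Reports how many commits in the current branch's history reference the
+* pattern. Useful for showing impact before the destructive step.
+*/
+export declare function previewMatches(pattern: string, cwd?: string): Promise<PurgePreview>;
+export interface PurgeResult {
+toolUsed: Tool;
+ok: boolean;
+detail: string;
+}
+/**
+* Runs `git filter-repo --replace-text <file>` where the replacement file
+* contains one regex per line in `pattern==>***REDACTED***` syntax. Falls
+* back to `bfg --replace-text` when filter-repo is missing. The replacement
+* file is created in a tempdir and removed after the run.
+*
+* Caller is responsible for:
+* - confirming the destructive action with the user
+* - holding a fresh elevation marker
+* - communicating "force-push + re-clone for everyone" afterwards
+*/
+export declare function purgeHistory(patterns: string[], cwd?: string): Promise<PurgeResult>;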
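Review bot: The `purgeHistory` comment says the replacement file holds "one regex per line", but both `git filter-repo --replace-text` and BFG's `--replace-text` treat a line as literal text unless it carries a `regex:` prefix, so either this doc or the implementation (not in this hunk) is off; worth confirming and stating which form `patterns` is expected in, because a secret containing regex metacharacters is matched differently under each. The same comment notes that the file lives in a tempdir until the run ends: it holds the plaintext secrets being scrubbed, so the doc should state that it is created with owner-only permissions and removed in a `finally`, since a crash mid-rewrite would otherwise leave the values on disk next to the very history being cleaned.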