sandstream-kit 1.0.0

package/dist/secrets-sync.js

@@ -0,0 +1,215 @@
+import { writeFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { generateSecrets } from "./secrets.js";
+import { exec } from "./utils/exec.js";
+/**
+ * Resolve secret values from the configured store, then push them to the
+ * requested target (GitHub Actions secrets, .env.ci, or stdout export lines).
+ */
+export async function syncSecrets(secrets, options) {
+    const { target, dryRun = false, projectPath = process.cwd() } = options;
+    // Resolve all secrets using the existing generate logic (reads from stores)
+    const { results } = await generateSecrets(secrets, "/dev/null");
+    const resolved = {};
+    for (const r of results) {
+        if (r.resolved && r.value !== null && !r.value.startsWith("(")) {
+            resolved[r.name] = r.value;
+        }
+    }
+    const synced = [];
+    const skipped = [];
+    const failed = [];
+    switch (target) {
+        case "github":
+            return syncToGitHub(resolved, dryRun, synced, skipped, failed);
+        case "dotenv-ci": {
+            const outPath = resolve(projectPath, ".env.ci");
+            const lines = Object.entries(resolved).map(([k, v]) => `${k}=${v}`);
+            if (!dryRun) {
+                await writeFile(outPath, lines.join("\n") + "\n", "utf8");
+                synced.push(...Object.keys(resolved));
+            }
+            else {
+                skipped.push(...Object.keys(resolved));
+            }
+            return {
+                target,
+                synced,
+                skipped,
+                failed,
+                dryRun,
+                message: dryRun
+                    ? `Would write ${lines.length} secrets to .env.ci`
+                    : `Wrote ${synced.length} secrets to ${outPath}`,
+            };
+        }
+        case "stdout": {
+            const lines = Object.entries(resolved).map(([k, v]) => `export ${k}='${v.replace(/'/g, "'\\''")}'`);
+            if (!dryRun) {
+                process.stdout.write(lines.join("\n") + "\n");
+                synced.push(...Object.keys(resolved));
+            }
+            else {
+                skipped.push(...Object.keys(resolved));
+            }
+            return {
+                target,
+                synced,
+                skipped,
+                failed,
+                dryRun,
+                message: dryRun
+                    ? `Would export ${lines.length} secrets`
+                    : `Exported ${synced.length} secrets`,
+            };
+        }
+        default:
+            return {
+                target,
+                synced: [],
+                skipped: [],
+                failed: [`Unknown target: ${target}`],
+                dryRun,
+                message: `Unknown sync target: ${target}. Use: github, dotenv-ci, stdout`,
+            };
+    }
+}
+async function syncToGitHub(secrets, dryRun, synced, skipped, failed) {
+    const token = process.env.GITHUB_TOKEN;
+    if (!token) {
+        return {
+            target: "github",
+            synced: [],
+            skipped: [],
+            failed: ["GITHUB_TOKEN not set"],
+            dryRun,
+            message: "Set GITHUB_TOKEN with repo scope to sync secrets to GitHub Actions",
+        };
+    }
+    // Detect repo from git remote
+    let owner, repo;
+    try {
+        const { stdout } = await exec("git", ["remote", "get-url", "origin"], {
+            timeout: 5_000,
+        });
+        const remote = stdout.trim();
+        const match = remote.match(/github\.com[:/]([^/]+)\/(.+?)(?:\.git)?$/) ??
+            remote.match(/github\.com\/([^/]+)\/(.+?)(?:\.git)?$/);
+        if (!match)
+            throw new Error(`Cannot parse GitHub remote: ${remote}`);
+        [, owner, repo] = match;
+    }
+    catch (err) {
+        return {
+            target: "github",
+            synced: [],
+            skipped: [],
+            failed: [`Could not determine GitHub repo: ${err.message}`],
+            dryRun,
+            message: "Run kit secrets sync --target=github from inside a GitHub repo",
+        };
+    }
+    // Fetch repo public key for encryption
+    const keyResp = await fetch(`https://api.github.com/repos/${owner}/${repo}/actions/secrets/public-key`, { headers: { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json" } });
+    if (!keyResp.ok) {
+        return {
+            target: "github",
+            synced: [],
+            skipped: [],
+            failed: [`GitHub API error ${keyResp.status}: ${await keyResp.text()}`],
+            dryRun,
+            message: "Failed to fetch GitHub repo public key",
+        };
+    }
+    const { key, key_id } = (await keyResp.json());
+    if (dryRun) {
+        skipped.push(...Object.keys(secrets));
+        return {
+            target: "github",
+            synced,
+            skipped,
+            failed,
+            dryRun: true,
+            message: `Would sync ${skipped.length} secrets to ${owner}/${repo} GitHub Actions`,
+        };
+    }
+    // Encrypt and push each secret using sodium (libsodium-wrappers)
+    // Attempt to use libsodium-wrappers for native encryption.
+    // It's an optional peer dependency — fall back to gh CLI if absent.
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    let sodium = null;
+    try {
+        sodium = await import("libsodium-wrappers");
+        await sodium.ready;
+    }
+    catch {
+        return syncToGitHubViaCli(secrets, owner, repo, synced, skipped, failed, dryRun);
+    }
+    const repoKey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL);
+    for (const [name, value] of Object.entries(secrets)) {
+        try {
+            const encrypted = sodium.crypto_box_seal(new TextEncoder().encode(value), repoKey);
+            const encryptedB64 = sodium.to_base64(encrypted, sodium.base64_variants.ORIGINAL);
+            const putResp = await fetch(`https://api.github.com/repos/${owner}/${repo}/actions/secrets/${name}`, {
+                method: "PUT",
+                headers: {
+                    Authorization: `Bearer ${token}`,
+                    Accept: "application/vnd.github+json",
+                    "Content-Type": "application/json",
+                },
+                body: JSON.stringify({ encrypted_value: encryptedB64, key_id }),
+            });
+            if (putResp.ok || putResp.status === 201 || putResp.status === 204) {
+                synced.push(name);
+            }
+            else {
+                failed.push(`${name}: ${putResp.status}`);
+            }
+        }
+        catch (err) {
+            failed.push(`${name}: ${err.message}`);
+        }
+    }
+    return {
+        target: "github",
+        synced,
+        skipped,
+        failed,
+        dryRun: false,
+        message: `Synced ${synced.length}/${Object.keys(secrets).length} secrets to ${owner}/${repo} GitHub Actions${failed.length ? ` (${failed.length} failed)` : ""}`,
+    };
+}
+async function syncToGitHubViaCli(secrets, owner, repo, synced, skipped, failed, dryRun) {
+    // Fall back to `gh secret set` CLI if libsodium is unavailable
+    try {
+        await exec("gh", ["--version"], { timeout: 5_000 });
+    }
+    catch {
+        return {
+            target: "github",
+            synced: [],
+            skipped: [],
+            failed: ["Neither libsodium-wrappers nor gh CLI available"],
+            dryRun,
+            message: "Install gh CLI (brew install gh) or add libsodium-wrappers to package.json",
+        };
+    }
+    for (const [name, value] of Object.entries(secrets)) {
+        try {
+            await exec("gh", ["secret", "set", name, "--repo", `${owner}/${repo}`, "--body", value], { timeout: 15_000 });
+            synced.push(name);
+        }
+        catch (err) {
+            failed.push(`${name}: ${err.message}`);
+        }
+    }
+    return {
+        target: "github",
+        synced,
+        skipped,
+        failed,
+        dryRun: false,
+        message: `Synced ${synced.length}/${Object.keys(secrets).length} secrets to ${owner}/${repo} via gh CLI${failed.length ? ` (${failed.length} failed)` : ""}`,
+    };
+}
+//# sourceMappingURL=secrets-sync.js.map

package/dist/secrets-sync.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-sync.js","sourceRoot":"","sources":["../src/secrets-sync.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAoBvC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAsB,EACtB,OAA2B;IAE3B,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IAExE,4EAA4E;IAC5E,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IAEhE,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/D,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;QAC7B,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,QAAQ;YACX,OAAO,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;QAEjE,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;YAChD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACpE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;gBAC1D,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACxC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACzC,CAAC;YACD,OAAO;gBACL,MAAM;gBACN,MAAM;gBACN,OAAO;gBACP,MAAM;gBACN,MAAM;gBACN,OAAO,EAAE,MAAM;oBACb,CAAC,CAAC,eAAe,KAAK,CAAC,MAAM,qBAAqB;oBAClD,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,eAAe,OAAO,EAAE;aACnD,CAAC;QACJ,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;YACpG,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;gBAC9C,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACxC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;YACzC,CAAC;YACD,OAAO;gBACL,MAAM;gBACN,MAAM;gBACN,OAAO;gBACP,MAAM;gBACN,MAAM;gBACN,OAAO,EAAE,MAAM;oBACb,CAAC,CAAC,gBAAgB,KAAK,CAAC,MAAM,UAAU;oBACxC,CAAC,CAAC,YAAY,MAAM,CAAC,MAAM,UAAU;aACxC,CAAC;QACJ,CAAC;QAED;YACE,OAAO;gBACL,MAAM;gBACN,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,EAAE;gBACX,MAAM,EAAE,CAAC,mBAAmB,MAAM,EAAE,CAAC;gBACrC,MAAM;gBACN,OAAO,EAAE,wBAAwB,MAAM,kCAAkC;aAC1E,CAAC;IACN,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CACzB,OAA+B,EAC/B,MAAe,EACf,MAAgB,EAChB,OAAiB,EACjB,MAAgB;IAEhB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACvC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,CAAC,sBAAsB,CAAC;YAChC,MAAM;YACN,OAAO,EACL,oEAAoE;SACvE,CAAC;IACJ,CAAC;IAED,8BAA8B;IAC9B,IAAI,KAAa,EAAE,IAAY,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,EAAE;YACpE,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC7B,MAAM,KAAK,GACT,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC;YACxD,MAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK;YAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,MAAM,EAAE,CAAC,CAAC;QACrE,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC;IAC1B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,CAAC,oCAAqC,GAAa,CAAC,OAAO,EAAE,CAAC;YACtE,MAAM;YACN,OAAO,EAAE,gEAAgE;SAC1E,CAAC;IACJ,CAAC;IAED,uCAAuC;IACvC,MAAM,OAAO,GAAG,MAAM,KAAK,CACzB,gCAAgC,KAAK,IAAI,IAAI,6BAA6B,EAC1E,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,MAAM,EAAE,6BAA6B,EAAE,EAAE,CACzF,CAAC;IAEF,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAChB,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,CAAC,oBAAoB,OAAO,CAAC,MAAM,KAAK,MAAM,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;YACvE,MAAM;YACN,OAAO,EAAE,wCAAwC;SAClD,CAAC;IACJ,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAAoC,CAAC;IAElF,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;QACtC,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM;YACN,OAAO;YACP,MAAM;YACN,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,cAAc,OAAO,CAAC,MAAM,eAAe,KAAK,IAAI,IAAI,iBAAiB;SACnF,CAAC;IACJ,CAAC;IAED,iEAAiE;IACjE,2DAA2D;IAC3D,oEAAoE;IACpE,8DAA8D;IAC9D,IAAI,MAAM,GAAQ,IAAI,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,MAAM,CAAC,oBAA8B,CAAC,CAAC;QACtD,MAAM,MAAM,CAAC,KAAK,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,kBAAkB,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IAEzE,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,CAAC,eAAe,CACtC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,EAC/B,OAAO,CACR,CAAC;YACF,MAAM,YAAY,GAAG,MAAM,CAAC,SAAS,CAAC,SAAS,EAAE,MAAM,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;YAElF,MAAM,OAAO,GAAG,MAAM,KAAK,CACzB,gCAAgC,KAAK,IAAI,IAAI,oBAAoB,IAAI,EAAE,EACvE;gBACE,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,KAAK,EAAE;oBAChC,MAAM,EAAE,6BAA6B;oBACrC,cAAc,EAAE,kBAAkB;iBACnC;gBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC;aAChE,CACF,CAAC;YAEF,IAAI,OAAO,CAAC,EAAE,IAAI,OAAO,CAAC,MAAM,KAAK,GAAG,IAAI,OAAO,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;gBACnE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,KAAK,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM,EAAE,QAAQ;QAChB,MAAM;QACN,OAAO;QACP,MAAM;QACN,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,UAAU,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,eAAe,KAAK,IAAI,IAAI,kBAAkB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,MAAM,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE;KACjK,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,OAA+B,EAC/B,KAAa,EACb,IAAY,EACZ,MAAgB,EAChB,OAAiB,EACjB,MAAgB,EAChB,MAAe;IAEf,+DAA+D;IAC/D,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,CAAC,iDAAiD,CAAC;YAC3D,MAAM;YACN,OAAO,EAAE,4EAA4E;SACtF,CAAC;IACJ,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,MAAM,IAAI,CACR,IAAI,EACJ,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,KAAK,IAAI,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,CAAC,EACtE,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;YACF,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM,EAAE,QAAQ;QAChB,MAAM;QACN,OAAO;QACP,MAAM;QACN,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,UAAU,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,eAAe,KAAK,IAAI,IAAI,cAAc,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,MAAM,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE;KAC7J,CAAC;AACJ,CAAC"}

package/dist/secrets-validate.d.ts

@@ -0,0 +1,41 @@
+/**
+ * `kit secrets validate [--fix] [--auto]` — verify every key declared
+ * in `.kit.toml [secrets.keys]` resolves to a non-empty value in the
+ * configured vault. Surfaces drift between declaration and reality.
+ *
+ *   no flag  — read-only check; exits non-zero on missing values
+ *   --fix    — interactive: prompt for value per missing key, write to vault
+ *   --auto   — non-interactive: read from .env.template (key=value) when
+ *              present, fail otherwise
+ *
+ * Read-only mode refuses --fix / --auto via the writeSecretToBackend gate.
+ */
+import type { kitConfig, SecretKeyConfig } from "./config.js";
+export interface ValidateResult {
+    key: string;
+    source: SecretKeyConfig["source"];
+    status: "present" | "missing" | "fixed" | "unfixable";
+    detail: string;
+}
+export interface ValidateOptions {
+    fix?: boolean;
+    auto?: boolean;
+    /** Prompt callback for --fix interactive flow. Test injectable. */
+    prompt?: (key: string) => Promise<string | null>;
+    /** Test override of cwd. */
+    cwd?: string;
+}
+/**
+ * Validate logic — checks for VALUE PRESENCE only. Uses an injectable
+ * `checkAvailability` so tests can mock backend resolution without touching
+ * real vaults.
+ */
+export declare function validateSecrets(config: kitConfig, opts?: ValidateOptions, checkAvailability?: (key: string, source: SecretKeyConfig["source"], cfg: SecretKeyConfig) => Promise<boolean>): Promise<ValidateResult[]>;
+export declare function summarizeValidation(results: ValidateResult[]): {
+    total: number;
+    present: number;
+    missing: number;
+    fixed: number;
+    unfixable: number;
+    ok: boolean;
+};

package/dist/secrets-validate.js

@@ -0,0 +1,126 @@
+/**
+ * `kit secrets validate [--fix] [--auto]` — verify every key declared
+ * in `.kit.toml [secrets.keys]` resolves to a non-empty value in the
+ * configured vault. Surfaces drift between declaration and reality.
+ *
+ *   no flag  — read-only check; exits non-zero on missing values
+ *   --fix    — interactive: prompt for value per missing key, write to vault
+ *   --auto   — non-interactive: read from .env.template (key=value) when
+ *              present, fail otherwise
+ *
+ * Read-only mode refuses --fix / --auto via the writeSecretToBackend gate.
+ */
+import { readFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { writeSecretToBackend, isValidKeyName } from "./secrets-migrate.js";
+async function loadEnvTemplate(cwd, templatePath) {
+    const out = new Map();
+    try {
+        const text = await readFile(resolve(cwd, templatePath), "utf-8");
+        for (const rawLine of text.split("\n")) {
+            const line = rawLine.trim();
+            if (!line || line.startsWith("#"))
+                continue;
+            const eq = line.indexOf("=");
+            if (eq <= 0)
+                continue;
+            const key = line.slice(0, eq).trim();
+            let value = line.slice(eq + 1).trim();
+            if ((value.startsWith('"') && value.endsWith('"')) ||
+                (value.startsWith("'") && value.endsWith("'"))) {
+                value = value.slice(1, -1);
+            }
+            if (isValidKeyName(key))
+                out.set(key, value);
+        }
+    }
+    catch {
+        /* template missing — ok */
+    }
+    return out;
+}
+/**
+ * Validate logic — checks for VALUE PRESENCE only. Uses an injectable
+ * `checkAvailability` so tests can mock backend resolution without touching
+ * real vaults.
+ */
+export async function validateSecrets(config, opts = {}, checkAvailability = async (key, source, _cfg) => {
+    if (source === "env")
+        return Boolean(process.env[key]);
+    // For all other sources we can't easily check without invoking the
+    // backend CLI here — callers in CLI surface should pass the real
+    // check function (see check-secrets.ts) so this default doesn't
+    // false-positive in unit tests.
+    return false;
+}) {
+    const cwd = opts.cwd ?? process.cwd();
+    const keys = config.secrets?.keys ?? {};
+    const results = [];
+    const templateValues = config.secrets?.template
+        ? await loadEnvTemplate(cwd, config.secrets.template)
+        : new Map();
+    for (const [key, keyConfig] of Object.entries(keys)) {
+        const present = await checkAvailability(key, keyConfig.source, keyConfig);
+        if (present) {
+            results.push({ key, source: keyConfig.source, status: "present", detail: "" });
+            continue;
+        }
+        if (!opts.fix && !opts.auto) {
+            results.push({
+                key,
+                source: keyConfig.source,
+                status: "missing",
+                detail: `not resolvable via ${keyConfig.source}`,
+            });
+            continue;
+        }
+        let value = null;
+        if (opts.auto) {
+            const candidate = templateValues.get(key);
+            if (candidate && candidate.length > 0) {
+                value = candidate;
+            }
+        }
+        else if (opts.fix && opts.prompt) {
+            value = await opts.prompt(key);
+        }
+        if (!value) {
+            results.push({
+                key,
+                source: keyConfig.source,
+                status: "unfixable",
+                detail: opts.auto
+                    ? "no value in .env.template — re-run with --fix to enter interactively"
+                    : "no value provided",
+            });
+            continue;
+        }
+        const store = config.secrets?.store;
+        if (!store || store === "env") {
+            results.push({
+                key,
+                source: keyConfig.source,
+                status: "unfixable",
+                detail: "no vault backend configured ([secrets].store)",
+            });
+            continue;
+        }
+        const write = await writeSecretToBackend(store, key, value);
+        results.push({
+            key,
+            source: keyConfig.source,
+            status: write.ok ? "fixed" : "unfixable",
+            detail: write.detail,
+        });
+    }
+    return results;
+}
+export function summarizeValidation(results) {
+    const counts = { total: results.length, present: 0, missing: 0, fixed: 0, unfixable: 0, ok: true };
+    for (const r of results) {
+        counts[r.status]++;
+    }
+    counts.ok = counts.missing === 0 && counts.unfixable === 0;
+    return counts;
+}
+//# sourceMappingURL=secrets-validate.js.map

package/dist/secrets-validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-validate.js","sourceRoot":"","sources":["../src/secrets-validate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,oBAAoB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAkB5E,KAAK,UAAU,eAAe,CAAC,GAAW,EAAE,YAAoB;IAC9D,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC,EAAE,OAAO,CAAC,CAAC;QACjE,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;gBAAE,SAAS;YAC5C,MAAM,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC7B,IAAI,EAAE,IAAI,CAAC;gBAAE,SAAS;YACtB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACrC,IAAI,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACtC,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;gBAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;gBACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,cAAc,CAAC,GAAG,CAAC;gBAAE,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAiB,EACjB,OAAwB,EAAE,EAC1B,oBAAgH,KAAK,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE;IAC1I,IAAI,MAAM,KAAK,KAAK;QAAE,OAAO,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACvD,mEAAmE;IACnE,iEAAiE;IACjE,gEAAgE;IAChE,gCAAgC;IAChC,OAAO,KAAK,CAAC;AACf,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC;IACxC,MAAM,OAAO,GAAqB,EAAE,CAAC;IACrC,MAAM,cAAc,GAAG,MAAM,CAAC,OAAO,EAAE,QAAQ;QAC7C,CAAC,CAAC,MAAM,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;QACrD,CAAC,CAAC,IAAI,GAAG,EAAkB,CAAC;IAE9B,KAAK,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACpD,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAC1E,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC;YAC/E,SAAS;QACX,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG;gBACH,MAAM,EAAE,SAAS,CAAC,MAAM;gBACxB,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,sBAAsB,SAAS,CAAC,MAAM,EAAE;aACjD,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QACD,IAAI,KAAK,GAAkB,IAAI,CAAC;QAChC,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1C,IAAI,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtC,KAAK,GAAG,SAAS,CAAC;YACpB,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YACnC,KAAK,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjC,CAAC;QACD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG;gBACH,MAAM,EAAE,SAAS,CAAC,MAAM;gBACxB,MAAM,EAAE,WAAW;gBACnB,MAAM,EAAE,IAAI,CAAC,IAAI;oBACf,CAAC,CAAC,sEAAsE;oBACxE,CAAC,CAAC,mBAAmB;aACxB,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC;QACpC,IAAI,CAAC,KAAK,IAAI,KAAK,KAAK,KAAK,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG;gBACH,MAAM,EAAE,SAAS,CAAC,MAAM;gBACxB,MAAM,EAAE,WAAW;gBACnB,MAAM,EAAE,+CAA+C;aACxD,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,KAAK,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAC5D,OAAO,CAAC,IAAI,CAAC;YACX,GAAG;YACH,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW;YACxC,MAAM,EAAE,KAAK,CAAC,MAAM;SACrB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAyB;IAQ3D,MAAM,MAAM,GAAG,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACnG,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;IACrB,CAAC;IACD,MAAM,CAAC,EAAE,GAAG,MAAM,CAAC,OAAO,KAAK,CAAC,IAAI,MAAM,CAAC,SAAS,KAAK,CAAC,CAAC;IAC3D,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/secrets-vault-migrate.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Cross-vault secret migration.
+ *
+ * `kit secrets migrate` covers plaintext-→-vault. This module covers the
+ * harder case: moving every key defined in `.kit.toml` from one configured
+ * backend to another (e.g. 1password → infisical) without ever printing the
+ * value to a console and without leaving a half-migrated state on failure.
+ *
+ * Flow per key:
+ *   1. Read value from source backend (no log echo).
+ *   2. Write value to target backend.
+ *   3. Rewrite the `.kit.toml` entry in place — `source = "target"`,
+ *      `ref`/`name` updated to the new backend's convention.
+ *   4. Audit-log the move (operation: "vault-migrate", success: bool).
+ *
+ * Errors at step 2 leave step 3 untouched — the source vault remains the
+ * authoritative store. The user is told which keys succeeded so they can
+ * re-run for the rest.
+ *
+ * NOT included by design:
+ *   - Deleting the value from the source vault. That's a separate
+ *     `kit secrets revoke-old` call (already exists). Keeping the old
+ *     copy until rotation lets the operator roll back if the target is
+ *     misconfigured.
+ *   - Rotation. Migration moves the SAME value. Use `secrets rotate` after
+ *     migration if you also want to mint fresh credentials.
+ */
+import type { SecretsConfig, SecretKeyConfig } from "./config.js";
+type BackendSource = SecretKeyConfig["source"];
+export interface VaultMigrateOptions {
+    /** Source backend currently referenced in `.kit.toml`. */
+    from: BackendSource;
+    /** Target backend to migrate to. */
+    to: BackendSource;
+    /** Show what would happen without writing anywhere. */
+    dryRun?: boolean;
+    /** cwd override (for tests). */
+    cwd?: string;
+}
+export interface MigrationItem {
+    name: string;
+    ok: boolean;
+    detail: string;
+    /** New ref written to .kit.toml on success. */
+    newRef?: string;
+}
+export interface VaultMigrateResult {
+    items: MigrationItem[];
+    /** Source keys discovered. */
+    discovered: number;
+    /** Number of items that completed all three steps. */
+    succeeded: number;
+}
+/**
+ * Reads a single secret value from the configured source backend. Returns
+ * `{ ok: false }` and never the value when reading fails, so the caller
+ * cannot accidentally write an empty string to the target.
+ */
+export declare function readSecretFromBackend(source: BackendSource, config: SecretKeyConfig, topLevel: SecretsConfig): Promise<{
+    ok: boolean;
+    value?: string;
+    detail: string;
+}>;
+/**
+ * Orchestrates the migration. Caller is responsible for elevation (call
+ * `consumeElevation("vault-migrate")` first) so we don't double-prompt.
+ */
+export declare function vaultMigrate(config: {
+    secrets?: SecretsConfig;
+}, opts: VaultMigrateOptions): Promise<VaultMigrateResult>;
+export {};