sandstream-kit 1.0.0

package/dist/secrets-vault-migrate.js

@@ -0,0 +1,258 @@
+/**
+ * Cross-vault secret migration.
+ *
+ * `kit secrets migrate` covers plaintext-→-vault. This module covers the
+ * harder case: moving every key defined in `.kit.toml` from one configured
+ * backend to another (e.g. 1password → infisical) without ever printing the
+ * value to a console and without leaving a half-migrated state on failure.
+ *
+ * Flow per key:
+ *   1. Read value from source backend (no log echo).
+ *   2. Write value to target backend.
+ *   3. Rewrite the `.kit.toml` entry in place — `source = "target"`,
+ *      `ref`/`name` updated to the new backend's convention.
+ *   4. Audit-log the move (operation: "vault-migrate", success: bool).
+ *
+ * Errors at step 2 leave step 3 untouched — the source vault remains the
+ * authoritative store. The user is told which keys succeeded so they can
+ * re-run for the rest.
+ *
+ * NOT included by design:
+ *   - Deleting the value from the source vault. That's a separate
+ *     `kit secrets revoke-old` call (already exists). Keeping the old
+ *     copy until rotation lets the operator roll back if the target is
+ *     misconfigured.
+ *   - Rotation. Migration moves the SAME value. Use `secrets rotate` after
+ *     migration if you also want to mint fresh credentials.
+ */
+import { readFile, writeFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { writeSecretToBackend, isValidKeyName, escapeRegex } from "./secrets-migrate.js";
+import { redactSecrets } from "./utils/redactSecrets.js";
+import { appendAuditEventDirect } from "./audit.js";
+import { exec } from "./utils/exec.js";
+/**
+ * Reads a single secret value from the configured source backend. Returns
+ * `{ ok: false }` and never the value when reading fails, so the caller
+ * cannot accidentally write an empty string to the target.
+ */
+export async function readSecretFromBackend(source, config, topLevel) {
+    try {
+        switch (source) {
+            case "1password": {
+                if (!config.ref)
+                    return { ok: false, detail: "no 1Password ref" };
+                // Pre-flight: refuse to call `op read` without an account configured.
+                // Otherwise op prompts "Do you want to add an account?" on every call
+                // and the migration emits 12 vague "Command failed" lines per key.
+                const { check1PasswordStatus } = await import("./onepassword.js");
+                const opStatus = await check1PasswordStatus();
+                if (!opStatus.installed) {
+                    return { ok: false, detail: "1Password CLI not installed" };
+                }
+                if (!opStatus.authenticated) {
+                    return {
+                        ok: false,
+                        detail: "1Password CLI present but no account configured — run 'op account add', enable desktop-app CLI integration, or set OP_SERVICE_ACCOUNT_TOKEN",
+                    };
+                }
+                const { stdout } = await exec("op", ["read", config.ref, "--no-newline"], {
+                    timeout: 15_000,
+                });
+                return { ok: true, value: stdout, detail: "read from 1Password" };
+            }
+            case "infisical": {
+                const name = config.name;
+                if (!name)
+                    return { ok: false, detail: "no Infisical name" };
+                const args = ["secrets", "get", name, "--plain"];
+                if (topLevel.infisical?.project_id)
+                    args.push("--projectId", topLevel.infisical.project_id);
+                if (topLevel.infisical?.environment)
+                    args.push("--env", topLevel.infisical.environment);
+                const { stdout } = await exec("infisical", args, { timeout: 15_000 });
+                return { ok: true, value: stdout.trim(), detail: "read from Infisical" };
+            }
+            case "bitwarden": {
+                const field = config.name || config.ref;
+                if (!field)
+                    return { ok: false, detail: "no Bitwarden field" };
+                const { stdout } = await exec("bw", ["get", field], { timeout: 15_000 });
+                return { ok: true, value: stdout.trim(), detail: "read from Bitwarden" };
+            }
+            case "doppler": {
+                if (!config.name)
+                    return { ok: false, detail: "no Doppler name" };
+                const { stdout } = await exec("doppler", ["secrets", "get", config.name, "--plain"], { timeout: 15_000 });
+                return { ok: true, value: stdout.trim(), detail: "read from Doppler" };
+            }
+            case "vault": {
+                const path = config.vault_path || "secret/data/kit";
+                const field = config.name || "value";
+                const { stdout } = await exec("vault", ["kv", "get", "-field", field, path], { timeout: 15_000 });
+                return { ok: true, value: stdout.trim(), detail: `read from Vault ${path}` };
+            }
+            case "aws-sm": {
+                const args = ["secretsmanager", "get-secret-value", "--secret-id", config.name || ""];
+                if (config.aws_region)
+                    args.push("--region", config.aws_region);
+                args.push("--query", "SecretString", "--output", "text");
+                const { stdout } = await exec("aws", args, { timeout: 15_000 });
+                return { ok: true, value: stdout.trim(), detail: "read from AWS Secrets Manager" };
+            }
+            case "gcp-sm": {
+                const args = ["secrets", "versions", "access", "latest", "--secret", config.name || ""];
+                if (config.gcp_project)
+                    args.push("--project", config.gcp_project);
+                const { stdout } = await exec("gcloud", args, { timeout: 15_000 });
+                return { ok: true, value: stdout.trim(), detail: "read from GCP Secret Manager" };
+            }
+            case "azure-kv": {
+                const vault = config.azure_vault;
+                if (!vault)
+                    return { ok: false, detail: "no Azure vault" };
+                const { stdout } = await exec("az", ["keyvault", "secret", "show", "--vault-name", vault, "--name", config.name || "", "--query", "value", "-o", "tsv"], { timeout: 15_000 });
+                return { ok: true, value: stdout.trim(), detail: "read from Azure Key Vault" };
+            }
+            case "env":
+            case "config":
+                return {
+                    ok: false,
+                    detail: `source "${source}" is plaintext-resident — use 'kit secrets migrate' (env/.env → vault) instead`,
+                };
+            default:
+                return { ok: false, detail: `read from "${source}" not supported` };
+        }
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message.split("\n")[0] : String(err);
+        return { ok: false, detail: `read failed: ${redactSecrets(msg)}` };
+    }
+}
+/**
+ * Rewrites `.kit.toml` in place so the named key's `source` / `ref` /
+ * `name` reflect the new backend. Conservative regex-based edit — we only
+ * touch lines that match the `<KEY> = { source = "<from>", ...` shape so
+ * unrelated TOML structure is preserved exactly as the user wrote it.
+ */
+async function rewriteConfigRef(cwd, keyName, to, newRef) {
+    if (!isValidKeyName(keyName)) {
+        return { ok: false, detail: `invalid key name "${keyName}"` };
+    }
+    const path = resolve(cwd, ".kit.toml");
+    let text;
+    try {
+        text = await readFile(path, "utf-8");
+    }
+    catch {
+        return { ok: false, detail: ".kit.toml not readable" };
+    }
+    // Match the whole inline-table line for this key. keyName is already
+    // validated by isValidKeyName above; escapeRegex is defense-in-depth.
+    const lineRe = new RegExp(`^(\\s*${escapeRegex(keyName)}\\s*=\\s*\\{)[^}\\n]*(\\}\\s*)$`, "m");
+    const match = text.match(lineRe);
+    if (!match) {
+        return { ok: false, detail: `key "${keyName}" not found in .kit.toml or shape unexpected` };
+    }
+    // Pick the right inline-table key for the target backend.
+    const inline = to === "1password"
+        ? `source = "1password", ref = "${newRef}"`
+        : to === "vault"
+            ? `source = "vault", vault_path = "${newRef}"`
+            : `source = "${to}", name = "${newRef}"`;
+    const replaced = text.replace(lineRe, `$1 ${inline} $2`);
+    if (replaced === text) {
+        return { ok: false, detail: `no change written for "${keyName}"` };
+    }
+    await writeFile(path, replaced, "utf-8");
+    return { ok: true, detail: "rewrote .kit.toml" };
+}
+/**
+ * Orchestrates the migration. Caller is responsible for elevation (call
+ * `consumeElevation("vault-migrate")` first) so we don't double-prompt.
+ */
+export async function vaultMigrate(config, opts) {
+    const items = [];
+    const cwd = opts.cwd ?? process.cwd();
+    const entries = Object.entries(config.secrets?.keys ?? {});
+    const targeted = entries.filter(([, c]) => c.source === opts.from);
+    for (const [name, keyConfig] of targeted) {
+        const read = await readSecretFromBackend(opts.from, keyConfig, config.secrets ?? {});
+        if (!read.ok || !read.value) {
+            items.push({ name, ok: false, detail: `read: ${read.detail}` });
+            await appendAuditEventDirect({
+                operation: "vault-migrate",
+                environment: process.env.KIT_ENV ?? "unknown",
+                success: false,
+                error: read.detail,
+                metadata: { key: name, from: opts.from, to: opts.to, stage: "read" },
+            }, { cwd });
+            continue;
+        }
+        if (opts.dryRun) {
+            items.push({
+                name,
+                ok: true,
+                detail: `would migrate to ${opts.to} (dry-run, ${read.value.length} chars)`,
+            });
+            continue;
+        }
+        // writeSecretToBackend's `store` parameter is narrower than BackendSource
+        // (excludes "config" / "eas" — neither makes sense as a write target).
+        // The reader returned !ok above for those cases, so this assertion is safe.
+        const writeStore = opts.to;
+        const write = await writeSecretToBackend(writeStore, name, read.value, {
+            vault: keyConfig.azure_vault,
+            project: keyConfig.gcp_project,
+            region: keyConfig.aws_region,
+            vaultPath: keyConfig.vault_path,
+        });
+        if (!write.ok) {
+            items.push({ name, ok: false, detail: `write: ${write.detail}` });
+            await appendAuditEventDirect({
+                operation: "vault-migrate",
+                environment: process.env.KIT_ENV ?? "unknown",
+                success: false,
+                error: write.detail,
+                metadata: { key: name, from: opts.from, to: opts.to, stage: "write" },
+            }, { cwd });
+            continue;
+        }
+        // Determine the new ref the target backend uses. 1password gives us
+        // `op://...`; others store under name = "<KEY>" or vault-path.
+        const newRef = write.ref ??
+            (opts.to === "vault"
+                ? keyConfig.vault_path || `secret/data/kit#${name}`
+                : name);
+        const rewrite = await rewriteConfigRef(cwd, name, opts.to, newRef);
+        if (!rewrite.ok) {
+            items.push({
+                name,
+                ok: false,
+                detail: `write OK but config rewrite failed: ${rewrite.detail}`,
+                newRef,
+            });
+            await appendAuditEventDirect({
+                operation: "vault-migrate",
+                environment: process.env.KIT_ENV ?? "unknown",
+                success: false,
+                error: rewrite.detail,
+                metadata: { key: name, from: opts.from, to: opts.to, stage: "rewrite", newRef },
+            }, { cwd });
+            continue;
+        }
+        items.push({ name, ok: true, detail: `migrated to ${opts.to}`, newRef });
+        await appendAuditEventDirect({
+            operation: "vault-migrate",
+            environment: process.env.KIT_ENV ?? "unknown",
+            success: true,
+            metadata: { key: name, from: opts.from, to: opts.to, newRef },
+        }, { cwd });
+    }
+    return {
+        items,
+        discovered: targeted.length,
+        succeeded: items.filter((i) => i.ok).length,
+    };
+}
+//# sourceMappingURL=secrets-vault-migrate.js.map

package/dist/secrets-vault-migrate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-vault-migrate.js","sourceRoot":"","sources":["../src/secrets-vault-migrate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,oBAAoB,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACzF,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AACzD,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AACpD,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAgCvC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAqB,EACrB,MAAuB,EACvB,QAAuB;IAEvB,IAAI,CAAC;QACH,QAAQ,MAAM,EAAE,CAAC;YACf,KAAK,WAAW,CAAC,CAAC,CAAC;gBACjB,IAAI,CAAC,MAAM,CAAC,GAAG;oBAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAC;gBAClE,sEAAsE;gBACtE,sEAAsE;gBACtE,mEAAmE;gBACnE,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,kBAAkB,CAAC,CAAC;gBAClE,MAAM,QAAQ,GAAG,MAAM,oBAAoB,EAAE,CAAC;gBAC9C,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;oBACxB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAC;gBAC9D,CAAC;gBACD,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;oBAC5B,OAAO;wBACL,EAAE,EAAE,KAAK;wBACT,MAAM,EACJ,6IAA6I;qBAChJ,CAAC;gBACJ,CAAC;gBACD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE;oBACxE,OAAO,EAAE,MAAM;iBAChB,CAAC,CAAC;gBACH,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;YACpE,CAAC;YACD,KAAK,WAAW,CAAC,CAAC,CAAC;gBACjB,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;gBACzB,IAAI,CAAC,IAAI;oBAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;gBAC7D,MAAM,IAAI,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,CAAC,CAAC;gBACjD,IAAI,QAAQ,CAAC,SAAS,EAAE,UAAU;oBAAE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;gBAC5F,IAAI,QAAQ,CAAC,SAAS,EAAE,WAAW;oBAAE,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;gBACxF,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBACtE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;YAC3E,CAAC;YACD,KAAK,WAAW,CAAC,CAAC,CAAC;gBACjB,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,GAAG,CAAC;gBACxC,IAAI,CAAC,KAAK;oBAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC;gBAC/D,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBACzE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;YAC3E,CAAC;YACD,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,IAAI,CAAC,MAAM,CAAC,IAAI;oBAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;gBAClE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,SAAS,EACT,CAAC,SAAS,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,EAC1C,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;gBACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;YACzE,CAAC;YACD,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,IAAI,iBAAiB,CAAC;gBACpD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC;gBACrC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,OAAO,EACP,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,EACpC,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;gBACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,mBAAmB,IAAI,EAAE,EAAE,CAAC;YAC/E,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,IAAI,GAAG,CAAC,gBAAgB,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;gBACtF,IAAI,MAAM,CAAC,UAAU;oBAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;gBAChE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;gBACzD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBAChE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,+BAA+B,EAAE,CAAC;YACrF,CAAC;YACD,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,IAAI,GAAG,CAAC,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;gBACxF,IAAI,MAAM,CAAC,WAAW;oBAAE,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;gBACnE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;gBACnE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;YACpF,CAAC;YACD,KAAK,UAAU,CAAC,CAAC,CAAC;gBAChB,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC;gBACjC,IAAI,CAAC,KAAK;oBAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;gBAC3D,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,IAAI,EACJ,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,EACnH,EAAE,OAAO,EAAE,MAAM,EAAE,CACpB,CAAC;gBACF,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;YACjF,CAAC;YACD,KAAK,KAAK,CAAC;YACX,KAAK,QAAQ;gBACX,OAAO;oBACL,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,WAAW,MAAM,gFAAgF;iBAC1G,CAAC;YACJ;gBACE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,MAAM,iBAAiB,EAAE,CAAC;QACxE,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC5E,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,aAAa,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;IACrE,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,gBAAgB,CAC7B,GAAW,EACX,OAAe,EACf,EAAiB,EACjB,MAAc;IAEd,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,EAAE,CAAC;QAC7B,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,OAAO,GAAG,EAAE,CAAC;IAChE,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IACvC,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAC;IACzD,CAAC;IACD,qEAAqE;IACrE,sEAAsE;IACtE,MAAM,MAAM,GAAG,IAAI,MAAM,CAAC,SAAS,WAAW,CAAC,OAAO,CAAC,iCAAiC,EAAE,GAAG,CAAC,CAAC;IAC/F,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,OAAO,8CAA8C,EAAE,CAAC;IAC9F,CAAC;IACD,0DAA0D;IAC1D,MAAM,MAAM,GACV,EAAE,KAAK,WAAW;QAChB,CAAC,CAAC,gCAAgC,MAAM,GAAG;QAC3C,CAAC,CAAC,EAAE,KAAK,OAAO;YACd,CAAC,CAAC,mCAAmC,MAAM,GAAG;YAC9C,CAAC,CAAC,aAAa,EAAE,cAAc,MAAM,GAAG,CAAC;IAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,MAAM,KAAK,CAAC,CAAC;IACzD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,0BAA0B,OAAO,GAAG,EAAE,CAAC;IACrE,CAAC;IACD,MAAM,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;IACzC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;AACnD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAmC,EACnC,IAAyB;IAEzB,MAAM,KAAK,GAAoB,EAAE,CAAC;IAClC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACtC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IAC3D,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,IAAI,CAAC,CAAC;IAEnE,KAAK,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzC,MAAM,IAAI,GAAG,MAAM,qBAAqB,CACtC,IAAI,CAAC,IAAI,EACT,SAAS,EACT,MAAM,CAAC,OAAO,IAAK,EAAoB,CACxC,CAAC;QACF,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAChE,MAAM,sBAAsB,CAAC;gBAC3B,SAAS,EAAE,eAAe;gBAC1B,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,SAAS;gBAC7C,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,IAAI,CAAC,MAAM;gBAClB,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;aACrE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;YACZ,SAAS;QACX,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC;gBACT,IAAI;gBACJ,EAAE,EAAE,IAAI;gBACR,MAAM,EAAE,oBAAoB,IAAI,CAAC,EAAE,cAAc,IAAI,CAAC,KAAK,CAAC,MAAM,SAAS;aAC5E,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,4EAA4E;QAC5E,MAAM,UAAU,GAAG,IAAI,CAAC,EAA8C,CAAC;QACvE,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,UAAU,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,EAAE;YACrE,KAAK,EAAE,SAAS,CAAC,WAAW;YAC5B,OAAO,EAAE,SAAS,CAAC,WAAW;YAC9B,MAAM,EAAE,SAAS,CAAC,UAAU;YAC5B,SAAS,EAAE,SAAS,CAAC,UAAU;SAChC,CAAC,CAAC;QACH,IAAI,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC;YACd,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAClE,MAAM,sBAAsB,CAAC;gBAC3B,SAAS,EAAE,eAAe;gBAC1B,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,SAAS;gBAC7C,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,KAAK,CAAC,MAAM;gBACnB,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE;aACtE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;YACZ,SAAS;QACX,CAAC;QAED,oEAAoE;QACpE,+DAA+D;QAC/D,MAAM,MAAM,GACV,KAAK,CAAC,GAAG;YACT,CAAC,IAAI,CAAC,EAAE,KAAK,OAAO;gBAClB,CAAC,CAAC,SAAS,CAAC,UAAU,IAAI,mBAAmB,IAAI,EAAE;gBACnD,CAAC,CAAC,IAAI,CAAC,CAAC;QACZ,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACnE,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC;gBACT,IAAI;gBACJ,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,uCAAuC,OAAO,CAAC,MAAM,EAAE;gBAC/D,MAAM;aACP,CAAC,CAAC;YACH,MAAM,sBAAsB,CAAC;gBAC3B,SAAS,EAAE,eAAe;gBAC1B,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,SAAS;gBAC7C,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,OAAO,CAAC,MAAM;gBACrB,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE;aAChF,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;YACZ,SAAS;QACX,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,eAAe,IAAI,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QACzE,MAAM,sBAAsB,CAAC;YAC3B,SAAS,EAAE,eAAe;YAC1B,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,SAAS;YAC7C,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE;SAC9D,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;IACd,CAAC;IAED,OAAO;QACL,KAAK;QACL,UAAU,EAAE,QAAQ,CAAC,MAAM;QAC3B,SAAS,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM;KAC5C,CAAC;AACJ,CAAC"}

package/dist/secrets.d.ts

@@ -0,0 +1,16 @@
+import type { SecretsConfig } from "./config.js";
+export interface SecretResolveResult {
+    name: string;
+    resolved: boolean;
+    value: string | null;
+    detail: string;
+    /** True when the backend manages the value out-of-band (e.g. EAS) — `value`
+     *  is a display placeholder, not a real secret, so it's never written to
+     *  .env.local. Lets the writer skip these without sniffing the value string. */
+    managed?: boolean;
+}
+export declare function generateSecrets(secrets: SecretsConfig, outputPath?: string): Promise<{
+    results: SecretResolveResult[];
+    written: boolean;
+    fromTemplate: boolean;
+}>;

package/dist/secrets.js

@@ -0,0 +1,72 @@
+import { readFile, writeFile, access } from "node:fs/promises";
+import { resolveViaBackend, resetInfisicalCache } from "./secret-backends.js";
+/** Interpolate {{KEY}} placeholders in a template string with resolved values. */
+function interpolateTemplate(template, resolved) {
+    return template.replace(/\{\{(\w+)\}\}/g, (_match, key) => {
+        return resolved.get(key) ?? `{{${key}}}`;
+    });
+}
+async function loadTemplate(templatePath) {
+    try {
+        await access(templatePath);
+        return await readFile(templatePath, "utf-8");
+    }
+    catch {
+        return null;
+    }
+}
+export async function generateSecrets(secrets, outputPath = ".env.local") {
+    const results = [];
+    if (!secrets.keys) {
+        return { results, written: false, fromTemplate: false };
+    }
+    // Reset the Infisical bulk-fetch cache for each generateSecrets call.
+    resetInfisicalCache();
+    for (const [name, config] of Object.entries(secrets.keys)) {
+        results.push(await resolveViaBackend(name, config, secrets.infisical));
+    }
+    // Build a lookup of resolved values
+    const resolved = new Map();
+    for (const r of results) {
+        // Skip backend-managed values (e.g. EAS) — their `value` is a display
+        // placeholder, not a real secret to write into .env.local.
+        if (r.resolved && r.value !== null && !r.managed) {
+            resolved.set(r.name, r.value);
+        }
+    }
+    let content;
+    let fromTemplate = false;
+    // If a template is configured, read it and interpolate
+    const template = secrets.template ? await loadTemplate(secrets.template) : null;
+    if (template !== null) {
+        fromTemplate = true;
+        const header = [
+            "# Generated by kit secrets from template — do not edit manually",
+            `# Template: ${secrets.template}`,
+            `# Generated at ${new Date().toISOString()}`,
+            "",
+        ].join("\n");
+        content = header + interpolateTemplate(template, resolved) + "\n";
+    }
+    else {
+        // Fallback: generate from keys
+        const lines = [
+            "# Generated by kit secrets — do not edit manually",
+            `# Generated at ${new Date().toISOString()}`,
+            "",
+        ];
+        for (const result of results) {
+            if (resolved.has(result.name)) {
+                lines.push(`${result.name}=${resolved.get(result.name)}`);
+            }
+            else {
+                lines.push(`# ${result.name}= # ${result.detail}`);
+            }
+        }
+        lines.push("");
+        content = lines.join("\n");
+    }
+    await writeFile(outputPath, content, "utf-8");
+    return { results, written: true, fromTemplate };
+}
+//# sourceMappingURL=secrets.js.map

package/dist/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../src/secrets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE/D,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAc9E,kFAAkF;AAClF,SAAS,mBAAmB,CAC1B,QAAgB,EAChB,QAA6B;IAE7B,OAAO,QAAQ,CAAC,OAAO,CAAC,gBAAgB,EAAE,CAAC,MAAM,EAAE,GAAW,EAAE,EAAE;QAChE,OAAO,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,GAAG,IAAI,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,YAAoB;IAC9C,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;QAC3B,OAAO,MAAM,QAAQ,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,OAAsB,EACtB,aAAqB,YAAY;IAEjC,MAAM,OAAO,GAA0B,EAAE,CAAC;IAE1C,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC;IAC1D,CAAC;IAED,sEAAsE;IACtE,mBAAmB,EAAE,CAAC;IAEtB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC,MAAM,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;IACzE,CAAC;IAED,oCAAoC;IACpC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC3C,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,sEAAsE;QACtE,2DAA2D;QAC3D,IAAI,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,KAAK,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YACjD,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,IAAI,OAAe,CAAC;IACpB,IAAI,YAAY,GAAG,KAAK,CAAC;IAEzB,uDAAuD;IACvD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEhF,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,YAAY,GAAG,IAAI,CAAC;QACpB,MAAM,MAAM,GAAG;YACb,iEAAiE;YACjE,eAAe,OAAO,CAAC,QAAQ,EAAE;YACjC,kBAAkB,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;YAC5C,EAAE;SACH,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACb,OAAO,GAAG,MAAM,GAAG,mBAAmB,CAAC,QAAQ,EAAE,QAAQ,CAAC,GAAG,IAAI,CAAC;IACpE,CAAC;SAAM,CAAC;QACN,+BAA+B;QAC/B,MAAM,KAAK,GAAa;YACtB,mDAAmD;YACnD,kBAAkB,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;YAC5C,EAAE;SACH,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC9B,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,IAAI,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC5D,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,IAAI,CAAC,KAAK,MAAM,CAAC,IAAI,OAAO,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,SAAS,CAAC,UAAU,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAC9C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;AAClD,CAAC"}

package/dist/security-hardening.d.ts

@@ -0,0 +1,150 @@
+export type VulnerabilitySeverity = "critical" | "high" | "medium" | "low" | "info";
+export type SecurityCheckType = "dependency_scan" | "code_analysis" | "permission_check" | "rate_limit" | "encryption" | "auth_check";
+export interface Vulnerability {
+    id: string;
+    cve?: string;
+    type: string;
+    severity: VulnerabilitySeverity;
+    affectedPackage: string;
+    affectedVersion: string;
+    fixedVersion?: string;
+    description: string;
+    discoveredAt: string;
+    remediationSteps: string[];
+}
+export interface SecurityCheckResult {
+    type: SecurityCheckType;
+    passed: boolean;
+    message: string;
+    details: Record<string, unknown>;
+    severity: VulnerabilitySeverity;
+    timestamp: string;
+}
+export interface SecurityAuditEntry {
+    id: string;
+    action: string;
+    actor: string;
+    resource: string;
+    status: "success" | "failure";
+    details: Record<string, unknown>;
+    timestamp: string;
+    ipAddress?: string;
+}
+export interface RateLimitConfig {
+    windowMs: number;
+    maxRequests: number;
+    message?: string;
+    keyGenerator?: (req: unknown) => string;
+}
+export interface RateLimitStatus {
+    requestCount: number;
+    resetTime: Date;
+    remaining: number;
+    retryAfter?: number;
+}
+export interface SecurityPolicy {
+    id: string;
+    name: string;
+    description: string;
+    rules: Array<{
+        rule: string;
+        enabled: boolean;
+        severity: VulnerabilitySeverity;
+    }>;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface SecurityReport {
+    pluginId: string;
+    timestamp: string;
+    vulnerabilities: Vulnerability[];
+    checks: SecurityCheckResult[];
+    score: number;
+    status: "pass" | "warning" | "fail";
+}
+export declare class SecurityHardeningEngine {
+    private vulnerabilities;
+    private auditLog;
+    private rateLimiters;
+    private securityPolicies;
+    private checksResults;
+    /**
+     * Register a known vulnerability.
+     */
+    registerVulnerability(vuln: Vulnerability): void;
+    /**
+     * Scan dependencies for known vulnerabilities.
+     */
+    scanDependencies(pluginId: string, dependencies: Array<{
+        name: string;
+        version: string;
+    }>): Vulnerability[];
+    private versionMatches;
+    /**
+     * Get vulnerability by ID.
+     */
+    getVulnerability(vulnId: string): Vulnerability | null;
+    /**
+     * Get all vulnerabilities.
+     */
+    getAllVulnerabilities(): Vulnerability[];
+    /**
+     * Run a security check.
+     */
+    runSecurityCheck(type: SecurityCheckType, pluginId: string, data: Record<string, unknown>): SecurityCheckResult;
+    private checkDependencyScan;
+    private checkPermissions;
+    private checkEncryption;
+    private checkAuthentication;
+    /**
+     * Log a security audit event.
+     */
+    logAuditEvent(action: string, actor: string, resource: string, status: "success" | "failure", details?: Record<string, unknown>, ipAddress?: string): SecurityAuditEntry;
+    /**
+     * Get audit log entries.
+     */
+    getAuditLog(limit?: number, offset?: number): SecurityAuditEntry[];
+    /**
+     * Get audit log entries for actor.
+     */
+    getAuditLogForActor(actor: string): SecurityAuditEntry[];
+    /**
+     * Get failed audit events.
+     */
+    getFailedAuditEvents(): SecurityAuditEntry[];
+    /**
+     * Configure rate limiting for an endpoint.
+     */
+    configureRateLimit(endpoint: string, config: RateLimitConfig): void;
+    /**
+     * Check if a request is rate limited.
+     */
+    checkRateLimit(endpoint: string, key: string): RateLimitStatus;
+    /**
+     * Reset rate limit for a key.
+     */
+    resetRateLimit(endpoint: string, key: string): void;
+    /**
+     * Create a security policy.
+     */
+    createPolicy(name: string, description: string, rules: string[]): SecurityPolicy;
+    /**
+     * Get security policy.
+     */
+    getPolicy(policyId: string): SecurityPolicy | null;
+    /**
+     * Get all policies.
+     */
+    getAllPolicies(): SecurityPolicy[];
+    /**
+     * Generate security report for a plugin.
+     */
+    generateSecurityReport(pluginId: string): SecurityReport;
+    /**
+     * Get security score for plugin.
+     */
+    getSecurityScore(pluginId: string): number;
+    getVulnerabilitiesCache(): Map<string, Vulnerability>;
+    getAuditLogCache(): SecurityAuditEntry[];
+    getPoliciesCache(): Map<string, SecurityPolicy>;
+}