sandstream-kit 1.5.0 → 1.6.0

package/README.md

@@ -6,6 +6,8 @@ For AI agents and humans. Manages tools, auth, secrets, and project setup. Zero
 
 🌐 [sandstre.am/kit](https://sandstre.am/kit)
 
+[![Buy Me a Coffee](https://img.shields.io/badge/Buy%20Me%20a%20Coffee-support-FFDD00?logo=buymeacoffee&logoColor=black)](https://buymeacoffee.com/sandstream)
+
 ## Quick start
 
 **Prerequisites:** Node.js 22+, git, and [mise](https://mise.jdx.dev) for installing tools (`brew install mise`, or `curl https://mise.run | sh`).
@@ -708,6 +710,10 @@ For Cline, add the same config to your `cline_mcp_settings.json`.
 - 🐛 **Issues**: [github.com/sandstream/kit/issues](https://github.com/sandstream/kit/issues)
 - 🤝 **Contributing**: [CONTRIBUTING.md](CONTRIBUTING.md), [COMMUNITY.md](COMMUNITY.md)
 
+### Support
+
+kit is free and MIT-licensed. If it saved you setup time or caught a leak before it shipped, you can [buy me a coffee](https://buymeacoffee.com/sandstream). It funds development time and keeps kit free and open.
+
 ### Code of Conduct
 
 See [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).

package/dist/cli.js

@@ -65,8 +65,8 @@ import { cmdHooks } from "./commands/hooks.js";
 import { resolveAllAuth } from "./service-auth.js";
 import { runDoctor } from "./doctor.js";
 import { detectStack } from "./stack-detector.js";
-import { generateToml } from "./toml-generator.js";
-import { vaultMeta } from "./vault-meta.js";
+import { generateToml, parseEnvTemplateKeys } from "./toml-generator.js";
+import { vaultMeta, detectSecretStore } from "./vault-meta.js";
 import { vaultCliInstalled } from "./secret-backends.js";
 import { createPlugin } from "./create-plugin.js";
 import { cmdPlugin } from "./plugins-cli.js";
@@ -1035,10 +1035,16 @@ async function generateConfigFile(configPath, nonInteractive) {
             `${c.bold}kit secrets migrate${c.reset}${c.yellow} after.${c.reset}\n`);
     }
     // ── Secret-backend choice (interactive) ────────────────────────────────
-    let chosenStore = "1password";
+    // Respect a backend the repo is already bound to (.infisical.json / doppler.yaml);
+    // it becomes the default (and the non-interactive choice) instead of 1Password.
+    const detectedStore = await detectSecretStore(async (p) => existsSync(resolve(process.cwd(), p)));
+    let chosenStore = detectedStore ?? "1password";
+    if (detectedStore) {
+        console.log(`  ${c.green}✓${c.reset} Detected ${c.bold}${detectedStore}${c.reset} config in repo — using it as the secret backend.\n`);
+    }
     if (!nonInteractive) {
-        chosenStore = (await promptSelect("Secret backend?", [
-            { value: "1password", label: "1Password", hint: "interactive signin via op CLI", recommended: true },
+        const opts = [
+            { value: "1password", label: "1Password", hint: "interactive signin via op CLI" },
             { value: "infisical", label: "Infisical", hint: "self-hosted or cloud, token-based" },
             { value: "vault", label: "HashiCorp Vault", hint: "KV v2 paths" },
             { value: "aws-sm", label: "AWS Secrets Manager", hint: "IAM credentials required" },
@@ -1047,7 +1053,8 @@ async function generateConfigFile(configPath, nonInteractive) {
             { value: "doppler", label: "Doppler", hint: "doppler login required" },
             { value: "bitwarden", label: "Bitwarden", hint: "bw login + unlock required" },
             { value: "env", label: "env (no vault)", hint: "not recommended — use only for local dev" },
-        ]));
+        ].map((o) => ({ ...o, recommended: o.value === chosenStore }));
+        chosenStore = (await promptSelect("Secret backend?", opts));
         console.log();
     }
     // Detect a Dockerfile so generateToml can provision the trivy container/IaC
@@ -1055,7 +1062,20 @@ async function generateConfigFile(configPath, nonInteractive) {
     const hasDockerfile = existsSync(resolve(process.cwd(), "Dockerfile")) ||
         existsSync(resolve(process.cwd(), "docker-compose.yml")) ||
         existsSync(resolve(process.cwd(), "compose.yml"));
-    const tomlContent = generateToml(stack, { secretsStore: chosenStore, hasDockerfile });
+    // Seed [secrets.keys] from an existing .env example so the project's real
+    // secret contract isn't lost to just the detected services' template keys.
+    let extraSecretKeys = [];
+    for (const f of [".env.example", ".env.template", ".env.sample"]) {
+        const p = resolve(process.cwd(), f);
+        if (existsSync(p)) {
+            extraSecretKeys = parseEnvTemplateKeys(readFileSync(p, "utf-8"));
+            if (extraSecretKeys.length > 0) {
+                console.log(`  ${c.green}✓${c.reset} Seeded ${extraSecretKeys.length} key(s) from ${c.bold}${f}${c.reset}\n`);
+            }
+            break;
+        }
+    }
+    const tomlContent = generateToml(stack, { secretsStore: chosenStore, hasDockerfile, extraSecretKeys });
     // Show diff preview
     console.log(`${c.bold}Preview — .kit.toml${c.reset}\n`);
     for (const line of tomlContent.split("\n")) {