secretless-ai 0.3.1 → 0.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/backends/env.d.ts +11 -0
- package/dist/backends/env.d.ts.map +1 -0
- package/dist/backends/env.js +26 -0
- package/dist/backends/env.js.map +1 -0
- package/dist/backends/local.d.ts +18 -0
- package/dist/backends/local.d.ts.map +1 -0
- package/dist/backends/local.js +133 -0
- package/dist/backends/local.js.map +1 -0
- package/dist/backends/types.d.ts +40 -0
- package/dist/backends/types.d.ts.map +1 -0
- package/dist/backends/types.js +3 -0
- package/dist/backends/types.js.map +1 -0
- package/dist/backends/vault.d.ts +28 -0
- package/dist/backends/vault.d.ts.map +1 -0
- package/dist/backends/vault.js +157 -0
- package/dist/backends/vault.js.map +1 -0
- package/dist/cli.d.ts +3 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +167 -9
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +3 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +9 -1
- package/dist/index.js.map +1 -1
- package/dist/init.d.ts.map +1 -1
- package/dist/init.js +44 -0
- package/dist/init.js.map +1 -1
- package/dist/patterns.d.ts +10 -0
- package/dist/patterns.d.ts.map +1 -1
- package/dist/patterns.js +93 -13
- package/dist/patterns.js.map +1 -1
- package/dist/scan.js +2 -2
- package/dist/scan.js.map +1 -1
- package/dist/status.d.ts +6 -0
- package/dist/status.d.ts.map +1 -1
- package/dist/status.js +28 -1
- package/dist/status.js.map +1 -1
- package/dist/transcript.d.ts.map +1 -1
- package/dist/transcript.js +15 -9
- package/dist/transcript.js.map +1 -1
- package/dist/verify.d.ts +7 -0
- package/dist/verify.d.ts.map +1 -1
- package/dist/verify.js +24 -3
- package/dist/verify.js.map +1 -1
- package/dist/watch.d.ts.map +1 -1
- package/dist/watch.js +84 -11
- package/dist/watch.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import type { SecretBackend, BackendHealth } from './types';
|
|
2
|
+
/**
|
|
3
|
+
* Environment variable backend — resolves secrets from process.env.
|
|
4
|
+
* The simplest backend. Zero dependencies. Always available.
|
|
5
|
+
*/
|
|
6
|
+
export declare class EnvBackend implements SecretBackend {
|
|
7
|
+
readonly name = "env";
|
|
8
|
+
resolve(path: string): Promise<Record<string, string>>;
|
|
9
|
+
healthCheck(): Promise<BackendHealth>;
|
|
10
|
+
}
|
|
11
|
+
//# sourceMappingURL=env.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/backends/env.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE5D;;;GAGG;AACH,qBAAa,UAAW,YAAW,aAAa;IAC9C,QAAQ,CAAC,IAAI,SAAS;IAEhB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAYtD,WAAW,IAAI,OAAO,CAAC,aAAa,CAAC;CAG5C"}
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.EnvBackend = void 0;
|
|
4
|
+
/**
|
|
5
|
+
* Environment variable backend — resolves secrets from process.env.
|
|
6
|
+
* The simplest backend. Zero dependencies. Always available.
|
|
7
|
+
*/
|
|
8
|
+
class EnvBackend {
|
|
9
|
+
constructor() {
|
|
10
|
+
this.name = 'env';
|
|
11
|
+
}
|
|
12
|
+
async resolve(path) {
|
|
13
|
+
// Path format: "ENV_VAR_NAME" or "prefix/ENV_VAR_NAME"
|
|
14
|
+
const varName = path.includes('/') ? path.split('/').pop() : path;
|
|
15
|
+
const value = process.env[varName];
|
|
16
|
+
if (value === undefined) {
|
|
17
|
+
return {};
|
|
18
|
+
}
|
|
19
|
+
return { [varName]: value };
|
|
20
|
+
}
|
|
21
|
+
async healthCheck() {
|
|
22
|
+
return { healthy: true, latencyMs: 0, message: 'Environment variables always available' };
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
exports.EnvBackend = EnvBackend;
|
|
26
|
+
//# sourceMappingURL=env.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/backends/env.ts"],"names":[],"mappings":";;;AAEA;;;GAGG;AACH,MAAa,UAAU;IAAvB;QACW,SAAI,GAAG,KAAK,CAAC;IAiBxB,CAAC;IAfC,KAAK,CAAC,OAAO,CAAC,IAAY;QACxB,uDAAuD;QACvD,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAC,CAAC,CAAC,IAAI,CAAC;QACnE,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEnC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,WAAW;QACf,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,wCAAwC,EAAE,CAAC;IAC5F,CAAC;CACF;AAlBD,gCAkBC"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
import type { SecretBackend, BackendHealth } from './types';
|
|
2
|
+
/**
|
|
3
|
+
* Local encrypted store backend — resolves secrets from a local AES-256-GCM encrypted file.
|
|
4
|
+
* Used for development/local setups. Zero network dependencies.
|
|
5
|
+
*/
|
|
6
|
+
export declare class LocalBackend implements SecretBackend {
|
|
7
|
+
readonly name = "local";
|
|
8
|
+
private readonly storeDir;
|
|
9
|
+
private readonly encryptionKey;
|
|
10
|
+
constructor(config?: Record<string, unknown>);
|
|
11
|
+
resolve(secretPath: string): Promise<Record<string, string>>;
|
|
12
|
+
healthCheck(): Promise<BackendHealth>;
|
|
13
|
+
/** Store a secret locally */
|
|
14
|
+
store(key: string, value: string): Promise<void>;
|
|
15
|
+
private encrypt;
|
|
16
|
+
private decrypt;
|
|
17
|
+
}
|
|
18
|
+
//# sourceMappingURL=local.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"local.d.ts","sourceRoot":"","sources":["../../src/backends/local.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAU5D;;;GAGG;AACH,qBAAa,YAAa,YAAW,aAAa;IAChD,QAAQ,CAAC,IAAI,WAAW;IACxB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;gBAE3B,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAStC,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAsB5D,WAAW,IAAI,OAAO,CAAC,aAAa,CAAC;IAW3C,6BAA6B;IACvB,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAgCtD,OAAO,CAAC,OAAO;IASf,OAAO,CAAC,OAAO;CAQhB"}
|
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
36
|
+
exports.LocalBackend = void 0;
|
|
37
|
+
const fs = __importStar(require("fs"));
|
|
38
|
+
const path = __importStar(require("path"));
|
|
39
|
+
const crypto = __importStar(require("crypto"));
|
|
40
|
+
const STORE_FILE = 'secrets.enc';
|
|
41
|
+
const META_FILE = 'secrets.meta.json';
|
|
42
|
+
/**
|
|
43
|
+
* Local encrypted store backend — resolves secrets from a local AES-256-GCM encrypted file.
|
|
44
|
+
* Used for development/local setups. Zero network dependencies.
|
|
45
|
+
*/
|
|
46
|
+
class LocalBackend {
|
|
47
|
+
constructor(config) {
|
|
48
|
+
this.name = 'local';
|
|
49
|
+
const home = process.env.HOME ?? process.env.USERPROFILE ?? '/tmp';
|
|
50
|
+
this.storeDir = config?.storeDir ?? path.join(home, '.secretless-ai', 'store');
|
|
51
|
+
// Derive key from machine-specific data (not perfect, but better than plaintext)
|
|
52
|
+
const keyMaterial = config?.key ?? `${home}-secretless-${process.env.USER ?? 'default'}`;
|
|
53
|
+
this.encryptionKey = crypto.createHash('sha256').update(keyMaterial).digest();
|
|
54
|
+
}
|
|
55
|
+
async resolve(secretPath) {
|
|
56
|
+
const storePath = path.join(this.storeDir, STORE_FILE);
|
|
57
|
+
if (!fs.existsSync(storePath))
|
|
58
|
+
return {};
|
|
59
|
+
try {
|
|
60
|
+
const encrypted = fs.readFileSync(storePath);
|
|
61
|
+
const decrypted = this.decrypt(encrypted);
|
|
62
|
+
const store = JSON.parse(decrypted);
|
|
63
|
+
// Path can be a key name or a glob pattern
|
|
64
|
+
const results = {};
|
|
65
|
+
for (const [key, value] of Object.entries(store)) {
|
|
66
|
+
if (key === secretPath || key.startsWith(secretPath + '/')) {
|
|
67
|
+
results[key] = value;
|
|
68
|
+
}
|
|
69
|
+
}
|
|
70
|
+
return results;
|
|
71
|
+
}
|
|
72
|
+
catch {
|
|
73
|
+
return {};
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
async healthCheck() {
|
|
77
|
+
const start = Date.now();
|
|
78
|
+
const storePath = path.join(this.storeDir, STORE_FILE);
|
|
79
|
+
const exists = fs.existsSync(storePath);
|
|
80
|
+
return {
|
|
81
|
+
healthy: exists,
|
|
82
|
+
latencyMs: Date.now() - start,
|
|
83
|
+
message: exists ? 'Local store available' : 'No local store found',
|
|
84
|
+
};
|
|
85
|
+
}
|
|
86
|
+
/** Store a secret locally */
|
|
87
|
+
async store(key, value) {
|
|
88
|
+
fs.mkdirSync(this.storeDir, { recursive: true, mode: 0o700 });
|
|
89
|
+
const storePath = path.join(this.storeDir, STORE_FILE);
|
|
90
|
+
let store = {};
|
|
91
|
+
if (fs.existsSync(storePath)) {
|
|
92
|
+
try {
|
|
93
|
+
const encrypted = fs.readFileSync(storePath);
|
|
94
|
+
store = JSON.parse(this.decrypt(encrypted));
|
|
95
|
+
}
|
|
96
|
+
catch {
|
|
97
|
+
// Corrupted store — start fresh
|
|
98
|
+
}
|
|
99
|
+
}
|
|
100
|
+
store[key] = value;
|
|
101
|
+
const encrypted = this.encrypt(JSON.stringify(store));
|
|
102
|
+
fs.writeFileSync(storePath, encrypted, { mode: 0o600 });
|
|
103
|
+
// Update metadata
|
|
104
|
+
const metaPath = path.join(this.storeDir, META_FILE);
|
|
105
|
+
let meta = { version: '1', entries: {} };
|
|
106
|
+
try {
|
|
107
|
+
if (fs.existsSync(metaPath)) {
|
|
108
|
+
meta = JSON.parse(fs.readFileSync(metaPath, 'utf-8'));
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
catch { /* ignore */ }
|
|
112
|
+
meta.entries[key] = { createdAt: new Date().toISOString() };
|
|
113
|
+
fs.writeFileSync(metaPath, JSON.stringify(meta, null, 2), { mode: 0o600 });
|
|
114
|
+
}
|
|
115
|
+
encrypt(plaintext) {
|
|
116
|
+
const iv = crypto.randomBytes(16);
|
|
117
|
+
const cipher = crypto.createCipheriv('aes-256-gcm', this.encryptionKey, iv);
|
|
118
|
+
const encrypted = Buffer.concat([cipher.update(plaintext, 'utf-8'), cipher.final()]);
|
|
119
|
+
const tag = cipher.getAuthTag();
|
|
120
|
+
// Format: [iv(16)][tag(16)][ciphertext]
|
|
121
|
+
return Buffer.concat([iv, tag, encrypted]);
|
|
122
|
+
}
|
|
123
|
+
decrypt(data) {
|
|
124
|
+
const iv = data.subarray(0, 16);
|
|
125
|
+
const tag = data.subarray(16, 32);
|
|
126
|
+
const ciphertext = data.subarray(32);
|
|
127
|
+
const decipher = crypto.createDecipheriv('aes-256-gcm', this.encryptionKey, iv);
|
|
128
|
+
decipher.setAuthTag(tag);
|
|
129
|
+
return decipher.update(ciphertext) + decipher.final('utf-8');
|
|
130
|
+
}
|
|
131
|
+
}
|
|
132
|
+
exports.LocalBackend = LocalBackend;
|
|
133
|
+
//# sourceMappingURL=local.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"local.js","sourceRoot":"","sources":["../../src/backends/local.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAC7B,+CAAiC;AAGjC,MAAM,UAAU,GAAG,aAAa,CAAC;AACjC,MAAM,SAAS,GAAG,mBAAmB,CAAC;AAOtC;;;GAGG;AACH,MAAa,YAAY;IAKvB,YAAY,MAAgC;QAJnC,SAAI,GAAG,OAAO,CAAC;QAKtB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,MAAM,CAAC;QACnE,IAAI,CAAC,QAAQ,GAAI,MAAM,EAAE,QAAmB,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,gBAAgB,EAAE,OAAO,CAAC,CAAC;QAE3F,iFAAiF;QACjF,MAAM,WAAW,GAAI,MAAM,EAAE,GAAc,IAAI,GAAG,IAAI,eAAe,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,EAAE,CAAC;QACrG,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,EAAE,CAAC;IAChF,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,OAAO,EAAE,CAAC;QAEzC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAC7C,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAC1C,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAEpC,2CAA2C;YAC3C,MAAM,OAAO,GAA2B,EAAE,CAAC;YAC3C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjD,IAAI,GAAG,KAAK,UAAU,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,EAAE,CAAC;oBAC3D,OAAO,CAAC,GAAG,CAAC,GAAG,KAAe,CAAC;gBACjC,CAAC;YACH,CAAC;YACD,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;QACxC,OAAO;YACL,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;YAC7B,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,sBAAsB;SACnE,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,KAAa;QACpC,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAE9D,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACvD,IAAI,KAAK,GAA2B,EAAE,CAAC;QAEvC,IAAI,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;gBAC7C,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACnB,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;QACtD,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAExD,kBAAkB;QAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;QACrD,IAAI,IAAI,GAAc,EAAE,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACpD,IAAI,CAAC;YACH,IAAI,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC5B,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC;QAExB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;QAC5D,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC7E,CAAC;IAEO,OAAO,CAAC,SAAiB;QAC/B,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;QAClC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAC5E,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACrF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAChC,wCAAwC;QACxC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC;IAC7C,CAAC;IAEO,OAAO,CAAC,IAAY;QAC1B,MAAM,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAClC,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,EAAE,CAAC,CAAC;QAChF,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/D,CAAC;CACF;AAjGD,oCAiGC"}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Pluggable secret backend interface.
|
|
3
|
+
* Each backend resolves secrets from a different source.
|
|
4
|
+
* Zero mandatory deps — backend SDKs are optional peer dependencies.
|
|
5
|
+
*/
|
|
6
|
+
export interface SecretBackend {
|
|
7
|
+
/** Backend name (e.g., "vault", "aws-sm", "env") */
|
|
8
|
+
readonly name: string;
|
|
9
|
+
/** Resolve one or more secrets by path/name. Returns key-value pairs. */
|
|
10
|
+
resolve(path: string): Promise<Record<string, string>>;
|
|
11
|
+
/** Check if the backend is available and authenticated */
|
|
12
|
+
healthCheck(): Promise<BackendHealth>;
|
|
13
|
+
}
|
|
14
|
+
export interface BackendHealth {
|
|
15
|
+
healthy: boolean;
|
|
16
|
+
latencyMs: number;
|
|
17
|
+
message?: string;
|
|
18
|
+
}
|
|
19
|
+
/** Backend configuration from secretless config file */
|
|
20
|
+
export interface BackendConfig {
|
|
21
|
+
/** Backend type */
|
|
22
|
+
type: BackendType;
|
|
23
|
+
/** Backend-specific config */
|
|
24
|
+
config?: Record<string, unknown>;
|
|
25
|
+
/** Priority (lower = preferred, default: 100) */
|
|
26
|
+
priority?: number;
|
|
27
|
+
/** Path prefix this backend handles (e.g., "vault/", "aws/") */
|
|
28
|
+
prefix?: string;
|
|
29
|
+
}
|
|
30
|
+
export type BackendType = 'env' | 'local' | 'vault' | 'aws-sm' | '1password';
|
|
31
|
+
/** Access audit entry */
|
|
32
|
+
export interface AccessAuditEntry {
|
|
33
|
+
timestamp: string;
|
|
34
|
+
backend: string;
|
|
35
|
+
path: string;
|
|
36
|
+
action: 'resolve' | 'healthCheck' | 'migrate';
|
|
37
|
+
success: boolean;
|
|
38
|
+
latencyMs: number;
|
|
39
|
+
}
|
|
40
|
+
//# sourceMappingURL=types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/backends/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B,oDAAoD;IACpD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,yEAAyE;IACzE,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAEvD,0DAA0D;IAC1D,WAAW,IAAI,OAAO,CAAC,aAAa,CAAC,CAAC;CACvC;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,wDAAwD;AACxD,MAAM,WAAW,aAAa;IAC5B,mBAAmB;IACnB,IAAI,EAAE,WAAW,CAAC;IAClB,8BAA8B;IAC9B,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,iDAAiD;IACjD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,OAAO,GAAG,OAAO,GAAG,QAAQ,GAAG,WAAW,CAAC;AAE7E,yBAAyB;AACzB,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,SAAS,GAAG,aAAa,GAAG,SAAS,CAAC;IAC9C,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/backends/types.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import type { SecretBackend, BackendHealth } from './types';
|
|
2
|
+
/**
|
|
3
|
+
* HashiCorp Vault / OpenBao backend — AppRole auth, KV v2.
|
|
4
|
+
* Zero mandatory dependencies. Uses raw HTTP.
|
|
5
|
+
*
|
|
6
|
+
* Config:
|
|
7
|
+
* addr: Vault address (default: VAULT_ADDR env or http://127.0.0.1:8200)
|
|
8
|
+
* token: Vault token (default: VAULT_TOKEN env)
|
|
9
|
+
* roleId: AppRole role ID (alternative to token)
|
|
10
|
+
* secretId: AppRole secret ID
|
|
11
|
+
* namespace: Vault namespace (enterprise)
|
|
12
|
+
* mountPath: KV v2 mount path (default: "secret")
|
|
13
|
+
*/
|
|
14
|
+
export declare class VaultBackend implements SecretBackend {
|
|
15
|
+
readonly name = "vault";
|
|
16
|
+
private readonly addr;
|
|
17
|
+
private readonly mountPath;
|
|
18
|
+
private readonly namespace;
|
|
19
|
+
private token;
|
|
20
|
+
private readonly roleId?;
|
|
21
|
+
private readonly secretId?;
|
|
22
|
+
constructor(config?: Record<string, unknown>);
|
|
23
|
+
resolve(secretPath: string): Promise<Record<string, string>>;
|
|
24
|
+
healthCheck(): Promise<BackendHealth>;
|
|
25
|
+
private ensureAuthenticated;
|
|
26
|
+
private request;
|
|
27
|
+
}
|
|
28
|
+
//# sourceMappingURL=vault.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../../src/backends/vault.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE5D;;;;;;;;;;;GAWG;AACH,qBAAa,YAAa,YAAW,aAAa;IAChD,QAAQ,CAAC,IAAI,WAAW;IACxB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAS;IAC9B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,KAAK,CAAS;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAS;gBAEvB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAStC,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAwB5D,WAAW,IAAI,OAAO,CAAC,aAAa,CAAC;YAmB7B,mBAAmB;IAejC,OAAO,CAAC,OAAO;CAyChB"}
|
|
@@ -0,0 +1,157 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
36
|
+
exports.VaultBackend = void 0;
|
|
37
|
+
const https = __importStar(require("https"));
|
|
38
|
+
const http = __importStar(require("http"));
|
|
39
|
+
/**
|
|
40
|
+
* HashiCorp Vault / OpenBao backend — AppRole auth, KV v2.
|
|
41
|
+
* Zero mandatory dependencies. Uses raw HTTP.
|
|
42
|
+
*
|
|
43
|
+
* Config:
|
|
44
|
+
* addr: Vault address (default: VAULT_ADDR env or http://127.0.0.1:8200)
|
|
45
|
+
* token: Vault token (default: VAULT_TOKEN env)
|
|
46
|
+
* roleId: AppRole role ID (alternative to token)
|
|
47
|
+
* secretId: AppRole secret ID
|
|
48
|
+
* namespace: Vault namespace (enterprise)
|
|
49
|
+
* mountPath: KV v2 mount path (default: "secret")
|
|
50
|
+
*/
|
|
51
|
+
class VaultBackend {
|
|
52
|
+
constructor(config) {
|
|
53
|
+
this.name = 'vault';
|
|
54
|
+
this.addr = config?.addr ?? process.env.VAULT_ADDR ?? 'http://127.0.0.1:8200';
|
|
55
|
+
this.token = config?.token ?? process.env.VAULT_TOKEN ?? '';
|
|
56
|
+
this.mountPath = config?.mountPath ?? 'secret';
|
|
57
|
+
this.namespace = config?.namespace ?? process.env.VAULT_NAMESPACE ?? '';
|
|
58
|
+
this.roleId = config?.roleId;
|
|
59
|
+
this.secretId = config?.secretId;
|
|
60
|
+
}
|
|
61
|
+
async resolve(secretPath) {
|
|
62
|
+
await this.ensureAuthenticated();
|
|
63
|
+
// KV v2 read: GET /v1/{mount}/data/{path}
|
|
64
|
+
const apiPath = `/v1/${this.mountPath}/data/${secretPath}`;
|
|
65
|
+
try {
|
|
66
|
+
const response = await this.request('GET', apiPath);
|
|
67
|
+
const data = JSON.parse(response);
|
|
68
|
+
if (data?.data?.data) {
|
|
69
|
+
// KV v2 wraps data in data.data
|
|
70
|
+
const result = {};
|
|
71
|
+
for (const [key, value] of Object.entries(data.data.data)) {
|
|
72
|
+
result[key] = String(value);
|
|
73
|
+
}
|
|
74
|
+
return result;
|
|
75
|
+
}
|
|
76
|
+
return {};
|
|
77
|
+
}
|
|
78
|
+
catch {
|
|
79
|
+
return {};
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
async healthCheck() {
|
|
83
|
+
const start = Date.now();
|
|
84
|
+
try {
|
|
85
|
+
const response = await this.request('GET', '/v1/sys/health');
|
|
86
|
+
const data = JSON.parse(response);
|
|
87
|
+
return {
|
|
88
|
+
healthy: data.sealed === false,
|
|
89
|
+
latencyMs: Date.now() - start,
|
|
90
|
+
message: data.sealed ? 'Vault is sealed' : `Vault ${data.version} (${data.cluster_name ?? 'standalone'})`,
|
|
91
|
+
};
|
|
92
|
+
}
|
|
93
|
+
catch (err) {
|
|
94
|
+
return {
|
|
95
|
+
healthy: false,
|
|
96
|
+
latencyMs: Date.now() - start,
|
|
97
|
+
message: `Cannot reach Vault at ${this.addr}: ${err instanceof Error ? err.message : String(err)}`,
|
|
98
|
+
};
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
async ensureAuthenticated() {
|
|
102
|
+
if (this.token)
|
|
103
|
+
return;
|
|
104
|
+
// Try AppRole auth
|
|
105
|
+
if (this.roleId && this.secretId) {
|
|
106
|
+
const body = JSON.stringify({ role_id: this.roleId, secret_id: this.secretId });
|
|
107
|
+
const response = await this.request('POST', '/v1/auth/approle/login', body);
|
|
108
|
+
const data = JSON.parse(response);
|
|
109
|
+
this.token = data?.auth?.client_token ?? '';
|
|
110
|
+
return;
|
|
111
|
+
}
|
|
112
|
+
throw new Error('No Vault authentication configured. Set VAULT_TOKEN or provide roleId/secretId.');
|
|
113
|
+
}
|
|
114
|
+
request(method, apiPath, body) {
|
|
115
|
+
return new Promise((resolve, reject) => {
|
|
116
|
+
const url = new URL(apiPath, this.addr);
|
|
117
|
+
const isHttps = url.protocol === 'https:';
|
|
118
|
+
const mod = isHttps ? https : http;
|
|
119
|
+
const headers = {};
|
|
120
|
+
if (this.token)
|
|
121
|
+
headers['X-Vault-Token'] = this.token;
|
|
122
|
+
if (this.namespace)
|
|
123
|
+
headers['X-Vault-Namespace'] = this.namespace;
|
|
124
|
+
if (body) {
|
|
125
|
+
headers['Content-Type'] = 'application/json';
|
|
126
|
+
headers['Content-Length'] = String(Buffer.byteLength(body));
|
|
127
|
+
}
|
|
128
|
+
const options = {
|
|
129
|
+
hostname: url.hostname,
|
|
130
|
+
port: url.port || (isHttps ? 443 : 8200),
|
|
131
|
+
path: url.pathname,
|
|
132
|
+
method,
|
|
133
|
+
headers,
|
|
134
|
+
timeout: 10000,
|
|
135
|
+
};
|
|
136
|
+
const req = mod.request(options, (res) => {
|
|
137
|
+
let data = '';
|
|
138
|
+
res.on('data', (chunk) => { data += chunk; });
|
|
139
|
+
res.on('end', () => {
|
|
140
|
+
if (res.statusCode && res.statusCode >= 400) {
|
|
141
|
+
reject(new Error(`Vault ${res.statusCode}: ${data.slice(0, 200)}`));
|
|
142
|
+
}
|
|
143
|
+
else {
|
|
144
|
+
resolve(data);
|
|
145
|
+
}
|
|
146
|
+
});
|
|
147
|
+
});
|
|
148
|
+
req.on('error', reject);
|
|
149
|
+
req.on('timeout', () => { req.destroy(); reject(new Error('Vault request timeout')); });
|
|
150
|
+
if (body)
|
|
151
|
+
req.write(body);
|
|
152
|
+
req.end();
|
|
153
|
+
});
|
|
154
|
+
}
|
|
155
|
+
}
|
|
156
|
+
exports.VaultBackend = VaultBackend;
|
|
157
|
+
//# sourceMappingURL=vault.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../src/backends/vault.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,6CAA+B;AAC/B,2CAA6B;AAG7B;;;;;;;;;;;GAWG;AACH,MAAa,YAAY;IASvB,YAAY,MAAgC;QARnC,SAAI,GAAG,OAAO,CAAC;QAStB,IAAI,CAAC,IAAI,GAAI,MAAM,EAAE,IAAe,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,uBAAuB,CAAC;QAC1F,IAAI,CAAC,KAAK,GAAI,MAAM,EAAE,KAAgB,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,EAAE,CAAC;QACxE,IAAI,CAAC,SAAS,GAAI,MAAM,EAAE,SAAoB,IAAI,QAAQ,CAAC;QAC3D,IAAI,CAAC,SAAS,GAAI,MAAM,EAAE,SAAoB,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,EAAE,CAAC;QACpF,IAAI,CAAC,MAAM,GAAG,MAAM,EAAE,MAAgB,CAAC;QACvC,IAAI,CAAC,QAAQ,GAAG,MAAM,EAAE,QAAkB,CAAC;IAC7C,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,UAAkB;QAC9B,MAAM,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAEjC,0CAA0C;QAC1C,MAAM,OAAO,GAAG,OAAO,IAAI,CAAC,SAAS,SAAS,UAAU,EAAE,CAAC;QAE3D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACpD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAElC,IAAI,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;gBACrB,gCAAgC;gBAChC,MAAM,MAAM,GAA2B,EAAE,CAAC;gBAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1D,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;gBAC9B,CAAC;gBACD,OAAO,MAAM,CAAC;YAChB,CAAC;YACD,OAAO,EAAE,CAAC;QACZ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;YAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAClC,OAAO;gBACL,OAAO,EAAE,IAAI,CAAC,MAAM,KAAK,KAAK;gBAC9B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;gBAC7B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC,YAAY,IAAI,YAAY,GAAG;aAC1G,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;gBAC7B,OAAO,EAAE,yBAAyB,IAAI,CAAC,IAAI,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;aACnG,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,mBAAmB;QAC/B,IAAI,IAAI,CAAC,KAAK;YAAE,OAAO;QAEvB,mBAAmB;QACnB,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAChF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,wBAAwB,EAAE,IAAI,CAAC,CAAC;YAC5E,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAClC,IAAI,CAAC,KAAK,GAAG,IAAI,EAAE,IAAI,EAAE,YAAY,IAAI,EAAE,CAAC;YAC5C,OAAO;QACT,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,iFAAiF,CAAC,CAAC;IACrG,CAAC;IAEO,OAAO,CAAC,MAAc,EAAE,OAAe,EAAE,IAAa;QAC5D,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;YACrC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,OAAO,GAAG,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAC;YAC1C,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;YAEnC,MAAM,OAAO,GAA2B,EAAE,CAAC;YAC3C,IAAI,IAAI,CAAC,KAAK;gBAAE,OAAO,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC;YACtD,IAAI,IAAI,CAAC,SAAS;gBAAE,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC;YAClE,IAAI,IAAI,EAAE,CAAC;gBACT,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;gBAC7C,OAAO,CAAC,gBAAgB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,OAAO,GAAG;gBACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;gBACxC,IAAI,EAAE,GAAG,CAAC,QAAQ;gBAClB,MAAM;gBACN,OAAO;gBACP,OAAO,EAAE,KAAK;aACf,CAAC;YAEF,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACvC,IAAI,IAAI,GAAG,EAAE,CAAC;gBACd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE,EAAE,GAAG,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC9C,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,CAAC,UAAU,IAAI,GAAG,EAAE,CAAC;wBAC5C,MAAM,CAAC,IAAI,KAAK,CAAC,SAAS,GAAG,CAAC,UAAU,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;oBACtE,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,IAAI,CAAC,CAAC;oBAChB,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACxB,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YACxF,IAAI,IAAI;gBAAE,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAC1B,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AArHD,oCAqHC"}
|
package/dist/cli.d.ts
CHANGED
|
@@ -6,6 +6,9 @@
|
|
|
6
6
|
* npx secretless-ai init — Set up protections for detected AI tools
|
|
7
7
|
* npx secretless-ai scan — Scan for hardcoded secrets
|
|
8
8
|
* npx secretless-ai status — Show current protection status
|
|
9
|
+
* npx secretless-ai verify — Verify keys are usable but hidden from AI
|
|
10
|
+
* npx secretless-ai clean — Scan and redact credentials in transcripts
|
|
11
|
+
* npx secretless-ai watch — Monitor transcripts in real-time
|
|
9
12
|
*/
|
|
10
13
|
export {};
|
|
11
14
|
//# sourceMappingURL=cli.d.ts.map
|
package/dist/cli.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA;;;;;;;;;;GAUG"}
|