sync-cf-secrets 0.1.0

package/dist/providers/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/providers/types.ts"],"names":[],"mappings":""}

package/dist/utils.d.ts

@@ -0,0 +1,8 @@
+import { type ExecSyncOptions } from "node:child_process";
+export declare function exec(cmd: string, opts?: ExecSyncOptions): string;
+export declare function execSilent(cmd: string): string | null;
+export declare function cliExists(name: string): boolean;
+export declare function log(msg: string): void;
+export declare function warn(msg: string): void;
+export declare function error(msg: string): void;
+export declare function success(msg: string): void;

package/dist/utils.js

@@ -0,0 +1,29 @@
+import { execSync } from "node:child_process";
+export function exec(cmd, opts) {
+    const result = execSync(cmd, { encoding: "utf-8", ...opts });
+    return result.trim();
+}
+export function execSilent(cmd) {
+    try {
+        return exec(cmd, { stdio: ["pipe", "pipe", "pipe"] });
+    }
+    catch {
+        return null;
+    }
+}
+export function cliExists(name) {
+    return execSilent(`which ${name}`) !== null;
+}
+export function log(msg) {
+    console.log(msg);
+}
+export function warn(msg) {
+    console.error(`⚠ ${msg}`);
+}
+export function error(msg) {
+    console.error(`✘ ${msg}`);
+}
+export function success(msg) {
+    console.log(`✔ ${msg}`);
+}
+//# sourceMappingURL=utils.js.map

package/dist/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAwB,MAAM,oBAAoB,CAAC;AAEpE,MAAM,UAAU,IAAI,CAClB,GAAW,EACX,IAAsB;IAEtB,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;IAC7D,OAAQ,MAAiB,CAAC,IAAI,EAAE,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,UAAU,CAAC,SAAS,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,GAAW;IAC7B,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,IAAI,CAAC,GAAW;IAC9B,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,KAAK,CAAC,GAAW;IAC/B,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,GAAW;IACjC,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;AAC1B,CAAC"}

package/dist/wrangler.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Get var names defined in the wrangler config for a given environment.
+ * These are non-secret bindings that should NOT be stored in the password manager.
+ * Includes both top-level vars and environment-specific vars.
+ */
+export declare function getWranglerVars(env: string, wranglerConfig: string): Set<string>;
+/**
+ * Ensure wrangler CLI is available.
+ */
+export declare function validateWrangler(): void;
+/**
+ * Push a single secret to a Cloudflare Workers environment.
+ * Value is piped via stdin to avoid exposure in process args.
+ */
+export declare function putSecret(name: string, value: string, env: string, wranglerConfig: string): void;
+/**
+ * List secret names deployed to a Cloudflare Workers environment.
+ */
+export declare function listSecrets(env: string, wranglerConfig: string): string[];

package/dist/wrangler.js

@@ -0,0 +1,87 @@
+import { execSync } from "node:child_process";
+import { readFileSync } from "node:fs";
+import { cliExists, exec } from "./utils.js";
+/**
+ * Parse a JSONC wrangler config, stripping comments and trailing commas.
+ */
+function parseWranglerConfig(configPath) {
+    const raw = readFileSync(configPath, "utf-8");
+    const json = raw
+        .replace(/\/\*[\s\S]*?\*\//g, "")
+        .replace(/^(\s*)\/\/.*/gm, "$1")
+        .replace(/,(\s*[}\]])/g, "$1");
+    return JSON.parse(json);
+}
+/**
+ * Get var names defined in the wrangler config for a given environment.
+ * These are non-secret bindings that should NOT be stored in the password manager.
+ * Includes both top-level vars and environment-specific vars.
+ */
+export function getWranglerVars(env, wranglerConfig) {
+    const varNames = new Set();
+    try {
+        const config = parseWranglerConfig(wranglerConfig);
+        // Top-level vars
+        const topVars = config.vars;
+        if (topVars) {
+            for (const name of Object.keys(topVars)) {
+                varNames.add(name);
+            }
+        }
+        // Environment-specific vars
+        if (env !== "local") {
+            const envConfig = config.env?.[env];
+            const envVars = envConfig?.vars;
+            if (envVars) {
+                for (const name of Object.keys(envVars)) {
+                    varNames.add(name);
+                }
+            }
+        }
+    }
+    catch {
+        // If we can't parse, return empty — don't block operations
+    }
+    return varNames;
+}
+/**
+ * Ensure wrangler CLI is available.
+ */
+export function validateWrangler() {
+    if (!cliExists("wrangler") && !cliExists("npx")) {
+        throw new Error("Wrangler CLI not found.\n" +
+            "Install: npm install -g wrangler\n" +
+            "Or add as a devDependency: npm install -D wrangler");
+    }
+}
+function wranglerBin() {
+    return cliExists("wrangler") ? "wrangler" : "npx wrangler";
+}
+/**
+ * Push a single secret to a Cloudflare Workers environment.
+ * Value is piped via stdin to avoid exposure in process args.
+ */
+export function putSecret(name, value, env, wranglerConfig) {
+    const envFlag = env === "local" ? "" : ` --env ${env}`;
+    execSync(`${wranglerBin()} secret put ${name}${envFlag} --config "${wranglerConfig}"`, {
+        input: value,
+        stdio: ["pipe", "pipe", "pipe"],
+    });
+}
+/**
+ * List secret names deployed to a Cloudflare Workers environment.
+ */
+export function listSecrets(env, wranglerConfig) {
+    const envFlag = env === "local" ? "" : ` --env ${env}`;
+    try {
+        const raw = exec(`${wranglerBin()} secret list${envFlag} --config "${wranglerConfig}"`, { stdio: ["pipe", "pipe", "pipe"] });
+        // Wrangler outputs JSON array of { name, type }
+        const parsed = JSON.parse(raw);
+        return parsed.map((s) => s.name).sort();
+    }
+    catch {
+        // Older wrangler versions output plain text
+        return [];
+    }
+}
+//# sourceMappingURL=wrangler.js.map

package/dist/wrangler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wrangler.js","sourceRoot":"","sources":["../src/wrangler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAE7C;;GAEG;AACH,SAAS,mBAAmB,CAAC,UAAkB;IAC7C,MAAM,GAAG,GAAG,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC9C,MAAM,IAAI,GAAG,GAAG;SACb,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC;SAChC,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC;SAC/B,OAAO,CAAC,cAAc,EAAE,IAAI,CAAC,CAAC;IACjC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAW,EACX,cAAsB;IAEtB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IAEnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,mBAAmB,CAAC,cAAc,CAAC,CAAC;QAEnD,iBAAiB;QACjB,MAAM,OAAO,GAAG,MAAM,CAAC,IAA0C,CAAC;QAClE,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,IAAI,GAAG,KAAK,OAAO,EAAE,CAAC;YACpB,MAAM,SAAS,GAAI,MAAM,CAAC,GAA+C,EAAE,CAAC,GAAG,CAAC,CAAC;YACjF,MAAM,OAAO,GAAG,SAAS,EAAE,IAA0C,CAAC;YACtE,IAAI,OAAO,EAAE,CAAC;gBACZ,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACxC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACrB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,2DAA2D;IAC7D,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB;IAC9B,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,2BAA2B;YACzB,oCAAoC;YACpC,oDAAoD,CACvD,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,WAAW;IAClB,OAAO,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,cAAc,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CACvB,IAAY,EACZ,KAAa,EACb,GAAW,EACX,cAAsB;IAEtB,MAAM,OAAO,GAAG,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC;IACvD,QAAQ,CACN,GAAG,WAAW,EAAE,eAAe,IAAI,GAAG,OAAO,cAAc,cAAc,GAAG,EAC5E;QACE,KAAK,EAAE,KAAK;QACZ,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;KAChC,CACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CACzB,GAAW,EACX,cAAsB;IAEtB,MAAM,OAAO,GAAG,GAAG,KAAK,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,EAAE,CAAC;IACvD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CACd,GAAG,WAAW,EAAE,eAAe,OAAO,cAAc,cAAc,GAAG,EACrE,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CACpC,CAAC;QACF,gDAAgD;QAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA4B,CAAC;QAC1D,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,4CAA4C;QAC5C,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "sync-cf-secrets",
+  "version": "0.1.0",
+  "description": "Sync Cloudflare Workers secrets from 1Password or Bitwarden. Push, pull, and diff secrets across environments.",
+  "type": "module",
+  "bin": {
+    "sync-cf-secrets": "./dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "prepublishOnly": "tsc"
+  },
+  "keywords": [
+    "cloudflare",
+    "cloudflare-workers",
+    "workers",
+    "secrets",
+    "secret-management",
+    "environment-variables",
+    "env",
+    "1password",
+    "bitwarden",
+    "wrangler",
+    "password-manager",
+    "devops",
+    "cli"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/lecstor/sync-cf-secrets"
+  },
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.3.0"
+  },
+  "peerDependencies": {
+    "wrangler": ">=3.0.0"
+  },
+  "peerDependenciesMeta": {
+    "wrangler": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.2",
+    "typescript": "^5.7.0"
+  }
+}