varlock 0.5.0 → 0.6.1

package/dist/{env-graph-BhsVU8Ff.d.ts → env-graph-Cz_c5P6Y.d.ts}

@@ -101,7 +101,7 @@ type EnvGraphDataTypeDef<CoerceReturnType, ValidateInputType = FallbackIfUnknown
      * - if validation passes, should return true
      * - if validation fails, should return a ValidationError or array of errors - or throw an error
      * */
-    validate: (value: ValidateInputType) => MaybePromise<(true | undefined | void | Error | Array<Error>)>;
+    validate?: (value: ValidateInputType) => MaybePromise<(true | undefined | void | Error | Array<Error>)>;
     /** will make items of this type sensitive, unless overridden specifically on that item */
     sensitive?: boolean;
     /** adds docs info for these  */
@@ -527,6 +527,7 @@ declare class VarlockPlugin {
     get icon(): string;
     set icon(val: string);
     loadingError?: Error;
+    warnings: Array<SchemaError>;
     readonly localPath?: string;
     /** reference to the `@plugin()` decorator instance(s) that installed the plugin  */
     installDecoratorInstances: Array<DecoratorInstance>;
@@ -551,6 +552,26 @@ declare class VarlockPlugin {
     registerItemDecorator<T>(decoratorDef: ItemDecoratorDef<T>): void;
     readonly resolverFunctions?: Array<ResolverDef<any>>;
     registerResolverFunction<T>(resolverDef: ResolverDef<T>): void;
+    /**
+     * Declare standard env vars this plugin uses.
+     * Set during plugin init — the loading infrastructure will automatically
+     * check for these vars and generate warnings if they are detected but not wired up.
+     *
+     * `key` accepts a single env var name or an array of alternatives — the first match is used.
+     * `dataType` is used to generate `# @type=...` schema lines for vars not in the schema.
+     */
+    standardVars?: {
+        initDecorator: string;
+        params: Record<string, {
+            key: string | Array<string>;
+            dataType?: string;
+        }>;
+    };
+    /** called by the loading infrastructure — checks declared standardVars against the graph */
+    _checkStandardVars(graph: {
+        overrideValues: Record<string, string | undefined>;
+        configSchema: Record<string, any>;
+    }): void;
     get pluginFilePath(): string;
     executePluginModule(): Promise<void>;
 }

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { E as EnvGraph, a as DotEnvFileDataSource, C as ConfigLoadError, b as SchemaError, d as ValidationError, e as CoercionError, f as ResolutionError } from './env-graph-BhsVU8Ff.js';
-export { D as Debugger, S as SerializedEnvGraph, c as createDebug } from './env-graph-BhsVU8Ff.js';
+import { E as EnvGraph, a as DotEnvFileDataSource, C as ConfigLoadError, b as SchemaError, d as ValidationError, e as CoercionError, f as ResolutionError } from './env-graph-Cz_c5P6Y.js';
+export { D as Debugger, S as SerializedEnvGraph, c as createDebug } from './env-graph-Cz_c5P6Y.js';
 import { initVarlockEnv } from './runtime/env.js';
 export { ENV } from './runtime/env.js';
 export { patchGlobalConsole } from './runtime/patch-console.js';

package/dist/index.js

@@ -1,15 +1,15 @@
-export { patchGlobalResponse } from './chunk-QQDWRXNU.js';
-export { patchGlobalServerResponse } from './chunk-ZXJ4CEDK.js';
-import { checkBunVersion } from './chunk-RTP55TZC.js';
-import { checkForConfigErrors } from './chunk-PESGXOZ7.js';
-import { loadVarlockEnvGraph } from './chunk-4SXLKBVL.js';
-import { loadEnvGraph } from './chunk-2VSWBSVA.js';
-import { ResolutionError, CoercionError, ValidationError, SchemaError, ConfigLoadError, DotEnvFileDataSource, EnvGraph } from './chunk-FR2ITGSD.js';
+export { patchGlobalServerResponse } from './chunk-MYHVSJ3X.js';
+import { checkBunVersion } from './chunk-KKNNZWYD.js';
+import { checkForConfigErrors } from './chunk-FYZ7LKLX.js';
+import { loadVarlockEnvGraph } from './chunk-EXG5VPNZ.js';
+import { loadEnvGraph } from './chunk-J7PA7B2U.js';
+import { ResolutionError, CoercionError, ValidationError, SchemaError, ConfigLoadError, DotEnvFileDataSource, EnvGraph } from './chunk-2AGKN64R.js';
 export { createDebug } from './chunk-QZ6HBRJC.js';
-export { patchGlobalConsole } from './chunk-TYIS6T2T.js';
-import { initVarlockEnv } from './chunk-WAMBVZL2.js';
-export { ENV } from './chunk-WAMBVZL2.js';
-import './chunk-MIBOBKI4.js';
+export { patchGlobalConsole } from './chunk-BC7LU4LG.js';
+export { patchGlobalResponse } from './chunk-LVZSZAKN.js';
+import { initVarlockEnv } from './chunk-IMB5QAZS.js';
+export { ENV } from './chunk-IMB5QAZS.js';
+import './chunk-XLYSNOR3.js';
 import { __name } from './chunk-6PEHRAEP.js';
 
 // src/index.ts

package/dist/init.command-AV4EWYIT.js

@@ -0,0 +1,12 @@
+export { commandFn, commandSpec } from './chunk-3J7BFRB4.js';
+import './chunk-Y3ITSQA4.js';
+import './chunk-TLEEAUD7.js';
+import './chunk-NPPZVF24.js';
+import './chunk-4A54P4EM.js';
+import './chunk-J7PA7B2U.js';
+import './chunk-2AGKN64R.js';
+import './chunk-QZ6HBRJC.js';
+import './chunk-XLYSNOR3.js';
+import './chunk-6PEHRAEP.js';
+//# sourceMappingURL=init.command-AV4EWYIT.js.map
+//# sourceMappingURL=init.command-AV4EWYIT.js.map

package/dist/{init.command-RB2RCZ55.js.map → init.command-AV4EWYIT.js.map}

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"init.command-RB2RCZ55.js"}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"init.command-AV4EWYIT.js"}

package/dist/load.command-5JQUW3H7.js

@@ -0,0 +1,11 @@
+export { commandFn, commandSpec } from './chunk-PMBDCWD5.js';
+import './chunk-4A54P4EM.js';
+import './chunk-FYZ7LKLX.js';
+import './chunk-EXG5VPNZ.js';
+import './chunk-J7PA7B2U.js';
+import './chunk-2AGKN64R.js';
+import './chunk-QZ6HBRJC.js';
+import './chunk-XLYSNOR3.js';
+import './chunk-6PEHRAEP.js';
+//# sourceMappingURL=load.command-5JQUW3H7.js.map
+//# sourceMappingURL=load.command-5JQUW3H7.js.map

package/dist/{load.command-JQTHKY6V.js.map → load.command-5JQUW3H7.js.map}

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"load.command-JQTHKY6V.js"}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"load.command-5JQUW3H7.js"}

package/dist/plugin-lib.d.ts

@@ -1,5 +1,5 @@
-import { V as VarlockPlugin } from './env-graph-BhsVU8Ff.js';
-export { D as Debugger, R as Resolver, c as createDebug } from './env-graph-BhsVU8Ff.js';
+import { V as VarlockPlugin } from './env-graph-Cz_c5P6Y.js';
+export { D as Debugger, R as Resolver, c as createDebug } from './env-graph-Cz_c5P6Y.js';
 import '@env-spec/parser';
 import '@env-spec/utils/type-utils';
 

package/dist/printenv.command-SBB6GVC2.js

@@ -0,0 +1,12 @@
+export { commandFn, commandSpec } from './chunk-JCJISIY6.js';
+import './chunk-NPPZVF24.js';
+import './chunk-4A54P4EM.js';
+import './chunk-FYZ7LKLX.js';
+import './chunk-EXG5VPNZ.js';
+import './chunk-J7PA7B2U.js';
+import './chunk-2AGKN64R.js';
+import './chunk-QZ6HBRJC.js';
+import './chunk-XLYSNOR3.js';
+import './chunk-6PEHRAEP.js';
+//# sourceMappingURL=printenv.command-SBB6GVC2.js.map
+//# sourceMappingURL=printenv.command-SBB6GVC2.js.map

package/dist/{printenv.command-OVRM4WEM.js.map → printenv.command-SBB6GVC2.js.map}

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"printenv.command-OVRM4WEM.js"}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"printenv.command-SBB6GVC2.js"}

package/dist/run.command-HTGTG6ER.js

@@ -0,0 +1,12 @@
+export { commandFn, commandSpec } from './chunk-ZLAUDWOL.js';
+import './chunk-4A54P4EM.js';
+import './chunk-FYZ7LKLX.js';
+import './chunk-EXG5VPNZ.js';
+import './chunk-J7PA7B2U.js';
+import './chunk-2AGKN64R.js';
+import './chunk-QZ6HBRJC.js';
+import './chunk-IMB5QAZS.js';
+import './chunk-XLYSNOR3.js';
+import './chunk-6PEHRAEP.js';
+//# sourceMappingURL=run.command-HTGTG6ER.js.map
+//# sourceMappingURL=run.command-HTGTG6ER.js.map

package/dist/{run.command-NOA2YFUR.js.map → run.command-HTGTG6ER.js.map}

@@ -1 +1 @@
-{"version":3,"sources":[],"names":[],"mappings":"","file":"run.command-NOA2YFUR.js"}
+{"version":3,"sources":[],"names":[],"mappings":"","file":"run.command-HTGTG6ER.js"}

package/dist/runtime/env.d.ts

@@ -1,8 +1,13 @@
-import { S as SerializedEnvGraph } from '../env-graph-BhsVU8Ff.js';
+import { S as SerializedEnvGraph } from '../env-graph-Cz_c5P6Y.js';
 import '@env-spec/parser';
 import '@env-spec/utils/type-utils';
 
 declare function resetRedactionMap(graph: SerializedEnvGraph): void;
+/** Returns diagnostic info about the current redaction state (safe to expose — no secrets) */
+declare function getRedactionMapInfo(): {
+    sensitiveItemCount: number;
+    hasRedactorRegex: boolean;
+};
 /**
  * Redacts senstive config values from any string/array/object/etc
  *
@@ -26,4 +31,4 @@ interface TypedEnvSchema {
 }
 declare const ENV: TypedEnvSchema;
 
-export { ENV, type TypedEnvSchema, initVarlockEnv, redactSensitiveConfig, resetRedactionMap, revealSensitiveConfig, scanForLeaks, varlockSettings };
+export { ENV, type TypedEnvSchema, getRedactionMapInfo, initVarlockEnv, redactSensitiveConfig, resetRedactionMap, revealSensitiveConfig, scanForLeaks, varlockSettings };

package/dist/runtime/env.js

@@ -1,5 +1,5 @@
-export { ENV, initVarlockEnv, redactSensitiveConfig, resetRedactionMap, revealSensitiveConfig, scanForLeaks, varlockSettings } from '../chunk-WAMBVZL2.js';
-import '../chunk-MIBOBKI4.js';
+export { ENV, getRedactionMapInfo, initVarlockEnv, redactSensitiveConfig, resetRedactionMap, revealSensitiveConfig, scanForLeaks, varlockSettings } from '../chunk-IMB5QAZS.js';
+import '../chunk-XLYSNOR3.js';
 import '../chunk-6PEHRAEP.js';
 //# sourceMappingURL=env.js.map
 //# sourceMappingURL=env.js.map

package/dist/runtime/init-edge.cjs

@@ -0,0 +1,297 @@
+'use strict';
+
+// src/runtime/lib/redaction.ts
+function redactString(valStr, modeOrOpts, hideLength = true) {
+  if (!valStr) return valStr;
+  let mode;
+  {
+    mode = modeOrOpts;
+  }
+  const hiddenLength = hideLength ? 5 : valStr.length - 2;
+  const hiddenStr = "\u2592".repeat(hiddenLength);
+  if (mode === "show_last_2") {
+    return `${hiddenStr}${valStr.substring(valStr.length - 2, valStr.length)}`;
+  } else if (mode === "show_first_last") {
+    return `${valStr.substring(0, 1)}${hiddenStr}${valStr.substring(valStr.length - 1, valStr.length)}`;
+  } else {
+    return `${valStr.substring(0, 2)}${hiddenStr}`;
+  }
+}
+
+// src/lib/detect-runtime.ts
+var versionsStr = "versions";
+var processVersions = typeof process !== "undefined" && process[versionsStr];
+processVersions && processVersions.node != null;
+typeof window !== "undefined" && window.name === "nodejs" || typeof navigator !== "undefined" && "userAgent" in navigator && typeof navigator.userAgent === "string" && (navigator.userAgent.includes("Node.js") || navigator.userAgent.includes("jsdom"));
+typeof Deno !== "undefined" && typeof Deno.version !== "undefined" && typeof Deno.version.deno !== "undefined";
+processVersions && processVersions.bun != null;
+var isBrowser = typeof window !== "undefined" && typeof window.document !== "undefined" && typeof window.document.createElement === "function" && typeof navigator !== "undefined" && typeof navigator.userAgent === "string";
+
+// src/runtime/lib/debug.ts
+function debug(...args) {
+  if (!globalThis.process?.env.DEBUG_VARLOCK) return;
+  console.log(...args);
+}
+
+// src/runtime/env.ts
+function isString(s) {
+  return Object.prototype.toString.call(s) === "[object String]";
+}
+var UNMASK_STR = "\u{1F441}";
+var REDACTION_STATE_KEY = "__varlockRedactionState";
+function getRedactionState() {
+  if (!globalThis[REDACTION_STATE_KEY]) {
+    globalThis[REDACTION_STATE_KEY] = {
+      sensitiveSecretsMap: {},
+      redactorFindReplace: void 0
+    };
+  }
+  return globalThis[REDACTION_STATE_KEY];
+}
+function resetRedactionMap(graph) {
+  const state = getRedactionState();
+  state.sensitiveSecretsMap = {};
+  for (const itemKey in graph.config) {
+    const item = graph.config[itemKey];
+    if (item.isSensitive && item.value && isString(item.value)) {
+      const redacted = redactString(item.value);
+      if (redacted) state.sensitiveSecretsMap[item.value] = { key: itemKey, redacted };
+    }
+  }
+  if (!Object.keys(state.sensitiveSecretsMap).length) {
+    state.redactorFindReplace = void 0;
+    return;
+  }
+  const findRegex = new RegExp(
+    [
+      `(${UNMASK_STR} )?`,
+      "(",
+      Object.keys(state.sensitiveSecretsMap).map((s) => s.replace(/[()[\]{}*+?^$|#.,/\\\s-]/g, "\\$&")).sort((a, b) => b.length - a.length).join("|"),
+      ")",
+      `( ${UNMASK_STR})?`
+    ].join(""),
+    "g"
+  );
+  const replaceFn = (match, pre, val, post) => {
+    if (pre && post) return match;
+    return state.sensitiveSecretsMap[val].redacted;
+  };
+  state.redactorFindReplace = { find: findRegex, replace: replaceFn };
+}
+function redactSensitiveConfig(o) {
+  const { redactorFindReplace } = getRedactionState();
+  if (!redactorFindReplace) return o;
+  if (!o) return o;
+  if (Array.isArray(o)) {
+    return o.map(redactSensitiveConfig);
+  }
+  if (o && typeof o === "object" && Object.getPrototypeOf(o) === Object.prototype) {
+    try {
+      return JSON.parse(redactSensitiveConfig(JSON.stringify(o)));
+    } catch (err) {
+      return o;
+    }
+  }
+  const type = typeof o;
+  if (type === "string" || type === "object" && Object.prototype.toString.call(o) === "[object String]") {
+    return o.replaceAll(redactorFindReplace.find, redactorFindReplace.replace);
+  }
+  return o;
+}
+function revealSensitiveConfig(secretStr) {
+  if (!globalThis._varlockOrigWriteToConsoleFn) return secretStr;
+  return `${UNMASK_STR} ${secretStr} ${UNMASK_STR}`;
+}
+function scanForLeaks(toScan, meta) {
+  debug("\u26A1\uFE0F varlock scanning for leaks");
+  if (!toScan) return toScan;
+  function scanStrForLeaks(strToScan) {
+    const { sensitiveSecretsMap } = getRedactionState();
+    for (const sensitiveValue in sensitiveSecretsMap) {
+      if (strToScan.includes(sensitiveValue)) {
+        const itemKey = sensitiveSecretsMap[sensitiveValue].key;
+        console.error([
+          "",
+          `\u{1F6A8} ${"DETECTED LEAKED SENSITIVE CONFIG"} \u{1F6A8}`,
+          `> Config item key: ${itemKey}`,
+          ...meta?.method ? [`> Scan method: ${meta.method}`] : [],
+          ...meta?.file ? [`> File: ${meta.file}`] : [],
+          ""
+        ].join("\n"));
+        throw new Error(`\u{1F6A8} DETECTED LEAKED SENSITIVE CONFIG - ${itemKey}`);
+      }
+    }
+  }
+  if (isString(toScan)) {
+    scanStrForLeaks(toScan);
+    return toScan;
+  } else if (typeof Buffer !== "undefined" && toScan instanceof Buffer) {
+    scanStrForLeaks(toScan.toString());
+    return toScan;
+  } else if (toScan instanceof ReadableStream) {
+    if (toScan.locked) {
+      return toScan;
+    }
+    const chunkDecoder = new TextDecoder();
+    return toScan.pipeThrough(
+      new TransformStream({
+        transform(chunk, controller) {
+          const chunkStr = chunkDecoder.decode(chunk);
+          scanStrForLeaks(chunkStr);
+          controller.enqueue(chunk);
+        }
+      })
+    );
+  }
+  return toScan;
+}
+var initializedEnv = false;
+var envValues = {};
+var varlockSettings = {};
+var processExists = !!globalThis.process;
+var originalProcessEnv = { ...processExists && process.env };
+var varlockInjectedProcessEnvKeys;
+function initVarlockEnv(opts) {
+  debug("\u26A1\uFE0F INIT VARLOCK ENV!", initializedEnv, !!globalThis.__varlockLoadedEnv, !!globalThis.process?.env.__VARLOCK_ENV);
+  if (isBrowser && !globalThis.process?.env.__VARLOCK_ENV) {
+    initializedEnv = true;
+    return;
+  }
+  let serializedEnvData;
+  if (globalThis.__varlockLoadedEnv) {
+    serializedEnvData = globalThis.__varlockLoadedEnv;
+  } else if (processExists && process.env.__VARLOCK_ENV) {
+    serializedEnvData = JSON.parse(process.env.__VARLOCK_ENV);
+  } else {
+    if (opts?.allowFail) return;
+    console.error([
+      "",
+      "\u{1F6A8} initVarlockEnv failed  \u{1F6A8}",
+      "try rerunning your command via `varlock run`",
+      ""
+    ].join("\n"));
+    throw new Error("initVarlockEnv failed");
+  }
+  Object.assign(varlockSettings, serializedEnvData.settings);
+  resetRedactionMap(serializedEnvData);
+  const setProcessEnv = processExists;
+  if (setProcessEnv) {
+    if (varlockInjectedProcessEnvKeys) {
+      for (const key of varlockInjectedProcessEnvKeys) delete process.env[key];
+      for (const key of Object.keys(originalProcessEnv)) process.env[key] = originalProcessEnv[key];
+    }
+    varlockInjectedProcessEnvKeys = [];
+  }
+  for (const itemKey in serializedEnvData.config) {
+    const itemValue = serializedEnvData.config[itemKey].value;
+    envValues[itemKey] = itemValue;
+    if (setProcessEnv) {
+      varlockInjectedProcessEnvKeys?.push(itemKey);
+      process.env[itemKey] = itemValue === void 0 ? "" : String(itemValue);
+    }
+  }
+  initializedEnv = true;
+}
+try {
+  if (!initializedEnv) {
+    initVarlockEnv({ allowFail: true });
+  }
+} catch (err) {
+}
+var IGNORED_PROXY_KEYS = [
+  // vue - see https://github.com/vuejs/core/blob/70773d00985135a50556c61fb9855ed6b930cb82/packages/reactivity/src/ref.ts#L101
+  "__v_isRef"
+];
+var EnvProxy = new Proxy({}, {
+  get(target, prop) {
+    if (typeof prop === "symbol") return;
+    if (IGNORED_PROXY_KEYS.includes(prop)) return;
+    if (!initializedEnv) {
+      throw new Error("varlock ENV not initialized");
+    }
+    if (prop in envValues) return envValues[prop];
+    if (globalThis.__varlockThrowOnMissingKeys) {
+      if (globalThis.__varlockValidKeys && globalThis.__varlockValidKeys.includes(prop)) {
+        throw new Error(`\`ENV.${prop}\` exists, but is not available in this environment`);
+      } else {
+        throw new Error(`\`ENV.${prop}\` does not exist`);
+      }
+    }
+    return void 0;
+  }
+});
+var ENV = EnvProxy;
+
+// src/runtime/patch-console.ts
+function patchGlobalConsole() {
+  debug("\u26A1\uFE0F PATCHING global console methods");
+  if (console.log._varlockPatchedFn) {
+    debug("> already patched");
+    return;
+  }
+  if (varlockSettings.redactLogs === false) {
+    debug("> disabled by settings");
+    return;
+  }
+  const kWriteToConsoleSymbol = Object.getOwnPropertySymbols(globalThis.console).find((s) => s.description === "kWriteToConsole");
+  globalThis._varlockOrigWriteToConsoleFn ||= globalThis.console[kWriteToConsoleSymbol];
+  globalThis.console[kWriteToConsoleSymbol] = function() {
+    globalThis._varlockOrigWriteToConsoleFn.apply(this, [
+      arguments[0],
+      redactSensitiveConfig(arguments[1]),
+      arguments[2]
+    ]);
+  };
+  for (const logMethodName of ["trace", "debug", "info", "log", "info", "warn", "error"]) {
+    const originalLogMethod = globalThis.console[logMethodName];
+    const patchedFn = function() {
+      originalLogMethod.apply(this, Array.from(arguments).map(redactSensitiveConfig));
+    };
+    patchedFn._varlockPatchedFn = true;
+    globalThis.console[logMethodName] = patchedFn;
+  }
+}
+
+// src/runtime/patch-response.ts
+function patchGlobalResponse() {
+  debug("\u26A1\uFE0F PATCHING global Response");
+  if (globalThis.Response._patchedByVarlock) {
+    debug("> already patched");
+    return;
+  }
+  if (varlockSettings.preventLeaks === false) {
+    debug("> disabled by settings");
+    return;
+  }
+  const _UnpatchedResponse = globalThis.Response;
+  globalThis.Response = class VarlockPatchedResponse extends _UnpatchedResponse {
+    static _patchedByVarlock = true;
+    // Make native fetch() responses (which are instances of the original Response)
+    // pass instanceof checks against the patched globalThis.Response.
+    static [Symbol.hasInstance](instance) {
+      return instance instanceof _UnpatchedResponse;
+    }
+    constructor(body, init) {
+      debug("\u26A1\uFE0F patched Response constructor");
+      super(scanForLeaks(body, { method: "patched Response constructor" }), init);
+    }
+    static json(data, init) {
+      debug("\u26A1\uFE0F patched Response.json");
+      scanForLeaks(JSON.stringify(data), { method: "patched Response.json" });
+      const r = _UnpatchedResponse.json(data, init);
+      Object.setPrototypeOf(r, Response.prototype);
+      return r;
+    }
+  };
+}
+
+// src/runtime/init-edge.ts
+initVarlockEnv();
+patchGlobalConsole();
+patchGlobalResponse();
+globalThis.__varlockPatchConsole = patchGlobalConsole;
+
+exports.ENV = ENV;
+exports.redactSensitiveConfig = redactSensitiveConfig;
+exports.revealSensitiveConfig = revealSensitiveConfig;
+exports.scanForLeaks = scanForLeaks;

package/dist/runtime/init-edge.d.cts

@@ -0,0 +1 @@
+export { ENV, redactSensitiveConfig, revealSensitiveConfig, scanForLeaks } from './init-server.cjs';