npm - varlock - Versions diffs - 0.9.1 → 1.0.0 - Mend

varlock 0.9.1 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (103) hide show

package/dist/{chunk-FWJAZMC7.js → chunk-2ABRAKHE.js} RENAMED Viewed

@@ -1,5 +1,5 @@
-import { CliExitError } from './chunk-QHIRGHGG.js';
-import { detectWorkspaceInfo, ansis_default } from './chunk-W3GUFLIV.js';
+import { CliExitError } from './chunk-GBCB7Y3B.js';
+import { detectWorkspaceInfo, ansis_default } from './chunk-U7RQPX5K.js';
 import { __name } from './chunk-6PEHRAEP.js';
 import path from 'path';
 import fs, { existsSync } from 'fs';
@@ -64,5 +64,5 @@ var logLines = /* @__PURE__ */ __name((lines) => {
 }, "logLines");
 export { detectJsPackageManager, fmt, installJsDependency, logLines };
-//# sourceMappingURL=chunk-FWJAZMC7.js.map
-//# sourceMappingURL=chunk-FWJAZMC7.js.map
+//# sourceMappingURL=chunk-2ABRAKHE.js.map
+//# sourceMappingURL=chunk-2ABRAKHE.js.map

package/dist/{chunk-FWJAZMC7.js.map → chunk-2ABRAKHE.js.map} RENAMED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/cli/helpers/js-package-manager-utils.ts","../src/cli/helpers/pretty-format.ts"],"names":[],"mappings":";;;;;;;AAkBO,SAAS,uBAAuB,IAAA,EAGpC;AACD,EAAA,MAAM,OAAO,mBAAA,CAAoB,EAAE,GAAA,EAAK,IAAA,EAAM,KAAK,CAAA;AACnD,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,IAAI,MAAM,cAAA,EAAgB;AACxB,MAAA,MAAM,IAAI,aAAa,mDAAA,EAAqD;AAAA,QAC1E,UAAA,EAAY,oHAAA;AAAA,QACZ,SAAA,EAAW;AAAA,OACZ,CAAA;AAAA,IACH;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,OAAO,IAAA,CAAK,cAAA;AACd;AAfgB,MAAA,CAAA,sBAAA,EAAA,wBAAA,CAAA;AAiBT,SAAS,oBAAoB,IAAA,EAKjC;AACD,EAAA,MAAM,eAAA,GAAkB,KAAK,IAAA,CAAK,IAAA,CAAK,eAAe,OAAA,CAAQ,GAAA,IAAO,cAAc,CAAA;AAGnF,EAAA,IAAI,CAAC,UAAA,CAAW,eAAe,CAAA,EAAG,OAAO,KAAA;AAEzC,EAAA,MAAM,cAAc,IAAA,CAAK,KAAA,CAAM,GAAG,YAAA,CAAa,eAAA,EAAiB,MAAM,CAAC,CAAA;AAEvE,EAAA,IAAI,WAAA,CAAY,YAAA,EAAc,OAAA,EAAS,OAAO,KAAA;AAG9C,EAAA,QAAA,CAAS;AAAA;AAAA,IAEP,IAAA,CAAK,WAAA,IAAe,CAAA,GAAA,EAAM,IAAA,CAAK,WAAW,CAAA,GAAA,CAAA;AAAA;AAAA,IAE1C,CAAA,EAAG,IAAA,CAAK,cAAc,CAAA,KAAA,EAAQ,KAAK,WAAW,CAAA,CAAA;AAAA;AAAA;AAAA,IAG9C,IAAA,CAAK,cAAA,KAAmB,MAAA,KAAW,IAAA,CAAK,iBAAiB,IAAA,GAAO,+BAAA;AAAA,IAChE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAC,CAAA;AAE3B,EAAA,OAAO,IAAA;AACT;AA3BgB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA;;;AC/BT,IAAM,GAAA,GAAM;AAAA,EACjB,2BAAW,MAAA,CAAA,CAAC,CAAA,KAAc,aAAA,CAAM,OAAA,CAAQ,CAAC,CAAA,EAA9B,WAAA,CAAA;AAAA,EACX,QAAA,0BAAW,CAAA,KAAc,CAAA,UAAA,EAAM,cAAM,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA,CAAA,EAAzC,UAAA,CAAA;AAAA,EACV,QAAA,0BAAW,CAAA,KAAc,CAAA,EAAG,cAAM,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA,CAAA,EAAtC,UAAA,CAAA;AAAA,EACV,OAAA,kBAAS,MAAA,CAAA,CAAC,CAAA,EAAW,IAAA,KAA8D;AACjF,IAAA,IAAI,gBAAA;AACJ,IAAA,IAAI,IAAA,EAAM,qBAAqB,IAAA,EAAM;AACnC,MAAA,gBAAA,GAAmB,sBAAA,EAAuB;AAAA,IAC5C,CAAA,MAAA,IAAW,MAAM,gBAAA,EAAkB;AACjC,MAAA,gBAAA,GAAmB,IAAA,CAAK,gBAAA;AAAA,IAC1B;AACA,IAAA,IAAI,gBAAA,EAAkB;AACpB,MAAA,CAAA,GAAI,CAAA,EAAG,gBAAA,CAAiB,IAAI,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA;AAAA,IACnC;AACA,IAAA,OAAO,aAAA,CAAM,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA;AAAA,EAC7B,CAAA,EAXS,SAAA,CAAA;AAAA,EAYT,6BAAa,MAAA,CAAA,CAAC,CAAA,KAAc,cAAM,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA,EAAnC,aAAA;AACf;AAEO,IAAM,QAAA,2BAAY,KAAA,KAA6C;AACpE,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AAExB,IAAA,IAAI,CAAC,IAAA,IAAQ,IAAA,KAAS,EAAA,EAAI;AAC1B,IAAA,OAAA,CAAQ,IAAI,IAAI,CAAA;AAAA,EAClB;AACF,CAAA,EANwB,UAAA","file":"chunk-~~FWJAZMC7~~.js","sourcesContent":["// Re-exports for backward compatibility - prefer importing from lib/workspace-utils directly\nexport {\n JS_PACKAGE_MANAGERS,\n detectWorkspaceInfo,\n getWorkspaceInfo,\n runWithWorkspaceInfo,\n type JsPackageManager,\n type JsPackageManagerMeta,\n type WorkspaceInfo,\n type MonorepoTool,\n} from '../../lib/workspace-utils';\n\nimport path from 'node:path';\nimport fs, { existsSync } from 'node:fs';\nimport { execSync } from 'node:child_process';\nimport { CliExitError } from './exit-error';\nimport { detectWorkspaceInfo, type JsPackageManager } from '../../lib/workspace-utils';\n\nexport function detectJsPackageManager(opts?: {\n cwd?: string,\n exitIfNotFound?: boolean,\n}) {\n const info = detectWorkspaceInfo({ cwd: opts?.cwd });\n if (!info) {\n if (opts?.exitIfNotFound) {\n throw new CliExitError('Unable to detect your JavaScript package manager!', {\n suggestion: 'We look for lock files (ex: package-lock.json) so you may just need to run a dependency install (ie `npm install`)',\n forceExit: true,\n });\n }\n return undefined;\n }\n return info.packageManager;\n}\n\nexport function installJsDependency(opts: {\n packageName: string,\n packageManager: JsPackageManager,\n packagePath?: string,\n isMonoRepoRoot?: boolean,\n}) {\n const packageJsonPath = path.join(opts.packagePath \|\| process.cwd(), 'package.json');\n\n // for now, we'll just bail if we dont see a package.json\n if (!existsSync(packageJsonPath)) return false;\n\n const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));\n // bail if already installed\n if (packageJson.dependencies?.varlock) return false;\n\n // TODO: might want to check first if it's already installed?\n execSync([\n // move to the correct directory if needed\n opts.packagePath && `cd ${opts.packagePath} &&`,\n // `add` works in all of them\n `${opts.packageManager} add ${opts.packageName}`,\n // tells pnpm to either install in the workspace root explicitly\n // or to not check if we are the in the root\n opts.packageManager === 'pnpm' && (opts.isMonoRepoRoot ? '-w' : '--ignore-workspace-root-check'),\n ].filter(Boolean).join(' '));\n\n return true;\n}\n","import ansis from 'ansis';\nimport { detectJsPackageManager, type JsPackageManagerMeta } from './js-package-manager-utils';\n\n\nexport const fmt = {\n decorator: (s: string) => ansis.magenta(s),\n filePath: (s: string) => `📂 ${ansis.cyan.italic(s)}`,\n fileName: (s: string) => `${ansis.cyan.italic(s)}`,\n command: (s: string, opts?: { jsPackageManager?: JsPackageManagerMeta \| true }) => {\n let jsPackageManager: JsPackageManagerMeta \| undefined;\n if (opts?.jsPackageManager === true) {\n jsPackageManager = detectJsPackageManager();\n } else if (opts?.jsPackageManager) {\n jsPackageManager = opts.jsPackageManager;\n }\n if (jsPackageManager) {\n s = `${jsPackageManager.exec} ${s}`;\n }\n return ansis.green.italic(s);\n },\n packageName: (s: string) => ansis.green.italic(s),\n};\n\nexport const logLines = (lines: Array<string \| false \| undefined>) => {\n for (const line of lines) {\n // skip false, null, undefined, but not empty strings\n if (!line && line !== '') continue;\n console.log(line);\n }\n};\n"]}
1	+ {"version":3,"sources":["../src/cli/helpers/js-package-manager-utils.ts","../src/cli/helpers/pretty-format.ts"],"names":[],"mappings":";;;;;;;AAkBO,SAAS,uBAAuB,IAAA,EAGpC;AACD,EAAA,MAAM,OAAO,mBAAA,CAAoB,EAAE,GAAA,EAAK,IAAA,EAAM,KAAK,CAAA;AACnD,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,IAAI,MAAM,cAAA,EAAgB;AACxB,MAAA,MAAM,IAAI,aAAa,mDAAA,EAAqD;AAAA,QAC1E,UAAA,EAAY,oHAAA;AAAA,QACZ,SAAA,EAAW;AAAA,OACZ,CAAA;AAAA,IACH;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,OAAO,IAAA,CAAK,cAAA;AACd;AAfgB,MAAA,CAAA,sBAAA,EAAA,wBAAA,CAAA;AAiBT,SAAS,oBAAoB,IAAA,EAKjC;AACD,EAAA,MAAM,eAAA,GAAkB,KAAK,IAAA,CAAK,IAAA,CAAK,eAAe,OAAA,CAAQ,GAAA,IAAO,cAAc,CAAA;AAGnF,EAAA,IAAI,CAAC,UAAA,CAAW,eAAe,CAAA,EAAG,OAAO,KAAA;AAEzC,EAAA,MAAM,cAAc,IAAA,CAAK,KAAA,CAAM,GAAG,YAAA,CAAa,eAAA,EAAiB,MAAM,CAAC,CAAA;AAEvE,EAAA,IAAI,WAAA,CAAY,YAAA,EAAc,OAAA,EAAS,OAAO,KAAA;AAG9C,EAAA,QAAA,CAAS;AAAA;AAAA,IAEP,IAAA,CAAK,WAAA,IAAe,CAAA,GAAA,EAAM,IAAA,CAAK,WAAW,CAAA,GAAA,CAAA;AAAA;AAAA,IAE1C,CAAA,EAAG,IAAA,CAAK,cAAc,CAAA,KAAA,EAAQ,KAAK,WAAW,CAAA,CAAA;AAAA;AAAA;AAAA,IAG9C,IAAA,CAAK,cAAA,KAAmB,MAAA,KAAW,IAAA,CAAK,iBAAiB,IAAA,GAAO,+BAAA;AAAA,IAChE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAC,CAAA;AAE3B,EAAA,OAAO,IAAA;AACT;AA3BgB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA;;;AC/BT,IAAM,GAAA,GAAM;AAAA,EACjB,2BAAW,MAAA,CAAA,CAAC,CAAA,KAAc,aAAA,CAAM,OAAA,CAAQ,CAAC,CAAA,EAA9B,WAAA,CAAA;AAAA,EACX,QAAA,0BAAW,CAAA,KAAc,CAAA,UAAA,EAAM,cAAM,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA,CAAA,EAAzC,UAAA,CAAA;AAAA,EACV,QAAA,0BAAW,CAAA,KAAc,CAAA,EAAG,cAAM,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA,CAAA,EAAtC,UAAA,CAAA;AAAA,EACV,OAAA,kBAAS,MAAA,CAAA,CAAC,CAAA,EAAW,IAAA,KAA8D;AACjF,IAAA,IAAI,gBAAA;AACJ,IAAA,IAAI,IAAA,EAAM,qBAAqB,IAAA,EAAM;AACnC,MAAA,gBAAA,GAAmB,sBAAA,EAAuB;AAAA,IAC5C,CAAA,MAAA,IAAW,MAAM,gBAAA,EAAkB;AACjC,MAAA,gBAAA,GAAmB,IAAA,CAAK,gBAAA;AAAA,IAC1B;AACA,IAAA,IAAI,gBAAA,EAAkB;AACpB,MAAA,CAAA,GAAI,CAAA,EAAG,gBAAA,CAAiB,IAAI,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA;AAAA,IACnC;AACA,IAAA,OAAO,aAAA,CAAM,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA;AAAA,EAC7B,CAAA,EAXS,SAAA,CAAA;AAAA,EAYT,6BAAa,MAAA,CAAA,CAAC,CAAA,KAAc,cAAM,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA,EAAnC,aAAA;AACf;AAEO,IAAM,QAAA,2BAAY,KAAA,KAA6C;AACpE,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AAExB,IAAA,IAAI,CAAC,IAAA,IAAQ,IAAA,KAAS,EAAA,EAAI;AAC1B,IAAA,OAAA,CAAQ,IAAI,IAAI,CAAA;AAAA,EAClB;AACF,CAAA,EANwB,UAAA","file":"chunk-2ABRAKHE.js","sourcesContent":["// Re-exports for backward compatibility - prefer importing from lib/workspace-utils directly\nexport {\n JS_PACKAGE_MANAGERS,\n detectWorkspaceInfo,\n getWorkspaceInfo,\n runWithWorkspaceInfo,\n type JsPackageManager,\n type JsPackageManagerMeta,\n type WorkspaceInfo,\n type MonorepoTool,\n} from '../../lib/workspace-utils';\n\nimport path from 'node:path';\nimport fs, { existsSync } from 'node:fs';\nimport { execSync } from 'node:child_process';\nimport { CliExitError } from './exit-error';\nimport { detectWorkspaceInfo, type JsPackageManager } from '../../lib/workspace-utils';\n\nexport function detectJsPackageManager(opts?: {\n cwd?: string,\n exitIfNotFound?: boolean,\n}) {\n const info = detectWorkspaceInfo({ cwd: opts?.cwd });\n if (!info) {\n if (opts?.exitIfNotFound) {\n throw new CliExitError('Unable to detect your JavaScript package manager!', {\n suggestion: 'We look for lock files (ex: package-lock.json) so you may just need to run a dependency install (ie `npm install`)',\n forceExit: true,\n });\n }\n return undefined;\n }\n return info.packageManager;\n}\n\nexport function installJsDependency(opts: {\n packageName: string,\n packageManager: JsPackageManager,\n packagePath?: string,\n isMonoRepoRoot?: boolean,\n}) {\n const packageJsonPath = path.join(opts.packagePath \|\| process.cwd(), 'package.json');\n\n // for now, we'll just bail if we dont see a package.json\n if (!existsSync(packageJsonPath)) return false;\n\n const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));\n // bail if already installed\n if (packageJson.dependencies?.varlock) return false;\n\n // TODO: might want to check first if it's already installed?\n execSync([\n // move to the correct directory if needed\n opts.packagePath && `cd ${opts.packagePath} &&`,\n // `add` works in all of them\n `${opts.packageManager} add ${opts.packageName}`,\n // tells pnpm to either install in the workspace root explicitly\n // or to not check if we are the in the root\n opts.packageManager === 'pnpm' && (opts.isMonoRepoRoot ? '-w' : '--ignore-workspace-root-check'),\n ].filter(Boolean).join(' '));\n\n return true;\n}\n","import ansis from 'ansis';\nimport { detectJsPackageManager, type JsPackageManagerMeta } from './js-package-manager-utils';\n\n\nexport const fmt = {\n decorator: (s: string) => ansis.magenta(s),\n filePath: (s: string) => `📂 ${ansis.cyan.italic(s)}`,\n fileName: (s: string) => `${ansis.cyan.italic(s)}`,\n command: (s: string, opts?: { jsPackageManager?: JsPackageManagerMeta \| true }) => {\n let jsPackageManager: JsPackageManagerMeta \| undefined;\n if (opts?.jsPackageManager === true) {\n jsPackageManager = detectJsPackageManager();\n } else if (opts?.jsPackageManager) {\n jsPackageManager = opts.jsPackageManager;\n }\n if (jsPackageManager) {\n s = `${jsPackageManager.exec} ${s}`;\n }\n return ansis.green.italic(s);\n },\n packageName: (s: string) => ansis.green.italic(s),\n};\n\nexport const logLines = (lines: Array<string \| false \| undefined>) => {\n for (const line of lines) {\n // skip false, null, undefined, but not empty strings\n if (!line && line !== '') continue;\n console.log(line);\n }\n};\n"]}

package/dist/chunk-2EEXFFKL.js ADDED Viewed

@@ -0,0 +1,149 @@
+import { define } from './chunk-4A54P4EM.js';
+import { loadVarlockEnvGraph, writeBackValue } from './chunk-V2MTE4J6.js';
+import { encryptValue, getBackendInfo, ensureKey, getDaemonClient } from './chunk-6DXWXIQV.js';
+import { gracefulExit } from './chunk-CHQDS2PI.js';
+import { CliExitError } from './chunk-GBCB7Y3B.js';
+import { FileBasedDataSource, ParsedEnvSpecFunctionCall, ParsedEnvSpecStaticValue, multiselect, ansis_default, password } from './chunk-U7RQPX5K.js';
+import { q } from './chunk-HDKXXS2X.js';
+import { __name } from './chunk-6PEHRAEP.js';
+import path from 'path';
+import fs from 'fs';
+var commandSpec = define({
+  name: "encrypt",
+  description: "Encrypt a value using device-local encryption",
+  args: {
+    "key-id": {
+      type: "string",
+      description: "Encryption key ID (default: varlock-default)",
+      default: "varlock-default"
+    },
+    file: {
+      type: "string",
+      description: "Path to a .env file \u2014 encrypts all sensitive plaintext values in-place"
+    }
+  }
+});
+async function encryptFile(keyId, filePath) {
+  const resolvedPath = path.resolve(filePath);
+  if (!fs.existsSync(resolvedPath)) {
+    throw new CliExitError(`File not found: ${resolvedPath}`);
+  }
+  const envGraph = await loadVarlockEnvGraph();
+  await envGraph.resolveEnvValues();
+  const targetSource = envGraph.sortedDataSources.find(
+    (s) => s instanceof FileBasedDataSource && s.fullPath === resolvedPath
+  );
+  if (!targetSource) {
+    throw new CliExitError(
+      `File "${filePath}" is not part of the loaded env graph`,
+      { suggestion: "Make sure the file is in the project directory or imported by your schema." }
+    );
+  }
+  const itemsToEncrypt = [];
+  for (const [key, itemDef] of Object.entries(targetSource.configItemDefs)) {
+    const graphItem = envGraph.configSchema[key];
+    if (!graphItem?.isSensitive) continue;
+    if (itemDef.parsedValue instanceof ParsedEnvSpecFunctionCall) continue;
+    if (!(itemDef.parsedValue instanceof ParsedEnvSpecStaticValue)) continue;
+    const val = itemDef.parsedValue.unescapedValue;
+    if (val === void 0 || val === "" || typeof val !== "string") continue;
+    itemsToEncrypt.push({ key, value: val });
+  }
+  if (itemsToEncrypt.length === 0) {
+    console.log("No sensitive plaintext values found to encrypt.");
+    return;
+  }
+  console.log("Only items marked as @sensitive in the schema are shown.");
+  console.log("If a key is missing, add @sensitive to it in your schema file.\n");
+  const selected = await multiselect({
+    message: `Confirm values to encrypt in ${filePath} ${ansis_default.gray("(use arrows, space to toggle, enter to confirm)")}`,
+    options: itemsToEncrypt.map((item) => ({
+      value: item.key,
+      label: item.key
+    })),
+    initialValues: itemsToEncrypt.map((item) => item.key)
+  });
+  if (q(selected)) return gracefulExit();
+  const selectedKeys = new Set(selected);
+  const filteredItems = itemsToEncrypt.filter((item) => selectedKeys.has(item.key));
+  if (filteredItems.length === 0) {
+    console.log("No items selected.");
+    return;
+  }
+  console.log("");
+  let encryptedCount = 0;
+  for (const item of filteredItems) {
+    const ciphertext = await encryptValue(item.value, keyId);
+    const result = writeBackValue(item.key, `varlock("local:${ciphertext}")`, resolvedPath);
+    if (result.updated) {
+      encryptedCount++;
+      console.log(`  Encrypted: ${item.key}`);
+    }
+  }
+  console.log(`
+Encrypted ${encryptedCount} value${encryptedCount !== 1 ? "s" : ""} in ${filePath}`);
+}
+__name(encryptFile, "encryptFile");
+var commandFn = /* @__PURE__ */ __name(async (ctx) => {
+  const keyId = String(ctx.values["key-id"] || "varlock-default");
+  const backend = getBackendInfo();
+  try {
+    await ensureKey(keyId);
+  } catch (err) {
+    if (err instanceof CliExitError) throw err;
+    throw new CliExitError(
+      `Failed to check/create encryption key: ${err instanceof Error ? err.message : err}`
+    );
+  }
+  console.log(`Using ${backend.type} backend (${backend.hardwareBacked ? "hardware-backed" : "file-based"})`);
+  const filePath = ctx.values.file;
+  if (filePath) {
+    await encryptFile(keyId, filePath);
+    return;
+  }
+  console.log("");
+  let ciphertext;
+  if (!process.stdin.isTTY) {
+    const chunks = [];
+    for await (const chunk of process.stdin) {
+      chunks.push(chunk);
+    }
+    const rawValue = Buffer.concat(chunks).toString("utf-8").replace(/\r?\n$/, "");
+    if (!rawValue) {
+      throw new CliExitError("No value received on stdin");
+    }
+    try {
+      ciphertext = await encryptValue(rawValue, keyId);
+    } catch (err) {
+      if (err instanceof CliExitError) throw err;
+      throw new CliExitError(
+        `Encryption failed: ${err instanceof Error ? err.message : err}`
+      );
+    }
+  } else if (backend.biometricAvailable) {
+    const client = getDaemonClient();
+    const result = await client.promptSecret({ keyId });
+    if (!result) {
+      return gracefulExit();
+    }
+    ciphertext = result;
+  } else {
+    const prompted = await password({ message: "Enter the value you want to encrypt", hint: "for multi-line values, pipe via stdin" });
+    if (q(prompted)) return gracefulExit();
+    try {
+      ciphertext = await encryptValue(prompted, keyId);
+    } catch (err) {
+      if (err instanceof CliExitError) throw err;
+      throw new CliExitError(
+        `Encryption failed: ${err instanceof Error ? err.message : err}`
+      );
+    }
+  }
+  console.log("\nCopy this into your .env.local file and rename the key appropriately:\n");
+  console.log(`SOME_SENSITIVE_KEY=varlock("local:${ciphertext}")`);
+}, "commandFn");
+export { commandFn, commandSpec };
+//# sourceMappingURL=chunk-2EEXFFKL.js.map
+//# sourceMappingURL=chunk-2EEXFFKL.js.map

package/dist/chunk-2EEXFFKL.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/cli/commands/encrypt.command.ts"],"names":[],"mappings":";;;;;;;;;;;AAmBO,IAAM,cAAc,MAAA,CAAO;AAAA,EAChC,IAAA,EAAM,SAAA;AAAA,EACN,WAAA,EAAa,+CAAA;AAAA,EACb,IAAA,EAAM;AAAA,IACJ,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,QAAA;AAAA,MACN,WAAA,EAAa,8CAAA;AAAA,MACb,OAAA,EAAS;AAAA,KACX;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,WAAA,EAAa;AAAA;AACf;AAEJ,CAAC;AAED,eAAe,WAAA,CAAY,OAAe,QAAA,EAAkB;AAC1D,EAAA,MAAM,YAAA,GAAe,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA;AAC1C,EAAA,IAAI,CAAC,EAAA,CAAG,UAAA,CAAW,YAAY,CAAA,EAAG;AAChC,IAAA,MAAM,IAAI,YAAA,CAAa,CAAA,gBAAA,EAAmB,YAAY,CAAA,CAAE,CAAA;AAAA,EAC1D;AAGA,EAAA,MAAM,QAAA,GAAW,MAAM,mBAAA,EAAoB;AAC3C,EAAA,MAAM,SAAS,gBAAA,EAAiB;AAGhC,EAAA,MAAM,YAAA,GAAe,SAAS,iBAAA,CAAkB,IAAA;AAAA,IAC9C,CAAC,CAAA,KAAM,CAAA,YAAa,mBAAA,IAAuB,EAAE,QAAA,KAAa;AAAA,GAC5D;AAEA,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,MAAM,IAAI,YAAA;AAAA,MACR,SAAS,QAAQ,CAAA,qCAAA,CAAA;AAAA,MACjB,EAAE,YAAY,4EAAA;AAA6E,KAC7F;AAAA,EACF;AAGA,EAAA,MAAM,iBAAwD,EAAC;AAE/D,EAAA,KAAA,MAAW,CAAC,KAAK,OAAO,CAAA,IAAK,OAAO,OAAA,CAAQ,YAAA,CAAa,cAAc,CAAA,EAAG;AACxE,IAAA,MAAM,SAAA,GAAY,QAAA,CAAS,YAAA,CAAa,GAAG,CAAA;AAC3C,IAAA,IAAI,CAAC,WAAW,WAAA,EAAa;AAG7B,IAAA,IAAI,OAAA,CAAQ,uBAAuB,yBAAA,EAA2B;AAG9D,IAAA,IAAI,EAAE,OAAA,CAAQ,WAAA,YAAuB,wBAAA,CAAA,EAA2B;AAChE,IAAA,MAAM,GAAA,GAAM,QAAQ,WAAA,CAAY,cAAA;AAChC,IAAA,IAAI,QAAQ,MAAA,IAAa,GAAA,KAAQ,EAAA,IAAM,OAAO,QAAQ,QAAA,EAAU;AAEhE,IAAA,cAAA,CAAe,IAAA,CAAK,EAAE,GAAA,EAAK,KAAA,EAAO,KAAK,CAAA;AAAA,EACzC;AAEA,EAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/B,IAAA,OAAA,CAAQ,IAAI,iDAAiD,CAAA;AAC7D,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,IAAI,0DAA0D,CAAA;AACtE,EAAA,OAAA,CAAQ,IAAI,kEAAkE,CAAA;AAE9E,EAAA,MAAM,QAAA,GAAW,MAAM,WAAA,CAAY;AAAA,IACjC,SAAS,CAAA,6BAAA,EAAgC,QAAQ,IAAI,aAAA,CAAM,IAAA,CAAK,iDAAiD,CAAC,CAAA,CAAA;AAAA,IAClH,OAAA,EAAS,cAAA,CAAe,GAAA,CAAI,CAAC,IAAA,MAAU;AAAA,MACrC,OAAO,IAAA,CAAK,GAAA;AAAA,MACZ,OAAO,IAAA,CAAK;AAAA,KACd,CAAE,CAAA;AAAA,IACF,eAAe,cAAA,CAAe,GAAA,CAAI,CAAC,IAAA,KAAS,KAAK,GAAG;AAAA,GACrD,CAAA;AAED,EAAA,IAAI,CAAA,CAAS,QAAQ,CAAA,EAAG,OAAO,YAAA,EAAa;AAE5C,EAAA,MAAM,YAAA,GAAe,IAAI,GAAA,CAAI,QAAyB,CAAA;AACtD,EAAA,MAAM,aAAA,GAAgB,eAAe,MAAA,CAAO,CAAC,SAAS,YAAA,CAAa,GAAA,CAAI,IAAA,CAAK,GAAG,CAAC,CAAA;AAEhF,EAAA,IAAI,aAAA,CAAc,WAAW,CAAA,EAAG;AAC9B,IAAA,OAAA,CAAQ,IAAI,oBAAoB,CAAA;AAChC,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,IAAI,EAAE,CAAA;AAEd,EAAA,IAAI,cAAA,GAAiB,CAAA;AACrB,EAAA,KAAA,MAAW,QAAQ,aAAA,EAAe;AAChC,IAAA,MAAM,UAAA,GAAa,MAAmB,YAAA,CAAa,IAAA,CAAK,OAAO,KAAK,CAAA;AACpE,IAAA,MAAM,SAAS,cAAA,CAAe,IAAA,CAAK,KAAK,CAAA,eAAA,EAAkB,UAAU,MAAM,YAAY,CAAA;AAEtF,IAAA,IAAI,OAAO,OAAA,EAAS;AAClB,MAAA,cAAA,EAAA;AACA,MAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,aAAA,EAAgB,IAAA,CAAK,GAAG,CAAA,CAAE,CAAA;AAAA,IACxC;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,GAAA,CAAI;AAAA,UAAA,EAAe,cAAc,SAAS,cAAA,KAAmB,CAAA,GAAI,MAAM,EAAE,CAAA,IAAA,EAAO,QAAQ,CAAA,CAAE,CAAA;AACpG;AAjFe,MAAA,CAAA,WAAA,EAAA,aAAA,CAAA;AAmFR,IAAM,SAAA,iCAA6D,GAAA,KAAQ;AAChF,EAAA,MAAM,QAAQ,MAAA,CAAO,GAAA,CAAI,MAAA,CAAO,QAAQ,KAAK,iBAAiB,CAAA;AAC9D,EAAA,MAAM,UAAuB,cAAA,EAAe;AAE5C,EAAA,IAAI;AACF,IAAA,MAAmB,UAAU,KAAK,CAAA;AAAA,EACpC,SAAS,GAAA,EAAK;AACZ,IAAA,IAAI,GAAA,YAAe,cAAc,MAAM,GAAA;AACvC,IAAA,MAAM,IAAI,YAAA;AAAA,MACR,CAAA,uCAAA,EAA0C,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,UAAU,GAAG,CAAA;AAAA,KACpF;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,GAAA,CAAI,SAAS,OAAA,CAAQ,IAAI,aAAa,OAAA,CAAQ,cAAA,GAAiB,iBAAA,GAAoB,YAAY,CAAA,CAAA,CAAG,CAAA;AAE1G,EAAA,MAAM,QAAA,GAAW,IAAI,MAAA,CAAO,IAAA;AAG5B,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAM,WAAA,CAAY,OAAO,QAAQ,CAAA;AACjC,IAAA;AAAA,EACF;AAIA,EAAA,OAAA,CAAQ,IAAI,EAAE,CAAA;AAEd,EAAA,IAAI,UAAA;AAEJ,EAAA,IAAI,CAAC,OAAA,CAAQ,KAAA,CAAM,KAAA,EAAO;AACxB,IAAA,MAAM,SAAwB,EAAC;AAC/B,IAAA,WAAA,MAAiB,KAAA,IAAS,QAAQ,KAAA,EAAO;AACvC,MAAA,MAAA,CAAO,KAAK,KAAe,CAAA;AAAA,IAC7B;AACA,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA,CAAE,SAAS,OAAO,CAAA,CAAE,OAAA,CAAQ,QAAA,EAAU,EAAE,CAAA;AAC7E,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,MAAM,IAAI,aAAa,4BAA4B,CAAA;AAAA,IACrD;AACA,IAAA,IAAI;AACF,MAAA,UAAA,GAAa,MAAmB,YAAA,CAAa,QAAA,EAAU,KAAK,CAAA;AAAA,IAC9D,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,GAAA,YAAe,cAAc,MAAM,GAAA;AACvC,MAAA,MAAM,IAAI,YAAA;AAAA,QACR,CAAA,mBAAA,EAAsB,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,UAAU,GAAG,CAAA;AAAA,OAChE;AAAA,IACF;AAAA,EACF,CAAA,MAAA,IAAW,QAAQ,kBAAA,EAAoB;AAErC,IAAA,MAAM,SAAsB,eAAA,EAAgB;AAC5C,IAAA,MAAM,SAAS,MAAM,MAAA,CAAO,YAAA,CAAa,EAAE,OAAO,CAAA;AAClD,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,OAAO,YAAA,EAAa;AAAA,IACtB;AACA,IAAA,UAAA,GAAa,MAAA;AAAA,EACf,CAAA,MAAO;AACL,IAAA,MAAM,QAAA,GAAW,MAAM,QAAA,CAAS,EAAE,SAAS,qCAAA,EAAuC,IAAA,EAAM,yCAAyC,CAAA;AACjI,IAAA,IAAI,CAAA,CAAS,QAAQ,CAAA,EAAG,OAAO,YAAA,EAAa;AAC5C,IAAA,IAAI;AACF,MAAA,UAAA,GAAa,MAAmB,YAAA,CAAa,QAAA,EAAU,KAAK,CAAA;AAAA,IAC9D,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,GAAA,YAAe,cAAc,MAAM,GAAA;AACvC,MAAA,MAAM,IAAI,YAAA;AAAA,QACR,CAAA,mBAAA,EAAsB,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,UAAU,GAAG,CAAA;AAAA,OAChE;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,IAAI,2EAA2E,CAAA;AACvF,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,kCAAA,EAAqC,UAAU,CAAA,EAAA,CAAI,CAAA;AACjE,CAAA,EArEmE,WAAA","file":"chunk-2EEXFFKL.js","sourcesContent":["import { define } from 'gunshi';\nimport { isCancel } from '@clack/prompts';\nimport ansis from 'ansis';\nimport path from 'node:path';\nimport fs from 'node:fs';\n\nimport {\n ParsedEnvSpecStaticValue,\n ParsedEnvSpecFunctionCall,\n} from '@env-spec/parser';\nimport { FileBasedDataSource } from '../../env-graph';\nimport { loadVarlockEnvGraph } from '../../lib/load-graph';\nimport { type TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\nimport { CliExitError } from '../helpers/exit-error';\nimport { multiselect, password } from '../helpers/prompts';\nimport { gracefulExit } from 'exit-hook';\nimport * as localEncrypt from '../../lib/local-encrypt';\nimport { writeBackValue } from '../../lib/local-encrypt/write-back';\n\nexport const commandSpec = define({\n name: 'encrypt',\n description: 'Encrypt a value using device-local encryption',\n args: {\n 'key-id': {\n type: 'string',\n description: 'Encryption key ID (default: varlock-default)',\n default: 'varlock-default',\n },\n file: {\n type: 'string',\n description: 'Path to a .env file — encrypts all sensitive plaintext values in-place',\n },\n },\n});\n\nasync function encryptFile(keyId: string, filePath: string) {\n const resolvedPath = path.resolve(filePath);\n if (!fs.existsSync(resolvedPath)) {\n throw new CliExitError(`File not found: ${resolvedPath}`);\n }\n\n // Load the full env graph and resolve to get sensitivity info from the schema\n const envGraph = await loadVarlockEnvGraph();\n await envGraph.resolveEnvValues();\n\n // Find the data source matching the target file\n const targetSource = envGraph.sortedDataSources.find(\n (s) => s instanceof FileBasedDataSource && s.fullPath === resolvedPath,\n ) as FileBasedDataSource | undefined;\n\n if (!targetSource) {\n throw new CliExitError(\n `File \"${filePath}\" is not part of the loaded env graph`,\n { suggestion: 'Make sure the file is in the project directory or imported by your schema.' },\n );\n }\n\n // Find sensitive items that have plaintext static values in this file\n const itemsToEncrypt: Array<{ key: string; value: string }> = [];\n\n for (const [key, itemDef] of Object.entries(targetSource.configItemDefs)) {\n const graphItem = envGraph.configSchema[key];\n if (!graphItem?.isSensitive) continue;\n\n // Skip items already using varlock() or another function call\n if (itemDef.parsedValue instanceof ParsedEnvSpecFunctionCall) continue;\n\n // Only encrypt items with actual static string values\n if (!(itemDef.parsedValue instanceof ParsedEnvSpecStaticValue)) continue;\n const val = itemDef.parsedValue.unescapedValue;\n if (val === undefined || val === '' || typeof val !== 'string') continue;\n\n itemsToEncrypt.push({ key, value: val });\n }\n\n if (itemsToEncrypt.length === 0) {\n console.log('No sensitive plaintext values found to encrypt.');\n return;\n }\n\n console.log('Only items marked as @sensitive in the schema are shown.');\n console.log('If a key is missing, add @sensitive to it in your schema file.\\n');\n\n const selected = await multiselect({\n message: `Confirm values to encrypt in ${filePath} ${ansis.gray('(use arrows, space to toggle, enter to confirm)')}`,\n options: itemsToEncrypt.map((item) => ({\n value: item.key,\n label: item.key,\n })),\n initialValues: itemsToEncrypt.map((item) => item.key),\n });\n\n if (isCancel(selected)) return gracefulExit();\n\n const selectedKeys = new Set(selected as Array<string>);\n const filteredItems = itemsToEncrypt.filter((item) => selectedKeys.has(item.key));\n\n if (filteredItems.length === 0) {\n console.log('No items selected.');\n return;\n }\n\n console.log('');\n\n let encryptedCount = 0;\n for (const item of filteredItems) {\n const ciphertext = await localEncrypt.encryptValue(item.value, keyId);\n const result = writeBackValue(item.key, `varlock(\"local:${ciphertext}\")`, resolvedPath);\n\n if (result.updated) {\n encryptedCount++;\n console.log(` Encrypted: ${item.key}`);\n }\n }\n\n console.log(`\\nEncrypted ${encryptedCount} value${encryptedCount !== 1 ? 's' : ''} in ${filePath}`);\n}\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n const keyId = String(ctx.values['key-id'] || 'varlock-default');\n const backend = localEncrypt.getBackendInfo();\n\n try {\n await localEncrypt.ensureKey(keyId);\n } catch (err) {\n if (err instanceof CliExitError) throw err;\n throw new CliExitError(\n `Failed to check/create encryption key: ${err instanceof Error ? err.message : err}`,\n );\n }\n\n console.log(`Using ${backend.type} backend (${backend.hardwareBacked ? 'hardware-backed' : 'file-based'})`);\n\n const filePath = ctx.values.file;\n\n // --file mode: encrypt all sensitive plaintext values in a .env file\n if (filePath) {\n await encryptFile(keyId, filePath);\n return;\n }\n\n // Single-value mode — read from stdin if piped, otherwise prompt interactively.\n // Avoids putting secrets in shell history (e.g. `echo $SECRET | varlock encrypt`).\n console.log('');\n\n let ciphertext: string;\n\n if (!process.stdin.isTTY) {\n const chunks: Array<Buffer> = [];\n for await (const chunk of process.stdin) {\n chunks.push(chunk as Buffer);\n }\n const rawValue = Buffer.concat(chunks).toString('utf-8').replace(/\\r?\\n$/, '');\n if (!rawValue) {\n throw new CliExitError('No value received on stdin');\n }\n try {\n ciphertext = await localEncrypt.encryptValue(rawValue, keyId);\n } catch (err) {\n if (err instanceof CliExitError) throw err;\n throw new CliExitError(\n `Encryption failed: ${err instanceof Error ? err.message : err}`,\n );\n }\n } else if (backend.biometricAvailable) {\n // Use native secure input dialog (supports multi-line paste)\n const client = localEncrypt.getDaemonClient();\n const result = await client.promptSecret({ keyId });\n if (!result) {\n return gracefulExit();\n }\n ciphertext = result;\n } else {\n const prompted = await password({ message: 'Enter the value you want to encrypt', hint: 'for multi-line values, pipe via stdin' });\n if (isCancel(prompted)) return gracefulExit();\n try {\n ciphertext = await localEncrypt.encryptValue(prompted, keyId);\n } catch (err) {\n if (err instanceof CliExitError) throw err;\n throw new CliExitError(\n `Encryption failed: ${err instanceof Error ? err.message : err}`,\n );\n }\n }\n\n console.log('\\nCopy this into your .env.local file and rename the key appropriately:\\n');\n console.log(`SOME_SENSITIVE_KEY=varlock(\"local:${ciphertext}\")`);\n};\n"]}