vaulter 0.2.1 → 0.3.1

package/README.md

@@ -18,9 +18,11 @@ npm install -g vaulter
 # Initialize project
 vaulter init
 
-# Set some secrets
-vaulter set DATABASE_URL "postgres://localhost/mydb" -e dev
-vaulter set API_KEY "sk-secret-key" -e dev
+# Set secrets (encrypted, synced to backend)
+vaulter set DATABASE_URL="postgres://localhost/mydb" API_KEY="sk-secret-key" -e dev
+
+# Set configs (plain text, file only in split mode)
+vaulter set PORT:3000 LOG_LEVEL:debug -e dev
 
 # Export to shell
 eval $(vaulter export -e dev)
@@ -50,13 +52,41 @@ MCP server for Claude AI. Zero config for dev, production-ready.
 
 ---
 
+## Table of Contents
+
+- [Quick Start](#quick-start)
+- [What's Inside](#whats-inside)
+- [Highlights](#highlights)
+- [Commands](#commands)
+- [Configuration](#configuration)
+  - [Directory Modes](#directory-modes)
+- [Backend URLs](#backend-urls)
+- [Encryption](#encryption)
+- [Running Commands](#running-commands)
+  - [Shell Scripts](#shell-scripts)
+  - [Interactive Tools](#interactive-tools)
+- [Integrations](#integrations)
+  - [kubectl](#kubectl)
+  - [Helm & Helmfile](#helm--helmfile)
+  - [Terraform & Terragrunt](#terraform--terragrunt)
+- [Monorepo Support](#monorepo-support)
+  - [NX Monorepo](#nx-monorepo)
+  - [Turborepo](#turborepo)
+- [MCP Tools](#mcp-tools)
+- [CI/CD](#cicd)
+- [Security Best Practices](#security-best-practices)
+- [API Usage](#api-usage)
+- [Pre-built Binaries](#pre-built-binaries)
+
+---
+
 ## What's Inside
 
 | Category | Features |
 |:---------|:---------|
 | **Backends** | AWS S3, MinIO, Cloudflare R2, DigitalOcean Spaces, Backblaze B2, FileSystem, Memory |
-| **Encryption** | AES-256-GCM via s3db.js, field-level encryption, key rotation |
-| **Environments** | dev, stg, prd, sbx, dr (fully customizable) |
+| **Encryption** | AES-256-GCM via s3db.js, field-level encryption |
+| **Environments** | dev, stg, prd, sbx, dr (configurable subset) |
 | **Integrations** | Kubernetes Secret/ConfigMap, Helm values.yaml, Terraform tfvars |
 | **Monorepo** | Service discovery, batch operations, config inheritance |
 | **MCP Server** | Claude AI integration via Model Context Protocol |
@@ -141,7 +171,8 @@ loader({ path: '.env.local', override: true })
 |:--------|:------------|:--------|
 | `init` | Initialize project | `vaulter init` |
 | `get <key>` | Get a variable | `vaulter get DATABASE_URL -e prd` |
-| `set <key> <value>` | Set a variable | `vaulter set API_KEY "sk-..." -e prd` |
+| `set KEY=val ...` | Set secrets (batch) | `vaulter set KEY1=v1 KEY2=v2 -e prd` |
+| `set KEY:val ...` | Set configs (plain) | `vaulter set PORT:3000 HOST:0.0.0.0 -e dev` |
 | `delete <key>` | Delete a variable | `vaulter delete OLD_KEY -e dev` |
 | `list` | List all variables | `vaulter list -e prd` |
 | `export` | Export for shell | `eval $(vaulter export -e dev)` |
@@ -172,6 +203,33 @@ loader({ path: '.env.local', override: true })
 | `services` | List monorepo services | `vaulter services` |
 | `mcp` | Start MCP server | `vaulter mcp` |
 
+### Set Command Syntax
+
+HTTPie-style separators for differentiating secrets from configs:
+
+```bash
+# Secrets (encrypted, synced to backend)
+vaulter set KEY=value                    # Single secret
+vaulter set A=1 B=2 C=3 -e dev           # Batch secrets
+vaulter set KEY:=123                     # Typed secret (number/boolean)
+
+# Configs (plain text, file only in split mode, synced in unified mode)
+vaulter set PORT::3000 HOST::localhost   # Configs
+
+# With metadata
+vaulter set DB_URL=postgres://... @tag:database,sensitive @owner:backend -e prd
+
+# Legacy syntax (still works)
+vaulter set KEY "value" -e dev           # Treated as secret
+```
+
+| Separator | Type | Backend Sync | Encryption |
+|:----------|:-----|:-------------|:-----------|
+| `=` | Secret | ✓ | ✓ |
+| `:=` | Secret (typed) | ✓ | ✓ |
+| `::` | Config | Split: ✗ / Unified: ✓ | ✗ |
+| `@key:value` | Metadata | — | — |
+
 ## Global Options
 
 ```
@@ -227,7 +285,7 @@ Sync merges local and remote variables. Conflicts are resolved by `sync.conflict
 
 ```yaml
 sync:
-  conflict: local   # local | remote | prompt | error
+  conflict: local   # local | remote | error
   ignore:
     - "PUBLIC_*"
   required:
@@ -236,9 +294,70 @@ sync:
 ```
 
 Notes:
-- `prompt` and `error` will stop the sync if conflicts are detected.
+- `local` (default): Local values win on conflict, remote-only keys are pulled to local
+- `remote`: Remote values win on conflict
+- `error`: Stop sync if any conflicts are detected
 - When reading from stdin, sync only updates the backend (local file is not changed).
 
+### Directory Modes
+
+Vaulter supports two directory structures for organizing environment files:
+
+#### Unified Mode (Default)
+
+All environment files in a single directory:
+
+```
+my-project/
+├── .vaulter/
+│   ├── config.yaml
+│   └── environments/
+│       ├── dev.env        # All vars (secrets + configs)
+│       ├── stg.env
+│       └── prd.env
+```
+
+#### Split Mode
+
+Separate directories for configs (committable) and secrets (gitignored):
+
+```
+my-project/
+├── .vaulter/
+│   └── config.yaml
+└── deploy/
+    ├── configs/           # ✅ Committable (non-sensitive)
+    │   ├── dev.env        # NODE_ENV, PORT, LOG_LEVEL
+    │   ├── stg.env
+    │   └── prd.env
+    └── secrets/           # ❌ Gitignored (sensitive)
+        ├── dev.env        # DATABASE_URL, JWT_SECRET
+        ├── stg.env
+        └── prd.env
+```
+
+Configure split mode in `config.yaml`:
+
+```yaml
+directories:
+  mode: split              # "unified" (default) or "split"
+  configs: deploy/configs  # Non-sensitive vars (committable)
+  secrets: deploy/secrets  # Sensitive vars (gitignored)
+```
+
+Tip: scaffold split mode with `vaulter init --split`.
+
+**Behavior in split mode:**
+- `sync`, `pull`, `push` operate on the **secrets** directory
+- `k8s:secret` reads from local **secrets** file (no backend fetch)
+- `k8s:configmap` reads from local **configs** file (no backend fetch)
+- Configs are managed via git, secrets via vaulter
+
+**When to use split mode:**
+- Monorepos with deploy directories per service
+- Teams that want configs reviewed in PRs
+- Environments where non-sensitive configs should be in git
+
 ### Hooks
 
 ```yaml
@@ -322,6 +441,231 @@ security:
 
 `auto_encrypt.patterns` is used to classify secrets for integrations (K8s/Helm).
 
+## Running Commands
+
+Load environment variables into any command using `eval $(vaulter export)`.
+
+### Shell Scripts
+
+```bash
+# Run a script with environment variables
+eval $(vaulter export -e dev) ./myscript.sh
+
+# Or in two steps
+eval $(vaulter export -e dev)
+./myscript.sh
+
+# One-liner with subshell (vars don't persist after)
+(eval $(vaulter export -e prd) && ./deploy.sh)
+
+# Using env command (cleaner syntax)
+env $(vaulter export -e dev --format=shell) ./myscript.sh
+```
+
+### Interactive Tools
+
+```bash
+# k9s with production credentials
+eval $(vaulter export -e prd) k9s
+
+# psql with database URL
+eval $(vaulter export -e dev) psql $DATABASE_URL
+
+# redis-cli
+eval $(vaulter export -e dev) redis-cli -u $REDIS_URL
+
+# AWS CLI with credentials
+eval $(vaulter export -e prd) aws s3 ls
+
+# Docker run with env vars
+eval $(vaulter export -e dev) docker run --env-file <(vaulter export -e dev --format=env) myapp
+
+# Any Node.js app
+eval $(vaulter export -e dev) node server.js
+
+# Python app
+eval $(vaulter export -e dev) python app.py
+```
+
+### Shell Alias (Recommended)
+
+Add to your `~/.bashrc` or `~/.zshrc`:
+
+```bash
+# Quick alias for common environments
+alias vdev='eval $(vaulter export -e dev)'
+alias vstg='eval $(vaulter export -e stg)'
+alias vprd='eval $(vaulter export -e prd)'
+
+# Usage
+vdev ./myscript.sh
+vprd k9s
+vstg psql $DATABASE_URL
+```
+
+### One-liner Pattern
+
+```bash
+# Pattern: eval $(vaulter export -e ENV) COMMAND
+eval $(vaulter export -e dev) npm run dev
+eval $(vaulter export -e prd) kubectl get pods
+eval $(vaulter export -e stg) terraform plan
+```
+
+## Integrations
+
+### kubectl
+
+```bash
+# Create Secret from vaulter
+vaulter k8s:secret -e prd | kubectl apply -f -
+
+# Create ConfigMap (non-secret vars)
+vaulter k8s:configmap -e prd | kubectl apply -f -
+
+# With custom name and namespace
+vaulter k8s:secret -e prd -n my-namespace --name my-app-secrets | kubectl apply -f -
+
+# Dry-run to see YAML
+vaulter k8s:secret -e prd --dry-run
+
+# Create secret from export (alternative)
+vaulter export -e prd --format=env | \
+  kubectl create secret generic myapp --from-env-file=/dev/stdin --dry-run=client -o yaml | \
+  kubectl apply -f -
+
+# Run kubectl with vaulter vars
+eval $(vaulter export -e prd) kubectl exec -it deploy/myapp -- env | grep DATABASE
+```
+
+### Helm & Helmfile
+
+#### Helm
+
+```bash
+# Generate values.yaml and pipe to helm
+vaulter helm:values -e prd | helm upgrade myapp ./chart -f -
+
+# Save values to file
+vaulter helm:values -e prd > values.prd.yaml
+helm upgrade myapp ./chart -f values.prd.yaml
+
+# With secrets separated (uses auto_encrypt.patterns)
+vaulter helm:values -e prd --secrets  # Only secret vars
+vaulter helm:values -e prd --config   # Only non-secret vars
+
+# Install with inline values
+helm install myapp ./chart \
+  --set-string DATABASE_URL="$(vaulter get DATABASE_URL -e prd)" \
+  --set-string API_KEY="$(vaulter get API_KEY -e prd)"
+```
+
+#### Helmfile
+
+```yaml
+# helmfile.yaml
+repositories:
+  - name: bitnami
+    url: https://charts.bitnami.com/bitnami
+
+releases:
+  - name: myapp
+    namespace: production
+    chart: ./charts/myapp
+    values:
+      - values.yaml
+      - values.prd.yaml  # Generated by: vaulter helm:values -e prd > values.prd.yaml
+```
+
+```bash
+# Generate values before helmfile sync
+vaulter helm:values -e prd > values.prd.yaml
+helmfile sync
+
+# Or use process substitution
+helmfile sync --values <(vaulter helm:values -e prd)
+
+# With environment variables for helmfile
+eval $(vaulter export -e prd) helmfile apply
+```
+
+### Terraform & Terragrunt
+
+#### Terraform
+
+```bash
+# Generate .tfvars file
+vaulter tf:vars -e prd > terraform.tfvars
+terraform plan
+
+# Generate JSON format
+vaulter tf:json -e prd > terraform.tfvars.json
+terraform plan -var-file=terraform.tfvars.json
+
+# Pass vars inline
+terraform plan \
+  -var="database_url=$(vaulter get DATABASE_URL -e prd)" \
+  -var="api_key=$(vaulter get API_KEY -e prd)"
+
+# Use TF_VAR_* environment variables
+eval $(vaulter export -e prd --format=tfvars)
+terraform plan
+
+# Pipe directly (requires bash process substitution)
+terraform plan -var-file=<(vaulter tf:vars -e prd)
+```
+
+#### Terragrunt
+
+```bash
+# Set env vars for terragrunt
+eval $(vaulter export -e prd) terragrunt plan
+
+# Generate inputs file
+vaulter tf:vars -e prd > inputs.tfvars
+terragrunt plan --terragrunt-config terragrunt.hcl
+
+# In terragrunt.hcl - use environment variables
+# terragrunt.hcl
+inputs = {
+  database_url = get_env("DATABASE_URL", "")
+  api_key      = get_env("API_KEY", "")
+}
+
+# Then run:
+eval $(vaulter export -e prd) terragrunt apply
+
+# Or with inputs file
+# terragrunt.hcl
+terraform {
+  extra_arguments "custom_vars" {
+    commands = get_terraform_commands_that_need_vars()
+    arguments = [
+      "-var-file=inputs.tfvars"
+    ]
+  }
+}
+```
+
+```bash
+# Full workflow with terragrunt
+vaulter pull -e prd                    # Get latest vars
+vaulter tf:vars -e prd > inputs.tfvars # Generate tfvars
+terragrunt plan                        # Plan with vars
+terragrunt apply                       # Apply
+```
+
+### Integration Summary
+
+| Tool | Command |
+|:-----|:--------|
+| **kubectl** | `vaulter k8s:secret -e prd \| kubectl apply -f -` |
+| **helm** | `vaulter helm:values -e prd \| helm upgrade app ./chart -f -` |
+| **helmfile** | `vaulter helm:values -e prd > values.prd.yaml && helmfile sync` |
+| **terraform** | `vaulter tf:vars -e prd > terraform.tfvars && terraform plan` |
+| **terragrunt** | `eval $(vaulter export -e prd) terragrunt apply` |
+| **any command** | `eval $(vaulter export -e ENV) COMMAND` |
+
 ## Monorepo Support
 
 Vaulter auto-discovers services with `.vaulter/` directories and supports config inheritance.
@@ -490,6 +834,7 @@ deploy:
 .vaulter/.key
 .vaulter/config.local.yaml
 **/config.local.yaml
+deploy/secrets/
 .env
 .env.*
 ```

package/dist/cli/commands/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAG5D,UAAU,WAAW;IACnB,IAAI,EAAE,OAAO,CAAA;IACb,MAAM,EAAE,aAAa,GAAG,IAAI,CAAA;IAC5B,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,EAAE,OAAO,CAAA;IAChB,MAAM,EAAE,OAAO,CAAA;IACf,UAAU,EAAE,OAAO,CAAA;CACpB;AAED;;GAEG;AACH,wBAAsB,OAAO,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA4FjE"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAG5D,UAAU,WAAW;IACnB,IAAI,EAAE,OAAO,CAAA;IACb,MAAM,EAAE,aAAa,GAAG,IAAI,CAAA;IAC5B,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,EAAE,OAAO,CAAA;IAChB,MAAM,EAAE,OAAO,CAAA;IACf,UAAU,EAAE,OAAO,CAAA;CACpB;AAED;;GAEG;AACH,wBAAsB,OAAO,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAkKjE"}

package/dist/cli/commands/init.js

@@ -11,6 +11,12 @@ import { createDefaultConfig, configExists, findConfigDir } from '../../lib/conf
  */
 export async function runInit(context) {
     const { args, verbose, dryRun, jsonOutput } = context;
+    const splitMode = args.split || false;
+    const splitDirectories = {
+        mode: 'split',
+        configs: 'deploy/configs',
+        secrets: 'deploy/secrets'
+    };
     // Check if already initialized
     if (configExists()) {
         const existingDir = findConfigDir();
@@ -39,18 +45,25 @@ export async function runInit(context) {
                 action: 'init',
                 project: projectName,
                 configDir,
+                splitMode,
                 dryRun: true
             }));
         }
         else {
             console.log('Dry run - would create:');
             console.log(`  ${configDir}/config.yaml`);
-            console.log(`  ${configDir}/environments/`);
+            if (splitMode) {
+                console.log(`  ${splitDirectories.configs}/`);
+                console.log(`  ${splitDirectories.secrets}/`);
+            }
+            else {
+                console.log(`  ${configDir}/environments/`);
+            }
         }
         return;
     }
     // Create configuration
-    createDefaultConfig(configDir, projectName);
+    createDefaultConfig(configDir, projectName, splitMode ? { directories: splitDirectories } : {});
     // Create .gitignore for sensitive files
     const gitignorePath = path.join(configDir, '.gitignore');
     if (!fs.existsSync(gitignorePath)) {
@@ -61,15 +74,51 @@ export async function runInit(context) {
 `);
     }
     // Create placeholder environment files
-    const envDir = path.join(configDir, 'environments');
     const environments = ['dev', 'stg', 'prd', 'sbx', 'dr'];
-    for (const env of environments) {
-        const envFile = path.join(envDir, `${env}.env`);
-        if (!fs.existsSync(envFile)) {
-            fs.writeFileSync(envFile, `# ${env.toUpperCase()} Environment Variables
+    if (splitMode) {
+        const baseDir = path.dirname(configDir);
+        const configsDir = path.join(baseDir, splitDirectories.configs);
+        const secretsDir = path.join(baseDir, splitDirectories.secrets);
+        if (!fs.existsSync(configsDir)) {
+            fs.mkdirSync(configsDir, { recursive: true });
+        }
+        if (!fs.existsSync(secretsDir)) {
+            fs.mkdirSync(secretsDir, { recursive: true });
+        }
+        const secretsGitignore = path.join(secretsDir, '.gitignore');
+        if (!fs.existsSync(secretsGitignore)) {
+            fs.writeFileSync(secretsGitignore, `# Vaulter secrets (do not commit)
+*
+!.gitignore
+`);
+        }
+        for (const env of environments) {
+            const configsFile = path.join(configsDir, `${env}.env`);
+            if (!fs.existsSync(configsFile)) {
+                fs.writeFileSync(configsFile, `# ${env.toUpperCase()} Config Variables
+# Non-sensitive config values for ${env}
+# Example: NODE_ENV=${env}
+`);
+            }
+            const secretsFile = path.join(secretsDir, `${env}.env`);
+            if (!fs.existsSync(secretsFile)) {
+                fs.writeFileSync(secretsFile, `# ${env.toUpperCase()} Secret Variables
+# Sensitive values for ${env} (gitignored)
+# Example: DATABASE_URL=postgres://localhost/${env}_db
+`);
+            }
+        }
+    }
+    else {
+        const envDir = path.join(configDir, 'environments');
+        for (const env of environments) {
+            const envFile = path.join(envDir, `${env}.env`);
+            if (!fs.existsSync(envFile)) {
+                fs.writeFileSync(envFile, `# ${env.toUpperCase()} Environment Variables
 # Add your ${env} environment variables here
 # Example: DATABASE_URL=postgres://localhost/${env}_db
 `);
+            }
         }
     }
     if (jsonOutput) {
@@ -77,22 +126,42 @@ export async function runInit(context) {
             success: true,
             project: projectName,
             configDir,
+            splitMode,
             files: [
                 'config.yaml',
                 '.gitignore',
-                ...environments.map(e => `environments/${e}.env`)
+                ...(splitMode
+                    ? [
+                        `${splitDirectories.secrets}/.gitignore`,
+                        ...environments.map(e => `${splitDirectories.configs}/${e}.env`),
+                        ...environments.map(e => `${splitDirectories.secrets}/${e}.env`)
+                    ]
+                    : environments.map(e => `environments/${e}.env`))
             ]
         }));
     }
     else {
         console.log(`✓ Initialized vaulter for project: ${projectName}`);
         console.log(`  Config: ${configDir}/config.yaml`);
-        console.log(`  Environments: ${envDir}/`);
+        if (splitMode) {
+            console.log(`  Configs: ${splitDirectories.configs}/`);
+            console.log(`  Secrets: ${splitDirectories.secrets}/`);
+        }
+        else {
+            console.log(`  Environments: ${path.join(configDir, 'environments')}/`);
+        }
         console.log('');
         console.log('Next steps:');
         console.log('  1. Edit .vaulter/config.yaml to configure your backend');
-        console.log('  2. Add environment variables to .vaulter/environments/*.env');
-        console.log('  3. Run "vaulter sync -e dev" to sync with backend');
+        if (splitMode) {
+            console.log('  2. Add non-sensitive vars to deploy/configs/*.env');
+            console.log('  3. Add secrets to deploy/secrets/*.env');
+            console.log('  4. Run "vaulter sync -e dev" to sync with backend');
+        }
+        else {
+            console.log('  2. Add environment variables to .vaulter/environments/*.env');
+            console.log('  3. Run "vaulter sync -e dev" to sync with backend');
+        }
     }
 }
 //# sourceMappingURL=init.js.map

package/dist/cli/commands/init.js.map

@@ -1 +1 @@
-{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAA;AACxB,OAAO,IAAI,MAAM,WAAW,CAAA;AAE5B,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAA;AAW7F;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAAoB;IAChD,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAA;IAErD,+BAA+B;IAC/B,IAAI,YAAY,EAAE,EAAE,CAAC;QACnB,MAAM,WAAW,GAAG,aAAa,EAAE,CAAA;QACnC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC,CAAA;YAClF,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,kCAAkC,WAAW,EAAE,CAAC,CAAA;gBAC9D,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAA;YAC9C,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAE1E,wBAAwB;IACxB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAA;IAEtD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,qCAAqC,WAAW,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,GAAG,CAAC,qBAAqB,SAAS,EAAE,CAAC,CAAA;IAC/C,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;gBACzB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,WAAW;gBACpB,SAAS;gBACT,MAAM,EAAE,IAAI;aACb,CAAC,CAAC,CAAA;QACL,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAA;YACtC,OAAO,CAAC,GAAG,CAAC,KAAK,SAAS,cAAc,CAAC,CAAA;YACzC,OAAO,CAAC,GAAG,CAAC,KAAK,SAAS,gBAAgB,CAAC,CAAA;QAC7C,CAAC;QACD,OAAM;IACR,CAAC;IAED,uBAAuB;IACvB,mBAAmB,CAAC,SAAS,EAAE,WAAW,CAAC,CAAA;IAE3C,wCAAwC;IACxC,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAA;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE;;;;CAInC,CAAC,CAAA;IACA,CAAC;IAED,uCAAuC;IACvC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;IACnD,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;IAEvD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,MAAM,CAAC,CAAA;QAC/C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5B,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,GAAG,CAAC,WAAW,EAAE;aACzC,GAAG;+CAC+B,GAAG;CACjD,CAAC,CAAA;QACE,CAAC;IACH,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,WAAW;YACpB,SAAS;YACT,KAAK,EAAE;gBACL,aAAa;gBACb,YAAY;gBACZ,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;aAClD;SACF,CAAC,CAAC,CAAA;IACL,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,sCAAsC,WAAW,EAAE,CAAC,CAAA;QAChE,OAAO,CAAC,GAAG,CAAC,aAAa,SAAS,cAAc,CAAC,CAAA;QACjD,OAAO,CAAC,GAAG,CAAC,mBAAmB,MAAM,GAAG,CAAC,CAAA;QACzC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACf,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAC1B,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAA;QACvE,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAA;QAC5E,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAA;IACpE,CAAC;AACH,CAAC"}
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../src/cli/commands/init.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAA;AACxB,OAAO,IAAI,MAAM,WAAW,CAAA;AAE5B,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAA;AAW7F;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAAoB;IAChD,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAA;IACrD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAA;IACrC,MAAM,gBAAgB,GAAG;QACvB,IAAI,EAAE,OAAgB;QACtB,OAAO,EAAE,gBAAgB;QACzB,OAAO,EAAE,gBAAgB;KAC1B,CAAA;IAED,+BAA+B;IAC/B,IAAI,YAAY,EAAE,EAAE,CAAC;QACnB,MAAM,WAAW,GAAG,aAAa,EAAE,CAAA;QACnC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC,CAAA;YAClF,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,KAAK,CAAC,kCAAkC,WAAW,EAAE,CAAC,CAAA;gBAC9D,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAA;YAC9C,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAA;IAE1E,wBAAwB;IACxB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAA;IAEtD,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,qCAAqC,WAAW,EAAE,CAAC,CAAA;QAC/D,OAAO,CAAC,GAAG,CAAC,qBAAqB,SAAS,EAAE,CAAC,CAAA;IAC/C,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;gBACzB,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,WAAW;gBACpB,SAAS;gBACT,SAAS;gBACT,MAAM,EAAE,IAAI;aACb,CAAC,CAAC,CAAA;QACL,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAA;YACtC,OAAO,CAAC,GAAG,CAAC,KAAK,SAAS,cAAc,CAAC,CAAA;YACzC,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,CAAC,GAAG,CAAC,KAAK,gBAAgB,CAAC,OAAO,GAAG,CAAC,CAAA;gBAC7C,OAAO,CAAC,GAAG,CAAC,KAAK,gBAAgB,CAAC,OAAO,GAAG,CAAC,CAAA;YAC/C,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,KAAK,SAAS,gBAAgB,CAAC,CAAA;YAC7C,CAAC;QACH,CAAC;QACD,OAAM;IACR,CAAC;IAED,uBAAuB;IACvB,mBAAmB,CAAC,SAAS,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;IAE/F,wCAAwC;IACxC,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAA;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAClC,EAAE,CAAC,aAAa,CAAC,aAAa,EAAE;;;;CAInC,CAAC,CAAA;IACA,CAAC;IAED,uCAAuC;IACvC,MAAM,YAAY,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,CAAC,CAAA;IAEvD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;QACvC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAA;QAC/D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,gBAAgB,CAAC,OAAO,CAAC,CAAA;QAE/D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;QAC/C,CAAC;QACD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/B,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;QAC/C,CAAC;QAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,YAAY,CAAC,CAAA;QAC5D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACrC,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE;;;CAGxC,CAAC,CAAA;QACE,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,GAAG,MAAM,CAAC,CAAA;YACvD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;gBAChC,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,KAAK,GAAG,CAAC,WAAW,EAAE;oCACxB,GAAG;sBACjB,GAAG;CACxB,CAAC,CAAA;YACI,CAAC;YAED,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,GAAG,MAAM,CAAC,CAAA;YACvD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;gBAChC,EAAE,CAAC,aAAa,CAAC,WAAW,EAAE,KAAK,GAAG,CAAC,WAAW,EAAE;yBACnC,GAAG;+CACmB,GAAG;CACjD,CAAC,CAAA;YACI,CAAC;QACH,CAAC;IACH,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;QAEnD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;YAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,GAAG,MAAM,CAAC,CAAA;YAC/C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC5B,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,GAAG,CAAC,WAAW,EAAE;aAC3C,GAAG;+CAC+B,GAAG;CACjD,CAAC,CAAA;YACI,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;YACzB,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,WAAW;YACpB,SAAS;YACT,SAAS;YACT,KAAK,EAAE;gBACL,aAAa;gBACb,YAAY;gBACZ,GAAG,CAAC,SAAS;oBACX,CAAC,CAAC;wBACE,GAAG,gBAAgB,CAAC,OAAO,aAAa;wBACxC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,gBAAgB,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC;wBAChE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,gBAAgB,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC;qBACjE;oBACH,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;aACpD;SACF,CAAC,CAAC,CAAA;IACL,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,sCAAsC,WAAW,EAAE,CAAC,CAAA;QAChE,OAAO,CAAC,GAAG,CAAC,aAAa,SAAS,cAAc,CAAC,CAAA;QACjD,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,cAAc,gBAAgB,CAAC,OAAO,GAAG,CAAC,CAAA;YACtD,OAAO,CAAC,GAAG,CAAC,cAAc,gBAAgB,CAAC,OAAO,GAAG,CAAC,CAAA;QACxD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,GAAG,CAAC,CAAA;QACzE,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACf,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;QAC1B,OAAO,CAAC,GAAG,CAAC,0DAA0D,CAAC,CAAA;QACvE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAA;YAClE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAA;YACvD,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAA;QACpE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAA;YAC5E,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAA;QACpE,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/cli/commands/integrations/kubernetes.d.ts

@@ -2,6 +2,14 @@
  * Vaulter CLI - Kubernetes Integration Commands
  *
  * Generate Kubernetes Secret and ConfigMap YAML
+ *
+ * Supports two modes:
+ * - Backend mode (default): Fetch variables from backend storage
+ * - Local mode (-f/--file): Read variables from local .env file
+ *
+ * In split mode (directories.mode=split):
+ * - k8s:secret can read from deploy/secrets/<env>.env
+ * - k8s:configmap can read from deploy/configs/<env>.env
  */
 import type { CLIArgs, VaulterConfig, Environment } from '../../../types.js';
 interface K8sContext {
@@ -15,10 +23,16 @@ interface K8sContext {
 }
 /**
  * Generate Kubernetes Secret YAML
+ *
+ * In split mode (directories.mode=split), reads from local secrets file.
+ * Otherwise, fetches from backend storage.
  */
 export declare function runK8sSecret(context: K8sContext): Promise<void>;
 /**
  * Generate Kubernetes ConfigMap YAML
+ *
+ * In split mode (directories.mode=split), reads from local configs file.
+ * Otherwise, fetches from backend and filters out secrets.
  */
 export declare function runK8sConfigMap(context: K8sContext): Promise<void>;
 export {};

package/dist/cli/commands/integrations/kubernetes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"kubernetes.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/integrations/kubernetes.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAI5E,UAAU,UAAU;IAClB,IAAI,EAAE,OAAO,CAAA;IACb,MAAM,EAAE,aAAa,GAAG,IAAI,CAAA;IAC5B,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,WAAW,CAAA;IACxB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,OAAO,CAAA;CACpB;AAoBD;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAkErE;AAED;;GAEG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAiExE"}
+{"version":3,"file":"kubernetes.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/integrations/kubernetes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAW5E,UAAU,UAAU;IAClB,IAAI,EAAE,OAAO,CAAA;IACb,MAAM,EAAE,aAAa,GAAG,IAAI,CAAA;IAC5B,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,WAAW,EAAE,WAAW,CAAA;IACxB,OAAO,EAAE,OAAO,CAAA;IAChB,UAAU,EAAE,OAAO,CAAA;CACpB;AA0ED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAyFrE;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAgGxE"}