feat: adds file system-supported version and updates appropriate exports

.secrets/.secrets.enc.js

@@ -0,0 +1,3 @@
+This file was auto-generated by @jacobwolf/gitops-secrets
+const CIPHER_TEXT = undefined;
+module.exports = { CIPHER_TEXT };

__mocks__/.secrets.enc.js

@@ -0,0 +1,3 @@
+module.exports = {
+   loadSecrets: () => ({ key: 'loaded-value' }),
+};

__mocks__/fs.cjs

@@ -0,0 +1,2 @@
+const { fs } = require('memfs');
+module.exports = { ...fs, default: fs };

__mocks__/fs/promises.cjs

@@ -0,0 +1,2 @@
+const { fs } = require('memfs');
+module.exports = fs.promises;

__mocks__/secrets.js

@@ -0,0 +1,5 @@
+module.exports = {
+   encrypt: vi.fn().mockResolvedValue('encrypted-content'),
+   decrypt: vi.fn().mockResolvedValue('{"key":"decrypted-value"}'),
+   mergeSecrets: vi.fn(),
+};

biome.json

@@ -8,7 +8,7 @@
    },
    "files": {
       "ignoreUnknown": false,
-      "include": ["src/**/*"]
+      "include": ["src/**/*", "tests/**/*", "__mocks__/**/*"]
    },
    "formatter": {
       "enabled": true,

package.json

@@ -37,6 +37,7 @@
       "@types/node": "^22.13.11",
       "husky": "^9.1.7",
       "lint-staged": "^15.5.0",
+      "memfs": "^4.17.0",
       "msw": "^2.7.3",
       "tsup": "^8.4.0",
       "typescript": "^5.8.2",

src/index.ts

@@ -1,5 +1,11 @@
-async function main() {
-   console.log('Hello, world!');
-}
+import * as doppler from './providers/doppler';
+import * as secrets from './secrets';
+import * as secretsFiles from './secrets-files';
 
-main();
+export const providers = { doppler };
+
+export default {
+   ...secrets,
+   ...secretsFiles,
+   providers,
+};

src/no-fs.ts

@@ -0,0 +1,14 @@
+import * as doppler from './providers/doppler';
+import * as secrets from './secrets';
+
+const noFs = {
+   ...secrets,
+   providers: {
+      doppler,
+   },
+};
+
+export default noFs;
+
+export * from './secrets';
+export const providers = { doppler };

src/secrets-files.ts

@@ -0,0 +1,101 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import * as secrets from './secrets';
+import { EnvTarget } from './types';
+
+const SECRETS_FOLDER = path.join(__dirname, '../.secrets');
+const DEFAULT_JS_PATH = path.join(SECRETS_FOLDER, '.secrets.enc.js');
+const DEFAULT_JSON_PATH = path.join(SECRETS_FOLDER, '.secrets.enc.json');
+
+if (!fs.existsSync(SECRETS_FOLDER)) {
+   fs.mkdirSync(SECRETS_FOLDER, { recursive: true });
+}
+
+/**
+ * Encapsulate encrypted secrets in a JS module for easy runtime access.
+ * Use {options.path} to output module locally for when package level storage or non-literal imports are disallowed.
+ * Use {options.cipherTextOnly} to limit the JS file to only exporting `CIPHER_TEXT`.
+ * @param {<Record<string, any>>} payload
+ * @param {{path: string | null, cipherTextOnly: boolean}} options
+ */
+// biome-ignore lint/suspicious/noExplicitAny: Want to keep this flexible
+async function build(payload: Record<string, any>, options = { path: null as string | null, cipherTextOnly: false }) {
+   const cipherText = await secrets.encrypt(JSON.stringify(payload));
+   const filePath = options.path ? path.resolve(options.path) : DEFAULT_JS_PATH;
+   const packageType = process.env.npm_package_type === 'module' ? 'esm' : 'cjs';
+   const format = filePath === DEFAULT_JS_PATH ? 'cjs' : packageType;
+   const lines = ['This file was auto-generated by @jacobwolf/gitops-secrets'];
+
+   if (format === 'esm') {
+      if (!options.cipherTextOnly) {
+         lines.push(`import secrets from '@jacobwolf/gitops-secrets/no-fs';`);
+         lines.push(`const CIPHER_TEXT = ${JSON.stringify(cipherText)};`);
+         lines.push('const loadSecrets = () => secrets.loadSecretsFromCipher(CIPHER_TEXT);');
+         lines.push('export { CIPHER_TEXT, loadSecrets };');
+      } else {
+         lines.push(`const CIPHER_TEXT = ${JSON.stringify(cipherText)};`);
+         lines.push('export { CIPHER_TEXT };');
+      }
+   }
+
+   if (format === 'cjs') {
+      if (!options.cipherTextOnly) {
+         lines.push(`const secrets = require('@jacobwolf/gitops-secrets/no-fs');`);
+         lines.push(`const CIPHER_TEXT = ${JSON.stringify(cipherText)};`);
+         lines.push('const loadSecrets = () => secrets.loadSecretsFromCipher(CIPHER_TEXT);');
+         lines.push('module.exports = { CIPHER_TEXT, loadSecrets };');
+      } else {
+         lines.push(`const CIPHER_TEXT = ${JSON.stringify(cipherText)};`);
+         lines.push('module.exports = { CIPHER_TEXT };');
+      }
+   }
+
+   writeFile(filePath, lines.join('\n'));
+}
+
+/**
+ * Encrypt JSON-serializable payload to a static file.
+ * @param {<Record<string, any>>} payload
+ * @param {{path: string | null}} [options={path: null}]
+ */
+// biome-ignore lint/suspicious/noExplicitAny: Want to keep this flexible
+async function encryptToFile(payload: Record<string, any>, options = { path: null as string | null }) {
+   const cipherText = await secrets.encrypt(JSON.stringify(payload));
+   const filePath = options.path ? path.resolve(options.path) : DEFAULT_JSON_PATH;
+   writeFile(filePath, cipherText);
+}
+
+/**
+ * Decrypt JSON payload to object with option to merge with process.env.
+ * @param {string} filePath
+ * @returns
+ */
+async function decryptFromFile(filePath: string) {
+   const newFilePath = filePath ? path.resolve(filePath) : DEFAULT_JSON_PATH;
+
+   try {
+      const cipherText = fs.readFileSync(newFilePath, { encoding: 'utf-8' });
+      const decryptedText = await secrets.decrypt(cipherText);
+      const payload = JSON.parse(decryptedText);
+      return {
+         ...payload,
+         mergeSecrets: () => secrets.mergeSecrets(payload, EnvTarget.PROCESS),
+      };
+   } catch (error) {
+      throw new Error(`Failed to decrypt file ${newFilePath}: ${error}`);
+   }
+}
+
+function writeFile(filePath: string, fileContents: string) {
+   try {
+      fs.writeFileSync(filePath, fileContents, { encoding: 'utf-8' });
+   } catch (error) {
+      throw new Error(`Failed to write file ${filePath}: ${error}`);
+   }
+}
+
+function loadSecrets() {
+   return require(DEFAULT_JS_PATH).loadSecrets();
+}
+
+export { build, encryptToFile, decryptFromFile, loadSecrets };

src/secrets.ts

@@ -123,6 +123,13 @@ async function decrypt(ciphertext: string): Promise<string> {
  * @returns {EnvObject} - The environment object
  */
 function getEnvObject(target: EnvTarget): EnvObject {
+   if (typeof import.meta === 'undefined') {
+      if (typeof process !== 'undefined' && process.env) {
+         return process.env;
+      }
+      throw new Error('process.env is not available in this environment');
+   }
+
    switch (target) {
       case EnvTarget.PROCESS:
          if (typeof process !== 'undefined' && process.env) {
@@ -134,7 +141,6 @@ function getEnvObject(target: EnvTarget): EnvObject {
             return import.meta.env;
          }
          throw new Error('import.meta.env is not available in this environment');
-
       default:
          throw new Error(`Unsupported environment target: ${target}`);
    }
@@ -150,10 +156,19 @@ function getEnvObject(target: EnvTarget): EnvObject {
 function mergeSecrets(payload: Record<string, string>, target: EnvTarget): EnvObject {
    const envObject = getEnvObject(target);
 
+   if (typeof import.meta === 'undefined') {
+      if (typeof process !== 'undefined' && process.env) {
+         for (const [key, value] of Object.entries(payload)) {
+            process.env[key] = value;
+         }
+      }
+      return envObject;
+   }
+
    for (const [key, value] of Object.entries(payload)) {
       if (target === EnvTarget.PROCESS && typeof process !== 'undefined') {
          process.env[key] = value;
-      } else if (target === EnvTarget.IMPORT_META) {
+      } else if (target === EnvTarget.IMPORT_META && typeof import.meta !== 'undefined') {
          import.meta.env[key] = value;
       }
    }