secenv

package
v0.9.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 14, 2026 License: MIT Imports: 3 Imported by: 0

Documentation

Overview

Package secenv enforces a secure split between non-sensitive *vars* and *secrets*, and provides commit-safety + redaction helpers. It encodes one rule: anything not explicitly public is treated as a secret. Vars become plain_text Worker bindings (visible); secrets become secret_text (encrypted in the Worker) and are registered for log redaction.

It composes with the existing shared/secrets (encryption at rest, Doppler) and shared/sensitive (log scrubbing) packages rather than replacing them.

Index

Constants

View Source
const PublicPrefix = "NEXT_PUBLIC_"

PublicPrefix marks env vars that are intentionally public (Next.js inlines these into the client bundle, so they are never secret).

Variables

This section is empty.

Functions

func Classify

func Classify(env map[string]string, publicKeys []string) (vars, secrets map[string]string)

Classify splits env into vars (public) and secrets. A key is a var iff it has the NEXT_PUBLIC_ prefix or is listed in publicKeys; everything else is a secret. Secure-by-default: an unrecognized key is treated as a secret, not leaked as a visible plain_text binding. Returned maps are never nil.

func GitignoreCovered

func GitignoreCovered(gitignore string) bool

GitignoreCovered reports whether the given .gitignore content ignores env files. Accepts the raw file content; returns false when env files could be committed (so the caller can warn).

func IsLikelySecret

func IsLikelySecret(key string) bool

IsLikelySecret reports whether a key name looks sensitive (used for commit-safety warnings, not classification).

func PlaintextSecretWarnings

func PlaintextSecretWarnings(inline map[string]string) []string

PlaintextSecretWarnings flags keys in an inline (e.g. committed-YAML) map that look like secrets and therefore should not be stored in plaintext. Returns sorted human-readable warnings.

func Preflight

func Preflight(in PreflightInput) []string

Preflight returns non-fatal security warnings about secret hygiene: a committable .env, secret-looking values stored in plaintext, and (when neither a managed store is in use) a nudge toward Doppler or Cloudflare Secret Store. Empty slice means all clear.

func RegisterSecrets

func RegisterSecrets(secrets map[string]string)

RegisterSecrets registers every secret value with the sensitive package so it is scrubbed from any logged output. Call before any deploy logging.

Types

type PreflightInput

type PreflightInput struct {
	Gitignore        string            // .gitignore content ("" if absent)
	HasEnvFile       bool              // a .env file exists on disk
	PlainText        map[string]string // declared plain_text bindings (name→value)
	UsingDoppler     bool              // Doppler is configured/active
	UsingSecretStore bool              // a CF Secret Store binding is declared
}

PreflightInput aggregates what the secret-hygiene check needs. All fields are optional; zero values simply skip the corresponding check.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL