keyway_validate
Validate required secrets exist in a specified environment for pre-deployment checks. Use auto-detection to scan codebases or manually list secrets to verify availability.
Instructions
Validate that required secrets exist in an environment. Useful for pre-deployment checks.
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| environment | Yes | Environment to validate (e.g., "production") | |
| required | No | List of required secret names to check | |
| autoDetect | No | Auto-detect required secrets from codebase (default: false) | |
| path | No | Path to scan for auto-detection (default: current directory) |
Implementation Reference
- src/tools/validate.ts:204-314 (handler)The `validate` function implements the core logic for the 'keyway_validate' tool, which scans for environment variable references and checks if they exist in a repository environment.
export async function validate(args: ValidateArgs): Promise<CallToolResult> { const { environment, required = [], autoDetect = false, path = process.cwd() } = args; if (!environment) { return { content: [{ type: 'text', text: 'Error: Environment is required' }], isError: true, }; } try { const token = await getToken(); const repository = getRepository(); // Get required secrets list let requiredSecrets: string[] = [...required]; // Auto-detect from codebase if requested if (autoDetect) { const detected = scanDirectoryForEnvVars(path); const filtered = filterNonSecrets(detected); requiredSecrets = [...new Set([...requiredSecrets, ...filtered])]; } if (requiredSecrets.length === 0) { return { content: [ { type: 'text', text: 'Error: No required secrets specified. Provide a "required" array or set "autoDetect: true"', }, ], isError: true, }; } // Pull existing secrets let existingSecrets: Record<string, string> = {}; try { const content = await pullSecrets(repository, environment, token); existingSecrets = parseEnvContent(content); } catch { // Environment might not exist } const existingKeys = new Set(Object.keys(existingSecrets)); // Categorize secrets const missing: string[] = []; const present: string[] = []; for (const secret of requiredSecrets) { if (existingKeys.has(secret)) { present.push(secret); } else { missing.push(secret); } } // Find extra secrets (in vault but not required) const requiredSet = new Set(requiredSecrets); const extra = Array.from(existingKeys) .filter((k) => !requiredSet.has(k)) .sort(); const coverage = requiredSecrets.length > 0 ? ((present.length / requiredSecrets.length) * 100).toFixed(1) : '100.0'; const result: ValidationResult = { valid: missing.length === 0, environment, repository, required: requiredSecrets.sort(), missing: missing.sort(), present: present.sort(), extra, stats: { requiredCount: requiredSecrets.length, presentCount: present.length, missingCount: missing.length, coverage: `${coverage}%`, }, }; // Add helpful message let message: string; if (result.valid) { message = `✓ All ${requiredSecrets.length} required secrets are present in "${environment}"`; } else { message = `✗ Missing ${missing.length} required secret${missing.length > 1 ? 's' : ''} in "${environment}": ${missing.join(', ')}`; } const response = { ...result, message, }; return { content: [{ type: 'text', text: JSON.stringify(response, null, 2) }], isError: false, }; } catch (error) { const errorMessage = error instanceof Error ? error.message : 'Unknown error'; return { content: [{ type: 'text', text: `Error validating secrets: ${errorMessage}` }], isError: true, }; } } - src/tools/validate.ts:15-20 (schema)Schema definition for the arguments expected by the 'keyway_validate' tool.
interface ValidateArgs { environment: string; required?: string[]; autoDetect?: boolean; path?: string; }