@aigne/afs-cli 1.11.0-beta.11 → 1.11.0-beta.12

package/dist/config/credential-helpers.cjs

@@ -0,0 +1,291 @@
+const require_rolldown_runtime = require('../_virtual/rolldown_runtime.cjs');
+let _aigne_afs = require("@aigne/afs");
+let _aigne_afs_utils_uri = require("@aigne/afs/utils/uri");
+
+//#region src/config/credential-helpers.ts
+/**
+* Extract env query params from MCP URIs for secure credential storage.
+*
+* MCP servers receive secrets via env vars (e.g., `mcp+stdio://npx?env=API_KEY=sk-xxx`).
+* This function extracts env params from the URI so they can be stored in credentials.toml
+* instead of being persisted in plaintext in config.toml.
+*
+* Only applies to MCP schemes (mcp://, mcp+stdio://, mcp+sse://).
+* Non-MCP URIs are returned unchanged.
+*/
+function extractEnvFromURI(uri) {
+	const parsed = (0, _aigne_afs_utils_uri.parseURI)(uri);
+	const envRecord = {};
+	if (!parsed.scheme.startsWith("mcp")) return {
+		cleanUri: uri,
+		envRecord
+	};
+	const envValues = parsed.query.env;
+	if (!envValues) return {
+		cleanUri: uri,
+		envRecord
+	};
+	const envList = Array.isArray(envValues) ? envValues : [envValues];
+	for (const entry of envList) {
+		const eqIdx = entry.indexOf("=");
+		if (eqIdx > 0) envRecord[entry.slice(0, eqIdx)] = entry.slice(eqIdx + 1);
+	}
+	const queryIndex = uri.indexOf("?");
+	if (queryIndex < 0) return {
+		cleanUri: uri,
+		envRecord
+	};
+	const rawQuery = uri.slice(queryIndex + 1);
+	const params = new URLSearchParams(rawQuery);
+	params.delete("env");
+	const newQuery = params.toString();
+	const base = uri.slice(0, queryIndex);
+	return {
+		cleanUri: newQuery ? `${base}?${newQuery}` : base,
+		envRecord
+	};
+}
+/**
+* Extract template variables from mount.uri using the manifest's uriTemplate
+* and merge them into mount.options so the credential resolver sees them as "known".
+*/
+function mergeTemplateVarsIntoMount(mount, manifest) {
+	if (!manifest?.uriTemplate) return;
+	const { parseTemplate } = require("@aigne/afs/utils/uri-template");
+	const parsed = (0, _aigne_afs_utils_uri.parseURI)(mount.uri);
+	let templateVars;
+	try {
+		templateVars = parseTemplate(manifest.uriTemplate, parsed.body);
+	} catch {
+		return;
+	}
+	for (const [key, value] of Object.entries(templateVars)) if (value !== void 0) {
+		if (!mount.options) mount.options = {};
+		if (mount.options[key] === void 0) mount.options[key] = value;
+	}
+}
+/**
+* After credential resolution, rebuild mount.uri from the template if the
+* current URI body is empty/incomplete and resolved options can fill template vars.
+*/
+function rebuildURIFromTemplate(mount, manifest) {
+	if (!manifest?.uriTemplate) return;
+	const { buildURI, getTemplateVariableNames } = require("@aigne/afs/utils/uri-template");
+	const varNames = getTemplateVariableNames(manifest.uriTemplate);
+	if (varNames.length === 0) return;
+	const parsed = (0, _aigne_afs_utils_uri.parseURI)(mount.uri);
+	const { parseTemplate } = require("@aigne/afs/utils/uri-template");
+	let existingVars;
+	try {
+		existingVars = parseTemplate(manifest.uriTemplate, parsed.body);
+	} catch {
+		existingVars = {};
+	}
+	const allVars = { ...existingVars };
+	for (const name of varNames) if (!allVars[name] && mount.options?.[name] != null) allVars[name] = String(mount.options[name]);
+	try {
+		const newURI = buildURI(manifest.uriTemplate, allVars);
+		if (newURI !== mount.uri) mount.uri = newURI;
+	} catch {}
+}
+/**
+* Attempt credential resolution for a mount, merging resolved values into mount.options.
+*
+* Returns the credential result if any fields were collected interactively,
+* or null if no interactive collection was needed (or no schema/authContext).
+*
+* This function mutates mount.options and mount.auth/mount.token when credentials
+* are resolved, so the subsequent registry.createProvider(mount) receives complete values.
+*/
+async function resolveAndMergeCredentials(mount, authContext, credentialStore, registry, opts) {
+	const info = await registry.getProviderInfo(mount.uri);
+	const schema = info?.schema ?? null;
+	const providerAuth = info?.auth;
+	if (!schema) return null;
+	mergeTemplateVarsIntoMount(mount, info?.manifest);
+	const { getSensitiveFields } = await import("@aigne/afs/utils/schema");
+	const sensitiveFieldsInSchema = getSensitiveFields(schema);
+	const schemaProps = schema.properties ?? {};
+	const hasEnvFields = Object.values(schemaProps).some((p) => Array.isArray(p?.env));
+	if (sensitiveFieldsInSchema.length === 0 && !hasEnvFields && !providerAuth) return null;
+	const { resolveCredentials } = await Promise.resolve().then(() => require("../credential/resolver.cjs"));
+	const result = await resolveCredentials({
+		mount,
+		schema,
+		authContext,
+		credentialStore,
+		providerAuth,
+		forceCollect: opts?.forceCollect
+	});
+	if (!result) {
+		const fieldNames = Object.keys(schema.properties ?? {});
+		const known = /* @__PURE__ */ new Set();
+		if (mount.auth !== void 0) known.add("auth");
+		if (mount.token !== void 0) known.add("token");
+		if (mount.options) for (const k of Object.keys(mount.options)) known.add(k);
+		const missing = fieldNames.filter((f) => !known.has(f));
+		const fieldList = missing.length > 0 ? missing.join(", ") : fieldNames.join(", ");
+		throw new Error(`Missing credentials: ${fieldList}. Retry with them as args, e.g. { "uri": "${mount.uri}", "path": "${mount.path}", ${missing.map((f) => `"${f}": "..."`).join(", ")} }`);
+	}
+	if (Object.keys(result.values).length > 0) {
+		if (result.values.token !== void 0 && mount.token === void 0) mount.token = String(result.values.token);
+		if (result.values.auth !== void 0 && mount.auth === void 0) mount.auth = String(result.values.auth);
+		const mergedOpts = mount.options ?? {};
+		for (const [key, value] of Object.entries(result.values)) if (key !== "token" && key !== "auth" && mergedOpts[key] === void 0) mergedOpts[key] = value;
+		if (Object.keys(mergedOpts).length > 0) mount.options = mergedOpts;
+	}
+	rebuildURIFromTemplate(mount, info?.manifest);
+	return result.collected ? result : null;
+}
+/**
+* Persist credential resolution result (sensitive → credentials.toml).
+*/
+async function persistCredentialResult(mount, result) {
+	if (Object.keys(result.sensitive).length > 0) try {
+		const { createCredentialStore } = await Promise.resolve().then(() => require("../credential/store.cjs"));
+		await createCredentialStore().set(mount.uri, result.sensitive);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.warn(`[mount] credential persistence failed: ${msg}`);
+	}
+}
+/**
+* Load stored credentials and merge into mount options during startup.
+*/
+async function mergeStoredCredentials(mounts, _mountSources, store) {
+	for (const mount of mounts) try {
+		const stored = await store.get(mount.uri);
+		if (stored) {
+			const opts = mount.options ?? {};
+			for (const [key, value] of Object.entries(stored)) if (key.startsWith("env:")) {
+				if (!opts.env) opts.env = {};
+				opts.env[key.slice(4)] = value;
+			} else if (opts[key] === void 0) opts[key] = value;
+			if (Object.keys(opts).length > 0) mount.options = opts;
+		}
+	} catch {}
+}
+/**
+* Resolve and persist credentials for a mount configuration.
+*
+* Used by `mount add` CLI command to trigger credential collection
+* at add-time rather than deferring to AFS creation.
+*/
+async function resolveCredentialsForMount(options) {
+	const { uri, mountPath, authContext, credentialStore, extraOptions, sensitiveArgs } = options;
+	const { cleanUri: configUri, envRecord } = extractEnvFromURI(uri);
+	const hasExtractedEnv = Object.keys(envRecord).length > 0;
+	const info = await (options.registry ?? new _aigne_afs.ProviderRegistry()).getProviderInfo(uri);
+	let schema = info?.schema ?? null;
+	const providerAuth = info?.auth;
+	if (!schema && extraOptions && Object.keys(extraOptions).length > 0) {
+		const { buildAdHocSchema } = await import("@aigne/afs/utils/schema");
+		schema = buildAdHocSchema(extraOptions, sensitiveArgs ?? []);
+	}
+	const envOnlyResult = () => {
+		if (!hasExtractedEnv) return null;
+		return {
+			collected: false,
+			nonSensitive: {},
+			allValues: {},
+			persistCredentials: async () => {
+				const toStore = {};
+				for (const [key, val] of Object.entries(envRecord)) toStore[`env:${key}`] = val;
+				if (credentialStore) try {
+					await credentialStore.set(configUri, toStore);
+				} catch (err) {
+					const msg = err instanceof Error ? err.message : String(err);
+					console.warn(`[mount add] credential persistence failed: ${msg}`);
+				}
+			},
+			sensitiveFields: [],
+			configUri
+		};
+	};
+	if (!schema) return envOnlyResult();
+	const properties = schema.properties;
+	if (!properties || Object.keys(properties).length === 0) return envOnlyResult();
+	if (sensitiveArgs && sensitiveArgs.length > 0) {
+		const mergedProps = { ...properties };
+		let changed = false;
+		for (const field of sensitiveArgs) if (mergedProps[field]) {
+			mergedProps[field] = {
+				...mergedProps[field],
+				sensitive: true
+			};
+			changed = true;
+		} else if (extraOptions?.[field] !== void 0) {
+			const value = extraOptions[field];
+			mergedProps[field] = {
+				type: typeof value === "number" ? "number" : typeof value === "boolean" ? "boolean" : "string",
+				sensitive: true
+			};
+			changed = true;
+		}
+		if (changed) schema = {
+			...schema,
+			properties: mergedProps
+		};
+	}
+	const { getSensitiveFields } = await import("@aigne/afs/utils/schema");
+	const sensitiveFieldsInSchema = getSensitiveFields(schema);
+	const schemaProps = schema.properties;
+	const hasEnvFields = Object.values(schemaProps).some((p) => Array.isArray(p?.env));
+	if (sensitiveFieldsInSchema.length === 0 && !hasEnvFields && !extraOptions) return envOnlyResult();
+	const mount = {
+		uri,
+		path: mountPath
+	};
+	if (extraOptions && Object.keys(extraOptions).length > 0) mount.options = {
+		...mount.options ?? {},
+		...extraOptions
+	};
+	mergeTemplateVarsIntoMount(mount, info?.manifest);
+	const { resolveCredentials } = await Promise.resolve().then(() => require("../credential/resolver.cjs"));
+	const result = await resolveCredentials({
+		mount,
+		schema,
+		authContext,
+		credentialStore,
+		providerAuth,
+		forceCollect: options.forceCollect
+	});
+	if (!result) {
+		const fieldNames = Object.keys(properties);
+		throw new Error(`Missing credentials: ${fieldNames.join(", ")}. Retry with them as args, e.g. { "uri": "${uri}", "path": "${mountPath}", ${fieldNames.map((f) => `"${f}": "..."`).join(", ")} }`);
+	}
+	const sensitiveFieldSet = new Set(sensitiveFieldsInSchema);
+	const flatSensitive = {};
+	for (const field of sensitiveFieldsInSchema) {
+		const val = result.values[field];
+		if (val === void 0) continue;
+		if (field === "env" && typeof val === "object" && val !== null) for (const [envKey, envVal] of Object.entries(val)) flatSensitive[`env:${envKey}`] = String(envVal);
+		else flatSensitive[field] = String(val);
+	}
+	const nonSensitive = result.collected ? result.nonSensitive : extraOptions ? Object.fromEntries(Object.entries(extraOptions).filter(([k]) => !sensitiveFieldSet.has(k))) : {};
+	const persistCredentials = async () => {
+		const toStore = { ...flatSensitive };
+		for (const [key, val] of Object.entries(envRecord)) toStore[`env:${key}`] = val;
+		if (Object.keys(toStore).length > 0 && credentialStore) try {
+			await credentialStore.set(configUri, toStore);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			console.warn(`[mount add] credential persistence failed: ${msg}`);
+		}
+	};
+	return {
+		collected: result.collected,
+		nonSensitive,
+		allValues: result.values,
+		persistCredentials,
+		sensitiveFields: sensitiveFieldsInSchema,
+		configUri: hasExtractedEnv ? configUri : void 0
+	};
+}
+
+//#endregion
+exports.extractEnvFromURI = extractEnvFromURI;
+exports.mergeStoredCredentials = mergeStoredCredentials;
+exports.persistCredentialResult = persistCredentialResult;
+exports.resolveAndMergeCredentials = resolveAndMergeCredentials;
+exports.resolveCredentialsForMount = resolveCredentialsForMount;

package/dist/config/credential-helpers.d.mts

@@ -0,0 +1,2 @@
+import "../credential/resolver.mjs";
+import { AuthContext, ProviderRegistry } from "@aigne/afs";

package/dist/config/credential-helpers.mjs

@@ -0,0 +1,288 @@
+import { __require } from "../_virtual/rolldown_runtime.mjs";
+import { ProviderRegistry } from "@aigne/afs";
+import { parseURI } from "@aigne/afs/utils/uri";
+
+//#region src/config/credential-helpers.ts
+/**
+* Extract env query params from MCP URIs for secure credential storage.
+*
+* MCP servers receive secrets via env vars (e.g., `mcp+stdio://npx?env=API_KEY=sk-xxx`).
+* This function extracts env params from the URI so they can be stored in credentials.toml
+* instead of being persisted in plaintext in config.toml.
+*
+* Only applies to MCP schemes (mcp://, mcp+stdio://, mcp+sse://).
+* Non-MCP URIs are returned unchanged.
+*/
+function extractEnvFromURI(uri) {
+	const parsed = parseURI(uri);
+	const envRecord = {};
+	if (!parsed.scheme.startsWith("mcp")) return {
+		cleanUri: uri,
+		envRecord
+	};
+	const envValues = parsed.query.env;
+	if (!envValues) return {
+		cleanUri: uri,
+		envRecord
+	};
+	const envList = Array.isArray(envValues) ? envValues : [envValues];
+	for (const entry of envList) {
+		const eqIdx = entry.indexOf("=");
+		if (eqIdx > 0) envRecord[entry.slice(0, eqIdx)] = entry.slice(eqIdx + 1);
+	}
+	const queryIndex = uri.indexOf("?");
+	if (queryIndex < 0) return {
+		cleanUri: uri,
+		envRecord
+	};
+	const rawQuery = uri.slice(queryIndex + 1);
+	const params = new URLSearchParams(rawQuery);
+	params.delete("env");
+	const newQuery = params.toString();
+	const base = uri.slice(0, queryIndex);
+	return {
+		cleanUri: newQuery ? `${base}?${newQuery}` : base,
+		envRecord
+	};
+}
+/**
+* Extract template variables from mount.uri using the manifest's uriTemplate
+* and merge them into mount.options so the credential resolver sees them as "known".
+*/
+function mergeTemplateVarsIntoMount(mount, manifest) {
+	if (!manifest?.uriTemplate) return;
+	const { parseTemplate } = __require("@aigne/afs/utils/uri-template");
+	const parsed = parseURI(mount.uri);
+	let templateVars;
+	try {
+		templateVars = parseTemplate(manifest.uriTemplate, parsed.body);
+	} catch {
+		return;
+	}
+	for (const [key, value] of Object.entries(templateVars)) if (value !== void 0) {
+		if (!mount.options) mount.options = {};
+		if (mount.options[key] === void 0) mount.options[key] = value;
+	}
+}
+/**
+* After credential resolution, rebuild mount.uri from the template if the
+* current URI body is empty/incomplete and resolved options can fill template vars.
+*/
+function rebuildURIFromTemplate(mount, manifest) {
+	if (!manifest?.uriTemplate) return;
+	const { buildURI, getTemplateVariableNames } = __require("@aigne/afs/utils/uri-template");
+	const varNames = getTemplateVariableNames(manifest.uriTemplate);
+	if (varNames.length === 0) return;
+	const parsed = parseURI(mount.uri);
+	const { parseTemplate } = __require("@aigne/afs/utils/uri-template");
+	let existingVars;
+	try {
+		existingVars = parseTemplate(manifest.uriTemplate, parsed.body);
+	} catch {
+		existingVars = {};
+	}
+	const allVars = { ...existingVars };
+	for (const name of varNames) if (!allVars[name] && mount.options?.[name] != null) allVars[name] = String(mount.options[name]);
+	try {
+		const newURI = buildURI(manifest.uriTemplate, allVars);
+		if (newURI !== mount.uri) mount.uri = newURI;
+	} catch {}
+}
+/**
+* Attempt credential resolution for a mount, merging resolved values into mount.options.
+*
+* Returns the credential result if any fields were collected interactively,
+* or null if no interactive collection was needed (or no schema/authContext).
+*
+* This function mutates mount.options and mount.auth/mount.token when credentials
+* are resolved, so the subsequent registry.createProvider(mount) receives complete values.
+*/
+async function resolveAndMergeCredentials(mount, authContext, credentialStore, registry, opts) {
+	const info = await registry.getProviderInfo(mount.uri);
+	const schema = info?.schema ?? null;
+	const providerAuth = info?.auth;
+	if (!schema) return null;
+	mergeTemplateVarsIntoMount(mount, info?.manifest);
+	const { getSensitiveFields } = await import("@aigne/afs/utils/schema");
+	const sensitiveFieldsInSchema = getSensitiveFields(schema);
+	const schemaProps = schema.properties ?? {};
+	const hasEnvFields = Object.values(schemaProps).some((p) => Array.isArray(p?.env));
+	if (sensitiveFieldsInSchema.length === 0 && !hasEnvFields && !providerAuth) return null;
+	const { resolveCredentials } = await import("../credential/resolver.mjs");
+	const result = await resolveCredentials({
+		mount,
+		schema,
+		authContext,
+		credentialStore,
+		providerAuth,
+		forceCollect: opts?.forceCollect
+	});
+	if (!result) {
+		const fieldNames = Object.keys(schema.properties ?? {});
+		const known = /* @__PURE__ */ new Set();
+		if (mount.auth !== void 0) known.add("auth");
+		if (mount.token !== void 0) known.add("token");
+		if (mount.options) for (const k of Object.keys(mount.options)) known.add(k);
+		const missing = fieldNames.filter((f) => !known.has(f));
+		const fieldList = missing.length > 0 ? missing.join(", ") : fieldNames.join(", ");
+		throw new Error(`Missing credentials: ${fieldList}. Retry with them as args, e.g. { "uri": "${mount.uri}", "path": "${mount.path}", ${missing.map((f) => `"${f}": "..."`).join(", ")} }`);
+	}
+	if (Object.keys(result.values).length > 0) {
+		if (result.values.token !== void 0 && mount.token === void 0) mount.token = String(result.values.token);
+		if (result.values.auth !== void 0 && mount.auth === void 0) mount.auth = String(result.values.auth);
+		const mergedOpts = mount.options ?? {};
+		for (const [key, value] of Object.entries(result.values)) if (key !== "token" && key !== "auth" && mergedOpts[key] === void 0) mergedOpts[key] = value;
+		if (Object.keys(mergedOpts).length > 0) mount.options = mergedOpts;
+	}
+	rebuildURIFromTemplate(mount, info?.manifest);
+	return result.collected ? result : null;
+}
+/**
+* Persist credential resolution result (sensitive → credentials.toml).
+*/
+async function persistCredentialResult(mount, result) {
+	if (Object.keys(result.sensitive).length > 0) try {
+		const { createCredentialStore } = await import("../credential/store.mjs");
+		await createCredentialStore().set(mount.uri, result.sensitive);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.warn(`[mount] credential persistence failed: ${msg}`);
+	}
+}
+/**
+* Load stored credentials and merge into mount options during startup.
+*/
+async function mergeStoredCredentials(mounts, _mountSources, store) {
+	for (const mount of mounts) try {
+		const stored = await store.get(mount.uri);
+		if (stored) {
+			const opts = mount.options ?? {};
+			for (const [key, value] of Object.entries(stored)) if (key.startsWith("env:")) {
+				if (!opts.env) opts.env = {};
+				opts.env[key.slice(4)] = value;
+			} else if (opts[key] === void 0) opts[key] = value;
+			if (Object.keys(opts).length > 0) mount.options = opts;
+		}
+	} catch {}
+}
+/**
+* Resolve and persist credentials for a mount configuration.
+*
+* Used by `mount add` CLI command to trigger credential collection
+* at add-time rather than deferring to AFS creation.
+*/
+async function resolveCredentialsForMount(options) {
+	const { uri, mountPath, authContext, credentialStore, extraOptions, sensitiveArgs } = options;
+	const { cleanUri: configUri, envRecord } = extractEnvFromURI(uri);
+	const hasExtractedEnv = Object.keys(envRecord).length > 0;
+	const info = await (options.registry ?? new ProviderRegistry()).getProviderInfo(uri);
+	let schema = info?.schema ?? null;
+	const providerAuth = info?.auth;
+	if (!schema && extraOptions && Object.keys(extraOptions).length > 0) {
+		const { buildAdHocSchema } = await import("@aigne/afs/utils/schema");
+		schema = buildAdHocSchema(extraOptions, sensitiveArgs ?? []);
+	}
+	const envOnlyResult = () => {
+		if (!hasExtractedEnv) return null;
+		return {
+			collected: false,
+			nonSensitive: {},
+			allValues: {},
+			persistCredentials: async () => {
+				const toStore = {};
+				for (const [key, val] of Object.entries(envRecord)) toStore[`env:${key}`] = val;
+				if (credentialStore) try {
+					await credentialStore.set(configUri, toStore);
+				} catch (err) {
+					const msg = err instanceof Error ? err.message : String(err);
+					console.warn(`[mount add] credential persistence failed: ${msg}`);
+				}
+			},
+			sensitiveFields: [],
+			configUri
+		};
+	};
+	if (!schema) return envOnlyResult();
+	const properties = schema.properties;
+	if (!properties || Object.keys(properties).length === 0) return envOnlyResult();
+	if (sensitiveArgs && sensitiveArgs.length > 0) {
+		const mergedProps = { ...properties };
+		let changed = false;
+		for (const field of sensitiveArgs) if (mergedProps[field]) {
+			mergedProps[field] = {
+				...mergedProps[field],
+				sensitive: true
+			};
+			changed = true;
+		} else if (extraOptions?.[field] !== void 0) {
+			const value = extraOptions[field];
+			mergedProps[field] = {
+				type: typeof value === "number" ? "number" : typeof value === "boolean" ? "boolean" : "string",
+				sensitive: true
+			};
+			changed = true;
+		}
+		if (changed) schema = {
+			...schema,
+			properties: mergedProps
+		};
+	}
+	const { getSensitiveFields } = await import("@aigne/afs/utils/schema");
+	const sensitiveFieldsInSchema = getSensitiveFields(schema);
+	const schemaProps = schema.properties;
+	const hasEnvFields = Object.values(schemaProps).some((p) => Array.isArray(p?.env));
+	if (sensitiveFieldsInSchema.length === 0 && !hasEnvFields && !extraOptions) return envOnlyResult();
+	const mount = {
+		uri,
+		path: mountPath
+	};
+	if (extraOptions && Object.keys(extraOptions).length > 0) mount.options = {
+		...mount.options ?? {},
+		...extraOptions
+	};
+	mergeTemplateVarsIntoMount(mount, info?.manifest);
+	const { resolveCredentials } = await import("../credential/resolver.mjs");
+	const result = await resolveCredentials({
+		mount,
+		schema,
+		authContext,
+		credentialStore,
+		providerAuth,
+		forceCollect: options.forceCollect
+	});
+	if (!result) {
+		const fieldNames = Object.keys(properties);
+		throw new Error(`Missing credentials: ${fieldNames.join(", ")}. Retry with them as args, e.g. { "uri": "${uri}", "path": "${mountPath}", ${fieldNames.map((f) => `"${f}": "..."`).join(", ")} }`);
+	}
+	const sensitiveFieldSet = new Set(sensitiveFieldsInSchema);
+	const flatSensitive = {};
+	for (const field of sensitiveFieldsInSchema) {
+		const val = result.values[field];
+		if (val === void 0) continue;
+		if (field === "env" && typeof val === "object" && val !== null) for (const [envKey, envVal] of Object.entries(val)) flatSensitive[`env:${envKey}`] = String(envVal);
+		else flatSensitive[field] = String(val);
+	}
+	const nonSensitive = result.collected ? result.nonSensitive : extraOptions ? Object.fromEntries(Object.entries(extraOptions).filter(([k]) => !sensitiveFieldSet.has(k))) : {};
+	const persistCredentials = async () => {
+		const toStore = { ...flatSensitive };
+		for (const [key, val] of Object.entries(envRecord)) toStore[`env:${key}`] = val;
+		if (Object.keys(toStore).length > 0 && credentialStore) try {
+			await credentialStore.set(configUri, toStore);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			console.warn(`[mount add] credential persistence failed: ${msg}`);
+		}
+	};
+	return {
+		collected: result.collected,
+		nonSensitive,
+		allValues: result.values,
+		persistCredentials,
+		sensitiveFields: sensitiveFieldsInSchema,
+		configUri: hasExtractedEnv ? configUri : void 0
+	};
+}
+
+//#endregion
+export { extractEnvFromURI, mergeStoredCredentials, persistCredentialResult, resolveAndMergeCredentials, resolveCredentialsForMount };
+//# sourceMappingURL=credential-helpers.mjs.map

package/dist/config/credential-helpers.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-helpers.mjs","names":[],"sources":["../../src/config/credential-helpers.ts"],"sourcesContent":["/**\n * Credential Resolution Helpers\n *\n * Extracted from afs-loader.ts to separate credential resolution concerns\n * from AFS lifecycle management. All credential-related logic lives here:\n * - URI env extraction (MCP schemes)\n * - URI template variable merging\n * - Credential resolution + merge into mount config\n * - Credential persistence\n * - CLI mount add credential resolution\n */\n\nimport type { AuthContext, MountConfig } from \"@aigne/afs\";\nimport { ProviderRegistry } from \"@aigne/afs\";\nimport { parseURI } from \"@aigne/afs/utils/uri\";\nimport type { CredentialStore } from \"../credential/store.js\";\n\n// ─── URI & Template Manipulation ─────────────────────────────────────────\n\n/**\n * Extract env query params from MCP URIs for secure credential storage.\n *\n * MCP servers receive secrets via env vars (e.g., `mcp+stdio://npx?env=API_KEY=sk-xxx`).\n * This function extracts env params from the URI so they can be stored in credentials.toml\n * instead of being persisted in plaintext in config.toml.\n *\n * Only applies to MCP schemes (mcp://, mcp+stdio://, mcp+sse://).\n * Non-MCP URIs are returned unchanged.\n */\nexport function extractEnvFromURI(uri: string): {\n  cleanUri: string;\n  envRecord: Record<string, string>;\n} {\n  const parsed = parseURI(uri);\n  const envRecord: Record<string, string> = {};\n\n  // Only extract env for MCP schemes\n  if (!parsed.scheme.startsWith(\"mcp\")) {\n    return { cleanUri: uri, envRecord };\n  }\n\n  const envValues = parsed.query.env;\n  if (!envValues) return { cleanUri: uri, envRecord };\n\n  // Parse env=KEY=VALUE format (split on first = only)\n  const envList = Array.isArray(envValues) ? envValues : [envValues];\n  for (const entry of envList) {\n    const eqIdx = entry.indexOf(\"=\");\n    if (eqIdx > 0) {\n      envRecord[entry.slice(0, eqIdx)] = entry.slice(eqIdx + 1);\n    }\n  }\n\n  // Rebuild URI without env params, preserving other query params\n  const queryIndex = uri.indexOf(\"?\");\n  if (queryIndex < 0) return { cleanUri: uri, envRecord };\n\n  const rawQuery = uri.slice(queryIndex + 1);\n  const params = new URLSearchParams(rawQuery);\n  params.delete(\"env\");\n  const newQuery = params.toString();\n  const base = uri.slice(0, queryIndex);\n  const cleanUri = newQuery ? `${base}?${newQuery}` : base;\n\n  return { cleanUri, envRecord };\n}\n\n/**\n * Extract template variables from mount.uri using the manifest's uriTemplate\n * and merge them into mount.options so the credential resolver sees them as \"known\".\n */\nexport function mergeTemplateVarsIntoMount(\n  mount: MountConfig,\n  manifest: import(\"@aigne/afs\").ProviderManifest | null | undefined,\n): void {\n  if (!manifest?.uriTemplate) return;\n  const { parseTemplate } =\n    require(\"@aigne/afs/utils/uri-template\") as typeof import(\"@aigne/afs/utils/uri-template\");\n  const parsed = parseURI(mount.uri);\n  let templateVars: Record<string, string | undefined>;\n  try {\n    templateVars = parseTemplate(manifest.uriTemplate, parsed.body);\n  } catch {\n    return; // Body doesn't match template yet — nothing to merge\n  }\n  for (const [key, value] of Object.entries(templateVars)) {\n    if (value !== undefined) {\n      if (!mount.options) mount.options = {};\n      if (mount.options[key] === undefined) {\n        mount.options[key] = value;\n      }\n    }\n  }\n}\n\n/**\n * After credential resolution, rebuild mount.uri from the template if the\n * current URI body is empty/incomplete and resolved options can fill template vars.\n */\nexport function rebuildURIFromTemplate(\n  mount: MountConfig,\n  manifest: import(\"@aigne/afs\").ProviderManifest | null | undefined,\n): void {\n  if (!manifest?.uriTemplate) return;\n  const { buildURI, getTemplateVariableNames } =\n    require(\"@aigne/afs/utils/uri-template\") as typeof import(\"@aigne/afs/utils/uri-template\");\n  const varNames = getTemplateVariableNames(manifest.uriTemplate);\n  if (varNames.length === 0) return;\n\n  const parsed = parseURI(mount.uri);\n  const { parseTemplate } =\n    require(\"@aigne/afs/utils/uri-template\") as typeof import(\"@aigne/afs/utils/uri-template\");\n  let existingVars: Record<string, string | undefined>;\n  try {\n    existingVars = parseTemplate(manifest.uriTemplate, parsed.body);\n  } catch {\n    existingVars = {};\n  }\n\n  const allVars: Record<string, string | undefined> = { ...existingVars };\n  for (const name of varNames) {\n    if (!allVars[name] && mount.options?.[name] != null) {\n      allVars[name] = String(mount.options[name]);\n    }\n  }\n\n  try {\n    const newURI = buildURI(manifest.uriTemplate, allVars);\n    if (newURI !== mount.uri) {\n      mount.uri = newURI;\n    }\n  } catch {\n    // Still can't build a complete URI — that's OK, createProvider will handle it\n  }\n}\n\n// ─── Credential Resolution Core ─────────────────────────────────────────\n\n/**\n * Attempt credential resolution for a mount, merging resolved values into mount.options.\n *\n * Returns the credential result if any fields were collected interactively,\n * or null if no interactive collection was needed (or no schema/authContext).\n *\n * This function mutates mount.options and mount.auth/mount.token when credentials\n * are resolved, so the subsequent registry.createProvider(mount) receives complete values.\n */\nexport async function resolveAndMergeCredentials(\n  mount: MountConfig,\n  authContext: AuthContext | undefined,\n  credentialStore: CredentialStore | undefined,\n  registry: ProviderRegistry,\n  opts?: { forceCollect?: boolean },\n): Promise<import(\"../credential/resolver.js\").ResolveCredentialsResult | null> {\n  const info = await registry.getProviderInfo(mount.uri);\n  const schema = info?.schema ?? null;\n  const providerAuth = info?.auth;\n\n  if (!schema) return null;\n\n  mergeTemplateVarsIntoMount(mount, info?.manifest);\n\n  const { getSensitiveFields } = await import(\"@aigne/afs/utils/schema\");\n  const sensitiveFieldsInSchema = getSensitiveFields(schema);\n  const schemaProps = (schema as any).properties ?? {};\n  const hasEnvFields = Object.values(schemaProps).some((p: any) => Array.isArray(p?.env));\n  if (sensitiveFieldsInSchema.length === 0 && !hasEnvFields && !providerAuth) return null;\n\n  const { resolveCredentials } = await import(\"../credential/resolver.js\");\n\n  const result = await resolveCredentials({\n    mount,\n    schema,\n    authContext,\n    credentialStore,\n    providerAuth,\n    forceCollect: opts?.forceCollect,\n  });\n\n  if (!result) {\n    const fieldNames = Object.keys((schema as any).properties ?? {});\n    const known = new Set<string>();\n    if (mount.auth !== undefined) known.add(\"auth\");\n    if (mount.token !== undefined) known.add(\"token\");\n    if (mount.options) {\n      for (const k of Object.keys(mount.options)) known.add(k);\n    }\n    const missing = fieldNames.filter((f) => !known.has(f));\n    const fieldList = missing.length > 0 ? missing.join(\", \") : fieldNames.join(\", \");\n    throw new Error(\n      `Missing credentials: ${fieldList}. ` +\n        `Retry with them as args, e.g. { \"uri\": \"${mount.uri}\", \"path\": \"${mount.path}\", ${missing.map((f) => `\"${f}\": \"...\"`).join(\", \")} }`,\n    );\n  }\n\n  if (Object.keys(result.values).length > 0) {\n    if (result.values.token !== undefined && mount.token === undefined) {\n      mount.token = String(result.values.token);\n    }\n    if (result.values.auth !== undefined && mount.auth === undefined) {\n      mount.auth = String(result.values.auth);\n    }\n\n    const mergedOpts = mount.options ?? {};\n    for (const [key, value] of Object.entries(result.values)) {\n      if (key !== \"token\" && key !== \"auth\" && mergedOpts[key] === undefined) {\n        mergedOpts[key] = value;\n      }\n    }\n    if (Object.keys(mergedOpts).length > 0) {\n      mount.options = mergedOpts;\n    }\n  }\n\n  rebuildURIFromTemplate(mount, info?.manifest);\n\n  return result.collected ? result : null;\n}\n\n/**\n * Persist credential resolution result (sensitive → credentials.toml).\n */\nexport async function persistCredentialResult(\n  mount: MountConfig,\n  result: import(\"../credential/resolver.js\").ResolveCredentialsResult,\n): Promise<void> {\n  if (Object.keys(result.sensitive).length > 0) {\n    try {\n      const { createCredentialStore } = await import(\"../credential/store.js\");\n      const store = createCredentialStore();\n      await store.set(mount.uri, result.sensitive);\n    } catch (err) {\n      const msg = err instanceof Error ? err.message : String(err);\n      console.warn(`[mount] credential persistence failed: ${msg}`);\n    }\n  }\n}\n\n/**\n * Load stored credentials and merge into mount options during startup.\n */\nexport async function mergeStoredCredentials(\n  mounts: MountConfig[],\n  _mountSources: Map<string, string>,\n  store: CredentialStore,\n): Promise<void> {\n  for (const mount of mounts) {\n    try {\n      const stored = await store.get(mount.uri);\n      if (stored) {\n        const opts = mount.options ?? {};\n        for (const [key, value] of Object.entries(stored)) {\n          if (key.startsWith(\"env:\")) {\n            if (!opts.env) opts.env = {};\n            (opts.env as Record<string, string>)[key.slice(4)] = value;\n          } else if (opts[key] === undefined) {\n            opts[key] = value;\n          }\n        }\n        if (Object.keys(opts).length > 0) {\n          mount.options = opts;\n        }\n      }\n    } catch {\n      // Credential lookup failure is non-fatal\n    }\n  }\n}\n\n// ─── Exported Credential Resolution for CLI mount add ───────────────────────\n\nexport interface ResolveCredentialsForMountOptions {\n  cwd: string;\n  uri: string;\n  mountPath: string;\n  authContext?: AuthContext;\n  credentialStore?: CredentialStore;\n  extraOptions?: Record<string, unknown>;\n  sensitiveArgs?: string[];\n  registry?: ProviderRegistry;\n  forceCollect?: boolean;\n}\n\nexport interface ResolveCredentialsForMountResult {\n  collected: boolean;\n  nonSensitive: Record<string, unknown>;\n  allValues: Record<string, unknown>;\n  persistCredentials: () => Promise<void>;\n  sensitiveFields: string[];\n  configUri?: string;\n}\n\n/**\n * Resolve and persist credentials for a mount configuration.\n *\n * Used by `mount add` CLI command to trigger credential collection\n * at add-time rather than deferring to AFS creation.\n */\nexport async function resolveCredentialsForMount(\n  options: ResolveCredentialsForMountOptions,\n): Promise<ResolveCredentialsForMountResult | null> {\n  const { uri, mountPath, authContext, credentialStore, extraOptions, sensitiveArgs } = options;\n\n  const { cleanUri: configUri, envRecord } = extractEnvFromURI(uri);\n  const hasExtractedEnv = Object.keys(envRecord).length > 0;\n\n  const registry = options.registry ?? new ProviderRegistry();\n  const info = await registry.getProviderInfo(uri);\n  let schema = info?.schema ?? null;\n  const providerAuth = info?.auth;\n\n  if (!schema && extraOptions && Object.keys(extraOptions).length > 0) {\n    const { buildAdHocSchema } = await import(\"@aigne/afs/utils/schema\");\n    schema = buildAdHocSchema(extraOptions, sensitiveArgs ?? []);\n  }\n\n  const envOnlyResult = (): ResolveCredentialsForMountResult | null => {\n    if (!hasExtractedEnv) return null;\n    return {\n      collected: false,\n      nonSensitive: {},\n      allValues: {},\n      persistCredentials: async () => {\n        const toStore: Record<string, string> = {};\n        for (const [key, val] of Object.entries(envRecord)) {\n          toStore[`env:${key}`] = val;\n        }\n        if (credentialStore) {\n          try {\n            await credentialStore.set(configUri, toStore);\n          } catch (err) {\n            const msg = err instanceof Error ? err.message : String(err);\n            console.warn(`[mount add] credential persistence failed: ${msg}`);\n          }\n        }\n      },\n      sensitiveFields: [],\n      configUri,\n    };\n  };\n\n  if (!schema) return envOnlyResult();\n\n  const properties = (schema as any).properties;\n  if (!properties || Object.keys(properties).length === 0) return envOnlyResult();\n\n  if (sensitiveArgs && sensitiveArgs.length > 0) {\n    const mergedProps = { ...properties };\n    let changed = false;\n    for (const field of sensitiveArgs) {\n      if (mergedProps[field]) {\n        mergedProps[field] = { ...mergedProps[field], sensitive: true };\n        changed = true;\n      } else if (extraOptions?.[field] !== undefined) {\n        const value = extraOptions[field];\n        mergedProps[field] = {\n          type:\n            typeof value === \"number\"\n              ? \"number\"\n              : typeof value === \"boolean\"\n                ? \"boolean\"\n                : \"string\",\n          sensitive: true,\n        };\n        changed = true;\n      }\n    }\n    if (changed) {\n      schema = { ...schema, properties: mergedProps } as typeof schema;\n    }\n  }\n\n  const { getSensitiveFields } = await import(\"@aigne/afs/utils/schema\");\n  const sensitiveFieldsInSchema = getSensitiveFields(schema);\n  const schemaProps = (schema as any).properties;\n  const hasEnvFields = Object.values(schemaProps).some((p: any) => Array.isArray(p?.env));\n  if (sensitiveFieldsInSchema.length === 0 && !hasEnvFields && !extraOptions)\n    return envOnlyResult();\n\n  const mount: MountConfig = { uri, path: mountPath };\n\n  if (extraOptions && Object.keys(extraOptions).length > 0) {\n    mount.options = { ...(mount.options ?? {}), ...extraOptions };\n  }\n\n  mergeTemplateVarsIntoMount(mount, info?.manifest);\n\n  const { resolveCredentials } = await import(\"../credential/resolver.js\");\n\n  const result = await resolveCredentials({\n    mount,\n    schema,\n    authContext,\n    credentialStore,\n    providerAuth,\n    forceCollect: options.forceCollect,\n  });\n\n  if (!result) {\n    const fieldNames = Object.keys(properties);\n    throw new Error(\n      `Missing credentials: ${fieldNames.join(\", \")}. ` +\n        `Retry with them as args, e.g. { \"uri\": \"${uri}\", \"path\": \"${mountPath}\", ${fieldNames.map((f) => `\"${f}\": \"...\"`).join(\", \")} }`,\n    );\n  }\n\n  const sensitiveFieldSet = new Set(sensitiveFieldsInSchema);\n\n  const flatSensitive: Record<string, string> = {};\n  for (const field of sensitiveFieldsInSchema) {\n    const val = result.values[field];\n    if (val === undefined) continue;\n    if (field === \"env\" && typeof val === \"object\" && val !== null) {\n      for (const [envKey, envVal] of Object.entries(val as Record<string, string>)) {\n        flatSensitive[`env:${envKey}`] = String(envVal);\n      }\n    } else {\n      flatSensitive[field] = String(val);\n    }\n  }\n\n  const nonSensitive: Record<string, unknown> = result.collected\n    ? result.nonSensitive\n    : extraOptions\n      ? Object.fromEntries(Object.entries(extraOptions).filter(([k]) => !sensitiveFieldSet.has(k)))\n      : {};\n\n  const persistCredentials = async () => {\n    const toStore = { ...flatSensitive };\n    for (const [key, val] of Object.entries(envRecord)) {\n      toStore[`env:${key}`] = val;\n    }\n    if (Object.keys(toStore).length > 0 && credentialStore) {\n      try {\n        await credentialStore.set(configUri, toStore);\n      } catch (err) {\n        const msg = err instanceof Error ? err.message : String(err);\n        console.warn(`[mount add] credential persistence failed: ${msg}`);\n      }\n    }\n  };\n\n  return {\n    collected: result.collected,\n    nonSensitive,\n    allValues: result.values,\n    persistCredentials,\n    sensitiveFields: sensitiveFieldsInSchema,\n    configUri: hasExtractedEnv ? configUri : undefined,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;AA6BA,SAAgB,kBAAkB,KAGhC;CACA,MAAM,SAAS,SAAS,IAAI;CAC5B,MAAM,YAAoC,EAAE;AAG5C,KAAI,CAAC,OAAO,OAAO,WAAW,MAAM,CAClC,QAAO;EAAE,UAAU;EAAK;EAAW;CAGrC,MAAM,YAAY,OAAO,MAAM;AAC/B,KAAI,CAAC,UAAW,QAAO;EAAE,UAAU;EAAK;EAAW;CAGnD,MAAM,UAAU,MAAM,QAAQ,UAAU,GAAG,YAAY,CAAC,UAAU;AAClE,MAAK,MAAM,SAAS,SAAS;EAC3B,MAAM,QAAQ,MAAM,QAAQ,IAAI;AAChC,MAAI,QAAQ,EACV,WAAU,MAAM,MAAM,GAAG,MAAM,IAAI,MAAM,MAAM,QAAQ,EAAE;;CAK7D,MAAM,aAAa,IAAI,QAAQ,IAAI;AACnC,KAAI,aAAa,EAAG,QAAO;EAAE,UAAU;EAAK;EAAW;CAEvD,MAAM,WAAW,IAAI,MAAM,aAAa,EAAE;CAC1C,MAAM,SAAS,IAAI,gBAAgB,SAAS;AAC5C,QAAO,OAAO,MAAM;CACpB,MAAM,WAAW,OAAO,UAAU;CAClC,MAAM,OAAO,IAAI,MAAM,GAAG,WAAW;AAGrC,QAAO;EAAE,UAFQ,WAAW,GAAG,KAAK,GAAG,aAAa;EAEjC;EAAW;;;;;;AAOhC,SAAgB,2BACd,OACA,UACM;AACN,KAAI,CAAC,UAAU,YAAa;CAC5B,MAAM,EAAE,4BACE,gCAAgC;CAC1C,MAAM,SAAS,SAAS,MAAM,IAAI;CAClC,IAAI;AACJ,KAAI;AACF,iBAAe,cAAc,SAAS,aAAa,OAAO,KAAK;SACzD;AACN;;AAEF,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,aAAa,CACrD,KAAI,UAAU,QAAW;AACvB,MAAI,CAAC,MAAM,QAAS,OAAM,UAAU,EAAE;AACtC,MAAI,MAAM,QAAQ,SAAS,OACzB,OAAM,QAAQ,OAAO;;;;;;;AAU7B,SAAgB,uBACd,OACA,UACM;AACN,KAAI,CAAC,UAAU,YAAa;CAC5B,MAAM,EAAE,UAAU,uCACR,gCAAgC;CAC1C,MAAM,WAAW,yBAAyB,SAAS,YAAY;AAC/D,KAAI,SAAS,WAAW,EAAG;CAE3B,MAAM,SAAS,SAAS,MAAM,IAAI;CAClC,MAAM,EAAE,4BACE,gCAAgC;CAC1C,IAAI;AACJ,KAAI;AACF,iBAAe,cAAc,SAAS,aAAa,OAAO,KAAK;SACzD;AACN,iBAAe,EAAE;;CAGnB,MAAM,UAA8C,EAAE,GAAG,cAAc;AACvE,MAAK,MAAM,QAAQ,SACjB,KAAI,CAAC,QAAQ,SAAS,MAAM,UAAU,SAAS,KAC7C,SAAQ,QAAQ,OAAO,MAAM,QAAQ,MAAM;AAI/C,KAAI;EACF,MAAM,SAAS,SAAS,SAAS,aAAa,QAAQ;AACtD,MAAI,WAAW,MAAM,IACnB,OAAM,MAAM;SAER;;;;;;;;;;;AAgBV,eAAsB,2BACpB,OACA,aACA,iBACA,UACA,MAC8E;CAC9E,MAAM,OAAO,MAAM,SAAS,gBAAgB,MAAM,IAAI;CACtD,MAAM,SAAS,MAAM,UAAU;CAC/B,MAAM,eAAe,MAAM;AAE3B,KAAI,CAAC,OAAQ,QAAO;AAEpB,4BAA2B,OAAO,MAAM,SAAS;CAEjD,MAAM,EAAE,uBAAuB,MAAM,OAAO;CAC5C,MAAM,0BAA0B,mBAAmB,OAAO;CAC1D,MAAM,cAAe,OAAe,cAAc,EAAE;CACpD,MAAM,eAAe,OAAO,OAAO,YAAY,CAAC,MAAM,MAAW,MAAM,QAAQ,GAAG,IAAI,CAAC;AACvF,KAAI,wBAAwB,WAAW,KAAK,CAAC,gBAAgB,CAAC,aAAc,QAAO;CAEnF,MAAM,EAAE,uBAAuB,MAAM,OAAO;CAE5C,MAAM,SAAS,MAAM,mBAAmB;EACtC;EACA;EACA;EACA;EACA;EACA,cAAc,MAAM;EACrB,CAAC;AAEF,KAAI,CAAC,QAAQ;EACX,MAAM,aAAa,OAAO,KAAM,OAAe,cAAc,EAAE,CAAC;EAChE,MAAM,wBAAQ,IAAI,KAAa;AAC/B,MAAI,MAAM,SAAS,OAAW,OAAM,IAAI,OAAO;AAC/C,MAAI,MAAM,UAAU,OAAW,OAAM,IAAI,QAAQ;AACjD,MAAI,MAAM,QACR,MAAK,MAAM,KAAK,OAAO,KAAK,MAAM,QAAQ,CAAE,OAAM,IAAI,EAAE;EAE1D,MAAM,UAAU,WAAW,QAAQ,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;EACvD,MAAM,YAAY,QAAQ,SAAS,IAAI,QAAQ,KAAK,KAAK,GAAG,WAAW,KAAK,KAAK;AACjF,QAAM,IAAI,MACR,wBAAwB,UAAU,4CACW,MAAM,IAAI,cAAc,MAAM,KAAK,KAAK,QAAQ,KAAK,MAAM,IAAI,EAAE,UAAU,CAAC,KAAK,KAAK,CAAC,IACrI;;AAGH,KAAI,OAAO,KAAK,OAAO,OAAO,CAAC,SAAS,GAAG;AACzC,MAAI,OAAO,OAAO,UAAU,UAAa,MAAM,UAAU,OACvD,OAAM,QAAQ,OAAO,OAAO,OAAO,MAAM;AAE3C,MAAI,OAAO,OAAO,SAAS,UAAa,MAAM,SAAS,OACrD,OAAM,OAAO,OAAO,OAAO,OAAO,KAAK;EAGzC,MAAM,aAAa,MAAM,WAAW,EAAE;AACtC,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,OAAO,OAAO,CACtD,KAAI,QAAQ,WAAW,QAAQ,UAAU,WAAW,SAAS,OAC3D,YAAW,OAAO;AAGtB,MAAI,OAAO,KAAK,WAAW,CAAC,SAAS,EACnC,OAAM,UAAU;;AAIpB,wBAAuB,OAAO,MAAM,SAAS;AAE7C,QAAO,OAAO,YAAY,SAAS;;;;;AAMrC,eAAsB,wBACpB,OACA,QACe;AACf,KAAI,OAAO,KAAK,OAAO,UAAU,CAAC,SAAS,EACzC,KAAI;EACF,MAAM,EAAE,0BAA0B,MAAM,OAAO;AAE/C,QADc,uBAAuB,CACzB,IAAI,MAAM,KAAK,OAAO,UAAU;UACrC,KAAK;EACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,UAAQ,KAAK,0CAA0C,MAAM;;;;;;AAQnE,eAAsB,uBACpB,QACA,eACA,OACe;AACf,MAAK,MAAM,SAAS,OAClB,KAAI;EACF,MAAM,SAAS,MAAM,MAAM,IAAI,MAAM,IAAI;AACzC,MAAI,QAAQ;GACV,MAAM,OAAO,MAAM,WAAW,EAAE;AAChC,QAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,OAAO,CAC/C,KAAI,IAAI,WAAW,OAAO,EAAE;AAC1B,QAAI,CAAC,KAAK,IAAK,MAAK,MAAM,EAAE;AAC5B,IAAC,KAAK,IAA+B,IAAI,MAAM,EAAE,IAAI;cAC5C,KAAK,SAAS,OACvB,MAAK,OAAO;AAGhB,OAAI,OAAO,KAAK,KAAK,CAAC,SAAS,EAC7B,OAAM,UAAU;;SAGd;;;;;;;;AAmCZ,eAAsB,2BACpB,SACkD;CAClD,MAAM,EAAE,KAAK,WAAW,aAAa,iBAAiB,cAAc,kBAAkB;CAEtF,MAAM,EAAE,UAAU,WAAW,cAAc,kBAAkB,IAAI;CACjE,MAAM,kBAAkB,OAAO,KAAK,UAAU,CAAC,SAAS;CAGxD,MAAM,OAAO,OADI,QAAQ,YAAY,IAAI,kBAAkB,EAC/B,gBAAgB,IAAI;CAChD,IAAI,SAAS,MAAM,UAAU;CAC7B,MAAM,eAAe,MAAM;AAE3B,KAAI,CAAC,UAAU,gBAAgB,OAAO,KAAK,aAAa,CAAC,SAAS,GAAG;EACnE,MAAM,EAAE,qBAAqB,MAAM,OAAO;AAC1C,WAAS,iBAAiB,cAAc,iBAAiB,EAAE,CAAC;;CAG9D,MAAM,sBAA+D;AACnE,MAAI,CAAC,gBAAiB,QAAO;AAC7B,SAAO;GACL,WAAW;GACX,cAAc,EAAE;GAChB,WAAW,EAAE;GACb,oBAAoB,YAAY;IAC9B,MAAM,UAAkC,EAAE;AAC1C,SAAK,MAAM,CAAC,KAAK,QAAQ,OAAO,QAAQ,UAAU,CAChD,SAAQ,OAAO,SAAS;AAE1B,QAAI,gBACF,KAAI;AACF,WAAM,gBAAgB,IAAI,WAAW,QAAQ;aACtC,KAAK;KACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,aAAQ,KAAK,8CAA8C,MAAM;;;GAIvE,iBAAiB,EAAE;GACnB;GACD;;AAGH,KAAI,CAAC,OAAQ,QAAO,eAAe;CAEnC,MAAM,aAAc,OAAe;AACnC,KAAI,CAAC,cAAc,OAAO,KAAK,WAAW,CAAC,WAAW,EAAG,QAAO,eAAe;AAE/E,KAAI,iBAAiB,cAAc,SAAS,GAAG;EAC7C,MAAM,cAAc,EAAE,GAAG,YAAY;EACrC,IAAI,UAAU;AACd,OAAK,MAAM,SAAS,cAClB,KAAI,YAAY,QAAQ;AACtB,eAAY,SAAS;IAAE,GAAG,YAAY;IAAQ,WAAW;IAAM;AAC/D,aAAU;aACD,eAAe,WAAW,QAAW;GAC9C,MAAM,QAAQ,aAAa;AAC3B,eAAY,SAAS;IACnB,MACE,OAAO,UAAU,WACb,WACA,OAAO,UAAU,YACf,YACA;IACR,WAAW;IACZ;AACD,aAAU;;AAGd,MAAI,QACF,UAAS;GAAE,GAAG;GAAQ,YAAY;GAAa;;CAInD,MAAM,EAAE,uBAAuB,MAAM,OAAO;CAC5C,MAAM,0BAA0B,mBAAmB,OAAO;CAC1D,MAAM,cAAe,OAAe;CACpC,MAAM,eAAe,OAAO,OAAO,YAAY,CAAC,MAAM,MAAW,MAAM,QAAQ,GAAG,IAAI,CAAC;AACvF,KAAI,wBAAwB,WAAW,KAAK,CAAC,gBAAgB,CAAC,aAC5D,QAAO,eAAe;CAExB,MAAM,QAAqB;EAAE;EAAK,MAAM;EAAW;AAEnD,KAAI,gBAAgB,OAAO,KAAK,aAAa,CAAC,SAAS,EACrD,OAAM,UAAU;EAAE,GAAI,MAAM,WAAW,EAAE;EAAG,GAAG;EAAc;AAG/D,4BAA2B,OAAO,MAAM,SAAS;CAEjD,MAAM,EAAE,uBAAuB,MAAM,OAAO;CAE5C,MAAM,SAAS,MAAM,mBAAmB;EACtC;EACA;EACA;EACA;EACA;EACA,cAAc,QAAQ;EACvB,CAAC;AAEF,KAAI,CAAC,QAAQ;EACX,MAAM,aAAa,OAAO,KAAK,WAAW;AAC1C,QAAM,IAAI,MACR,wBAAwB,WAAW,KAAK,KAAK,CAAC,4CACD,IAAI,cAAc,UAAU,KAAK,WAAW,KAAK,MAAM,IAAI,EAAE,UAAU,CAAC,KAAK,KAAK,CAAC,IACjI;;CAGH,MAAM,oBAAoB,IAAI,IAAI,wBAAwB;CAE1D,MAAM,gBAAwC,EAAE;AAChD,MAAK,MAAM,SAAS,yBAAyB;EAC3C,MAAM,MAAM,OAAO,OAAO;AAC1B,MAAI,QAAQ,OAAW;AACvB,MAAI,UAAU,SAAS,OAAO,QAAQ,YAAY,QAAQ,KACxD,MAAK,MAAM,CAAC,QAAQ,WAAW,OAAO,QAAQ,IAA8B,CAC1E,eAAc,OAAO,YAAY,OAAO,OAAO;MAGjD,eAAc,SAAS,OAAO,IAAI;;CAItC,MAAM,eAAwC,OAAO,YACjD,OAAO,eACP,eACE,OAAO,YAAY,OAAO,QAAQ,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC,GAC3F,EAAE;CAER,MAAM,qBAAqB,YAAY;EACrC,MAAM,UAAU,EAAE,GAAG,eAAe;AACpC,OAAK,MAAM,CAAC,KAAK,QAAQ,OAAO,QAAQ,UAAU,CAChD,SAAQ,OAAO,SAAS;AAE1B,MAAI,OAAO,KAAK,QAAQ,CAAC,SAAS,KAAK,gBACrC,KAAI;AACF,SAAM,gBAAgB,IAAI,WAAW,QAAQ;WACtC,KAAK;GACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,WAAQ,KAAK,8CAA8C,MAAM;;;AAKvE,QAAO;EACL,WAAW,OAAO;EAClB;EACA,WAAW,OAAO;EAClB;EACA,iBAAiB;EACjB,WAAW,kBAAkB,YAAY;EAC1C"}

package/dist/config/loader.cjs

@@ -182,7 +182,8 @@ var ConfigLoader = class {
 				mounts: allMounts,
 				serve: mergedServe
 			},
-			mountSources
+			mountSources,
+			configDirs: entries.map((e) => e.configDir)
 		};
 	}
 	/**
@@ -214,6 +215,7 @@ var ConfigLoader = class {
 const configLoader = new ConfigLoader();
 
 //#endregion
+exports.AFS_USER_CONFIG_DIR_ENV = AFS_USER_CONFIG_DIR_ENV;
 exports.CONFIG_DIR_NAME = CONFIG_DIR_NAME;
 exports.CONFIG_FILE_NAME = CONFIG_FILE_NAME;
 exports.ConfigLoader = ConfigLoader;

package/dist/config/loader.mjs

@@ -181,7 +181,8 @@ var ConfigLoader = class {
 				mounts: allMounts,
 				serve: mergedServe
 			},
-			mountSources
+			mountSources,
+			configDirs: entries.map((e) => e.configDir)
 		};
 	}
 	/**
@@ -213,5 +214,5 @@ var ConfigLoader = class {
 const configLoader = new ConfigLoader();
 
 //#endregion
-export { CONFIG_DIR_NAME, CONFIG_FILE_NAME, ConfigLoader };
+export { AFS_USER_CONFIG_DIR_ENV, CONFIG_DIR_NAME, CONFIG_FILE_NAME, ConfigLoader };
 //# sourceMappingURL=loader.mjs.map