@apicircle/core 1.0.8 → 1.1.0

package/dist/index.d.cts

@@ -1,6 +1,6 @@
-import { BodyType, RequestAuth, Request, RequestRun, Folder, RequestBody, HttpMethod, EnvironmentVariable, Assertion, ContextExtraction, WorkspaceSynced, LinkedSnapshot, RequestOverride, EnvironmentVariableOverride, ExecutionPlan, PlanRun } from '@apicircle/shared';
-import { W as WorkspaceState, a as WorkspacePatch, P as ParsedApicircleFolderExport } from './patches-ysO3y8pG.cjs';
-export { A as APICIRCLE_FOLDER_EXPORT_FORMAT, b as ApicircleFolderExportDependencies, c as ApicircleFolderExportV1, C as CollectFolderExportArgs, d as CollectFolderExportResult, F as FolderExportCredential, e as FolderExportReport, f as WorkspacePatchKind, g as collectFolderExport, h as collectFolderExportCredentials, i as isApicircleFolderExport, p as parseApicircleFolderExport, j as parseApicircleFolderExportDoc, r as redactFolderExportCredentials, s as serializeFolderExport, k as suggestFolderExportFilename } from './patches-ysO3y8pG.cjs';
+import { BodyType, RequestAuth, Request, Folder, RequestRun, RequestBody, HttpMethod, EnvironmentVariable, Assertion, ContextExtraction, WorkspaceSynced, EnvPriorityRef, ReleaseVersion, ReleaseHistory, SecretKeyMeta, LinkedWorkspace, LinkedSnapshot, RequestOverridePatch, RequestOverride, EnvironmentVariableOverride, ExecutionPlan, PlanRun } from '@apicircle/shared';
+import { W as WorkspaceState, a as WorkspacePatch, P as ParsedApicircleFolderExport } from './patches-B3VGNVgf.cjs';
+export { A as APICIRCLE_FOLDER_EXPORT_FORMAT, b as ApicircleFolderExportDependencies, c as ApicircleFolderExportV1, C as CollectFolderExportArgs, d as CollectFolderExportResult, F as FolderExportCredential, e as FolderExportReport, f as WorkspacePatchKind, g as collectFolderExport, h as collectFolderExportCredentials, i as isApicircleFolderExport, p as parseApicircleFolderExport, j as parseApicircleFolderExportDoc, r as redactFolderExportCredentials, s as serializeFolderExport, k as suggestFolderExportFilename } from './patches-B3VGNVgf.cjs';
 
 type HeaderEntry$1 = {
     key: string;
@@ -389,8 +389,18 @@ interface PreSendValidationResult {
 interface PreSendValidationInput {
     request: Request;
     scope: ResolutionScope;
+    /**
+     * Folder map keyed by id. When provided AND the request's `auth.type` is
+     * `inherit`, the validator resolves the upward chain via
+     * `resolveInheritedAuth` and validates the EFFECTIVE auth's field
+     * completeness — so an empty-token folder bearer doesn't slip past the
+     * pre-send check. Omit for callers that don't have folder context (legacy
+     * tests, ad-hoc plan steps), and the validator falls back to checking the
+     * declared auth as-is.
+     */
+    folders?: Record<string, Folder>;
 }
-declare function preSendValidation({ request, scope, }: PreSendValidationInput): PreSendValidationResult;
+declare function preSendValidation({ request, scope, folders, }: PreSendValidationInput): PreSendValidationResult;
 
 interface ExecutionResult {
     startedAt: string;
@@ -1140,6 +1150,15 @@ interface ImportedFolder {
     /** Index path from root (deterministic id assignment is the caller's job). */
     pathIds: number[];
     parentPathIds: number[] | null;
+    /**
+     * Folder-level auth captured from the source. Postman v2.1 folders can
+     * carry an `auth` field that descendant requests inherit; Insomnia
+     * request_group resources expose the same via `authentication`. When
+     * present, the importer maps it to `Folder.auth` and descendant requests
+     * with no explicit auth resolve via `resolveInheritedAuth` instead of
+     * being wired to a duplicate copy.
+     */
+    auth?: RequestAuth;
 }
 interface ParsedPostmanCollection {
     collectionName: string;
@@ -1289,6 +1308,51 @@ interface ContextExtractionResult {
 }
 declare function extractContext(result: ExecutionResult, extractions: ReadonlyArray<ContextExtraction>): ContextExtractionResult;
 
+interface ResolveRequestArgs {
+    request: Request;
+    synced: WorkspaceSynced;
+    /** Plaintext local envs: `{ envName: { varKey: value } }`. */
+    localEnvs: Record<string, Record<string, string>>;
+    /**
+     * Plaintext linked envs keyed by linkedWorkspaceId, then envName. Caller
+     * is expected to have already applied any linkedOverrides.environmentVars
+     * (use `applyLinkedEnvironmentOverrides` from this module first).
+     */
+    linkedEnvs?: Record<string, Record<string, Record<string, string>>>;
+    /** Plaintext secrets keyed by their display label (vault-decrypted). */
+    secrets?: Record<string, string>;
+    /**
+     * `globalContext` (latest-write-wins extractions) + plan variables
+     * (optional) — sit between request.contextVars and the env layer.
+     */
+    globalContext?: Record<string, string>;
+    planVariables?: ReadonlyArray<{
+        key: string;
+        value: string;
+    }>;
+    /** Plan-level priority overrides take precedence when non-empty. */
+    envPriorityOverride?: readonly EnvPriorityRef[];
+}
+interface ResolvedRequestResult {
+    request: Request;
+    scope: ResolutionScope;
+    missing: string[];
+}
+declare function resolveRequestForExecution(args: ResolveRequestArgs): ResolvedRequestResult;
+/**
+ * Layer `synced.linkedOverrides.environmentVars` entries onto a source env
+ * map for one linked workspace. Used by the host to prepare the plaintext
+ * `linkedEnvs` argument before calling `resolveRequestForExecution`.
+ */
+declare function applyLinkedEnvironmentOverrides(source: WorkspaceSynced['environments'], linkedWorkspaceId: string, synced: WorkspaceSynced): WorkspaceSynced['environments'];
+/**
+ * Strip an envs map down to its plaintext key→value pairs, dropping any
+ * variable still marked `encrypted: true` (the host's vault layer should have
+ * decrypted those in advance). Returns the plaintext map the resolver
+ * consumes.
+ */
+declare function plaintextEnvMap(source: WorkspaceSynced['environments']): Record<string, Record<string, string>>;
+
 interface EncryptedPayload {
     iv: string;
     ciphertext: string;
@@ -1335,6 +1399,47 @@ declare function importKey(jwk: JsonWebKey): Promise<CryptoKey>;
 declare function serializePayload(payload: EncryptedPayload): string;
 declare function tryParsePayload(value: string): EncryptedPayload | null;
 
+interface SecretCrypto {
+    kdf: 'pbkdf2-sha256-v1';
+    /** Base64-encoded random salt; 16 bytes. */
+    salt: string;
+    /** PBKDF2 iteration count baked at workspace-creation time. */
+    iterations: number;
+    /** Base64-encoded AES-GCM(sentinel, derivedKey, zero-IV). */
+    verifier: string;
+}
+/**
+ * Initialise the workspace's secret crypto state. Called the first time
+ * the user creates a passphrase (new workspace or first secret added in
+ * a workspace that hasn't set one).
+ *
+ * Returns the SecretCrypto blob to persist in workspace.json **and** the
+ * derived key so the caller can immediately use it.
+ *
+ * The `iterations` override exists for tests — production callers should
+ * always use the default `PBKDF2_ITERATIONS` (OWASP floor). Tests pin a
+ * smaller count so the suite stays fast under parallel load; the
+ * algorithm path is identical either way.
+ */
+declare function initSecretCrypto(passphrase: string, iterations?: number): Promise<{
+    crypto: SecretCrypto;
+    key: CryptoKey;
+}>;
+/**
+ * Unlock the workspace given a passphrase + the stored SecretCrypto blob.
+ *
+ * Returns `{ ok: true, key }` on a successful passphrase match (verifier
+ * matches), `{ ok: false }` on any mismatch — wrong passphrase, corrupt
+ * blob, unsupported KDF. The caller surfaces the right UX for each.
+ */
+declare function unlockSecretCrypto(passphrase: string, blob: SecretCrypto): Promise<{
+    ok: true;
+    key: CryptoKey;
+} | {
+    ok: false;
+    reason: string;
+}>;
+
 /**
  * Validate a branch name against GitHub's ref rules. Returns null when the
  * name is acceptable, otherwise a short reason. We enforce a stricter
@@ -1360,6 +1465,43 @@ declare function generateWorkingBranchName(opts: BranchNameOptions): string;
  */
 declare function serializeWorkspaceForGit(synced: WorkspaceSynced): string;
 
+/** The dotfolder under the repo root that owns every API-Circle-managed
+ *  file in a Git-backed workspace. */
+declare const WORKSPACE_DIR = ".apicircle";
+/** Path to the workspace registry inside a repo / root. */
+declare const REGISTRY_JSON_PATH = ".apicircle/registry.json";
+/** On-disk path for the synced workspace document inside a Git repo. */
+declare function workspaceJsonPath(workspaceId: string): string;
+/** Directory holding per-attachment blob files (`<slotId>`). */
+declare function attachmentsDir(workspaceId: string): string;
+/** Build the on-disk path for a single attachment slot. Caller is
+ *  responsible for URL-encoding when this is passed to the GitHub
+ *  Contents API. */
+declare function attachmentPath(workspaceId: string, slotId: string): string;
+/**
+ * Parse a registry JSON string (fetched from a remote repo's
+ * `.apicircle/registry.json`) and return the active workspace ID.
+ * Falls back to the first entry when `activeWorkspaceId` is null.
+ * Returns `null` if the registry is empty or unparseable.
+ */
+declare function parseRegistryActiveId(registryJsonContent: string): string | null;
+/**
+ * Two-step resolution of a remote workspace.json path. Pass a generic
+ * file-fetcher so this stays decoupled from any particular API client.
+ *
+ * 1. Fetches `registry.json` from the remote `.apicircle/` dir.
+ * 2. Parses it to find the active workspace ID.
+ * 3. Fetches `workspace-<id>/workspace.json`.
+ *
+ * Returns `{ workspaceId, content }` on success, or `{ error }` on failure.
+ */
+declare function fetchRemoteWorkspaceJson(fetchFile: (repoPath: string) => Promise<string | null>): Promise<{
+    workspaceId: string;
+    content: string;
+} | {
+    error: string;
+}>;
+
 /** Error thrown when the input fails any of our checks. `code` lets the UI
  *  branch on the specific failure (oversized, bad JSON, wrong shape, etc.)
  *  without parsing the message string. */
@@ -1453,20 +1595,81 @@ interface PublishReleaseArgs {
     tagName?: string;
     publishedAt?: string;
 }
+/**
+ * Build a fully-formed `ReleaseVersion` entry for `synced` — computing the
+ * SHA-256 `workspaceSnapshot` of the canonical pre-publish workspace.json.
+ *
+ * This is the async half of publishing, split out so the sync mutation path
+ * (`applyMutation` → `appendReleaseEntry`) stays pure: headless writers
+ * (VS Code / MCP / CLI) call `buildReleaseEntry` first, then route the
+ * resulting entry through the `release.publish` patch.
+ *
+ * Throws on invalid semver.
+ */
+declare function buildReleaseEntry(synced: WorkspaceSynced, args: PublishReleaseArgs): Promise<ReleaseVersion>;
+/**
+ * Append a pre-built `ReleaseVersion` to `synced.releases.self.versions` and
+ * bump `currentVersion`. Pure + synchronous — the SHA was already computed by
+ * `buildReleaseEntry`, so this is safe to call from `applyMutation`.
+ *
+ * `now` defaults to the entry's own `publishedAt` so the convenience
+ * `publishRelease` wrapper keeps its original stamping; `applyMutation`
+ * passes its injected timestamp for deterministic batches.
+ *
+ * Throws on invalid semver or a duplicate version.
+ */
+declare function appendReleaseEntry(synced: WorkspaceSynced, entry: ReleaseVersion, now?: string): WorkspaceSynced;
 /**
  * Append a new release to `synced.releases.self.versions` and bump
- * `currentVersion`. Pure — does not touch IDB or Git.
+ * `currentVersion`. Convenience wrapper = `buildReleaseEntry` +
+ * `appendReleaseEntry`. Pure — does not touch IDB or Git.
  *
  * Throws on invalid semver, duplicate version, or invalid notes shape.
  */
 declare function publishRelease(synced: WorkspaceSynced, args: PublishReleaseArgs): Promise<WorkspaceSynced>;
 /** Flip the `deprecated` flag on a version. Soft signal — version is still installable. */
-declare function deprecateRelease(synced: WorkspaceSynced, version: string): WorkspaceSynced;
+declare function deprecateRelease(synced: WorkspaceSynced, version: string, now?: string): WorkspaceSynced;
 /**
  * Flip the `yanked` flag on a version. Hard signal — consumers should
  * be told this version is broken / unsafe and offered a different one.
  */
-declare function yankRelease(synced: WorkspaceSynced, version: string): WorkspaceSynced;
+declare function yankRelease(synced: WorkspaceSynced, version: string, now?: string): WorkspaceSynced;
+
+interface LinkedWorkspaceProbe {
+    workspaceId?: string;
+    releases?: {
+        self?: ReleaseHistory | null;
+    };
+    collections?: WorkspaceSynced['collections'];
+    environments?: WorkspaceSynced['environments'];
+    secretKeys?: Record<string, SecretKeyMeta>;
+    globalAssets?: WorkspaceSynced['globalAssets'];
+}
+/**
+ * Parse + sanitize a remote workspace.json string into the slices a linked
+ * consumer reads. Throws on oversized input, invalid JSON, or a non-object
+ * root. Prototype-pollution keys are stripped at parse time.
+ */
+declare function parseLinkedWorkspaceJson(text: string): LinkedWorkspaceProbe;
+/** The cached ledger from a probe, defaulting to an empty ledger. */
+declare function ledgerFromProbe(parsed: LinkedWorkspaceProbe): ReleaseHistory;
+/**
+ * Build the `LinkedSnapshot` cached in `WorkspaceLocal.linkedCollections` from
+ * a parsed probe + the link record. Returns null when the source has neither
+ * collections nor environments to cache.
+ */
+declare function buildLinkedSnapshot(parsed: LinkedWorkspaceProbe, link: LinkedWorkspace): LinkedSnapshot | null;
+
+/** Layer a consumer's override patch onto a source request. */
+declare function mergeRequestOverride(base: Request, patch: RequestOverridePatch): Request;
+/**
+ * Compute the minimal override patch that turns `base` into `effective` —
+ * only the overridable fields that structurally differ. Returns `{}` when the
+ * effective request is identical to the source (caller drops the override).
+ */
+declare function computeRequestOverridePatch(base: Request, effective: Request): RequestOverridePatch;
+/** True when an override patch has no diverging fields (safe to drop). */
+declare function isEmptyOverridePatch(patch: RequestOverridePatch): boolean;
 
 type MonacoLanguage = 'json' | 'xml' | 'html' | 'graphql' | 'javascript' | 'yaml' | 'plaintext';
 declare function normalizeContentType(contentType?: string): string;
@@ -1582,6 +1785,14 @@ interface LinkedUpdateEntry<TBase = unknown, TTarget = unknown, TOverride = unkn
     base: TBase | null;
     target: TTarget | null;
     override: TOverride | null;
+    /**
+     * For `both-changed` entries only: `true` when the consumer's override touches
+     * a DISJOINT set of fields from the ones the source changed — so keeping the
+     * override is a clean field-level merge that needs no user decision. `false`
+     * (or undefined) means override + source touched the same field → a real
+     * conflict the user must resolve. Other statuses leave this undefined.
+     */
+    autoMergeable?: boolean;
 }
 interface LinkedUpdatePreview {
     fromVersion: string | null;
@@ -1920,4 +2131,4 @@ interface TransformSavings {
 declare function computeTransformSavings(body: string, contentType?: string): TransformSavings;
 declare const TRANSFORM_FORMAT_LABELS: Record<TransformFormat, string>;
 
-export { ANONYMOUS_ACTOR, type ApplyMutationOptions, type ApplyMutationResult, type AssertionResult, type AttachmentResolver, type AttachmentSlotRef, type AuthApplyOptions, type AuthApplyResult, type AuthApplyTarget, type AuthApplyWarning, type AuthCodeExchangeArgs, type AutoHeaderOverrides, type BranchNameOptions, type BuildDigestArgs, type BuildNtlmType3Args, type BuildRequestOptions, type BuiltRequest, type ClientCredentialsArgs, type ConflictResolution, type HeaderEntry$1 as ContentTypeHeaderEntry, type ContextExtractionResult, DESKTOP_APP_ORIGIN, type DeviceAuthorizationArgs, type DeviceAuthorizationResponse, type DiffEntry, type DiffStatus, type DigestChallenge, EMPTY_UNPUSHED_SUMMARY, type EncryptedBindingHint, type EncryptedPayload, type EntityBucket, type ExecuteOptions, type ExecutionResult, type FetchOAuth2TokenArgs, type GraphQLField, type GraphQLSchemaInfo, HTTP_HEADERS_MAP, type HawkSignArgs, type HeaderEntry, type HeaderSuggestionMode, type ImportApicircleFolderResult, type ImportedFolder, type ImportedRequest, type JwtAlgorithm, type JwtSignArgs, type ApplyArgs as LinkedApplyArgs, type ApplyResult as LinkedApplyResult, type PreviewArgs as LinkedPreviewArgs, type LinkedUpdateBucket, type LinkedUpdateEntry, type LinkedUpdatePreview, type LinkedUpdateResolutionMap, type LinkedUpdateStatus, type MonacoLanguage, type NtlmType2Challenge, type OAuth2ErrorResponse, OAuth2TokenError, type OAuth2TokenResponse, type ParsedApicircleEnvironment, ParsedApicircleFolderExport, type ParsedCurl, type ParsedPostmanCollection, type ParsedPostmanEnvironment, type ParsedVersion, type PkceExchangeArgs, type PkceMethod, type PlanRunAuthorizationContext, PlanRunDeniedError, type PlanStepResult, type PollDeviceFlowArgs, type PreSendBlocker, type PreSendValidationInput, type PreSendValidationResult, type PreSendWarning, type PublishReleaseArgs, type RefreshTokenArgs, RemoteWorkspaceParseError, type ResolutionMap, type ResolutionScope, type ResolveInheritedAuthArgs, type ResolvePlanRefResult, type ResolveResult, type RopcArgs, type RunActor, type RunPlanOptions, type RunPlanResult, type SigV4SignArgs, type SigV4SignResult, TRANSFORM_FORMAT_LABELS, type ThreeWayDiff, type TransformCandidate, type TransformFormat, type TransformSavings, type UnpushedChange, type UnpushedSummary, type VariableSource, type VariableSuggestion, WorkspacePatch, WorkspaceState, applyAuth, applyAwsSigV4, applyContentTypeForBodyType, applyLinkedUpdate, applyMerge, applyMutation, applyPathParams, assertNoPlaintextCredentials, buildAuthorizeUrl, buildAutoHeaders, buildDigestAuthHeader, buildHawkAuthHeader, buildNtlmType1Negotiate, buildNtlmType3Authenticate, buildRequest, buildScope, collectAttachmentSlots, collectVariableSuggestions, compareSemver, composeBody, composeCookieHeader, composeHeaders, composeUrl, composeUrlWithQuery, computeCodeChallenge, computeThreeWayDiff, computeTransformSavings, decryptString, deprecateRelease, deriveKeyFromSlotValue, encryptString, exchangeAuthCode, exchangePkce, executeRequest, exportKey, extractContext, fetchOAuth2Token, findPathPlaceholders, generateAesKey, generateCodeVerifier, generateSlotSalt, generateSpanId, generateTraceParent, generateWorkingBranchName, getBodyTypeForContentType, getContentTypeForBodyType, getHeaderEntry, getHeaderValues, getLanguageFromBodyType, getLanguageFromContentType, getVariableAutocomplete, hasUnpushedChanges, importApicircleFolderInto, importKey, isApicircleEnvironment, isDesktop, isInsomniaExport, isPostmanEnvironment, isPostmanV2Collection, isValidSemver, lookup, mergeWithAutoHeaders, normalizeContentType, parseApicircleEnvironment, parseApicircleEnvironmentDoc, parseCurl, parseDigestChallenge, parseGraphqlSchema, parseInsomniaCollection, parseNtlmType2Challenge, parsePostmanCollection, parsePostmanEnvironment, parseSemver, parseUrlQuery, parseWorkspaceJson, pollDeviceFlow, preSendValidation, previewLinkedUpdate, publishRelease, readJsonPath, redactForGit, refreshToken, requestDeviceAuthorization, requestRunToExecutionResult, resolveInheritedAuth, resolvePlanRef, resolveString, resolveStringMap, runAssertions, runClientCredentials, runPlan, runRopc, serializePayload, serializeWorkspaceForGit, signJwt, slugify, sortVersionsDesc, suggestHeaders, summarizeUnpushedChanges, supportedContentTypeLanguageMap, toCsv, toToon, toYaml, tokenizeCurl, tryParsePayload, validateBranchName, yankRelease };
+export { ANONYMOUS_ACTOR, type ApplyMutationOptions, type ApplyMutationResult, type AssertionResult, type AttachmentResolver, type AttachmentSlotRef, type AuthApplyOptions, type AuthApplyResult, type AuthApplyTarget, type AuthApplyWarning, type AuthCodeExchangeArgs, type AutoHeaderOverrides, type BranchNameOptions, type BuildDigestArgs, type BuildNtlmType3Args, type BuildRequestOptions, type BuiltRequest, type ClientCredentialsArgs, type ConflictResolution, type HeaderEntry$1 as ContentTypeHeaderEntry, type ContextExtractionResult, DESKTOP_APP_ORIGIN, type DeviceAuthorizationArgs, type DeviceAuthorizationResponse, type DiffEntry, type DiffStatus, type DigestChallenge, EMPTY_UNPUSHED_SUMMARY, type EncryptedBindingHint, type EncryptedPayload, type EntityBucket, type ExecuteOptions, type ExecutionResult, type FetchOAuth2TokenArgs, type GraphQLField, type GraphQLSchemaInfo, HTTP_HEADERS_MAP, type HawkSignArgs, type HeaderEntry, type HeaderSuggestionMode, type ImportApicircleFolderResult, type ImportedFolder, type ImportedRequest, type JwtAlgorithm, type JwtSignArgs, type ApplyArgs as LinkedApplyArgs, type ApplyResult as LinkedApplyResult, type PreviewArgs as LinkedPreviewArgs, type LinkedUpdateBucket, type LinkedUpdateEntry, type LinkedUpdatePreview, type LinkedUpdateResolutionMap, type LinkedUpdateStatus, type LinkedWorkspaceProbe, type MonacoLanguage, type NtlmType2Challenge, type OAuth2ErrorResponse, OAuth2TokenError, type OAuth2TokenResponse, type ParsedApicircleEnvironment, ParsedApicircleFolderExport, type ParsedCurl, type ParsedPostmanCollection, type ParsedPostmanEnvironment, type ParsedVersion, type PkceExchangeArgs, type PkceMethod, type PlanRunAuthorizationContext, PlanRunDeniedError, type PlanStepResult, type PollDeviceFlowArgs, type PreSendBlocker, type PreSendValidationInput, type PreSendValidationResult, type PreSendWarning, type PublishReleaseArgs, REGISTRY_JSON_PATH, type RefreshTokenArgs, RemoteWorkspaceParseError, type ResolutionMap, type ResolutionScope, type ResolveInheritedAuthArgs, type ResolvePlanRefResult, type ResolveRequestArgs, type ResolveResult, type ResolvedRequestResult, type RopcArgs, type RunActor, type RunPlanOptions, type RunPlanResult, type SecretCrypto, type SigV4SignArgs, type SigV4SignResult, TRANSFORM_FORMAT_LABELS, type ThreeWayDiff, type TransformCandidate, type TransformFormat, type TransformSavings, type UnpushedChange, type UnpushedSummary, type VariableSource, type VariableSuggestion, WORKSPACE_DIR, WorkspacePatch, WorkspaceState, appendReleaseEntry, applyAuth, applyAwsSigV4, applyContentTypeForBodyType, applyLinkedEnvironmentOverrides, applyLinkedUpdate, applyMerge, applyMutation, applyPathParams, assertNoPlaintextCredentials, attachmentPath, attachmentsDir, buildAuthorizeUrl, buildAutoHeaders, buildDigestAuthHeader, buildHawkAuthHeader, buildLinkedSnapshot, buildNtlmType1Negotiate, buildNtlmType3Authenticate, buildReleaseEntry, buildRequest, buildScope, collectAttachmentSlots, collectVariableSuggestions, compareSemver, composeBody, composeCookieHeader, composeHeaders, composeUrl, composeUrlWithQuery, computeCodeChallenge, computeRequestOverridePatch, computeThreeWayDiff, computeTransformSavings, decryptString, deprecateRelease, deriveKeyFromSlotValue, encryptString, exchangeAuthCode, exchangePkce, executeRequest, exportKey, extractContext, fetchOAuth2Token, fetchRemoteWorkspaceJson, findPathPlaceholders, generateAesKey, generateCodeVerifier, generateSlotSalt, generateSpanId, generateTraceParent, generateWorkingBranchName, getBodyTypeForContentType, getContentTypeForBodyType, getHeaderEntry, getHeaderValues, getLanguageFromBodyType, getLanguageFromContentType, getVariableAutocomplete, hasUnpushedChanges, importApicircleFolderInto, importKey, initSecretCrypto, isApicircleEnvironment, isDesktop, isEmptyOverridePatch, isInsomniaExport, isPostmanEnvironment, isPostmanV2Collection, isValidSemver, ledgerFromProbe, lookup, mergeRequestOverride, mergeWithAutoHeaders, normalizeContentType, parseApicircleEnvironment, parseApicircleEnvironmentDoc, parseCurl, parseDigestChallenge, parseGraphqlSchema, parseInsomniaCollection, parseLinkedWorkspaceJson, parseNtlmType2Challenge, parsePostmanCollection, parsePostmanEnvironment, parseRegistryActiveId, parseSemver, parseUrlQuery, parseWorkspaceJson, plaintextEnvMap, pollDeviceFlow, preSendValidation, previewLinkedUpdate, publishRelease, readJsonPath, redactForGit, refreshToken, requestDeviceAuthorization, requestRunToExecutionResult, resolveInheritedAuth, resolvePlanRef, resolveRequestForExecution, resolveString, resolveStringMap, runAssertions, runClientCredentials, runPlan, runRopc, serializePayload, serializeWorkspaceForGit, signJwt, slugify, sortVersionsDesc, suggestHeaders, summarizeUnpushedChanges, supportedContentTypeLanguageMap, toCsv, toToon, toYaml, tokenizeCurl, tryParsePayload, unlockSecretCrypto, validateBranchName, workspaceJsonPath, yankRelease };

package/dist/index.d.ts

@@ -1,6 +1,6 @@
-import { BodyType, RequestAuth, Request, RequestRun, Folder, RequestBody, HttpMethod, EnvironmentVariable, Assertion, ContextExtraction, WorkspaceSynced, LinkedSnapshot, RequestOverride, EnvironmentVariableOverride, ExecutionPlan, PlanRun } from '@apicircle/shared';
-import { W as WorkspaceState, a as WorkspacePatch, P as ParsedApicircleFolderExport } from './patches-ysO3y8pG.js';
-export { A as APICIRCLE_FOLDER_EXPORT_FORMAT, b as ApicircleFolderExportDependencies, c as ApicircleFolderExportV1, C as CollectFolderExportArgs, d as CollectFolderExportResult, F as FolderExportCredential, e as FolderExportReport, f as WorkspacePatchKind, g as collectFolderExport, h as collectFolderExportCredentials, i as isApicircleFolderExport, p as parseApicircleFolderExport, j as parseApicircleFolderExportDoc, r as redactFolderExportCredentials, s as serializeFolderExport, k as suggestFolderExportFilename } from './patches-ysO3y8pG.js';
+import { BodyType, RequestAuth, Request, Folder, RequestRun, RequestBody, HttpMethod, EnvironmentVariable, Assertion, ContextExtraction, WorkspaceSynced, EnvPriorityRef, ReleaseVersion, ReleaseHistory, SecretKeyMeta, LinkedWorkspace, LinkedSnapshot, RequestOverridePatch, RequestOverride, EnvironmentVariableOverride, ExecutionPlan, PlanRun } from '@apicircle/shared';
+import { W as WorkspaceState, a as WorkspacePatch, P as ParsedApicircleFolderExport } from './patches-B3VGNVgf.js';
+export { A as APICIRCLE_FOLDER_EXPORT_FORMAT, b as ApicircleFolderExportDependencies, c as ApicircleFolderExportV1, C as CollectFolderExportArgs, d as CollectFolderExportResult, F as FolderExportCredential, e as FolderExportReport, f as WorkspacePatchKind, g as collectFolderExport, h as collectFolderExportCredentials, i as isApicircleFolderExport, p as parseApicircleFolderExport, j as parseApicircleFolderExportDoc, r as redactFolderExportCredentials, s as serializeFolderExport, k as suggestFolderExportFilename } from './patches-B3VGNVgf.js';
 
 type HeaderEntry$1 = {
     key: string;
@@ -389,8 +389,18 @@ interface PreSendValidationResult {
 interface PreSendValidationInput {
     request: Request;
     scope: ResolutionScope;
+    /**
+     * Folder map keyed by id. When provided AND the request's `auth.type` is
+     * `inherit`, the validator resolves the upward chain via
+     * `resolveInheritedAuth` and validates the EFFECTIVE auth's field
+     * completeness — so an empty-token folder bearer doesn't slip past the
+     * pre-send check. Omit for callers that don't have folder context (legacy
+     * tests, ad-hoc plan steps), and the validator falls back to checking the
+     * declared auth as-is.
+     */
+    folders?: Record<string, Folder>;
 }
-declare function preSendValidation({ request, scope, }: PreSendValidationInput): PreSendValidationResult;
+declare function preSendValidation({ request, scope, folders, }: PreSendValidationInput): PreSendValidationResult;
 
 interface ExecutionResult {
     startedAt: string;
@@ -1140,6 +1150,15 @@ interface ImportedFolder {
     /** Index path from root (deterministic id assignment is the caller's job). */
     pathIds: number[];
     parentPathIds: number[] | null;
+    /**
+     * Folder-level auth captured from the source. Postman v2.1 folders can
+     * carry an `auth` field that descendant requests inherit; Insomnia
+     * request_group resources expose the same via `authentication`. When
+     * present, the importer maps it to `Folder.auth` and descendant requests
+     * with no explicit auth resolve via `resolveInheritedAuth` instead of
+     * being wired to a duplicate copy.
+     */
+    auth?: RequestAuth;
 }
 interface ParsedPostmanCollection {
     collectionName: string;
@@ -1289,6 +1308,51 @@ interface ContextExtractionResult {
 }
 declare function extractContext(result: ExecutionResult, extractions: ReadonlyArray<ContextExtraction>): ContextExtractionResult;
 
+interface ResolveRequestArgs {
+    request: Request;
+    synced: WorkspaceSynced;
+    /** Plaintext local envs: `{ envName: { varKey: value } }`. */
+    localEnvs: Record<string, Record<string, string>>;
+    /**
+     * Plaintext linked envs keyed by linkedWorkspaceId, then envName. Caller
+     * is expected to have already applied any linkedOverrides.environmentVars
+     * (use `applyLinkedEnvironmentOverrides` from this module first).
+     */
+    linkedEnvs?: Record<string, Record<string, Record<string, string>>>;
+    /** Plaintext secrets keyed by their display label (vault-decrypted). */
+    secrets?: Record<string, string>;
+    /**
+     * `globalContext` (latest-write-wins extractions) + plan variables
+     * (optional) — sit between request.contextVars and the env layer.
+     */
+    globalContext?: Record<string, string>;
+    planVariables?: ReadonlyArray<{
+        key: string;
+        value: string;
+    }>;
+    /** Plan-level priority overrides take precedence when non-empty. */
+    envPriorityOverride?: readonly EnvPriorityRef[];
+}
+interface ResolvedRequestResult {
+    request: Request;
+    scope: ResolutionScope;
+    missing: string[];
+}
+declare function resolveRequestForExecution(args: ResolveRequestArgs): ResolvedRequestResult;
+/**
+ * Layer `synced.linkedOverrides.environmentVars` entries onto a source env
+ * map for one linked workspace. Used by the host to prepare the plaintext
+ * `linkedEnvs` argument before calling `resolveRequestForExecution`.
+ */
+declare function applyLinkedEnvironmentOverrides(source: WorkspaceSynced['environments'], linkedWorkspaceId: string, synced: WorkspaceSynced): WorkspaceSynced['environments'];
+/**
+ * Strip an envs map down to its plaintext key→value pairs, dropping any
+ * variable still marked `encrypted: true` (the host's vault layer should have
+ * decrypted those in advance). Returns the plaintext map the resolver
+ * consumes.
+ */
+declare function plaintextEnvMap(source: WorkspaceSynced['environments']): Record<string, Record<string, string>>;
+
 interface EncryptedPayload {
     iv: string;
     ciphertext: string;
@@ -1335,6 +1399,47 @@ declare function importKey(jwk: JsonWebKey): Promise<CryptoKey>;
 declare function serializePayload(payload: EncryptedPayload): string;
 declare function tryParsePayload(value: string): EncryptedPayload | null;
 
+interface SecretCrypto {
+    kdf: 'pbkdf2-sha256-v1';
+    /** Base64-encoded random salt; 16 bytes. */
+    salt: string;
+    /** PBKDF2 iteration count baked at workspace-creation time. */
+    iterations: number;
+    /** Base64-encoded AES-GCM(sentinel, derivedKey, zero-IV). */
+    verifier: string;
+}
+/**
+ * Initialise the workspace's secret crypto state. Called the first time
+ * the user creates a passphrase (new workspace or first secret added in
+ * a workspace that hasn't set one).
+ *
+ * Returns the SecretCrypto blob to persist in workspace.json **and** the
+ * derived key so the caller can immediately use it.
+ *
+ * The `iterations` override exists for tests — production callers should
+ * always use the default `PBKDF2_ITERATIONS` (OWASP floor). Tests pin a
+ * smaller count so the suite stays fast under parallel load; the
+ * algorithm path is identical either way.
+ */
+declare function initSecretCrypto(passphrase: string, iterations?: number): Promise<{
+    crypto: SecretCrypto;
+    key: CryptoKey;
+}>;
+/**
+ * Unlock the workspace given a passphrase + the stored SecretCrypto blob.
+ *
+ * Returns `{ ok: true, key }` on a successful passphrase match (verifier
+ * matches), `{ ok: false }` on any mismatch — wrong passphrase, corrupt
+ * blob, unsupported KDF. The caller surfaces the right UX for each.
+ */
+declare function unlockSecretCrypto(passphrase: string, blob: SecretCrypto): Promise<{
+    ok: true;
+    key: CryptoKey;
+} | {
+    ok: false;
+    reason: string;
+}>;
+
 /**
  * Validate a branch name against GitHub's ref rules. Returns null when the
  * name is acceptable, otherwise a short reason. We enforce a stricter
@@ -1360,6 +1465,43 @@ declare function generateWorkingBranchName(opts: BranchNameOptions): string;
  */
 declare function serializeWorkspaceForGit(synced: WorkspaceSynced): string;
 
+/** The dotfolder under the repo root that owns every API-Circle-managed
+ *  file in a Git-backed workspace. */
+declare const WORKSPACE_DIR = ".apicircle";
+/** Path to the workspace registry inside a repo / root. */
+declare const REGISTRY_JSON_PATH = ".apicircle/registry.json";
+/** On-disk path for the synced workspace document inside a Git repo. */
+declare function workspaceJsonPath(workspaceId: string): string;
+/** Directory holding per-attachment blob files (`<slotId>`). */
+declare function attachmentsDir(workspaceId: string): string;
+/** Build the on-disk path for a single attachment slot. Caller is
+ *  responsible for URL-encoding when this is passed to the GitHub
+ *  Contents API. */
+declare function attachmentPath(workspaceId: string, slotId: string): string;
+/**
+ * Parse a registry JSON string (fetched from a remote repo's
+ * `.apicircle/registry.json`) and return the active workspace ID.
+ * Falls back to the first entry when `activeWorkspaceId` is null.
+ * Returns `null` if the registry is empty or unparseable.
+ */
+declare function parseRegistryActiveId(registryJsonContent: string): string | null;
+/**
+ * Two-step resolution of a remote workspace.json path. Pass a generic
+ * file-fetcher so this stays decoupled from any particular API client.
+ *
+ * 1. Fetches `registry.json` from the remote `.apicircle/` dir.
+ * 2. Parses it to find the active workspace ID.
+ * 3. Fetches `workspace-<id>/workspace.json`.
+ *
+ * Returns `{ workspaceId, content }` on success, or `{ error }` on failure.
+ */
+declare function fetchRemoteWorkspaceJson(fetchFile: (repoPath: string) => Promise<string | null>): Promise<{
+    workspaceId: string;
+    content: string;
+} | {
+    error: string;
+}>;
+
 /** Error thrown when the input fails any of our checks. `code` lets the UI
  *  branch on the specific failure (oversized, bad JSON, wrong shape, etc.)
  *  without parsing the message string. */
@@ -1453,20 +1595,81 @@ interface PublishReleaseArgs {
     tagName?: string;
     publishedAt?: string;
 }
+/**
+ * Build a fully-formed `ReleaseVersion` entry for `synced` — computing the
+ * SHA-256 `workspaceSnapshot` of the canonical pre-publish workspace.json.
+ *
+ * This is the async half of publishing, split out so the sync mutation path
+ * (`applyMutation` → `appendReleaseEntry`) stays pure: headless writers
+ * (VS Code / MCP / CLI) call `buildReleaseEntry` first, then route the
+ * resulting entry through the `release.publish` patch.
+ *
+ * Throws on invalid semver.
+ */
+declare function buildReleaseEntry(synced: WorkspaceSynced, args: PublishReleaseArgs): Promise<ReleaseVersion>;
+/**
+ * Append a pre-built `ReleaseVersion` to `synced.releases.self.versions` and
+ * bump `currentVersion`. Pure + synchronous — the SHA was already computed by
+ * `buildReleaseEntry`, so this is safe to call from `applyMutation`.
+ *
+ * `now` defaults to the entry's own `publishedAt` so the convenience
+ * `publishRelease` wrapper keeps its original stamping; `applyMutation`
+ * passes its injected timestamp for deterministic batches.
+ *
+ * Throws on invalid semver or a duplicate version.
+ */
+declare function appendReleaseEntry(synced: WorkspaceSynced, entry: ReleaseVersion, now?: string): WorkspaceSynced;
 /**
  * Append a new release to `synced.releases.self.versions` and bump
- * `currentVersion`. Pure — does not touch IDB or Git.
+ * `currentVersion`. Convenience wrapper = `buildReleaseEntry` +
+ * `appendReleaseEntry`. Pure — does not touch IDB or Git.
  *
  * Throws on invalid semver, duplicate version, or invalid notes shape.
  */
 declare function publishRelease(synced: WorkspaceSynced, args: PublishReleaseArgs): Promise<WorkspaceSynced>;
 /** Flip the `deprecated` flag on a version. Soft signal — version is still installable. */
-declare function deprecateRelease(synced: WorkspaceSynced, version: string): WorkspaceSynced;
+declare function deprecateRelease(synced: WorkspaceSynced, version: string, now?: string): WorkspaceSynced;
 /**
  * Flip the `yanked` flag on a version. Hard signal — consumers should
  * be told this version is broken / unsafe and offered a different one.
  */
-declare function yankRelease(synced: WorkspaceSynced, version: string): WorkspaceSynced;
+declare function yankRelease(synced: WorkspaceSynced, version: string, now?: string): WorkspaceSynced;
+
+interface LinkedWorkspaceProbe {
+    workspaceId?: string;
+    releases?: {
+        self?: ReleaseHistory | null;
+    };
+    collections?: WorkspaceSynced['collections'];
+    environments?: WorkspaceSynced['environments'];
+    secretKeys?: Record<string, SecretKeyMeta>;
+    globalAssets?: WorkspaceSynced['globalAssets'];
+}
+/**
+ * Parse + sanitize a remote workspace.json string into the slices a linked
+ * consumer reads. Throws on oversized input, invalid JSON, or a non-object
+ * root. Prototype-pollution keys are stripped at parse time.
+ */
+declare function parseLinkedWorkspaceJson(text: string): LinkedWorkspaceProbe;
+/** The cached ledger from a probe, defaulting to an empty ledger. */
+declare function ledgerFromProbe(parsed: LinkedWorkspaceProbe): ReleaseHistory;
+/**
+ * Build the `LinkedSnapshot` cached in `WorkspaceLocal.linkedCollections` from
+ * a parsed probe + the link record. Returns null when the source has neither
+ * collections nor environments to cache.
+ */
+declare function buildLinkedSnapshot(parsed: LinkedWorkspaceProbe, link: LinkedWorkspace): LinkedSnapshot | null;
+
+/** Layer a consumer's override patch onto a source request. */
+declare function mergeRequestOverride(base: Request, patch: RequestOverridePatch): Request;
+/**
+ * Compute the minimal override patch that turns `base` into `effective` —
+ * only the overridable fields that structurally differ. Returns `{}` when the
+ * effective request is identical to the source (caller drops the override).
+ */
+declare function computeRequestOverridePatch(base: Request, effective: Request): RequestOverridePatch;
+/** True when an override patch has no diverging fields (safe to drop). */
+declare function isEmptyOverridePatch(patch: RequestOverridePatch): boolean;
 
 type MonacoLanguage = 'json' | 'xml' | 'html' | 'graphql' | 'javascript' | 'yaml' | 'plaintext';
 declare function normalizeContentType(contentType?: string): string;
@@ -1582,6 +1785,14 @@ interface LinkedUpdateEntry<TBase = unknown, TTarget = unknown, TOverride = unkn
     base: TBase | null;
     target: TTarget | null;
     override: TOverride | null;
+    /**
+     * For `both-changed` entries only: `true` when the consumer's override touches
+     * a DISJOINT set of fields from the ones the source changed — so keeping the
+     * override is a clean field-level merge that needs no user decision. `false`
+     * (or undefined) means override + source touched the same field → a real
+     * conflict the user must resolve. Other statuses leave this undefined.
+     */
+    autoMergeable?: boolean;
 }
 interface LinkedUpdatePreview {
     fromVersion: string | null;
@@ -1920,4 +2131,4 @@ interface TransformSavings {
 declare function computeTransformSavings(body: string, contentType?: string): TransformSavings;
 declare const TRANSFORM_FORMAT_LABELS: Record<TransformFormat, string>;
 
-export { ANONYMOUS_ACTOR, type ApplyMutationOptions, type ApplyMutationResult, type AssertionResult, type AttachmentResolver, type AttachmentSlotRef, type AuthApplyOptions, type AuthApplyResult, type AuthApplyTarget, type AuthApplyWarning, type AuthCodeExchangeArgs, type AutoHeaderOverrides, type BranchNameOptions, type BuildDigestArgs, type BuildNtlmType3Args, type BuildRequestOptions, type BuiltRequest, type ClientCredentialsArgs, type ConflictResolution, type HeaderEntry$1 as ContentTypeHeaderEntry, type ContextExtractionResult, DESKTOP_APP_ORIGIN, type DeviceAuthorizationArgs, type DeviceAuthorizationResponse, type DiffEntry, type DiffStatus, type DigestChallenge, EMPTY_UNPUSHED_SUMMARY, type EncryptedBindingHint, type EncryptedPayload, type EntityBucket, type ExecuteOptions, type ExecutionResult, type FetchOAuth2TokenArgs, type GraphQLField, type GraphQLSchemaInfo, HTTP_HEADERS_MAP, type HawkSignArgs, type HeaderEntry, type HeaderSuggestionMode, type ImportApicircleFolderResult, type ImportedFolder, type ImportedRequest, type JwtAlgorithm, type JwtSignArgs, type ApplyArgs as LinkedApplyArgs, type ApplyResult as LinkedApplyResult, type PreviewArgs as LinkedPreviewArgs, type LinkedUpdateBucket, type LinkedUpdateEntry, type LinkedUpdatePreview, type LinkedUpdateResolutionMap, type LinkedUpdateStatus, type MonacoLanguage, type NtlmType2Challenge, type OAuth2ErrorResponse, OAuth2TokenError, type OAuth2TokenResponse, type ParsedApicircleEnvironment, ParsedApicircleFolderExport, type ParsedCurl, type ParsedPostmanCollection, type ParsedPostmanEnvironment, type ParsedVersion, type PkceExchangeArgs, type PkceMethod, type PlanRunAuthorizationContext, PlanRunDeniedError, type PlanStepResult, type PollDeviceFlowArgs, type PreSendBlocker, type PreSendValidationInput, type PreSendValidationResult, type PreSendWarning, type PublishReleaseArgs, type RefreshTokenArgs, RemoteWorkspaceParseError, type ResolutionMap, type ResolutionScope, type ResolveInheritedAuthArgs, type ResolvePlanRefResult, type ResolveResult, type RopcArgs, type RunActor, type RunPlanOptions, type RunPlanResult, type SigV4SignArgs, type SigV4SignResult, TRANSFORM_FORMAT_LABELS, type ThreeWayDiff, type TransformCandidate, type TransformFormat, type TransformSavings, type UnpushedChange, type UnpushedSummary, type VariableSource, type VariableSuggestion, WorkspacePatch, WorkspaceState, applyAuth, applyAwsSigV4, applyContentTypeForBodyType, applyLinkedUpdate, applyMerge, applyMutation, applyPathParams, assertNoPlaintextCredentials, buildAuthorizeUrl, buildAutoHeaders, buildDigestAuthHeader, buildHawkAuthHeader, buildNtlmType1Negotiate, buildNtlmType3Authenticate, buildRequest, buildScope, collectAttachmentSlots, collectVariableSuggestions, compareSemver, composeBody, composeCookieHeader, composeHeaders, composeUrl, composeUrlWithQuery, computeCodeChallenge, computeThreeWayDiff, computeTransformSavings, decryptString, deprecateRelease, deriveKeyFromSlotValue, encryptString, exchangeAuthCode, exchangePkce, executeRequest, exportKey, extractContext, fetchOAuth2Token, findPathPlaceholders, generateAesKey, generateCodeVerifier, generateSlotSalt, generateSpanId, generateTraceParent, generateWorkingBranchName, getBodyTypeForContentType, getContentTypeForBodyType, getHeaderEntry, getHeaderValues, getLanguageFromBodyType, getLanguageFromContentType, getVariableAutocomplete, hasUnpushedChanges, importApicircleFolderInto, importKey, isApicircleEnvironment, isDesktop, isInsomniaExport, isPostmanEnvironment, isPostmanV2Collection, isValidSemver, lookup, mergeWithAutoHeaders, normalizeContentType, parseApicircleEnvironment, parseApicircleEnvironmentDoc, parseCurl, parseDigestChallenge, parseGraphqlSchema, parseInsomniaCollection, parseNtlmType2Challenge, parsePostmanCollection, parsePostmanEnvironment, parseSemver, parseUrlQuery, parseWorkspaceJson, pollDeviceFlow, preSendValidation, previewLinkedUpdate, publishRelease, readJsonPath, redactForGit, refreshToken, requestDeviceAuthorization, requestRunToExecutionResult, resolveInheritedAuth, resolvePlanRef, resolveString, resolveStringMap, runAssertions, runClientCredentials, runPlan, runRopc, serializePayload, serializeWorkspaceForGit, signJwt, slugify, sortVersionsDesc, suggestHeaders, summarizeUnpushedChanges, supportedContentTypeLanguageMap, toCsv, toToon, toYaml, tokenizeCurl, tryParsePayload, validateBranchName, yankRelease };
+export { ANONYMOUS_ACTOR, type ApplyMutationOptions, type ApplyMutationResult, type AssertionResult, type AttachmentResolver, type AttachmentSlotRef, type AuthApplyOptions, type AuthApplyResult, type AuthApplyTarget, type AuthApplyWarning, type AuthCodeExchangeArgs, type AutoHeaderOverrides, type BranchNameOptions, type BuildDigestArgs, type BuildNtlmType3Args, type BuildRequestOptions, type BuiltRequest, type ClientCredentialsArgs, type ConflictResolution, type HeaderEntry$1 as ContentTypeHeaderEntry, type ContextExtractionResult, DESKTOP_APP_ORIGIN, type DeviceAuthorizationArgs, type DeviceAuthorizationResponse, type DiffEntry, type DiffStatus, type DigestChallenge, EMPTY_UNPUSHED_SUMMARY, type EncryptedBindingHint, type EncryptedPayload, type EntityBucket, type ExecuteOptions, type ExecutionResult, type FetchOAuth2TokenArgs, type GraphQLField, type GraphQLSchemaInfo, HTTP_HEADERS_MAP, type HawkSignArgs, type HeaderEntry, type HeaderSuggestionMode, type ImportApicircleFolderResult, type ImportedFolder, type ImportedRequest, type JwtAlgorithm, type JwtSignArgs, type ApplyArgs as LinkedApplyArgs, type ApplyResult as LinkedApplyResult, type PreviewArgs as LinkedPreviewArgs, type LinkedUpdateBucket, type LinkedUpdateEntry, type LinkedUpdatePreview, type LinkedUpdateResolutionMap, type LinkedUpdateStatus, type LinkedWorkspaceProbe, type MonacoLanguage, type NtlmType2Challenge, type OAuth2ErrorResponse, OAuth2TokenError, type OAuth2TokenResponse, type ParsedApicircleEnvironment, ParsedApicircleFolderExport, type ParsedCurl, type ParsedPostmanCollection, type ParsedPostmanEnvironment, type ParsedVersion, type PkceExchangeArgs, type PkceMethod, type PlanRunAuthorizationContext, PlanRunDeniedError, type PlanStepResult, type PollDeviceFlowArgs, type PreSendBlocker, type PreSendValidationInput, type PreSendValidationResult, type PreSendWarning, type PublishReleaseArgs, REGISTRY_JSON_PATH, type RefreshTokenArgs, RemoteWorkspaceParseError, type ResolutionMap, type ResolutionScope, type ResolveInheritedAuthArgs, type ResolvePlanRefResult, type ResolveRequestArgs, type ResolveResult, type ResolvedRequestResult, type RopcArgs, type RunActor, type RunPlanOptions, type RunPlanResult, type SecretCrypto, type SigV4SignArgs, type SigV4SignResult, TRANSFORM_FORMAT_LABELS, type ThreeWayDiff, type TransformCandidate, type TransformFormat, type TransformSavings, type UnpushedChange, type UnpushedSummary, type VariableSource, type VariableSuggestion, WORKSPACE_DIR, WorkspacePatch, WorkspaceState, appendReleaseEntry, applyAuth, applyAwsSigV4, applyContentTypeForBodyType, applyLinkedEnvironmentOverrides, applyLinkedUpdate, applyMerge, applyMutation, applyPathParams, assertNoPlaintextCredentials, attachmentPath, attachmentsDir, buildAuthorizeUrl, buildAutoHeaders, buildDigestAuthHeader, buildHawkAuthHeader, buildLinkedSnapshot, buildNtlmType1Negotiate, buildNtlmType3Authenticate, buildReleaseEntry, buildRequest, buildScope, collectAttachmentSlots, collectVariableSuggestions, compareSemver, composeBody, composeCookieHeader, composeHeaders, composeUrl, composeUrlWithQuery, computeCodeChallenge, computeRequestOverridePatch, computeThreeWayDiff, computeTransformSavings, decryptString, deprecateRelease, deriveKeyFromSlotValue, encryptString, exchangeAuthCode, exchangePkce, executeRequest, exportKey, extractContext, fetchOAuth2Token, fetchRemoteWorkspaceJson, findPathPlaceholders, generateAesKey, generateCodeVerifier, generateSlotSalt, generateSpanId, generateTraceParent, generateWorkingBranchName, getBodyTypeForContentType, getContentTypeForBodyType, getHeaderEntry, getHeaderValues, getLanguageFromBodyType, getLanguageFromContentType, getVariableAutocomplete, hasUnpushedChanges, importApicircleFolderInto, importKey, initSecretCrypto, isApicircleEnvironment, isDesktop, isEmptyOverridePatch, isInsomniaExport, isPostmanEnvironment, isPostmanV2Collection, isValidSemver, ledgerFromProbe, lookup, mergeRequestOverride, mergeWithAutoHeaders, normalizeContentType, parseApicircleEnvironment, parseApicircleEnvironmentDoc, parseCurl, parseDigestChallenge, parseGraphqlSchema, parseInsomniaCollection, parseLinkedWorkspaceJson, parseNtlmType2Challenge, parsePostmanCollection, parsePostmanEnvironment, parseRegistryActiveId, parseSemver, parseUrlQuery, parseWorkspaceJson, plaintextEnvMap, pollDeviceFlow, preSendValidation, previewLinkedUpdate, publishRelease, readJsonPath, redactForGit, refreshToken, requestDeviceAuthorization, requestRunToExecutionResult, resolveInheritedAuth, resolvePlanRef, resolveRequestForExecution, resolveString, resolveStringMap, runAssertions, runClientCredentials, runPlan, runRopc, serializePayload, serializeWorkspaceForGit, signJwt, slugify, sortVersionsDesc, suggestHeaders, summarizeUnpushedChanges, supportedContentTypeLanguageMap, toCsv, toToon, toYaml, tokenizeCurl, tryParsePayload, unlockSecretCrypto, validateBranchName, workspaceJsonPath, yankRelease };