npm - @apicircle/core - Versions diffs - 1.0.8 → 1.1.0 - Mend

@apicircle/core 1.0.8 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/README.md +4 -4
package/dist/{chunk-L5DQT7V6.js → chunk-T6A4ICRL.js} +5 -5
package/dist/chunk-T6A4ICRL.js.map +1 -0
package/dist/index.cjs +995 -87
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +219 -8
package/dist/index.d.ts +219 -8
package/dist/index.js +965 -77
package/dist/index.js.map +1 -1
package/dist/{patches-ysO3y8pG.d.cts → patches-B3VGNVgf.d.cts} +74 -1
package/dist/{patches-ysO3y8pG.d.ts → patches-B3VGNVgf.d.ts} +74 -1
package/dist/workspace/file-backed.cjs +4 -4
package/dist/workspace/file-backed.cjs.map +1 -1
package/dist/workspace/file-backed.d.cts +5 -1
package/dist/workspace/file-backed.d.ts +5 -1
package/dist/workspace/file-backed.js +1 -1
package/dist/workspace/registry.cjs +13 -33
package/dist/workspace/registry.cjs.map +1 -1
package/dist/workspace/registry.d.cts +13 -26
package/dist/workspace/registry.d.ts +13 -26
package/dist/workspace/registry.js +9 -30
package/dist/workspace/registry.js.map +1 -1
package/package.json +3 -2
package/dist/chunk-L5DQT7V6.js.map +0 -1

package/dist/index.js CHANGED Viewed

@@ -1054,8 +1054,7 @@ async function importPkcs8(pem, algorithm) {
       "JWT: PKCS#1 RSA PEM (`BEGIN RSA PRIVATE KEY`) is not supported. Convert with `openssl pkcs8 -topk8 -in key.pem -out pkcs8.pem -nocrypt`."
     );
   }
-  const envelope = /-----BEGIN [A-Z ]+-----([\s\S]*?)-----END [A-Z ]+-----/.exec(pem);
-  const body = envelope ? envelope[1] : pem;
+  const body = extractPemBody(pem);
   const stripped = body.replace(/\s+/g, "");
   if (!stripped) {
     throw new Error("JWT: PEM key is empty after stripping headers/whitespace");
@@ -1076,6 +1075,19 @@ async function importPkcs8(pem, algorithm) {
     ["sign"]
   );
 }
+function extractPemBody(pem) {
+  const BEGIN = "-----BEGIN ";
+  const END = "-----END ";
+  const FENCE = "-----";
+  const beginAt = pem.indexOf(BEGIN);
+  if (beginAt === -1) return pem;
+  const beginHeaderEnd = pem.indexOf(FENCE, beginAt + BEGIN.length);
+  if (beginHeaderEnd === -1) return pem;
+  const bodyStart = beginHeaderEnd + FENCE.length;
+  const endAt = pem.indexOf(END, bodyStart);
+  if (endAt === -1) return pem;
+  return pem.slice(bodyStart, endAt);
+}
 function base64UrlEncode(bytes) {
   let s = "";
   for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);
@@ -1530,6 +1542,10 @@ async function fetchOAuth2Token(args) {
   if (args.extraParams) {
     for (const [k, v] of Object.entries(args.extraParams)) body.set(k, v);
   }
+  const tokenUrlParsed = new URL(args.tokenUrl);
+  if (tokenUrlParsed.protocol !== "https:" && tokenUrlParsed.protocol !== "http:") {
+    throw new Error(`Token URL must use HTTP or HTTPS, got ${tokenUrlParsed.protocol}`);
+  }
   const response = await fetchImpl(args.tokenUrl, {
     method: "POST",
     headers,
@@ -2476,6 +2492,30 @@ function getVariableAutocomplete(text, cursorPosition, scope) {
   );
 }
+// src/request/resolveInheritedAuth.ts
+var NONE = { type: "none" };
+function resolveInheritedAuth({
+  requestAuth,
+  folderId,
+  folders
+}) {
+  if (requestAuth.type !== "inherit") return requestAuth;
+  let cursor = folderId;
+  const visited = /* @__PURE__ */ new Set();
+  while (cursor !== null) {
+    if (visited.has(cursor)) {
+      break;
+    }
+    visited.add(cursor);
+    const folder = folders[cursor];
+    if (!folder) break;
+    const auth = folder.auth;
+    if (auth && auth.type !== "inherit" && auth.type !== "none") return auth;
+    cursor = folder.parentId;
+  }
+  return NONE;
+}
 // src/request/preSendValidation.ts
 var TYPED_BODY_CT = {
   json: ["application/json", "application/ld+json", "application/vnd.api+json"],
@@ -2488,7 +2528,8 @@ function collectMissing(value, scope) {
 }
 function preSendValidation({
   request,
-  scope
+  scope,
+  folders
 }) {
   const warnings = [];
   const blockers = [];
@@ -2563,29 +2604,43 @@ function preSendValidation({
       });
     }
   }
-  const auth = request.auth;
+  let effectiveAuth = request.auth;
+  let resolvedFromInherit = false;
+  if (folders && effectiveAuth?.type === "inherit") {
+    effectiveAuth = resolveInheritedAuth({
+      requestAuth: { type: "inherit" },
+      folderId: request.folderId,
+      folders
+    });
+    resolvedFromInherit = true;
+  }
+  const auth = effectiveAuth;
+  const inheritedNote = resolvedFromInherit ? " (resolved from folder-level auth)" : "";
   if (auth) {
     if (auth.type === "bearer" && !auth.token?.trim()) {
-      blockers.push({ kind: "auth-fields-missing", message: "Bearer token is empty." });
+      blockers.push({
+        kind: "auth-fields-missing",
+        message: `Bearer token is empty.${inheritedNote}`
+      });
     } else if (auth.type === "basic") {
       if (!auth.username?.trim() || !auth.password?.trim()) {
         blockers.push({
           kind: "auth-fields-missing",
-          message: "Basic auth requires both username and password."
+          message: `Basic auth requires both username and password.${inheritedNote}`
         });
       }
     } else if (auth.type === "api-key") {
       if (!auth.key?.trim() || !auth.value?.trim()) {
         blockers.push({
           kind: "auth-fields-missing",
-          message: "API key auth requires both name and value."
+          message: `API key auth requires both name and value.${inheritedNote}`
         });
       }
     } else if (auth.type === "custom-header") {
       if (!auth.key?.trim()) {
         blockers.push({
           kind: "auth-fields-missing",
-          message: "Custom header auth requires a header name."
+          message: `Custom header auth requires a header name.${inheritedNote}`
         });
       }
     }
@@ -2972,6 +3027,15 @@ async function executeRequest(req, opts = {}) {
     );
     const redirectMode = isBrowserRuntime() ? "follow" : "manual";
     let currentUrl = builtRequest.url;
+    try {
+      const parsedUrl = new URL(currentUrl);
+      if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+        throw new Error(`Unsupported URL scheme: ${parsedUrl.protocol}`);
+      }
+    } catch (e) {
+      if (e instanceof Error && e.message.startsWith("Unsupported URL scheme")) throw e;
+      throw new Error(`Invalid request URL: ${currentUrl}`);
+    }
     let currentHeaders = { ...builtRequest.headers };
     let currentMethod = builtRequest.method;
     let currentBody = builtRequest.body;
@@ -3270,30 +3334,6 @@ function base64UrlEncode2(bytes) {
   return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-// src/request/resolveInheritedAuth.ts
-var NONE = { type: "none" };
-function resolveInheritedAuth({
-  requestAuth,
-  folderId,
-  folders
-}) {
-  if (requestAuth.type !== "inherit") return requestAuth;
-  let cursor = folderId;
-  const visited = /* @__PURE__ */ new Set();
-  while (cursor !== null) {
-    if (visited.has(cursor)) {
-      break;
-    }
-    visited.add(cursor);
-    const folder = folders[cursor];
-    if (!folder) break;
-    const auth = folder.auth;
-    if (auth && auth.type !== "inherit" && auth.type !== "none") return auth;
-    cursor = folder.parentId;
-  }
-  return NONE;
-}
 // src/request/parseCurl.ts
 var HTTP_METHODS = /* @__PURE__ */ new Set(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]);
 function tokenizeCurl(input) {
@@ -3595,10 +3635,12 @@ function parsePostmanCollection(input) {
     items.forEach((item, idx) => {
       const pathIds = parentPathIds ? [...parentPathIds, idx] : [idx];
       if (Array.isArray(item.item)) {
+        const folderAuth = item.auth ? parseAuth(item.auth, warnings, item.name) : void 0;
         folders.push({
           name: (item.name ?? "Untitled folder").trim() || "Untitled folder",
           pathIds,
-          parentPathIds
+          parentPathIds,
+          ...folderAuth && folderAuth.type !== "none" ? { auth: folderAuth } : {}
         });
         walk(item.item, pathIds);
         return;
@@ -3839,10 +3881,12 @@ function parseInsomniaCollection(input) {
     const parentPath = r.parentId ? folderIndexById.get(r.parentId) ?? null : null;
     const ourPath = parentPath ? [...parentPath, folderCounter++] : [folderCounter++];
     folderIndexById.set(r._id ?? "", ourPath);
+    const folderAuth = r.authentication ? parseAuth2(r.authentication, warnings, r.name) : void 0;
     folders.push({
       name: (r.name ?? "Untitled folder").trim() || "Untitled folder",
       pathIds: ourPath,
-      parentPathIds: parentPath
+      parentPathIds: parentPath,
+      ...folderAuth && folderAuth.type !== "none" ? { auth: folderAuth } : {}
     });
   }
   const requests = [];
@@ -4243,7 +4287,7 @@ function serializeFolderExport(envelope) {
   return JSON.stringify(envelope, null, 2);
 }
 function suggestFolderExportFilename(envelope) {
-  const slug = envelope.folder.name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+  const slug = envelope.folder.name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-/, "").replace(/-$/, "");
   const base = slug || "folder";
   return `${base}.apicircle.json`;
 }
@@ -4869,6 +4913,140 @@ function extractContext(result, extractions) {
   return { extracted, warnings };
 }
+// src/environment/resolveRequest.ts
+import { envPriorityKey } from "@apicircle/shared";
+function resolveRequestForExecution(args) {
+  const refs = args.envPriorityOverride && args.envPriorityOverride.length > 0 ? args.envPriorityOverride : args.synced.environments.priorityOrder;
+  const flatEnvs = {};
+  for (const [name, vars] of Object.entries(args.localEnvs)) {
+    flatEnvs[envPriorityKey({ kind: "local", name })] = vars;
+  }
+  for (const [linkId, byEnv] of Object.entries(args.linkedEnvs ?? {})) {
+    for (const [envName, vars] of Object.entries(byEnv)) {
+      flatEnvs[envPriorityKey({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
+    }
+  }
+  const ctxMap = { ...args.globalContext ?? {} };
+  for (const v of args.planVariables ?? []) {
+    if (v.key) ctxMap[v.key] = v.value;
+  }
+  for (const v of args.request.contextVars) {
+    if (v.key) ctxMap[v.key] = v.value;
+  }
+  const contextVars = Object.entries(ctxMap).map(([key, value]) => ({ key, value }));
+  const scope = buildScope({
+    contextVars,
+    environments: flatEnvs,
+    activeEnvName: null,
+    // priorityOrder is the sole list the resolver consults.
+    priorityOrder: refs.map(envPriorityKey),
+    secrets: args.secrets ?? {}
+  });
+  const missing = /* @__PURE__ */ new Set();
+  const interp = (s) => {
+    const r = resolveString(s, scope);
+    for (const m of r.missing) missing.add(m);
+    return r.value;
+  };
+  const url = interp(args.request.url);
+  const headers = args.request.headers.map((h) => ({
+    ...h,
+    key: interp(h.key),
+    value: interp(h.value)
+  }));
+  const query = args.request.query.map((q) => ({
+    ...q,
+    key: interp(q.key),
+    value: interp(q.value)
+  }));
+  let body = args.request.body;
+  if (body.type === "json" || body.type === "text" || body.type === "xml" || body.type === "graphql" || body.type === "urlencoded") {
+    body = { ...body, content: interp(body.content) };
+  } else if (body.type === "form-data" && body.formRows) {
+    body = {
+      ...body,
+      formRows: body.formRows.map(
+        (row) => row.kind === "text" ? { ...row, key: interp(row.key), value: interp(row.value) } : { ...row, key: interp(row.key) }
+      )
+    };
+  }
+  const inheritedAuth = resolveInheritedAuth({
+    requestAuth: args.request.auth ?? { type: "none" },
+    folderId: args.request.folderId,
+    folders: args.synced.collections.folders
+  });
+  const auth = interpolateAuthVariables(inheritedAuth, interp);
+  return {
+    request: { ...args.request, url, headers, query, body, auth },
+    scope,
+    missing: [...missing]
+  };
+}
+function interpolateAuthVariables(auth, interp) {
+  const resolved = {};
+  for (const [key, value] of Object.entries(auth)) {
+    resolved[key] = key !== "type" && typeof value === "string" ? interp(value) : value;
+  }
+  return resolved;
+}
+function applyLinkedEnvironmentOverrides(source, linkedWorkspaceId, synced) {
+  const overrides = Object.values(synced.linkedOverrides.environmentVars).filter(
+    (o) => o.linkedWorkspaceId === linkedWorkspaceId
+  );
+  if (overrides.length === 0) return source;
+  const items = {};
+  for (const [envName, env] of Object.entries(source.items)) {
+    const envOverrides = overrides.filter((o) => o.envName === envName);
+    if (envOverrides.length === 0) {
+      items[envName] = env;
+      continue;
+    }
+    const removed = new Set(envOverrides.filter((o) => o.removed).map((o) => o.varKey));
+    const replaceMap = new Map(envOverrides.filter((o) => !o.removed).map((o) => [o.varKey, o]));
+    const variables = [];
+    const seenKeys = /* @__PURE__ */ new Set();
+    for (const v of env.variables) {
+      if (removed.has(v.key)) continue;
+      const ov = replaceMap.get(v.key);
+      if (ov) {
+        variables.push({
+          key: v.key,
+          value: ov.value ?? v.value,
+          encrypted: ov.encrypted ?? v.encrypted,
+          ...ov.secretKeyId !== void 0 ? { secretKeyId: ov.secretKeyId } : v.secretKeyId !== void 0 ? { secretKeyId: v.secretKeyId } : {}
+        });
+      } else {
+        variables.push(v);
+      }
+      seenKeys.add(v.key);
+    }
+    for (const ov of envOverrides) {
+      if (ov.removed) continue;
+      if (seenKeys.has(ov.varKey)) continue;
+      variables.push({
+        key: ov.varKey,
+        value: ov.value ?? "",
+        encrypted: ov.encrypted ?? false,
+        ...ov.secretKeyId !== void 0 ? { secretKeyId: ov.secretKeyId } : {}
+      });
+    }
+    items[envName] = { ...env, variables };
+  }
+  return { ...source, items };
+}
+function plaintextEnvMap(source) {
+  const out = {};
+  for (const [name, env] of Object.entries(source.items)) {
+    const vars = {};
+    for (const v of env.variables) {
+      if (v.encrypted) continue;
+      vars[v.key] = v.value;
+    }
+    out[name] = vars;
+  }
+  return out;
+}
 // src/secrets/crypto.ts
 var IV_BYTES = 12;
 var SALT_BYTES = 16;
@@ -4953,6 +5131,95 @@ function base64ToBytes(b64) {
   return out;
 }
+// src/secrets/passphraseKey.ts
+var PBKDF2_HASH = "SHA-256";
+var PBKDF2_ITERATIONS2 = 12e5;
+var SALT_BYTES2 = 16;
+var VERIFIER_SENTINEL = "apicircle/passphrase-verifier/v1";
+function base64Encode2(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary);
+}
+function base64Decode2(b64) {
+  const binary = atob(b64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+function utf8Bytes(s) {
+  return new TextEncoder().encode(s);
+}
+async function deriveKey(passphrase, salt, iterations) {
+  const baseKey = await crypto.subtle.importKey(
+    "raw",
+    utf8Bytes(passphrase),
+    { name: "PBKDF2" },
+    false,
+    ["deriveKey"]
+  );
+  return crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations,
+      hash: PBKDF2_HASH
+    },
+    baseKey,
+    { name: "AES-GCM", length: 256 },
+    /* extractable */
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function computeVerifier(key) {
+  const iv = new Uint8Array(12);
+  const ct = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    utf8Bytes(VERIFIER_SENTINEL)
+  );
+  return base64Encode2(new Uint8Array(ct));
+}
+async function initSecretCrypto(passphrase, iterations = PBKDF2_ITERATIONS2) {
+  if (passphrase.length === 0) throw new Error("Passphrase cannot be empty");
+  if (iterations < 1) throw new Error("iterations must be >= 1");
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES2));
+  const key = await deriveKey(passphrase, salt, iterations);
+  const verifier = await computeVerifier(key);
+  return {
+    crypto: {
+      kdf: "pbkdf2-sha256-v1",
+      salt: base64Encode2(salt),
+      iterations,
+      verifier
+    },
+    key
+  };
+}
+async function unlockSecretCrypto(passphrase, blob) {
+  if (blob.kdf !== "pbkdf2-sha256-v1") {
+    return { ok: false, reason: `Unsupported KDF: ${String(blob.kdf)}` };
+  }
+  let salt;
+  try {
+    salt = base64Decode2(blob.salt);
+  } catch {
+    return { ok: false, reason: "Workspace secret salt is corrupt." };
+  }
+  let key;
+  try {
+    key = await deriveKey(passphrase, salt, blob.iterations);
+  } catch (err) {
+    return { ok: false, reason: err instanceof Error ? err.message : "Key derivation failed" };
+  }
+  const verifier = await computeVerifier(key);
+  if (verifier !== blob.verifier) {
+    return { ok: false, reason: "Wrong passphrase." };
+  }
+  return { ok: true, key };
+}
 // src/git/branchNames.ts
 var SLUG_FALLBACK = "workspace";
 var SUFFIX_LEN = 6;
@@ -5010,6 +5277,36 @@ function sortedReplacer(_key, value) {
   return out;
 }
+// src/git/repoPaths.ts
+var WORKSPACE_DIR = ".apicircle";
+var REGISTRY_JSON_PATH = `${WORKSPACE_DIR}/registry.json`;
+function workspaceJsonPath(workspaceId) {
+  return `${WORKSPACE_DIR}/workspace-${workspaceId}/workspace.json`;
+}
+function attachmentsDir(workspaceId) {
+  return `${WORKSPACE_DIR}/workspace-${workspaceId}/attachments`;
+}
+function attachmentPath(workspaceId, slotId) {
+  return `${attachmentsDir(workspaceId)}/${slotId}`;
+}
+function parseRegistryActiveId(registryJsonContent) {
+  try {
+    const parsed = JSON.parse(registryJsonContent);
+    return parsed.activeWorkspaceId ?? parsed.workspaces?.[0]?.id ?? null;
+  } catch {
+    return null;
+  }
+}
+async function fetchRemoteWorkspaceJson(fetchFile) {
+  const registryContent = await fetchFile(REGISTRY_JSON_PATH);
+  if (registryContent === null) return { error: "No .apicircle/registry.json found in repo" };
+  const wsId = parseRegistryActiveId(registryContent);
+  if (!wsId) return { error: "Registry is empty \u2014 no workspaces found" };
+  const wsContent = await fetchFile(workspaceJsonPath(wsId));
+  if (wsContent === null) return { error: `No workspace.json at .apicircle/workspace-${wsId}/` };
+  return { workspaceId: wsId, content: wsContent };
+}
 // src/git/parseWorkspaceJson.ts
 var MAX_WORKSPACE_JSON_BYTES = 16 * 1024 * 1024;
 var FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
@@ -5266,18 +5563,14 @@ function sortVersionsDesc(versions) {
 }
 // src/release/publishRelease.ts
-async function publishRelease(synced, args) {
+async function buildReleaseEntry(synced, args) {
   const version = args.version.trim();
   if (!isValidSemver(version)) {
     throw new Error(`Invalid semver: ${args.version}`);
   }
-  const ledger = synced.releases.self ?? emptyLedger();
-  if (ledger.versions.some((v) => v.version === version)) {
-    throw new Error(`Version ${version} already exists in this workspace's release ledger`);
-  }
   const snapshotSource = serializeWorkspaceForGit(synced);
   const workspaceSnapshot = await sha256Hex2(snapshotSource);
-  const entry = {
+  return {
     version,
     publishedAt: args.publishedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
     notes: args.notes,
@@ -5287,23 +5580,36 @@ async function publishRelease(synced, args) {
     ...args.sha ? { sha: args.sha } : {},
     ...args.tagName ? { tagName: args.tagName } : {}
   };
+}
+function appendReleaseEntry(synced, entry, now = entry.publishedAt) {
+  if (!isValidSemver(entry.version)) {
+    throw new Error(`Invalid semver: ${entry.version}`);
+  }
+  const ledger = synced.releases.self ?? emptyLedger();
+  if (ledger.versions.some((v) => v.version === entry.version)) {
+    throw new Error(`Version ${entry.version} already exists in this workspace's release ledger`);
+  }
   const next = {
     versions: [...ledger.versions, entry],
-    currentVersion: version
+    currentVersion: entry.version
   };
   return {
     ...synced,
     releases: { ...synced.releases, self: next },
-    meta: { ...synced.meta, updatedAt: entry.publishedAt }
+    meta: { ...synced.meta, updatedAt: now }
   };
 }
-function deprecateRelease(synced, version) {
-  return mapReleaseVersion(synced, version, (v) => ({ ...v, deprecated: true }));
+async function publishRelease(synced, args) {
+  const entry = await buildReleaseEntry(synced, args);
+  return appendReleaseEntry(synced, entry);
+}
+function deprecateRelease(synced, version, now = (/* @__PURE__ */ new Date()).toISOString()) {
+  return mapReleaseVersion(synced, version, (v) => ({ ...v, deprecated: true }), now);
 }
-function yankRelease(synced, version) {
-  return mapReleaseVersion(synced, version, (v) => ({ ...v, yanked: true }));
+function yankRelease(synced, version, now = (/* @__PURE__ */ new Date()).toISOString()) {
+  return mapReleaseVersion(synced, version, (v) => ({ ...v, yanked: true }), now);
 }
-function mapReleaseVersion(synced, version, fn) {
+function mapReleaseVersion(synced, version, fn, now) {
   const ledger = synced.releases.self;
   if (!ledger) throw new Error("No releases to modify");
   const idx = ledger.versions.findIndex((v) => v.version === version);
@@ -5313,7 +5619,7 @@ function mapReleaseVersion(synced, version, fn) {
   return {
     ...synced,
     releases: { ...synced.releases, self: { ...ledger, versions } },
-    meta: { ...synced.meta, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }
+    meta: { ...synced.meta, updatedAt: now }
   };
 }
 function emptyLedger() {
@@ -5325,6 +5631,99 @@ async function sha256Hex2(text) {
   return [...new Uint8Array(digest)].map((b) => b.toString(16).padStart(2, "0")).join("");
 }
+// src/linked/linkedSnapshot.ts
+var LINKED_FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+var MAX_LINKED_JSON_BYTES = 16 * 1024 * 1024;
+function parseLinkedWorkspaceJson(text) {
+  if (text.length > MAX_LINKED_JSON_BYTES) {
+    throw new Error("Remote workspace.json exceeds 16 MiB");
+  }
+  let raw;
+  try {
+    raw = JSON.parse(
+      text,
+      (key, value) => LINKED_FORBIDDEN_KEYS.has(key) ? void 0 : value
+    );
+  } catch {
+    throw new Error("Remote workspace.json is not valid JSON");
+  }
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
+    throw new Error("Remote workspace.json is not an object");
+  }
+  const obj = raw;
+  const asObject = (v) => typeof v === "object" && v !== null ? v : void 0;
+  return {
+    workspaceId: typeof obj.workspaceId === "string" ? obj.workspaceId : void 0,
+    releases: asObject(obj.releases),
+    collections: asObject(obj.collections),
+    environments: asObject(obj.environments),
+    secretKeys: asObject(obj.secretKeys),
+    globalAssets: asObject(obj.globalAssets)
+  };
+}
+function ledgerFromProbe(parsed) {
+  return parsed.releases?.self ?? { versions: [], currentVersion: null };
+}
+function buildLinkedSnapshot(parsed, link) {
+  if (!parsed.collections && !parsed.environments) return null;
+  return {
+    pulledAt: link.linkedAt,
+    ref: link.pinnedVersion ? `v${link.pinnedVersion}` : `HEAD@${link.source.branch}`,
+    collections: parsed.collections ?? {
+      tree: { id: "remote-root", type: "root", children: [] },
+      requests: {},
+      folders: {}
+    },
+    environments: parsed.environments ?? {
+      items: {},
+      activeName: null,
+      priorityOrder: []
+    },
+    ...parsed.secretKeys ? { secretKeys: parsed.secretKeys } : {},
+    ...parsed.globalAssets ? { globalAssets: parsed.globalAssets } : {}
+  };
+}
+// src/linked/requestOverride.ts
+var OVERRIDABLE_FIELDS = [
+  "name",
+  "method",
+  "url",
+  "headers",
+  "query",
+  "pathParams",
+  "cookies",
+  "body",
+  "auth",
+  "contextVars",
+  "extractions",
+  "assertions"
+];
+function mergeRequestOverride(base, patch) {
+  const merged = { ...base };
+  const p = patch;
+  const target = merged;
+  for (const field of OVERRIDABLE_FIELDS) {
+    if (p[field] !== void 0) target[field] = p[field];
+  }
+  return merged;
+}
+function computeRequestOverridePatch(base, effective) {
+  const baseRec = { ...base };
+  const effRec = { ...effective };
+  const patch = {};
+  const patchRec = patch;
+  for (const field of OVERRIDABLE_FIELDS) {
+    if (JSON.stringify(baseRec[field]) !== JSON.stringify(effRec[field])) {
+      patchRec[field] = effRec[field];
+    }
+  }
+  return patch;
+}
+function isEmptyOverridePatch(patch) {
+  return Object.keys(patch).filter((k) => OVERRIDABLE_FIELDS.includes(k)).length === 0;
+}
 // src/editors/contentTypeLanguageMap.ts
 var CONTENT_TYPE_LANGUAGE_MAP = {
   "application/json": "json",
@@ -6257,7 +6656,8 @@ function previewLinkedUpdate(args) {
       status,
       base,
       target,
-      override
+      override,
+      ...status === "both-changed" && base && target && override ? { autoMergeable: requestOverrideIsDisjoint(base, target, override) } : {}
     });
   }
   const baseFolders = args.base?.collections.folders ?? {};
@@ -6337,6 +6737,34 @@ function classifyRequest(base, target, override) {
   if (sourceChanged && !hasOverride) return "source-only";
   return "both-changed";
 }
+var OVERRIDABLE_REQUEST_FIELDS = [
+  "name",
+  "method",
+  "url",
+  "headers",
+  "query",
+  "pathParams",
+  "cookies",
+  "body",
+  "auth",
+  "contextVars",
+  "extractions",
+  "assertions"
+];
+function requestOverrideIsDisjoint(base, target, override) {
+  const baseRec = { ...base };
+  const targetRec = { ...target };
+  const overriddenFields = Object.keys(override.patch);
+  for (const f of overriddenFields) {
+    if (!OVERRIDABLE_REQUEST_FIELDS.includes(f)) {
+      continue;
+    }
+    if (!structurallyEqual2(baseRec[f], targetRec[f])) {
+      return false;
+    }
+  }
+  return true;
+}
 function classifyFolder(base, target) {
   if (!base && target) return "new-in-source";
   if (base && !target) return "removed-in-source";
@@ -6386,7 +6814,7 @@ function applyLinkedUpdate(args) {
       continue;
     }
     if (entry.status === "both-changed") {
-      const choice = args.resolutions[id];
+      const choice = args.resolutions[id] ?? (entry.autoMergeable ? "mine" : void 0);
       if (!choice) {
         throw new Error(
           `applyLinkedUpdate: unresolved both-changed entry "${entry.label}" (${id})`
@@ -6397,7 +6825,8 @@ function applyLinkedUpdate(args) {
         else if (entry.bucket === "environment-var") envVarOverridesByKey.delete(entry.key);
         log.push({ entryKey: id, bucket: entry.bucket, action: "accept-source" });
       } else {
-        log.push({ entryKey: id, bucket: entry.bucket, action: "keep-mine" });
+        const auto = entry.autoMergeable === true && !args.resolutions[id];
+        log.push({ entryKey: id, bucket: entry.bucket, action: auto ? "auto-merge" : "keep-mine" });
       }
     }
   }
@@ -6413,7 +6842,7 @@ function structurallyEqual2(a, b) {
 }
 // src/workspace/applyMutation.ts
-import { envPriorityKey, generateId as generateId2 } from "@apicircle/shared";
+import { envPriorityKey as envPriorityKey2, generateId as generateId2 } from "@apicircle/shared";
 // src/workspace/apicircleFolderImport.ts
 function importApicircleFolderInto(synced, parsed, parentFolderId) {
@@ -6654,6 +7083,8 @@ function applyMutation(state, patch, options = {}) {
       return applyFolderDelete(state, patch.id, now);
     case "folder.move":
       return applyFolderMove(state, patch.id, patch.newParentId, now);
+    case "folder.update":
+      return applyFolderUpdate(state, patch.id, patch.patch, now);
     case "folder.import_apicircle":
       return applyFolderImportApicircle(state, patch.parsed, patch.parentFolderId, now);
     case "environment.upsert":
@@ -6666,6 +7097,10 @@ function applyMutation(state, patch, options = {}) {
       return applyEnvSetPriority(state, patch.order, now);
     case "secretKey.upsert":
       return applySecretKeyUpsert(state, patch.meta, now);
+    case "secret.crypto.set":
+      return applySecretCryptoSet(state, patch.crypto, now);
+    case "secret.crypto.clear":
+      return applySecretCryptoClear(state, now);
     case "assertion.upsert":
       return applyAssertionUpsert(state, patch.requestId, patch.assertion, now);
     case "assertion.delete":
@@ -6674,6 +7109,46 @@ function applyMutation(state, patch, options = {}) {
       return applyMockUpsert(state, patch.mock, now);
     case "mock.delete":
       return applyMockDelete(state, patch.id, now);
+    case "release.publish":
+      return applyReleasePublish(state, patch.entry, now);
+    case "release.deprecate":
+      return applyReleaseDeprecate(state, patch.version, now);
+    case "release.yank":
+      return applyReleaseYank(state, patch.version, now);
+    case "linkedWorkspace.upsert":
+      return applyLinkedWorkspaceUpsert(state, patch.link, patch.ledger, patch.snapshot, now);
+    case "linkedWorkspace.remove":
+      return applyLinkedWorkspaceRemove(state, patch.id, now);
+    case "linkedWorkspace.applyUpdate":
+      return applyLinkedWorkspaceApplyUpdate(state, patch, now);
+    case "linkedOverride.setRequest":
+      return applyLinkedOverrideSetRequest(state, patch.override, now);
+    case "linkedOverride.removeRequest":
+      return applyLinkedOverrideRemoveRequest(state, patch.linkedWorkspaceId, patch.itemId, now);
+    case "linkedOverride.setEnvVar":
+      return applyLinkedOverrideSetEnvVar(state, patch.override, now);
+    case "linkedOverride.removeEnvVar":
+      return applyLinkedOverrideRemoveEnvVar(
+        state,
+        patch.linkedWorkspaceId,
+        patch.envName,
+        patch.varKey,
+        now
+      );
+    case "linkedOverride.clearForLink":
+      return applyLinkedOverrideClearForLink(state, patch.linkedWorkspaceId, now);
+    case "globalAsset.upsertFile":
+      return applyGlobalAssetUpsertFile(state, patch.file, now);
+    case "globalAsset.removeFile":
+      return applyGlobalAssetRemoveFile(state, patch.id, now);
+    case "globalAsset.markPushed":
+      return applyGlobalAssetMarkPushed(state, patch.id, patch.ref, now);
+    case "globalAsset.markMerged":
+      return applyGlobalAssetMarkMerged(state, patch.id, patch.ref, now);
+    case "globalAsset.cleanupWorkingRef":
+      return applyGlobalAssetCleanupWorkingRef(state, patch.id, now);
+    case "globalAsset.invalidateRef":
+      return applyGlobalAssetInvalidateRef(state, patch.id, patch.which, now);
     case "plan.upsert":
       return applyPlanUpsert(state, patch.plan, now);
     case "plan.delete":
@@ -6698,12 +7173,13 @@ function applyRequestCreate(state, request, now) {
   if (state.synced.collections.requests[request.id]) {
     return { next: state, changedIds: [] };
   }
+  const tree = request.folderId ? state.synced.collections.tree : pushTreeChild(state.synced.collections.tree, { kind: "request", id: request.id });
   const synced = {
     ...state.synced,
     collections: {
       ...state.synced.collections,
       requests: { ...state.synced.collections.requests, [request.id]: request },
-      tree: pushTreeChild(state.synced.collections.tree, { kind: "request", id: request.id })
+      tree
     },
     meta: { ...state.synced.meta, updatedAt: now }
   };
@@ -6752,12 +7228,13 @@ function applyFolderCreate(state, folder, now) {
   if (state.synced.collections.folders[folder.id]) {
     return { next: state, changedIds: [] };
   }
+  const tree = folder.parentId ? state.synced.collections.tree : pushTreeChild(state.synced.collections.tree, { kind: "folder", id: folder.id });
   const synced = {
     ...state.synced,
     collections: {
       ...state.synced.collections,
       folders: { ...state.synced.collections.folders, [folder.id]: folder },
-      tree: pushTreeChild(state.synced.collections.tree, { kind: "folder", id: folder.id })
+      tree
     },
     meta: { ...state.synced.meta, updatedAt: now }
   };
@@ -6826,6 +7303,57 @@ function applyFolderMove(state, id, newParentId, now) {
   };
   return { next: { ...state, synced }, changedIds: [id] };
 }
+function applyFolderUpdate(state, id, patch, now) {
+  const folder = state.synced.collections.folders[id];
+  if (!folder) {
+    return { next: state, changedIds: [] };
+  }
+  const nameChanging = "name" in patch && patch.name !== void 0;
+  const authChanging = "auth" in patch;
+  if (!nameChanging && !authChanging) {
+    return { next: state, changedIds: [] };
+  }
+  let nextName = folder.name;
+  if (nameChanging) {
+    const trimmed = patch.name.trim();
+    if (!trimmed) {
+    } else if (trimmed === folder.name) {
+    } else if (!isFolderNameUnique(state, folder.parentId, trimmed, id)) {
+      return { next: state, changedIds: [] };
+    } else {
+      nextName = trimmed;
+    }
+  }
+  const nextFolder = { ...folder, name: nextName };
+  if (authChanging) {
+    if (patch.auth === void 0) {
+      delete nextFolder.auth;
+    } else {
+      nextFolder.auth = patch.auth;
+    }
+  }
+  if (nextFolder.name === folder.name && nextFolder.auth === folder.auth) {
+    return { next: state, changedIds: [] };
+  }
+  const synced = {
+    ...state.synced,
+    collections: {
+      ...state.synced.collections,
+      folders: { ...state.synced.collections.folders, [id]: nextFolder }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [id] };
+}
+function isFolderNameUnique(state, parentId, trimmedCandidate, ignoreId) {
+  const target = trimmedCandidate.toLowerCase();
+  for (const f of Object.values(state.synced.collections.folders)) {
+    if (f.id === ignoreId) continue;
+    if (f.parentId !== parentId) continue;
+    if (f.name.trim().toLowerCase() === target) return false;
+  }
+  return true;
+}
 function applyFolderImportApicircle(state, parsed, parentFolderId, now) {
   const result = importApicircleFolderInto(
     state.synced,
@@ -6905,7 +7433,7 @@ function applyEnvSetPriority(state, order, now) {
   const knownLocal = new Set(Object.keys(state.synced.environments.items));
   const seen = /* @__PURE__ */ new Set();
   const filtered = order.filter((ref) => {
-    const key = envPriorityKey(ref);
+    const key = envPriorityKey2(ref);
     if (seen.has(key)) return false;
     if (ref.kind === "local" && !knownLocal.has(ref.name)) return false;
     seen.add(key);
@@ -6916,7 +7444,7 @@ function applyEnvSetPriority(state, order, now) {
     environments: { ...state.synced.environments, priorityOrder: filtered },
     meta: { ...state.synced.meta, updatedAt: now }
   };
-  return { next: { ...state, synced }, changedIds: filtered.map(envPriorityKey) };
+  return { next: { ...state, synced }, changedIds: filtered.map(envPriorityKey2) };
 }
 function applySecretKeyUpsert(state, meta, now) {
   if (!meta.id || !meta.label.trim() || !meta.salt) {
@@ -6932,6 +7460,28 @@ function applySecretKeyUpsert(state, meta, now) {
   };
   return { next: { ...state, synced }, changedIds: [meta.id] };
 }
+function applySecretCryptoSet(state, crypto2, now) {
+  if (!crypto2 || crypto2.kdf !== "pbkdf2-sha256-v1" || !crypto2.salt || !crypto2.verifier || !(crypto2.iterations >= 1)) {
+    return { next: state, changedIds: [] };
+  }
+  const synced = {
+    ...state.synced,
+    secretCrypto: { ...crypto2 },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: ["secret.crypto"] };
+}
+function applySecretCryptoClear(state, now) {
+  if (!state.synced.secretCrypto) {
+    return { next: state, changedIds: [] };
+  }
+  const synced = {
+    ...state.synced,
+    secretCrypto: null,
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: ["secret.crypto"] };
+}
 function applyAssertionUpsert(state, requestId, assertion, now) {
   const request = state.synced.collections.requests[requestId];
   if (!request) {
@@ -6989,6 +7539,340 @@ function applyMockDelete(state, id, now) {
   } : state.local;
   return { next: { synced, local }, changedIds: [id] };
 }
+function applyReleasePublish(state, entry, now) {
+  const synced = appendReleaseEntry(state.synced, entry, now);
+  return { next: { ...state, synced }, changedIds: [entry.version] };
+}
+function applyReleaseDeprecate(state, version, now) {
+  const synced = deprecateRelease(state.synced, version, now);
+  return { next: { ...state, synced }, changedIds: [version] };
+}
+function applyReleaseYank(state, version, now) {
+  const synced = yankRelease(state.synced, version, now);
+  return { next: { ...state, synced }, changedIds: [version] };
+}
+function applyLinkedWorkspaceUpsert(state, link, ledger, snapshot2, now) {
+  const synced = {
+    ...state.synced,
+    linkedWorkspaces: { ...state.synced.linkedWorkspaces, [link.id]: link },
+    releases: ledger ? {
+      ...state.synced.releases,
+      perLink: { ...state.synced.releases.perLink, [link.id]: ledger }
+    } : state.synced.releases,
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  const local = snapshot2 ? {
+    ...state.local,
+    linkedCollections: { ...state.local.linkedCollections, [link.id]: snapshot2 }
+  } : state.local;
+  return { next: { synced, local }, changedIds: [link.id] };
+}
+function applyLinkedWorkspaceRemove(state, id, now) {
+  if (!state.synced.linkedWorkspaces[id]) {
+    return { next: state, changedIds: [] };
+  }
+  const linkedWorkspaces = { ...state.synced.linkedWorkspaces };
+  delete linkedWorkspaces[id];
+  const perLink = { ...state.synced.releases.perLink };
+  delete perLink[id];
+  const prefix = `${id}:`;
+  const dropPrefixed = (map) => Object.fromEntries(Object.entries(map).filter(([k]) => !k.startsWith(prefix)));
+  const synced = {
+    ...state.synced,
+    linkedWorkspaces,
+    releases: { ...state.synced.releases, perLink },
+    linkedOverrides: {
+      requests: dropPrefixed(state.synced.linkedOverrides.requests),
+      environmentVars: dropPrefixed(state.synced.linkedOverrides.environmentVars)
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  const linkedCollections = { ...state.local.linkedCollections };
+  delete linkedCollections[id];
+  const githubLinks = { ...state.local.sessions.github.links };
+  delete githubLinks[id];
+  const local = {
+    ...state.local,
+    linkedCollections,
+    sessions: {
+      ...state.local.sessions,
+      github: { ...state.local.sessions.github, links: githubLinks }
+    }
+  };
+  return { next: { synced, local }, changedIds: [id] };
+}
+function applyLinkedWorkspaceApplyUpdate(state, patch, now) {
+  const link = state.synced.linkedWorkspaces[patch.id];
+  if (!link) {
+    return { next: state, changedIds: [] };
+  }
+  const prefix = `${patch.id}:`;
+  const otherRequests = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.requests).filter(([k]) => !k.startsWith(prefix))
+  );
+  for (const o of patch.requestOverrides) {
+    otherRequests[`${o.linkedWorkspaceId}:${o.itemId}`] = o;
+  }
+  const otherEnvVars = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.environmentVars).filter(
+      ([k]) => !k.startsWith(prefix)
+    )
+  );
+  for (const o of patch.envVarOverrides) {
+    otherEnvVars[`${o.linkedWorkspaceId}:${o.envName}:${o.varKey}`] = o;
+  }
+  const synced = {
+    ...state.synced,
+    linkedWorkspaces: {
+      ...state.synced.linkedWorkspaces,
+      [patch.id]: { ...link, pinnedVersion: patch.pinnedVersion }
+    },
+    releases: {
+      ...state.synced.releases,
+      perLink: { ...state.synced.releases.perLink, [patch.id]: patch.ledger }
+    },
+    linkedOverrides: { requests: otherRequests, environmentVars: otherEnvVars },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  const local = {
+    ...state.local,
+    linkedCollections: { ...state.local.linkedCollections, [patch.id]: patch.snapshot }
+  };
+  return { next: { synced, local }, changedIds: [patch.id] };
+}
+function applyLinkedOverrideSetRequest(state, override, now) {
+  const key = `${override.linkedWorkspaceId}:${override.itemId}`;
+  const synced = {
+    ...state.synced,
+    linkedOverrides: {
+      ...state.synced.linkedOverrides,
+      requests: {
+        ...state.synced.linkedOverrides.requests,
+        [key]: { ...override, updatedAt: now }
+      }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideRemoveRequest(state, linkedWorkspaceId, itemId, now) {
+  const key = `${linkedWorkspaceId}:${itemId}`;
+  if (!state.synced.linkedOverrides.requests[key]) {
+    return { next: state, changedIds: [] };
+  }
+  const requests = { ...state.synced.linkedOverrides.requests };
+  delete requests[key];
+  const synced = {
+    ...state.synced,
+    linkedOverrides: { ...state.synced.linkedOverrides, requests },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideSetEnvVar(state, override, now) {
+  const key = `${override.linkedWorkspaceId}:${override.envName}:${override.varKey}`;
+  const synced = {
+    ...state.synced,
+    linkedOverrides: {
+      ...state.synced.linkedOverrides,
+      environmentVars: {
+        ...state.synced.linkedOverrides.environmentVars,
+        [key]: { ...override, updatedAt: now }
+      }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideRemoveEnvVar(state, linkedWorkspaceId, envName, varKey, now) {
+  const key = `${linkedWorkspaceId}:${envName}:${varKey}`;
+  if (!state.synced.linkedOverrides.environmentVars[key]) {
+    return { next: state, changedIds: [] };
+  }
+  const environmentVars = { ...state.synced.linkedOverrides.environmentVars };
+  delete environmentVars[key];
+  const synced = {
+    ...state.synced,
+    linkedOverrides: { ...state.synced.linkedOverrides, environmentVars },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideClearForLink(state, linkedWorkspaceId, now) {
+  const prefix = `${linkedWorkspaceId}:`;
+  const requestKeys = Object.keys(state.synced.linkedOverrides.requests).filter(
+    (k) => k.startsWith(prefix)
+  );
+  const envKeys = Object.keys(state.synced.linkedOverrides.environmentVars).filter(
+    (k) => k.startsWith(prefix)
+  );
+  if (requestKeys.length === 0 && envKeys.length === 0) {
+    return { next: state, changedIds: [] };
+  }
+  const requests = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.requests).filter(([k]) => !k.startsWith(prefix))
+  );
+  const environmentVars = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.environmentVars).filter(
+      ([k]) => !k.startsWith(prefix)
+    )
+  );
+  const synced = {
+    ...state.synced,
+    linkedOverrides: { requests, environmentVars },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [...requestKeys, ...envKeys] };
+}
+function applyGlobalAssetUpsertFile(state, file, now) {
+  const files = state.synced.globalAssets.files ?? {};
+  const existing = files[file.id];
+  const next = {
+    ...file,
+    workingBranchRef: file.workingBranchRef !== void 0 ? file.workingBranchRef : existing?.workingBranchRef,
+    baseBranchRef: file.baseBranchRef !== void 0 ? file.baseBranchRef : existing?.baseBranchRef,
+    updatedAt: now
+  };
+  const synced = {
+    ...state.synced,
+    globalAssets: {
+      ...state.synced.globalAssets,
+      files: { ...files, [file.id]: next }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [file.id] };
+}
+function applyGlobalAssetRemoveFile(state, id, now) {
+  const files = state.synced.globalAssets.files ?? {};
+  if (!files[id]) {
+    return { next: state, changedIds: [] };
+  }
+  const { [id]: _drop, ...rest } = files;
+  void _drop;
+  const requests = { ...state.synced.collections.requests };
+  for (const [reqId, req] of Object.entries(requests)) {
+    const body = clearAssetFromRequestBody(req.body, id);
+    if (body !== req.body) requests[reqId] = { ...req, body, updatedAt: now };
+  }
+  const mockServers = { ...state.synced.mockServers };
+  for (const [serverId, server] of Object.entries(mockServers)) {
+    let touchedServer = false;
+    const endpoints = server.endpoints.map((endpoint) => {
+      let touched = false;
+      const defaultResponse = clearAssetFromMockResponse(endpoint.defaultResponse, id);
+      if (defaultResponse !== endpoint.defaultResponse) touched = true;
+      const requestValidation = endpoint.requestValidation.map((rule) => {
+        const failResponse = clearAssetFromMockResponse(rule.failResponse, id);
+        if (failResponse === rule.failResponse) return rule;
+        touched = true;
+        return { ...rule, failResponse };
+      });
+      const responseRules = endpoint.responseRules.map((rule) => {
+        const response = clearAssetFromMockResponse(rule.response, id);
+        if (response === rule.response) return rule;
+        touched = true;
+        return { ...rule, response };
+      });
+      if (!touched) return endpoint;
+      touchedServer = true;
+      return { ...endpoint, defaultResponse, requestValidation, responseRules };
+    });
+    if (touchedServer) {
+      const source = server.source.kind === "manual" ? { kind: "manual", endpoints } : server.source;
+      mockServers[serverId] = { ...server, source, endpoints, updatedAt: now };
+    }
+  }
+  let local = state.local;
+  if (local.pendingFileUploads && local.pendingFileUploads[id]) {
+    const nextPending = { ...local.pendingFileUploads };
+    delete nextPending[id];
+    local = { ...local, pendingFileUploads: nextPending };
+  }
+  if (local.assetUsageIndex && local.assetUsageIndex[id]) {
+    const nextUsage = { ...local.assetUsageIndex };
+    delete nextUsage[id];
+    local = { ...local, assetUsageIndex: nextUsage };
+  }
+  const existing = files[id];
+  const hadRemoteRef = Boolean(existing.workingBranchRef || existing.baseBranchRef);
+  if (hadRemoteRef && !(local.pendingAttachmentDeletes ?? []).includes(existing.slotId)) {
+    local = {
+      ...local,
+      pendingAttachmentDeletes: [...local.pendingAttachmentDeletes ?? [], existing.slotId]
+    };
+  }
+  const synced = {
+    ...state.synced,
+    collections: { ...state.synced.collections, requests },
+    mockServers,
+    globalAssets: { ...state.synced.globalAssets, files: rest },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { synced, local }, changedIds: [id] };
+}
+function applyGlobalAssetMarkPushed(state, id, ref, now) {
+  return mutateAssetRef(state, id, now, (asset) => ({ ...asset, workingBranchRef: ref }));
+}
+function applyGlobalAssetMarkMerged(state, id, ref, now) {
+  return mutateAssetRef(state, id, now, (asset) => ({ ...asset, baseBranchRef: ref }));
+}
+function applyGlobalAssetCleanupWorkingRef(state, id, now) {
+  return mutateAssetRef(state, id, now, (asset) => {
+    if (!asset.workingBranchRef) return asset;
+    return { ...asset, workingBranchRef: null };
+  });
+}
+function applyGlobalAssetInvalidateRef(state, id, which, now) {
+  return mutateAssetRef(state, id, now, (asset) => {
+    if (which === "working") {
+      if (!asset.workingBranchRef) return asset;
+      return { ...asset, workingBranchRef: null };
+    }
+    if (!asset.baseBranchRef) return asset;
+    return { ...asset, baseBranchRef: null };
+  });
+}
+function mutateAssetRef(state, id, now, transform) {
+  const files = state.synced.globalAssets.files ?? {};
+  const existing = files[id];
+  if (!existing) return { next: state, changedIds: [] };
+  const updated = transform(existing);
+  if (updated === existing) return { next: state, changedIds: [] };
+  const next = { ...updated, updatedAt: now };
+  const synced = {
+    ...state.synced,
+    globalAssets: {
+      ...state.synced.globalAssets,
+      files: { ...files, [id]: next }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [id] };
+}
+function clearAssetFromRequestBody(body, id) {
+  if (body.type === "binary" && body.attachment?.globalFileAssetId === id) {
+    return { type: "binary", content: "" };
+  }
+  if (body.type !== "form-data" || !body.formRows) return body;
+  let touched = false;
+  const formRows = body.formRows.map((row) => {
+    if (row.kind !== "file" || row.globalFileAssetId !== id) return row;
+    touched = true;
+    return { kind: "file", key: row.key, enabled: row.enabled, slotId: null };
+  });
+  return touched ? { ...body, formRows } : body;
+}
+function clearAssetFromMockResponse(response, id) {
+  const body = clearAssetFromMockBody(response.body, id);
+  return body === response.body ? response : { ...response, body };
+}
+function clearAssetFromMockBody(body, id) {
+  if (body.type === "binary" && body.attachment?.globalFileAssetId === id) {
+    return { type: "binary", content: "" };
+  }
+  return body;
+}
 function applyPlanUpsert(state, plan, now) {
   const existing = state.local.executionPlans[plan.id];
   const merged = existing ? { ...existing, ...plan, id: existing.id, createdAt: existing.createdAt, updatedAt: now } : { ...plan, updatedAt: now };
@@ -7163,7 +8047,7 @@ function applyHistoryPurge(state, olderThanMs) {
 }
 // src/workspace/runPlan.ts
-import { envPriorityKey as envPriorityKey2, generateId as generateId3, RUN_BODY_PREVIEW_LIMIT } from "@apicircle/shared";
+import { envPriorityKey as envPriorityKey3, generateId as generateId3, RUN_BODY_PREVIEW_LIMIT } from "@apicircle/shared";
 var MAX_REQUEST_RUNS = 500;
 var MAX_PLAN_RUNS = 200;
 var ANONYMOUS_ACTOR = { kind: "unknown", name: "unknown" };
@@ -7229,22 +8113,6 @@ function lookupPlanStepRequest(step, synced, local) {
     linkedGlobalAssets: snapshot2.globalAssets
   };
 }
-function mergeRequestOverride(base, patch) {
-  const merged = { ...base };
-  if (patch.name !== void 0) merged.name = patch.name;
-  if (patch.method !== void 0) merged.method = patch.method;
-  if (patch.url !== void 0) merged.url = patch.url;
-  if (patch.headers !== void 0) merged.headers = patch.headers;
-  if (patch.query !== void 0) merged.query = patch.query;
-  if (patch.pathParams !== void 0) merged.pathParams = patch.pathParams;
-  if (patch.cookies !== void 0) merged.cookies = patch.cookies;
-  if (patch.body !== void 0) merged.body = patch.body;
-  if (patch.auth !== void 0) merged.auth = patch.auth;
-  if (patch.contextVars !== void 0) merged.contextVars = patch.contextVars;
-  if (patch.extractions !== void 0) merged.extractions = patch.extractions;
-  if (patch.assertions !== void 0) merged.assertions = patch.assertions;
-  return merged;
-}
 function applyEnvironmentOverrides(source, linkedWorkspaceId, synced) {
   const overrides = Object.values(synced.linkedOverrides.environmentVars).filter(
     (override) => override.linkedWorkspaceId === linkedWorkspaceId
@@ -7461,7 +8329,7 @@ function buildEnvMaps(synced, secretsById, local) {
         vars[v.key] = v.value;
       }
     }
-    flat[envPriorityKey2({ kind: "local", name })] = vars;
+    flat[envPriorityKey3({ kind: "local", name })] = vars;
   }
   if (local) {
     for (const [linkId, snapshot2] of Object.entries(local.linkedCollections)) {
@@ -7478,7 +8346,7 @@ function buildEnvMaps(synced, secretsById, local) {
             vars[variable.key] = variable.value;
           }
         }
-        flat[envPriorityKey2({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
+        flat[envPriorityKey3({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
       }
     }
   }
@@ -7505,7 +8373,7 @@ function resolveRequest(request, synced, plan, envRefs, globalContext, flatEnvs,
     contextVars: Object.entries(ctxMap).map(([key, value]) => ({ key, value })),
     environments: flatEnvs,
     activeEnvName: null,
-    priorityOrder: envRefs.map(envPriorityKey2),
+    priorityOrder: envRefs.map(envPriorityKey3),
     secrets: secretsByLabel
   });
   const missing = /* @__PURE__ */ new Set();
@@ -7887,22 +8755,30 @@ export {
   HTTP_HEADERS_MAP,
   OAuth2TokenError,
   PlanRunDeniedError,
+  REGISTRY_JSON_PATH,
   RemoteWorkspaceParseError,
   TRANSFORM_FORMAT_LABELS,
+  WORKSPACE_DIR,
+  appendReleaseEntry,
   applyAuth,
   applyAwsSigV4,
   applyContentTypeForBodyType,
+  applyLinkedEnvironmentOverrides,
   applyLinkedUpdate,
   applyMerge,
   applyMutation,
   applyPathParams,
   assertNoPlaintextCredentials,
+  attachmentPath,
+  attachmentsDir,
   buildAuthorizeUrl,
   buildAutoHeaders,
   buildDigestAuthHeader,
   buildHawkAuthHeader,
+  buildLinkedSnapshot,
   buildNtlmType1Negotiate,
   buildNtlmType3Authenticate,
+  buildReleaseEntry,
   buildRequest,
   buildScope,
   collectAttachmentSlots,
@@ -7916,6 +8792,7 @@ export {
   composeUrl,
   composeUrlWithQuery,
   computeCodeChallenge,
+  computeRequestOverridePatch,
   computeThreeWayDiff,
   computeTransformSavings,
   decryptString,
@@ -7928,6 +8805,7 @@ export {
   exportKey,
   extractContext,
   fetchOAuth2Token,
+  fetchRemoteWorkspaceJson,
   findPathPlaceholders,
   generateAesKey,
   generateCodeVerifier,
@@ -7945,14 +8823,18 @@ export {
   hasUnpushedChanges,
   importApicircleFolderInto,
   importKey,
+  initSecretCrypto,
   isApicircleEnvironment,
   isApicircleFolderExport,
   isDesktop,
+  isEmptyOverridePatch,
   isInsomniaExport,
   isPostmanEnvironment,
   isPostmanV2Collection,
   isValidSemver,
+  ledgerFromProbe,
   lookup,
+  mergeRequestOverride,
   mergeWithAutoHeaders,
   normalizeContentType,
   parseApicircleEnvironment,
@@ -7963,12 +8845,15 @@ export {
   parseDigestChallenge,
   parseGraphqlSchema,
   parseInsomniaCollection,
+  parseLinkedWorkspaceJson,
   parseNtlmType2Challenge,
   parsePostmanCollection,
   parsePostmanEnvironment,
+  parseRegistryActiveId,
   parseSemver,
   parseUrlQuery,
   parseWorkspaceJson,
+  plaintextEnvMap,
   pollDeviceFlow,
   preSendValidation,
   previewLinkedUpdate,
@@ -7981,6 +8866,7 @@ export {
   requestRunToExecutionResult,
   resolveInheritedAuth,
   resolvePlanRef,
+  resolveRequestForExecution,
   resolveString,
   resolveStringMap,
   runAssertions,
@@ -8002,7 +8888,9 @@ export {
   toYaml,
   tokenizeCurl,
   tryParsePayload,
+  unlockSecretCrypto,
   validateBranchName,
+  workspaceJsonPath,
   yankRelease
 };
 //# sourceMappingURL=index.js.map