@apicircle/core 1.0.9 → 1.1.0

package/dist/index.cjs

@@ -22,31 +22,35 @@ var src_exports = {};
 __export(src_exports, {
   ANONYMOUS_ACTOR: () => ANONYMOUS_ACTOR,
   APICIRCLE_FOLDER_EXPORT_FORMAT: () => APICIRCLE_FOLDER_EXPORT_FORMAT,
-  ATTACHMENTS_DIR: () => ATTACHMENTS_DIR,
   DESKTOP_APP_ORIGIN: () => DESKTOP_APP_ORIGIN,
   EMPTY_UNPUSHED_SUMMARY: () => EMPTY_UNPUSHED_SUMMARY,
   HTTP_HEADERS_MAP: () => HTTP_HEADERS_MAP,
   OAuth2TokenError: () => OAuth2TokenError,
   PlanRunDeniedError: () => PlanRunDeniedError,
+  REGISTRY_JSON_PATH: () => REGISTRY_JSON_PATH,
   RemoteWorkspaceParseError: () => RemoteWorkspaceParseError,
   TRANSFORM_FORMAT_LABELS: () => TRANSFORM_FORMAT_LABELS,
   WORKSPACE_DIR: () => WORKSPACE_DIR,
-  WORKSPACE_JSON_PATH: () => WORKSPACE_JSON_PATH,
+  appendReleaseEntry: () => appendReleaseEntry,
   applyAuth: () => applyAuth,
   applyAwsSigV4: () => applyAwsSigV4,
   applyContentTypeForBodyType: () => applyContentTypeForBodyType,
+  applyLinkedEnvironmentOverrides: () => applyLinkedEnvironmentOverrides,
   applyLinkedUpdate: () => applyLinkedUpdate,
   applyMerge: () => applyMerge,
   applyMutation: () => applyMutation,
   applyPathParams: () => applyPathParams,
   assertNoPlaintextCredentials: () => assertNoPlaintextCredentials,
   attachmentPath: () => attachmentPath,
+  attachmentsDir: () => attachmentsDir,
   buildAuthorizeUrl: () => buildAuthorizeUrl,
   buildAutoHeaders: () => buildAutoHeaders,
   buildDigestAuthHeader: () => buildDigestAuthHeader,
   buildHawkAuthHeader: () => buildHawkAuthHeader,
+  buildLinkedSnapshot: () => buildLinkedSnapshot,
   buildNtlmType1Negotiate: () => buildNtlmType1Negotiate,
   buildNtlmType3Authenticate: () => buildNtlmType3Authenticate,
+  buildReleaseEntry: () => buildReleaseEntry,
   buildRequest: () => buildRequest,
   buildScope: () => buildScope,
   collectAttachmentSlots: () => collectAttachmentSlots,
@@ -60,6 +64,7 @@ __export(src_exports, {
   composeUrl: () => composeUrl,
   composeUrlWithQuery: () => composeUrlWithQuery,
   computeCodeChallenge: () => computeCodeChallenge,
+  computeRequestOverridePatch: () => computeRequestOverridePatch,
   computeThreeWayDiff: () => computeThreeWayDiff,
   computeTransformSavings: () => computeTransformSavings,
   decryptString: () => decryptString,
@@ -72,6 +77,7 @@ __export(src_exports, {
   exportKey: () => exportKey,
   extractContext: () => extractContext,
   fetchOAuth2Token: () => fetchOAuth2Token,
+  fetchRemoteWorkspaceJson: () => fetchRemoteWorkspaceJson,
   findPathPlaceholders: () => findPathPlaceholders,
   generateAesKey: () => generateAesKey,
   generateCodeVerifier: () => generateCodeVerifier,
@@ -89,14 +95,18 @@ __export(src_exports, {
   hasUnpushedChanges: () => hasUnpushedChanges,
   importApicircleFolderInto: () => importApicircleFolderInto,
   importKey: () => importKey,
+  initSecretCrypto: () => initSecretCrypto,
   isApicircleEnvironment: () => isApicircleEnvironment,
   isApicircleFolderExport: () => isApicircleFolderExport,
   isDesktop: () => isDesktop,
+  isEmptyOverridePatch: () => isEmptyOverridePatch,
   isInsomniaExport: () => isInsomniaExport,
   isPostmanEnvironment: () => isPostmanEnvironment,
   isPostmanV2Collection: () => isPostmanV2Collection,
   isValidSemver: () => isValidSemver,
+  ledgerFromProbe: () => ledgerFromProbe,
   lookup: () => lookup,
+  mergeRequestOverride: () => mergeRequestOverride,
   mergeWithAutoHeaders: () => mergeWithAutoHeaders,
   normalizeContentType: () => normalizeContentType,
   parseApicircleEnvironment: () => parseApicircleEnvironment,
@@ -107,12 +117,15 @@ __export(src_exports, {
   parseDigestChallenge: () => parseDigestChallenge,
   parseGraphqlSchema: () => parseGraphqlSchema,
   parseInsomniaCollection: () => parseInsomniaCollection,
+  parseLinkedWorkspaceJson: () => parseLinkedWorkspaceJson,
   parseNtlmType2Challenge: () => parseNtlmType2Challenge,
   parsePostmanCollection: () => parsePostmanCollection,
   parsePostmanEnvironment: () => parsePostmanEnvironment,
+  parseRegistryActiveId: () => parseRegistryActiveId,
   parseSemver: () => parseSemver,
   parseUrlQuery: () => parseUrlQuery,
   parseWorkspaceJson: () => parseWorkspaceJson,
+  plaintextEnvMap: () => plaintextEnvMap,
   pollDeviceFlow: () => pollDeviceFlow,
   preSendValidation: () => preSendValidation,
   previewLinkedUpdate: () => previewLinkedUpdate,
@@ -125,6 +138,7 @@ __export(src_exports, {
   requestRunToExecutionResult: () => requestRunToExecutionResult,
   resolveInheritedAuth: () => resolveInheritedAuth,
   resolvePlanRef: () => resolvePlanRef,
+  resolveRequestForExecution: () => resolveRequestForExecution,
   resolveString: () => resolveString,
   resolveStringMap: () => resolveStringMap,
   runAssertions: () => runAssertions,
@@ -146,7 +160,9 @@ __export(src_exports, {
   toYaml: () => toYaml,
   tokenizeCurl: () => tokenizeCurl,
   tryParsePayload: () => tryParsePayload,
+  unlockSecretCrypto: () => unlockSecretCrypto,
   validateBranchName: () => validateBranchName,
+  workspaceJsonPath: () => workspaceJsonPath,
   yankRelease: () => yankRelease
 });
 module.exports = __toCommonJS(src_exports);
@@ -1207,8 +1223,7 @@ async function importPkcs8(pem, algorithm) {
       "JWT: PKCS#1 RSA PEM (`BEGIN RSA PRIVATE KEY`) is not supported. Convert with `openssl pkcs8 -topk8 -in key.pem -out pkcs8.pem -nocrypt`."
     );
   }
-  const envelope = /-----BEGIN [A-Z ]+-----([\s\S]*?)-----END [A-Z ]+-----/.exec(pem);
-  const body = envelope ? envelope[1] : pem;
+  const body = extractPemBody(pem);
   const stripped = body.replace(/\s+/g, "");
   if (!stripped) {
     throw new Error("JWT: PEM key is empty after stripping headers/whitespace");
@@ -1229,6 +1244,19 @@ async function importPkcs8(pem, algorithm) {
     ["sign"]
   );
 }
+function extractPemBody(pem) {
+  const BEGIN = "-----BEGIN ";
+  const END = "-----END ";
+  const FENCE = "-----";
+  const beginAt = pem.indexOf(BEGIN);
+  if (beginAt === -1) return pem;
+  const beginHeaderEnd = pem.indexOf(FENCE, beginAt + BEGIN.length);
+  if (beginHeaderEnd === -1) return pem;
+  const bodyStart = beginHeaderEnd + FENCE.length;
+  const endAt = pem.indexOf(END, bodyStart);
+  if (endAt === -1) return pem;
+  return pem.slice(bodyStart, endAt);
+}
 function base64UrlEncode(bytes) {
   let s = "";
   for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);
@@ -1683,6 +1711,10 @@ async function fetchOAuth2Token(args) {
   if (args.extraParams) {
     for (const [k, v] of Object.entries(args.extraParams)) body.set(k, v);
   }
+  const tokenUrlParsed = new URL(args.tokenUrl);
+  if (tokenUrlParsed.protocol !== "https:" && tokenUrlParsed.protocol !== "http:") {
+    throw new Error(`Token URL must use HTTP or HTTPS, got ${tokenUrlParsed.protocol}`);
+  }
   const response = await fetchImpl(args.tokenUrl, {
     method: "POST",
     headers,
@@ -2629,6 +2661,30 @@ function getVariableAutocomplete(text, cursorPosition, scope) {
   );
 }
 
+// src/request/resolveInheritedAuth.ts
+var NONE = { type: "none" };
+function resolveInheritedAuth({
+  requestAuth,
+  folderId,
+  folders
+}) {
+  if (requestAuth.type !== "inherit") return requestAuth;
+  let cursor = folderId;
+  const visited = /* @__PURE__ */ new Set();
+  while (cursor !== null) {
+    if (visited.has(cursor)) {
+      break;
+    }
+    visited.add(cursor);
+    const folder = folders[cursor];
+    if (!folder) break;
+    const auth = folder.auth;
+    if (auth && auth.type !== "inherit" && auth.type !== "none") return auth;
+    cursor = folder.parentId;
+  }
+  return NONE;
+}
+
 // src/request/preSendValidation.ts
 var TYPED_BODY_CT = {
   json: ["application/json", "application/ld+json", "application/vnd.api+json"],
@@ -2641,7 +2697,8 @@ function collectMissing(value, scope) {
 }
 function preSendValidation({
   request,
-  scope
+  scope,
+  folders
 }) {
   const warnings = [];
   const blockers = [];
@@ -2716,29 +2773,43 @@ function preSendValidation({
       });
     }
   }
-  const auth = request.auth;
+  let effectiveAuth = request.auth;
+  let resolvedFromInherit = false;
+  if (folders && effectiveAuth?.type === "inherit") {
+    effectiveAuth = resolveInheritedAuth({
+      requestAuth: { type: "inherit" },
+      folderId: request.folderId,
+      folders
+    });
+    resolvedFromInherit = true;
+  }
+  const auth = effectiveAuth;
+  const inheritedNote = resolvedFromInherit ? " (resolved from folder-level auth)" : "";
   if (auth) {
     if (auth.type === "bearer" && !auth.token?.trim()) {
-      blockers.push({ kind: "auth-fields-missing", message: "Bearer token is empty." });
+      blockers.push({
+        kind: "auth-fields-missing",
+        message: `Bearer token is empty.${inheritedNote}`
+      });
     } else if (auth.type === "basic") {
       if (!auth.username?.trim() || !auth.password?.trim()) {
         blockers.push({
           kind: "auth-fields-missing",
-          message: "Basic auth requires both username and password."
+          message: `Basic auth requires both username and password.${inheritedNote}`
         });
       }
     } else if (auth.type === "api-key") {
       if (!auth.key?.trim() || !auth.value?.trim()) {
         blockers.push({
           kind: "auth-fields-missing",
-          message: "API key auth requires both name and value."
+          message: `API key auth requires both name and value.${inheritedNote}`
         });
       }
     } else if (auth.type === "custom-header") {
       if (!auth.key?.trim()) {
         blockers.push({
           kind: "auth-fields-missing",
-          message: "Custom header auth requires a header name."
+          message: `Custom header auth requires a header name.${inheritedNote}`
         });
       }
     }
@@ -3125,6 +3196,15 @@ async function executeRequest(req, opts = {}) {
     );
     const redirectMode = isBrowserRuntime() ? "follow" : "manual";
     let currentUrl = builtRequest.url;
+    try {
+      const parsedUrl = new URL(currentUrl);
+      if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+        throw new Error(`Unsupported URL scheme: ${parsedUrl.protocol}`);
+      }
+    } catch (e) {
+      if (e instanceof Error && e.message.startsWith("Unsupported URL scheme")) throw e;
+      throw new Error(`Invalid request URL: ${currentUrl}`);
+    }
     let currentHeaders = { ...builtRequest.headers };
     let currentMethod = builtRequest.method;
     let currentBody = builtRequest.body;
@@ -3423,30 +3503,6 @@ function base64UrlEncode2(bytes) {
   return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 
-// src/request/resolveInheritedAuth.ts
-var NONE = { type: "none" };
-function resolveInheritedAuth({
-  requestAuth,
-  folderId,
-  folders
-}) {
-  if (requestAuth.type !== "inherit") return requestAuth;
-  let cursor = folderId;
-  const visited = /* @__PURE__ */ new Set();
-  while (cursor !== null) {
-    if (visited.has(cursor)) {
-      break;
-    }
-    visited.add(cursor);
-    const folder = folders[cursor];
-    if (!folder) break;
-    const auth = folder.auth;
-    if (auth && auth.type !== "inherit" && auth.type !== "none") return auth;
-    cursor = folder.parentId;
-  }
-  return NONE;
-}
-
 // src/request/parseCurl.ts
 var HTTP_METHODS = /* @__PURE__ */ new Set(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]);
 function tokenizeCurl(input) {
@@ -3748,10 +3804,12 @@ function parsePostmanCollection(input) {
     items.forEach((item, idx) => {
       const pathIds = parentPathIds ? [...parentPathIds, idx] : [idx];
       if (Array.isArray(item.item)) {
+        const folderAuth = item.auth ? parseAuth(item.auth, warnings, item.name) : void 0;
         folders.push({
           name: (item.name ?? "Untitled folder").trim() || "Untitled folder",
           pathIds,
-          parentPathIds
+          parentPathIds,
+          ...folderAuth && folderAuth.type !== "none" ? { auth: folderAuth } : {}
         });
         walk(item.item, pathIds);
         return;
@@ -3992,10 +4050,12 @@ function parseInsomniaCollection(input) {
     const parentPath = r.parentId ? folderIndexById.get(r.parentId) ?? null : null;
     const ourPath = parentPath ? [...parentPath, folderCounter++] : [folderCounter++];
     folderIndexById.set(r._id ?? "", ourPath);
+    const folderAuth = r.authentication ? parseAuth2(r.authentication, warnings, r.name) : void 0;
     folders.push({
       name: (r.name ?? "Untitled folder").trim() || "Untitled folder",
       pathIds: ourPath,
-      parentPathIds: parentPath
+      parentPathIds: parentPath,
+      ...folderAuth && folderAuth.type !== "none" ? { auth: folderAuth } : {}
     });
   }
   const requests = [];
@@ -4396,7 +4456,7 @@ function serializeFolderExport(envelope) {
   return JSON.stringify(envelope, null, 2);
 }
 function suggestFolderExportFilename(envelope) {
-  const slug = envelope.folder.name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+  const slug = envelope.folder.name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-/, "").replace(/-$/, "");
   const base = slug || "folder";
   return `${base}.apicircle.json`;
 }
@@ -5022,6 +5082,140 @@ function extractContext(result, extractions) {
   return { extracted, warnings };
 }
 
+// src/environment/resolveRequest.ts
+var import_shared2 = require("@apicircle/shared");
+function resolveRequestForExecution(args) {
+  const refs = args.envPriorityOverride && args.envPriorityOverride.length > 0 ? args.envPriorityOverride : args.synced.environments.priorityOrder;
+  const flatEnvs = {};
+  for (const [name, vars] of Object.entries(args.localEnvs)) {
+    flatEnvs[(0, import_shared2.envPriorityKey)({ kind: "local", name })] = vars;
+  }
+  for (const [linkId, byEnv] of Object.entries(args.linkedEnvs ?? {})) {
+    for (const [envName, vars] of Object.entries(byEnv)) {
+      flatEnvs[(0, import_shared2.envPriorityKey)({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
+    }
+  }
+  const ctxMap = { ...args.globalContext ?? {} };
+  for (const v of args.planVariables ?? []) {
+    if (v.key) ctxMap[v.key] = v.value;
+  }
+  for (const v of args.request.contextVars) {
+    if (v.key) ctxMap[v.key] = v.value;
+  }
+  const contextVars = Object.entries(ctxMap).map(([key, value]) => ({ key, value }));
+  const scope = buildScope({
+    contextVars,
+    environments: flatEnvs,
+    activeEnvName: null,
+    // priorityOrder is the sole list the resolver consults.
+    priorityOrder: refs.map(import_shared2.envPriorityKey),
+    secrets: args.secrets ?? {}
+  });
+  const missing = /* @__PURE__ */ new Set();
+  const interp = (s) => {
+    const r = resolveString(s, scope);
+    for (const m of r.missing) missing.add(m);
+    return r.value;
+  };
+  const url = interp(args.request.url);
+  const headers = args.request.headers.map((h) => ({
+    ...h,
+    key: interp(h.key),
+    value: interp(h.value)
+  }));
+  const query = args.request.query.map((q) => ({
+    ...q,
+    key: interp(q.key),
+    value: interp(q.value)
+  }));
+  let body = args.request.body;
+  if (body.type === "json" || body.type === "text" || body.type === "xml" || body.type === "graphql" || body.type === "urlencoded") {
+    body = { ...body, content: interp(body.content) };
+  } else if (body.type === "form-data" && body.formRows) {
+    body = {
+      ...body,
+      formRows: body.formRows.map(
+        (row) => row.kind === "text" ? { ...row, key: interp(row.key), value: interp(row.value) } : { ...row, key: interp(row.key) }
+      )
+    };
+  }
+  const inheritedAuth = resolveInheritedAuth({
+    requestAuth: args.request.auth ?? { type: "none" },
+    folderId: args.request.folderId,
+    folders: args.synced.collections.folders
+  });
+  const auth = interpolateAuthVariables(inheritedAuth, interp);
+  return {
+    request: { ...args.request, url, headers, query, body, auth },
+    scope,
+    missing: [...missing]
+  };
+}
+function interpolateAuthVariables(auth, interp) {
+  const resolved = {};
+  for (const [key, value] of Object.entries(auth)) {
+    resolved[key] = key !== "type" && typeof value === "string" ? interp(value) : value;
+  }
+  return resolved;
+}
+function applyLinkedEnvironmentOverrides(source, linkedWorkspaceId, synced) {
+  const overrides = Object.values(synced.linkedOverrides.environmentVars).filter(
+    (o) => o.linkedWorkspaceId === linkedWorkspaceId
+  );
+  if (overrides.length === 0) return source;
+  const items = {};
+  for (const [envName, env] of Object.entries(source.items)) {
+    const envOverrides = overrides.filter((o) => o.envName === envName);
+    if (envOverrides.length === 0) {
+      items[envName] = env;
+      continue;
+    }
+    const removed = new Set(envOverrides.filter((o) => o.removed).map((o) => o.varKey));
+    const replaceMap = new Map(envOverrides.filter((o) => !o.removed).map((o) => [o.varKey, o]));
+    const variables = [];
+    const seenKeys = /* @__PURE__ */ new Set();
+    for (const v of env.variables) {
+      if (removed.has(v.key)) continue;
+      const ov = replaceMap.get(v.key);
+      if (ov) {
+        variables.push({
+          key: v.key,
+          value: ov.value ?? v.value,
+          encrypted: ov.encrypted ?? v.encrypted,
+          ...ov.secretKeyId !== void 0 ? { secretKeyId: ov.secretKeyId } : v.secretKeyId !== void 0 ? { secretKeyId: v.secretKeyId } : {}
+        });
+      } else {
+        variables.push(v);
+      }
+      seenKeys.add(v.key);
+    }
+    for (const ov of envOverrides) {
+      if (ov.removed) continue;
+      if (seenKeys.has(ov.varKey)) continue;
+      variables.push({
+        key: ov.varKey,
+        value: ov.value ?? "",
+        encrypted: ov.encrypted ?? false,
+        ...ov.secretKeyId !== void 0 ? { secretKeyId: ov.secretKeyId } : {}
+      });
+    }
+    items[envName] = { ...env, variables };
+  }
+  return { ...source, items };
+}
+function plaintextEnvMap(source) {
+  const out = {};
+  for (const [name, env] of Object.entries(source.items)) {
+    const vars = {};
+    for (const v of env.variables) {
+      if (v.encrypted) continue;
+      vars[v.key] = v.value;
+    }
+    out[name] = vars;
+  }
+  return out;
+}
+
 // src/secrets/crypto.ts
 var IV_BYTES = 12;
 var SALT_BYTES = 16;
@@ -5106,6 +5300,95 @@ function base64ToBytes(b64) {
   return out;
 }
 
+// src/secrets/passphraseKey.ts
+var PBKDF2_HASH = "SHA-256";
+var PBKDF2_ITERATIONS2 = 12e5;
+var SALT_BYTES2 = 16;
+var VERIFIER_SENTINEL = "apicircle/passphrase-verifier/v1";
+function base64Encode2(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary);
+}
+function base64Decode2(b64) {
+  const binary = atob(b64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+function utf8Bytes(s) {
+  return new TextEncoder().encode(s);
+}
+async function deriveKey(passphrase, salt, iterations) {
+  const baseKey = await crypto.subtle.importKey(
+    "raw",
+    utf8Bytes(passphrase),
+    { name: "PBKDF2" },
+    false,
+    ["deriveKey"]
+  );
+  return crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations,
+      hash: PBKDF2_HASH
+    },
+    baseKey,
+    { name: "AES-GCM", length: 256 },
+    /* extractable */
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function computeVerifier(key) {
+  const iv = new Uint8Array(12);
+  const ct = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    utf8Bytes(VERIFIER_SENTINEL)
+  );
+  return base64Encode2(new Uint8Array(ct));
+}
+async function initSecretCrypto(passphrase, iterations = PBKDF2_ITERATIONS2) {
+  if (passphrase.length === 0) throw new Error("Passphrase cannot be empty");
+  if (iterations < 1) throw new Error("iterations must be >= 1");
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES2));
+  const key = await deriveKey(passphrase, salt, iterations);
+  const verifier = await computeVerifier(key);
+  return {
+    crypto: {
+      kdf: "pbkdf2-sha256-v1",
+      salt: base64Encode2(salt),
+      iterations,
+      verifier
+    },
+    key
+  };
+}
+async function unlockSecretCrypto(passphrase, blob) {
+  if (blob.kdf !== "pbkdf2-sha256-v1") {
+    return { ok: false, reason: `Unsupported KDF: ${String(blob.kdf)}` };
+  }
+  let salt;
+  try {
+    salt = base64Decode2(blob.salt);
+  } catch {
+    return { ok: false, reason: "Workspace secret salt is corrupt." };
+  }
+  let key;
+  try {
+    key = await deriveKey(passphrase, salt, blob.iterations);
+  } catch (err) {
+    return { ok: false, reason: err instanceof Error ? err.message : "Key derivation failed" };
+  }
+  const verifier = await computeVerifier(key);
+  if (verifier !== blob.verifier) {
+    return { ok: false, reason: "Wrong passphrase." };
+  }
+  return { ok: true, key };
+}
+
 // src/git/branchNames.ts
 var SLUG_FALLBACK = "workspace";
 var SUFFIX_LEN = 6;
@@ -5165,10 +5448,32 @@ function sortedReplacer(_key, value) {
 
 // src/git/repoPaths.ts
 var WORKSPACE_DIR = ".apicircle";
-var WORKSPACE_JSON_PATH = `${WORKSPACE_DIR}/workspace.json`;
-var ATTACHMENTS_DIR = `${WORKSPACE_DIR}/attachments`;
-function attachmentPath(slotId) {
-  return `${ATTACHMENTS_DIR}/${slotId}`;
+var REGISTRY_JSON_PATH = `${WORKSPACE_DIR}/registry.json`;
+function workspaceJsonPath(workspaceId) {
+  return `${WORKSPACE_DIR}/workspace-${workspaceId}/workspace.json`;
+}
+function attachmentsDir(workspaceId) {
+  return `${WORKSPACE_DIR}/workspace-${workspaceId}/attachments`;
+}
+function attachmentPath(workspaceId, slotId) {
+  return `${attachmentsDir(workspaceId)}/${slotId}`;
+}
+function parseRegistryActiveId(registryJsonContent) {
+  try {
+    const parsed = JSON.parse(registryJsonContent);
+    return parsed.activeWorkspaceId ?? parsed.workspaces?.[0]?.id ?? null;
+  } catch {
+    return null;
+  }
+}
+async function fetchRemoteWorkspaceJson(fetchFile) {
+  const registryContent = await fetchFile(REGISTRY_JSON_PATH);
+  if (registryContent === null) return { error: "No .apicircle/registry.json found in repo" };
+  const wsId = parseRegistryActiveId(registryContent);
+  if (!wsId) return { error: "Registry is empty \u2014 no workspaces found" };
+  const wsContent = await fetchFile(workspaceJsonPath(wsId));
+  if (wsContent === null) return { error: `No workspace.json at .apicircle/workspace-${wsId}/` };
+  return { workspaceId: wsId, content: wsContent };
 }
 
 // src/git/parseWorkspaceJson.ts
@@ -5427,18 +5732,14 @@ function sortVersionsDesc(versions) {
 }
 
 // src/release/publishRelease.ts
-async function publishRelease(synced, args) {
+async function buildReleaseEntry(synced, args) {
   const version = args.version.trim();
   if (!isValidSemver(version)) {
     throw new Error(`Invalid semver: ${args.version}`);
   }
-  const ledger = synced.releases.self ?? emptyLedger();
-  if (ledger.versions.some((v) => v.version === version)) {
-    throw new Error(`Version ${version} already exists in this workspace's release ledger`);
-  }
   const snapshotSource = serializeWorkspaceForGit(synced);
   const workspaceSnapshot = await sha256Hex2(snapshotSource);
-  const entry = {
+  return {
     version,
     publishedAt: args.publishedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
     notes: args.notes,
@@ -5448,23 +5749,36 @@ async function publishRelease(synced, args) {
     ...args.sha ? { sha: args.sha } : {},
     ...args.tagName ? { tagName: args.tagName } : {}
   };
+}
+function appendReleaseEntry(synced, entry, now = entry.publishedAt) {
+  if (!isValidSemver(entry.version)) {
+    throw new Error(`Invalid semver: ${entry.version}`);
+  }
+  const ledger = synced.releases.self ?? emptyLedger();
+  if (ledger.versions.some((v) => v.version === entry.version)) {
+    throw new Error(`Version ${entry.version} already exists in this workspace's release ledger`);
+  }
   const next = {
     versions: [...ledger.versions, entry],
-    currentVersion: version
+    currentVersion: entry.version
   };
   return {
     ...synced,
     releases: { ...synced.releases, self: next },
-    meta: { ...synced.meta, updatedAt: entry.publishedAt }
+    meta: { ...synced.meta, updatedAt: now }
   };
 }
-function deprecateRelease(synced, version) {
-  return mapReleaseVersion(synced, version, (v) => ({ ...v, deprecated: true }));
+async function publishRelease(synced, args) {
+  const entry = await buildReleaseEntry(synced, args);
+  return appendReleaseEntry(synced, entry);
+}
+function deprecateRelease(synced, version, now = (/* @__PURE__ */ new Date()).toISOString()) {
+  return mapReleaseVersion(synced, version, (v) => ({ ...v, deprecated: true }), now);
 }
-function yankRelease(synced, version) {
-  return mapReleaseVersion(synced, version, (v) => ({ ...v, yanked: true }));
+function yankRelease(synced, version, now = (/* @__PURE__ */ new Date()).toISOString()) {
+  return mapReleaseVersion(synced, version, (v) => ({ ...v, yanked: true }), now);
 }
-function mapReleaseVersion(synced, version, fn) {
+function mapReleaseVersion(synced, version, fn, now) {
   const ledger = synced.releases.self;
   if (!ledger) throw new Error("No releases to modify");
   const idx = ledger.versions.findIndex((v) => v.version === version);
@@ -5474,7 +5788,7 @@ function mapReleaseVersion(synced, version, fn) {
   return {
     ...synced,
     releases: { ...synced.releases, self: { ...ledger, versions } },
-    meta: { ...synced.meta, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }
+    meta: { ...synced.meta, updatedAt: now }
   };
 }
 function emptyLedger() {
@@ -5486,6 +5800,99 @@ async function sha256Hex2(text) {
   return [...new Uint8Array(digest)].map((b) => b.toString(16).padStart(2, "0")).join("");
 }
 
+// src/linked/linkedSnapshot.ts
+var LINKED_FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+var MAX_LINKED_JSON_BYTES = 16 * 1024 * 1024;
+function parseLinkedWorkspaceJson(text) {
+  if (text.length > MAX_LINKED_JSON_BYTES) {
+    throw new Error("Remote workspace.json exceeds 16 MiB");
+  }
+  let raw;
+  try {
+    raw = JSON.parse(
+      text,
+      (key, value) => LINKED_FORBIDDEN_KEYS.has(key) ? void 0 : value
+    );
+  } catch {
+    throw new Error("Remote workspace.json is not valid JSON");
+  }
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
+    throw new Error("Remote workspace.json is not an object");
+  }
+  const obj = raw;
+  const asObject = (v) => typeof v === "object" && v !== null ? v : void 0;
+  return {
+    workspaceId: typeof obj.workspaceId === "string" ? obj.workspaceId : void 0,
+    releases: asObject(obj.releases),
+    collections: asObject(obj.collections),
+    environments: asObject(obj.environments),
+    secretKeys: asObject(obj.secretKeys),
+    globalAssets: asObject(obj.globalAssets)
+  };
+}
+function ledgerFromProbe(parsed) {
+  return parsed.releases?.self ?? { versions: [], currentVersion: null };
+}
+function buildLinkedSnapshot(parsed, link) {
+  if (!parsed.collections && !parsed.environments) return null;
+  return {
+    pulledAt: link.linkedAt,
+    ref: link.pinnedVersion ? `v${link.pinnedVersion}` : `HEAD@${link.source.branch}`,
+    collections: parsed.collections ?? {
+      tree: { id: "remote-root", type: "root", children: [] },
+      requests: {},
+      folders: {}
+    },
+    environments: parsed.environments ?? {
+      items: {},
+      activeName: null,
+      priorityOrder: []
+    },
+    ...parsed.secretKeys ? { secretKeys: parsed.secretKeys } : {},
+    ...parsed.globalAssets ? { globalAssets: parsed.globalAssets } : {}
+  };
+}
+
+// src/linked/requestOverride.ts
+var OVERRIDABLE_FIELDS = [
+  "name",
+  "method",
+  "url",
+  "headers",
+  "query",
+  "pathParams",
+  "cookies",
+  "body",
+  "auth",
+  "contextVars",
+  "extractions",
+  "assertions"
+];
+function mergeRequestOverride(base, patch) {
+  const merged = { ...base };
+  const p = patch;
+  const target = merged;
+  for (const field of OVERRIDABLE_FIELDS) {
+    if (p[field] !== void 0) target[field] = p[field];
+  }
+  return merged;
+}
+function computeRequestOverridePatch(base, effective) {
+  const baseRec = { ...base };
+  const effRec = { ...effective };
+  const patch = {};
+  const patchRec = patch;
+  for (const field of OVERRIDABLE_FIELDS) {
+    if (JSON.stringify(baseRec[field]) !== JSON.stringify(effRec[field])) {
+      patchRec[field] = effRec[field];
+    }
+  }
+  return patch;
+}
+function isEmptyOverridePatch(patch) {
+  return Object.keys(patch).filter((k) => OVERRIDABLE_FIELDS.includes(k)).length === 0;
+}
+
 // src/editors/contentTypeLanguageMap.ts
 var CONTENT_TYPE_LANGUAGE_MAP = {
   "application/json": "json",
@@ -6418,7 +6825,8 @@ function previewLinkedUpdate(args) {
       status,
       base,
       target,
-      override
+      override,
+      ...status === "both-changed" && base && target && override ? { autoMergeable: requestOverrideIsDisjoint(base, target, override) } : {}
     });
   }
   const baseFolders = args.base?.collections.folders ?? {};
@@ -6498,6 +6906,34 @@ function classifyRequest(base, target, override) {
   if (sourceChanged && !hasOverride) return "source-only";
   return "both-changed";
 }
+var OVERRIDABLE_REQUEST_FIELDS = [
+  "name",
+  "method",
+  "url",
+  "headers",
+  "query",
+  "pathParams",
+  "cookies",
+  "body",
+  "auth",
+  "contextVars",
+  "extractions",
+  "assertions"
+];
+function requestOverrideIsDisjoint(base, target, override) {
+  const baseRec = { ...base };
+  const targetRec = { ...target };
+  const overriddenFields = Object.keys(override.patch);
+  for (const f of overriddenFields) {
+    if (!OVERRIDABLE_REQUEST_FIELDS.includes(f)) {
+      continue;
+    }
+    if (!structurallyEqual2(baseRec[f], targetRec[f])) {
+      return false;
+    }
+  }
+  return true;
+}
 function classifyFolder(base, target) {
   if (!base && target) return "new-in-source";
   if (base && !target) return "removed-in-source";
@@ -6547,7 +6983,7 @@ function applyLinkedUpdate(args) {
       continue;
     }
     if (entry.status === "both-changed") {
-      const choice = args.resolutions[id];
+      const choice = args.resolutions[id] ?? (entry.autoMergeable ? "mine" : void 0);
       if (!choice) {
         throw new Error(
           `applyLinkedUpdate: unresolved both-changed entry "${entry.label}" (${id})`
@@ -6558,7 +6994,8 @@ function applyLinkedUpdate(args) {
         else if (entry.bucket === "environment-var") envVarOverridesByKey.delete(entry.key);
         log.push({ entryKey: id, bucket: entry.bucket, action: "accept-source" });
       } else {
-        log.push({ entryKey: id, bucket: entry.bucket, action: "keep-mine" });
+        const auto = entry.autoMergeable === true && !args.resolutions[id];
+        log.push({ entryKey: id, bucket: entry.bucket, action: auto ? "auto-merge" : "keep-mine" });
       }
     }
   }
@@ -6574,7 +7011,7 @@ function structurallyEqual2(a, b) {
 }
 
 // src/workspace/applyMutation.ts
-var import_shared2 = require("@apicircle/shared");
+var import_shared3 = require("@apicircle/shared");
 
 // src/workspace/apicircleFolderImport.ts
 function importApicircleFolderInto(synced, parsed, parentFolderId) {
@@ -6815,6 +7252,8 @@ function applyMutation(state, patch, options = {}) {
       return applyFolderDelete(state, patch.id, now);
     case "folder.move":
       return applyFolderMove(state, patch.id, patch.newParentId, now);
+    case "folder.update":
+      return applyFolderUpdate(state, patch.id, patch.patch, now);
     case "folder.import_apicircle":
       return applyFolderImportApicircle(state, patch.parsed, patch.parentFolderId, now);
     case "environment.upsert":
@@ -6827,6 +7266,10 @@ function applyMutation(state, patch, options = {}) {
       return applyEnvSetPriority(state, patch.order, now);
     case "secretKey.upsert":
       return applySecretKeyUpsert(state, patch.meta, now);
+    case "secret.crypto.set":
+      return applySecretCryptoSet(state, patch.crypto, now);
+    case "secret.crypto.clear":
+      return applySecretCryptoClear(state, now);
     case "assertion.upsert":
       return applyAssertionUpsert(state, patch.requestId, patch.assertion, now);
     case "assertion.delete":
@@ -6835,6 +7278,34 @@ function applyMutation(state, patch, options = {}) {
       return applyMockUpsert(state, patch.mock, now);
     case "mock.delete":
       return applyMockDelete(state, patch.id, now);
+    case "release.publish":
+      return applyReleasePublish(state, patch.entry, now);
+    case "release.deprecate":
+      return applyReleaseDeprecate(state, patch.version, now);
+    case "release.yank":
+      return applyReleaseYank(state, patch.version, now);
+    case "linkedWorkspace.upsert":
+      return applyLinkedWorkspaceUpsert(state, patch.link, patch.ledger, patch.snapshot, now);
+    case "linkedWorkspace.remove":
+      return applyLinkedWorkspaceRemove(state, patch.id, now);
+    case "linkedWorkspace.applyUpdate":
+      return applyLinkedWorkspaceApplyUpdate(state, patch, now);
+    case "linkedOverride.setRequest":
+      return applyLinkedOverrideSetRequest(state, patch.override, now);
+    case "linkedOverride.removeRequest":
+      return applyLinkedOverrideRemoveRequest(state, patch.linkedWorkspaceId, patch.itemId, now);
+    case "linkedOverride.setEnvVar":
+      return applyLinkedOverrideSetEnvVar(state, patch.override, now);
+    case "linkedOverride.removeEnvVar":
+      return applyLinkedOverrideRemoveEnvVar(
+        state,
+        patch.linkedWorkspaceId,
+        patch.envName,
+        patch.varKey,
+        now
+      );
+    case "linkedOverride.clearForLink":
+      return applyLinkedOverrideClearForLink(state, patch.linkedWorkspaceId, now);
     case "globalAsset.upsertFile":
       return applyGlobalAssetUpsertFile(state, patch.file, now);
     case "globalAsset.removeFile":
@@ -6871,12 +7342,13 @@ function applyRequestCreate(state, request, now) {
   if (state.synced.collections.requests[request.id]) {
     return { next: state, changedIds: [] };
   }
+  const tree = request.folderId ? state.synced.collections.tree : pushTreeChild(state.synced.collections.tree, { kind: "request", id: request.id });
   const synced = {
     ...state.synced,
     collections: {
       ...state.synced.collections,
       requests: { ...state.synced.collections.requests, [request.id]: request },
-      tree: pushTreeChild(state.synced.collections.tree, { kind: "request", id: request.id })
+      tree
     },
     meta: { ...state.synced.meta, updatedAt: now }
   };
@@ -6925,12 +7397,13 @@ function applyFolderCreate(state, folder, now) {
   if (state.synced.collections.folders[folder.id]) {
     return { next: state, changedIds: [] };
   }
+  const tree = folder.parentId ? state.synced.collections.tree : pushTreeChild(state.synced.collections.tree, { kind: "folder", id: folder.id });
   const synced = {
     ...state.synced,
     collections: {
       ...state.synced.collections,
       folders: { ...state.synced.collections.folders, [folder.id]: folder },
-      tree: pushTreeChild(state.synced.collections.tree, { kind: "folder", id: folder.id })
+      tree
     },
     meta: { ...state.synced.meta, updatedAt: now }
   };
@@ -6999,6 +7472,57 @@ function applyFolderMove(state, id, newParentId, now) {
   };
   return { next: { ...state, synced }, changedIds: [id] };
 }
+function applyFolderUpdate(state, id, patch, now) {
+  const folder = state.synced.collections.folders[id];
+  if (!folder) {
+    return { next: state, changedIds: [] };
+  }
+  const nameChanging = "name" in patch && patch.name !== void 0;
+  const authChanging = "auth" in patch;
+  if (!nameChanging && !authChanging) {
+    return { next: state, changedIds: [] };
+  }
+  let nextName = folder.name;
+  if (nameChanging) {
+    const trimmed = patch.name.trim();
+    if (!trimmed) {
+    } else if (trimmed === folder.name) {
+    } else if (!isFolderNameUnique(state, folder.parentId, trimmed, id)) {
+      return { next: state, changedIds: [] };
+    } else {
+      nextName = trimmed;
+    }
+  }
+  const nextFolder = { ...folder, name: nextName };
+  if (authChanging) {
+    if (patch.auth === void 0) {
+      delete nextFolder.auth;
+    } else {
+      nextFolder.auth = patch.auth;
+    }
+  }
+  if (nextFolder.name === folder.name && nextFolder.auth === folder.auth) {
+    return { next: state, changedIds: [] };
+  }
+  const synced = {
+    ...state.synced,
+    collections: {
+      ...state.synced.collections,
+      folders: { ...state.synced.collections.folders, [id]: nextFolder }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [id] };
+}
+function isFolderNameUnique(state, parentId, trimmedCandidate, ignoreId) {
+  const target = trimmedCandidate.toLowerCase();
+  for (const f of Object.values(state.synced.collections.folders)) {
+    if (f.id === ignoreId) continue;
+    if (f.parentId !== parentId) continue;
+    if (f.name.trim().toLowerCase() === target) return false;
+  }
+  return true;
+}
 function applyFolderImportApicircle(state, parsed, parentFolderId, now) {
   const result = importApicircleFolderInto(
     state.synced,
@@ -7078,7 +7602,7 @@ function applyEnvSetPriority(state, order, now) {
   const knownLocal = new Set(Object.keys(state.synced.environments.items));
   const seen = /* @__PURE__ */ new Set();
   const filtered = order.filter((ref) => {
-    const key = (0, import_shared2.envPriorityKey)(ref);
+    const key = (0, import_shared3.envPriorityKey)(ref);
     if (seen.has(key)) return false;
     if (ref.kind === "local" && !knownLocal.has(ref.name)) return false;
     seen.add(key);
@@ -7089,7 +7613,7 @@ function applyEnvSetPriority(state, order, now) {
     environments: { ...state.synced.environments, priorityOrder: filtered },
     meta: { ...state.synced.meta, updatedAt: now }
   };
-  return { next: { ...state, synced }, changedIds: filtered.map(import_shared2.envPriorityKey) };
+  return { next: { ...state, synced }, changedIds: filtered.map(import_shared3.envPriorityKey) };
 }
 function applySecretKeyUpsert(state, meta, now) {
   if (!meta.id || !meta.label.trim() || !meta.salt) {
@@ -7105,6 +7629,28 @@ function applySecretKeyUpsert(state, meta, now) {
   };
   return { next: { ...state, synced }, changedIds: [meta.id] };
 }
+function applySecretCryptoSet(state, crypto2, now) {
+  if (!crypto2 || crypto2.kdf !== "pbkdf2-sha256-v1" || !crypto2.salt || !crypto2.verifier || !(crypto2.iterations >= 1)) {
+    return { next: state, changedIds: [] };
+  }
+  const synced = {
+    ...state.synced,
+    secretCrypto: { ...crypto2 },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: ["secret.crypto"] };
+}
+function applySecretCryptoClear(state, now) {
+  if (!state.synced.secretCrypto) {
+    return { next: state, changedIds: [] };
+  }
+  const synced = {
+    ...state.synced,
+    secretCrypto: null,
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: ["secret.crypto"] };
+}
 function applyAssertionUpsert(state, requestId, assertion, now) {
   const request = state.synced.collections.requests[requestId];
   if (!request) {
@@ -7162,6 +7708,191 @@ function applyMockDelete(state, id, now) {
   } : state.local;
   return { next: { synced, local }, changedIds: [id] };
 }
+function applyReleasePublish(state, entry, now) {
+  const synced = appendReleaseEntry(state.synced, entry, now);
+  return { next: { ...state, synced }, changedIds: [entry.version] };
+}
+function applyReleaseDeprecate(state, version, now) {
+  const synced = deprecateRelease(state.synced, version, now);
+  return { next: { ...state, synced }, changedIds: [version] };
+}
+function applyReleaseYank(state, version, now) {
+  const synced = yankRelease(state.synced, version, now);
+  return { next: { ...state, synced }, changedIds: [version] };
+}
+function applyLinkedWorkspaceUpsert(state, link, ledger, snapshot2, now) {
+  const synced = {
+    ...state.synced,
+    linkedWorkspaces: { ...state.synced.linkedWorkspaces, [link.id]: link },
+    releases: ledger ? {
+      ...state.synced.releases,
+      perLink: { ...state.synced.releases.perLink, [link.id]: ledger }
+    } : state.synced.releases,
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  const local = snapshot2 ? {
+    ...state.local,
+    linkedCollections: { ...state.local.linkedCollections, [link.id]: snapshot2 }
+  } : state.local;
+  return { next: { synced, local }, changedIds: [link.id] };
+}
+function applyLinkedWorkspaceRemove(state, id, now) {
+  if (!state.synced.linkedWorkspaces[id]) {
+    return { next: state, changedIds: [] };
+  }
+  const linkedWorkspaces = { ...state.synced.linkedWorkspaces };
+  delete linkedWorkspaces[id];
+  const perLink = { ...state.synced.releases.perLink };
+  delete perLink[id];
+  const prefix = `${id}:`;
+  const dropPrefixed = (map) => Object.fromEntries(Object.entries(map).filter(([k]) => !k.startsWith(prefix)));
+  const synced = {
+    ...state.synced,
+    linkedWorkspaces,
+    releases: { ...state.synced.releases, perLink },
+    linkedOverrides: {
+      requests: dropPrefixed(state.synced.linkedOverrides.requests),
+      environmentVars: dropPrefixed(state.synced.linkedOverrides.environmentVars)
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  const linkedCollections = { ...state.local.linkedCollections };
+  delete linkedCollections[id];
+  const githubLinks = { ...state.local.sessions.github.links };
+  delete githubLinks[id];
+  const local = {
+    ...state.local,
+    linkedCollections,
+    sessions: {
+      ...state.local.sessions,
+      github: { ...state.local.sessions.github, links: githubLinks }
+    }
+  };
+  return { next: { synced, local }, changedIds: [id] };
+}
+function applyLinkedWorkspaceApplyUpdate(state, patch, now) {
+  const link = state.synced.linkedWorkspaces[patch.id];
+  if (!link) {
+    return { next: state, changedIds: [] };
+  }
+  const prefix = `${patch.id}:`;
+  const otherRequests = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.requests).filter(([k]) => !k.startsWith(prefix))
+  );
+  for (const o of patch.requestOverrides) {
+    otherRequests[`${o.linkedWorkspaceId}:${o.itemId}`] = o;
+  }
+  const otherEnvVars = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.environmentVars).filter(
+      ([k]) => !k.startsWith(prefix)
+    )
+  );
+  for (const o of patch.envVarOverrides) {
+    otherEnvVars[`${o.linkedWorkspaceId}:${o.envName}:${o.varKey}`] = o;
+  }
+  const synced = {
+    ...state.synced,
+    linkedWorkspaces: {
+      ...state.synced.linkedWorkspaces,
+      [patch.id]: { ...link, pinnedVersion: patch.pinnedVersion }
+    },
+    releases: {
+      ...state.synced.releases,
+      perLink: { ...state.synced.releases.perLink, [patch.id]: patch.ledger }
+    },
+    linkedOverrides: { requests: otherRequests, environmentVars: otherEnvVars },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  const local = {
+    ...state.local,
+    linkedCollections: { ...state.local.linkedCollections, [patch.id]: patch.snapshot }
+  };
+  return { next: { synced, local }, changedIds: [patch.id] };
+}
+function applyLinkedOverrideSetRequest(state, override, now) {
+  const key = `${override.linkedWorkspaceId}:${override.itemId}`;
+  const synced = {
+    ...state.synced,
+    linkedOverrides: {
+      ...state.synced.linkedOverrides,
+      requests: {
+        ...state.synced.linkedOverrides.requests,
+        [key]: { ...override, updatedAt: now }
+      }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideRemoveRequest(state, linkedWorkspaceId, itemId, now) {
+  const key = `${linkedWorkspaceId}:${itemId}`;
+  if (!state.synced.linkedOverrides.requests[key]) {
+    return { next: state, changedIds: [] };
+  }
+  const requests = { ...state.synced.linkedOverrides.requests };
+  delete requests[key];
+  const synced = {
+    ...state.synced,
+    linkedOverrides: { ...state.synced.linkedOverrides, requests },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideSetEnvVar(state, override, now) {
+  const key = `${override.linkedWorkspaceId}:${override.envName}:${override.varKey}`;
+  const synced = {
+    ...state.synced,
+    linkedOverrides: {
+      ...state.synced.linkedOverrides,
+      environmentVars: {
+        ...state.synced.linkedOverrides.environmentVars,
+        [key]: { ...override, updatedAt: now }
+      }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideRemoveEnvVar(state, linkedWorkspaceId, envName, varKey, now) {
+  const key = `${linkedWorkspaceId}:${envName}:${varKey}`;
+  if (!state.synced.linkedOverrides.environmentVars[key]) {
+    return { next: state, changedIds: [] };
+  }
+  const environmentVars = { ...state.synced.linkedOverrides.environmentVars };
+  delete environmentVars[key];
+  const synced = {
+    ...state.synced,
+    linkedOverrides: { ...state.synced.linkedOverrides, environmentVars },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideClearForLink(state, linkedWorkspaceId, now) {
+  const prefix = `${linkedWorkspaceId}:`;
+  const requestKeys = Object.keys(state.synced.linkedOverrides.requests).filter(
+    (k) => k.startsWith(prefix)
+  );
+  const envKeys = Object.keys(state.synced.linkedOverrides.environmentVars).filter(
+    (k) => k.startsWith(prefix)
+  );
+  if (requestKeys.length === 0 && envKeys.length === 0) {
+    return { next: state, changedIds: [] };
+  }
+  const requests = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.requests).filter(([k]) => !k.startsWith(prefix))
+  );
+  const environmentVars = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.environmentVars).filter(
+      ([k]) => !k.startsWith(prefix)
+    )
+  );
+  const synced = {
+    ...state.synced,
+    linkedOverrides: { requests, environmentVars },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [...requestKeys, ...envKeys] };
+}
 function applyGlobalAssetUpsertFile(state, file, now) {
   const files = state.synced.globalAssets.files ?? {};
   const existing = files[file.id];
@@ -7232,6 +7963,14 @@ function applyGlobalAssetRemoveFile(state, id, now) {
     delete nextUsage[id];
     local = { ...local, assetUsageIndex: nextUsage };
   }
+  const existing = files[id];
+  const hadRemoteRef = Boolean(existing.workingBranchRef || existing.baseBranchRef);
+  if (hadRemoteRef && !(local.pendingAttachmentDeletes ?? []).includes(existing.slotId)) {
+    local = {
+      ...local,
+      pendingAttachmentDeletes: [...local.pendingAttachmentDeletes ?? [], existing.slotId]
+    };
+  }
   const synced = {
     ...state.synced,
     collections: { ...state.synced.collections, requests },
@@ -7388,7 +8127,7 @@ function evictSnapshotsToCap(entries, maxBytes) {
   };
 }
 function applySnapshotCapture(state, args, now) {
-  const id = args.id ?? (0, import_shared2.generateId)();
+  const id = args.id ?? (0, import_shared3.generateId)();
   const snapshot2 = {
     id,
     createdAt: now,
@@ -7477,7 +8216,7 @@ function applyHistoryPurge(state, olderThanMs) {
 }
 
 // src/workspace/runPlan.ts
-var import_shared3 = require("@apicircle/shared");
+var import_shared4 = require("@apicircle/shared");
 var MAX_REQUEST_RUNS = 500;
 var MAX_PLAN_RUNS = 200;
 var ANONYMOUS_ACTOR = { kind: "unknown", name: "unknown" };
@@ -7543,22 +8282,6 @@ function lookupPlanStepRequest(step, synced, local) {
     linkedGlobalAssets: snapshot2.globalAssets
   };
 }
-function mergeRequestOverride(base, patch) {
-  const merged = { ...base };
-  if (patch.name !== void 0) merged.name = patch.name;
-  if (patch.method !== void 0) merged.method = patch.method;
-  if (patch.url !== void 0) merged.url = patch.url;
-  if (patch.headers !== void 0) merged.headers = patch.headers;
-  if (patch.query !== void 0) merged.query = patch.query;
-  if (patch.pathParams !== void 0) merged.pathParams = patch.pathParams;
-  if (patch.cookies !== void 0) merged.cookies = patch.cookies;
-  if (patch.body !== void 0) merged.body = patch.body;
-  if (patch.auth !== void 0) merged.auth = patch.auth;
-  if (patch.contextVars !== void 0) merged.contextVars = patch.contextVars;
-  if (patch.extractions !== void 0) merged.extractions = patch.extractions;
-  if (patch.assertions !== void 0) merged.assertions = patch.assertions;
-  return merged;
-}
 function applyEnvironmentOverrides(source, linkedWorkspaceId, synced) {
   const overrides = Object.values(synced.linkedOverrides.environmentVars).filter(
     (override) => override.linkedWorkspaceId === linkedWorkspaceId
@@ -7624,7 +8347,7 @@ async function runPlan(state, planId, opts = {}) {
   const baseRefs = plan.envPriorityOrder.length > 0 ? plan.envPriorityOrder : state.synced.environments.priorityOrder;
   const envRefs = opts.env ? [{ kind: "local", name: opts.env }, ...baseRefs] : baseRefs;
   const startedAt = (/* @__PURE__ */ new Date()).toISOString();
-  const planRunId = (0, import_shared3.generateId)();
+  const planRunId = (0, import_shared4.generateId)();
   const t0 = Date.now();
   const stepRecords = [];
   const newRequestRuns = [];
@@ -7657,7 +8380,7 @@ async function runPlan(state, planId, opts = {}) {
     const lookup2 = lookupPlanStepRequest(step, state.synced, state.local);
     const baseRequest = lookup2.request;
     if (!baseRequest) {
-      const runId = (0, import_shared3.generateId)();
+      const runId = (0, import_shared4.generateId)();
       const error = lookup2.error ?? "Request no longer exists in workspace.";
       newRequestRuns.push(orphanRun(runId, step.requestId, error));
       stepRecords.push({ requestRunId: runId, passed: false });
@@ -7775,7 +8498,7 @@ function buildEnvMaps(synced, secretsById, local) {
         vars[v.key] = v.value;
       }
     }
-    flat[(0, import_shared3.envPriorityKey)({ kind: "local", name })] = vars;
+    flat[(0, import_shared4.envPriorityKey)({ kind: "local", name })] = vars;
   }
   if (local) {
     for (const [linkId, snapshot2] of Object.entries(local.linkedCollections)) {
@@ -7792,7 +8515,7 @@ function buildEnvMaps(synced, secretsById, local) {
             vars[variable.key] = variable.value;
           }
         }
-        flat[(0, import_shared3.envPriorityKey)({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
+        flat[(0, import_shared4.envPriorityKey)({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
       }
     }
   }
@@ -7819,7 +8542,7 @@ function resolveRequest(request, synced, plan, envRefs, globalContext, flatEnvs,
     contextVars: Object.entries(ctxMap).map(([key, value]) => ({ key, value })),
     environments: flatEnvs,
     activeEnvName: null,
-    priorityOrder: envRefs.map(import_shared3.envPriorityKey),
+    priorityOrder: envRefs.map(import_shared4.envPriorityKey),
     secrets: secretsByLabel
   });
   const missing = /* @__PURE__ */ new Set();
@@ -7889,7 +8612,7 @@ function orphanRun(id, requestId, error) {
 function buildRequestRun(resolved, result, assertions) {
   const { preview, truncated } = clampPreview(result.body ?? "");
   return {
-    id: (0, import_shared3.generateId)(),
+    id: (0, import_shared4.generateId)(),
     requestId: resolved.id,
     startedAt: result.startedAt,
     durationMs: result.durationMs,
@@ -7909,8 +8632,8 @@ function buildRequestRun(resolved, result, assertions) {
   };
 }
 function clampPreview(value) {
-  if (value.length <= import_shared3.RUN_BODY_PREVIEW_LIMIT) return { preview: value, truncated: false };
-  return { preview: value.slice(0, import_shared3.RUN_BODY_PREVIEW_LIMIT), truncated: true };
+  if (value.length <= import_shared4.RUN_BODY_PREVIEW_LIMIT) return { preview: value, truncated: false };
+  return { preview: value.slice(0, import_shared4.RUN_BODY_PREVIEW_LIMIT), truncated: true };
 }
 function redactUrlCredentials(url) {
   try {
@@ -8133,9 +8856,9 @@ function toCsv(value) {
 }
 
 // src/transform/computeSavings.ts
-var import_shared4 = require("@apicircle/shared");
+var import_shared5 = require("@apicircle/shared");
 function computeTransformSavings(body, contentType) {
-  const originalBytes = (0, import_shared4.utf8ByteLength)(body);
+  const originalBytes = (0, import_shared5.utf8ByteLength)(body);
   if (!isJsonLike(body, contentType)) {
     return { originalBytes, minifiedBytes: originalBytes, candidates: [] };
   }
@@ -8146,7 +8869,7 @@ function computeTransformSavings(body, contentType) {
     return { originalBytes, minifiedBytes: originalBytes, candidates: [] };
   }
   const minified = JSON.stringify(parsed);
-  const minifiedBytes = (0, import_shared4.utf8ByteLength)(minified);
+  const minifiedBytes = (0, import_shared5.utf8ByteLength)(minified);
   const candidates = [];
   try {
     const toon = toToon(parsed);
@@ -8173,7 +8896,7 @@ function computeTransformSavings(body, contentType) {
   };
 }
 function makeCandidate(format, preview, baselineBytes) {
-  const bytes = (0, import_shared4.utf8ByteLength)(preview);
+  const bytes = (0, import_shared5.utf8ByteLength)(preview);
   const ratio = baselineBytes === 0 ? 0 : 1 - bytes / baselineBytes;
   return {
     format,
@@ -8197,31 +8920,35 @@ var TRANSFORM_FORMAT_LABELS = {
 0 && (module.exports = {
   ANONYMOUS_ACTOR,
   APICIRCLE_FOLDER_EXPORT_FORMAT,
-  ATTACHMENTS_DIR,
   DESKTOP_APP_ORIGIN,
   EMPTY_UNPUSHED_SUMMARY,
   HTTP_HEADERS_MAP,
   OAuth2TokenError,
   PlanRunDeniedError,
+  REGISTRY_JSON_PATH,
   RemoteWorkspaceParseError,
   TRANSFORM_FORMAT_LABELS,
   WORKSPACE_DIR,
-  WORKSPACE_JSON_PATH,
+  appendReleaseEntry,
   applyAuth,
   applyAwsSigV4,
   applyContentTypeForBodyType,
+  applyLinkedEnvironmentOverrides,
   applyLinkedUpdate,
   applyMerge,
   applyMutation,
   applyPathParams,
   assertNoPlaintextCredentials,
   attachmentPath,
+  attachmentsDir,
   buildAuthorizeUrl,
   buildAutoHeaders,
   buildDigestAuthHeader,
   buildHawkAuthHeader,
+  buildLinkedSnapshot,
   buildNtlmType1Negotiate,
   buildNtlmType3Authenticate,
+  buildReleaseEntry,
   buildRequest,
   buildScope,
   collectAttachmentSlots,
@@ -8235,6 +8962,7 @@ var TRANSFORM_FORMAT_LABELS = {
   composeUrl,
   composeUrlWithQuery,
   computeCodeChallenge,
+  computeRequestOverridePatch,
   computeThreeWayDiff,
   computeTransformSavings,
   decryptString,
@@ -8247,6 +8975,7 @@ var TRANSFORM_FORMAT_LABELS = {
   exportKey,
   extractContext,
   fetchOAuth2Token,
+  fetchRemoteWorkspaceJson,
   findPathPlaceholders,
   generateAesKey,
   generateCodeVerifier,
@@ -8264,14 +8993,18 @@ var TRANSFORM_FORMAT_LABELS = {
   hasUnpushedChanges,
   importApicircleFolderInto,
   importKey,
+  initSecretCrypto,
   isApicircleEnvironment,
   isApicircleFolderExport,
   isDesktop,
+  isEmptyOverridePatch,
   isInsomniaExport,
   isPostmanEnvironment,
   isPostmanV2Collection,
   isValidSemver,
+  ledgerFromProbe,
   lookup,
+  mergeRequestOverride,
   mergeWithAutoHeaders,
   normalizeContentType,
   parseApicircleEnvironment,
@@ -8282,12 +9015,15 @@ var TRANSFORM_FORMAT_LABELS = {
   parseDigestChallenge,
   parseGraphqlSchema,
   parseInsomniaCollection,
+  parseLinkedWorkspaceJson,
   parseNtlmType2Challenge,
   parsePostmanCollection,
   parsePostmanEnvironment,
+  parseRegistryActiveId,
   parseSemver,
   parseUrlQuery,
   parseWorkspaceJson,
+  plaintextEnvMap,
   pollDeviceFlow,
   preSendValidation,
   previewLinkedUpdate,
@@ -8300,6 +9036,7 @@ var TRANSFORM_FORMAT_LABELS = {
   requestRunToExecutionResult,
   resolveInheritedAuth,
   resolvePlanRef,
+  resolveRequestForExecution,
   resolveString,
   resolveStringMap,
   runAssertions,
@@ -8321,7 +9058,9 @@ var TRANSFORM_FORMAT_LABELS = {
   toYaml,
   tokenizeCurl,
   tryParsePayload,
+  unlockSecretCrypto,
   validateBranchName,
+  workspaceJsonPath,
   yankRelease
 });
 //# sourceMappingURL=index.cjs.map