@apicircle/core 1.0.9 → 1.1.0

package/dist/index.js

@@ -1054,8 +1054,7 @@ async function importPkcs8(pem, algorithm) {
       "JWT: PKCS#1 RSA PEM (`BEGIN RSA PRIVATE KEY`) is not supported. Convert with `openssl pkcs8 -topk8 -in key.pem -out pkcs8.pem -nocrypt`."
     );
   }
-  const envelope = /-----BEGIN [A-Z ]+-----([\s\S]*?)-----END [A-Z ]+-----/.exec(pem);
-  const body = envelope ? envelope[1] : pem;
+  const body = extractPemBody(pem);
   const stripped = body.replace(/\s+/g, "");
   if (!stripped) {
     throw new Error("JWT: PEM key is empty after stripping headers/whitespace");
@@ -1076,6 +1075,19 @@ async function importPkcs8(pem, algorithm) {
     ["sign"]
   );
 }
+function extractPemBody(pem) {
+  const BEGIN = "-----BEGIN ";
+  const END = "-----END ";
+  const FENCE = "-----";
+  const beginAt = pem.indexOf(BEGIN);
+  if (beginAt === -1) return pem;
+  const beginHeaderEnd = pem.indexOf(FENCE, beginAt + BEGIN.length);
+  if (beginHeaderEnd === -1) return pem;
+  const bodyStart = beginHeaderEnd + FENCE.length;
+  const endAt = pem.indexOf(END, bodyStart);
+  if (endAt === -1) return pem;
+  return pem.slice(bodyStart, endAt);
+}
 function base64UrlEncode(bytes) {
   let s = "";
   for (let i = 0; i < bytes.length; i++) s += String.fromCharCode(bytes[i]);
@@ -1530,6 +1542,10 @@ async function fetchOAuth2Token(args) {
   if (args.extraParams) {
     for (const [k, v] of Object.entries(args.extraParams)) body.set(k, v);
   }
+  const tokenUrlParsed = new URL(args.tokenUrl);
+  if (tokenUrlParsed.protocol !== "https:" && tokenUrlParsed.protocol !== "http:") {
+    throw new Error(`Token URL must use HTTP or HTTPS, got ${tokenUrlParsed.protocol}`);
+  }
   const response = await fetchImpl(args.tokenUrl, {
     method: "POST",
     headers,
@@ -2476,6 +2492,30 @@ function getVariableAutocomplete(text, cursorPosition, scope) {
   );
 }
 
+// src/request/resolveInheritedAuth.ts
+var NONE = { type: "none" };
+function resolveInheritedAuth({
+  requestAuth,
+  folderId,
+  folders
+}) {
+  if (requestAuth.type !== "inherit") return requestAuth;
+  let cursor = folderId;
+  const visited = /* @__PURE__ */ new Set();
+  while (cursor !== null) {
+    if (visited.has(cursor)) {
+      break;
+    }
+    visited.add(cursor);
+    const folder = folders[cursor];
+    if (!folder) break;
+    const auth = folder.auth;
+    if (auth && auth.type !== "inherit" && auth.type !== "none") return auth;
+    cursor = folder.parentId;
+  }
+  return NONE;
+}
+
 // src/request/preSendValidation.ts
 var TYPED_BODY_CT = {
   json: ["application/json", "application/ld+json", "application/vnd.api+json"],
@@ -2488,7 +2528,8 @@ function collectMissing(value, scope) {
 }
 function preSendValidation({
   request,
-  scope
+  scope,
+  folders
 }) {
   const warnings = [];
   const blockers = [];
@@ -2563,29 +2604,43 @@ function preSendValidation({
       });
     }
   }
-  const auth = request.auth;
+  let effectiveAuth = request.auth;
+  let resolvedFromInherit = false;
+  if (folders && effectiveAuth?.type === "inherit") {
+    effectiveAuth = resolveInheritedAuth({
+      requestAuth: { type: "inherit" },
+      folderId: request.folderId,
+      folders
+    });
+    resolvedFromInherit = true;
+  }
+  const auth = effectiveAuth;
+  const inheritedNote = resolvedFromInherit ? " (resolved from folder-level auth)" : "";
   if (auth) {
     if (auth.type === "bearer" && !auth.token?.trim()) {
-      blockers.push({ kind: "auth-fields-missing", message: "Bearer token is empty." });
+      blockers.push({
+        kind: "auth-fields-missing",
+        message: `Bearer token is empty.${inheritedNote}`
+      });
     } else if (auth.type === "basic") {
       if (!auth.username?.trim() || !auth.password?.trim()) {
         blockers.push({
           kind: "auth-fields-missing",
-          message: "Basic auth requires both username and password."
+          message: `Basic auth requires both username and password.${inheritedNote}`
         });
       }
     } else if (auth.type === "api-key") {
       if (!auth.key?.trim() || !auth.value?.trim()) {
         blockers.push({
           kind: "auth-fields-missing",
-          message: "API key auth requires both name and value."
+          message: `API key auth requires both name and value.${inheritedNote}`
         });
       }
     } else if (auth.type === "custom-header") {
       if (!auth.key?.trim()) {
         blockers.push({
           kind: "auth-fields-missing",
-          message: "Custom header auth requires a header name."
+          message: `Custom header auth requires a header name.${inheritedNote}`
         });
       }
     }
@@ -2972,6 +3027,15 @@ async function executeRequest(req, opts = {}) {
     );
     const redirectMode = isBrowserRuntime() ? "follow" : "manual";
     let currentUrl = builtRequest.url;
+    try {
+      const parsedUrl = new URL(currentUrl);
+      if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+        throw new Error(`Unsupported URL scheme: ${parsedUrl.protocol}`);
+      }
+    } catch (e) {
+      if (e instanceof Error && e.message.startsWith("Unsupported URL scheme")) throw e;
+      throw new Error(`Invalid request URL: ${currentUrl}`);
+    }
     let currentHeaders = { ...builtRequest.headers };
     let currentMethod = builtRequest.method;
     let currentBody = builtRequest.body;
@@ -3270,30 +3334,6 @@ function base64UrlEncode2(bytes) {
   return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 
-// src/request/resolveInheritedAuth.ts
-var NONE = { type: "none" };
-function resolveInheritedAuth({
-  requestAuth,
-  folderId,
-  folders
-}) {
-  if (requestAuth.type !== "inherit") return requestAuth;
-  let cursor = folderId;
-  const visited = /* @__PURE__ */ new Set();
-  while (cursor !== null) {
-    if (visited.has(cursor)) {
-      break;
-    }
-    visited.add(cursor);
-    const folder = folders[cursor];
-    if (!folder) break;
-    const auth = folder.auth;
-    if (auth && auth.type !== "inherit" && auth.type !== "none") return auth;
-    cursor = folder.parentId;
-  }
-  return NONE;
-}
-
 // src/request/parseCurl.ts
 var HTTP_METHODS = /* @__PURE__ */ new Set(["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"]);
 function tokenizeCurl(input) {
@@ -3595,10 +3635,12 @@ function parsePostmanCollection(input) {
     items.forEach((item, idx) => {
       const pathIds = parentPathIds ? [...parentPathIds, idx] : [idx];
       if (Array.isArray(item.item)) {
+        const folderAuth = item.auth ? parseAuth(item.auth, warnings, item.name) : void 0;
         folders.push({
           name: (item.name ?? "Untitled folder").trim() || "Untitled folder",
           pathIds,
-          parentPathIds
+          parentPathIds,
+          ...folderAuth && folderAuth.type !== "none" ? { auth: folderAuth } : {}
         });
         walk(item.item, pathIds);
         return;
@@ -3839,10 +3881,12 @@ function parseInsomniaCollection(input) {
     const parentPath = r.parentId ? folderIndexById.get(r.parentId) ?? null : null;
     const ourPath = parentPath ? [...parentPath, folderCounter++] : [folderCounter++];
     folderIndexById.set(r._id ?? "", ourPath);
+    const folderAuth = r.authentication ? parseAuth2(r.authentication, warnings, r.name) : void 0;
     folders.push({
       name: (r.name ?? "Untitled folder").trim() || "Untitled folder",
       pathIds: ourPath,
-      parentPathIds: parentPath
+      parentPathIds: parentPath,
+      ...folderAuth && folderAuth.type !== "none" ? { auth: folderAuth } : {}
     });
   }
   const requests = [];
@@ -4243,7 +4287,7 @@ function serializeFolderExport(envelope) {
   return JSON.stringify(envelope, null, 2);
 }
 function suggestFolderExportFilename(envelope) {
-  const slug = envelope.folder.name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+  const slug = envelope.folder.name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-/, "").replace(/-$/, "");
   const base = slug || "folder";
   return `${base}.apicircle.json`;
 }
@@ -4869,6 +4913,140 @@ function extractContext(result, extractions) {
   return { extracted, warnings };
 }
 
+// src/environment/resolveRequest.ts
+import { envPriorityKey } from "@apicircle/shared";
+function resolveRequestForExecution(args) {
+  const refs = args.envPriorityOverride && args.envPriorityOverride.length > 0 ? args.envPriorityOverride : args.synced.environments.priorityOrder;
+  const flatEnvs = {};
+  for (const [name, vars] of Object.entries(args.localEnvs)) {
+    flatEnvs[envPriorityKey({ kind: "local", name })] = vars;
+  }
+  for (const [linkId, byEnv] of Object.entries(args.linkedEnvs ?? {})) {
+    for (const [envName, vars] of Object.entries(byEnv)) {
+      flatEnvs[envPriorityKey({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
+    }
+  }
+  const ctxMap = { ...args.globalContext ?? {} };
+  for (const v of args.planVariables ?? []) {
+    if (v.key) ctxMap[v.key] = v.value;
+  }
+  for (const v of args.request.contextVars) {
+    if (v.key) ctxMap[v.key] = v.value;
+  }
+  const contextVars = Object.entries(ctxMap).map(([key, value]) => ({ key, value }));
+  const scope = buildScope({
+    contextVars,
+    environments: flatEnvs,
+    activeEnvName: null,
+    // priorityOrder is the sole list the resolver consults.
+    priorityOrder: refs.map(envPriorityKey),
+    secrets: args.secrets ?? {}
+  });
+  const missing = /* @__PURE__ */ new Set();
+  const interp = (s) => {
+    const r = resolveString(s, scope);
+    for (const m of r.missing) missing.add(m);
+    return r.value;
+  };
+  const url = interp(args.request.url);
+  const headers = args.request.headers.map((h) => ({
+    ...h,
+    key: interp(h.key),
+    value: interp(h.value)
+  }));
+  const query = args.request.query.map((q) => ({
+    ...q,
+    key: interp(q.key),
+    value: interp(q.value)
+  }));
+  let body = args.request.body;
+  if (body.type === "json" || body.type === "text" || body.type === "xml" || body.type === "graphql" || body.type === "urlencoded") {
+    body = { ...body, content: interp(body.content) };
+  } else if (body.type === "form-data" && body.formRows) {
+    body = {
+      ...body,
+      formRows: body.formRows.map(
+        (row) => row.kind === "text" ? { ...row, key: interp(row.key), value: interp(row.value) } : { ...row, key: interp(row.key) }
+      )
+    };
+  }
+  const inheritedAuth = resolveInheritedAuth({
+    requestAuth: args.request.auth ?? { type: "none" },
+    folderId: args.request.folderId,
+    folders: args.synced.collections.folders
+  });
+  const auth = interpolateAuthVariables(inheritedAuth, interp);
+  return {
+    request: { ...args.request, url, headers, query, body, auth },
+    scope,
+    missing: [...missing]
+  };
+}
+function interpolateAuthVariables(auth, interp) {
+  const resolved = {};
+  for (const [key, value] of Object.entries(auth)) {
+    resolved[key] = key !== "type" && typeof value === "string" ? interp(value) : value;
+  }
+  return resolved;
+}
+function applyLinkedEnvironmentOverrides(source, linkedWorkspaceId, synced) {
+  const overrides = Object.values(synced.linkedOverrides.environmentVars).filter(
+    (o) => o.linkedWorkspaceId === linkedWorkspaceId
+  );
+  if (overrides.length === 0) return source;
+  const items = {};
+  for (const [envName, env] of Object.entries(source.items)) {
+    const envOverrides = overrides.filter((o) => o.envName === envName);
+    if (envOverrides.length === 0) {
+      items[envName] = env;
+      continue;
+    }
+    const removed = new Set(envOverrides.filter((o) => o.removed).map((o) => o.varKey));
+    const replaceMap = new Map(envOverrides.filter((o) => !o.removed).map((o) => [o.varKey, o]));
+    const variables = [];
+    const seenKeys = /* @__PURE__ */ new Set();
+    for (const v of env.variables) {
+      if (removed.has(v.key)) continue;
+      const ov = replaceMap.get(v.key);
+      if (ov) {
+        variables.push({
+          key: v.key,
+          value: ov.value ?? v.value,
+          encrypted: ov.encrypted ?? v.encrypted,
+          ...ov.secretKeyId !== void 0 ? { secretKeyId: ov.secretKeyId } : v.secretKeyId !== void 0 ? { secretKeyId: v.secretKeyId } : {}
+        });
+      } else {
+        variables.push(v);
+      }
+      seenKeys.add(v.key);
+    }
+    for (const ov of envOverrides) {
+      if (ov.removed) continue;
+      if (seenKeys.has(ov.varKey)) continue;
+      variables.push({
+        key: ov.varKey,
+        value: ov.value ?? "",
+        encrypted: ov.encrypted ?? false,
+        ...ov.secretKeyId !== void 0 ? { secretKeyId: ov.secretKeyId } : {}
+      });
+    }
+    items[envName] = { ...env, variables };
+  }
+  return { ...source, items };
+}
+function plaintextEnvMap(source) {
+  const out = {};
+  for (const [name, env] of Object.entries(source.items)) {
+    const vars = {};
+    for (const v of env.variables) {
+      if (v.encrypted) continue;
+      vars[v.key] = v.value;
+    }
+    out[name] = vars;
+  }
+  return out;
+}
+
 // src/secrets/crypto.ts
 var IV_BYTES = 12;
 var SALT_BYTES = 16;
@@ -4953,6 +5131,95 @@ function base64ToBytes(b64) {
   return out;
 }
 
+// src/secrets/passphraseKey.ts
+var PBKDF2_HASH = "SHA-256";
+var PBKDF2_ITERATIONS2 = 12e5;
+var SALT_BYTES2 = 16;
+var VERIFIER_SENTINEL = "apicircle/passphrase-verifier/v1";
+function base64Encode2(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary);
+}
+function base64Decode2(b64) {
+  const binary = atob(b64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+function utf8Bytes(s) {
+  return new TextEncoder().encode(s);
+}
+async function deriveKey(passphrase, salt, iterations) {
+  const baseKey = await crypto.subtle.importKey(
+    "raw",
+    utf8Bytes(passphrase),
+    { name: "PBKDF2" },
+    false,
+    ["deriveKey"]
+  );
+  return crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt,
+      iterations,
+      hash: PBKDF2_HASH
+    },
+    baseKey,
+    { name: "AES-GCM", length: 256 },
+    /* extractable */
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+async function computeVerifier(key) {
+  const iv = new Uint8Array(12);
+  const ct = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    utf8Bytes(VERIFIER_SENTINEL)
+  );
+  return base64Encode2(new Uint8Array(ct));
+}
+async function initSecretCrypto(passphrase, iterations = PBKDF2_ITERATIONS2) {
+  if (passphrase.length === 0) throw new Error("Passphrase cannot be empty");
+  if (iterations < 1) throw new Error("iterations must be >= 1");
+  const salt = crypto.getRandomValues(new Uint8Array(SALT_BYTES2));
+  const key = await deriveKey(passphrase, salt, iterations);
+  const verifier = await computeVerifier(key);
+  return {
+    crypto: {
+      kdf: "pbkdf2-sha256-v1",
+      salt: base64Encode2(salt),
+      iterations,
+      verifier
+    },
+    key
+  };
+}
+async function unlockSecretCrypto(passphrase, blob) {
+  if (blob.kdf !== "pbkdf2-sha256-v1") {
+    return { ok: false, reason: `Unsupported KDF: ${String(blob.kdf)}` };
+  }
+  let salt;
+  try {
+    salt = base64Decode2(blob.salt);
+  } catch {
+    return { ok: false, reason: "Workspace secret salt is corrupt." };
+  }
+  let key;
+  try {
+    key = await deriveKey(passphrase, salt, blob.iterations);
+  } catch (err) {
+    return { ok: false, reason: err instanceof Error ? err.message : "Key derivation failed" };
+  }
+  const verifier = await computeVerifier(key);
+  if (verifier !== blob.verifier) {
+    return { ok: false, reason: "Wrong passphrase." };
+  }
+  return { ok: true, key };
+}
+
 // src/git/branchNames.ts
 var SLUG_FALLBACK = "workspace";
 var SUFFIX_LEN = 6;
@@ -5012,10 +5279,32 @@ function sortedReplacer(_key, value) {
 
 // src/git/repoPaths.ts
 var WORKSPACE_DIR = ".apicircle";
-var WORKSPACE_JSON_PATH = `${WORKSPACE_DIR}/workspace.json`;
-var ATTACHMENTS_DIR = `${WORKSPACE_DIR}/attachments`;
-function attachmentPath(slotId) {
-  return `${ATTACHMENTS_DIR}/${slotId}`;
+var REGISTRY_JSON_PATH = `${WORKSPACE_DIR}/registry.json`;
+function workspaceJsonPath(workspaceId) {
+  return `${WORKSPACE_DIR}/workspace-${workspaceId}/workspace.json`;
+}
+function attachmentsDir(workspaceId) {
+  return `${WORKSPACE_DIR}/workspace-${workspaceId}/attachments`;
+}
+function attachmentPath(workspaceId, slotId) {
+  return `${attachmentsDir(workspaceId)}/${slotId}`;
+}
+function parseRegistryActiveId(registryJsonContent) {
+  try {
+    const parsed = JSON.parse(registryJsonContent);
+    return parsed.activeWorkspaceId ?? parsed.workspaces?.[0]?.id ?? null;
+  } catch {
+    return null;
+  }
+}
+async function fetchRemoteWorkspaceJson(fetchFile) {
+  const registryContent = await fetchFile(REGISTRY_JSON_PATH);
+  if (registryContent === null) return { error: "No .apicircle/registry.json found in repo" };
+  const wsId = parseRegistryActiveId(registryContent);
+  if (!wsId) return { error: "Registry is empty \u2014 no workspaces found" };
+  const wsContent = await fetchFile(workspaceJsonPath(wsId));
+  if (wsContent === null) return { error: `No workspace.json at .apicircle/workspace-${wsId}/` };
+  return { workspaceId: wsId, content: wsContent };
 }
 
 // src/git/parseWorkspaceJson.ts
@@ -5274,18 +5563,14 @@ function sortVersionsDesc(versions) {
 }
 
 // src/release/publishRelease.ts
-async function publishRelease(synced, args) {
+async function buildReleaseEntry(synced, args) {
   const version = args.version.trim();
   if (!isValidSemver(version)) {
     throw new Error(`Invalid semver: ${args.version}`);
   }
-  const ledger = synced.releases.self ?? emptyLedger();
-  if (ledger.versions.some((v) => v.version === version)) {
-    throw new Error(`Version ${version} already exists in this workspace's release ledger`);
-  }
   const snapshotSource = serializeWorkspaceForGit(synced);
   const workspaceSnapshot = await sha256Hex2(snapshotSource);
-  const entry = {
+  return {
     version,
     publishedAt: args.publishedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
     notes: args.notes,
@@ -5295,23 +5580,36 @@ async function publishRelease(synced, args) {
     ...args.sha ? { sha: args.sha } : {},
     ...args.tagName ? { tagName: args.tagName } : {}
   };
+}
+function appendReleaseEntry(synced, entry, now = entry.publishedAt) {
+  if (!isValidSemver(entry.version)) {
+    throw new Error(`Invalid semver: ${entry.version}`);
+  }
+  const ledger = synced.releases.self ?? emptyLedger();
+  if (ledger.versions.some((v) => v.version === entry.version)) {
+    throw new Error(`Version ${entry.version} already exists in this workspace's release ledger`);
+  }
   const next = {
     versions: [...ledger.versions, entry],
-    currentVersion: version
+    currentVersion: entry.version
   };
   return {
     ...synced,
     releases: { ...synced.releases, self: next },
-    meta: { ...synced.meta, updatedAt: entry.publishedAt }
+    meta: { ...synced.meta, updatedAt: now }
   };
 }
-function deprecateRelease(synced, version) {
-  return mapReleaseVersion(synced, version, (v) => ({ ...v, deprecated: true }));
+async function publishRelease(synced, args) {
+  const entry = await buildReleaseEntry(synced, args);
+  return appendReleaseEntry(synced, entry);
+}
+function deprecateRelease(synced, version, now = (/* @__PURE__ */ new Date()).toISOString()) {
+  return mapReleaseVersion(synced, version, (v) => ({ ...v, deprecated: true }), now);
 }
-function yankRelease(synced, version) {
-  return mapReleaseVersion(synced, version, (v) => ({ ...v, yanked: true }));
+function yankRelease(synced, version, now = (/* @__PURE__ */ new Date()).toISOString()) {
+  return mapReleaseVersion(synced, version, (v) => ({ ...v, yanked: true }), now);
 }
-function mapReleaseVersion(synced, version, fn) {
+function mapReleaseVersion(synced, version, fn, now) {
   const ledger = synced.releases.self;
   if (!ledger) throw new Error("No releases to modify");
   const idx = ledger.versions.findIndex((v) => v.version === version);
@@ -5321,7 +5619,7 @@ function mapReleaseVersion(synced, version, fn) {
   return {
     ...synced,
     releases: { ...synced.releases, self: { ...ledger, versions } },
-    meta: { ...synced.meta, updatedAt: (/* @__PURE__ */ new Date()).toISOString() }
+    meta: { ...synced.meta, updatedAt: now }
   };
 }
 function emptyLedger() {
@@ -5333,6 +5631,99 @@ async function sha256Hex2(text) {
   return [...new Uint8Array(digest)].map((b) => b.toString(16).padStart(2, "0")).join("");
 }
 
+// src/linked/linkedSnapshot.ts
+var LINKED_FORBIDDEN_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
+var MAX_LINKED_JSON_BYTES = 16 * 1024 * 1024;
+function parseLinkedWorkspaceJson(text) {
+  if (text.length > MAX_LINKED_JSON_BYTES) {
+    throw new Error("Remote workspace.json exceeds 16 MiB");
+  }
+  let raw;
+  try {
+    raw = JSON.parse(
+      text,
+      (key, value) => LINKED_FORBIDDEN_KEYS.has(key) ? void 0 : value
+    );
+  } catch {
+    throw new Error("Remote workspace.json is not valid JSON");
+  }
+  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
+    throw new Error("Remote workspace.json is not an object");
+  }
+  const obj = raw;
+  const asObject = (v) => typeof v === "object" && v !== null ? v : void 0;
+  return {
+    workspaceId: typeof obj.workspaceId === "string" ? obj.workspaceId : void 0,
+    releases: asObject(obj.releases),
+    collections: asObject(obj.collections),
+    environments: asObject(obj.environments),
+    secretKeys: asObject(obj.secretKeys),
+    globalAssets: asObject(obj.globalAssets)
+  };
+}
+function ledgerFromProbe(parsed) {
+  return parsed.releases?.self ?? { versions: [], currentVersion: null };
+}
+function buildLinkedSnapshot(parsed, link) {
+  if (!parsed.collections && !parsed.environments) return null;
+  return {
+    pulledAt: link.linkedAt,
+    ref: link.pinnedVersion ? `v${link.pinnedVersion}` : `HEAD@${link.source.branch}`,
+    collections: parsed.collections ?? {
+      tree: { id: "remote-root", type: "root", children: [] },
+      requests: {},
+      folders: {}
+    },
+    environments: parsed.environments ?? {
+      items: {},
+      activeName: null,
+      priorityOrder: []
+    },
+    ...parsed.secretKeys ? { secretKeys: parsed.secretKeys } : {},
+    ...parsed.globalAssets ? { globalAssets: parsed.globalAssets } : {}
+  };
+}
+
+// src/linked/requestOverride.ts
+var OVERRIDABLE_FIELDS = [
+  "name",
+  "method",
+  "url",
+  "headers",
+  "query",
+  "pathParams",
+  "cookies",
+  "body",
+  "auth",
+  "contextVars",
+  "extractions",
+  "assertions"
+];
+function mergeRequestOverride(base, patch) {
+  const merged = { ...base };
+  const p = patch;
+  const target = merged;
+  for (const field of OVERRIDABLE_FIELDS) {
+    if (p[field] !== void 0) target[field] = p[field];
+  }
+  return merged;
+}
+function computeRequestOverridePatch(base, effective) {
+  const baseRec = { ...base };
+  const effRec = { ...effective };
+  const patch = {};
+  const patchRec = patch;
+  for (const field of OVERRIDABLE_FIELDS) {
+    if (JSON.stringify(baseRec[field]) !== JSON.stringify(effRec[field])) {
+      patchRec[field] = effRec[field];
+    }
+  }
+  return patch;
+}
+function isEmptyOverridePatch(patch) {
+  return Object.keys(patch).filter((k) => OVERRIDABLE_FIELDS.includes(k)).length === 0;
+}
+
 // src/editors/contentTypeLanguageMap.ts
 var CONTENT_TYPE_LANGUAGE_MAP = {
   "application/json": "json",
@@ -6265,7 +6656,8 @@ function previewLinkedUpdate(args) {
       status,
       base,
       target,
-      override
+      override,
+      ...status === "both-changed" && base && target && override ? { autoMergeable: requestOverrideIsDisjoint(base, target, override) } : {}
     });
   }
   const baseFolders = args.base?.collections.folders ?? {};
@@ -6345,6 +6737,34 @@ function classifyRequest(base, target, override) {
   if (sourceChanged && !hasOverride) return "source-only";
   return "both-changed";
 }
+var OVERRIDABLE_REQUEST_FIELDS = [
+  "name",
+  "method",
+  "url",
+  "headers",
+  "query",
+  "pathParams",
+  "cookies",
+  "body",
+  "auth",
+  "contextVars",
+  "extractions",
+  "assertions"
+];
+function requestOverrideIsDisjoint(base, target, override) {
+  const baseRec = { ...base };
+  const targetRec = { ...target };
+  const overriddenFields = Object.keys(override.patch);
+  for (const f of overriddenFields) {
+    if (!OVERRIDABLE_REQUEST_FIELDS.includes(f)) {
+      continue;
+    }
+    if (!structurallyEqual2(baseRec[f], targetRec[f])) {
+      return false;
+    }
+  }
+  return true;
+}
 function classifyFolder(base, target) {
   if (!base && target) return "new-in-source";
   if (base && !target) return "removed-in-source";
@@ -6394,7 +6814,7 @@ function applyLinkedUpdate(args) {
       continue;
     }
     if (entry.status === "both-changed") {
-      const choice = args.resolutions[id];
+      const choice = args.resolutions[id] ?? (entry.autoMergeable ? "mine" : void 0);
       if (!choice) {
         throw new Error(
           `applyLinkedUpdate: unresolved both-changed entry "${entry.label}" (${id})`
@@ -6405,7 +6825,8 @@ function applyLinkedUpdate(args) {
         else if (entry.bucket === "environment-var") envVarOverridesByKey.delete(entry.key);
         log.push({ entryKey: id, bucket: entry.bucket, action: "accept-source" });
       } else {
-        log.push({ entryKey: id, bucket: entry.bucket, action: "keep-mine" });
+        const auto = entry.autoMergeable === true && !args.resolutions[id];
+        log.push({ entryKey: id, bucket: entry.bucket, action: auto ? "auto-merge" : "keep-mine" });
       }
     }
   }
@@ -6421,7 +6842,7 @@ function structurallyEqual2(a, b) {
 }
 
 // src/workspace/applyMutation.ts
-import { envPriorityKey, generateId as generateId2 } from "@apicircle/shared";
+import { envPriorityKey as envPriorityKey2, generateId as generateId2 } from "@apicircle/shared";
 
 // src/workspace/apicircleFolderImport.ts
 function importApicircleFolderInto(synced, parsed, parentFolderId) {
@@ -6662,6 +7083,8 @@ function applyMutation(state, patch, options = {}) {
       return applyFolderDelete(state, patch.id, now);
     case "folder.move":
       return applyFolderMove(state, patch.id, patch.newParentId, now);
+    case "folder.update":
+      return applyFolderUpdate(state, patch.id, patch.patch, now);
     case "folder.import_apicircle":
       return applyFolderImportApicircle(state, patch.parsed, patch.parentFolderId, now);
     case "environment.upsert":
@@ -6674,6 +7097,10 @@ function applyMutation(state, patch, options = {}) {
       return applyEnvSetPriority(state, patch.order, now);
     case "secretKey.upsert":
       return applySecretKeyUpsert(state, patch.meta, now);
+    case "secret.crypto.set":
+      return applySecretCryptoSet(state, patch.crypto, now);
+    case "secret.crypto.clear":
+      return applySecretCryptoClear(state, now);
     case "assertion.upsert":
       return applyAssertionUpsert(state, patch.requestId, patch.assertion, now);
     case "assertion.delete":
@@ -6682,6 +7109,34 @@ function applyMutation(state, patch, options = {}) {
       return applyMockUpsert(state, patch.mock, now);
     case "mock.delete":
       return applyMockDelete(state, patch.id, now);
+    case "release.publish":
+      return applyReleasePublish(state, patch.entry, now);
+    case "release.deprecate":
+      return applyReleaseDeprecate(state, patch.version, now);
+    case "release.yank":
+      return applyReleaseYank(state, patch.version, now);
+    case "linkedWorkspace.upsert":
+      return applyLinkedWorkspaceUpsert(state, patch.link, patch.ledger, patch.snapshot, now);
+    case "linkedWorkspace.remove":
+      return applyLinkedWorkspaceRemove(state, patch.id, now);
+    case "linkedWorkspace.applyUpdate":
+      return applyLinkedWorkspaceApplyUpdate(state, patch, now);
+    case "linkedOverride.setRequest":
+      return applyLinkedOverrideSetRequest(state, patch.override, now);
+    case "linkedOverride.removeRequest":
+      return applyLinkedOverrideRemoveRequest(state, patch.linkedWorkspaceId, patch.itemId, now);
+    case "linkedOverride.setEnvVar":
+      return applyLinkedOverrideSetEnvVar(state, patch.override, now);
+    case "linkedOverride.removeEnvVar":
+      return applyLinkedOverrideRemoveEnvVar(
+        state,
+        patch.linkedWorkspaceId,
+        patch.envName,
+        patch.varKey,
+        now
+      );
+    case "linkedOverride.clearForLink":
+      return applyLinkedOverrideClearForLink(state, patch.linkedWorkspaceId, now);
     case "globalAsset.upsertFile":
       return applyGlobalAssetUpsertFile(state, patch.file, now);
     case "globalAsset.removeFile":
@@ -6718,12 +7173,13 @@ function applyRequestCreate(state, request, now) {
   if (state.synced.collections.requests[request.id]) {
     return { next: state, changedIds: [] };
   }
+  const tree = request.folderId ? state.synced.collections.tree : pushTreeChild(state.synced.collections.tree, { kind: "request", id: request.id });
   const synced = {
     ...state.synced,
     collections: {
       ...state.synced.collections,
       requests: { ...state.synced.collections.requests, [request.id]: request },
-      tree: pushTreeChild(state.synced.collections.tree, { kind: "request", id: request.id })
+      tree
     },
     meta: { ...state.synced.meta, updatedAt: now }
   };
@@ -6772,12 +7228,13 @@ function applyFolderCreate(state, folder, now) {
   if (state.synced.collections.folders[folder.id]) {
     return { next: state, changedIds: [] };
   }
+  const tree = folder.parentId ? state.synced.collections.tree : pushTreeChild(state.synced.collections.tree, { kind: "folder", id: folder.id });
   const synced = {
     ...state.synced,
     collections: {
       ...state.synced.collections,
       folders: { ...state.synced.collections.folders, [folder.id]: folder },
-      tree: pushTreeChild(state.synced.collections.tree, { kind: "folder", id: folder.id })
+      tree
     },
     meta: { ...state.synced.meta, updatedAt: now }
   };
@@ -6846,6 +7303,57 @@ function applyFolderMove(state, id, newParentId, now) {
   };
   return { next: { ...state, synced }, changedIds: [id] };
 }
+function applyFolderUpdate(state, id, patch, now) {
+  const folder = state.synced.collections.folders[id];
+  if (!folder) {
+    return { next: state, changedIds: [] };
+  }
+  const nameChanging = "name" in patch && patch.name !== void 0;
+  const authChanging = "auth" in patch;
+  if (!nameChanging && !authChanging) {
+    return { next: state, changedIds: [] };
+  }
+  let nextName = folder.name;
+  if (nameChanging) {
+    const trimmed = patch.name.trim();
+    if (!trimmed) {
+    } else if (trimmed === folder.name) {
+    } else if (!isFolderNameUnique(state, folder.parentId, trimmed, id)) {
+      return { next: state, changedIds: [] };
+    } else {
+      nextName = trimmed;
+    }
+  }
+  const nextFolder = { ...folder, name: nextName };
+  if (authChanging) {
+    if (patch.auth === void 0) {
+      delete nextFolder.auth;
+    } else {
+      nextFolder.auth = patch.auth;
+    }
+  }
+  if (nextFolder.name === folder.name && nextFolder.auth === folder.auth) {
+    return { next: state, changedIds: [] };
+  }
+  const synced = {
+    ...state.synced,
+    collections: {
+      ...state.synced.collections,
+      folders: { ...state.synced.collections.folders, [id]: nextFolder }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [id] };
+}
+function isFolderNameUnique(state, parentId, trimmedCandidate, ignoreId) {
+  const target = trimmedCandidate.toLowerCase();
+  for (const f of Object.values(state.synced.collections.folders)) {
+    if (f.id === ignoreId) continue;
+    if (f.parentId !== parentId) continue;
+    if (f.name.trim().toLowerCase() === target) return false;
+  }
+  return true;
+}
 function applyFolderImportApicircle(state, parsed, parentFolderId, now) {
   const result = importApicircleFolderInto(
     state.synced,
@@ -6925,7 +7433,7 @@ function applyEnvSetPriority(state, order, now) {
   const knownLocal = new Set(Object.keys(state.synced.environments.items));
   const seen = /* @__PURE__ */ new Set();
   const filtered = order.filter((ref) => {
-    const key = envPriorityKey(ref);
+    const key = envPriorityKey2(ref);
     if (seen.has(key)) return false;
     if (ref.kind === "local" && !knownLocal.has(ref.name)) return false;
     seen.add(key);
@@ -6936,7 +7444,7 @@ function applyEnvSetPriority(state, order, now) {
     environments: { ...state.synced.environments, priorityOrder: filtered },
     meta: { ...state.synced.meta, updatedAt: now }
   };
-  return { next: { ...state, synced }, changedIds: filtered.map(envPriorityKey) };
+  return { next: { ...state, synced }, changedIds: filtered.map(envPriorityKey2) };
 }
 function applySecretKeyUpsert(state, meta, now) {
   if (!meta.id || !meta.label.trim() || !meta.salt) {
@@ -6952,6 +7460,28 @@ function applySecretKeyUpsert(state, meta, now) {
   };
   return { next: { ...state, synced }, changedIds: [meta.id] };
 }
+function applySecretCryptoSet(state, crypto2, now) {
+  if (!crypto2 || crypto2.kdf !== "pbkdf2-sha256-v1" || !crypto2.salt || !crypto2.verifier || !(crypto2.iterations >= 1)) {
+    return { next: state, changedIds: [] };
+  }
+  const synced = {
+    ...state.synced,
+    secretCrypto: { ...crypto2 },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: ["secret.crypto"] };
+}
+function applySecretCryptoClear(state, now) {
+  if (!state.synced.secretCrypto) {
+    return { next: state, changedIds: [] };
+  }
+  const synced = {
+    ...state.synced,
+    secretCrypto: null,
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: ["secret.crypto"] };
+}
 function applyAssertionUpsert(state, requestId, assertion, now) {
   const request = state.synced.collections.requests[requestId];
   if (!request) {
@@ -7009,6 +7539,191 @@ function applyMockDelete(state, id, now) {
   } : state.local;
   return { next: { synced, local }, changedIds: [id] };
 }
+function applyReleasePublish(state, entry, now) {
+  const synced = appendReleaseEntry(state.synced, entry, now);
+  return { next: { ...state, synced }, changedIds: [entry.version] };
+}
+function applyReleaseDeprecate(state, version, now) {
+  const synced = deprecateRelease(state.synced, version, now);
+  return { next: { ...state, synced }, changedIds: [version] };
+}
+function applyReleaseYank(state, version, now) {
+  const synced = yankRelease(state.synced, version, now);
+  return { next: { ...state, synced }, changedIds: [version] };
+}
+function applyLinkedWorkspaceUpsert(state, link, ledger, snapshot2, now) {
+  const synced = {
+    ...state.synced,
+    linkedWorkspaces: { ...state.synced.linkedWorkspaces, [link.id]: link },
+    releases: ledger ? {
+      ...state.synced.releases,
+      perLink: { ...state.synced.releases.perLink, [link.id]: ledger }
+    } : state.synced.releases,
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  const local = snapshot2 ? {
+    ...state.local,
+    linkedCollections: { ...state.local.linkedCollections, [link.id]: snapshot2 }
+  } : state.local;
+  return { next: { synced, local }, changedIds: [link.id] };
+}
+function applyLinkedWorkspaceRemove(state, id, now) {
+  if (!state.synced.linkedWorkspaces[id]) {
+    return { next: state, changedIds: [] };
+  }
+  const linkedWorkspaces = { ...state.synced.linkedWorkspaces };
+  delete linkedWorkspaces[id];
+  const perLink = { ...state.synced.releases.perLink };
+  delete perLink[id];
+  const prefix = `${id}:`;
+  const dropPrefixed = (map) => Object.fromEntries(Object.entries(map).filter(([k]) => !k.startsWith(prefix)));
+  const synced = {
+    ...state.synced,
+    linkedWorkspaces,
+    releases: { ...state.synced.releases, perLink },
+    linkedOverrides: {
+      requests: dropPrefixed(state.synced.linkedOverrides.requests),
+      environmentVars: dropPrefixed(state.synced.linkedOverrides.environmentVars)
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  const linkedCollections = { ...state.local.linkedCollections };
+  delete linkedCollections[id];
+  const githubLinks = { ...state.local.sessions.github.links };
+  delete githubLinks[id];
+  const local = {
+    ...state.local,
+    linkedCollections,
+    sessions: {
+      ...state.local.sessions,
+      github: { ...state.local.sessions.github, links: githubLinks }
+    }
+  };
+  return { next: { synced, local }, changedIds: [id] };
+}
+function applyLinkedWorkspaceApplyUpdate(state, patch, now) {
+  const link = state.synced.linkedWorkspaces[patch.id];
+  if (!link) {
+    return { next: state, changedIds: [] };
+  }
+  const prefix = `${patch.id}:`;
+  const otherRequests = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.requests).filter(([k]) => !k.startsWith(prefix))
+  );
+  for (const o of patch.requestOverrides) {
+    otherRequests[`${o.linkedWorkspaceId}:${o.itemId}`] = o;
+  }
+  const otherEnvVars = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.environmentVars).filter(
+      ([k]) => !k.startsWith(prefix)
+    )
+  );
+  for (const o of patch.envVarOverrides) {
+    otherEnvVars[`${o.linkedWorkspaceId}:${o.envName}:${o.varKey}`] = o;
+  }
+  const synced = {
+    ...state.synced,
+    linkedWorkspaces: {
+      ...state.synced.linkedWorkspaces,
+      [patch.id]: { ...link, pinnedVersion: patch.pinnedVersion }
+    },
+    releases: {
+      ...state.synced.releases,
+      perLink: { ...state.synced.releases.perLink, [patch.id]: patch.ledger }
+    },
+    linkedOverrides: { requests: otherRequests, environmentVars: otherEnvVars },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  const local = {
+    ...state.local,
+    linkedCollections: { ...state.local.linkedCollections, [patch.id]: patch.snapshot }
+  };
+  return { next: { synced, local }, changedIds: [patch.id] };
+}
+function applyLinkedOverrideSetRequest(state, override, now) {
+  const key = `${override.linkedWorkspaceId}:${override.itemId}`;
+  const synced = {
+    ...state.synced,
+    linkedOverrides: {
+      ...state.synced.linkedOverrides,
+      requests: {
+        ...state.synced.linkedOverrides.requests,
+        [key]: { ...override, updatedAt: now }
+      }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideRemoveRequest(state, linkedWorkspaceId, itemId, now) {
+  const key = `${linkedWorkspaceId}:${itemId}`;
+  if (!state.synced.linkedOverrides.requests[key]) {
+    return { next: state, changedIds: [] };
+  }
+  const requests = { ...state.synced.linkedOverrides.requests };
+  delete requests[key];
+  const synced = {
+    ...state.synced,
+    linkedOverrides: { ...state.synced.linkedOverrides, requests },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideSetEnvVar(state, override, now) {
+  const key = `${override.linkedWorkspaceId}:${override.envName}:${override.varKey}`;
+  const synced = {
+    ...state.synced,
+    linkedOverrides: {
+      ...state.synced.linkedOverrides,
+      environmentVars: {
+        ...state.synced.linkedOverrides.environmentVars,
+        [key]: { ...override, updatedAt: now }
+      }
+    },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideRemoveEnvVar(state, linkedWorkspaceId, envName, varKey, now) {
+  const key = `${linkedWorkspaceId}:${envName}:${varKey}`;
+  if (!state.synced.linkedOverrides.environmentVars[key]) {
+    return { next: state, changedIds: [] };
+  }
+  const environmentVars = { ...state.synced.linkedOverrides.environmentVars };
+  delete environmentVars[key];
+  const synced = {
+    ...state.synced,
+    linkedOverrides: { ...state.synced.linkedOverrides, environmentVars },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [key] };
+}
+function applyLinkedOverrideClearForLink(state, linkedWorkspaceId, now) {
+  const prefix = `${linkedWorkspaceId}:`;
+  const requestKeys = Object.keys(state.synced.linkedOverrides.requests).filter(
+    (k) => k.startsWith(prefix)
+  );
+  const envKeys = Object.keys(state.synced.linkedOverrides.environmentVars).filter(
+    (k) => k.startsWith(prefix)
+  );
+  if (requestKeys.length === 0 && envKeys.length === 0) {
+    return { next: state, changedIds: [] };
+  }
+  const requests = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.requests).filter(([k]) => !k.startsWith(prefix))
+  );
+  const environmentVars = Object.fromEntries(
+    Object.entries(state.synced.linkedOverrides.environmentVars).filter(
+      ([k]) => !k.startsWith(prefix)
+    )
+  );
+  const synced = {
+    ...state.synced,
+    linkedOverrides: { requests, environmentVars },
+    meta: { ...state.synced.meta, updatedAt: now }
+  };
+  return { next: { ...state, synced }, changedIds: [...requestKeys, ...envKeys] };
+}
 function applyGlobalAssetUpsertFile(state, file, now) {
   const files = state.synced.globalAssets.files ?? {};
   const existing = files[file.id];
@@ -7079,6 +7794,14 @@ function applyGlobalAssetRemoveFile(state, id, now) {
     delete nextUsage[id];
     local = { ...local, assetUsageIndex: nextUsage };
   }
+  const existing = files[id];
+  const hadRemoteRef = Boolean(existing.workingBranchRef || existing.baseBranchRef);
+  if (hadRemoteRef && !(local.pendingAttachmentDeletes ?? []).includes(existing.slotId)) {
+    local = {
+      ...local,
+      pendingAttachmentDeletes: [...local.pendingAttachmentDeletes ?? [], existing.slotId]
+    };
+  }
   const synced = {
     ...state.synced,
     collections: { ...state.synced.collections, requests },
@@ -7324,7 +8047,7 @@ function applyHistoryPurge(state, olderThanMs) {
 }
 
 // src/workspace/runPlan.ts
-import { envPriorityKey as envPriorityKey2, generateId as generateId3, RUN_BODY_PREVIEW_LIMIT } from "@apicircle/shared";
+import { envPriorityKey as envPriorityKey3, generateId as generateId3, RUN_BODY_PREVIEW_LIMIT } from "@apicircle/shared";
 var MAX_REQUEST_RUNS = 500;
 var MAX_PLAN_RUNS = 200;
 var ANONYMOUS_ACTOR = { kind: "unknown", name: "unknown" };
@@ -7390,22 +8113,6 @@ function lookupPlanStepRequest(step, synced, local) {
     linkedGlobalAssets: snapshot2.globalAssets
   };
 }
-function mergeRequestOverride(base, patch) {
-  const merged = { ...base };
-  if (patch.name !== void 0) merged.name = patch.name;
-  if (patch.method !== void 0) merged.method = patch.method;
-  if (patch.url !== void 0) merged.url = patch.url;
-  if (patch.headers !== void 0) merged.headers = patch.headers;
-  if (patch.query !== void 0) merged.query = patch.query;
-  if (patch.pathParams !== void 0) merged.pathParams = patch.pathParams;
-  if (patch.cookies !== void 0) merged.cookies = patch.cookies;
-  if (patch.body !== void 0) merged.body = patch.body;
-  if (patch.auth !== void 0) merged.auth = patch.auth;
-  if (patch.contextVars !== void 0) merged.contextVars = patch.contextVars;
-  if (patch.extractions !== void 0) merged.extractions = patch.extractions;
-  if (patch.assertions !== void 0) merged.assertions = patch.assertions;
-  return merged;
-}
 function applyEnvironmentOverrides(source, linkedWorkspaceId, synced) {
   const overrides = Object.values(synced.linkedOverrides.environmentVars).filter(
     (override) => override.linkedWorkspaceId === linkedWorkspaceId
@@ -7622,7 +8329,7 @@ function buildEnvMaps(synced, secretsById, local) {
         vars[v.key] = v.value;
       }
     }
-    flat[envPriorityKey2({ kind: "local", name })] = vars;
+    flat[envPriorityKey3({ kind: "local", name })] = vars;
   }
   if (local) {
     for (const [linkId, snapshot2] of Object.entries(local.linkedCollections)) {
@@ -7639,7 +8346,7 @@ function buildEnvMaps(synced, secretsById, local) {
             vars[variable.key] = variable.value;
           }
         }
-        flat[envPriorityKey2({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
+        flat[envPriorityKey3({ kind: "linked", linkedWorkspaceId: linkId, envName })] = vars;
       }
     }
   }
@@ -7666,7 +8373,7 @@ function resolveRequest(request, synced, plan, envRefs, globalContext, flatEnvs,
     contextVars: Object.entries(ctxMap).map(([key, value]) => ({ key, value })),
     environments: flatEnvs,
     activeEnvName: null,
-    priorityOrder: envRefs.map(envPriorityKey2),
+    priorityOrder: envRefs.map(envPriorityKey3),
     secrets: secretsByLabel
   });
   const missing = /* @__PURE__ */ new Set();
@@ -8043,31 +8750,35 @@ var TRANSFORM_FORMAT_LABELS = {
 export {
   ANONYMOUS_ACTOR,
   APICIRCLE_FOLDER_EXPORT_FORMAT,
-  ATTACHMENTS_DIR,
   DESKTOP_APP_ORIGIN,
   EMPTY_UNPUSHED_SUMMARY,
   HTTP_HEADERS_MAP,
   OAuth2TokenError,
   PlanRunDeniedError,
+  REGISTRY_JSON_PATH,
   RemoteWorkspaceParseError,
   TRANSFORM_FORMAT_LABELS,
   WORKSPACE_DIR,
-  WORKSPACE_JSON_PATH,
+  appendReleaseEntry,
   applyAuth,
   applyAwsSigV4,
   applyContentTypeForBodyType,
+  applyLinkedEnvironmentOverrides,
   applyLinkedUpdate,
   applyMerge,
   applyMutation,
   applyPathParams,
   assertNoPlaintextCredentials,
   attachmentPath,
+  attachmentsDir,
   buildAuthorizeUrl,
   buildAutoHeaders,
   buildDigestAuthHeader,
   buildHawkAuthHeader,
+  buildLinkedSnapshot,
   buildNtlmType1Negotiate,
   buildNtlmType3Authenticate,
+  buildReleaseEntry,
   buildRequest,
   buildScope,
   collectAttachmentSlots,
@@ -8081,6 +8792,7 @@ export {
   composeUrl,
   composeUrlWithQuery,
   computeCodeChallenge,
+  computeRequestOverridePatch,
   computeThreeWayDiff,
   computeTransformSavings,
   decryptString,
@@ -8093,6 +8805,7 @@ export {
   exportKey,
   extractContext,
   fetchOAuth2Token,
+  fetchRemoteWorkspaceJson,
   findPathPlaceholders,
   generateAesKey,
   generateCodeVerifier,
@@ -8110,14 +8823,18 @@ export {
   hasUnpushedChanges,
   importApicircleFolderInto,
   importKey,
+  initSecretCrypto,
   isApicircleEnvironment,
   isApicircleFolderExport,
   isDesktop,
+  isEmptyOverridePatch,
   isInsomniaExport,
   isPostmanEnvironment,
   isPostmanV2Collection,
   isValidSemver,
+  ledgerFromProbe,
   lookup,
+  mergeRequestOverride,
   mergeWithAutoHeaders,
   normalizeContentType,
   parseApicircleEnvironment,
@@ -8128,12 +8845,15 @@ export {
   parseDigestChallenge,
   parseGraphqlSchema,
   parseInsomniaCollection,
+  parseLinkedWorkspaceJson,
   parseNtlmType2Challenge,
   parsePostmanCollection,
   parsePostmanEnvironment,
+  parseRegistryActiveId,
   parseSemver,
   parseUrlQuery,
   parseWorkspaceJson,
+  plaintextEnvMap,
   pollDeviceFlow,
   preSendValidation,
   previewLinkedUpdate,
@@ -8146,6 +8866,7 @@ export {
   requestRunToExecutionResult,
   resolveInheritedAuth,
   resolvePlanRef,
+  resolveRequestForExecution,
   resolveString,
   resolveStringMap,
   runAssertions,
@@ -8167,7 +8888,9 @@ export {
   toYaml,
   tokenizeCurl,
   tryParsePayload,
+  unlockSecretCrypto,
   validateBranchName,
+  workspaceJsonPath,
   yankRelease
 };
 //# sourceMappingURL=index.js.map