@clef-sh/cli 0.1.13 → 0.1.14

package/dist/index.cjs

@@ -31,6 +31,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
   mod
 ));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // ../../node_modules/commander/lib/error.js
 var require_error = __commonJS({
@@ -965,8 +966,8 @@ var require_command = __commonJS({
   "../../node_modules/commander/lib/command.js"(exports2) {
     var EventEmitter = require("node:events").EventEmitter;
     var childProcess = require("node:child_process");
-    var path56 = require("node:path");
-    var fs35 = require("node:fs");
+    var path57 = require("node:path");
+    var fs38 = require("node:fs");
     var process2 = require("node:process");
     var { Argument: Argument2, humanReadableArgName } = require_argument();
     var { CommanderError: CommanderError2 } = require_error();
@@ -1898,11 +1899,11 @@ Expecting one of '${allowedValues.join("', '")}'`);
         let launchWithNode = false;
         const sourceExt = [".js", ".ts", ".tsx", ".mjs", ".cjs"];
         function findFile(baseDir, baseName) {
-          const localBin = path56.resolve(baseDir, baseName);
-          if (fs35.existsSync(localBin)) return localBin;
-          if (sourceExt.includes(path56.extname(baseName))) return void 0;
+          const localBin = path57.resolve(baseDir, baseName);
+          if (fs38.existsSync(localBin)) return localBin;
+          if (sourceExt.includes(path57.extname(baseName))) return void 0;
           const foundExt = sourceExt.find(
-            (ext) => fs35.existsSync(`${localBin}${ext}`)
+            (ext) => fs38.existsSync(`${localBin}${ext}`)
           );
           if (foundExt) return `${localBin}${foundExt}`;
           return void 0;
@@ -1914,21 +1915,21 @@ Expecting one of '${allowedValues.join("', '")}'`);
         if (this._scriptPath) {
           let resolvedScriptPath;
           try {
-            resolvedScriptPath = fs35.realpathSync(this._scriptPath);
+            resolvedScriptPath = fs38.realpathSync(this._scriptPath);
           } catch (err) {
             resolvedScriptPath = this._scriptPath;
           }
-          executableDir = path56.resolve(
-            path56.dirname(resolvedScriptPath),
+          executableDir = path57.resolve(
+            path57.dirname(resolvedScriptPath),
             executableDir
           );
         }
         if (executableDir) {
           let localFile = findFile(executableDir, executableFile);
           if (!localFile && !subcommand._executableFile && this._scriptPath) {
-            const legacyName = path56.basename(
+            const legacyName = path57.basename(
               this._scriptPath,
-              path56.extname(this._scriptPath)
+              path57.extname(this._scriptPath)
             );
             if (legacyName !== this._name) {
               localFile = findFile(
@@ -1939,7 +1940,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
           }
           executableFile = localFile || executableFile;
         }
-        launchWithNode = sourceExt.includes(path56.extname(executableFile));
+        launchWithNode = sourceExt.includes(path57.extname(executableFile));
         let proc;
         if (process2.platform !== "win32") {
           if (launchWithNode) {
@@ -2779,7 +2780,7 @@ Expecting one of '${allowedValues.join("', '")}'`);
        * @return {Command}
        */
       nameFromFilename(filename) {
-        this._name = path56.basename(filename, path56.extname(filename));
+        this._name = path57.basename(filename, path57.extname(filename));
         return this;
       }
       /**
@@ -2793,9 +2794,9 @@ Expecting one of '${allowedValues.join("', '")}'`);
        * @param {string} [path]
        * @return {(string|null|Command)}
        */
-      executableDir(path57) {
-        if (path57 === void 0) return this._executableDir;
-        this._executableDir = path57;
+      executableDir(path58) {
+        if (path58 === void 0) return this._executableDir;
+        this._executableDir = path58;
         return this;
       }
       /**
@@ -3102,17 +3103,17 @@ var require_visit = __commonJS({
     visit.BREAK = BREAK;
     visit.SKIP = SKIP;
     visit.REMOVE = REMOVE;
-    function visit_(key, node2, visitor, path56) {
-      const ctrl = callVisitor(key, node2, visitor, path56);
+    function visit_(key, node2, visitor, path57) {
+      const ctrl = callVisitor(key, node2, visitor, path57);
       if (identity.isNode(ctrl) || identity.isPair(ctrl)) {
-        replaceNode(key, path56, ctrl);
-        return visit_(key, ctrl, visitor, path56);
+        replaceNode(key, path57, ctrl);
+        return visit_(key, ctrl, visitor, path57);
       }
       if (typeof ctrl !== "symbol") {
         if (identity.isCollection(node2)) {
-          path56 = Object.freeze(path56.concat(node2));
+          path57 = Object.freeze(path57.concat(node2));
           for (let i = 0; i < node2.items.length; ++i) {
-            const ci = visit_(i, node2.items[i], visitor, path56);
+            const ci = visit_(i, node2.items[i], visitor, path57);
             if (typeof ci === "number")
               i = ci - 1;
             else if (ci === BREAK)
@@ -3123,13 +3124,13 @@ var require_visit = __commonJS({
             }
           }
         } else if (identity.isPair(node2)) {
-          path56 = Object.freeze(path56.concat(node2));
-          const ck = visit_("key", node2.key, visitor, path56);
+          path57 = Object.freeze(path57.concat(node2));
+          const ck = visit_("key", node2.key, visitor, path57);
           if (ck === BREAK)
             return BREAK;
           else if (ck === REMOVE)
             node2.key = null;
-          const cv = visit_("value", node2.value, visitor, path56);
+          const cv = visit_("value", node2.value, visitor, path57);
           if (cv === BREAK)
             return BREAK;
           else if (cv === REMOVE)
@@ -3150,17 +3151,17 @@ var require_visit = __commonJS({
     visitAsync.BREAK = BREAK;
     visitAsync.SKIP = SKIP;
     visitAsync.REMOVE = REMOVE;
-    async function visitAsync_(key, node2, visitor, path56) {
-      const ctrl = await callVisitor(key, node2, visitor, path56);
+    async function visitAsync_(key, node2, visitor, path57) {
+      const ctrl = await callVisitor(key, node2, visitor, path57);
       if (identity.isNode(ctrl) || identity.isPair(ctrl)) {
-        replaceNode(key, path56, ctrl);
-        return visitAsync_(key, ctrl, visitor, path56);
+        replaceNode(key, path57, ctrl);
+        return visitAsync_(key, ctrl, visitor, path57);
       }
       if (typeof ctrl !== "symbol") {
         if (identity.isCollection(node2)) {
-          path56 = Object.freeze(path56.concat(node2));
+          path57 = Object.freeze(path57.concat(node2));
           for (let i = 0; i < node2.items.length; ++i) {
-            const ci = await visitAsync_(i, node2.items[i], visitor, path56);
+            const ci = await visitAsync_(i, node2.items[i], visitor, path57);
             if (typeof ci === "number")
               i = ci - 1;
             else if (ci === BREAK)
@@ -3171,13 +3172,13 @@ var require_visit = __commonJS({
             }
           }
         } else if (identity.isPair(node2)) {
-          path56 = Object.freeze(path56.concat(node2));
-          const ck = await visitAsync_("key", node2.key, visitor, path56);
+          path57 = Object.freeze(path57.concat(node2));
+          const ck = await visitAsync_("key", node2.key, visitor, path57);
           if (ck === BREAK)
             return BREAK;
           else if (ck === REMOVE)
             node2.key = null;
-          const cv = await visitAsync_("value", node2.value, visitor, path56);
+          const cv = await visitAsync_("value", node2.value, visitor, path57);
           if (cv === BREAK)
             return BREAK;
           else if (cv === REMOVE)
@@ -3204,23 +3205,23 @@ var require_visit = __commonJS({
       }
       return visitor;
     }
-    function callVisitor(key, node2, visitor, path56) {
+    function callVisitor(key, node2, visitor, path57) {
       if (typeof visitor === "function")
-        return visitor(key, node2, path56);
+        return visitor(key, node2, path57);
       if (identity.isMap(node2))
-        return visitor.Map?.(key, node2, path56);
+        return visitor.Map?.(key, node2, path57);
       if (identity.isSeq(node2))
-        return visitor.Seq?.(key, node2, path56);
+        return visitor.Seq?.(key, node2, path57);
       if (identity.isPair(node2))
-        return visitor.Pair?.(key, node2, path56);
+        return visitor.Pair?.(key, node2, path57);
       if (identity.isScalar(node2))
-        return visitor.Scalar?.(key, node2, path56);
+        return visitor.Scalar?.(key, node2, path57);
       if (identity.isAlias(node2))
-        return visitor.Alias?.(key, node2, path56);
+        return visitor.Alias?.(key, node2, path57);
       return void 0;
     }
-    function replaceNode(key, path56, node2) {
-      const parent = path56[path56.length - 1];
+    function replaceNode(key, path57, node2) {
+      const parent = path57[path57.length - 1];
       if (identity.isCollection(parent)) {
         parent.items[key] = node2;
       } else if (identity.isPair(parent)) {
@@ -3828,10 +3829,10 @@ var require_Collection = __commonJS({
     var createNode = require_createNode();
     var identity = require_identity();
     var Node = require_Node();
-    function collectionFromPath(schema, path56, value) {
+    function collectionFromPath(schema, path57, value) {
       let v = value;
-      for (let i = path56.length - 1; i >= 0; --i) {
-        const k = path56[i];
+      for (let i = path57.length - 1; i >= 0; --i) {
+        const k = path57[i];
         if (typeof k === "number" && Number.isInteger(k) && k >= 0) {
           const a = [];
           a[k] = v;
@@ -3850,7 +3851,7 @@ var require_Collection = __commonJS({
         sourceObjects: /* @__PURE__ */ new Map()
       });
     }
-    var isEmptyPath = (path56) => path56 == null || typeof path56 === "object" && !!path56[Symbol.iterator]().next().done;
+    var isEmptyPath = (path57) => path57 == null || typeof path57 === "object" && !!path57[Symbol.iterator]().next().done;
     var Collection = class extends Node.NodeBase {
       constructor(type, schema) {
         super(type);
@@ -3880,11 +3881,11 @@ var require_Collection = __commonJS({
        * be a Pair instance or a `{ key, value }` object, which may not have a key
        * that already exists in the map.
        */
-      addIn(path56, value) {
-        if (isEmptyPath(path56))
+      addIn(path57, value) {
+        if (isEmptyPath(path57))
           this.add(value);
         else {
-          const [key, ...rest] = path56;
+          const [key, ...rest] = path57;
           const node2 = this.get(key, true);
           if (identity.isCollection(node2))
             node2.addIn(rest, value);
@@ -3898,8 +3899,8 @@ var require_Collection = __commonJS({
        * Removes a value from the collection.
        * @returns `true` if the item was found and removed.
        */
-      deleteIn(path56) {
-        const [key, ...rest] = path56;
+      deleteIn(path57) {
+        const [key, ...rest] = path57;
         if (rest.length === 0)
           return this.delete(key);
         const node2 = this.get(key, true);
@@ -3913,8 +3914,8 @@ var require_Collection = __commonJS({
        * scalar values from their surrounding node; to disable set `keepScalar` to
        * `true` (collections are always returned intact).
        */
-      getIn(path56, keepScalar) {
-        const [key, ...rest] = path56;
+      getIn(path57, keepScalar) {
+        const [key, ...rest] = path57;
         const node2 = this.get(key, true);
         if (rest.length === 0)
           return !keepScalar && identity.isScalar(node2) ? node2.value : node2;
@@ -3932,8 +3933,8 @@ var require_Collection = __commonJS({
       /**
        * Checks if the collection includes a value with the key `key`.
        */
-      hasIn(path56) {
-        const [key, ...rest] = path56;
+      hasIn(path57) {
+        const [key, ...rest] = path57;
         if (rest.length === 0)
           return this.has(key);
         const node2 = this.get(key, true);
@@ -3943,8 +3944,8 @@ var require_Collection = __commonJS({
        * Sets a value in this collection. For `!!set`, `value` needs to be a
        * boolean to add/remove the item from the set.
        */
-      setIn(path56, value) {
-        const [key, ...rest] = path56;
+      setIn(path57, value) {
+        const [key, ...rest] = path57;
         if (rest.length === 0) {
           this.set(key, value);
         } else {
@@ -6456,9 +6457,9 @@ var require_Document = __commonJS({
           this.contents.add(value);
       }
       /** Adds a value to the document. */
-      addIn(path56, value) {
+      addIn(path57, value) {
         if (assertCollection(this.contents))
-          this.contents.addIn(path56, value);
+          this.contents.addIn(path57, value);
       }
       /**
        * Create a new `Alias` node, ensuring that the target `node` has the required anchor.
@@ -6533,14 +6534,14 @@ var require_Document = __commonJS({
        * Removes a value from the document.
        * @returns `true` if the item was found and removed.
        */
-      deleteIn(path56) {
-        if (Collection.isEmptyPath(path56)) {
+      deleteIn(path57) {
+        if (Collection.isEmptyPath(path57)) {
           if (this.contents == null)
             return false;
           this.contents = null;
           return true;
         }
-        return assertCollection(this.contents) ? this.contents.deleteIn(path56) : false;
+        return assertCollection(this.contents) ? this.contents.deleteIn(path57) : false;
       }
       /**
        * Returns item at `key`, or `undefined` if not found. By default unwraps
@@ -6555,10 +6556,10 @@ var require_Document = __commonJS({
        * scalar values from their surrounding node; to disable set `keepScalar` to
        * `true` (collections are always returned intact).
        */
-      getIn(path56, keepScalar) {
-        if (Collection.isEmptyPath(path56))
+      getIn(path57, keepScalar) {
+        if (Collection.isEmptyPath(path57))
           return !keepScalar && identity.isScalar(this.contents) ? this.contents.value : this.contents;
-        return identity.isCollection(this.contents) ? this.contents.getIn(path56, keepScalar) : void 0;
+        return identity.isCollection(this.contents) ? this.contents.getIn(path57, keepScalar) : void 0;
       }
       /**
        * Checks if the document includes a value with the key `key`.
@@ -6569,10 +6570,10 @@ var require_Document = __commonJS({
       /**
        * Checks if the document includes a value at `path`.
        */
-      hasIn(path56) {
-        if (Collection.isEmptyPath(path56))
+      hasIn(path57) {
+        if (Collection.isEmptyPath(path57))
           return this.contents !== void 0;
-        return identity.isCollection(this.contents) ? this.contents.hasIn(path56) : false;
+        return identity.isCollection(this.contents) ? this.contents.hasIn(path57) : false;
       }
       /**
        * Sets a value in this document. For `!!set`, `value` needs to be a
@@ -6589,13 +6590,13 @@ var require_Document = __commonJS({
        * Sets a value in this document. For `!!set`, `value` needs to be a
        * boolean to add/remove the item from the set.
        */
-      setIn(path56, value) {
-        if (Collection.isEmptyPath(path56)) {
+      setIn(path57, value) {
+        if (Collection.isEmptyPath(path57)) {
           this.contents = value;
         } else if (this.contents == null) {
-          this.contents = Collection.collectionFromPath(this.schema, Array.from(path56), value);
+          this.contents = Collection.collectionFromPath(this.schema, Array.from(path57), value);
         } else if (assertCollection(this.contents)) {
-          this.contents.setIn(path56, value);
+          this.contents.setIn(path57, value);
         }
       }
       /**
@@ -8552,9 +8553,9 @@ var require_cst_visit = __commonJS({
     visit.BREAK = BREAK;
     visit.SKIP = SKIP;
     visit.REMOVE = REMOVE;
-    visit.itemAtPath = (cst, path56) => {
+    visit.itemAtPath = (cst, path57) => {
       let item = cst;
-      for (const [field, index] of path56) {
+      for (const [field, index] of path57) {
         const tok = item?.[field];
         if (tok && "items" in tok) {
           item = tok.items[index];
@@ -8563,23 +8564,23 @@ var require_cst_visit = __commonJS({
       }
       return item;
     };
-    visit.parentCollection = (cst, path56) => {
-      const parent = visit.itemAtPath(cst, path56.slice(0, -1));
-      const field = path56[path56.length - 1][0];
+    visit.parentCollection = (cst, path57) => {
+      const parent = visit.itemAtPath(cst, path57.slice(0, -1));
+      const field = path57[path57.length - 1][0];
       const coll = parent?.[field];
       if (coll && "items" in coll)
         return coll;
       throw new Error("Parent collection not found");
     };
-    function _visit(path56, item, visitor) {
-      let ctrl = visitor(item, path56);
+    function _visit(path57, item, visitor) {
+      let ctrl = visitor(item, path57);
       if (typeof ctrl === "symbol")
         return ctrl;
       for (const field of ["key", "value"]) {
         const token = item[field];
         if (token && "items" in token) {
           for (let i = 0; i < token.items.length; ++i) {
-            const ci = _visit(Object.freeze(path56.concat([[field, i]])), token.items[i], visitor);
+            const ci = _visit(Object.freeze(path57.concat([[field, i]])), token.items[i], visitor);
             if (typeof ci === "number")
               i = ci - 1;
             else if (ci === BREAK)
@@ -8590,10 +8591,10 @@ var require_cst_visit = __commonJS({
             }
           }
           if (typeof ctrl === "function" && field === "key")
-            ctrl = ctrl(item, path56);
+            ctrl = ctrl(item, path57);
         }
       }
-      return typeof ctrl === "function" ? ctrl(item, path56) : ctrl;
+      return typeof ctrl === "function" ? ctrl(item, path57) : ctrl;
     }
     exports2.visit = visit;
   }
@@ -9878,14 +9879,14 @@ var require_parser = __commonJS({
             case "scalar":
             case "single-quoted-scalar":
             case "double-quoted-scalar": {
-              const fs35 = this.flowScalar(this.type);
+              const fs38 = this.flowScalar(this.type);
               if (atNextItem || it.value) {
-                map.items.push({ start, key: fs35, sep: [] });
+                map.items.push({ start, key: fs38, sep: [] });
                 this.onKeyLine = true;
               } else if (it.sep) {
-                this.stack.push(fs35);
+                this.stack.push(fs38);
               } else {
-                Object.assign(it, { key: fs35, sep: [] });
+                Object.assign(it, { key: fs38, sep: [] });
                 this.onKeyLine = true;
               }
               return;
@@ -10013,13 +10014,13 @@ var require_parser = __commonJS({
             case "scalar":
             case "single-quoted-scalar":
             case "double-quoted-scalar": {
-              const fs35 = this.flowScalar(this.type);
+              const fs38 = this.flowScalar(this.type);
               if (!it || it.value)
-                fc.items.push({ start: [], key: fs35, sep: [] });
+                fc.items.push({ start: [], key: fs38, sep: [] });
               else if (it.sep)
-                this.stack.push(fs35);
+                this.stack.push(fs38);
               else
-                Object.assign(it, { key: fs35, sep: [] });
+                Object.assign(it, { key: fs38, sep: [] });
               return;
             }
             case "flow-map-end":
@@ -12490,7 +12491,7 @@ var require_age_encryption = __commonJS({
       }
       return to;
     };
-    var __toCommonJS = (mod3) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod3);
+    var __toCommonJS2 = (mod3) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod3);
     var stdin_exports = {};
     __export2(stdin_exports, {
       Decrypter: () => Decrypter,
@@ -12503,7 +12504,7 @@ var require_age_encryption = __commonJS({
       identityToRecipient: () => identityToRecipient,
       webauthn: () => webauthn_exports
     });
-    module2.exports = __toCommonJS(stdin_exports);
+    module2.exports = __toCommonJS2(stdin_exports);
     function isBytes(a) {
       return a instanceof Uint8Array || ArrayBuffer.isView(a) && a.constructor.name === "Uint8Array";
     }
@@ -13049,7 +13050,7 @@ var require_age_encryption = __commonJS({
       };
     }
     // @__NO_SIDE_EFFECTS__
-    function join51(separator = "") {
+    function join52(separator = "") {
       astr("join", separator);
       return {
         encode: (from) => {
@@ -13179,9 +13180,9 @@ var require_age_encryption = __commonJS({
       decode(s) {
         return decodeBase64Builtin(s, false);
       }
-    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join51(""));
-    var base64nopad = /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join51(""));
-    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join51(""));
+    } : /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ padding(6), /* @__PURE__ */ join52(""));
+    var base64nopad = /* @__PURE__ */ chain(/* @__PURE__ */ radix2(6), /* @__PURE__ */ alphabet("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"), /* @__PURE__ */ join52(""));
+    var BECH_ALPHABET = /* @__PURE__ */ chain(/* @__PURE__ */ alphabet("qpzry9x8gf2tvdw0s3jn54khce6mua7l"), /* @__PURE__ */ join52(""));
     var POLYMOD_GENERATORS = [996825010, 642813549, 513874426, 1027748829, 705979059];
     function bech32Polymod(pre) {
       const b = pre >> 25;
@@ -16080,7 +16081,7 @@ var require_age_encryption = __commonJS({
         const sig = drbg(seed, k2sig);
         return sig.toBytes(opts2.format);
       }
-      function verify2(signature, message, publicKey, opts2 = {}) {
+      function verify3(signature, message, publicKey, opts2 = {}) {
         const { lowS, prehash, format } = validateSigOpts(opts2, defaultSigOpts);
         publicKey = abytes4(publicKey, void 0, "publicKey");
         message = validateMsgAndHash(message, prehash);
@@ -16121,7 +16122,7 @@ var require_age_encryption = __commonJS({
         lengths,
         Point,
         sign: sign2,
-        verify: verify2,
+        verify: verify3,
         recoverPublicKey,
         Signature,
         hash
@@ -20710,15 +20711,15 @@ function saveRequests(repoRoot, requests) {
 function upsertRequest(repoRoot, key, label, environment) {
   const requests = loadRequests(repoRoot);
   const now = /* @__PURE__ */ new Date();
-  const request = { key, label, requestedAt: now, environment };
+  const request2 = { key, label, requestedAt: now, environment };
   const existingIndex = requests.findIndex((r) => r.key === key);
   if (existingIndex >= 0) {
-    requests[existingIndex] = request;
+    requests[existingIndex] = request2;
   } else {
-    requests.push(request);
+    requests.push(request2);
   }
   saveRequests(repoRoot, requests);
-  return request;
+  return request2;
 }
 function removeRequest(repoRoot, identifier) {
   const requests = loadRequests(repoRoot);
@@ -31230,11 +31231,11 @@ var require_mime_types = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path56) {
-      if (!path56 || typeof path56 !== "string") {
+    function lookup(path57) {
+      if (!path57 || typeof path57 !== "string") {
         return false;
       }
-      var extension2 = extname3("x." + path56).toLowerCase().substr(1);
+      var extension2 = extname3("x." + path57).toLowerCase().substr(1);
       if (!extension2) {
         return false;
       }
@@ -32339,13 +32340,13 @@ var require_form_data = __commonJS({
     "use strict";
     var CombinedStream = require_combined_stream();
     var util = require("util");
-    var path56 = require("path");
+    var path57 = require("path");
     var http = require("http");
     var https = require("https");
     var parseUrl = require("url").parse;
-    var fs35 = require("fs");
+    var fs38 = require("fs");
     var Stream = require("stream").Stream;
-    var crypto6 = require("crypto");
+    var crypto10 = require("crypto");
     var mime = require_mime_types();
     var asynckit = require_asynckit();
     var setToStringTag = require_es_set_tostringtag();
@@ -32410,7 +32411,7 @@ var require_form_data = __commonJS({
         if (value.end != void 0 && value.end != Infinity && value.start != void 0) {
           callback(null, value.end + 1 - (value.start ? value.start : 0));
         } else {
-          fs35.stat(value.path, function(err, stat) {
+          fs38.stat(value.path, function(err, stat) {
             if (err) {
               callback(err);
               return;
@@ -32467,11 +32468,11 @@ var require_form_data = __commonJS({
     FormData2.prototype._getContentDisposition = function(value, options) {
       var filename;
       if (typeof options.filepath === "string") {
-        filename = path56.normalize(options.filepath).replace(/\\/g, "/");
+        filename = path57.normalize(options.filepath).replace(/\\/g, "/");
       } else if (options.filename || value && (value.name || value.path)) {
-        filename = path56.basename(options.filename || value && (value.name || value.path));
+        filename = path57.basename(options.filename || value && (value.name || value.path));
       } else if (value && value.readable && hasOwn(value, "httpVersion")) {
-        filename = path56.basename(value.client._httpMessage.path || "");
+        filename = path57.basename(value.client._httpMessage.path || "");
       }
       if (filename) {
         return 'filename="' + filename + '"';
@@ -32551,7 +32552,7 @@ var require_form_data = __commonJS({
       return Buffer.concat([dataBuffer, Buffer.from(this._lastBoundary())]);
     };
     FormData2.prototype._generateBoundary = function() {
-      this._boundary = "--------------------------" + crypto6.randomBytes(12).toString("hex");
+      this._boundary = "--------------------------" + crypto10.randomBytes(12).toString("hex");
     };
     FormData2.prototype.getLengthSync = function() {
       var knownLength = this._overheadLength + this._valueLength;
@@ -32591,7 +32592,7 @@ var require_form_data = __commonJS({
       });
     };
     FormData2.prototype.submit = function(params, cb) {
-      var request;
+      var request2;
       var options;
       var defaults = { method: "post" };
       if (typeof params === "string") {
@@ -32610,9 +32611,9 @@ var require_form_data = __commonJS({
       }
       options.headers = this.getHeaders(params.headers);
       if (options.protocol === "https:") {
-        request = https.request(options);
+        request2 = https.request(options);
       } else {
-        request = http.request(options);
+        request2 = http.request(options);
       }
       this.getLength(function(err, length) {
         if (err && err !== "Unknown stream") {
@@ -32620,22 +32621,22 @@ var require_form_data = __commonJS({
           return;
         }
         if (length) {
-          request.setHeader("Content-Length", length);
+          request2.setHeader("Content-Length", length);
         }
-        this.pipe(request);
+        this.pipe(request2);
         if (cb) {
           var onResponse;
           var callback = function(error, responce) {
-            request.removeListener("error", callback);
-            request.removeListener("response", onResponse);
+            request2.removeListener("error", callback);
+            request2.removeListener("response", onResponse);
             return cb.call(this, error, responce);
           };
           onResponse = callback.bind(this, null);
-          request.on("error", callback);
-          request.on("response", onResponse);
+          request2.on("error", callback);
+          request2.on("response", onResponse);
         }
       }.bind(this));
-      return request;
+      return request2;
     };
     FormData2.prototype._error = function(err) {
       if (!this.error) {
@@ -33235,7 +33236,7 @@ var require_node = __commonJS({
   "../../node_modules/debug/src/node.js"(exports2, module2) {
     var tty = require("tty");
     var util = require("util");
-    exports2.init = init;
+    exports2.init = init2;
     exports2.log = log;
     exports2.formatArgs = formatArgs;
     exports2.save = save;
@@ -33384,7 +33385,7 @@ var require_node = __commonJS({
     function load() {
       return process.env.DEBUG;
     }
-    function init(debug) {
+    function init2(debug) {
       debug.inspectOpts = {};
       const keys = Object.keys(exports2.inspectOpts);
       for (let i = 0; i < keys.length; i++) {
@@ -33686,10 +33687,10 @@ var require_follow_redirects = __commonJS({
         var scheme = protocol.slice(0, -1);
         this._options.agent = this._options.agents[scheme];
       }
-      var request = this._currentRequest = nativeProtocol.request(this._options, this._onNativeResponse);
-      request._redirectable = this;
+      var request2 = this._currentRequest = nativeProtocol.request(this._options, this._onNativeResponse);
+      request2._redirectable = this;
       for (var event of events) {
-        request.on(event, eventHandlers[event]);
+        request2.on(event, eventHandlers[event]);
       }
       this._currentUrl = /^\//.test(this._options.path) ? url.format(this._options) : (
         // When making a request to a proxy, […]
@@ -33701,16 +33702,16 @@ var require_follow_redirects = __commonJS({
         var self2 = this;
         var buffers = this._requestBodyBuffers;
         (function writeNext(error) {
-          if (request === self2._currentRequest) {
+          if (request2 === self2._currentRequest) {
             if (error) {
               self2.emit("error", error);
             } else if (i < buffers.length) {
               var buffer = buffers[i++];
-              if (!request.finished) {
-                request.write(buffer.data, buffer.encoding, writeNext);
+              if (!request2.finished) {
+                request2.write(buffer.data, buffer.encoding, writeNext);
               }
             } else if (self2._ended) {
-              request.end();
+              request2.end();
             }
           }
         })();
@@ -33792,7 +33793,7 @@ var require_follow_redirects = __commonJS({
         var protocol = scheme + ":";
         var nativeProtocol = nativeProtocols[protocol] = protocols[scheme];
         var wrappedProtocol = exports3[scheme] = Object.create(nativeProtocol);
-        function request(input, options, callback) {
+        function request2(input, options, callback) {
           if (isURL(input)) {
             input = spreadUrlObject(input);
           } else if (isString(input)) {
@@ -33824,7 +33825,7 @@ var require_follow_redirects = __commonJS({
           return wrappedRequest;
         }
         Object.defineProperties(wrappedProtocol, {
-          request: { value: request, configurable: true, enumerable: true, writable: true },
+          request: { value: request2, configurable: true, enumerable: true, writable: true },
           get: { value: get, configurable: true, enumerable: true, writable: true }
         });
       });
@@ -33902,12 +33903,12 @@ var require_follow_redirects = __commonJS({
       });
       return CustomError;
     }
-    function destroyRequest(request, error) {
+    function destroyRequest(request2, error) {
       for (var event of events) {
-        request.removeListener(event, eventHandlers[event]);
+        request2.removeListener(event, eventHandlers[event]);
       }
-      request.on("error", noop);
-      request.destroy(error);
+      request2.on("error", noop);
+      request2.destroy(error);
     }
     function isSubdomain(subdomain, domain) {
       assert2(isString(subdomain) && isString(domain));
@@ -33936,7 +33937,7 @@ var require_axios = __commonJS({
   "../../node_modules/axios/dist/node/axios.cjs"(exports2, module2) {
     "use strict";
     var FormData$1 = require_form_data();
-    var crypto6 = require("crypto");
+    var crypto10 = require("crypto");
     var url = require("url");
     var http = require("http");
     var https = require("https");
@@ -34387,8 +34388,8 @@ var require_axios = __commonJS({
       isIterable
     };
     var AxiosError = class _AxiosError extends Error {
-      static from(error, code, config, request, response, customProps) {
-        const axiosError = new _AxiosError(error.message, code || error.code, config, request, response);
+      static from(error, code, config, request2, response, customProps) {
+        const axiosError = new _AxiosError(error.message, code || error.code, config, request2, response);
         axiosError.cause = error;
         axiosError.name = error.name;
         if (error.status != null && axiosError.status == null) {
@@ -34408,7 +34409,7 @@ var require_axios = __commonJS({
        *
        * @returns {Error} The created error.
        */
-      constructor(message, code, config, request, response) {
+      constructor(message, code, config, request2, response) {
         super(message);
         Object.defineProperty(this, "message", {
           value: message,
@@ -34420,7 +34421,7 @@ var require_axios = __commonJS({
         this.isAxiosError = true;
         code && (this.code = code);
         config && (this.config = config);
-        request && (this.request = request);
+        request2 && (this.request = request2);
         if (response) {
           this.response = response;
           this.status = response.status;
@@ -34464,9 +34465,9 @@ var require_axios = __commonJS({
     function removeBrackets(key) {
       return utils$1.endsWith(key, "[]") ? key.slice(0, -2) : key;
     }
-    function renderKey(path56, key, dots) {
-      if (!path56) return key;
-      return path56.concat(key).map(function each(token, i) {
+    function renderKey(path57, key, dots) {
+      if (!path57) return key;
+      return path57.concat(key).map(function each(token, i) {
         token = removeBrackets(token);
         return !dots && i ? "[" + token + "]" : token;
       }).join(dots ? "." : "");
@@ -34514,13 +34515,13 @@ var require_axios = __commonJS({
         }
         return value;
       }
-      function defaultVisitor(value, key, path56) {
+      function defaultVisitor(value, key, path57) {
         let arr = value;
         if (utils$1.isReactNative(formData) && utils$1.isReactNativeBlob(value)) {
-          formData.append(renderKey(path56, key, dots), convertValue(value));
+          formData.append(renderKey(path57, key, dots), convertValue(value));
           return false;
         }
-        if (value && !path56 && typeof value === "object") {
+        if (value && !path57 && typeof value === "object") {
           if (utils$1.endsWith(key, "{}")) {
             key = metaTokens ? key : key.slice(0, -2);
             value = JSON.stringify(value);
@@ -34539,7 +34540,7 @@ var require_axios = __commonJS({
         if (isVisitable(value)) {
           return true;
         }
-        formData.append(renderKey(path56, key, dots), convertValue(value));
+        formData.append(renderKey(path57, key, dots), convertValue(value));
         return false;
       }
       const stack = [];
@@ -34548,16 +34549,16 @@ var require_axios = __commonJS({
         convertValue,
         isVisitable
       });
-      function build(value, path56) {
+      function build(value, path57) {
         if (utils$1.isUndefined(value)) return;
         if (stack.indexOf(value) !== -1) {
-          throw Error("Circular reference detected in " + path56.join("."));
+          throw Error("Circular reference detected in " + path57.join("."));
         }
         stack.push(value);
         utils$1.forEach(value, function each(el, key) {
-          const result = !(utils$1.isUndefined(el) || el === null) && visitor.call(formData, el, utils$1.isString(key) ? key.trim() : key, path56, exposedHelpers);
+          const result = !(utils$1.isUndefined(el) || el === null) && visitor.call(formData, el, utils$1.isString(key) ? key.trim() : key, path57, exposedHelpers);
           if (result === true) {
-            build(el, path56 ? path56.concat(key) : [key]);
+            build(el, path57 ? path57.concat(key) : [key]);
           }
         });
         stack.pop();
@@ -34707,7 +34708,7 @@ var require_axios = __commonJS({
         length
       } = alphabet;
       const randomValues = new Uint32Array(size);
-      crypto6.randomFillSync(randomValues);
+      crypto10.randomFillSync(randomValues);
       for (let i = 0; i < size; i++) {
         str2 += alphabet[randomValues[i] % length];
       }
@@ -34746,7 +34747,7 @@ var require_axios = __commonJS({
     };
     function toURLEncodedForm(data, options) {
       return toFormData(data, new platform.classes.URLSearchParams(), {
-        visitor: function(value, key, path56, helpers) {
+        visitor: function(value, key, path57, helpers) {
           if (platform.isNode && utils$1.isBuffer(value)) {
             this.append(key, value.toString("base64"));
             return false;
@@ -34774,11 +34775,11 @@ var require_axios = __commonJS({
       return obj;
     }
     function formDataToJSON(formData) {
-      function buildPath(path56, value, target, index) {
-        let name = path56[index++];
+      function buildPath(path57, value, target, index) {
+        let name = path57[index++];
         if (name === "__proto__") return true;
         const isNumericKey = Number.isFinite(+name);
-        const isLast = index >= path56.length;
+        const isLast = index >= path57.length;
         name = !name && utils$1.isArray(target) ? target.length : name;
         if (isLast) {
           if (utils$1.hasOwnProp(target, name)) {
@@ -34791,7 +34792,7 @@ var require_axios = __commonJS({
         if (!target[name] || !utils$1.isObject(target[name])) {
           target[name] = [];
         }
-        const result = buildPath(path56, value, target[name], index);
+        const result = buildPath(path57, value, target[name], index);
         if (result && utils$1.isArray(target[name])) {
           target[name] = arrayToObject(target[name]);
         }
@@ -35187,8 +35188,8 @@ var require_axios = __commonJS({
        *
        * @returns {CanceledError} The created error.
        */
-      constructor(message, config, request) {
-        super(message == null ? "canceled" : message, AxiosError.ERR_CANCELED, config, request);
+      constructor(message, config, request2) {
+        super(message == null ? "canceled" : message, AxiosError.ERR_CANCELED, config, request2);
         this.name = "CanceledError";
         this.__CANCEL__ = true;
       }
@@ -36109,9 +36110,9 @@ var require_axios = __commonJS({
           auth = urlUsername + ":" + urlPassword;
         }
         auth && headers.delete("authorization");
-        let path56;
+        let path57;
         try {
-          path56 = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, "");
+          path57 = buildURL(parsed.pathname + parsed.search, config.params, config.paramsSerializer).replace(/^\?/, "");
         } catch (err) {
           const customErr = new Error(err.message);
           customErr.config = config;
@@ -36121,7 +36122,7 @@ var require_axios = __commonJS({
         }
         headers.set("Accept-Encoding", "gzip, compress, deflate" + (isBrotliSupported ? ", br" : ""), false);
         const options = {
-          path: path56,
+          path: path57,
           method,
           headers: headers.toJSON(),
           agents: {
@@ -36327,14 +36328,14 @@ var require_axios = __commonJS({
     var cookies = platform.hasStandardBrowserEnv ? (
       // Standard browser envs support document.cookie
       {
-        write(name, value, expires, path56, domain, secure, sameSite) {
+        write(name, value, expires, path57, domain, secure, sameSite) {
           if (typeof document === "undefined") return;
           const cookie = [`${name}=${encodeURIComponent(value)}`];
           if (utils$1.isNumber(expires)) {
             cookie.push(`expires=${new Date(expires).toUTCString()}`);
           }
-          if (utils$1.isString(path56)) {
-            cookie.push(`path=${path56}`);
+          if (utils$1.isString(path57)) {
+            cookie.push(`path=${path57}`);
           }
           if (utils$1.isString(domain)) {
             cookie.push(`domain=${domain}`);
@@ -36513,22 +36514,22 @@ var require_axios = __commonJS({
           _config.cancelToken && _config.cancelToken.unsubscribe(onCanceled);
           _config.signal && _config.signal.removeEventListener("abort", onCanceled);
         }
-        let request = new XMLHttpRequest();
-        request.open(_config.method.toUpperCase(), _config.url, true);
-        request.timeout = _config.timeout;
+        let request2 = new XMLHttpRequest();
+        request2.open(_config.method.toUpperCase(), _config.url, true);
+        request2.timeout = _config.timeout;
         function onloadend() {
-          if (!request) {
+          if (!request2) {
             return;
           }
-          const responseHeaders = AxiosHeaders.from("getAllResponseHeaders" in request && request.getAllResponseHeaders());
-          const responseData = !responseType || responseType === "text" || responseType === "json" ? request.responseText : request.response;
+          const responseHeaders = AxiosHeaders.from("getAllResponseHeaders" in request2 && request2.getAllResponseHeaders());
+          const responseData = !responseType || responseType === "text" || responseType === "json" ? request2.responseText : request2.response;
           const response = {
             data: responseData,
-            status: request.status,
-            statusText: request.statusText,
+            status: request2.status,
+            statusText: request2.statusText,
             headers: responseHeaders,
             config,
-            request
+            request: request2
           };
           settle(function _resolve(value) {
             resolve7(value);
@@ -36537,73 +36538,73 @@ var require_axios = __commonJS({
             reject(err);
             done();
           }, response);
-          request = null;
+          request2 = null;
         }
-        if ("onloadend" in request) {
-          request.onloadend = onloadend;
+        if ("onloadend" in request2) {
+          request2.onloadend = onloadend;
         } else {
-          request.onreadystatechange = function handleLoad() {
-            if (!request || request.readyState !== 4) {
+          request2.onreadystatechange = function handleLoad() {
+            if (!request2 || request2.readyState !== 4) {
               return;
             }
-            if (request.status === 0 && !(request.responseURL && request.responseURL.indexOf("file:") === 0)) {
+            if (request2.status === 0 && !(request2.responseURL && request2.responseURL.indexOf("file:") === 0)) {
               return;
             }
             setTimeout(onloadend);
           };
         }
-        request.onabort = function handleAbort() {
-          if (!request) {
+        request2.onabort = function handleAbort() {
+          if (!request2) {
             return;
           }
-          reject(new AxiosError("Request aborted", AxiosError.ECONNABORTED, config, request));
-          request = null;
+          reject(new AxiosError("Request aborted", AxiosError.ECONNABORTED, config, request2));
+          request2 = null;
         };
-        request.onerror = function handleError(event) {
+        request2.onerror = function handleError(event) {
           const msg = event && event.message ? event.message : "Network Error";
-          const err = new AxiosError(msg, AxiosError.ERR_NETWORK, config, request);
+          const err = new AxiosError(msg, AxiosError.ERR_NETWORK, config, request2);
           err.event = event || null;
           reject(err);
-          request = null;
+          request2 = null;
         };
-        request.ontimeout = function handleTimeout() {
+        request2.ontimeout = function handleTimeout() {
           let timeoutErrorMessage = _config.timeout ? "timeout of " + _config.timeout + "ms exceeded" : "timeout exceeded";
           const transitional = _config.transitional || transitionalDefaults;
           if (_config.timeoutErrorMessage) {
             timeoutErrorMessage = _config.timeoutErrorMessage;
           }
-          reject(new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, request));
-          request = null;
+          reject(new AxiosError(timeoutErrorMessage, transitional.clarifyTimeoutError ? AxiosError.ETIMEDOUT : AxiosError.ECONNABORTED, config, request2));
+          request2 = null;
         };
         requestData === void 0 && requestHeaders.setContentType(null);
-        if ("setRequestHeader" in request) {
+        if ("setRequestHeader" in request2) {
           utils$1.forEach(requestHeaders.toJSON(), function setRequestHeader(val, key) {
-            request.setRequestHeader(key, val);
+            request2.setRequestHeader(key, val);
           });
         }
         if (!utils$1.isUndefined(_config.withCredentials)) {
-          request.withCredentials = !!_config.withCredentials;
+          request2.withCredentials = !!_config.withCredentials;
         }
         if (responseType && responseType !== "json") {
-          request.responseType = _config.responseType;
+          request2.responseType = _config.responseType;
         }
         if (onDownloadProgress) {
           [downloadThrottled, flushDownload] = progressEventReducer(onDownloadProgress, true);
-          request.addEventListener("progress", downloadThrottled);
+          request2.addEventListener("progress", downloadThrottled);
         }
-        if (onUploadProgress && request.upload) {
+        if (onUploadProgress && request2.upload) {
           [uploadThrottled, flushUpload] = progressEventReducer(onUploadProgress);
-          request.upload.addEventListener("progress", uploadThrottled);
-          request.upload.addEventListener("loadend", flushUpload);
+          request2.upload.addEventListener("progress", uploadThrottled);
+          request2.upload.addEventListener("loadend", flushUpload);
         }
         if (_config.cancelToken || _config.signal) {
           onCanceled = (cancel) => {
-            if (!request) {
+            if (!request2) {
               return;
             }
-            reject(!cancel || cancel.type ? new CanceledError(null, config, request) : cancel);
-            request.abort();
-            request = null;
+            reject(!cancel || cancel.type ? new CanceledError(null, config, request2) : cancel);
+            request2.abort();
+            request2 = null;
           };
           _config.cancelToken && _config.cancelToken.subscribe(onCanceled);
           if (_config.signal) {
@@ -36615,7 +36616,7 @@ var require_axios = __commonJS({
           reject(new AxiosError("Unsupported protocol " + protocol + ":", AxiosError.ERR_BAD_REQUEST, config));
           return;
         }
-        request.send(requestData || null);
+        request2.send(requestData || null);
       });
     };
     var composeSignals = (signals, timeout) => {
@@ -36850,7 +36851,7 @@ var require_axios = __commonJS({
         let _fetch2 = envFetch || fetch;
         responseType = responseType ? (responseType + "").toLowerCase() : "text";
         let composedSignal = composeSignals([signal, cancelToken && cancelToken.toAbortSignal()], timeout);
-        let request = null;
+        let request2 = null;
         const unsubscribe = composedSignal && composedSignal.unsubscribe && (() => {
           composedSignal.unsubscribe();
         });
@@ -36884,8 +36885,8 @@ var require_axios = __commonJS({
             duplex: "half",
             credentials: isCredentialsSupported ? withCredentials : void 0
           };
-          request = isRequestSupported && new Request3(url2, resolvedOptions);
-          let response = await (isRequestSupported ? _fetch2(request, fetchOptions) : _fetch2(url2, resolvedOptions));
+          request2 = isRequestSupported && new Request3(url2, resolvedOptions);
+          let response = await (isRequestSupported ? _fetch2(request2, fetchOptions) : _fetch2(url2, resolvedOptions));
           const isStreamResponse = supportsResponseStream && (responseType === "stream" || responseType === "response");
           if (supportsResponseStream && (onDownloadProgress || isStreamResponse && unsubscribe)) {
             const options = {};
@@ -36909,17 +36910,17 @@ var require_axios = __commonJS({
               status: response.status,
               statusText: response.statusText,
               config,
-              request
+              request: request2
             });
           });
         } catch (err) {
           unsubscribe && unsubscribe();
           if (err && err.name === "TypeError" && /Load failed|fetch/i.test(err.message)) {
-            throw Object.assign(new AxiosError("Network Error", AxiosError.ERR_NETWORK, config, request, err && err.response), {
+            throw Object.assign(new AxiosError("Network Error", AxiosError.ERR_NETWORK, config, request2, err && err.response), {
               cause: err.cause || err
             });
           }
-          throw AxiosError.from(err, err && err.code, config, request, err && err.response);
+          throw AxiosError.from(err, err && err.code, config, request2, err && err.response);
         }
       };
     };
@@ -37295,11 +37296,11 @@ var require_axios = __commonJS({
           };
           return promise;
         };
-        executor(function cancel(message, config, request) {
+        executor(function cancel(message, config, request2) {
           if (token.reason) {
             return;
           }
-          token.reason = new CanceledError(message, config, request);
+          token.reason = new CanceledError(message, config, request2);
           resolvePromise(token.reason);
         });
       }
@@ -37852,8 +37853,8 @@ function createGetModuleFromFilename(basePath = process.argv[1] ? (0, import_pat
     return decodedFile;
   };
 }
-function normalizeWindowsPath(path56) {
-  return path56.replace(/^[A-Z]:/, "").replace(/\\/g, "/");
+function normalizeWindowsPath(path57) {
+  return path57.replace(/^[A-Z]:/, "").replace(/\\/g, "/");
 }
 async function addSourceContext(frames) {
   const filesToLines = {};
@@ -37898,9 +37899,9 @@ async function addSourceContext(frames) {
   LRU_FILE_CONTENTS_CACHE.reduce();
   return frames;
 }
-function getContextLinesFromFile(path56, ranges, output) {
+function getContextLinesFromFile(path57, ranges, output) {
   return new Promise((resolve7) => {
-    const stream = (0, import_node_fs.createReadStream)(path56);
+    const stream = (0, import_node_fs.createReadStream)(path57);
     const lineReaded = (0, import_node_readline.createInterface)({
       input: stream
     });
@@ -37918,7 +37919,7 @@ function getContextLinesFromFile(path56, ranges, output) {
     let rangeStart = range[0];
     let rangeEnd = range[1];
     function onStreamError() {
-      LRU_FILE_CONTENTS_FS_READ_FAILED.set(path56, 1);
+      LRU_FILE_CONTENTS_FS_READ_FAILED.set(path57, 1);
       lineReaded.close();
       lineReaded.removeAllListeners();
       destroyStreamAndResolve();
@@ -37995,8 +37996,8 @@ function clearLineContext(frame) {
   delete frame.context_line;
   delete frame.post_context;
 }
-function shouldSkipContextLinesForFile(path56) {
-  return path56.startsWith("node:") || path56.endsWith(".min.js") || path56.endsWith(".min.cjs") || path56.endsWith(".min.mjs") || path56.startsWith("data:");
+function shouldSkipContextLinesForFile(path57) {
+  return path57.startsWith("node:") || path57.endsWith(".min.js") || path57.endsWith(".min.cjs") || path57.endsWith(".min.mjs") || path57.startsWith("data:");
 }
 function shouldSkipContextLinesForFrame(frame) {
   if (frame.lineno !== void 0 && frame.lineno > MAX_CONTEXTLINES_LINENO) {
@@ -40372,9 +40373,9 @@ var init_node = __esm({
         return globalThis.crypto.subtle;
       }
       try {
-        const crypto6 = await nodeCrypto.getValue();
-        if (crypto6?.webcrypto?.subtle) {
-          return crypto6.webcrypto.subtle;
+        const crypto10 = await nodeCrypto.getValue();
+        if (crypto10?.webcrypto?.subtle) {
+          return crypto10.webcrypto.subtle;
         }
       } catch {
       }
@@ -41815,18 +41816,18 @@ var init_report_client = __esm({
           Authorization: `Bearer ${apiKey}`,
           "Content-Type": "application/json"
         };
-        const init = {
+        const init2 = {
           method,
           headers,
           ...body !== void 0 ? { body: JSON.stringify(body) } : {}
         };
         let response;
         try {
-          response = await fetch(url, init);
+          response = await fetch(url, init2);
         } catch {
           await this.delay(this.retryDelayMs);
           try {
-            response = await fetch(url, init);
+            response = await fetch(url, init2);
           } catch (retryErr) {
             throw new CloudApiError2(
               `Network error contacting Clef Cloud: ${retryErr.message}`,
@@ -41840,7 +41841,7 @@ var init_report_client = __esm({
         }
         if (response.status >= 500 && response.status < 600) {
           await this.delay(this.retryDelayMs);
-          const retryResponse = await fetch(url, init);
+          const retryResponse = await fetch(url, init2);
           if (retryResponse.ok) {
             return await retryResponse.json();
           }
@@ -56407,11 +56408,11 @@ var require_mime_types2 = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path56) {
-      if (!path56 || typeof path56 !== "string") {
+    function lookup(path57) {
+      if (!path57 || typeof path57 !== "string") {
         return false;
       }
-      var extension2 = extname3("x." + path56).toLowerCase().slice(1);
+      var extension2 = extname3("x." + path57).toLowerCase().slice(1);
       if (!extension2) {
         return false;
       }
@@ -56651,16 +56652,16 @@ var require_utils = __commonJS({
       var inflate = options?.inflate !== false;
       var limit = typeof options?.limit !== "number" ? bytes.parse(options?.limit || "100kb") : options?.limit;
       var type = options?.type || defaultType;
-      var verify2 = options?.verify || false;
+      var verify3 = options?.verify || false;
       var defaultCharset = options?.defaultCharset || "utf-8";
-      if (verify2 !== false && typeof verify2 !== "function") {
+      if (verify3 !== false && typeof verify3 !== "function") {
         throw new TypeError("option verify must be function");
       }
       var shouldParse = typeof type !== "function" ? typeChecker(type) : type;
       return {
         inflate,
         limit,
-        verify: verify2,
+        verify: verify3,
         defaultCharset,
         shouldParse
       };
@@ -56718,7 +56719,7 @@ var require_read = __commonJS({
       var length;
       var opts = options;
       var stream;
-      var verify2 = opts.verify;
+      var verify3 = opts.verify;
       try {
         stream = contentstream(req, debug, opts.inflate);
         length = stream.length;
@@ -56727,7 +56728,7 @@ var require_read = __commonJS({
         return next(err);
       }
       opts.length = length;
-      opts.encoding = verify2 ? null : encoding;
+      opts.encoding = verify3 ? null : encoding;
       if (opts.encoding === null && encoding !== null && !iconv.encodingExists(encoding)) {
         return next(createError(415, 'unsupported charset "' + encoding.toUpperCase() + '"', {
           charset: encoding.toLowerCase(),
@@ -56755,10 +56756,10 @@ var require_read = __commonJS({
           });
           return;
         }
-        if (verify2) {
+        if (verify3) {
           try {
             debug("verify body");
-            verify2(req, res, body, encoding);
+            verify3(req, res, body, encoding);
           } catch (err) {
             next(createError(403, err, {
               body,
@@ -59076,13 +59077,13 @@ var require_view = __commonJS({
   "../../node_modules/express/lib/view.js"(exports2, module2) {
     "use strict";
     var debug = require_src()("express:view");
-    var path56 = require("node:path");
-    var fs35 = require("node:fs");
-    var dirname10 = path56.dirname;
-    var basename6 = path56.basename;
-    var extname3 = path56.extname;
-    var join51 = path56.join;
-    var resolve7 = path56.resolve;
+    var path57 = require("node:path");
+    var fs38 = require("node:fs");
+    var dirname11 = path57.dirname;
+    var basename6 = path57.basename;
+    var extname3 = path57.extname;
+    var join52 = path57.join;
+    var resolve7 = path57.resolve;
     module2.exports = View;
     function View(name, options) {
       var opts = options || {};
@@ -59111,17 +59112,17 @@ var require_view = __commonJS({
       this.path = this.lookup(fileName);
     }
     View.prototype.lookup = function lookup(name) {
-      var path57;
+      var path58;
       var roots = [].concat(this.root);
       debug('lookup "%s"', name);
-      for (var i = 0; i < roots.length && !path57; i++) {
+      for (var i = 0; i < roots.length && !path58; i++) {
         var root = roots[i];
         var loc = resolve7(root, name);
-        var dir = dirname10(loc);
+        var dir = dirname11(loc);
         var file = basename6(loc);
-        path57 = this.resolve(dir, file);
+        path58 = this.resolve(dir, file);
       }
-      return path57;
+      return path58;
     };
     View.prototype.render = function render(options, callback) {
       var sync = true;
@@ -59143,21 +59144,21 @@ var require_view = __commonJS({
     };
     View.prototype.resolve = function resolve8(dir, file) {
       var ext = this.ext;
-      var path57 = join51(dir, file);
-      var stat = tryStat(path57);
+      var path58 = join52(dir, file);
+      var stat = tryStat(path58);
       if (stat && stat.isFile()) {
-        return path57;
+        return path58;
       }
-      path57 = join51(dir, basename6(file, ext), "index" + ext);
-      stat = tryStat(path57);
+      path58 = join52(dir, basename6(file, ext), "index" + ext);
+      stat = tryStat(path58);
       if (stat && stat.isFile()) {
-        return path57;
+        return path58;
       }
     };
-    function tryStat(path57) {
-      debug('stat "%s"', path57);
+    function tryStat(path58) {
+      debug('stat "%s"', path58);
       try {
-        return fs35.statSync(path57);
+        return fs38.statSync(path58);
       } catch (e) {
         return void 0;
       }
@@ -59170,14 +59171,14 @@ var require_etag = __commonJS({
   "../../node_modules/etag/index.js"(exports2, module2) {
     "use strict";
     module2.exports = etag;
-    var crypto6 = require("crypto");
+    var crypto10 = require("crypto");
     var Stats = require("fs").Stats;
     var toString = Object.prototype.toString;
     function entitytag(entity) {
       if (entity.length === 0) {
         return '"0-2jmj7l5rSw0yVb/vlWAYkK/YBwk"';
       }
-      var hash = crypto6.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
+      var hash = crypto10.createHash("sha1").update(entity, "utf8").digest("base64").substring(0, 27);
       var len = typeof entity === "string" ? Buffer.byteLength(entity, "utf8") : entity.length;
       return '"' + len.toString(16) + "-" + hash + '"';
     }
@@ -68663,11 +68664,11 @@ var require_mime_types3 = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path56) {
-      if (!path56 || typeof path56 !== "string") {
+    function lookup(path57) {
+      if (!path57 || typeof path57 !== "string") {
         return false;
       }
-      var extension2 = extname3("x." + path56).toLowerCase().slice(1);
+      var extension2 = extname3("x." + path57).toLowerCase().slice(1);
       if (!extension2) {
         return false;
       }
@@ -69848,15 +69849,15 @@ var require_dist2 = __commonJS({
           if (token.type === endType)
             break;
           if (token.type === "char" || token.type === "escape") {
-            let path56 = token.value;
+            let path57 = token.value;
             let cur = tokens[pos];
             while (cur.type === "char" || cur.type === "escape") {
-              path56 += cur.value;
+              path57 += cur.value;
               cur = tokens[++pos];
             }
             output.push({
               type: "text",
-              value: encodePath(path56)
+              value: encodePath(path57)
             });
             continue;
           }
@@ -69880,16 +69881,16 @@ var require_dist2 = __commonJS({
       }
       return new TokenData(consumeUntil("end"), str2);
     }
-    function compile(path56, options = {}) {
+    function compile(path57, options = {}) {
       const { encode = encodeURIComponent, delimiter = DEFAULT_DELIMITER } = options;
-      const data = typeof path56 === "object" ? path56 : parse18(path56, options);
+      const data = typeof path57 === "object" ? path57 : parse18(path57, options);
       const fn = tokensToFunction(data.tokens, delimiter, encode);
-      return function path57(params = {}) {
-        const [path58, ...missing] = fn(params);
+      return function path58(params = {}) {
+        const [path59, ...missing] = fn(params);
         if (missing.length) {
           throw new TypeError(`Missing parameters: ${missing.join(", ")}`);
         }
-        return path58;
+        return path59;
       };
     }
     function tokensToFunction(tokens, delimiter, encode) {
@@ -69945,9 +69946,9 @@ var require_dist2 = __commonJS({
         return [encodeValue(value)];
       };
     }
-    function match(path56, options = {}) {
+    function match(path57, options = {}) {
       const { decode = decodeURIComponent, delimiter = DEFAULT_DELIMITER } = options;
-      const { regexp, keys } = pathToRegexp(path56, options);
+      const { regexp, keys } = pathToRegexp(path57, options);
       const decoders = keys.map((key) => {
         if (decode === false)
           return NOOP_VALUE;
@@ -69959,7 +69960,7 @@ var require_dist2 = __commonJS({
         const m = regexp.exec(input);
         if (!m)
           return false;
-        const path57 = m[0];
+        const path58 = m[0];
         const params = /* @__PURE__ */ Object.create(null);
         for (let i = 1; i < m.length; i++) {
           if (m[i] === void 0)
@@ -69968,22 +69969,22 @@ var require_dist2 = __commonJS({
           const decoder = decoders[i - 1];
           params[key.name] = decoder(m[i]);
         }
-        return { path: path57, params };
+        return { path: path58, params };
       };
     }
-    function pathToRegexp(path56, options = {}) {
+    function pathToRegexp(path57, options = {}) {
       const { delimiter = DEFAULT_DELIMITER, end = true, sensitive = false, trailing = true } = options;
       const keys = [];
       const sources = [];
-      const paths = [path56];
+      const paths = [path57];
       let combinations = 0;
       while (paths.length) {
-        const path57 = paths.shift();
-        if (Array.isArray(path57)) {
-          paths.push(...path57);
+        const path58 = paths.shift();
+        if (Array.isArray(path58)) {
+          paths.push(...path58);
           continue;
         }
-        const data = typeof path57 === "object" ? path57 : parse18(path57, options);
+        const data = typeof path58 === "object" ? path58 : parse18(path58, options);
         flatten(data.tokens, 0, [], (tokens) => {
           if (combinations++ >= 256) {
             throw new PathError("Too many path combinations", data.originalPath);
@@ -70128,18 +70129,18 @@ var require_layer = __commonJS({
     var TRAILING_SLASH_REGEXP = /\/+$/;
     var MATCHING_GROUP_REGEXP = /\((?:\?<(.*?)>)?(?!\?)/g;
     module2.exports = Layer;
-    function Layer(path56, options, fn) {
+    function Layer(path57, options, fn) {
       if (!(this instanceof Layer)) {
-        return new Layer(path56, options, fn);
+        return new Layer(path57, options, fn);
       }
-      debug("new %o", path56);
+      debug("new %o", path57);
       const opts = options || {};
       this.handle = fn;
       this.keys = [];
       this.name = fn.name || "<anonymous>";
       this.params = void 0;
       this.path = void 0;
-      this.slash = path56 === "/" && opts.end === false;
+      this.slash = path57 === "/" && opts.end === false;
       function matcher(_path) {
         if (_path instanceof RegExp) {
           const keys = [];
@@ -70178,7 +70179,7 @@ var require_layer = __commonJS({
           decode: decodeParam
         });
       }
-      this.matchers = Array.isArray(path56) ? path56.map(matcher) : [matcher(path56)];
+      this.matchers = Array.isArray(path57) ? path57.map(matcher) : [matcher(path57)];
     }
     Layer.prototype.handleError = function handleError(error, req, res, next) {
       const fn = this.handle;
@@ -70218,9 +70219,9 @@ var require_layer = __commonJS({
         next(err);
       }
     };
-    Layer.prototype.match = function match(path56) {
+    Layer.prototype.match = function match(path57) {
       let match2;
-      if (path56 != null) {
+      if (path57 != null) {
         if (this.slash) {
           this.params = {};
           this.path = "";
@@ -70228,7 +70229,7 @@ var require_layer = __commonJS({
         }
         let i = 0;
         while (!match2 && i < this.matchers.length) {
-          match2 = this.matchers[i](path56);
+          match2 = this.matchers[i](path57);
           i++;
         }
       }
@@ -70256,13 +70257,13 @@ var require_layer = __commonJS({
         throw err;
       }
     }
-    function loosen(path56) {
-      if (path56 instanceof RegExp || path56 === "/") {
-        return path56;
+    function loosen(path57) {
+      if (path57 instanceof RegExp || path57 === "/") {
+        return path57;
       }
-      return Array.isArray(path56) ? path56.map(function(p) {
+      return Array.isArray(path57) ? path57.map(function(p) {
         return loosen(p);
-      }) : String(path56).replace(TRAILING_SLASH_REGEXP, "");
+      }) : String(path57).replace(TRAILING_SLASH_REGEXP, "");
     }
   }
 });
@@ -70278,9 +70279,9 @@ var require_route = __commonJS({
     var flatten = Array.prototype.flat;
     var methods = METHODS.map((method) => method.toLowerCase());
     module2.exports = Route;
-    function Route(path56) {
-      debug("new %o", path56);
-      this.path = path56;
+    function Route(path57) {
+      debug("new %o", path57);
+      this.path = path57;
       this.stack = [];
       this.methods = /* @__PURE__ */ Object.create(null);
     }
@@ -70488,8 +70489,8 @@ var require_router = __commonJS({
         if (++sync > 100) {
           return setImmediate(next, err);
         }
-        const path56 = getPathname(req);
-        if (path56 == null) {
+        const path57 = getPathname(req);
+        if (path57 == null) {
           return done(layerError);
         }
         let layer;
@@ -70497,7 +70498,7 @@ var require_router = __commonJS({
         let route;
         while (match !== true && idx < stack.length) {
           layer = stack[idx++];
-          match = matchLayer(layer, path56);
+          match = matchLayer(layer, path57);
           route = layer.route;
           if (typeof match !== "boolean") {
             layerError = layerError || match;
@@ -70535,18 +70536,18 @@ var require_router = __commonJS({
           } else if (route) {
             layer.handleRequest(req, res, next);
           } else {
-            trimPrefix(layer, layerError, layerPath, path56);
+            trimPrefix(layer, layerError, layerPath, path57);
           }
           sync = 0;
         });
       }
-      function trimPrefix(layer, layerError, layerPath, path56) {
+      function trimPrefix(layer, layerError, layerPath, path57) {
         if (layerPath.length !== 0) {
-          if (layerPath !== path56.substring(0, layerPath.length)) {
+          if (layerPath !== path57.substring(0, layerPath.length)) {
             next(layerError);
             return;
           }
-          const c = path56[layerPath.length];
+          const c = path57[layerPath.length];
           if (c && c !== "/") {
             next(layerError);
             return;
@@ -70570,7 +70571,7 @@ var require_router = __commonJS({
     };
     Router2.prototype.use = function use(handler) {
       let offset = 0;
-      let path56 = "/";
+      let path57 = "/";
       if (typeof handler !== "function") {
         let arg = handler;
         while (Array.isArray(arg) && arg.length !== 0) {
@@ -70578,7 +70579,7 @@ var require_router = __commonJS({
         }
         if (typeof arg !== "function") {
           offset = 1;
-          path56 = handler;
+          path57 = handler;
         }
       }
       const callbacks = flatten.call(slice.call(arguments, offset), Infinity);
@@ -70590,8 +70591,8 @@ var require_router = __commonJS({
         if (typeof fn !== "function") {
           throw new TypeError("argument handler must be a function");
         }
-        debug("use %o %s", path56, fn.name || "<anonymous>");
-        const layer = new Layer(path56, {
+        debug("use %o %s", path57, fn.name || "<anonymous>");
+        const layer = new Layer(path57, {
           sensitive: this.caseSensitive,
           strict: false,
           end: false
@@ -70601,9 +70602,9 @@ var require_router = __commonJS({
       }
       return this;
     };
-    Router2.prototype.route = function route(path56) {
-      const route2 = new Route(path56);
-      const layer = new Layer(path56, {
+    Router2.prototype.route = function route(path57) {
+      const route2 = new Route(path57);
+      const layer = new Layer(path57, {
         sensitive: this.caseSensitive,
         strict: this.strict,
         end: true
@@ -70616,8 +70617,8 @@ var require_router = __commonJS({
       return route2;
     };
     methods.concat("all").forEach(function(method) {
-      Router2.prototype[method] = function(path56) {
-        const route = this.route(path56);
+      Router2.prototype[method] = function(path57) {
+        const route = this.route(path57);
         route[method].apply(route, slice.call(arguments, 1));
         return this;
       };
@@ -70646,9 +70647,9 @@ var require_router = __commonJS({
       const fqdnIndex = url.substring(0, pathLength).indexOf("://");
       return fqdnIndex !== -1 ? url.substring(0, url.indexOf("/", 3 + fqdnIndex)) : void 0;
     }
-    function matchLayer(layer, path56) {
+    function matchLayer(layer, path57) {
       try {
-        return layer.match(path56);
+        return layer.match(path57);
       } catch (err) {
         return err;
       }
@@ -70804,7 +70805,7 @@ var require_application = __commonJS({
     var flatten = Array.prototype.flat;
     var app = exports2 = module2.exports = {};
     var trustProxyDefaultSymbol = "@@symbol:trust_proxy_default";
-    app.init = function init() {
+    app.init = function init2() {
       var router = null;
       this.cache = /* @__PURE__ */ Object.create(null);
       this.engines = /* @__PURE__ */ Object.create(null);
@@ -70876,7 +70877,7 @@ var require_application = __commonJS({
     };
     app.use = function use(fn) {
       var offset = 0;
-      var path56 = "/";
+      var path57 = "/";
       if (typeof fn !== "function") {
         var arg = fn;
         while (Array.isArray(arg) && arg.length !== 0) {
@@ -70884,7 +70885,7 @@ var require_application = __commonJS({
         }
         if (typeof arg !== "function") {
           offset = 1;
-          path56 = fn;
+          path57 = fn;
         }
       }
       var fns = flatten.call(slice.call(arguments, offset), Infinity);
@@ -70894,12 +70895,12 @@ var require_application = __commonJS({
       var router = this.router;
       fns.forEach(function(fn2) {
         if (!fn2 || !fn2.handle || !fn2.set) {
-          return router.use(path56, fn2);
+          return router.use(path57, fn2);
         }
-        debug(".use app under %s", path56);
-        fn2.mountpath = path56;
+        debug(".use app under %s", path57);
+        fn2.mountpath = path57;
         fn2.parent = this;
-        router.use(path56, function mounted_app(req, res, next) {
+        router.use(path57, function mounted_app(req, res, next) {
           var orig = req.app;
           fn2.handle(req, res, function(err) {
             Object.setPrototypeOf(req, orig.request);
@@ -70911,8 +70912,8 @@ var require_application = __commonJS({
       }, this);
       return this;
     };
-    app.route = function route(path56) {
-      return this.router.route(path56);
+    app.route = function route(path57) {
+      return this.router.route(path57);
     };
     app.engine = function engine(ext, fn) {
       if (typeof fn !== "function") {
@@ -70955,7 +70956,7 @@ var require_application = __commonJS({
       }
       return this;
     };
-    app.path = function path56() {
+    app.path = function path57() {
       return this.parent ? this.parent.path() + this.mountpath : "";
     };
     app.enabled = function enabled(setting) {
@@ -70971,17 +70972,17 @@ var require_application = __commonJS({
       return this.set(setting, false);
     };
     methods.forEach(function(method) {
-      app[method] = function(path56) {
+      app[method] = function(path57) {
         if (method === "get" && arguments.length === 1) {
-          return this.set(path56);
+          return this.set(path57);
         }
-        var route = this.route(path56);
+        var route = this.route(path57);
         route[method].apply(route, slice.call(arguments, 1));
         return this;
       };
     });
-    app.all = function all(path56) {
-      var route = this.route(path56);
+    app.all = function all(path57) {
+      var route = this.route(path57);
       var args = slice.call(arguments, 1);
       for (var i = 0; i < methods.length; i++) {
         route[methods[i]].apply(route, args);
@@ -71513,11 +71514,11 @@ var require_negotiator = __commonJS({
     var preferredMediaTypes = require_mediaType();
     module2.exports = Negotiator;
     module2.exports.Negotiator = Negotiator;
-    function Negotiator(request) {
+    function Negotiator(request2) {
       if (!(this instanceof Negotiator)) {
-        return new Negotiator(request);
+        return new Negotiator(request2);
       }
-      this.request = request;
+      this.request = request2;
     }
     Negotiator.prototype.charset = function charset(available) {
       var set = this.charsets(available);
@@ -81015,11 +81016,11 @@ var require_mime_types4 = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path56) {
-      if (!path56 || typeof path56 !== "string") {
+    function lookup(path57) {
+      if (!path57 || typeof path57 !== "string") {
         return false;
       }
-      var extension2 = extname3("x." + path56).toLowerCase().slice(1);
+      var extension2 = extname3("x." + path57).toLowerCase().slice(1);
       if (!extension2) {
         return false;
       }
@@ -81396,7 +81397,7 @@ var require_request = __commonJS({
       var subdomains2 = !isIP2(hostname2) ? hostname2.split(".").reverse() : [hostname2];
       return subdomains2.slice(offset);
     });
-    defineGetter(req, "path", function path56() {
+    defineGetter(req, "path", function path57() {
       return parse18(this).pathname;
     });
     defineGetter(req, "host", function host() {
@@ -81612,17 +81613,17 @@ var require_content_disposition = __commonJS({
 // ../../node_modules/cookie-signature/index.js
 var require_cookie_signature = __commonJS({
   "../../node_modules/cookie-signature/index.js"(exports2) {
-    var crypto6 = require("crypto");
+    var crypto10 = require("crypto");
     exports2.sign = function(val, secret) {
       if ("string" != typeof val) throw new TypeError("Cookie value must be provided as a string.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
-      return val + "." + crypto6.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
+      return val + "." + crypto10.createHmac("sha256", secret).update(val).digest("base64").replace(/\=+$/, "");
     };
     exports2.unsign = function(input, secret) {
       if ("string" != typeof input) throw new TypeError("Signed cookie string must be provided.");
       if (null == secret) throw new TypeError("Secret key must be provided.");
       var tentativeValue = input.slice(0, input.lastIndexOf(".")), expectedInput = exports2.sign(tentativeValue, secret), expectedBuffer = Buffer.from(expectedInput), inputBuffer = Buffer.from(input);
-      return expectedBuffer.length === inputBuffer.length && crypto6.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
+      return expectedBuffer.length === inputBuffer.length && crypto10.timingSafeEqual(expectedBuffer, inputBuffer) ? tentativeValue : false;
     };
   }
 });
@@ -91249,11 +91250,11 @@ var require_mime_types5 = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path56) {
-      if (!path56 || typeof path56 !== "string") {
+    function lookup(path57) {
+      if (!path57 || typeof path57 !== "string") {
         return false;
       }
-      var extension2 = extname3("x." + path56).toLowerCase().slice(1);
+      var extension2 = extname3("x." + path57).toLowerCase().slice(1);
       if (!extension2) {
         return false;
       }
@@ -91308,32 +91309,32 @@ var require_send = __commonJS({
     var escapeHtml = require_escape_html();
     var etag = require_etag();
     var fresh = require_fresh();
-    var fs35 = require("fs");
+    var fs38 = require("fs");
     var mime = require_mime_types5();
     var ms = require_ms();
     var onFinished = require_on_finished();
     var parseRange = require_range_parser();
-    var path56 = require("path");
+    var path57 = require("path");
     var statuses = require_statuses();
     var Stream = require("stream");
     var util = require("util");
-    var extname3 = path56.extname;
-    var join51 = path56.join;
-    var normalize = path56.normalize;
-    var resolve7 = path56.resolve;
-    var sep3 = path56.sep;
+    var extname3 = path57.extname;
+    var join52 = path57.join;
+    var normalize = path57.normalize;
+    var resolve7 = path57.resolve;
+    var sep3 = path57.sep;
     var BYTES_RANGE_REGEXP = /^ *bytes=/;
     var MAX_MAXAGE = 60 * 60 * 24 * 365 * 1e3;
     var UP_PATH_REGEXP = /(?:^|[\\/])\.\.(?:[\\/]|$)/;
     module2.exports = send;
-    function send(req, path57, options) {
-      return new SendStream(req, path57, options);
+    function send(req, path58, options) {
+      return new SendStream(req, path58, options);
     }
-    function SendStream(req, path57, options) {
+    function SendStream(req, path58, options) {
       Stream.call(this);
       var opts = options || {};
       this.options = opts;
-      this.path = path57;
+      this.path = path58;
       this.req = req;
       this._acceptRanges = opts.acceptRanges !== void 0 ? Boolean(opts.acceptRanges) : true;
       this._cacheControl = opts.cacheControl !== void 0 ? Boolean(opts.cacheControl) : true;
@@ -91447,10 +91448,10 @@ var require_send = __commonJS({
       var lastModified = this.res.getHeader("Last-Modified");
       return parseHttpDate(lastModified) <= parseHttpDate(ifRange);
     };
-    SendStream.prototype.redirect = function redirect(path57) {
+    SendStream.prototype.redirect = function redirect(path58) {
       var res = this.res;
       if (hasListeners(this, "directory")) {
-        this.emit("directory", res, path57);
+        this.emit("directory", res, path58);
         return;
       }
       if (this.hasTrailingSlash()) {
@@ -91470,38 +91471,38 @@ var require_send = __commonJS({
     SendStream.prototype.pipe = function pipe(res) {
       var root = this._root;
       this.res = res;
-      var path57 = decode(this.path);
-      if (path57 === -1) {
+      var path58 = decode(this.path);
+      if (path58 === -1) {
         this.error(400);
         return res;
       }
-      if (~path57.indexOf("\0")) {
+      if (~path58.indexOf("\0")) {
         this.error(400);
         return res;
       }
       var parts;
       if (root !== null) {
-        if (path57) {
-          path57 = normalize("." + sep3 + path57);
+        if (path58) {
+          path58 = normalize("." + sep3 + path58);
         }
-        if (UP_PATH_REGEXP.test(path57)) {
-          debug('malicious path "%s"', path57);
+        if (UP_PATH_REGEXP.test(path58)) {
+          debug('malicious path "%s"', path58);
           this.error(403);
           return res;
         }
-        parts = path57.split(sep3);
-        path57 = normalize(join51(root, path57));
+        parts = path58.split(sep3);
+        path58 = normalize(join52(root, path58));
       } else {
-        if (UP_PATH_REGEXP.test(path57)) {
-          debug('malicious path "%s"', path57);
+        if (UP_PATH_REGEXP.test(path58)) {
+          debug('malicious path "%s"', path58);
           this.error(403);
           return res;
         }
-        parts = normalize(path57).split(sep3);
-        path57 = resolve7(path57);
+        parts = normalize(path58).split(sep3);
+        path58 = resolve7(path58);
       }
       if (containsDotFile(parts)) {
-        debug('%s dotfile "%s"', this._dotfiles, path57);
+        debug('%s dotfile "%s"', this._dotfiles, path58);
         switch (this._dotfiles) {
           case "allow":
             break;
@@ -91515,13 +91516,13 @@ var require_send = __commonJS({
         }
       }
       if (this._index.length && this.hasTrailingSlash()) {
-        this.sendIndex(path57);
+        this.sendIndex(path58);
         return res;
       }
-      this.sendFile(path57);
+      this.sendFile(path58);
       return res;
     };
-    SendStream.prototype.send = function send2(path57, stat) {
+    SendStream.prototype.send = function send2(path58, stat) {
       var len = stat.size;
       var options = this.options;
       var opts = {};
@@ -91533,9 +91534,9 @@ var require_send = __commonJS({
         this.headersAlreadySent();
         return;
       }
-      debug('pipe "%s"', path57);
-      this.setHeader(path57, stat);
-      this.type(path57);
+      debug('pipe "%s"', path58);
+      this.setHeader(path58, stat);
+      this.type(path58);
       if (this.isConditionalGET()) {
         if (this.isPreconditionFailure()) {
           this.error(412);
@@ -91584,30 +91585,30 @@ var require_send = __commonJS({
         res.end();
         return;
       }
-      this.stream(path57, opts);
+      this.stream(path58, opts);
     };
-    SendStream.prototype.sendFile = function sendFile(path57) {
+    SendStream.prototype.sendFile = function sendFile(path58) {
       var i = 0;
       var self2 = this;
-      debug('stat "%s"', path57);
-      fs35.stat(path57, function onstat(err, stat) {
-        var pathEndsWithSep = path57[path57.length - 1] === sep3;
-        if (err && err.code === "ENOENT" && !extname3(path57) && !pathEndsWithSep) {
+      debug('stat "%s"', path58);
+      fs38.stat(path58, function onstat(err, stat) {
+        var pathEndsWithSep = path58[path58.length - 1] === sep3;
+        if (err && err.code === "ENOENT" && !extname3(path58) && !pathEndsWithSep) {
           return next(err);
         }
         if (err) return self2.onStatError(err);
-        if (stat.isDirectory()) return self2.redirect(path57);
+        if (stat.isDirectory()) return self2.redirect(path58);
         if (pathEndsWithSep) return self2.error(404);
-        self2.emit("file", path57, stat);
-        self2.send(path57, stat);
+        self2.emit("file", path58, stat);
+        self2.send(path58, stat);
       });
       function next(err) {
         if (self2._extensions.length <= i) {
           return err ? self2.onStatError(err) : self2.error(404);
         }
-        var p = path57 + "." + self2._extensions[i++];
+        var p = path58 + "." + self2._extensions[i++];
         debug('stat "%s"', p);
-        fs35.stat(p, function(err2, stat) {
+        fs38.stat(p, function(err2, stat) {
           if (err2) return next(err2);
           if (stat.isDirectory()) return next();
           self2.emit("file", p, stat);
@@ -91615,7 +91616,7 @@ var require_send = __commonJS({
         });
       }
     };
-    SendStream.prototype.sendIndex = function sendIndex(path57) {
+    SendStream.prototype.sendIndex = function sendIndex(path58) {
       var i = -1;
       var self2 = this;
       function next(err) {
@@ -91623,9 +91624,9 @@ var require_send = __commonJS({
           if (err) return self2.onStatError(err);
           return self2.error(404);
         }
-        var p = join51(path57, self2._index[i]);
+        var p = join52(path58, self2._index[i]);
         debug('stat "%s"', p);
-        fs35.stat(p, function(err2, stat) {
+        fs38.stat(p, function(err2, stat) {
           if (err2) return next(err2);
           if (stat.isDirectory()) return next();
           self2.emit("file", p, stat);
@@ -91634,10 +91635,10 @@ var require_send = __commonJS({
       }
       next();
     };
-    SendStream.prototype.stream = function stream(path57, options) {
+    SendStream.prototype.stream = function stream(path58, options) {
       var self2 = this;
       var res = this.res;
-      var stream2 = fs35.createReadStream(path57, options);
+      var stream2 = fs38.createReadStream(path58, options);
       this.emit("stream", stream2);
       stream2.pipe(res);
       function cleanup() {
@@ -91652,17 +91653,17 @@ var require_send = __commonJS({
         self2.emit("end");
       });
     };
-    SendStream.prototype.type = function type(path57) {
+    SendStream.prototype.type = function type(path58) {
       var res = this.res;
       if (res.getHeader("Content-Type")) return;
-      var ext = extname3(path57);
+      var ext = extname3(path58);
       var type2 = mime.contentType(ext) || "application/octet-stream";
       debug("content-type %s", type2);
       res.setHeader("Content-Type", type2);
     };
-    SendStream.prototype.setHeader = function setHeader(path57, stat) {
+    SendStream.prototype.setHeader = function setHeader(path58, stat) {
       var res = this.res;
-      this.emit("headers", res, path57, stat);
+      this.emit("headers", res, path58, stat);
       if (this._acceptRanges && !res.getHeader("Accept-Ranges")) {
         debug("accept ranges");
         res.setHeader("Accept-Ranges", "bytes");
@@ -91720,9 +91721,9 @@ var require_send = __commonJS({
       }
       return err instanceof Error ? createError(status, err, { expose: false }) : createError(status, err);
     }
-    function decode(path57) {
+    function decode(path58) {
       try {
-        return decodeURIComponent(path57);
+        return decodeURIComponent(path58);
       } catch (err) {
         return -1;
       }
@@ -91866,7 +91867,7 @@ var require_response = __commonJS({
     var http = require("node:http");
     var onFinished = require_on_finished();
     var mime = require_mime_types3();
-    var path56 = require("node:path");
+    var path57 = require("node:path");
     var pathIsAbsolute = require("node:path").isAbsolute;
     var statuses = require_statuses();
     var sign2 = require_cookie_signature().sign;
@@ -91875,8 +91876,8 @@ var require_response = __commonJS({
     var setCharset = require_utils3().setCharset;
     var cookie = require_cookie();
     var send = require_send();
-    var extname3 = path56.extname;
-    var resolve7 = path56.resolve;
+    var extname3 = path57.extname;
+    var resolve7 = path57.resolve;
     var vary = require_vary();
     var { Buffer: Buffer3 } = require("node:buffer");
     var res = Object.create(http.ServerResponse.prototype);
@@ -92022,26 +92023,26 @@ var require_response = __commonJS({
       this.type("txt");
       return this.send(body);
     };
-    res.sendFile = function sendFile(path57, options, callback) {
+    res.sendFile = function sendFile(path58, options, callback) {
       var done = callback;
       var req = this.req;
       var res2 = this;
       var next = req.next;
       var opts = options || {};
-      if (!path57) {
+      if (!path58) {
         throw new TypeError("path argument is required to res.sendFile");
       }
-      if (typeof path57 !== "string") {
+      if (typeof path58 !== "string") {
         throw new TypeError("path must be a string to res.sendFile");
       }
       if (typeof options === "function") {
         done = options;
         opts = {};
       }
-      if (!opts.root && !pathIsAbsolute(path57)) {
+      if (!opts.root && !pathIsAbsolute(path58)) {
         throw new TypeError("path must be absolute or specify root to res.sendFile");
       }
-      var pathname = encodeURI(path57);
+      var pathname = encodeURI(path58);
       opts.etag = this.app.enabled("etag");
       var file = send(req, pathname, opts);
       sendfile(res2, file, opts, function(err) {
@@ -92052,7 +92053,7 @@ var require_response = __commonJS({
         }
       });
     };
-    res.download = function download(path57, filename, options, callback) {
+    res.download = function download(path58, filename, options, callback) {
       var done = callback;
       var name = filename;
       var opts = options || null;
@@ -92069,7 +92070,7 @@ var require_response = __commonJS({
         opts = filename;
       }
       var headers = {
-        "Content-Disposition": contentDisposition(name || path57)
+        "Content-Disposition": contentDisposition(name || path58)
       };
       if (opts && opts.headers) {
         var keys = Object.keys(opts.headers);
@@ -92082,7 +92083,7 @@ var require_response = __commonJS({
       }
       opts = Object.create(opts);
       opts.headers = headers;
-      var fullPath = !opts.root ? resolve7(path57) : path57;
+      var fullPath = !opts.root ? resolve7(path58) : path58;
       return this.sendFile(fullPath, opts, done);
     };
     res.contentType = res.type = function contentType(type) {
@@ -92365,11 +92366,11 @@ var require_serve_static = __commonJS({
         }
         var forwardError = !fallthrough;
         var originalUrl = parseUrl.original(req);
-        var path56 = parseUrl(req).pathname;
-        if (path56 === "/" && originalUrl.pathname.substr(-1) !== "/") {
-          path56 = "";
+        var path57 = parseUrl(req).pathname;
+        if (path57 === "/" && originalUrl.pathname.substr(-1) !== "/") {
+          path57 = "";
         }
-        var stream = send(req, path56, opts);
+        var stream = send(req, path57, opts);
         stream.on("directory", onDirectory);
         if (setHeaders) {
           stream.on("headers", setHeaders);
@@ -92613,8 +92614,8 @@ var init_dist = __esm({
        *
        * @returns {void}
        */
-      trustProxy(request) {
-        if (request.app.get("trust proxy") === true) {
+      trustProxy(request2) {
+        if (request2.app.get("trust proxy") === true) {
           throw new ValidationError2(
             "ERR_ERL_PERMISSIVE_TRUST_PROXY",
             `The Express 'trust proxy' setting is true, which allows anyone to trivially bypass IP-based rate limiting.`
@@ -92631,8 +92632,8 @@ var init_dist = __esm({
        *
        * @returns {void}
        */
-      xForwardedForHeader(request) {
-        if (request.headers["x-forwarded-for"] && request.app.get("trust proxy") === false) {
+      xForwardedForHeader(request2) {
+        if (request2.headers["x-forwarded-for"] && request2.app.get("trust proxy") === false) {
           throw new ValidationError2(
             "ERR_ERL_UNEXPECTED_X_FORWARDED_FOR",
             `The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users.`
@@ -92674,11 +92675,11 @@ var init_dist = __esm({
        *
        * @returns {void}
        */
-      singleCount(request, store, key) {
-        let storeKeys = singleCountKeys.get(request);
+      singleCount(request2, store, key) {
+        let storeKeys = singleCountKeys.get(request2);
         if (!storeKeys) {
           storeKeys = /* @__PURE__ */ new Map();
-          singleCountKeys.set(request, storeKeys);
+          singleCountKeys.set(request2, storeKeys);
         }
         const storeKey = store.localKeys ? store : store.constructor.name;
         let keys = storeKeys.get(storeKey);
@@ -93066,10 +93067,10 @@ var init_dist = __esm({
         message: "Too many requests, please try again later.",
         statusCode: 429,
         legacyHeaders: passedOptions.headers ?? true,
-        identifier(request, _response) {
+        identifier(request2, _response) {
           let duration = "";
           const property = config.requestPropertyName;
-          const { limit } = request[property];
+          const { limit } = request2[property];
           const seconds = config.windowMs / 1e3;
           const minutes = config.windowMs / (1e3 * 60);
           const hours = config.windowMs / (1e3 * 60 * 60);
@@ -93085,16 +93086,16 @@ var init_dist = __esm({
         skipSuccessfulRequests: false,
         requestWasSuccessful: (_request, response) => response.statusCode < 400,
         skip: (_request, _response) => false,
-        keyGenerator(request, _response) {
-          validations2.ip(request.ip);
-          validations2.trustProxy(request);
-          validations2.xForwardedForHeader(request);
-          return request.ip;
+        keyGenerator(request2, _response) {
+          validations2.ip(request2.ip);
+          validations2.trustProxy(request2);
+          validations2.xForwardedForHeader(request2);
+          return request2.ip;
         },
-        async handler(request, response, _next, _optionsUsed) {
+        async handler(request2, response, _next, _optionsUsed) {
           response.status(config.statusCode);
           const message = typeof config.message === "function" ? await config.message(
-            request,
+            request2,
             response
           ) : config.message;
           if (!response.writableEnded) {
@@ -93119,9 +93120,9 @@ var init_dist = __esm({
       }
       return config;
     };
-    handleAsyncErrors = (fn) => async (request, response, next) => {
+    handleAsyncErrors = (fn) => async (request2, response, next) => {
       try {
-        await Promise.resolve(fn(request, response, next)).catch(next);
+        await Promise.resolve(fn(request2, response, next)).catch(next);
       } catch (error) {
         next(error);
       }
@@ -93133,14 +93134,14 @@ var init_dist = __esm({
       config.validations.unsharedStore(config.store);
       if (typeof config.store.init === "function") config.store.init(options);
       const middleware = handleAsyncErrors(
-        async (request, response, next) => {
-          const skip = await config.skip(request, response);
+        async (request2, response, next) => {
+          const skip = await config.skip(request2, response);
           if (skip) {
             next();
             return;
           }
-          const augmentedRequest = request;
-          const key = await config.keyGenerator(request, response);
+          const augmentedRequest = request2;
+          const key = await config.keyGenerator(request2, response);
           let totalHits = 0;
           let resetTime;
           try {
@@ -93159,8 +93160,8 @@ var init_dist = __esm({
             throw error;
           }
           config.validations.positiveHits(totalHits);
-          config.validations.singleCount(request, config.store, key);
-          const retrieveLimit = typeof config.limit === "function" ? config.limit(request, response) : config.limit;
+          config.validations.singleCount(request2, config.store, key);
+          const retrieveLimit = typeof config.limit === "function" ? config.limit(request2, response) : config.limit;
           const limit = await retrieveLimit;
           config.validations.limit(limit);
           const info = {
@@ -93190,7 +93191,7 @@ var init_dist = __esm({
                 break;
               }
               case "draft-8": {
-                const retrieveName = typeof config.identifier === "function" ? config.identifier(request, response) : config.identifier;
+                const retrieveName = typeof config.identifier === "function" ? config.identifier(request2, response) : config.identifier;
                 const name = await retrieveName;
                 config.validations.headersResetTime(info.resetTime);
                 setDraft8Headers(response, info, config.windowMs, name, key);
@@ -93212,7 +93213,7 @@ var init_dist = __esm({
             };
             if (config.skipFailedRequests) {
               response.on("finish", async () => {
-                if (!await config.requestWasSuccessful(request, response))
+                if (!await config.requestWasSuccessful(request2, response))
                   await decrementKey();
               });
               response.on("close", async () => {
@@ -93224,7 +93225,7 @@ var init_dist = __esm({
             }
             if (config.skipSuccessfulRequests) {
               response.on("finish", async () => {
-                if (await config.requestWasSuccessful(request, response))
+                if (await config.requestWasSuccessful(request2, response))
                   await decrementKey();
               });
             }
@@ -93234,7 +93235,7 @@ var init_dist = __esm({
             if (config.legacyHeaders || config.standardHeaders) {
               setRetryAfterHeader(response, info, config.windowMs);
             }
-            config.handler(request, response, next, options);
+            config.handler(request2, response, next, options);
             return;
           }
           next();
@@ -94297,13 +94298,12 @@ var init_server = __esm({
   }
 });
 
-// ../runtime/dist/secrets-cache.js
-var require_secrets_cache = __commonJS({
-  "../runtime/dist/secrets-cache.js"(exports2) {
+// ../runtime/src/secrets-cache.ts
+var SecretsCache;
+var init_secrets_cache = __esm({
+  "../runtime/src/secrets-cache.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.SecretsCache = void 0;
-    var SecretsCache = class {
+    SecretsCache = class {
       snapshot = null;
       /** Replace the cached secrets in a single reference assignment. */
       swap(values, keys, revision) {
@@ -94316,8 +94316,7 @@ var require_secrets_cache = __commonJS({
       }
       /** Whether the cache has exceeded the given TTL (seconds). */
       isExpired(ttlSeconds) {
-        if (!this.snapshot)
-          return false;
+        if (!this.snapshot) return false;
         return (Date.now() - this.snapshot.swappedAt) / 1e3 > ttlSeconds;
       }
       /** Clear the cached snapshot, zeroing values first (best-effort). */
@@ -94340,8 +94339,7 @@ var require_secrets_cache = __commonJS({
       /** Get all cached secret values. Returns null if not yet loaded. */
       getAll() {
         const s = this.snapshot;
-        if (!s)
-          return null;
+        if (!s) return null;
         return { ...s.values };
       }
       /** Get the list of available secret key names. */
@@ -94358,79 +94356,40 @@ var require_secrets_cache = __commonJS({
         return this.snapshot !== null;
       }
     };
-    exports2.SecretsCache = SecretsCache;
   }
 });
 
-// ../runtime/dist/disk-cache.js
-var require_disk_cache = __commonJS({
-  "../runtime/dist/disk-cache.js"(exports2) {
+// ../runtime/src/disk-cache.ts
+var fs32, path48, DiskCache;
+var init_disk_cache = __esm({
+  "../runtime/src/disk-cache.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.DiskCache = void 0;
-    var fs35 = __importStar(require("fs"));
-    var path56 = __importStar(require("path"));
-    var DiskCache = class {
+    fs32 = __toESM(require("fs"));
+    path48 = __toESM(require("path"));
+    DiskCache = class {
       artifactPath;
       metaPath;
       constructor(cachePath, identity, environment) {
-        const dir = path56.join(cachePath, identity);
-        this.artifactPath = path56.join(dir, `${environment}.age.json`);
-        this.metaPath = path56.join(dir, `${environment}.meta`);
+        const dir = path48.join(cachePath, identity);
+        this.artifactPath = path48.join(dir, `${environment}.age.json`);
+        this.metaPath = path48.join(dir, `${environment}.meta`);
       }
       /** Write an artifact and optional metadata to disk (atomic via tmp+rename). */
       write(raw, sha) {
-        const dir = path56.dirname(this.artifactPath);
-        fs35.mkdirSync(dir, { recursive: true });
+        const dir = path48.dirname(this.artifactPath);
+        fs32.mkdirSync(dir, { recursive: true });
         const tmpArtifact = `${this.artifactPath}.tmp.${process.pid}`;
-        fs35.writeFileSync(tmpArtifact, raw, "utf-8");
-        fs35.renameSync(tmpArtifact, this.artifactPath);
+        fs32.writeFileSync(tmpArtifact, raw, "utf-8");
+        fs32.renameSync(tmpArtifact, this.artifactPath);
         const meta = { sha, fetchedAt: (/* @__PURE__ */ new Date()).toISOString() };
         const tmpMeta = `${this.metaPath}.tmp.${process.pid}`;
-        fs35.writeFileSync(tmpMeta, JSON.stringify(meta), "utf-8");
-        fs35.renameSync(tmpMeta, this.metaPath);
+        fs32.writeFileSync(tmpMeta, JSON.stringify(meta), "utf-8");
+        fs32.renameSync(tmpMeta, this.metaPath);
       }
       /** Read the cached artifact. Returns null if no cache file exists. */
       read() {
         try {
-          return fs35.readFileSync(this.artifactPath, "utf-8");
+          return fs32.readFileSync(this.artifactPath, "utf-8");
         } catch {
           return null;
         }
@@ -94445,7 +94404,7 @@ var require_disk_cache = __commonJS({
       }
       readMeta() {
         try {
-          const raw = fs35.readFileSync(this.metaPath, "utf-8");
+          const raw = fs32.readFileSync(this.metaPath, "utf-8");
           return JSON.parse(raw);
         } catch {
           return void 0;
@@ -94454,64 +94413,25 @@ var require_disk_cache = __commonJS({
       /** Remove cached artifact and metadata files. */
       purge() {
         try {
-          fs35.unlinkSync(this.artifactPath);
+          fs32.unlinkSync(this.artifactPath);
         } catch {
         }
         try {
-          fs35.unlinkSync(this.metaPath);
+          fs32.unlinkSync(this.metaPath);
         } catch {
         }
       }
     };
-    exports2.DiskCache = DiskCache;
   }
 });
 
-// ../runtime/dist/decrypt.js
-var require_decrypt = __commonJS({
-  "../runtime/dist/decrypt.js"(exports2) {
+// ../runtime/src/decrypt.ts
+var fs33, AgeDecryptor;
+var init_decrypt = __esm({
+  "../runtime/src/decrypt.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.AgeDecryptor = void 0;
-    var fs35 = __importStar(require("fs"));
-    var AgeDecryptor = class {
+    fs33 = __toESM(require("fs"));
+    AgeDecryptor = class {
       /**
        * Decrypt an age-encrypted PEM-armored ciphertext string.
        *
@@ -94520,7 +94440,7 @@ var require_decrypt = __commonJS({
        * @returns The decrypted plaintext string.
        */
       async decrypt(ciphertext, privateKey) {
-        const { Decrypter } = await Promise.resolve(`${"age-encryption"}`).then((s) => __importStar(require(s)));
+        const { Decrypter } = await Promise.resolve().then(() => __toESM(require_age_encryption()));
         const d = new Decrypter();
         d.addIdentity(privateKey);
         return d.decrypt(Buffer.from(ciphertext, "base64"), "text");
@@ -94533,10 +94453,9 @@ var require_decrypt = __commonJS({
        * @returns The age private key string.
        */
       resolveKey(ageKey, ageKeyFile) {
-        if (ageKey)
-          return ageKey.trim();
+        if (ageKey) return ageKey.trim();
         if (ageKeyFile) {
-          const content = fs35.readFileSync(ageKeyFile, "utf-8").trim();
+          const content = fs33.readFileSync(ageKeyFile, "utf-8").trim();
           const lines = content.split("\n").filter((l) => l.startsWith("AGE-SECRET-KEY-"));
           if (lines.length === 0) {
             throw new Error(`No age secret key found in file: ${ageKeyFile}`);
@@ -94546,54 +94465,15 @@ var require_decrypt = __commonJS({
         throw new Error("No age key available. Set CLEF_AGE_KEY or CLEF_AGE_KEY_FILE.");
       }
     };
-    exports2.AgeDecryptor = AgeDecryptor;
   }
 });
 
-// ../runtime/dist/kms/aws.js
-var require_aws = __commonJS({
-  "../runtime/dist/kms/aws.js"(exports2) {
+// ../runtime/src/kms/aws.ts
+var AwsKmsProvider;
+var init_aws = __esm({
+  "../runtime/src/kms/aws.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.AwsKmsProvider = void 0;
-    var AwsKmsProvider = class {
+    AwsKmsProvider = class {
       // eslint-disable-next-line @typescript-eslint/no-explicit-any -- lazy-loaded SDK client
       client;
       // eslint-disable-next-line @typescript-eslint/no-explicit-any -- lazy-loaded SDK module
@@ -94603,13 +94483,14 @@ var require_aws = __commonJS({
         this.region = region;
       }
       async ensureClient() {
-        if (this.client)
-          return;
+        if (this.client) return;
         try {
-          this.sdk = await Promise.resolve().then(() => __importStar(require("@aws-sdk/client-kms")));
+          this.sdk = await import("@aws-sdk/client-kms");
           this.client = new this.sdk.KMSClient({ region: this.region });
         } catch {
-          throw new Error("AWS KMS requires @aws-sdk/client-kms. Install it with: npm install @aws-sdk/client-kms");
+          throw new Error(
+            "AWS KMS requires @aws-sdk/client-kms. Install it with: npm install @aws-sdk/client-kms"
+          );
         }
       }
       async wrap(keyId, plaintext) {
@@ -94656,64 +94537,26 @@ var require_aws = __commonJS({
         return Buffer.from(response.Signature);
       }
     };
-    exports2.AwsKmsProvider = AwsKmsProvider;
   }
 });
 
-// ../runtime/dist/kms/gcp.js
-var require_gcp = __commonJS({
-  "../runtime/dist/kms/gcp.js"(exports2) {
+// ../runtime/src/kms/gcp.ts
+var GcpKmsProvider;
+var init_gcp = __esm({
+  "../runtime/src/kms/gcp.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.GcpKmsProvider = void 0;
-    var GcpKmsProvider = class {
+    GcpKmsProvider = class {
       // eslint-disable-next-line @typescript-eslint/no-explicit-any -- lazy-loaded SDK client
       client;
       async ensureClient() {
-        if (this.client)
-          return;
+        if (this.client) return;
         try {
-          const kms = await Promise.resolve().then(() => __importStar(require("@google-cloud/kms")));
+          const kms = await import("@google-cloud/kms");
           this.client = new kms.KeyManagementServiceClient();
         } catch {
-          throw new Error("GCP KMS requires @google-cloud/kms. Install it with: npm install @google-cloud/kms");
+          throw new Error(
+            "GCP KMS requires @google-cloud/kms. Install it with: npm install @google-cloud/kms"
+          );
         }
       }
       async wrap(keyId, plaintext) {
@@ -94742,67 +94585,29 @@ var require_gcp = __commonJS({
         return Buffer.from(response.plaintext);
       }
     };
-    exports2.GcpKmsProvider = GcpKmsProvider;
   }
 });
 
-// ../runtime/dist/kms/azure.js
-var require_azure = __commonJS({
-  "../runtime/dist/kms/azure.js"(exports2) {
+// ../runtime/src/kms/azure.ts
+var AzureKmsProvider;
+var init_azure = __esm({
+  "../runtime/src/kms/azure.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.AzureKmsProvider = void 0;
-    var AzureKmsProvider = class {
+    AzureKmsProvider = class {
       // eslint-disable-next-line @typescript-eslint/no-explicit-any -- lazy-loaded SDK credential
       credential;
       // eslint-disable-next-line @typescript-eslint/no-explicit-any -- lazy-loaded SDK module
       keysModule;
       async ensureLoaded() {
-        if (this.credential)
-          return;
+        if (this.credential) return;
         try {
-          const identity = await Promise.resolve().then(() => __importStar(require("@azure/identity")));
-          this.keysModule = await Promise.resolve().then(() => __importStar(require("@azure/keyvault-keys")));
+          const identity = await import("@azure/identity");
+          this.keysModule = await import("@azure/keyvault-keys");
           this.credential = new identity.DefaultAzureCredential();
         } catch {
-          throw new Error("Azure Key Vault requires @azure/identity and @azure/keyvault-keys. Install them with: npm install @azure/identity @azure/keyvault-keys");
+          throw new Error(
+            "Azure Key Vault requires @azure/identity and @azure/keyvault-keys. Install them with: npm install @azure/identity @azure/keyvault-keys"
+          );
         }
       }
       async wrap(keyId, plaintext) {
@@ -94827,38 +94632,84 @@ var require_azure = __commonJS({
         return Buffer.from(result.result);
       }
     };
-    exports2.AzureKmsProvider = AzureKmsProvider;
   }
 });
 
-// ../client/dist/kms.js
-var require_kms = __commonJS({
-  "../client/dist/kms.js"(exports2, module2) {
+// ../client/dist/kms.mjs
+var kms_exports = {};
+__export(kms_exports, {
+  ClefClientError: () => ClefClientError,
+  CloudKmsProvider: () => CloudKmsProvider
+});
+function resolveToken(explicit) {
+  if (explicit) return explicit;
+  if (typeof process !== "undefined" && process.env?.CLEF_SERVICE_TOKEN) {
+    return process.env.CLEF_SERVICE_TOKEN;
+  }
+  throw new ClefClientError(
+    "No service token configured",
+    void 0,
+    "Set CLEF_SERVICE_TOKEN or pass token in options."
+  );
+}
+async function request(baseUrl, opts) {
+  const url = `${baseUrl}${opts.path}`;
+  const headers = {
+    Authorization: `Bearer ${opts.token}`,
+    Accept: "application/json"
+  };
+  if (opts.body !== void 0) {
+    headers["Content-Type"] = "application/json";
+  }
+  const init2 = {
+    method: opts.method,
+    headers,
+    body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
+  };
+  let response;
+  try {
+    response = await opts.fetchFn(url, init2);
+  } catch (err) {
+    try {
+      response = await opts.fetchFn(url, init2);
+    } catch {
+      throw new ClefClientError(
+        `Connection failed: ${err.message}`,
+        void 0,
+        "Is the endpoint reachable? Check your CLEF_ENDPOINT setting."
+      );
+    }
+  }
+  if (response.status >= 500) {
+    response = await opts.fetchFn(url, init2);
+  }
+  if (response.status === 401) {
+    throw new ClefClientError("Authentication failed", 401, "Check your CLEF_SERVICE_TOKEN.");
+  }
+  if (response.status === 503) {
+    throw new ClefClientError("Secrets expired or not loaded", 503, "Check the agent logs.");
+  }
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    throw new ClefClientError(
+      `HTTP ${response.status}: ${text || response.statusText}`,
+      response.status
+    );
+  }
+  const json = await response.json();
+  if (json && typeof json === "object" && "success" in json) {
+    if (!json.success) {
+      throw new ClefClientError(json.message || "Request failed", response.status);
+    }
+    return json.data;
+  }
+  return json;
+}
+var ClefClientError, CloudKmsProvider;
+var init_kms2 = __esm({
+  "../client/dist/kms.mjs"() {
     "use strict";
-    var __defProp2 = Object.defineProperty;
-    var __getOwnPropDesc2 = Object.getOwnPropertyDescriptor;
-    var __getOwnPropNames2 = Object.getOwnPropertyNames;
-    var __hasOwnProp2 = Object.prototype.hasOwnProperty;
-    var __export2 = (target, all) => {
-      for (var name in all)
-        __defProp2(target, name, { get: all[name], enumerable: true });
-    };
-    var __copyProps2 = (to, from, except, desc) => {
-      if (from && typeof from === "object" || typeof from === "function") {
-        for (let key of __getOwnPropNames2(from))
-          if (!__hasOwnProp2.call(to, key) && key !== except)
-            __defProp2(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc2(from, key)) || desc.enumerable });
-      }
-      return to;
-    };
-    var __toCommonJS = (mod) => __copyProps2(__defProp2({}, "__esModule", { value: true }), mod);
-    var kms_exports = {};
-    __export2(kms_exports, {
-      ClefClientError: () => ClefClientError,
-      CloudKmsProvider: () => CloudKmsProvider
-    });
-    module2.exports = __toCommonJS(kms_exports);
-    var ClefClientError = class extends Error {
+    ClefClientError = class extends Error {
       constructor(message, statusCode, fix) {
         super(message);
         this.statusCode = statusCode;
@@ -94868,71 +94719,7 @@ var require_kms = __commonJS({
       statusCode;
       fix;
     };
-    function resolveToken(explicit) {
-      if (explicit) return explicit;
-      if (typeof process !== "undefined" && process.env?.CLEF_SERVICE_TOKEN) {
-        return process.env.CLEF_SERVICE_TOKEN;
-      }
-      throw new ClefClientError(
-        "No service token configured",
-        void 0,
-        "Set CLEF_SERVICE_TOKEN or pass token in options."
-      );
-    }
-    async function request(baseUrl, opts) {
-      const url = `${baseUrl}${opts.path}`;
-      const headers = {
-        Authorization: `Bearer ${opts.token}`,
-        Accept: "application/json"
-      };
-      if (opts.body !== void 0) {
-        headers["Content-Type"] = "application/json";
-      }
-      const init = {
-        method: opts.method,
-        headers,
-        body: opts.body !== void 0 ? JSON.stringify(opts.body) : void 0
-      };
-      let response;
-      try {
-        response = await opts.fetchFn(url, init);
-      } catch (err) {
-        try {
-          response = await opts.fetchFn(url, init);
-        } catch {
-          throw new ClefClientError(
-            `Connection failed: ${err.message}`,
-            void 0,
-            "Is the endpoint reachable? Check your CLEF_ENDPOINT setting."
-          );
-        }
-      }
-      if (response.status >= 500) {
-        response = await opts.fetchFn(url, init);
-      }
-      if (response.status === 401) {
-        throw new ClefClientError("Authentication failed", 401, "Check your CLEF_SERVICE_TOKEN.");
-      }
-      if (response.status === 503) {
-        throw new ClefClientError("Secrets expired or not loaded", 503, "Check the agent logs.");
-      }
-      if (!response.ok) {
-        const text = await response.text().catch(() => "");
-        throw new ClefClientError(
-          `HTTP ${response.status}: ${text || response.statusText}`,
-          response.status
-        );
-      }
-      const json = await response.json();
-      if (json && typeof json === "object" && "success" in json) {
-        if (!json.success) {
-          throw new ClefClientError(json.message || "Request failed", response.status);
-        }
-        return json.data;
-      }
-      return json;
-    }
-    var CloudKmsProvider = class {
+    CloudKmsProvider = class {
       endpoint;
       token;
       constructor(options) {
@@ -94961,139 +94748,54 @@ var require_kms = __commonJS({
   }
 });
 
-// ../runtime/dist/kms/index.js
-var require_kms2 = __commonJS({
-  "../runtime/dist/kms/index.js"(exports2) {
-    "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.AzureKmsProvider = exports2.GcpKmsProvider = exports2.AwsKmsProvider = void 0;
-    exports2.createKmsProvider = createKmsProvider;
-    var aws_1 = require_aws();
-    var gcp_1 = require_gcp();
-    var azure_1 = require_azure();
-    var aws_2 = require_aws();
-    Object.defineProperty(exports2, "AwsKmsProvider", { enumerable: true, get: function() {
-      return aws_2.AwsKmsProvider;
-    } });
-    var gcp_2 = require_gcp();
-    Object.defineProperty(exports2, "GcpKmsProvider", { enumerable: true, get: function() {
-      return gcp_2.GcpKmsProvider;
-    } });
-    var azure_2 = require_azure();
-    Object.defineProperty(exports2, "AzureKmsProvider", { enumerable: true, get: function() {
-      return azure_2.AzureKmsProvider;
-    } });
-    async function createKmsProvider(provider, options) {
-      switch (provider) {
-        case "aws":
-          return new aws_1.AwsKmsProvider(options?.region);
-        case "gcp":
-          return new gcp_1.GcpKmsProvider();
-        case "azure":
-          return new azure_1.AzureKmsProvider();
-        case "cloud": {
-          try {
-            const { CloudKmsProvider } = await Promise.resolve().then(() => __importStar(require_kms()));
-            return new CloudKmsProvider({
-              endpoint: options?.endpoint ?? "",
-              token: options?.token
-            });
-          } catch {
-            throw new Error("Clef Cloud KMS requires @clef-sh/client. Install it with: npm install @clef-sh/client");
-          }
-        }
-        default:
-          throw new Error(`Unknown KMS provider: ${provider}`);
+// ../runtime/src/kms/index.ts
+async function createKmsProvider(provider, options) {
+  switch (provider) {
+    case "aws":
+      return new AwsKmsProvider(options?.region);
+    case "gcp":
+      return new GcpKmsProvider();
+    case "azure":
+      return new AzureKmsProvider();
+    case "cloud": {
+      try {
+        const { CloudKmsProvider: CloudKmsProvider2 } = await Promise.resolve().then(() => (init_kms2(), kms_exports));
+        return new CloudKmsProvider2({
+          endpoint: options?.endpoint ?? "",
+          token: options?.token
+        });
+      } catch {
+        throw new Error(
+          "Clef Cloud KMS requires @clef-sh/client. Install it with: npm install @clef-sh/client"
+        );
       }
     }
+    default:
+      throw new Error(`Unknown KMS provider: ${provider}`);
+  }
+}
+var init_kms3 = __esm({
+  "../runtime/src/kms/index.ts"() {
+    "use strict";
+    init_aws();
+    init_gcp();
+    init_azure();
+    init_aws();
+    init_gcp();
+    init_azure();
   }
 });
 
-// ../runtime/dist/artifact-decryptor.js
-var require_artifact_decryptor = __commonJS({
-  "../runtime/dist/artifact-decryptor.js"(exports2) {
+// ../runtime/src/artifact-decryptor.ts
+var crypto6, ArtifactDecryptor;
+var init_artifact_decryptor = __esm({
+  "../runtime/src/artifact-decryptor.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.ArtifactDecryptor = void 0;
-    var crypto6 = __importStar(require("crypto"));
-    var decrypt_1 = require_decrypt();
-    var kms_1 = require_kms2();
-    var ArtifactDecryptor = class {
-      ageDecryptor = new decrypt_1.AgeDecryptor();
+    crypto6 = __toESM(require("crypto"));
+    init_decrypt();
+    init_kms3();
+    ArtifactDecryptor = class {
+      ageDecryptor = new AgeDecryptor();
       privateKey;
       telemetryOverride;
       initialTelemetry;
@@ -95140,7 +94842,7 @@ var require_artifact_decryptor = __commonJS({
         const envelope = artifact.envelope;
         let dek;
         try {
-          const kms = await (0, kms_1.createKmsProvider)(envelope.provider);
+          const kms = await createKmsProvider(envelope.provider);
           const wrappedKey = Buffer.from(envelope.wrappedKey, "base64");
           dek = await kms.unwrap(envelope.keyId, wrappedKey, envelope.algorithm);
         } catch (err) {
@@ -95170,7 +94872,9 @@ var require_artifact_decryptor = __commonJS({
       /** Age-only: decrypt with the static private key. */
       async decryptAge(artifact) {
         if (!this.privateKey) {
-          throw new Error("Artifact requires an age private key. Set CLEF_AGENT_AGE_KEY or use KMS envelope encryption.");
+          throw new Error(
+            "Artifact requires an age private key. Set CLEF_AGENT_AGE_KEY or use KMS envelope encryption."
+          );
         }
         try {
           return await this.ageDecryptor.decrypt(artifact.ciphertext, this.privateKey);
@@ -95183,141 +94887,72 @@ var require_artifact_decryptor = __commonJS({
         }
       }
     };
-    exports2.ArtifactDecryptor = ArtifactDecryptor;
   }
 });
 
-// ../runtime/dist/signature.js
-var require_signature = __commonJS({
-  "../runtime/dist/signature.js"(exports2) {
+// ../runtime/src/signature.ts
+function buildSigningPayload2(artifact) {
+  const fields = [
+    "clef-sig-v3",
+    String(artifact.version),
+    artifact.identity,
+    artifact.environment,
+    artifact.revision,
+    artifact.packedAt,
+    artifact.ciphertextHash,
+    artifact.expiresAt ?? "",
+    artifact.envelope?.provider ?? "",
+    artifact.envelope?.keyId ?? "",
+    artifact.envelope?.wrappedKey ?? "",
+    artifact.envelope?.algorithm ?? "",
+    artifact.envelope?.iv ?? "",
+    artifact.envelope?.authTag ?? ""
+  ];
+  return Buffer.from(fields.join("\n"), "utf-8");
+}
+function verifySignature2(payload, signatureBase64, publicKeyBase64) {
+  const keyObj = crypto7.createPublicKey({
+    key: Buffer.from(publicKeyBase64, "base64"),
+    format: "der",
+    type: "spki"
+  });
+  const signature = Buffer.from(signatureBase64, "base64");
+  const keyType = keyObj.asymmetricKeyType;
+  if (keyType === "ed25519") {
+    return crypto7.verify(null, payload, keyObj, signature);
+  }
+  if (keyType === "ec") {
+    return crypto7.verify("sha256", payload, keyObj, signature);
+  }
+  throw new Error(`Unsupported key type for signature verification: ${keyType}`);
+}
+var crypto7;
+var init_signature = __esm({
+  "../runtime/src/signature.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.buildSigningPayload = buildSigningPayload2;
-    exports2.verifySignature = verifySignature2;
-    var crypto6 = __importStar(require("crypto"));
-    function buildSigningPayload2(artifact) {
-      const fields = [
-        "clef-sig-v3",
-        String(artifact.version),
-        artifact.identity,
-        artifact.environment,
-        artifact.revision,
-        artifact.packedAt,
-        artifact.ciphertextHash,
-        artifact.expiresAt ?? "",
-        artifact.envelope?.provider ?? "",
-        artifact.envelope?.keyId ?? "",
-        artifact.envelope?.wrappedKey ?? "",
-        artifact.envelope?.algorithm ?? "",
-        artifact.envelope?.iv ?? "",
-        artifact.envelope?.authTag ?? ""
-      ];
-      return Buffer.from(fields.join("\n"), "utf-8");
-    }
-    function verifySignature2(payload, signatureBase64, publicKeyBase64) {
-      const keyObj = crypto6.createPublicKey({
-        key: Buffer.from(publicKeyBase64, "base64"),
-        format: "der",
-        type: "spki"
-      });
-      const signature = Buffer.from(signatureBase64, "base64");
-      const keyType = keyObj.asymmetricKeyType;
-      if (keyType === "ed25519") {
-        return crypto6.verify(null, payload, keyObj, signature);
-      }
-      if (keyType === "ec") {
-        return crypto6.verify("sha256", payload, keyObj, signature);
-      }
-      throw new Error(`Unsupported key type for signature verification: ${keyType}`);
-    }
+    crypto7 = __toESM(require("crypto"));
   }
 });
 
-// ../runtime/dist/poller.js
-var require_poller = __commonJS({
-  "../runtime/dist/poller.js"(exports2) {
+// ../runtime/src/poller.ts
+function classifyValidationError(err) {
+  if (err instanceof SyntaxError) return "json_parse";
+  const msg = err instanceof Error ? err.message : "";
+  if (msg.includes("Unsupported artifact version")) return "unsupported_version";
+  if (msg.includes("missing required fields")) return "missing_fields";
+  if (msg.includes("incomplete envelope")) return "incomplete_envelope";
+  if (msg.includes("signature")) return "signature";
+  return "unknown";
+}
+var crypto8, MIN_POLL_MS, ArtifactPoller;
+var init_poller = __esm({
+  "../runtime/src/poller.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.ArtifactPoller = void 0;
-    var crypto6 = __importStar(require("crypto"));
-    var artifact_decryptor_1 = require_artifact_decryptor();
-    var signature_1 = require_signature();
-    var MIN_POLL_MS = 5e3;
-    var ArtifactPoller = class {
+    crypto8 = __toESM(require("crypto"));
+    init_artifact_decryptor();
+    init_signature();
+    MIN_POLL_MS = 5e3;
+    ArtifactPoller = class {
       timer = null;
       lastContentHash = null;
       lastRevision = null;
@@ -95329,7 +94964,7 @@ var require_poller = __commonJS({
       constructor(options) {
         this.options = options;
         this.jitMode = !!options.encryptedStore;
-        this.decryptor = new artifact_decryptor_1.ArtifactDecryptor({
+        this.decryptor = new ArtifactDecryptor({
           privateKey: options.privateKey,
           telemetry: options.telemetry
         });
@@ -95352,8 +94987,7 @@ var require_poller = __commonJS({
        */
       async fetchAndDecrypt() {
         const result = await this.fetchRaw();
-        if (!result)
-          return;
+        if (!result) return;
         await this.validateDecryptAndCache(result.artifact, result.contentHash);
       }
       /**
@@ -95363,8 +94997,7 @@ var require_poller = __commonJS({
        */
       async fetchAndValidate() {
         const result = await this.fetchRaw();
-        if (!result)
-          return;
+        if (!result) return;
         const artifact = this.validateArtifact(result.artifact);
         this.options.encryptedStore.swap(artifact);
         this.lastRevision = artifact.revision;
@@ -95389,8 +95022,7 @@ var require_poller = __commonJS({
           const result = await this.options.source.fetch();
           raw = result.raw;
           contentHash = result.contentHash;
-          if (contentHash && contentHash === this.lastContentHash)
-            return null;
+          if (contentHash && contentHash === this.lastContentHash) return null;
           this.options.diskCache?.write(raw, contentHash);
         } catch (err) {
           this.telemetry?.fetchFailed({
@@ -95415,8 +95047,7 @@ var require_poller = __commonJS({
               }
               raw = cached3;
               contentHash = this.options.diskCache.getCachedSha();
-              if (contentHash && contentHash === this.lastContentHash)
-                return null;
+              if (contentHash && contentHash === this.lastContentHash) return null;
             } else {
               if (ttl !== void 0 && ttl > 0 && this.options.cache.isExpired(ttl)) {
                 this.options.cache.wipe();
@@ -95450,7 +95081,9 @@ var require_poller = __commonJS({
           this.telemetry?.artifactRevoked({
             revokedAt: String(parsed.revokedAt)
           });
-          throw new Error(`Artifact revoked: ${parsed.identity}/${parsed.environment} at ${parsed.revokedAt}`);
+          throw new Error(
+            `Artifact revoked: ${parsed.identity}/${parsed.environment} at ${parsed.revokedAt}`
+          );
         }
         return { artifact: parsed, contentHash };
       }
@@ -95478,11 +95111,12 @@ var require_poller = __commonJS({
           this.telemetry?.artifactExpired({ expiresAt: artifact.expiresAt });
           throw new Error(`Artifact expired at ${artifact.expiresAt}`);
         }
-        if (artifact.revision === this.lastRevision)
-          return artifact;
-        const hash = crypto6.createHash("sha256").update(artifact.ciphertext).digest("hex");
+        if (artifact.revision === this.lastRevision) return artifact;
+        const hash = crypto8.createHash("sha256").update(artifact.ciphertext).digest("hex");
         if (hash !== artifact.ciphertextHash) {
-          const err = new Error(`Artifact integrity check failed: expected hash ${artifact.ciphertextHash}, got ${hash}`);
+          const err = new Error(
+            `Artifact integrity check failed: expected hash ${artifact.ciphertextHash}, got ${hash}`
+          );
           this.telemetry?.artifactInvalid({
             reason: "integrity",
             error: err.message
@@ -95491,19 +95125,23 @@ var require_poller = __commonJS({
         }
         if (this.options.verifyKey) {
           if (!artifact.signature) {
-            const err = new Error("Artifact signature verification failed: artifact is unsigned but a verify key is configured. Only signed artifacts are accepted when signature verification is enabled.");
+            const err = new Error(
+              "Artifact signature verification failed: artifact is unsigned but a verify key is configured. Only signed artifacts are accepted when signature verification is enabled."
+            );
             this.telemetry?.artifactInvalid({
               reason: "signature_missing",
               error: err.message
             });
             throw err;
           }
-          const payload = (0, signature_1.buildSigningPayload)(artifact);
+          const payload = buildSigningPayload2(artifact);
           let valid;
           try {
-            valid = (0, signature_1.verifySignature)(payload, artifact.signature, this.options.verifyKey);
+            valid = verifySignature2(payload, artifact.signature, this.options.verifyKey);
           } catch (sigErr) {
-            const err = new Error(`Artifact signature verification error: ${sigErr instanceof Error ? sigErr.message : String(sigErr)}`);
+            const err = new Error(
+              `Artifact signature verification error: ${sigErr instanceof Error ? sigErr.message : String(sigErr)}`
+            );
             this.telemetry?.artifactInvalid({
               reason: "signature_error",
               error: err.message
@@ -95511,7 +95149,9 @@ var require_poller = __commonJS({
             throw err;
           }
           if (!valid) {
-            const err = new Error("Artifact signature verification failed: signature does not match the verify key. The artifact may have been tampered with or signed by a different key.");
+            const err = new Error(
+              "Artifact signature verification failed: signature does not match the verify key. The artifact may have been tampered with or signed by a different key."
+            );
             this.telemetry?.artifactInvalid({
               reason: "signature_invalid",
               error: err.message
@@ -95526,8 +95166,7 @@ var require_poller = __commonJS({
        */
       async validateDecryptAndCache(parsed, contentHash) {
         const artifact = this.validateArtifact(parsed);
-        if (artifact.revision === this.lastRevision)
-          return;
+        if (artifact.revision === this.lastRevision) return;
         const { values } = await this.decryptor.decrypt(artifact);
         const keys = Object.keys(values);
         this.options.cache.swap(values, keys, artifact.revision);
@@ -95552,8 +95191,7 @@ var require_poller = __commonJS({
       }
       /** Start only the polling schedule (no initial fetch). */
       startPolling() {
-        if (this.timer)
-          return;
+        if (this.timer) return;
         this.scheduleNext();
       }
       /** Stop the polling loop. */
@@ -95593,8 +95231,7 @@ var require_poller = __commonJS({
           }
           return MIN_POLL_MS;
         }
-        if (this.jitMode)
-          return MIN_POLL_MS;
+        if (this.jitMode) return MIN_POLL_MS;
         const ttl = this.options.cacheTtl;
         if (ttl !== void 0) {
           return Math.max(ttl / 10 * 1e3, MIN_POLL_MS);
@@ -95616,31 +95253,15 @@ var require_poller = __commonJS({
         return artifact;
       }
     };
-    exports2.ArtifactPoller = ArtifactPoller;
-    function classifyValidationError(err) {
-      if (err instanceof SyntaxError)
-        return "json_parse";
-      const msg = err instanceof Error ? err.message : "";
-      if (msg.includes("Unsupported artifact version"))
-        return "unsupported_version";
-      if (msg.includes("missing required fields"))
-        return "missing_fields";
-      if (msg.includes("incomplete envelope"))
-        return "incomplete_envelope";
-      if (msg.includes("signature"))
-        return "signature";
-      return "unknown";
-    }
   }
 });
 
-// ../runtime/dist/encrypted-artifact-store.js
-var require_encrypted_artifact_store = __commonJS({
-  "../runtime/dist/encrypted-artifact-store.js"(exports2) {
+// ../runtime/src/encrypted-artifact-store.ts
+var EncryptedArtifactStore;
+var init_encrypted_artifact_store = __esm({
+  "../runtime/src/encrypted-artifact-store.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.EncryptedArtifactStore = void 0;
-    var EncryptedArtifactStore = class {
+    EncryptedArtifactStore = class {
       artifact = null;
       _storedAt = null;
       /** Atomically replace the stored artifact. */
@@ -95670,17 +95291,23 @@ var require_encrypted_artifact_store = __commonJS({
         this._storedAt = null;
       }
     };
-    exports2.EncryptedArtifactStore = EncryptedArtifactStore;
   }
 });
 
-// ../runtime/dist/telemetry.js
-var require_telemetry = __commonJS({
-  "../runtime/dist/telemetry.js"(exports2) {
+// ../runtime/src/telemetry.ts
+function otlpValue(v) {
+  if (typeof v === "boolean") return { boolValue: v };
+  if (typeof v === "number") return { intValue: String(v) };
+  return { stringValue: String(v) };
+}
+function isoToUnixNano(iso) {
+  return String(new Date(iso).getTime() * 1e6);
+}
+var SEVERITY, BASE_FIELDS, TelemetryEmitter;
+var init_telemetry = __esm({
+  "../runtime/src/telemetry.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.TelemetryEmitter = void 0;
-    var SEVERITY = {
+    SEVERITY = {
       "agent.started": { number: 9, text: "INFO" },
       "agent.stopped": { number: 9, text: "INFO" },
       "artifact.refreshed": { number: 9, text: "INFO" },
@@ -95690,7 +95317,7 @@ var require_telemetry = __commonJS({
       "cache.expired": { number: 17, text: "ERROR" },
       "artifact.invalid": { number: 17, text: "ERROR" }
     };
-    var BASE_FIELDS = /* @__PURE__ */ new Set([
+    BASE_FIELDS = /* @__PURE__ */ new Set([
       "type",
       "timestamp",
       "agentId",
@@ -95698,17 +95325,7 @@ var require_telemetry = __commonJS({
       "environment",
       "sourceType"
     ]);
-    function otlpValue(v) {
-      if (typeof v === "boolean")
-        return { boolValue: v };
-      if (typeof v === "number")
-        return { intValue: String(v) };
-      return { stringValue: String(v) };
-    }
-    function isoToUnixNano(iso) {
-      return String(new Date(iso).getTime() * 1e6);
-    }
-    var TelemetryEmitter = class {
+    TelemetryEmitter = class {
       buffer = [];
       timer = null;
       opts;
@@ -95746,8 +95363,7 @@ var require_telemetry = __commonJS({
       }
       /** Fire-and-forget flush of the current buffer. */
       flush() {
-        if (this.buffer.length === 0)
-          return;
+        if (this.buffer.length === 0) return;
         const batch = this.buffer;
         this.buffer = [];
         fetch(this.opts.url, {
@@ -95759,8 +95375,7 @@ var require_telemetry = __commonJS({
       }
       /** Awaitable flush for graceful shutdown. */
       async flushAsync() {
-        if (this.buffer.length === 0)
-          return;
+        if (this.buffer.length === 0) return;
         const batch = this.buffer;
         this.buffer = [];
         try {
@@ -95822,8 +95437,7 @@ var require_telemetry = __commonJS({
             { key: "event.name", value: { stringValue: `clef.${event.type}` } }
           ];
           for (const [key, val] of Object.entries(event)) {
-            if (BASE_FIELDS.has(key))
-              continue;
+            if (BASE_FIELDS.has(key)) continue;
             attributes.push({ key: `clef.${key}`, value: otlpValue(val) });
           }
           return {
@@ -95849,17 +95463,15 @@ var require_telemetry = __commonJS({
         });
       }
     };
-    exports2.TelemetryEmitter = TelemetryEmitter;
   }
 });
 
-// ../runtime/dist/vcs/github.js
-var require_github = __commonJS({
-  "../runtime/dist/vcs/github.js"(exports2) {
+// ../runtime/src/vcs/github.ts
+var GitHubProvider;
+var init_github = __esm({
+  "../runtime/src/vcs/github.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.GitHubProvider = void 0;
-    var GitHubProvider = class {
+    GitHubProvider = class {
       repo;
       token;
       ref;
@@ -95870,10 +95482,9 @@ var require_github = __commonJS({
         this.ref = config.ref;
         this.apiUrl = config.apiUrl ?? "https://api.github.com";
       }
-      async fetchFile(path56) {
-        const url = new URL(`/repos/${this.repo}/contents/${path56}`, this.apiUrl);
-        if (this.ref)
-          url.searchParams.set("ref", this.ref);
+      async fetchFile(path57) {
+        const url = new URL(`/repos/${this.repo}/contents/${path57}`, this.apiUrl);
+        if (this.ref) url.searchParams.set("ref", this.ref);
         const res = await fetch(url.toString(), {
           headers: {
             Authorization: `Bearer ${this.token}`,
@@ -95881,24 +95492,22 @@ var require_github = __commonJS({
           }
         });
         if (!res.ok) {
-          throw new Error(`GitHub API error: ${res.status} fetching ${path56} from ${this.repo}`);
+          throw new Error(`GitHub API error: ${res.status} fetching ${path57} from ${this.repo}`);
         }
         const data = await res.json();
         const content = Buffer.from(data.content, "base64").toString("utf-8");
         return { content, sha: data.sha };
       }
     };
-    exports2.GitHubProvider = GitHubProvider;
   }
 });
 
-// ../runtime/dist/vcs/gitlab.js
-var require_gitlab = __commonJS({
-  "../runtime/dist/vcs/gitlab.js"(exports2) {
+// ../runtime/src/vcs/gitlab.ts
+var GitLabProvider;
+var init_gitlab = __esm({
+  "../runtime/src/vcs/gitlab.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.GitLabProvider = void 0;
-    var GitLabProvider = class {
+    GitLabProvider = class {
       repo;
       token;
       ref;
@@ -95909,36 +95518,36 @@ var require_gitlab = __commonJS({
         this.ref = config.ref;
         this.apiUrl = config.apiUrl ?? "https://gitlab.com";
       }
-      async fetchFile(path56) {
+      async fetchFile(path57) {
         const encodedRepo = encodeURIComponent(this.repo);
-        const encodedPath = encodeURIComponent(path56);
-        const url = new URL(`/api/v4/projects/${encodedRepo}/repository/files/${encodedPath}`, this.apiUrl);
-        if (this.ref)
-          url.searchParams.set("ref", this.ref);
+        const encodedPath = encodeURIComponent(path57);
+        const url = new URL(
+          `/api/v4/projects/${encodedRepo}/repository/files/${encodedPath}`,
+          this.apiUrl
+        );
+        if (this.ref) url.searchParams.set("ref", this.ref);
         const res = await fetch(url.toString(), {
           headers: {
             "PRIVATE-TOKEN": this.token
           }
         });
         if (!res.ok) {
-          throw new Error(`GitLab API error: ${res.status} fetching ${path56} from ${this.repo}`);
+          throw new Error(`GitLab API error: ${res.status} fetching ${path57} from ${this.repo}`);
         }
         const data = await res.json();
         const content = Buffer.from(data.content, "base64").toString("utf-8");
         return { content, sha: data.blob_id };
       }
     };
-    exports2.GitLabProvider = GitLabProvider;
   }
 });
 
-// ../runtime/dist/vcs/bitbucket.js
-var require_bitbucket = __commonJS({
-  "../runtime/dist/vcs/bitbucket.js"(exports2) {
+// ../runtime/src/vcs/bitbucket.ts
+var BitbucketProvider;
+var init_bitbucket = __esm({
+  "../runtime/src/vcs/bitbucket.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.BitbucketProvider = void 0;
-    var BitbucketProvider = class {
+    BitbucketProvider = class {
       repo;
       token;
       ref;
@@ -95949,8 +95558,8 @@ var require_bitbucket = __commonJS({
         this.ref = config.ref ?? "main";
         this.apiUrl = config.apiUrl ?? "https://api.bitbucket.org";
       }
-      async fetchFile(path56) {
-        const baseUrl = `${this.apiUrl}/2.0/repositories/${this.repo}/src/${this.ref}/${path56}`;
+      async fetchFile(path57) {
+        const baseUrl = `${this.apiUrl}/2.0/repositories/${this.repo}/src/${this.ref}/${path57}`;
         const metaRes = await fetch(baseUrl, {
           headers: {
             Authorization: `Bearer ${this.token}`,
@@ -95958,7 +95567,7 @@ var require_bitbucket = __commonJS({
           }
         });
         if (!metaRes.ok) {
-          throw new Error(`Bitbucket API error: ${metaRes.status} fetching ${path56} from ${this.repo}`);
+          throw new Error(`Bitbucket API error: ${metaRes.status} fetching ${path57} from ${this.repo}`);
         }
         const meta = await metaRes.json();
         const rawRes = await fetch(baseUrl, {
@@ -95967,60 +95576,48 @@ var require_bitbucket = __commonJS({
           }
         });
         if (!rawRes.ok) {
-          throw new Error(`Bitbucket API error: ${rawRes.status} fetching raw content of ${path56} from ${this.repo}`);
+          throw new Error(
+            `Bitbucket API error: ${rawRes.status} fetching raw content of ${path57} from ${this.repo}`
+          );
         }
         const content = await rawRes.text();
         return { content, sha: meta.commit.hash };
       }
     };
-    exports2.BitbucketProvider = BitbucketProvider;
   }
 });
 
-// ../runtime/dist/vcs/index.js
-var require_vcs = __commonJS({
-  "../runtime/dist/vcs/index.js"(exports2) {
+// ../runtime/src/vcs/index.ts
+function createVcsProvider(config) {
+  switch (config.provider) {
+    case "github":
+      return new GitHubProvider(config);
+    case "gitlab":
+      return new GitLabProvider(config);
+    case "bitbucket":
+      return new BitbucketProvider(config);
+    default:
+      throw new Error(`Unsupported VCS provider: ${config.provider}`);
+  }
+}
+var init_vcs = __esm({
+  "../runtime/src/vcs/index.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.BitbucketProvider = exports2.GitLabProvider = exports2.GitHubProvider = void 0;
-    exports2.createVcsProvider = createVcsProvider;
-    var github_1 = require_github();
-    Object.defineProperty(exports2, "GitHubProvider", { enumerable: true, get: function() {
-      return github_1.GitHubProvider;
-    } });
-    var gitlab_1 = require_gitlab();
-    Object.defineProperty(exports2, "GitLabProvider", { enumerable: true, get: function() {
-      return gitlab_1.GitLabProvider;
-    } });
-    var bitbucket_1 = require_bitbucket();
-    Object.defineProperty(exports2, "BitbucketProvider", { enumerable: true, get: function() {
-      return bitbucket_1.BitbucketProvider;
-    } });
-    var github_2 = require_github();
-    var gitlab_2 = require_gitlab();
-    var bitbucket_2 = require_bitbucket();
-    function createVcsProvider(config) {
-      switch (config.provider) {
-        case "github":
-          return new github_2.GitHubProvider(config);
-        case "gitlab":
-          return new gitlab_2.GitLabProvider(config);
-        case "bitbucket":
-          return new bitbucket_2.BitbucketProvider(config);
-        default:
-          throw new Error(`Unsupported VCS provider: ${config.provider}`);
-      }
-    }
+    init_github();
+    init_gitlab();
+    init_bitbucket();
+    init_github();
+    init_gitlab();
+    init_bitbucket();
   }
 });
 
-// ../runtime/dist/sources/http.js
-var require_http = __commonJS({
-  "../runtime/dist/sources/http.js"(exports2) {
+// ../runtime/src/sources/http.ts
+var HttpArtifactSource;
+var init_http = __esm({
+  "../runtime/src/sources/http.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.HttpArtifactSource = void 0;
-    var HttpArtifactSource = class {
+    HttpArtifactSource = class {
       url;
       constructor(url) {
         this.url = url;
@@ -96028,7 +95625,9 @@ var require_http = __commonJS({
       async fetch() {
         const res = await fetch(this.url);
         if (!res.ok) {
-          throw new Error(`Failed to fetch artifact from ${this.describe()}: ${res.status} ${res.statusText}`);
+          throw new Error(
+            `Failed to fetch artifact from ${this.describe()}: ${res.status} ${res.statusText}`
+          );
         }
         const raw = await res.text();
         const etag = res.headers.get("etag") ?? void 0;
@@ -96047,78 +95646,37 @@ var require_http = __commonJS({
         }
       }
     };
-    exports2.HttpArtifactSource = HttpArtifactSource;
   }
 });
 
-// ../runtime/dist/sources/file.js
-var require_file = __commonJS({
-  "../runtime/dist/sources/file.js"(exports2) {
+// ../runtime/src/sources/file.ts
+var fs34, FileArtifactSource;
+var init_file = __esm({
+  "../runtime/src/sources/file.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.FileArtifactSource = void 0;
-    var fs35 = __importStar(require("fs"));
-    var FileArtifactSource = class {
+    fs34 = __toESM(require("fs"));
+    FileArtifactSource = class {
       path;
       constructor(filePath) {
         this.path = filePath;
       }
       async fetch() {
-        const raw = fs35.readFileSync(this.path, "utf-8");
+        const raw = fs34.readFileSync(this.path, "utf-8");
         return { raw };
       }
       describe() {
         return `file ${this.path}`;
       }
     };
-    exports2.FileArtifactSource = FileArtifactSource;
   }
 });
 
-// ../runtime/dist/sources/vcs.js
-var require_vcs2 = __commonJS({
-  "../runtime/dist/sources/vcs.js"(exports2) {
+// ../runtime/src/sources/vcs.ts
+var VcsArtifactSource;
+var init_vcs2 = __esm({
+  "../runtime/src/sources/vcs.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.VcsArtifactSource = void 0;
-    var VcsArtifactSource = class {
+    VcsArtifactSource = class {
       provider;
       path;
       identity;
@@ -96137,95 +95695,104 @@ var require_vcs2 = __commonJS({
         return `VCS .clef/packed/${this.identity}/${this.environment}.age.json`;
       }
     };
-    exports2.VcsArtifactSource = VcsArtifactSource;
   }
 });
 
-// ../runtime/dist/sources/s3.js
-var require_s3 = __commonJS({
-  "../runtime/dist/sources/s3.js"(exports2) {
+// ../runtime/src/sources/s3.ts
+function isS3Url(url) {
+  return parseS3UrlSafe(url) !== null;
+}
+function parseS3Url(url) {
+  const loc = parseS3UrlSafe(url);
+  if (!loc) throw new Error(`Not a valid S3 URL: ${url}`);
+  return loc;
+}
+function parseS3UrlSafe(url) {
+  let u;
+  try {
+    u = new URL(url);
+  } catch {
+    return null;
+  }
+  if (u.protocol !== "https:") return null;
+  const host = u.hostname;
+  const key = u.pathname.slice(1);
+  if (!key) return null;
+  const vhMatch = host.match(/^(.+)\.s3\.([a-z0-9-]+)\.amazonaws\.com$/) ?? host.match(/^(.+)\.s3\.amazonaws\.com$/);
+  if (vhMatch) {
+    return { bucket: vhMatch[1], key, region: vhMatch[2] || "us-east-1" };
+  }
+  const psMatch = host.match(/^s3\.([a-z0-9-]+)\.amazonaws\.com$/) ?? host.match(/^s3\.amazonaws\.com$/);
+  if (psMatch) {
+    const slashIdx = key.indexOf("/");
+    if (slashIdx < 0) return null;
+    return {
+      bucket: key.slice(0, slashIdx),
+      key: key.slice(slashIdx + 1),
+      region: psMatch[1] || "us-east-1"
+    };
+  }
+  return null;
+}
+function hmacSha256(key, data) {
+  return crypto9.createHmac("sha256", key).update(data, "utf-8").digest();
+}
+function sha256Hex(data) {
+  return crypto9.createHash("sha256").update(data, "utf-8").digest("hex");
+}
+function toAmzDate(date) {
+  return date.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, "");
+}
+function toDateStamp(date) {
+  return toAmzDate(date).slice(0, 8);
+}
+function encodeS3Key(key) {
+  return key.split("/").map((s) => encodeURIComponent(s)).join("/");
+}
+function signS3GetRequest(host, path57, region, creds, now) {
+  const amzDate = toAmzDate(now);
+  const dateStamp = toDateStamp(now);
+  const service = "s3";
+  const scope = `${dateStamp}/${region}/${service}/aws4_request`;
+  const headers = {
+    host,
+    "x-amz-date": amzDate,
+    "x-amz-content-sha256": "UNSIGNED-PAYLOAD"
+  };
+  if (creds.sessionToken) {
+    headers["x-amz-security-token"] = creds.sessionToken;
+  }
+  const signedHeaderKeys = Object.keys(headers).sort();
+  const signedHeaders = signedHeaderKeys.join(";");
+  const canonicalHeaders = signedHeaderKeys.map((k) => `${k}:${headers[k]}
+`).join("");
+  const canonicalRequest = [
+    "GET",
+    path57,
+    "",
+    // no query string
+    canonicalHeaders,
+    signedHeaders,
+    "UNSIGNED-PAYLOAD"
+  ].join("\n");
+  const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)].join("\n");
+  const kDate = hmacSha256(`AWS4${creds.secretAccessKey}`, dateStamp);
+  const kRegion = hmacSha256(kDate, region);
+  const kService = hmacSha256(kRegion, service);
+  const kSigning = hmacSha256(kService, "aws4_request");
+  const signature = hmacSha256(kSigning, stringToSign).toString("hex");
+  const authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+  return {
+    ...headers,
+    Authorization: authorization
+  };
+}
+var crypto9, S3ArtifactSource;
+var init_s3 = __esm({
+  "../runtime/src/sources/s3.ts"() {
     "use strict";
-    var __createBinding = exports2 && exports2.__createBinding || (Object.create ? (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      var desc = Object.getOwnPropertyDescriptor(m, k);
-      if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-        desc = { enumerable: true, get: function() {
-          return m[k];
-        } };
-      }
-      Object.defineProperty(o, k2, desc);
-    }) : (function(o, m, k, k2) {
-      if (k2 === void 0) k2 = k;
-      o[k2] = m[k];
-    }));
-    var __setModuleDefault = exports2 && exports2.__setModuleDefault || (Object.create ? (function(o, v) {
-      Object.defineProperty(o, "default", { enumerable: true, value: v });
-    }) : function(o, v) {
-      o["default"] = v;
-    });
-    var __importStar = exports2 && exports2.__importStar || /* @__PURE__ */ (function() {
-      var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function(o2) {
-          var ar = [];
-          for (var k in o2) if (Object.prototype.hasOwnProperty.call(o2, k)) ar[ar.length] = k;
-          return ar;
-        };
-        return ownKeys(o);
-      };
-      return function(mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) {
-          for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        }
-        __setModuleDefault(result, mod);
-        return result;
-      };
-    })();
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.S3ArtifactSource = void 0;
-    exports2.isS3Url = isS3Url;
-    var crypto6 = __importStar(require("crypto"));
-    function isS3Url(url) {
-      return parseS3UrlSafe(url) !== null;
-    }
-    function parseS3Url(url) {
-      const loc = parseS3UrlSafe(url);
-      if (!loc)
-        throw new Error(`Not a valid S3 URL: ${url}`);
-      return loc;
-    }
-    function parseS3UrlSafe(url) {
-      let u;
-      try {
-        u = new URL(url);
-      } catch {
-        return null;
-      }
-      if (u.protocol !== "https:")
-        return null;
-      const host = u.hostname;
-      const key = u.pathname.slice(1);
-      if (!key)
-        return null;
-      const vhMatch = host.match(/^(.+)\.s3\.([a-z0-9-]+)\.amazonaws\.com$/) ?? host.match(/^(.+)\.s3\.amazonaws\.com$/);
-      if (vhMatch) {
-        return { bucket: vhMatch[1], key, region: vhMatch[2] || "us-east-1" };
-      }
-      const psMatch = host.match(/^s3\.([a-z0-9-]+)\.amazonaws\.com$/) ?? host.match(/^s3\.amazonaws\.com$/);
-      if (psMatch) {
-        const slashIdx = key.indexOf("/");
-        if (slashIdx < 0)
-          return null;
-        return {
-          bucket: key.slice(0, slashIdx),
-          key: key.slice(slashIdx + 1),
-          region: psMatch[1] || "us-east-1"
-        };
-      }
-      return null;
-    }
-    var S3ArtifactSource = class {
+    crypto9 = __toESM(require("crypto"));
+    S3ArtifactSource = class {
       url;
       location;
       cachedCredentials = null;
@@ -96237,12 +95804,14 @@ var require_s3 = __commonJS({
         const creds = await this.resolveCredentials();
         const { bucket, key, region } = this.location;
         const host = `${bucket}.s3.${region}.amazonaws.com`;
-        const path56 = `/${encodeS3Key(key)}`;
+        const path57 = `/${encodeS3Key(key)}`;
         const now = /* @__PURE__ */ new Date();
-        const headers = signS3GetRequest(host, path56, region, creds, now);
-        const res = await globalThis.fetch(`https://${host}${path56}`, { headers });
+        const headers = signS3GetRequest(host, path57, region, creds, now);
+        const res = await globalThis.fetch(`https://${host}${path57}`, { headers });
         if (!res.ok) {
-          throw new Error(`Failed to fetch artifact from ${this.describe()}: ${res.status} ${res.statusText}`);
+          throw new Error(
+            `Failed to fetch artifact from ${this.describe()}: ${res.status} ${res.statusText}`
+          );
         }
         const raw = await res.text();
         const etag = res.headers.get("etag") ?? void 0;
@@ -96273,7 +95842,9 @@ var require_s3 = __commonJS({
             sessionToken: process.env.AWS_SESSION_TOKEN
           };
         }
-        throw new Error("No AWS credentials found. Set AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, or run in ECS/Fargate with a task role.");
+        throw new Error(
+          "No AWS credentials found. Set AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, or run in ECS/Fargate with a task role."
+        );
       }
       async fetchEcsCredentials(endpoint) {
         const headers = {};
@@ -96300,172 +95871,90 @@ var require_s3 = __commonJS({
         return creds;
       }
     };
-    exports2.S3ArtifactSource = S3ArtifactSource;
-    function hmacSha256(key, data) {
-      return crypto6.createHmac("sha256", key).update(data, "utf-8").digest();
-    }
-    function sha256Hex(data) {
-      return crypto6.createHash("sha256").update(data, "utf-8").digest("hex");
-    }
-    function toAmzDate(date) {
-      return date.toISOString().replace(/[-:]/g, "").replace(/\.\d{3}/, "");
-    }
-    function toDateStamp(date) {
-      return toAmzDate(date).slice(0, 8);
-    }
-    function encodeS3Key(key) {
-      return key.split("/").map((s) => encodeURIComponent(s)).join("/");
-    }
-    function signS3GetRequest(host, path56, region, creds, now) {
-      const amzDate = toAmzDate(now);
-      const dateStamp = toDateStamp(now);
-      const service = "s3";
-      const scope = `${dateStamp}/${region}/${service}/aws4_request`;
-      const headers = {
-        host,
-        "x-amz-date": amzDate,
-        "x-amz-content-sha256": "UNSIGNED-PAYLOAD"
-      };
-      if (creds.sessionToken) {
-        headers["x-amz-security-token"] = creds.sessionToken;
-      }
-      const signedHeaderKeys = Object.keys(headers).sort();
-      const signedHeaders = signedHeaderKeys.join(";");
-      const canonicalHeaders = signedHeaderKeys.map((k) => `${k}:${headers[k]}
-`).join("");
-      const canonicalRequest = [
-        "GET",
-        path56,
-        "",
-        // no query string
-        canonicalHeaders,
-        signedHeaders,
-        "UNSIGNED-PAYLOAD"
-      ].join("\n");
-      const stringToSign = ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)].join("\n");
-      const kDate = hmacSha256(`AWS4${creds.secretAccessKey}`, dateStamp);
-      const kRegion = hmacSha256(kDate, region);
-      const kService = hmacSha256(kRegion, service);
-      const kSigning = hmacSha256(kService, "aws4_request");
-      const signature = hmacSha256(kSigning, stringToSign).toString("hex");
-      const authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
-      return {
-        ...headers,
-        Authorization: authorization
-      };
-    }
   }
 });
 
-// ../runtime/dist/index.js
-var require_dist3 = __commonJS({
-  "../runtime/dist/index.js"(exports2) {
+// ../runtime/src/index.ts
+var src_exports3 = {};
+__export(src_exports3, {
+  AgeDecryptor: () => AgeDecryptor,
+  ArtifactDecryptor: () => ArtifactDecryptor,
+  ArtifactPoller: () => ArtifactPoller,
+  AwsKmsProvider: () => AwsKmsProvider,
+  BitbucketProvider: () => BitbucketProvider,
+  ClefRuntime: () => ClefRuntime,
+  DiskCache: () => DiskCache,
+  EncryptedArtifactStore: () => EncryptedArtifactStore,
+  FileArtifactSource: () => FileArtifactSource,
+  GitHubProvider: () => GitHubProvider,
+  GitLabProvider: () => GitLabProvider,
+  HttpArtifactSource: () => HttpArtifactSource,
+  S3ArtifactSource: () => S3ArtifactSource,
+  SecretsCache: () => SecretsCache,
+  TelemetryEmitter: () => TelemetryEmitter,
+  VcsArtifactSource: () => VcsArtifactSource,
+  buildSigningPayload: () => buildSigningPayload2,
+  createKmsProvider: () => createKmsProvider,
+  createVcsProvider: () => createVcsProvider,
+  init: () => init,
+  isS3Url: () => isS3Url,
+  verifySignature: () => verifySignature2
+});
+async function init(config) {
+  const runtime = new ClefRuntime(config);
+  await runtime.start();
+  return runtime;
+}
+var ClefRuntime;
+var init_src4 = __esm({
+  "../runtime/src/index.ts"() {
     "use strict";
-    Object.defineProperty(exports2, "__esModule", { value: true });
-    exports2.ClefRuntime = exports2.verifySignature = exports2.buildSigningPayload = exports2.isS3Url = exports2.S3ArtifactSource = exports2.VcsArtifactSource = exports2.FileArtifactSource = exports2.HttpArtifactSource = exports2.createKmsProvider = exports2.AwsKmsProvider = exports2.createVcsProvider = exports2.BitbucketProvider = exports2.GitLabProvider = exports2.GitHubProvider = exports2.TelemetryEmitter = exports2.EncryptedArtifactStore = exports2.ArtifactDecryptor = exports2.ArtifactPoller = exports2.AgeDecryptor = exports2.DiskCache = exports2.SecretsCache = void 0;
-    exports2.init = init;
-    var secrets_cache_1 = require_secrets_cache();
-    Object.defineProperty(exports2, "SecretsCache", { enumerable: true, get: function() {
-      return secrets_cache_1.SecretsCache;
-    } });
-    var disk_cache_1 = require_disk_cache();
-    Object.defineProperty(exports2, "DiskCache", { enumerable: true, get: function() {
-      return disk_cache_1.DiskCache;
-    } });
-    var decrypt_1 = require_decrypt();
-    Object.defineProperty(exports2, "AgeDecryptor", { enumerable: true, get: function() {
-      return decrypt_1.AgeDecryptor;
-    } });
-    var poller_1 = require_poller();
-    Object.defineProperty(exports2, "ArtifactPoller", { enumerable: true, get: function() {
-      return poller_1.ArtifactPoller;
-    } });
-    var artifact_decryptor_1 = require_artifact_decryptor();
-    Object.defineProperty(exports2, "ArtifactDecryptor", { enumerable: true, get: function() {
-      return artifact_decryptor_1.ArtifactDecryptor;
-    } });
-    var encrypted_artifact_store_1 = require_encrypted_artifact_store();
-    Object.defineProperty(exports2, "EncryptedArtifactStore", { enumerable: true, get: function() {
-      return encrypted_artifact_store_1.EncryptedArtifactStore;
-    } });
-    var telemetry_1 = require_telemetry();
-    Object.defineProperty(exports2, "TelemetryEmitter", { enumerable: true, get: function() {
-      return telemetry_1.TelemetryEmitter;
-    } });
-    var github_1 = require_github();
-    Object.defineProperty(exports2, "GitHubProvider", { enumerable: true, get: function() {
-      return github_1.GitHubProvider;
-    } });
-    var gitlab_1 = require_gitlab();
-    Object.defineProperty(exports2, "GitLabProvider", { enumerable: true, get: function() {
-      return gitlab_1.GitLabProvider;
-    } });
-    var bitbucket_1 = require_bitbucket();
-    Object.defineProperty(exports2, "BitbucketProvider", { enumerable: true, get: function() {
-      return bitbucket_1.BitbucketProvider;
-    } });
-    var index_1 = require_vcs();
-    Object.defineProperty(exports2, "createVcsProvider", { enumerable: true, get: function() {
-      return index_1.createVcsProvider;
-    } });
-    var kms_1 = require_kms2();
-    Object.defineProperty(exports2, "AwsKmsProvider", { enumerable: true, get: function() {
-      return kms_1.AwsKmsProvider;
-    } });
-    var kms_2 = require_kms2();
-    Object.defineProperty(exports2, "createKmsProvider", { enumerable: true, get: function() {
-      return kms_2.createKmsProvider;
-    } });
-    var http_1 = require_http();
-    Object.defineProperty(exports2, "HttpArtifactSource", { enumerable: true, get: function() {
-      return http_1.HttpArtifactSource;
-    } });
-    var file_1 = require_file();
-    Object.defineProperty(exports2, "FileArtifactSource", { enumerable: true, get: function() {
-      return file_1.FileArtifactSource;
-    } });
-    var vcs_1 = require_vcs2();
-    Object.defineProperty(exports2, "VcsArtifactSource", { enumerable: true, get: function() {
-      return vcs_1.VcsArtifactSource;
-    } });
-    var s3_1 = require_s3();
-    Object.defineProperty(exports2, "S3ArtifactSource", { enumerable: true, get: function() {
-      return s3_1.S3ArtifactSource;
-    } });
-    Object.defineProperty(exports2, "isS3Url", { enumerable: true, get: function() {
-      return s3_1.isS3Url;
-    } });
-    var signature_1 = require_signature();
-    Object.defineProperty(exports2, "buildSigningPayload", { enumerable: true, get: function() {
-      return signature_1.buildSigningPayload;
-    } });
-    Object.defineProperty(exports2, "verifySignature", { enumerable: true, get: function() {
-      return signature_1.verifySignature;
-    } });
-    var secrets_cache_2 = require_secrets_cache();
-    var disk_cache_2 = require_disk_cache();
-    var decrypt_2 = require_decrypt();
-    var poller_2 = require_poller();
-    var index_2 = require_vcs();
-    var vcs_2 = require_vcs2();
-    var http_2 = require_http();
-    var file_2 = require_file();
-    var s3_2 = require_s3();
-    var ClefRuntime = class {
-      cache = new secrets_cache_2.SecretsCache();
+    init_secrets_cache();
+    init_disk_cache();
+    init_decrypt();
+    init_poller();
+    init_artifact_decryptor();
+    init_encrypted_artifact_store();
+    init_telemetry();
+    init_github();
+    init_gitlab();
+    init_bitbucket();
+    init_vcs();
+    init_kms3();
+    init_kms3();
+    init_http();
+    init_file();
+    init_vcs2();
+    init_s3();
+    init_signature();
+    init_secrets_cache();
+    init_disk_cache();
+    init_decrypt();
+    init_poller();
+    init_vcs();
+    init_vcs2();
+    init_http();
+    init_file();
+    init_s3();
+    ClefRuntime = class {
+      cache = new SecretsCache();
       poller;
       config;
       constructor(config) {
         this.config = config;
         let privateKey;
         try {
-          const decryptor = new decrypt_2.AgeDecryptor();
+          const decryptor = new AgeDecryptor();
           privateKey = decryptor.resolveKey(config.ageKey, config.ageKeyFile);
         } catch {
         }
         const source = this.resolveSource(config);
-        const diskCache = config.cachePath ? new disk_cache_2.DiskCache(config.cachePath, config.identity ?? "default", config.environment ?? "default") : void 0;
-        this.poller = new poller_2.ArtifactPoller({
+        const diskCache = config.cachePath ? new DiskCache(
+          config.cachePath,
+          config.identity ?? "default",
+          config.environment ?? "default"
+        ) : void 0;
+        this.poller = new ArtifactPoller({
           source,
           privateKey,
           cache: this.cache,
@@ -96531,36 +96020,34 @@ var require_dist3 = __commonJS({
         const missingVcs = Object.entries(vcsFields).filter(([, v]) => !v);
         if (presentVcs.length > 0 && missingVcs.length > 0) {
           const missing = missingVcs.map(([k]) => k).join(", ");
-          throw new Error(`Partial VCS config detected. Missing: ${missing}. Provide all VCS fields (provider, repo, token, identity, environment) or use a source URL/path instead.`);
+          throw new Error(
+            `Partial VCS config detected. Missing: ${missing}. Provide all VCS fields (provider, repo, token, identity, environment) or use a source URL/path instead.`
+          );
         }
         if (presentVcs.length === Object.keys(vcsFields).length) {
-          const provider = (0, index_2.createVcsProvider)({
+          const provider = createVcsProvider({
             provider: config.provider,
             repo: config.repo,
             token: config.token,
             ref: config.ref,
             apiUrl: config.apiUrl
           });
-          return new vcs_2.VcsArtifactSource(provider, config.identity, config.environment);
+          return new VcsArtifactSource(provider, config.identity, config.environment);
         }
         if (config.source) {
-          if ((0, s3_2.isS3Url)(config.source)) {
-            return new s3_2.S3ArtifactSource(config.source);
+          if (isS3Url(config.source)) {
+            return new S3ArtifactSource(config.source);
           }
           if (config.source.startsWith("http://") || config.source.startsWith("https://")) {
-            return new http_2.HttpArtifactSource(config.source);
+            return new HttpArtifactSource(config.source);
           }
-          return new file_2.FileArtifactSource(config.source);
+          return new FileArtifactSource(config.source);
         }
-        throw new Error("No artifact source configured. Provide VCS config (provider, repo, token, identity, environment) or a source URL/path.");
+        throw new Error(
+          "No artifact source configured. Provide VCS config (provider, repo, token, identity, environment) or a source URL/path."
+        );
       }
     };
-    exports2.ClefRuntime = ClefRuntime;
-    async function init(config) {
-      const runtime = new ClefRuntime(config);
-      await runtime.start();
-      return runtime;
-    }
   }
 });
 
@@ -96996,12 +96483,12 @@ var require_lambda_extension = __commonJS({
 });
 
 // ../agent/dist/index.js
-var require_dist4 = __commonJS({
+var require_dist3 = __commonJS({
   "../agent/dist/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.LambdaExtension = exports2.Daemon = exports2.readyHandler = exports2.healthHandler = exports2.ConfigError = exports2.resolveConfig = exports2.startAgentServer = exports2.TelemetryEmitter = exports2.init = exports2.ClefRuntime = exports2.ArtifactPoller = exports2.AgeDecryptor = exports2.SecretsCache = void 0;
-    var runtime_1 = require_dist3();
+    var runtime_1 = (init_src4(), __toCommonJS(src_exports3));
     Object.defineProperty(exports2, "SecretsCache", { enumerable: true, get: function() {
       return runtime_1.SecretsCache;
     } });
@@ -97017,7 +96504,7 @@ var require_dist4 = __commonJS({
     Object.defineProperty(exports2, "init", { enumerable: true, get: function() {
       return runtime_1.init;
     } });
-    var runtime_2 = require_dist3();
+    var runtime_2 = (init_src4(), __toCommonJS(src_exports3));
     Object.defineProperty(exports2, "TelemetryEmitter", { enumerable: true, get: function() {
       return runtime_2.TelemetryEmitter;
     } });
@@ -97060,7 +96547,7 @@ function registerCloudCommands(program3, deps2) {
       const parser = new ManifestParser();
       let manifest;
       try {
-        manifest = parser.parse(path55.join(repoRoot, "clef.yaml"));
+        manifest = parser.parse(path56.join(repoRoot, "clef.yaml"));
       } catch {
         formatter2.print(`${sym2("info")}  No clef.yaml found in ${repoRoot}`);
         return;
@@ -97108,7 +96595,7 @@ function registerCloudCommands(program3, deps2) {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
       const parser = new ManifestParser();
-      const manifest = parser.parse(path55.join(repoRoot, "clef.yaml"));
+      const manifest = parser.parse(path56.join(repoRoot, "clef.yaml"));
       const targetEnv = manifest.environments.find((e) => e.name === opts.env);
       if (!targetEnv) {
         formatter2.error(
@@ -97151,7 +96638,7 @@ function registerCloudCommands(program3, deps2) {
       } else {
         formatter2.print(`   Opening browser to set up Cloud for ${opts.env}...`);
         const session = await initiateDeviceFlow2(cloudEndpoint, {
-          repoName: path55.basename(repoRoot),
+          repoName: path56.basename(repoRoot),
           environment: opts.env,
           clientVersion: deps2.cliVersion,
           flow: "setup"
@@ -97218,14 +96705,14 @@ function registerCloudCommands(program3, deps2) {
               cloudManifest,
               cell.environment
             );
-            const relPath = path55.relative(repoRoot, cell.filePath);
+            const relPath = path56.relative(repoRoot, cell.filePath);
             formatter2.print(`   ${sym2("success")}  ${relPath}`);
           }
           formatter2.print(`
    Verifying encrypted files...`);
           for (const cell of cells) {
             await cloudSopsClient.decrypt(cell.filePath);
-            const relPath = path55.relative(repoRoot, cell.filePath);
+            const relPath = path56.relative(repoRoot, cell.filePath);
             formatter2.print(`   ${sym2("success")}  ${relPath}`);
           }
         } finally {
@@ -97260,7 +96747,7 @@ function registerCloudCommands(program3, deps2) {
       const existingCreds = readCloudCredentials2();
       const endpoint = existingCreds?.endpoint;
       const session = await initiateDeviceFlow2(endpoint, {
-        repoName: path55.basename(process.cwd()),
+        repoName: path56.basename(process.cwd()),
         clientVersion: deps2.cliVersion,
         flow: "login"
       });
@@ -97313,11 +96800,11 @@ async function pollUntilComplete(pollUrl) {
     await new Promise((resolve7) => setTimeout(resolve7, POLL_INTERVAL_MS));
   }
 }
-var path55, POLL_INTERVAL_MS;
+var path56, POLL_INTERVAL_MS;
 var init_cloud2 = __esm({
   "../cloud/src/commands/cloud.ts"() {
     "use strict";
-    path55 = __toESM(require("path"));
+    path56 = __toESM(require("path"));
     init_src();
     init_src3();
     POLL_INTERVAL_MS = 2e3;
@@ -99462,7 +98949,7 @@ async function fetchCheckpoint(config) {
 }
 
 // package.json
-var version2 = "0.1.13";
+var version2 = "0.1.14";
 var package_default = {
   name: "@clef-sh/cli",
   version: version2,
@@ -100979,13 +100466,13 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`
   ).option("-e, --environment <env>", "Environment to grant access to (overrides request)").action(async (identifier, opts) => {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
-      const request = findRequest(repoRoot, identifier);
-      if (!request) {
+      const request2 = findRequest(repoRoot, identifier);
+      if (!request2) {
         formatter.error(`No pending request matching '${identifier}'.`);
         process.exit(2);
         return;
       }
-      const environment = opts.environment ?? request.environment;
+      const environment = opts.environment ?? request2.environment;
       if (!environment) {
         formatter.error(
           "An environment is required. The request did not specify one.\n  Use -e to specify: clef recipients approve " + identifier + " -e <environment>"
@@ -100997,8 +100484,8 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`
         repoRoot,
         program3,
         deps2,
-        request.key,
-        request.label,
+        request2.key,
+        request2.label,
         environment
       );
       if (result) {
@@ -101007,13 +100494,13 @@ ${sym("failure")} Re-encryption failed on ${path45.basename(failedFile)}`
           formatter.json({
             action: "approved",
             identifier,
-            label: request.label,
+            label: request2.label,
             environment,
             reEncryptedFiles: result.reEncryptedFiles.length
           });
         } else {
           formatter.hint(
-            `git add clef.yaml ${REQUESTS_FILENAME} && git add -A && git commit -m "approve recipient: ${request.label} [${environment}]"`
+            `git add clef.yaml ${REQUESTS_FILENAME} && git add -A && git commit -m "approve recipient: ${request2.label} [${environment}]"`
           );
         }
       }
@@ -101613,7 +101100,7 @@ function parseKmsEnvMappings(mappings) {
 }
 
 // src/commands/pack.ts
-var path48 = __toESM(require("path"));
+var path49 = __toESM(require("path"));
 init_src();
 function registerPackCommand(program3, deps2) {
   program3.command("pack <identity> <environment>").description(
@@ -101641,7 +101128,7 @@ function registerPackCommand(program3, deps2) {
         }
         const repoRoot = program3.opts().dir || process.cwd();
         const parser = new ManifestParser();
-        const manifest = parser.parse(path48.join(repoRoot, "clef.yaml"));
+        const manifest = parser.parse(path49.join(repoRoot, "clef.yaml"));
         if (opts.remote) {
           const { resolveAccessToken: resolveAccessToken2, CloudPackClient: CloudPackClient3 } = await Promise.resolve().then(() => (init_src3(), src_exports2));
           const { accessToken: token, endpoint } = await resolveAccessToken2();
@@ -101664,13 +101151,13 @@ function registerPackCommand(program3, deps2) {
         const si = manifest.service_identities?.find((s) => s.name === identity);
         const envConfig = si?.environments[environment];
         if (envConfig && isKmsEnvelope(envConfig)) {
-          const { createKmsProvider } = await Promise.resolve().then(() => __toESM(require_dist3()));
-          kmsProvider = await createKmsProvider(envConfig.kms.provider, {
+          const { createKmsProvider: createKmsProvider2 } = await Promise.resolve().then(() => (init_src4(), src_exports3));
+          kmsProvider = await createKmsProvider2(envConfig.kms.provider, {
             region: envConfig.kms.region
           });
         }
         const packer = new ArtifactPacker(sopsClient, matrixManager, kmsProvider);
-        const outputPath = opts.output ? path48.resolve(opts.output) : void 0;
+        const outputPath = opts.output ? path49.resolve(opts.output) : void 0;
         const ttl = opts.ttl ? parseInt(opts.ttl, 10) : void 0;
         if (ttl !== void 0 && (isNaN(ttl) || ttl < 1)) {
           formatter.error("--ttl must be a positive integer (seconds).");
@@ -101752,8 +101239,8 @@ function registerPackCommand(program3, deps2) {
 }
 
 // src/commands/revoke.ts
-var fs32 = __toESM(require("fs"));
-var path49 = __toESM(require("path"));
+var fs35 = __toESM(require("fs"));
+var path50 = __toESM(require("path"));
 init_src();
 function registerRevokeCommand(program3, _deps) {
   program3.command("revoke <identity> <environment>").description(
@@ -101762,7 +101249,7 @@ function registerRevokeCommand(program3, _deps) {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
       const parser = new ManifestParser();
-      const manifest = parser.parse(path49.join(repoRoot, "clef.yaml"));
+      const manifest = parser.parse(path50.join(repoRoot, "clef.yaml"));
       const si = manifest.service_identities?.find((s) => s.name === identity);
       if (!si) {
         formatter.error(
@@ -101778,17 +101265,17 @@ function registerRevokeCommand(program3, _deps) {
         process.exit(1);
         return;
       }
-      const artifactDir = path49.join(repoRoot, ".clef", "packed", identity);
-      const artifactPath = path49.join(artifactDir, `${environment}.age.json`);
+      const artifactDir = path50.join(repoRoot, ".clef", "packed", identity);
+      const artifactPath = path50.join(artifactDir, `${environment}.age.json`);
       const revoked = {
         version: 1,
         identity,
         environment,
         revokedAt: (/* @__PURE__ */ new Date()).toISOString()
       };
-      fs32.mkdirSync(artifactDir, { recursive: true });
-      fs32.writeFileSync(artifactPath, JSON.stringify(revoked, null, 2) + "\n", "utf-8");
-      const relPath = path49.relative(repoRoot, artifactPath);
+      fs35.mkdirSync(artifactDir, { recursive: true });
+      fs35.writeFileSync(artifactPath, JSON.stringify(revoked, null, 2) + "\n", "utf-8");
+      const relPath = path50.relative(repoRoot, artifactPath);
       if (isJsonMode()) {
         formatter.json({
           identity,
@@ -101820,7 +101307,7 @@ function registerRevokeCommand(program3, _deps) {
 }
 
 // src/commands/drift.ts
-var path50 = __toESM(require("path"));
+var path51 = __toESM(require("path"));
 var import_picocolors5 = __toESM(require_picocolors());
 init_src();
 function registerDriftCommand(program3, _deps) {
@@ -101829,7 +101316,7 @@ function registerDriftCommand(program3, _deps) {
   ).option("--push", "Push results as OTLP to CLEF_TELEMETRY_URL").option("--namespace <name...>", "Scope to specific namespace(s)").action(async (remotePath, options) => {
     try {
       const localRoot = program3.opts().dir || process.cwd();
-      const remoteRoot = path50.resolve(localRoot, remotePath);
+      const remoteRoot = path51.resolve(localRoot, remotePath);
       const detector = new DriftDetector();
       const result = detector.detect(localRoot, remoteRoot, options.namespace);
       if (options.push) {
@@ -101897,11 +101384,11 @@ init_src();
 
 // src/report/historical.ts
 var os7 = __toESM(require("os"));
-var path51 = __toESM(require("path"));
-var fs33 = __toESM(require("fs"));
+var path52 = __toESM(require("path"));
+var fs36 = __toESM(require("fs"));
 init_src();
 async function generateReportAtCommit(repoRoot, commitSha, clefVersion, runner2) {
-  const tmpDir = path51.join(os7.tmpdir(), `clef-report-${commitSha.slice(0, 8)}-${Date.now()}`);
+  const tmpDir = path52.join(os7.tmpdir(), `clef-report-${commitSha.slice(0, 8)}-${Date.now()}`);
   try {
     const addResult = await runner2.run("git", ["worktree", "add", tmpDir, commitSha, "--detach"], {
       cwd: repoRoot
@@ -101919,7 +101406,7 @@ async function generateReportAtCommit(repoRoot, commitSha, clefVersion, runner2)
       await runner2.run("git", ["worktree", "remove", tmpDir, "--force"], { cwd: repoRoot });
     } catch {
       try {
-        fs33.rmSync(tmpDir, { recursive: true, force: true });
+        fs36.rmSync(tmpDir, { recursive: true, force: true });
         await runner2.run("git", ["worktree", "prune"], { cwd: repoRoot });
       } catch {
       }
@@ -102140,8 +101627,8 @@ function formatReportOutput(report) {
 }
 
 // src/commands/install.ts
-var fs34 = __toESM(require("fs"));
-var path52 = __toESM(require("path"));
+var fs37 = __toESM(require("fs"));
+var path53 = __toESM(require("path"));
 var import_yaml = __toESM(require_dist());
 
 // src/registry/client.ts
@@ -102189,8 +101676,8 @@ function registerInstallCommand(program3, _deps) {
         process.exit(1);
         return;
       }
-      const brokerDir = path52.join(repoRoot, "brokers", entry.name);
-      if (fs34.existsSync(brokerDir) && !options.force) {
+      const brokerDir = path53.join(repoRoot, "brokers", entry.name);
+      if (fs37.existsSync(brokerDir) && !options.force) {
         const overwrite = await formatter.confirm(
           `brokers/${entry.name}/ already exists. Overwrite?`
         );
@@ -102221,11 +101708,11 @@ function registerInstallCommand(program3, _deps) {
         process.exit(1);
         return;
       }
-      if (!fs34.existsSync(brokerDir)) {
-        fs34.mkdirSync(brokerDir, { recursive: true });
+      if (!fs37.existsSync(brokerDir)) {
+        fs37.mkdirSync(brokerDir, { recursive: true });
       }
       for (const file of files) {
-        fs34.writeFileSync(path52.join(brokerDir, file.name), file.content, "utf-8");
+        fs37.writeFileSync(path53.join(brokerDir, file.name), file.content, "utf-8");
       }
       const manifestFile = files.find((f2) => f2.name === "broker.yaml");
       const manifest = manifestFile ? (0, import_yaml.parse)(manifestFile.content) : {};
@@ -102338,7 +101825,7 @@ function printBrokerTable(brokers) {
 }
 
 // src/commands/migrate-backend.ts
-var path53 = __toESM(require("path"));
+var path54 = __toESM(require("path"));
 init_src();
 function resolveTarget(opts) {
   const provided = [];
@@ -102369,7 +101856,7 @@ function registerMigrateBackendCommand(program3, deps2) {
       const repoRoot = program3.opts().dir || process.cwd();
       const target = resolveTarget(opts);
       const parser = new ManifestParser();
-      const manifest = parser.parse(path53.join(repoRoot, "clef.yaml"));
+      const manifest = parser.parse(path54.join(repoRoot, "clef.yaml"));
       const matrixManager = new MatrixManager();
       const impactedEnvs = opts.environment ? manifest.environments.filter((e) => e.name === opts.environment) : manifest.environments;
       if (impactedEnvs.length === 0) {
@@ -102492,9 +101979,23 @@ ${sym("working")}  Backend migration summary:`);
 }
 
 // src/commands/serve.ts
-var path54 = __toESM(require("path"));
+var path55 = __toESM(require("path"));
 var import_crypto5 = require("crypto");
 init_src();
+function synthesizeDevManifest(manifest, identityName, envName, ephemeralPublicKey) {
+  return {
+    ...manifest,
+    service_identities: manifest.service_identities?.map(
+      (si) => si.name === identityName ? {
+        ...si,
+        environments: {
+          ...si.environments,
+          [envName]: { recipient: ephemeralPublicKey }
+        }
+      } : si
+    )
+  };
+}
 function registerServeCommand(program3, deps2) {
   program3.command("serve").description(
     "Start a local secrets server for development.\n\n  Packs and decrypts the specified service identity, then serves secrets\n  at GET /v1/secrets \u2014 the same contract as the Clef agent and Cloud serve\n  endpoint. Your app code works identically in local dev and production.\n\nUsage:\n  clef serve --identity api-gateway --env dev\n  clef serve --identity api-gateway --env dev --port 7779"
@@ -102502,7 +102003,7 @@ function registerServeCommand(program3, deps2) {
     try {
       const repoRoot = program3.opts().dir || process.cwd();
       const parser = new ManifestParser();
-      const manifest = parser.parse(path54.join(repoRoot, "clef.yaml"));
+      const manifest = parser.parse(path55.join(repoRoot, "clef.yaml"));
       const env = manifest.environments.find((e) => e.name === opts.env);
       if (!env) {
         formatter.error(`Environment '${opts.env}' not found in manifest.`);
@@ -102533,21 +102034,20 @@ function registerServeCommand(program3, deps2) {
         return;
       }
       formatter.print(`${sym("working")}  Packing '${opts.identity}/${opts.env}'...`);
+      const ephemeral = await generateAgeIdentity();
+      const devManifest = synthesizeDevManifest(
+        manifest,
+        opts.identity,
+        opts.env,
+        ephemeral.publicKey
+      );
       const sopsClient = await createSopsClient(repoRoot, deps2.runner);
       const matrixManager = new MatrixManager();
-      let kmsProvider;
-      const envConfig = si.environments[opts.env];
-      if (envConfig && isKmsEnvelope(envConfig)) {
-        const { createKmsProvider } = await Promise.resolve().then(() => __toESM(require_dist3()));
-        kmsProvider = await createKmsProvider(envConfig.kms.provider, {
-          region: envConfig.kms.region
-        });
-      }
       const memOutput = new MemoryPackOutput();
-      const packer = new ArtifactPacker(sopsClient, matrixManager, kmsProvider);
+      const packer = new ArtifactPacker(sopsClient, matrixManager);
       const result = await packer.pack(
         { identity: opts.identity, environment: opts.env, output: memOutput },
-        manifest,
+        devManifest,
         repoRoot
       );
       if (!memOutput.artifact) {
@@ -102555,16 +102055,18 @@ function registerServeCommand(program3, deps2) {
         process.exit(1);
         return;
       }
-      const { ArtifactDecryptor } = await Promise.resolve().then(() => __toESM(require_dist3()));
-      const privateKey = await resolveAgePrivateKey(repoRoot, deps2.runner);
-      const decryptor = new ArtifactDecryptor({ privateKey: privateKey ?? void 0 });
+      const { ArtifactDecryptor: ArtifactDecryptor2 } = await Promise.resolve().then(() => (init_src4(), src_exports3));
+      const decryptor = new ArtifactDecryptor2({ privateKey: ephemeral.privateKey });
       const decrypted = await decryptor.decrypt(memOutput.artifact);
-      const { SecretsCache } = await Promise.resolve().then(() => __toESM(require_dist3()));
-      const cache = new SecretsCache();
+      const { SecretsCache: SecretsCache2 } = await Promise.resolve().then(() => (init_src4(), src_exports3));
+      const cache = new SecretsCache2();
       cache.swap(decrypted.values, decrypted.keys, decrypted.revision);
       const token = (0, import_crypto5.randomBytes)(32).toString("hex");
-      const { startAgentServer } = await Promise.resolve().then(() => __toESM(require_dist4()));
+      const { startAgentServer } = await Promise.resolve().then(() => __toESM(require_dist3()));
       const server = await startAgentServer({ port, token, cache });
+      formatter.warn(
+        "DEVELOPMENT ONLY\n  This server packs secrets locally with an ephemeral age key.\n  Do NOT use this in production. For production, deploy the Clef\n  agent with the service identity's actual private key or KMS access."
+      );
       formatter.success(`Serving ${result.keyCount} secrets for '${opts.identity}/${opts.env}'`);
       formatter.print(`
   URL:      ${server.url}/v1/secrets`);
@@ -102584,6 +102086,7 @@ function registerServeCommand(program3, deps2) {
           formatter.print(`
 ${sym("working")}  Stopping server...`);
           cache.wipe();
+          ephemeral.privateKey = "";
           await server.stop();
           resolve7();
         };