@dragonmastery/tamer 0.31.0 → 0.31.4

package/dist/tamer.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { c as TAMER_OVERLAY_ENV_KEY, f as getDispatchNamespaces, n as materializeTamerResolvable, r as materializeVars, t as materializeCloudflareBindings } from "./normalize-DVSTRZhO.mjs";
-import { basename, dirname, resolve } from "path";
+import { basename, dirname, relative, resolve } from "path";
 import { existsSync, readFileSync } from "fs";
 import * as readline from "readline/promises";
 
@@ -5553,216 +5553,6 @@ function base64ToBytes(base64$1) {
 	return new Uint8Array(Buffer.from(base64$1, "base64"));
 }
 
-//#endregion
-//#region src/core/naming/NamingEngine.ts
-function reLiteral(s) {
-	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-var NamingEngine = class {
-	constructor(tenant, conventions) {
-		this.tenant = tenant;
-		this.conventions = conventions;
-	}
-	/** Tenant id for per-resource {@link CloudflareNameFn} overrides. */
-	get tenantId() {
-		return this.tenant.id;
-	}
-	d1SingleName(logicalName, env) {
-		if (this.conventions?.d1Single) return this.conventions.d1Single(logicalName, this.tenant.id, env);
-		return `db_${logicalName}_t_${this.tenant.id}_${env}`;
-	}
-	d1ShardName(logicalName, shardDate, env) {
-		if (this.conventions?.d1Shard) return this.conventions.d1Shard(logicalName, shardDate, this.tenant.id, env);
-		const dateNoDashes = shardDate.replace(/-/g, "");
-		if (logicalName === "default" || logicalName === "") return `db_${dateNoDashes}_t_${this.tenant.id}_${env}`;
-		return `db_${logicalName}_${dateNoDashes}_t_${this.tenant.id}_${env}`;
-	}
-	d1SingleBindingKey(logicalName) {
-		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	d1ShardBindingKey(logicalName, shardDate) {
-		const dateNoDashes = shardDate.replace(/-/g, "");
-		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_${dateNoDashes}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	r2BucketName(logicalName, env) {
-		if (this.conventions?.r2Bucket) {
-			const dateNoDashes = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10).replace(/-/g, "");
-			return this.conventions.r2Bucket(logicalName, dateNoDashes, this.tenant.id, env);
-		}
-		return `r2-${logicalName}-t-${this.tenant.id}-${env}`;
-	}
-	/**
-	* Wrangler `r2_buckets[].binding`: logical + tenant only (same idea as {@link kvBindingKey}).
-	* Stable across envs; default {@link r2BucketName} is `r2-{logical}-t-{tenant}-{env}`.
-	*/
-	r2BindingKey(logicalName) {
-		return `R2_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	kvNamespaceName(logicalName, env) {
-		return `kv_${logicalName}_t_${this.tenant.id}_${env}`;
-	}
-	kvBindingKey(logicalName) {
-		return `KV_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	queueName(logicalName, env) {
-		return `q-${logicalName}-t-${this.tenant.id}-${env}`;
-	}
-	queueBindingKey(logicalName) {
-		return `Q_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	hyperdriveName(logicalName, env) {
-		return `hd-${logicalName}-t-${this.tenant.id}-${env}`;
-	}
-	hyperdriveBindingKey(logicalName) {
-		return `HD_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	vectorizeName(logicalName, env) {
-		return `vec-${logicalName}-t-${this.tenant.id}-${env}`;
-	}
-	vectorizeBindingKey(logicalName) {
-		return `VEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	/**
-	* AI Gateway slug (== Cloudflare gateway id). Per the Cloudflare API,
-	* gateway ids are case-sensitive lowercase ascii with `-`/`_`. Format:
-	* `aigw-{logical}-t-{tenantId}-{env}`.
-	*/
-	aiGatewayId(logicalName, env) {
-		return `aigw-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
-	}
-	/**
-	* Stable cross-reference binding key for AI Gateway. AI Gateway has no
-	* Wrangler binding kind today, so this is only consumed by
-	* `${tamer:ai_gateway:<logical>.binding}` interpolations.
-	*/
-	aiGatewayBindingKey(logicalName) {
-		return `AI_GW_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	/**
-	* Cloudflare-side pipeline name. Pipelines V1 names must be lowercase
-	* alphanumerics + hyphens (no underscores), so we mirror the R2 scheme.
-	* Pattern: `pipe-{logical}-t-{tenantId}-{env}`.
-	*/
-	pipelineName(logicalName, env) {
-		return `pipe-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
-	}
-	/**
-	* Wrangler binding key emitted in `pipelines[]`. Uppercased logical with
-	* the tenant id appended so two tenants can share a worker namespace
-	* without colliding bindings.
-	*/
-	pipelineBindingKey(logicalName) {
-		return `PIPE_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	pipelineMatchPattern(logicalName, env) {
-		const exact = this.pipelineName(logicalName, env);
-		return (name) => name === exact;
-	}
-	/**
-	* Cloudflare-side workflow name. Workflow names accept lowercase
-	* alphanumerics + hyphens; we mirror the pipelines/AI-Gateway hyphen
-	* scheme. Pattern: `wf-{logical}-t-{tenantId}-{env}`.
-	*/
-	workflowName(logicalName, env) {
-		if (this.conventions?.workflow) return this.conventions.workflow(logicalName, this.tenant.id, env);
-		return `wf-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
-	}
-	/**
-	* Wrangler binding key emitted in `workflows[]`. Uppercased logical with
-	* the tenant id appended so two tenants sharing a script can't collide.
-	*/
-	workflowBindingKey(logicalName) {
-		return `WF_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	workflowMatchPattern(logicalName, env) {
-		const exact = this.workflowName(logicalName, env);
-		return (name) => name === exact;
-	}
-	/**
-	* Cloudflare Secrets Store name. Account-scoped — the API allows free-form
-	* names (the dashboard examples use both `service_x_keys` and dashed
-	* variants), so we mirror our hyphen convention for consistency with
-	* pipelines / workflows / AI Gateway. Pattern:
-	* `sec-{logical}-t-{tenantId}-{env}`.
-	*/
-	secretsStoreName(logicalName, env) {
-		return `sec-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
-	}
-	/**
-	* Stable cross-reference key for the store. Secrets Store has no Wrangler
-	* binding kind directly — `secrets_store_secrets[]` references the
-	* resolved `store_id`, not the store name — so this only powers
-	* `${tamer:secret_store:<n>.binding}` interpolations.
-	*/
-	secretsStoreBindingKey(logicalName) {
-		return `SEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	secretsStoreMatchPattern(logicalName, env) {
-		const exact = this.secretsStoreName(logicalName, env);
-		return (name) => name === exact;
-	}
-	workerName(workerKey, env) {
-		if (this.conventions?.workerName) return this.conventions.workerName(this.tenant.slug, workerKey, env, this.tenant.id);
-		if (env === "local") return `${this.tenant.slug}-${workerKey}-${this.tenant.id}`;
-		return `${this.tenant.slug}-${workerKey}-${env}-${this.tenant.id}`;
-	}
-	/** Whether stack {@link NamingConventions.d1Shard} is configured. */
-	hasD1ShardConvention() {
-		return Boolean(this.conventions?.d1Shard);
-	}
-	d1MatchPattern(logicalName, env) {
-		if (this.conventions?.d1Shard) return (name) => {
-			const shardDate = this.extractD1ShardDate(name);
-			if (!shardDate) return false;
-			return this.d1ShardName(logicalName, shardDate, env) === name;
-		};
-		const suffix = `_t_${this.tenant.id}_${env}`;
-		if (logicalName === "default" || logicalName === "") return (name) => /^db_\d{8}_t_/.test(name) && name.endsWith(suffix);
-		const prefix = `db_${logicalName}_`;
-		return (name) => name.startsWith(prefix) && name.endsWith(suffix);
-	}
-	/**
-	* Default: exact {@link r2BucketName}, or legacy dated buckets
-	* `r2-{logical}-{YYYYMMDD}-t-{tenant}-{env}` from older Tamer versions.
-	* Custom {@link NamingConventions.r2Bucket}: exact name only (uses today's date
-	* when calling the hook, same as apply).
-	*/
-	r2MatchPattern(logicalName, env) {
-		if (this.conventions?.r2Bucket) {
-			const expected = this.r2BucketName(logicalName, env);
-			return (name) => name === expected;
-		}
-		const exactNew = `r2-${logicalName}-t-${this.tenant.id}-${env}`;
-		const legacyDated = /* @__PURE__ */ new RegExp(`^r2-${reLiteral(logicalName)}-\\d{8}-t-${reLiteral(this.tenant.id)}-${reLiteral(env)}$`);
-		return (name) => name === exactNew || legacyDated.test(name);
-	}
-	extractD1ShardDate(name) {
-		const compact = name.match(/_(\d{8})_t_/);
-		if (compact) {
-			const d = compact[1];
-			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
-		}
-		const underscored = name.match(/_(\d{4})_(\d{2})_(\d{2})_t_/);
-		if (underscored) return `${underscored[1]}-${underscored[2]}-${underscored[3]}`;
-		return null;
-	}
-	extractR2Date(name) {
-		const match = name.match(/r2-\w+-(\d{8})-t-/);
-		if (match) {
-			const d = match[1];
-			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
-		}
-		return null;
-	}
-};
-
-//#endregion
-//#region src/core/config/namingFromConfig.ts
-function namingFromConfig(config$1) {
-	const conventions = "naming" in config$1 && config$1.naming ? config$1.naming : void 0;
-	return new NamingEngine(config$1.tenant, conventions);
-}
-
 //#endregion
 //#region src/features/dispatch-namespace/dispatch-namespace.resolve.ts
 const ephemeralPredicateCache = /* @__PURE__ */ new WeakMap();
@@ -7314,6 +7104,216 @@ function requiredSecretsForWorker(workerConfig) {
 	return workerConfig.secrets?.required ?? [];
 }
 
+//#endregion
+//#region src/core/naming/NamingEngine.ts
+function reLiteral(s) {
+	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var NamingEngine = class {
+	constructor(tenant, conventions) {
+		this.tenant = tenant;
+		this.conventions = conventions;
+	}
+	/** Tenant id for per-resource {@link CloudflareNameFn} overrides. */
+	get tenantId() {
+		return this.tenant.id;
+	}
+	d1SingleName(logicalName, env) {
+		if (this.conventions?.d1Single) return this.conventions.d1Single(logicalName, this.tenant.id, env);
+		return `db_${logicalName}_t_${this.tenant.id}_${env}`;
+	}
+	d1ShardName(logicalName, shardDate, env) {
+		if (this.conventions?.d1Shard) return this.conventions.d1Shard(logicalName, shardDate, this.tenant.id, env);
+		const dateNoDashes = shardDate.replace(/-/g, "");
+		if (logicalName === "default" || logicalName === "") return `db_${dateNoDashes}_t_${this.tenant.id}_${env}`;
+		return `db_${logicalName}_${dateNoDashes}_t_${this.tenant.id}_${env}`;
+	}
+	d1SingleBindingKey(logicalName) {
+		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	d1ShardBindingKey(logicalName, shardDate) {
+		const dateNoDashes = shardDate.replace(/-/g, "");
+		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_${dateNoDashes}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	r2BucketName(logicalName, env) {
+		if (this.conventions?.r2Bucket) {
+			const dateNoDashes = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10).replace(/-/g, "");
+			return this.conventions.r2Bucket(logicalName, dateNoDashes, this.tenant.id, env);
+		}
+		return `r2-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	/**
+	* Wrangler `r2_buckets[].binding`: logical + tenant only (same idea as {@link kvBindingKey}).
+	* Stable across envs; default {@link r2BucketName} is `r2-{logical}-t-{tenant}-{env}`.
+	*/
+	r2BindingKey(logicalName) {
+		return `R2_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	kvNamespaceName(logicalName, env) {
+		return `kv_${logicalName}_t_${this.tenant.id}_${env}`;
+	}
+	kvBindingKey(logicalName) {
+		return `KV_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	queueName(logicalName, env) {
+		return `q-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	queueBindingKey(logicalName) {
+		return `Q_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	hyperdriveName(logicalName, env) {
+		return `hd-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	hyperdriveBindingKey(logicalName) {
+		return `HD_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	vectorizeName(logicalName, env) {
+		return `vec-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	vectorizeBindingKey(logicalName) {
+		return `VEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	/**
+	* AI Gateway slug (== Cloudflare gateway id). Per the Cloudflare API,
+	* gateway ids are case-sensitive lowercase ascii with `-`/`_`. Format:
+	* `aigw-{logical}-t-{tenantId}-{env}`.
+	*/
+	aiGatewayId(logicalName, env) {
+		return `aigw-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Stable cross-reference binding key for AI Gateway. AI Gateway has no
+	* Wrangler binding kind today, so this is only consumed by
+	* `${tamer:ai_gateway:<logical>.binding}` interpolations.
+	*/
+	aiGatewayBindingKey(logicalName) {
+		return `AI_GW_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	/**
+	* Cloudflare-side pipeline name. Pipelines V1 names must be lowercase
+	* alphanumerics + hyphens (no underscores), so we mirror the R2 scheme.
+	* Pattern: `pipe-{logical}-t-{tenantId}-{env}`.
+	*/
+	pipelineName(logicalName, env) {
+		return `pipe-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Wrangler binding key emitted in `pipelines[]`. Uppercased logical with
+	* the tenant id appended so two tenants can share a worker namespace
+	* without colliding bindings.
+	*/
+	pipelineBindingKey(logicalName) {
+		return `PIPE_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	pipelineMatchPattern(logicalName, env) {
+		const exact = this.pipelineName(logicalName, env);
+		return (name) => name === exact;
+	}
+	/**
+	* Cloudflare-side workflow name. Workflow names accept lowercase
+	* alphanumerics + hyphens; we mirror the pipelines/AI-Gateway hyphen
+	* scheme. Pattern: `wf-{logical}-t-{tenantId}-{env}`.
+	*/
+	workflowName(logicalName, env) {
+		if (this.conventions?.workflow) return this.conventions.workflow(logicalName, this.tenant.id, env);
+		return `wf-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Wrangler binding key emitted in `workflows[]`. Uppercased logical with
+	* the tenant id appended so two tenants sharing a script can't collide.
+	*/
+	workflowBindingKey(logicalName) {
+		return `WF_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	workflowMatchPattern(logicalName, env) {
+		const exact = this.workflowName(logicalName, env);
+		return (name) => name === exact;
+	}
+	/**
+	* Cloudflare Secrets Store name. Account-scoped — the API allows free-form
+	* names (the dashboard examples use both `service_x_keys` and dashed
+	* variants), so we mirror our hyphen convention for consistency with
+	* pipelines / workflows / AI Gateway. Pattern:
+	* `sec-{logical}-t-{tenantId}-{env}`.
+	*/
+	secretsStoreName(logicalName, env) {
+		return `sec-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Stable cross-reference key for the store. Secrets Store has no Wrangler
+	* binding kind directly — `secrets_store_secrets[]` references the
+	* resolved `store_id`, not the store name — so this only powers
+	* `${tamer:secret_store:<n>.binding}` interpolations.
+	*/
+	secretsStoreBindingKey(logicalName) {
+		return `SEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	secretsStoreMatchPattern(logicalName, env) {
+		const exact = this.secretsStoreName(logicalName, env);
+		return (name) => name === exact;
+	}
+	workerName(workerKey, env) {
+		if (this.conventions?.workerName) return this.conventions.workerName(this.tenant.slug, workerKey, env, this.tenant.id);
+		if (env === "local") return `${this.tenant.slug}-${workerKey}-${this.tenant.id}`;
+		return `${this.tenant.slug}-${workerKey}-${env}-${this.tenant.id}`;
+	}
+	/** Whether stack {@link NamingConventions.d1Shard} is configured. */
+	hasD1ShardConvention() {
+		return Boolean(this.conventions?.d1Shard);
+	}
+	d1MatchPattern(logicalName, env) {
+		if (this.conventions?.d1Shard) return (name) => {
+			const shardDate = this.extractD1ShardDate(name);
+			if (!shardDate) return false;
+			return this.d1ShardName(logicalName, shardDate, env) === name;
+		};
+		const suffix = `_t_${this.tenant.id}_${env}`;
+		if (logicalName === "default" || logicalName === "") return (name) => /^db_\d{8}_t_/.test(name) && name.endsWith(suffix);
+		const prefix = `db_${logicalName}_`;
+		return (name) => name.startsWith(prefix) && name.endsWith(suffix);
+	}
+	/**
+	* Default: exact {@link r2BucketName}, or legacy dated buckets
+	* `r2-{logical}-{YYYYMMDD}-t-{tenant}-{env}` from older Tamer versions.
+	* Custom {@link NamingConventions.r2Bucket}: exact name only (uses today's date
+	* when calling the hook, same as apply).
+	*/
+	r2MatchPattern(logicalName, env) {
+		if (this.conventions?.r2Bucket) {
+			const expected = this.r2BucketName(logicalName, env);
+			return (name) => name === expected;
+		}
+		const exactNew = `r2-${logicalName}-t-${this.tenant.id}-${env}`;
+		const legacyDated = /* @__PURE__ */ new RegExp(`^r2-${reLiteral(logicalName)}-\\d{8}-t-${reLiteral(this.tenant.id)}-${reLiteral(env)}$`);
+		return (name) => name === exactNew || legacyDated.test(name);
+	}
+	extractD1ShardDate(name) {
+		const compact = name.match(/_(\d{8})_t_/);
+		if (compact) {
+			const d = compact[1];
+			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
+		}
+		const underscored = name.match(/_(\d{4})_(\d{2})_(\d{2})_t_/);
+		if (underscored) return `${underscored[1]}-${underscored[2]}-${underscored[3]}`;
+		return null;
+	}
+	extractR2Date(name) {
+		const match = name.match(/r2-\w+-(\d{8})-t-/);
+		if (match) {
+			const d = match[1];
+			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
+		}
+		return null;
+	}
+};
+
+//#endregion
+//#region src/core/config/namingFromConfig.ts
+function namingFromConfig(config$1) {
+	const conventions = "naming" in config$1 && config$1.naming ? config$1.naming : void 0;
+	return new NamingEngine(config$1.tenant, conventions);
+}
+
 //#endregion
 //#region src/core/secrets/SecretsVault.ts
 /**
@@ -7543,6 +7543,36 @@ function assertSecretName(name) {
 	if (!trimmed) throw new Error("secret name is required");
 	return trimmed;
 }
+/** Resolve worker dir + declared secret names for `secrets load`. */
+async function resolveWorkerSecretsLoadTarget(ctx, workerKey, options) {
+	const baseDir = process.cwd();
+	const workers = await getWorkers(ctx.config, baseDir);
+	const hit = workers.find(([key]) => key === workerKey);
+	if (!hit) {
+		const available = workers.map(([key]) => key).sort().join(", ");
+		throw new Error(`secrets load: worker "${workerKey}" not found in config` + (available ? ` (available: ${available})` : ""));
+	}
+	const [, workerConfig] = hit;
+	const imports = await fetchStackImports(ctx.api, ctx.config, ctx.env).catch(() => ({}));
+	const required$1 = requiredSecretsForWorker(mergeWorkerConfigForResourcePick(ctx.config, workerKey, workerConfig, ctx.env, ctx.accountId, ctx.naming, ctx.state, {
+		referencesMode: "tolerant",
+		imports
+	}));
+	if (required$1.length === 0) {
+		if (options?.skipUndeclared) return null;
+		throw new Error(`secrets load: worker "${workerKey}" has no secrets.required — declare names in config first`);
+	}
+	return {
+		workerKey,
+		workerDir: workerConfig.path ? resolve(baseDir, workerConfig.path) : baseDir,
+		required: required$1
+	};
+}
+/** Path for logs — relative to cwd when possible. */
+function displayPathFromCwd(absOrRel) {
+	const rel = relative(process.cwd(), resolve(process.cwd(), absOrRel));
+	return rel && !rel.startsWith("..") ? rel.replace(/\\/g, "/") : absOrRel.replace(/\\/g, "/");
+}
 /** Vault + master key for deploy auto-push (remote envs only). */
 async function createDeploySecretsResources(api, env) {
 	const resolvedEnv = resolveSecretsEnv(env);
@@ -7702,40 +7732,84 @@ function parseDotenvContent(content) {
 function readDotenvFile(filePath) {
 	return parseDotenvContent(readFileSync(resolve(process.cwd(), filePath), "utf8"));
 }
+/** Default bulk-load file under a worker directory. */
+function defaultWorkerSecretsLoadFile(workerDir, env) {
+	return `${workerDir.replace(/\\/g, "/")}/.dev.vars.${env}`;
+}
 /**
-* Merge env vars for bulk load: all keys from `process.env`, then file
-* entries overwrite on duplicate keys (file wins).
+* When loading for a worker, only `secrets.required` names are imported.
+* Returns keys to upsert; throws if the file contains undeclared names.
 */
-function mergeLoadSources(fileEntries) {
-	const merged = {};
-	for (const [key, value] of Object.entries(process.env)) if (value != null && value !== "") merged[key] = value;
-	for (const [key, value] of Object.entries(fileEntries)) merged[key] = value;
-	return merged;
+function filterSecretsLoadEntriesForWorker(fileEntries, required$1) {
+	const requiredSet = new Set(required$1);
+	const extras = [];
+	const entries = {};
+	for (const [name, value] of Object.entries(fileEntries)) if (requiredSet.has(name)) entries[name] = value;
+	else extras.push(name);
+	if (extras.length > 0) throw new Error(`secrets load: file contains key(s) not in worker secrets.required: ${extras.sort().join(", ")}`);
+	return {
+		entries,
+		missing: required$1.filter((name) => !(name in fileEntries)).sort()
+	};
+}
+/**
+* Reject plain `.dev.vars` — reserved for local `wrangler dev`, not vault seeding.
+*/
+function assertRemoteSecretsLoadFile(filePath, env) {
+	if ((filePath.replace(/\\/g, "/").split("/").pop() ?? filePath) === ".dev.vars") throw new Error(`\`.dev.vars\` is for local wrangler dev only. Seed the vault with \`.dev.vars.${env}\` or omit --file (default).`);
 }
 
 //#endregion
 //#region src/cli/commands/secrets/load.ts
-async function runSecretsLoad(options) {
-	if (!options.file?.trim()) throw new Error("usage: tamer secrets load --file <path> --env <env>");
-	const ctx = await createSecretsContext({
-		env: options.env,
-		configPath: options.configPath
-	});
-	const merged = mergeLoadSources(readDotenvFile(options.file));
-	const names = Object.keys(merged).sort();
+async function loadSecretsForWorker(ctx, target, fileOverride) {
+	const file = fileOverride?.trim() || defaultWorkerSecretsLoadFile(target.workerDir, ctx.env);
+	assertRemoteSecretsLoadFile(file, ctx.env);
+	const { entries: fileEntries, missing } = filterSecretsLoadEntriesForWorker(readDotenvFile(file), target.required);
+	if (missing.length > 0) console.log(`secrets load: worker "${target.workerKey}" — skipping ${missing.length} declared secret(s) not in file: ${missing.join(", ")}`);
+	const names = Object.keys(fileEntries).sort();
 	if (names.length === 0) {
-		console.log("secrets load: no entries to import");
-		return;
+		console.log(`secrets load: worker "${target.workerKey}" — no entries to import from ${displayPathFromCwd(file)}`);
+		return 0;
 	}
 	let count = 0;
 	for (const name of names) {
-		const plaintext = merged[name];
+		const plaintext = fileEntries[name];
 		const encrypted = await encryptSecretValue(plaintext, ctx.masterKey);
 		const valueHash = await secretValueFingerprint(plaintext);
 		await ctx.vault.upsert(name, encrypted, valueHash, { updatedBy: cliUpdatedBy() });
 		count += 1;
 	}
-	console.log(`secrets: loaded ${count} secret(s) into ${ctx.env} vault from ${options.file}`);
+	console.log(`secrets: loaded ${count} secret(s) into ${ctx.env} vault from ${displayPathFromCwd(file)} (worker ${target.workerKey})`);
+	return count;
+}
+async function listWorkerSecretsLoadTargets(ctx, workerFilter) {
+	const workers = await getWorkers(ctx.config, process.cwd());
+	const out = [];
+	for (const [workerKey] of workers) {
+		if (workerFilter && workerKey !== workerFilter) continue;
+		const target = await resolveWorkerSecretsLoadTarget(ctx, workerKey, { skipUndeclared: !workerFilter });
+		if (target) out.push(target);
+	}
+	return out;
+}
+async function runSecretsLoad(options) {
+	const env = resolveSecretsEnv(options.env);
+	const workerKey = options.worker?.trim();
+	const fileOverride = options.file?.trim();
+	if (fileOverride && !workerKey) throw new Error("secrets load: --file requires --worker <name>");
+	const ctx = await createSecretsContext({
+		env,
+		configPath: options.configPath
+	});
+	const targets = await listWorkerSecretsLoadTargets(ctx, workerKey);
+	if (targets.length === 0) {
+		const hint = workerKey ? `worker "${workerKey}" has no secrets.required` : "no workers declare secrets.required";
+		console.log(`secrets load (${ctx.env}): ${hint}`);
+		return;
+	}
+	let total = 0;
+	for (const target of targets) total += await loadSecretsForWorker(ctx, target, workerKey ? fileOverride : void 0);
+	if (!workerKey && targets.length > 1) console.log(`secrets load (${ctx.env}): ${total} secret(s) from ${targets.length} worker(s)`);
 }
 
 //#endregion
@@ -8154,7 +8228,8 @@ async function runSecretsPush(options) {
 const SECRETS_USAGE = `usage:
   tamer secrets init --env <env> [--config <path>]
   tamer secrets set <NAME> --env <env> [--config <path>]   # value on stdin (pipe only)
-  tamer secrets load --file <path> --env <env> [--config <path>]
+  tamer secrets load --env <env> [--worker <name>] [--file <path>] [--config <path>]
+      # each worker: {workerDir}/.dev.vars.{env}; all declared workers when --worker omitted
   tamer secrets get <NAME> --env <env> [--config <path>]   # confirmation + audit log
   tamer secrets list --env <env> [--config <path>]
   tamer secrets rm <NAME> --env <env> [--config <path>]
@@ -8202,11 +8277,11 @@ async function runSecrets(argv) {
 			});
 			return 0;
 		case "load":
-			if (!parsed.file) throw new Error("secrets load requires --file <path>");
 			await runSecretsLoad({
 				file: parsed.file,
 				env: parsed.env,
-				configPath: parsed.configPath
+				configPath: parsed.configPath,
+				worker: parsed.worker
 			});
 			return 0;
 		case "get":
@@ -8547,14 +8622,14 @@ async function main() {
 	try {
 		switch (command) {
 			case "bootstrap":
-				await import("./bootstrap-D__dHw1w.mjs").then((m) => m.runBootstrap(parseBootstrapArgs(rest)));
+				await import("./bootstrap-CQS5s33A.mjs").then((m) => m.runBootstrap(parseBootstrapArgs(rest)));
 				break;
 			case "sync":
-				await import("./sync-CpfxqlOx.mjs").then((m) => m.runSync(parseSyncArgs(rest)));
+				await import("./sync-KTzMVc_o.mjs").then((m) => m.runSync(parseSyncArgs(rest)));
 				break;
 			case "apply": {
 				const a = parseApplyArgs(rest);
-				await import("./apply-BjrYbyHn.mjs").then((m) => m.runApply({
+				await import("./apply-C_70Hgcf.mjs").then((m) => m.runApply({
 					env: a.env,
 					addShard: a.addShard,
 					configPath: a.configPath,
@@ -8566,11 +8641,11 @@ async function main() {
 				break;
 			}
 			case "dev":
-				await import("./dev-BLthyLml.mjs").then((m) => m.runDev(parseDevArgs(rest)));
+				await import("./dev-caJxohHI.mjs").then((m) => m.runDev(parseDevArgs(rest)));
 				break;
 			case "deploy": {
 				const d = parseDeployArgs(rest);
-				await import("./deploy-C6fX9td0.mjs").then((m) => m.runDeploy({
+				await import("./deploy-D-GXzsWR.mjs").then((m) => m.runDeploy({
 					worker: d.worker,
 					env: d.env,
 					configPath: d.configPath,
@@ -8579,23 +8654,23 @@ async function main() {
 				break;
 			}
 			case "migrate":
-				await import("./migrate-CroDjbJz.mjs").then((m) => m.runMigrate(parseMigrateArgs(rest)));
+				await import("./migrate-skvsDG6d.mjs").then((m) => m.runMigrate(parseMigrateArgs(rest)));
 				break;
 			case "types":
-				await import("./types-BzzHwIdw.mjs").then((m) => m.runTypes(parseTypesArgs(rest)));
+				await import("./types-D7qKnGsm.mjs").then((m) => m.runTypes(parseTypesArgs(rest)));
 				break;
 			case "status":
-				await import("./status-DkkS5lc9.mjs").then((m) => m.runStatus(parseStatusArgs(rest)));
+				await import("./status-BxStsax8.mjs").then((m) => m.runStatus(parseStatusArgs(rest)));
 				break;
 			case "events":
-				await import("./events-otk0l3aJ.mjs").then((m) => m.runEvents(parseEventsArgs(rest)));
+				await import("./events-Bor7XgLC.mjs").then((m) => m.runEvents(parseEventsArgs(rest)));
 				break;
 			case "drift":
-				exitStatus = await import("./drift-BCxWdYHG.mjs").then((m) => m.runDrift(parseDriftArgs(rest)));
+				exitStatus = await import("./drift-5_LwAdZo.mjs").then((m) => m.runDrift(parseDriftArgs(rest)));
 				break;
 			case "plan": {
 				const p = parsePlanArgs(rest);
-				exitStatus = await import("./plan-C2urqJOz.mjs").then((m) => m.runPlan({
+				exitStatus = await import("./plan-BLy8FaE2.mjs").then((m) => m.runPlan({
 					env: p.env,
 					configPath: p.configPath,
 					json: p.json,
@@ -8607,14 +8682,14 @@ async function main() {
 				break;
 			}
 			case "import":
-				await import("./import-OvohE-H2.mjs").then((m) => m.runImport(parseImportArgs(rest)));
+				await import("./import-Vn9lhWic.mjs").then((m) => m.runImport(parseImportArgs(rest)));
 				break;
 			case "doctor":
 				exitStatus = await import("./doctor-32YLAXXl.mjs").then((m) => m.runDoctor(parseDoctorArgs(rest)));
 				break;
 			case "provision-tenant": {
 				const p = parseProvisionTenantArgs(rest);
-				await import("./provision-tenant-BJ1KugON.mjs").then((m) => m.runProvisionTenant({
+				await import("./provision-tenant-CleOYFwr.mjs").then((m) => m.runProvisionTenant({
 					env: p.env,
 					product: p.product,
 					workspace: p.workspace,
@@ -8631,7 +8706,7 @@ async function main() {
 			}
 			case "destroy-tenant": {
 				const t = parseDestroyTenantArgs(rest);
-				await import("./destroy-tenant-T_94ed9x.mjs").then((m) => m.runDestroyTenant({
+				await import("./destroy-tenant-DFHfNImL.mjs").then((m) => m.runDestroyTenant({
 					env: t.env,
 					product: t.product,
 					workspace: t.workspace,
@@ -8644,7 +8719,7 @@ async function main() {
 			}
 			case "destroy": {
 				const d = parseDestroyArgs(rest);
-				await import("./destroy-vfk2Zbfj.mjs").then((m) => m.runDestroy({
+				await import("./destroy-DJRw_qLX.mjs").then((m) => m.runDestroy({
 					env: d.env,
 					force: d.force,
 					skipWorkers: d.skipWorkers,
@@ -8730,7 +8805,7 @@ Options:
 Secrets (requires TAMER_SECRETS_KEY_{env} master key env var):
   tamer secrets init --env <env>              Generate master key (print once) + provision vault
   tamer secrets set <NAME> --env <env>        Encrypt value from stdin into vault (pipe only)
-  tamer secrets load --file .dev.vars --env <env>  Bulk import; file wins over process.env
+  tamer secrets load --env <env> [--worker <name>] [--file .dev.vars.<env>]  Bulk import; all workers when --worker omitted
   tamer secrets get <NAME> --env <env>        Decrypt + print (confirmation + audit log)
   tamer secrets list --env <env>              Names + fingerprints + last-set (never values)
   tamer secrets rm <NAME> --env <env>         Remove from vault
@@ -8764,5 +8839,5 @@ Environment variables (same as Wrangler):
 main();
 
 //#endregion
-export { resolveReferencesInString as A, getWorkers as B, stackNameForConfig as C, resolveDeployedWorkerName as D, mergedWorkerConfigForEnv as E, ensureTamerSecretsDatabase as F, tamerSecretsDatabaseName as I, CFApiClient as L, effectiveDispatchNamespaceName as M, isEphemeralEnv as N, resolveWorkerConfig as O, namingFromConfig as P, cloudflareAccountIdFromEnv as R, tamerStateDatabaseName as S, mergeWorkerConfigForResourcePick as T, loadConfig as V, tenantShardDatabaseName as _, reconcileSecrets as a, destroyTamerStateDatabase as b, vaultReaderFromMap as c, fetchStackImports as d, importedStackNames as f, tenantDispatchScriptName as g, parseTenantShardRoles as h, pushSecretsForDeploy as i, wranglerConfigCliArgs as j, rewriteIntraStackServiceTargets as k, createDeploySecretsResources as l, StateManager as m, parseSecretsArgs as n, secretsDrift as o, scanConfigForImports as p, runSecrets as r, secretsPlanItems as s, SECRETS_USAGE as t, requiredSecretsForWorker as u, tenantStateKey as v, buildIntraStackScriptNameMap as w, ensureTamerStateDatabase as x, createEmptyCfiState as y, cloudflareApiTokenFromEnv as z };
+export { rewriteIntraStackServiceTargets as A, getWorkers as B, tamerStateDatabaseName as C, mergedWorkerConfigForEnv as D, mergeWorkerConfigForResourcePick as E, ensureTamerSecretsDatabase as F, tamerSecretsDatabaseName as I, CFApiClient as L, wranglerConfigCliArgs as M, effectiveDispatchNamespaceName as N, resolveDeployedWorkerName as O, isEphemeralEnv as P, cloudflareAccountIdFromEnv as R, ensureTamerStateDatabase as S, buildIntraStackScriptNameMap as T, loadConfig as V, tenantDispatchScriptName as _, reconcileSecrets as a, createEmptyCfiState as b, vaultReaderFromMap as c, requiredSecretsForWorker as d, fetchStackImports as f, parseTenantShardRoles as g, StateManager as h, pushSecretsForDeploy as i, resolveReferencesInString as j, resolveWorkerConfig as k, createDeploySecretsResources as l, scanConfigForImports as m, parseSecretsArgs as n, secretsDrift as o, importedStackNames as p, runSecrets as r, secretsPlanItems as s, SECRETS_USAGE as t, namingFromConfig as u, tenantShardDatabaseName as v, stackNameForConfig as w, destroyTamerStateDatabase as x, tenantStateKey as y, cloudflareApiTokenFromEnv as z };
 //# sourceMappingURL=tamer.mjs.map