@dragonmastery/tamer 0.31.1 → 0.31.5

package/dist/tamer.mjs

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { c as TAMER_OVERLAY_ENV_KEY, f as getDispatchNamespaces, n as materializeTamerResolvable, r as materializeVars, t as materializeCloudflareBindings } from "./normalize-DVSTRZhO.mjs";
-import { basename, dirname, resolve } from "path";
+import { basename, dirname, relative, resolve } from "path";
 import { existsSync, readFileSync } from "fs";
 import * as readline from "readline/promises";
 
@@ -5553,216 +5553,6 @@ function base64ToBytes(base64$1) {
 	return new Uint8Array(Buffer.from(base64$1, "base64"));
 }
 
-//#endregion
-//#region src/core/naming/NamingEngine.ts
-function reLiteral(s) {
-	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-var NamingEngine = class {
-	constructor(tenant, conventions) {
-		this.tenant = tenant;
-		this.conventions = conventions;
-	}
-	/** Tenant id for per-resource {@link CloudflareNameFn} overrides. */
-	get tenantId() {
-		return this.tenant.id;
-	}
-	d1SingleName(logicalName, env) {
-		if (this.conventions?.d1Single) return this.conventions.d1Single(logicalName, this.tenant.id, env);
-		return `db_${logicalName}_t_${this.tenant.id}_${env}`;
-	}
-	d1ShardName(logicalName, shardDate, env) {
-		if (this.conventions?.d1Shard) return this.conventions.d1Shard(logicalName, shardDate, this.tenant.id, env);
-		const dateNoDashes = shardDate.replace(/-/g, "");
-		if (logicalName === "default" || logicalName === "") return `db_${dateNoDashes}_t_${this.tenant.id}_${env}`;
-		return `db_${logicalName}_${dateNoDashes}_t_${this.tenant.id}_${env}`;
-	}
-	d1SingleBindingKey(logicalName) {
-		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	d1ShardBindingKey(logicalName, shardDate) {
-		const dateNoDashes = shardDate.replace(/-/g, "");
-		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_${dateNoDashes}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	r2BucketName(logicalName, env) {
-		if (this.conventions?.r2Bucket) {
-			const dateNoDashes = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10).replace(/-/g, "");
-			return this.conventions.r2Bucket(logicalName, dateNoDashes, this.tenant.id, env);
-		}
-		return `r2-${logicalName}-t-${this.tenant.id}-${env}`;
-	}
-	/**
-	* Wrangler `r2_buckets[].binding`: logical + tenant only (same idea as {@link kvBindingKey}).
-	* Stable across envs; default {@link r2BucketName} is `r2-{logical}-t-{tenant}-{env}`.
-	*/
-	r2BindingKey(logicalName) {
-		return `R2_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	kvNamespaceName(logicalName, env) {
-		return `kv_${logicalName}_t_${this.tenant.id}_${env}`;
-	}
-	kvBindingKey(logicalName) {
-		return `KV_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	queueName(logicalName, env) {
-		return `q-${logicalName}-t-${this.tenant.id}-${env}`;
-	}
-	queueBindingKey(logicalName) {
-		return `Q_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	hyperdriveName(logicalName, env) {
-		return `hd-${logicalName}-t-${this.tenant.id}-${env}`;
-	}
-	hyperdriveBindingKey(logicalName) {
-		return `HD_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	vectorizeName(logicalName, env) {
-		return `vec-${logicalName}-t-${this.tenant.id}-${env}`;
-	}
-	vectorizeBindingKey(logicalName) {
-		return `VEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	/**
-	* AI Gateway slug (== Cloudflare gateway id). Per the Cloudflare API,
-	* gateway ids are case-sensitive lowercase ascii with `-`/`_`. Format:
-	* `aigw-{logical}-t-{tenantId}-{env}`.
-	*/
-	aiGatewayId(logicalName, env) {
-		return `aigw-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
-	}
-	/**
-	* Stable cross-reference binding key for AI Gateway. AI Gateway has no
-	* Wrangler binding kind today, so this is only consumed by
-	* `${tamer:ai_gateway:<logical>.binding}` interpolations.
-	*/
-	aiGatewayBindingKey(logicalName) {
-		return `AI_GW_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	/**
-	* Cloudflare-side pipeline name. Pipelines V1 names must be lowercase
-	* alphanumerics + hyphens (no underscores), so we mirror the R2 scheme.
-	* Pattern: `pipe-{logical}-t-{tenantId}-{env}`.
-	*/
-	pipelineName(logicalName, env) {
-		return `pipe-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
-	}
-	/**
-	* Wrangler binding key emitted in `pipelines[]`. Uppercased logical with
-	* the tenant id appended so two tenants can share a worker namespace
-	* without colliding bindings.
-	*/
-	pipelineBindingKey(logicalName) {
-		return `PIPE_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	pipelineMatchPattern(logicalName, env) {
-		const exact = this.pipelineName(logicalName, env);
-		return (name) => name === exact;
-	}
-	/**
-	* Cloudflare-side workflow name. Workflow names accept lowercase
-	* alphanumerics + hyphens; we mirror the pipelines/AI-Gateway hyphen
-	* scheme. Pattern: `wf-{logical}-t-{tenantId}-{env}`.
-	*/
-	workflowName(logicalName, env) {
-		if (this.conventions?.workflow) return this.conventions.workflow(logicalName, this.tenant.id, env);
-		return `wf-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
-	}
-	/**
-	* Wrangler binding key emitted in `workflows[]`. Uppercased logical with
-	* the tenant id appended so two tenants sharing a script can't collide.
-	*/
-	workflowBindingKey(logicalName) {
-		return `WF_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	workflowMatchPattern(logicalName, env) {
-		const exact = this.workflowName(logicalName, env);
-		return (name) => name === exact;
-	}
-	/**
-	* Cloudflare Secrets Store name. Account-scoped — the API allows free-form
-	* names (the dashboard examples use both `service_x_keys` and dashed
-	* variants), so we mirror our hyphen convention for consistency with
-	* pipelines / workflows / AI Gateway. Pattern:
-	* `sec-{logical}-t-{tenantId}-{env}`.
-	*/
-	secretsStoreName(logicalName, env) {
-		return `sec-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
-	}
-	/**
-	* Stable cross-reference key for the store. Secrets Store has no Wrangler
-	* binding kind directly — `secrets_store_secrets[]` references the
-	* resolved `store_id`, not the store name — so this only powers
-	* `${tamer:secret_store:<n>.binding}` interpolations.
-	*/
-	secretsStoreBindingKey(logicalName) {
-		return `SEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
-	}
-	secretsStoreMatchPattern(logicalName, env) {
-		const exact = this.secretsStoreName(logicalName, env);
-		return (name) => name === exact;
-	}
-	workerName(workerKey, env) {
-		if (this.conventions?.workerName) return this.conventions.workerName(this.tenant.slug, workerKey, env, this.tenant.id);
-		if (env === "local") return `${this.tenant.slug}-${workerKey}-${this.tenant.id}`;
-		return `${this.tenant.slug}-${workerKey}-${env}-${this.tenant.id}`;
-	}
-	/** Whether stack {@link NamingConventions.d1Shard} is configured. */
-	hasD1ShardConvention() {
-		return Boolean(this.conventions?.d1Shard);
-	}
-	d1MatchPattern(logicalName, env) {
-		if (this.conventions?.d1Shard) return (name) => {
-			const shardDate = this.extractD1ShardDate(name);
-			if (!shardDate) return false;
-			return this.d1ShardName(logicalName, shardDate, env) === name;
-		};
-		const suffix = `_t_${this.tenant.id}_${env}`;
-		if (logicalName === "default" || logicalName === "") return (name) => /^db_\d{8}_t_/.test(name) && name.endsWith(suffix);
-		const prefix = `db_${logicalName}_`;
-		return (name) => name.startsWith(prefix) && name.endsWith(suffix);
-	}
-	/**
-	* Default: exact {@link r2BucketName}, or legacy dated buckets
-	* `r2-{logical}-{YYYYMMDD}-t-{tenant}-{env}` from older Tamer versions.
-	* Custom {@link NamingConventions.r2Bucket}: exact name only (uses today's date
-	* when calling the hook, same as apply).
-	*/
-	r2MatchPattern(logicalName, env) {
-		if (this.conventions?.r2Bucket) {
-			const expected = this.r2BucketName(logicalName, env);
-			return (name) => name === expected;
-		}
-		const exactNew = `r2-${logicalName}-t-${this.tenant.id}-${env}`;
-		const legacyDated = /* @__PURE__ */ new RegExp(`^r2-${reLiteral(logicalName)}-\\d{8}-t-${reLiteral(this.tenant.id)}-${reLiteral(env)}$`);
-		return (name) => name === exactNew || legacyDated.test(name);
-	}
-	extractD1ShardDate(name) {
-		const compact = name.match(/_(\d{8})_t_/);
-		if (compact) {
-			const d = compact[1];
-			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
-		}
-		const underscored = name.match(/_(\d{4})_(\d{2})_(\d{2})_t_/);
-		if (underscored) return `${underscored[1]}-${underscored[2]}-${underscored[3]}`;
-		return null;
-	}
-	extractR2Date(name) {
-		const match = name.match(/r2-\w+-(\d{8})-t-/);
-		if (match) {
-			const d = match[1];
-			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
-		}
-		return null;
-	}
-};
-
-//#endregion
-//#region src/core/config/namingFromConfig.ts
-function namingFromConfig(config$1) {
-	const conventions = "naming" in config$1 && config$1.naming ? config$1.naming : void 0;
-	return new NamingEngine(config$1.tenant, conventions);
-}
-
 //#endregion
 //#region src/features/dispatch-namespace/dispatch-namespace.resolve.ts
 const ephemeralPredicateCache = /* @__PURE__ */ new WeakMap();
@@ -7314,6 +7104,216 @@ function requiredSecretsForWorker(workerConfig) {
 	return workerConfig.secrets?.required ?? [];
 }
 
+//#endregion
+//#region src/core/naming/NamingEngine.ts
+function reLiteral(s) {
+	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+var NamingEngine = class {
+	constructor(tenant, conventions) {
+		this.tenant = tenant;
+		this.conventions = conventions;
+	}
+	/** Tenant id for per-resource {@link CloudflareNameFn} overrides. */
+	get tenantId() {
+		return this.tenant.id;
+	}
+	d1SingleName(logicalName, env) {
+		if (this.conventions?.d1Single) return this.conventions.d1Single(logicalName, this.tenant.id, env);
+		return `db_${logicalName}_t_${this.tenant.id}_${env}`;
+	}
+	d1ShardName(logicalName, shardDate, env) {
+		if (this.conventions?.d1Shard) return this.conventions.d1Shard(logicalName, shardDate, this.tenant.id, env);
+		const dateNoDashes = shardDate.replace(/-/g, "");
+		if (logicalName === "default" || logicalName === "") return `db_${dateNoDashes}_t_${this.tenant.id}_${env}`;
+		return `db_${logicalName}_${dateNoDashes}_t_${this.tenant.id}_${env}`;
+	}
+	d1SingleBindingKey(logicalName) {
+		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	d1ShardBindingKey(logicalName, shardDate) {
+		const dateNoDashes = shardDate.replace(/-/g, "");
+		return `DB_${logicalName.toUpperCase().replace(/-/g, "_")}_${dateNoDashes}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	r2BucketName(logicalName, env) {
+		if (this.conventions?.r2Bucket) {
+			const dateNoDashes = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10).replace(/-/g, "");
+			return this.conventions.r2Bucket(logicalName, dateNoDashes, this.tenant.id, env);
+		}
+		return `r2-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	/**
+	* Wrangler `r2_buckets[].binding`: logical + tenant only (same idea as {@link kvBindingKey}).
+	* Stable across envs; default {@link r2BucketName} is `r2-{logical}-t-{tenant}-{env}`.
+	*/
+	r2BindingKey(logicalName) {
+		return `R2_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	kvNamespaceName(logicalName, env) {
+		return `kv_${logicalName}_t_${this.tenant.id}_${env}`;
+	}
+	kvBindingKey(logicalName) {
+		return `KV_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	queueName(logicalName, env) {
+		return `q-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	queueBindingKey(logicalName) {
+		return `Q_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	hyperdriveName(logicalName, env) {
+		return `hd-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	hyperdriveBindingKey(logicalName) {
+		return `HD_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	vectorizeName(logicalName, env) {
+		return `vec-${logicalName}-t-${this.tenant.id}-${env}`;
+	}
+	vectorizeBindingKey(logicalName) {
+		return `VEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	/**
+	* AI Gateway slug (== Cloudflare gateway id). Per the Cloudflare API,
+	* gateway ids are case-sensitive lowercase ascii with `-`/`_`. Format:
+	* `aigw-{logical}-t-{tenantId}-{env}`.
+	*/
+	aiGatewayId(logicalName, env) {
+		return `aigw-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Stable cross-reference binding key for AI Gateway. AI Gateway has no
+	* Wrangler binding kind today, so this is only consumed by
+	* `${tamer:ai_gateway:<logical>.binding}` interpolations.
+	*/
+	aiGatewayBindingKey(logicalName) {
+		return `AI_GW_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	/**
+	* Cloudflare-side pipeline name. Pipelines V1 names must be lowercase
+	* alphanumerics + hyphens (no underscores), so we mirror the R2 scheme.
+	* Pattern: `pipe-{logical}-t-{tenantId}-{env}`.
+	*/
+	pipelineName(logicalName, env) {
+		return `pipe-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Wrangler binding key emitted in `pipelines[]`. Uppercased logical with
+	* the tenant id appended so two tenants can share a worker namespace
+	* without colliding bindings.
+	*/
+	pipelineBindingKey(logicalName) {
+		return `PIPE_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	pipelineMatchPattern(logicalName, env) {
+		const exact = this.pipelineName(logicalName, env);
+		return (name) => name === exact;
+	}
+	/**
+	* Cloudflare-side workflow name. Workflow names accept lowercase
+	* alphanumerics + hyphens; we mirror the pipelines/AI-Gateway hyphen
+	* scheme. Pattern: `wf-{logical}-t-{tenantId}-{env}`.
+	*/
+	workflowName(logicalName, env) {
+		if (this.conventions?.workflow) return this.conventions.workflow(logicalName, this.tenant.id, env);
+		return `wf-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Wrangler binding key emitted in `workflows[]`. Uppercased logical with
+	* the tenant id appended so two tenants sharing a script can't collide.
+	*/
+	workflowBindingKey(logicalName) {
+		return `WF_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	workflowMatchPattern(logicalName, env) {
+		const exact = this.workflowName(logicalName, env);
+		return (name) => name === exact;
+	}
+	/**
+	* Cloudflare Secrets Store name. Account-scoped — the API allows free-form
+	* names (the dashboard examples use both `service_x_keys` and dashed
+	* variants), so we mirror our hyphen convention for consistency with
+	* pipelines / workflows / AI Gateway. Pattern:
+	* `sec-{logical}-t-{tenantId}-{env}`.
+	*/
+	secretsStoreName(logicalName, env) {
+		return `sec-${logicalName}-t-${this.tenant.id}-${env}`.toLowerCase();
+	}
+	/**
+	* Stable cross-reference key for the store. Secrets Store has no Wrangler
+	* binding kind directly — `secrets_store_secrets[]` references the
+	* resolved `store_id`, not the store name — so this only powers
+	* `${tamer:secret_store:<n>.binding}` interpolations.
+	*/
+	secretsStoreBindingKey(logicalName) {
+		return `SEC_${logicalName.toUpperCase().replace(/-/g, "_")}_T_${this.tenant.id.toUpperCase()}`;
+	}
+	secretsStoreMatchPattern(logicalName, env) {
+		const exact = this.secretsStoreName(logicalName, env);
+		return (name) => name === exact;
+	}
+	workerName(workerKey, env) {
+		if (this.conventions?.workerName) return this.conventions.workerName(this.tenant.slug, workerKey, env, this.tenant.id);
+		if (env === "local") return `${this.tenant.slug}-${workerKey}-${this.tenant.id}`;
+		return `${this.tenant.slug}-${workerKey}-${env}-${this.tenant.id}`;
+	}
+	/** Whether stack {@link NamingConventions.d1Shard} is configured. */
+	hasD1ShardConvention() {
+		return Boolean(this.conventions?.d1Shard);
+	}
+	d1MatchPattern(logicalName, env) {
+		if (this.conventions?.d1Shard) return (name) => {
+			const shardDate = this.extractD1ShardDate(name);
+			if (!shardDate) return false;
+			return this.d1ShardName(logicalName, shardDate, env) === name;
+		};
+		const suffix = `_t_${this.tenant.id}_${env}`;
+		if (logicalName === "default" || logicalName === "") return (name) => /^db_\d{8}_t_/.test(name) && name.endsWith(suffix);
+		const prefix = `db_${logicalName}_`;
+		return (name) => name.startsWith(prefix) && name.endsWith(suffix);
+	}
+	/**
+	* Default: exact {@link r2BucketName}, or legacy dated buckets
+	* `r2-{logical}-{YYYYMMDD}-t-{tenant}-{env}` from older Tamer versions.
+	* Custom {@link NamingConventions.r2Bucket}: exact name only (uses today's date
+	* when calling the hook, same as apply).
+	*/
+	r2MatchPattern(logicalName, env) {
+		if (this.conventions?.r2Bucket) {
+			const expected = this.r2BucketName(logicalName, env);
+			return (name) => name === expected;
+		}
+		const exactNew = `r2-${logicalName}-t-${this.tenant.id}-${env}`;
+		const legacyDated = /* @__PURE__ */ new RegExp(`^r2-${reLiteral(logicalName)}-\\d{8}-t-${reLiteral(this.tenant.id)}-${reLiteral(env)}$`);
+		return (name) => name === exactNew || legacyDated.test(name);
+	}
+	extractD1ShardDate(name) {
+		const compact = name.match(/_(\d{8})_t_/);
+		if (compact) {
+			const d = compact[1];
+			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
+		}
+		const underscored = name.match(/_(\d{4})_(\d{2})_(\d{2})_t_/);
+		if (underscored) return `${underscored[1]}-${underscored[2]}-${underscored[3]}`;
+		return null;
+	}
+	extractR2Date(name) {
+		const match = name.match(/r2-\w+-(\d{8})-t-/);
+		if (match) {
+			const d = match[1];
+			return `${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 8)}`;
+		}
+		return null;
+	}
+};
+
+//#endregion
+//#region src/core/config/namingFromConfig.ts
+function namingFromConfig(config$1) {
+	const conventions = "naming" in config$1 && config$1.naming ? config$1.naming : void 0;
+	return new NamingEngine(config$1.tenant, conventions);
+}
+
 //#endregion
 //#region src/core/secrets/SecretsVault.ts
 /**
@@ -7543,6 +7543,36 @@ function assertSecretName(name) {
 	if (!trimmed) throw new Error("secret name is required");
 	return trimmed;
 }
+/** Resolve worker dir + declared secret names for `secrets load`. */
+async function resolveWorkerSecretsLoadTarget(ctx, workerKey, options) {
+	const baseDir = process.cwd();
+	const workers = await getWorkers(ctx.config, baseDir);
+	const hit = workers.find(([key]) => key === workerKey);
+	if (!hit) {
+		const available = workers.map(([key]) => key).sort().join(", ");
+		throw new Error(`secrets load: worker "${workerKey}" not found in config` + (available ? ` (available: ${available})` : ""));
+	}
+	const [, workerConfig] = hit;
+	const imports = await fetchStackImports(ctx.api, ctx.config, ctx.env).catch(() => ({}));
+	const required$1 = requiredSecretsForWorker(mergeWorkerConfigForResourcePick(ctx.config, workerKey, workerConfig, ctx.env, ctx.accountId, ctx.naming, ctx.state, {
+		referencesMode: "tolerant",
+		imports
+	}));
+	if (required$1.length === 0) {
+		if (options?.skipUndeclared) return null;
+		throw new Error(`secrets load: worker "${workerKey}" has no secrets.required — declare names in config first`);
+	}
+	return {
+		workerKey,
+		workerDir: workerConfig.path ? resolve(baseDir, workerConfig.path) : baseDir,
+		required: required$1
+	};
+}
+/** Path for logs — relative to cwd when possible. */
+function displayPathFromCwd(absOrRel) {
+	const rel = relative(process.cwd(), resolve(process.cwd(), absOrRel));
+	return rel && !rel.startsWith("..") ? rel.replace(/\\/g, "/") : absOrRel.replace(/\\/g, "/");
+}
 /** Vault + master key for deploy auto-push (remote envs only). */
 async function createDeploySecretsResources(api, env) {
 	const resolvedEnv = resolveSecretsEnv(env);
@@ -7702,9 +7732,25 @@ function parseDotenvContent(content) {
 function readDotenvFile(filePath) {
 	return parseDotenvContent(readFileSync(resolve(process.cwd(), filePath), "utf8"));
 }
-/** Default bulk-load file for a remote env. Plain `.dev.vars` is wrangler dev / local only. */
-function defaultSecretsLoadFile(env) {
-	return `.dev.vars.${env}`;
+/** Default bulk-load file under a worker directory. */
+function defaultWorkerSecretsLoadFile(workerDir, env) {
+	return `${workerDir.replace(/\\/g, "/")}/.dev.vars.${env}`;
+}
+/**
+* When loading for a worker, only `secrets.required` names are imported.
+* Returns keys to upsert; throws if the file contains undeclared names.
+*/
+function filterSecretsLoadEntriesForWorker(fileEntries, required$1) {
+	const requiredSet = new Set(required$1);
+	const extras = [];
+	const entries = {};
+	for (const [name, value] of Object.entries(fileEntries)) if (requiredSet.has(name)) entries[name] = value;
+	else extras.push(name);
+	if (extras.length > 0) throw new Error(`secrets load: file contains key(s) not in worker secrets.required: ${extras.sort().join(", ")}`);
+	return {
+		entries,
+		missing: required$1.filter((name) => !(name in fileEntries)).sort()
+	};
 }
 /**
 * Reject plain `.dev.vars` — reserved for local `wrangler dev`, not vault seeding.
@@ -7715,19 +7761,15 @@ function assertRemoteSecretsLoadFile(filePath, env) {
 
 //#endregion
 //#region src/cli/commands/secrets/load.ts
-async function runSecretsLoad(options) {
-	const env = resolveSecretsEnv(options.env);
-	const file = options.file?.trim() || defaultSecretsLoadFile(env);
-	assertRemoteSecretsLoadFile(file, env);
-	const ctx = await createSecretsContext({
-		env,
-		configPath: options.configPath
-	});
-	const fileEntries = readDotenvFile(file);
+async function loadSecretsForWorker(ctx, target, fileOverride) {
+	const file = fileOverride?.trim() || defaultWorkerSecretsLoadFile(target.workerDir, ctx.env);
+	assertRemoteSecretsLoadFile(file, ctx.env);
+	const { entries: fileEntries, missing } = filterSecretsLoadEntriesForWorker(readDotenvFile(file), target.required);
+	if (missing.length > 0) console.log(`secrets load: worker "${target.workerKey}" — skipping ${missing.length} declared secret(s) not in file: ${missing.join(", ")}`);
 	const names = Object.keys(fileEntries).sort();
 	if (names.length === 0) {
-		console.log("secrets load: no entries to import");
-		return;
+		console.log(`secrets load: worker "${target.workerKey}" — no entries to import from ${displayPathFromCwd(file)}`);
+		return 0;
 	}
 	let count = 0;
 	for (const name of names) {
@@ -7737,7 +7779,37 @@ async function runSecretsLoad(options) {
 		await ctx.vault.upsert(name, encrypted, valueHash, { updatedBy: cliUpdatedBy() });
 		count += 1;
 	}
-	console.log(`secrets: loaded ${count} secret(s) into ${ctx.env} vault from ${file}`);
+	console.log(`secrets: loaded ${count} secret(s) into ${ctx.env} vault from ${displayPathFromCwd(file)} (worker ${target.workerKey})`);
+	return count;
+}
+async function listWorkerSecretsLoadTargets(ctx, workerFilter) {
+	const workers = await getWorkers(ctx.config, process.cwd());
+	const out = [];
+	for (const [workerKey] of workers) {
+		if (workerFilter && workerKey !== workerFilter) continue;
+		const target = await resolveWorkerSecretsLoadTarget(ctx, workerKey, { skipUndeclared: !workerFilter });
+		if (target) out.push(target);
+	}
+	return out;
+}
+async function runSecretsLoad(options) {
+	const env = resolveSecretsEnv(options.env);
+	const workerKey = options.worker?.trim();
+	const fileOverride = options.file?.trim();
+	if (fileOverride && !workerKey) throw new Error("secrets load: --file requires --worker <name>");
+	const ctx = await createSecretsContext({
+		env,
+		configPath: options.configPath
+	});
+	const targets = await listWorkerSecretsLoadTargets(ctx, workerKey);
+	if (targets.length === 0) {
+		const hint = workerKey ? `worker "${workerKey}" has no secrets.required` : "no workers declare secrets.required";
+		console.log(`secrets load (${ctx.env}): ${hint}`);
+		return;
+	}
+	let total = 0;
+	for (const target of targets) total += await loadSecretsForWorker(ctx, target, workerKey ? fileOverride : void 0);
+	if (!workerKey && targets.length > 1) console.log(`secrets load (${ctx.env}): ${total} secret(s) from ${targets.length} worker(s)`);
 }
 
 //#endregion
@@ -7969,13 +8041,7 @@ function secretsDrift(entries) {
 					detail: "removed from vault"
 				});
 				break;
-			case "undeclared_on_worker":
-				drift.unrecordedInState.push({
-					logicalName: e.name,
-					derivedName,
-					detail: "undeclared on worker"
-				});
-				break;
+			case "undeclared_on_worker": break;
 		}
 	}
 	return drift;
@@ -8030,8 +8096,20 @@ const STATUS_LABEL = {
 	never_deployed: "never deployed",
 	rotated_not_deployed: "rotated, not deployed",
 	removed_from_vault: "removed from vault",
-	undeclared_on_worker: "undeclared on worker"
+	undeclared_on_worker: "not in secrets.required"
 };
+function isDeclaredIssue(status) {
+	return status !== "in_sync" && status !== "undeclared_on_worker";
+}
+function sortEntries(entries) {
+	return [...entries].sort((a, b) => secretDerivedName(a.worker, a.name).localeCompare(secretDerivedName(b.worker, b.name)));
+}
+function printEntry(entry) {
+	const label = STATUS_LABEL[entry.status];
+	const id = secretDerivedName(entry.worker, entry.name);
+	const workerFlag = entry.onWorker ? "on worker" : "not on worker";
+	console.log(`  ${id}  ${label} (${workerFlag})`);
+}
 async function runSecretsVerify(options) {
 	const ctx = await createSecretsContext({
 		env: options.env,
@@ -8051,21 +8129,31 @@ async function runSecretsVerify(options) {
 		vault: vaultReaderFromVault(ctx.vault),
 		state: ctx.state
 	});
+	const declared = sortEntries(entries.filter((e) => e.status !== "undeclared_on_worker"));
+	const onWorkerOnly = sortEntries(entries.filter((e) => e.status === "undeclared_on_worker"));
 	console.log(`\nSecrets verify — env ${ctx.env}\n`);
-	if (entries.length === 0) {
+	if (declared.length === 0 && onWorkerOnly.length === 0) {
 		console.log("  (no declared secrets)\n");
 		return 0;
 	}
-	let issues = 0;
-	for (const entry of entries.sort((a, b) => secretDerivedName(a.worker, a.name).localeCompare(secretDerivedName(b.worker, b.name)))) {
-		const label = STATUS_LABEL[entry.status];
-		const id = secretDerivedName(entry.worker, entry.name);
-		const workerFlag = entry.onWorker ? "on worker" : "not on worker";
-		console.log(`  ${id}  ${label} (${workerFlag})`);
-		if (entry.status !== "in_sync") issues += 1;
+	if (declared.length > 0) {
+		console.log("  Declared in config (secrets.required):\n");
+		for (const entry of declared) printEntry(entry);
+		console.log("");
+	}
+	if (onWorkerOnly.length > 0) {
+		console.log("  On worker, not in secrets.required (outside Tamer management — add to config or remove from worker):\n");
+		for (const entry of onWorkerOnly) printEntry(entry);
+		console.log("");
+	}
+	const declaredIssues = declared.filter((e) => isDeclaredIssue(e.status)).length;
+	if (declaredIssues === 0) {
+		const suffix = onWorkerOnly.length > 0 ? ` (${onWorkerOnly.length} on worker but not in config — informational only)` : "";
+		console.log(`All declared secrets in sync.${suffix}\n`);
+		return 0;
 	}
-	console.log(issues === 0 ? "\nAll declared secrets in sync.\n" : `\n${issues} secret(s) need attention.\n`);
-	return issues === 0 ? 0 : 1;
+	console.log(`${declaredIssues} declared secret(s) need attention.\n`);
+	return 1;
 }
 
 //#endregion
@@ -8156,7 +8244,8 @@ async function runSecretsPush(options) {
 const SECRETS_USAGE = `usage:
   tamer secrets init --env <env> [--config <path>]
   tamer secrets set <NAME> --env <env> [--config <path>]   # value on stdin (pipe only)
-  tamer secrets load --env <env> [--file <path>] [--config <path>]   # default file: .dev.vars.{env}
+  tamer secrets load --env <env> [--worker <name>] [--file <path>] [--config <path>]
+      # each worker: {workerDir}/.dev.vars.{env}; all declared workers when --worker omitted
   tamer secrets get <NAME> --env <env> [--config <path>]   # confirmation + audit log
   tamer secrets list --env <env> [--config <path>]
   tamer secrets rm <NAME> --env <env> [--config <path>]
@@ -8207,7 +8296,8 @@ async function runSecrets(argv) {
 			await runSecretsLoad({
 				file: parsed.file,
 				env: parsed.env,
-				configPath: parsed.configPath
+				configPath: parsed.configPath,
+				worker: parsed.worker
 			});
 			return 0;
 		case "get":
@@ -8548,14 +8638,14 @@ async function main() {
 	try {
 		switch (command) {
 			case "bootstrap":
-				await import("./bootstrap-D__dHw1w.mjs").then((m) => m.runBootstrap(parseBootstrapArgs(rest)));
+				await import("./bootstrap-CQS5s33A.mjs").then((m) => m.runBootstrap(parseBootstrapArgs(rest)));
 				break;
 			case "sync":
-				await import("./sync-CpfxqlOx.mjs").then((m) => m.runSync(parseSyncArgs(rest)));
+				await import("./sync-KTzMVc_o.mjs").then((m) => m.runSync(parseSyncArgs(rest)));
 				break;
 			case "apply": {
 				const a = parseApplyArgs(rest);
-				await import("./apply-BjrYbyHn.mjs").then((m) => m.runApply({
+				await import("./apply-C_70Hgcf.mjs").then((m) => m.runApply({
 					env: a.env,
 					addShard: a.addShard,
 					configPath: a.configPath,
@@ -8567,11 +8657,11 @@ async function main() {
 				break;
 			}
 			case "dev":
-				await import("./dev-BLthyLml.mjs").then((m) => m.runDev(parseDevArgs(rest)));
+				await import("./dev-caJxohHI.mjs").then((m) => m.runDev(parseDevArgs(rest)));
 				break;
 			case "deploy": {
 				const d = parseDeployArgs(rest);
-				await import("./deploy-C6fX9td0.mjs").then((m) => m.runDeploy({
+				await import("./deploy-D-GXzsWR.mjs").then((m) => m.runDeploy({
 					worker: d.worker,
 					env: d.env,
 					configPath: d.configPath,
@@ -8580,23 +8670,23 @@ async function main() {
 				break;
 			}
 			case "migrate":
-				await import("./migrate-CroDjbJz.mjs").then((m) => m.runMigrate(parseMigrateArgs(rest)));
+				await import("./migrate-skvsDG6d.mjs").then((m) => m.runMigrate(parseMigrateArgs(rest)));
 				break;
 			case "types":
-				await import("./types-BzzHwIdw.mjs").then((m) => m.runTypes(parseTypesArgs(rest)));
+				await import("./types-D7qKnGsm.mjs").then((m) => m.runTypes(parseTypesArgs(rest)));
 				break;
 			case "status":
-				await import("./status-DkkS5lc9.mjs").then((m) => m.runStatus(parseStatusArgs(rest)));
+				await import("./status-BxStsax8.mjs").then((m) => m.runStatus(parseStatusArgs(rest)));
 				break;
 			case "events":
-				await import("./events-otk0l3aJ.mjs").then((m) => m.runEvents(parseEventsArgs(rest)));
+				await import("./events-Bor7XgLC.mjs").then((m) => m.runEvents(parseEventsArgs(rest)));
 				break;
 			case "drift":
-				exitStatus = await import("./drift-BCxWdYHG.mjs").then((m) => m.runDrift(parseDriftArgs(rest)));
+				exitStatus = await import("./drift-5_LwAdZo.mjs").then((m) => m.runDrift(parseDriftArgs(rest)));
 				break;
 			case "plan": {
 				const p = parsePlanArgs(rest);
-				exitStatus = await import("./plan-C2urqJOz.mjs").then((m) => m.runPlan({
+				exitStatus = await import("./plan-BLy8FaE2.mjs").then((m) => m.runPlan({
 					env: p.env,
 					configPath: p.configPath,
 					json: p.json,
@@ -8608,14 +8698,14 @@ async function main() {
 				break;
 			}
 			case "import":
-				await import("./import-OvohE-H2.mjs").then((m) => m.runImport(parseImportArgs(rest)));
+				await import("./import-Vn9lhWic.mjs").then((m) => m.runImport(parseImportArgs(rest)));
 				break;
 			case "doctor":
 				exitStatus = await import("./doctor-32YLAXXl.mjs").then((m) => m.runDoctor(parseDoctorArgs(rest)));
 				break;
 			case "provision-tenant": {
 				const p = parseProvisionTenantArgs(rest);
-				await import("./provision-tenant-BJ1KugON.mjs").then((m) => m.runProvisionTenant({
+				await import("./provision-tenant-CleOYFwr.mjs").then((m) => m.runProvisionTenant({
 					env: p.env,
 					product: p.product,
 					workspace: p.workspace,
@@ -8632,7 +8722,7 @@ async function main() {
 			}
 			case "destroy-tenant": {
 				const t = parseDestroyTenantArgs(rest);
-				await import("./destroy-tenant-T_94ed9x.mjs").then((m) => m.runDestroyTenant({
+				await import("./destroy-tenant-DFHfNImL.mjs").then((m) => m.runDestroyTenant({
 					env: t.env,
 					product: t.product,
 					workspace: t.workspace,
@@ -8645,7 +8735,7 @@ async function main() {
 			}
 			case "destroy": {
 				const d = parseDestroyArgs(rest);
-				await import("./destroy-vfk2Zbfj.mjs").then((m) => m.runDestroy({
+				await import("./destroy-DJRw_qLX.mjs").then((m) => m.runDestroy({
 					env: d.env,
 					force: d.force,
 					skipWorkers: d.skipWorkers,
@@ -8731,7 +8821,7 @@ Options:
 Secrets (requires TAMER_SECRETS_KEY_{env} master key env var):
   tamer secrets init --env <env>              Generate master key (print once) + provision vault
   tamer secrets set <NAME> --env <env>        Encrypt value from stdin into vault (pipe only)
-  tamer secrets load --env <env> [--file .dev.vars.<env>]  Bulk import from env file; not plain .dev.vars
+  tamer secrets load --env <env> [--worker <name>] [--file .dev.vars.<env>]  Bulk import; all workers when --worker omitted
   tamer secrets get <NAME> --env <env>        Decrypt + print (confirmation + audit log)
   tamer secrets list --env <env>              Names + fingerprints + last-set (never values)
   tamer secrets rm <NAME> --env <env>         Remove from vault
@@ -8765,5 +8855,5 @@ Environment variables (same as Wrangler):
 main();
 
 //#endregion
-export { resolveReferencesInString as A, getWorkers as B, stackNameForConfig as C, resolveDeployedWorkerName as D, mergedWorkerConfigForEnv as E, ensureTamerSecretsDatabase as F, tamerSecretsDatabaseName as I, CFApiClient as L, effectiveDispatchNamespaceName as M, isEphemeralEnv as N, resolveWorkerConfig as O, namingFromConfig as P, cloudflareAccountIdFromEnv as R, tamerStateDatabaseName as S, mergeWorkerConfigForResourcePick as T, loadConfig as V, tenantShardDatabaseName as _, reconcileSecrets as a, destroyTamerStateDatabase as b, vaultReaderFromMap as c, fetchStackImports as d, importedStackNames as f, tenantDispatchScriptName as g, parseTenantShardRoles as h, pushSecretsForDeploy as i, wranglerConfigCliArgs as j, rewriteIntraStackServiceTargets as k, createDeploySecretsResources as l, StateManager as m, parseSecretsArgs as n, secretsDrift as o, scanConfigForImports as p, runSecrets as r, secretsPlanItems as s, SECRETS_USAGE as t, requiredSecretsForWorker as u, tenantStateKey as v, buildIntraStackScriptNameMap as w, ensureTamerStateDatabase as x, createEmptyCfiState as y, cloudflareApiTokenFromEnv as z };
+export { rewriteIntraStackServiceTargets as A, getWorkers as B, tamerStateDatabaseName as C, mergedWorkerConfigForEnv as D, mergeWorkerConfigForResourcePick as E, ensureTamerSecretsDatabase as F, tamerSecretsDatabaseName as I, CFApiClient as L, wranglerConfigCliArgs as M, effectiveDispatchNamespaceName as N, resolveDeployedWorkerName as O, isEphemeralEnv as P, cloudflareAccountIdFromEnv as R, ensureTamerStateDatabase as S, buildIntraStackScriptNameMap as T, loadConfig as V, tenantDispatchScriptName as _, reconcileSecrets as a, createEmptyCfiState as b, vaultReaderFromMap as c, requiredSecretsForWorker as d, fetchStackImports as f, parseTenantShardRoles as g, StateManager as h, pushSecretsForDeploy as i, resolveReferencesInString as j, resolveWorkerConfig as k, createDeploySecretsResources as l, scanConfigForImports as m, parseSecretsArgs as n, secretsDrift as o, importedStackNames as p, runSecrets as r, secretsPlanItems as s, SECRETS_USAGE as t, namingFromConfig as u, tenantShardDatabaseName as v, stackNameForConfig as w, destroyTamerStateDatabase as x, tenantStateKey as y, cloudflareApiTokenFromEnv as z };
 //# sourceMappingURL=tamer.mjs.map