@hasna/configs 0.1.0 → 0.1.2

package/dist/index.js

@@ -524,83 +524,199 @@ async function applyConfigs(configs, opts = {}) {
   return results;
 }
 // src/lib/sync.ts
-import { existsSync as existsSync3, readdirSync, readFileSync as readFileSync2, statSync } from "fs";
-import { extname, join as join2, relative } from "path";
-import { homedir as homedir2 } from "os";
-function detectCategory(filePath) {
-  const p = filePath.toLowerCase().replace(homedir2(), "~");
-  if (p.includes("/.claude/rules/") || p.endsWith("claude.md") || p.endsWith("agents.md") || p.endsWith("gemini.md"))
-    return "rules";
-  if (p.includes("/.claude/") || p.includes("/.codex/") || p.includes("/.gemini/") || p.includes("/.cursor/"))
-    return "agent";
-  if (p.includes(".mcp.json") || p.includes("mcp"))
-    return "mcp";
-  if (p.includes(".zshrc") || p.includes(".zprofile") || p.includes(".bashrc") || p.includes(".bash_profile"))
-    return "shell";
-  if (p.includes(".gitconfig") || p.includes(".gitignore"))
-    return "git";
-  if (p.includes(".npmrc") || p.includes("tsconfig") || p.includes("bunfig"))
-    return "tools";
-  if (p.includes(".secrets"))
-    return "secrets_schema";
-  return "tools";
-}
-function detectAgent(filePath) {
-  const p = filePath.toLowerCase().replace(homedir2(), "~");
-  if (p.includes("/.claude/") || p.endsWith("claude.md"))
-    return "claude";
-  if (p.includes("/.codex/") || p.endsWith("agents.md"))
-    return "codex";
-  if (p.includes("/.gemini/") || p.endsWith("gemini.md"))
-    return "gemini";
-  if (p.includes(".zshrc") || p.includes(".zprofile") || p.includes(".bashrc"))
-    return "zsh";
-  if (p.includes(".gitconfig") || p.includes(".gitignore"))
-    return "git";
-  if (p.includes(".npmrc"))
-    return "npm";
-  return "global";
+import { existsSync as existsSync4, readdirSync as readdirSync2, readFileSync as readFileSync3 } from "fs";
+import { extname, join as join3 } from "path";
+import { homedir as homedir3 } from "os";
+
+// src/lib/redact.ts
+var SECRET_KEY_PATTERN = /^(.*_?API_?KEY|.*_?TOKEN|.*_?SECRET|.*_?PASSWORD|.*_?PASSWD|.*_?CREDENTIAL|.*_?AUTH(?:_TOKEN|_KEY|ORIZATION)?|.*_?PRIVATE_?KEY|.*_?ACCESS_?KEY|.*_?CLIENT_?SECRET|.*_?SIGNING_?KEY|.*_?ENCRYPTION_?KEY|.*_AUTH_TOKEN)$/i;
+var VALUE_PATTERNS = [
+  { re: /npm_[A-Za-z0-9]{36,}/, reason: "npm token" },
+  { re: /gh[pousr]_[A-Za-z0-9_]{36,}/, reason: "GitHub token" },
+  { re: /sk-ant-[A-Za-z0-9\-_]{40,}/, reason: "Anthropic API key" },
+  { re: /sk-[A-Za-z0-9]{48,}/, reason: "OpenAI API key" },
+  { re: /xoxb-[0-9]+-[A-Za-z0-9\-]+/, reason: "Slack bot token" },
+  { re: /AIza[0-9A-Za-z\-_]{35}/, reason: "Google API key" },
+  { re: /ey[A-Za-z0-9_\-]{20,}\.[A-Za-z0-9_\-]{20,}\./, reason: "JWT token" },
+  { re: /AKIA[0-9A-Z]{16}/, reason: "AWS access key" }
+];
+var MIN_SECRET_VALUE_LEN = 8;
+function redactShell(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    const m = line.match(/^(\s*(?:export\s+)?)([A-Z][A-Z0-9_]*)(\s*=\s*)(['"]?)(.+?)\4\s*$/);
+    if (m) {
+      const [, prefix, key, eq, quote, value] = m;
+      if (shouldRedactKeyValue(key, value)) {
+        const reason = reasonFor(key, value);
+        redacted.push({ varName: key, line: i + 1, reason });
+        out.push(`${prefix}${key}${eq}${quote}{{${key}}}${quote}`);
+        continue;
+      }
+    }
+    out.push(line);
+  }
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
 }
-function detectFormat(filePath) {
-  const ext = extname(filePath).toLowerCase();
-  if (ext === ".json")
-    return "json";
-  if (ext === ".toml")
-    return "toml";
-  if (ext === ".yaml" || ext === ".yml")
-    return "yaml";
-  if (ext === ".md" || ext === ".markdown")
-    return "markdown";
-  if (ext === ".ini" || ext === ".cfg")
-    return "ini";
-  return "text";
+function redactJson(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    const m = line.match(/^(\s*"([^"]+)"\s*:\s*)"([^"]+)"(,?)(\s*)$/);
+    if (m) {
+      const [, prefix, key, value, comma, trail] = m;
+      if (shouldRedactKeyValue(key, value)) {
+        const varName = key.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+        redacted.push({ varName, line: i + 1, reason: reasonFor(key, value) });
+        out.push(`${prefix}"{{${varName}}}"${comma}${trail}`);
+        continue;
+      }
+    }
+    let newLine = line;
+    for (const { re, reason } of VALUE_PATTERNS) {
+      newLine = newLine.replace(re, (match) => {
+        const varName = `REDACTED_${reason.toUpperCase().replace(/[^A-Z0-9]/g, "_")}`;
+        redacted.push({ varName, line: i + 1, reason });
+        return `{{${varName}}}`;
+      });
+    }
+    out.push(newLine);
+  }
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
 }
-var SKIP_PATTERNS = [".db", ".db-shm", ".db-wal", ".log", ".lock", ".DS_Store", "node_modules", ".git"];
-function shouldSkip(p) {
-  return SKIP_PATTERNS.some((pat) => p.includes(pat));
+function redactToml(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    const m = line.match(/^(\s*)([a-zA-Z][a-zA-Z0-9_\-]*)(\s*=\s*)(['"]?)(.+?)\4\s*$/);
+    if (m) {
+      const [, indent, key, eq, quote, value] = m;
+      if (shouldRedactKeyValue(key, value)) {
+        const varName = key.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+        redacted.push({ varName, line: i + 1, reason: reasonFor(key, value) });
+        out.push(`${indent}${key}${eq}${quote}{{${varName}}}${quote}`);
+        continue;
+      }
+    }
+    out.push(line);
+  }
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
 }
-function walkDir(dir, files = []) {
-  const entries = readdirSync(dir, { withFileTypes: true });
-  for (const entry of entries) {
-    const full = join2(dir, entry.name);
-    if (shouldSkip(full))
+function redactIni(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    const line = lines[i];
+    const authM = line.match(/^(\/\/[^:]+:_authToken=)(.+)$/);
+    if (authM) {
+      redacted.push({ varName: "NPM_AUTH_TOKEN", line: i + 1, reason: "npm auth token" });
+      out.push(`${authM[1]}{{NPM_AUTH_TOKEN}}`);
       continue;
-    if (entry.isDirectory()) {
-      walkDir(full, files);
-    } else if (entry.isFile()) {
-      files.push(full);
     }
+    const m = line.match(/^(\s*)([a-zA-Z][a-zA-Z0-9_\-]*)(\s*=\s*)(.+?)\s*$/);
+    if (m) {
+      const [, indent, key, eq, value] = m;
+      if (shouldRedactKeyValue(key, value)) {
+        const varName = key.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+        redacted.push({ varName, line: i + 1, reason: reasonFor(key, value) });
+        out.push(`${indent}${key}${eq}{{${varName}}}`);
+        continue;
+      }
+    }
+    out.push(line);
   }
-  return files;
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
+}
+function redactGeneric(content) {
+  const redacted = [];
+  const lines = content.split(`
+`);
+  const out = [];
+  for (let i = 0;i < lines.length; i++) {
+    let line = lines[i];
+    for (const { re, reason } of VALUE_PATTERNS) {
+      line = line.replace(re, (match) => {
+        const varName = reason.toUpperCase().replace(/[^A-Z0-9]/g, "_");
+        redacted.push({ varName, line: i + 1, reason });
+        return `{{${varName}}}`;
+      });
+    }
+    out.push(line);
+  }
+  return { content: out.join(`
+`), redacted, isTemplate: redacted.length > 0 };
+}
+function shouldRedactKeyValue(key, value) {
+  if (!value || value.startsWith("{{"))
+    return false;
+  if (value.length < MIN_SECRET_VALUE_LEN)
+    return false;
+  if (/^(true|false|yes|no|on|off|null|undefined|\d+)$/i.test(value))
+    return false;
+  if (SECRET_KEY_PATTERN.test(key))
+    return true;
+  for (const { re } of VALUE_PATTERNS) {
+    if (re.test(value))
+      return true;
+  }
+  return false;
+}
+function reasonFor(key, value) {
+  if (SECRET_KEY_PATTERN.test(key))
+    return `secret key name: ${key}`;
+  for (const { re, reason } of VALUE_PATTERNS) {
+    if (re.test(value))
+      return reason;
+  }
+  return "secret value pattern";
+}
+function redactContent(content, format) {
+  switch (format) {
+    case "shell":
+      return redactShell(content);
+    case "json":
+      return redactJson(content);
+    case "toml":
+      return redactToml(content);
+    case "ini":
+      return redactIni(content);
+    default:
+      return redactGeneric(content);
+  }
+}
+
+// src/lib/sync-dir.ts
+import { existsSync as existsSync3, readdirSync, readFileSync as readFileSync2, statSync } from "fs";
+import { join as join2, relative } from "path";
+import { homedir as homedir2 } from "os";
+var SKIP = [".db", ".db-shm", ".db-wal", ".log", ".lock", ".DS_Store", "node_modules", ".git"];
+function shouldSkip(p) {
+  return SKIP.some((s) => p.includes(s));
 }
 async function syncFromDir(dir, opts = {}) {
   const d = opts.db || getDatabase();
   const absDir = expandPath(dir);
-  if (!existsSync3(absDir)) {
-    return { added: 0, updated: 0, unchanged: 0, skipped: [`Directory not found: ${absDir}`] };
-  }
+  if (!existsSync3(absDir))
+    return { added: 0, updated: 0, unchanged: 0, skipped: [`Not found: ${absDir}`] };
   const files = opts.recursive !== false ? walkDir(absDir) : readdirSync(absDir).map((f) => join2(absDir, f)).filter((f) => statSync(f).isFile());
   const result = { added: 0, updated: 0, unchanged: 0, skipped: [] };
+  const home = homedir2();
   const allConfigs = listConfigs(undefined, d);
   for (const file of files) {
     if (shouldSkip(file)) {
@@ -609,25 +725,19 @@ async function syncFromDir(dir, opts = {}) {
     }
     try {
       const content = readFileSync2(file, "utf-8");
-      const targetPath = file.startsWith(homedir2()) ? file.replace(homedir2(), "~") : file;
+      if (content.length > 500000) {
+        result.skipped.push(file + " (too large)");
+        continue;
+      }
+      const targetPath = file.replace(home, "~");
       const existing = allConfigs.find((c) => c.target_path === targetPath);
       if (!existing) {
-        if (!opts.dryRun) {
-          const name = relative(absDir, file);
-          createConfig({
-            name,
-            category: detectCategory(file),
-            agent: detectAgent(file),
-            target_path: targetPath,
-            format: detectFormat(file),
-            content
-          }, d);
-        }
+        if (!opts.dryRun)
+          createConfig({ name: relative(absDir, file), category: detectCategory(file), agent: detectAgent(file), target_path: targetPath, format: detectFormat(file), content }, d);
         result.added++;
       } else if (existing.content !== content) {
-        if (!opts.dryRun) {
+        if (!opts.dryRun)
           updateConfig(existing.id, { content }, d);
-        }
         result.updated++;
       } else {
         result.unchanged++;
@@ -640,22 +750,152 @@ async function syncFromDir(dir, opts = {}) {
 }
 async function syncToDir(dir, opts = {}) {
   const d = opts.db || getDatabase();
+  const home = homedir2();
   const absDir = expandPath(dir);
-  const normalizedDir = dir.startsWith("~/") ? dir : absDir.replace(homedir2(), "~");
-  const configs = listConfigs(undefined, d).filter((c) => c.target_path && (c.target_path.startsWith(normalizedDir) || c.target_path.startsWith(absDir)));
+  const normalized = dir.startsWith("~/") ? dir : absDir.replace(home, "~");
+  const configs = listConfigs(undefined, d).filter((c) => c.target_path && (c.target_path.startsWith(normalized) || c.target_path.startsWith(absDir)));
   const result = { added: 0, updated: 0, unchanged: 0, skipped: [] };
   for (const config of configs) {
     if (config.kind === "reference")
       continue;
     try {
       const r = await applyConfig(config, { dryRun: opts.dryRun, db: d });
-      if (r.changed) {
-        existsSync3(expandPath(config.target_path)) ? result.updated++ : result.added++;
+      r.changed ? result.updated++ : result.unchanged++;
+    } catch {
+      result.skipped.push(config.target_path || config.id);
+    }
+  }
+  return result;
+}
+function walkDir(dir, files = []) {
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    const full = join2(dir, entry.name);
+    if (shouldSkip(full))
+      continue;
+    if (entry.isDirectory())
+      walkDir(full, files);
+    else if (entry.isFile())
+      files.push(full);
+  }
+  return files;
+}
+
+// src/lib/sync.ts
+var KNOWN_CONFIGS = [
+  { path: "~/.claude/CLAUDE.md", name: "claude-claude-md", category: "rules", agent: "claude", format: "markdown" },
+  { path: "~/.claude/settings.json", name: "claude-settings", category: "agent", agent: "claude", format: "json" },
+  { path: "~/.claude/settings.local.json", name: "claude-settings-local", category: "agent", agent: "claude", format: "json" },
+  { path: "~/.claude/keybindings.json", name: "claude-keybindings", category: "agent", agent: "claude", format: "json" },
+  { path: "~/.claude/rules", name: "claude-rules", category: "rules", agent: "claude", rulesDir: "~/.claude/rules" },
+  { path: "~/.codex/config.toml", name: "codex-config", category: "agent", agent: "codex", format: "toml" },
+  { path: "~/.codex/AGENTS.md", name: "codex-agents-md", category: "rules", agent: "codex", format: "markdown" },
+  { path: "~/.gemini/settings.json", name: "gemini-settings", category: "agent", agent: "gemini", format: "json" },
+  { path: "~/.gemini/GEMINI.md", name: "gemini-gemini-md", category: "rules", agent: "gemini", format: "markdown" },
+  { path: "~/.claude.json", name: "claude-json", category: "mcp", agent: "claude", format: "json", description: "Claude Code global config (includes MCP server entries)" },
+  { path: "~/.zshrc", name: "zshrc", category: "shell", agent: "zsh" },
+  { path: "~/.zprofile", name: "zprofile", category: "shell", agent: "zsh" },
+  { path: "~/.bashrc", name: "bashrc", category: "shell", agent: "zsh" },
+  { path: "~/.bash_profile", name: "bash-profile", category: "shell", agent: "zsh" },
+  { path: "~/.gitconfig", name: "gitconfig", category: "git", agent: "git", format: "ini" },
+  { path: "~/.gitignore_global", name: "gitignore-global", category: "git", agent: "git" },
+  { path: "~/.npmrc", name: "npmrc", category: "tools", agent: "npm", format: "ini" },
+  { path: "~/.bunfig.toml", name: "bunfig", category: "tools", agent: "global", format: "toml" }
+];
+async function syncKnown(opts = {}) {
+  const d = opts.db || getDatabase();
+  const result = { added: 0, updated: 0, unchanged: 0, skipped: [] };
+  const home = homedir3();
+  let targets = KNOWN_CONFIGS;
+  if (opts.agent)
+    targets = targets.filter((k) => k.agent === opts.agent);
+  if (opts.category)
+    targets = targets.filter((k) => k.category === opts.category);
+  const allConfigs = listConfigs(undefined, d);
+  for (const known of targets) {
+    if (known.rulesDir) {
+      const absDir = expandPath(known.rulesDir);
+      if (!existsSync4(absDir)) {
+        result.skipped.push(known.rulesDir);
+        continue;
+      }
+      const mdFiles = readdirSync2(absDir).filter((f) => f.endsWith(".md"));
+      for (const f of mdFiles) {
+        const abs2 = join3(absDir, f);
+        const targetPath = abs2.replace(home, "~");
+        const raw = readFileSync3(abs2, "utf-8");
+        const { content, isTemplate } = redactContent(raw, "markdown");
+        const name = `claude-rules-${f}`;
+        const slug = name.toLowerCase().replace(/[^a-z0-9]+/g, "-");
+        const existing = allConfigs.find((c) => c.target_path === targetPath || c.slug === slug);
+        if (!existing) {
+          if (!opts.dryRun)
+            createConfig({ name, category: "rules", agent: "claude", format: "markdown", content, target_path: targetPath, is_template: isTemplate }, d);
+          result.added++;
+        } else if (existing.content !== content) {
+          if (!opts.dryRun)
+            updateConfig(existing.id, { content, is_template: isTemplate }, d);
+          result.updated++;
+        } else {
+          result.unchanged++;
+        }
+      }
+      continue;
+    }
+    const abs = expandPath(known.path);
+    if (!existsSync4(abs)) {
+      result.skipped.push(known.path);
+      continue;
+    }
+    try {
+      const rawContent = readFileSync3(abs, "utf-8");
+      if (rawContent.length > 500000) {
+        result.skipped.push(known.path + " (too large)");
+        continue;
+      }
+      const fmt = known.format ?? detectFormat(abs);
+      const { content, isTemplate } = redactContent(rawContent, fmt);
+      const targetPath = abs.replace(home, "~");
+      const existing = allConfigs.find((c) => c.target_path === targetPath || c.slug === known.name);
+      if (!existing) {
+        if (!opts.dryRun) {
+          createConfig({
+            name: known.name,
+            category: known.category,
+            agent: known.agent,
+            format: fmt,
+            content,
+            target_path: known.kind === "reference" ? null : targetPath,
+            kind: known.kind ?? "file",
+            description: known.description,
+            is_template: isTemplate
+          }, d);
+        }
+        result.added++;
+      } else if (existing.content !== content) {
+        if (!opts.dryRun)
+          updateConfig(existing.id, { content, is_template: isTemplate }, d);
+        result.updated++;
       } else {
         result.unchanged++;
       }
     } catch {
-      result.skipped.push(config.target_path || config.id);
+      result.skipped.push(known.path);
+    }
+  }
+  return result;
+}
+async function syncToDisk(opts = {}) {
+  const d = opts.db || getDatabase();
+  const result = { added: 0, updated: 0, unchanged: 0, skipped: [] };
+  let configs = listConfigs({ kind: "file", ...opts.agent ? { agent: opts.agent } : {}, ...opts.category ? { category: opts.category } : {} }, d);
+  for (const config of configs) {
+    if (!config.target_path)
+      continue;
+    try {
+      const r = await applyConfig(config, { dryRun: opts.dryRun, db: d });
+      r.changed ? result.updated++ : result.unchanged++;
+    } catch {
+      result.skipped.push(config.target_path);
     }
   }
   return result;
@@ -664,9 +904,9 @@ function diffConfig(config) {
   if (!config.target_path)
     return "(reference \u2014 no target path)";
   const path = expandPath(config.target_path);
-  if (!existsSync3(path))
+  if (!existsSync4(path))
     return `(file not found on disk: ${path})`;
-  const diskContent = readFileSync2(path, "utf-8");
+  const diskContent = readFileSync3(path, "utf-8");
   if (diskContent === config.content)
     return "(no diff \u2014 identical)";
   const stored = config.content.split(`
@@ -677,30 +917,78 @@ function diffConfig(config) {
   const maxLen = Math.max(stored.length, disk.length);
   for (let i = 0;i < maxLen; i++) {
     const s = stored[i];
-    const d = disk[i];
-    if (s === d) {
+    const dk = disk[i];
+    if (s === dk) {
       if (s !== undefined)
         lines.push(` ${s}`);
     } else {
       if (s !== undefined)
         lines.push(`-${s}`);
-      if (d !== undefined)
-        lines.push(`+${d}`);
+      if (dk !== undefined)
+        lines.push(`+${dk}`);
     }
   }
   return lines.join(`
 `);
 }
+function detectCategory(filePath) {
+  const p = filePath.toLowerCase().replace(homedir3(), "~");
+  if (p.includes("/.claude/rules/") || p.endsWith("claude.md") || p.endsWith("agents.md") || p.endsWith("gemini.md"))
+    return "rules";
+  if (p.includes("/.claude/") || p.includes("/.codex/") || p.includes("/.gemini/") || p.includes("/.cursor/"))
+    return "agent";
+  if (p.includes(".mcp.json") || p.includes("mcp"))
+    return "mcp";
+  if (p.includes(".zshrc") || p.includes(".zprofile") || p.includes(".bashrc") || p.includes(".bash_profile"))
+    return "shell";
+  if (p.includes(".gitconfig") || p.includes(".gitignore"))
+    return "git";
+  if (p.includes(".npmrc") || p.includes("tsconfig") || p.includes("bunfig"))
+    return "tools";
+  if (p.includes(".secrets"))
+    return "secrets_schema";
+  return "tools";
+}
+function detectAgent(filePath) {
+  const p = filePath.toLowerCase().replace(homedir3(), "~");
+  if (p.includes("/.claude/") || p.endsWith("claude.md"))
+    return "claude";
+  if (p.includes("/.codex/") || p.endsWith("agents.md"))
+    return "codex";
+  if (p.includes("/.gemini/") || p.endsWith("gemini.md"))
+    return "gemini";
+  if (p.includes(".zshrc") || p.includes(".zprofile") || p.includes(".bashrc"))
+    return "zsh";
+  if (p.includes(".gitconfig") || p.includes(".gitignore"))
+    return "git";
+  if (p.includes(".npmrc"))
+    return "npm";
+  return "global";
+}
+function detectFormat(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  if (ext === ".json")
+    return "json";
+  if (ext === ".toml")
+    return "toml";
+  if (ext === ".yaml" || ext === ".yml")
+    return "yaml";
+  if (ext === ".md" || ext === ".markdown")
+    return "markdown";
+  if (ext === ".ini" || ext === ".cfg")
+    return "ini";
+  return "text";
+}
 // src/lib/export.ts
-import { existsSync as existsSync4, mkdirSync as mkdirSync3, rmSync, writeFileSync as writeFileSync2 } from "fs";
-import { join as join3, resolve as resolve4 } from "path";
+import { existsSync as existsSync5, mkdirSync as mkdirSync3, rmSync, writeFileSync as writeFileSync2 } from "fs";
+import { join as join4, resolve as resolve3 } from "path";
 import { tmpdir } from "os";
 async function exportConfigs(outputPath, opts = {}) {
   const d = opts.db || getDatabase();
   const configs = listConfigs(opts.filter, d);
-  const absOutput = resolve4(outputPath);
-  const tmpDir = join3(tmpdir(), `configs-export-${Date.now()}`);
-  const contentsDir = join3(tmpDir, "contents");
+  const absOutput = resolve3(outputPath);
+  const tmpDir = join4(tmpdir(), `configs-export-${Date.now()}`);
+  const contentsDir = join4(tmpDir, "contents");
   try {
     mkdirSync3(contentsDir, { recursive: true });
     const manifest = {
@@ -708,10 +996,10 @@ async function exportConfigs(outputPath, opts = {}) {
       exported_at: now(),
       configs: configs.map(({ content: _content, ...meta }) => meta)
     };
-    writeFileSync2(join3(tmpDir, "manifest.json"), JSON.stringify(manifest, null, 2), "utf-8");
+    writeFileSync2(join4(tmpDir, "manifest.json"), JSON.stringify(manifest, null, 2), "utf-8");
     for (const config of configs) {
       const fileName = `${config.slug}.${config.format === "text" ? "txt" : config.format}`;
-      writeFileSync2(join3(contentsDir, fileName), config.content, "utf-8");
+      writeFileSync2(join4(contentsDir, fileName), config.content, "utf-8");
     }
     const proc = Bun.spawn(["tar", "czf", absOutput, "-C", tmpDir, "."], {
       stdout: "pipe",
@@ -724,20 +1012,20 @@ async function exportConfigs(outputPath, opts = {}) {
     }
     return { path: absOutput, count: configs.length };
   } finally {
-    if (existsSync4(tmpDir)) {
+    if (existsSync5(tmpDir)) {
       rmSync(tmpDir, { recursive: true, force: true });
     }
   }
 }
 // src/lib/import.ts
-import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync3, rmSync as rmSync2 } from "fs";
-import { join as join4, resolve as resolve5 } from "path";
+import { existsSync as existsSync6, mkdirSync as mkdirSync4, readFileSync as readFileSync4, rmSync as rmSync2 } from "fs";
+import { join as join5, resolve as resolve4 } from "path";
 import { tmpdir as tmpdir2 } from "os";
 async function importConfigs(bundlePath, opts = {}) {
   const d = opts.db || getDatabase();
   const conflict = opts.conflict ?? "skip";
-  const absPath = resolve5(bundlePath);
-  const tmpDir = join4(tmpdir2(), `configs-import-${Date.now()}`);
+  const absPath = resolve4(bundlePath);
+  const tmpDir = join5(tmpdir2(), `configs-import-${Date.now()}`);
   const result = { created: 0, updated: 0, skipped: 0, errors: [] };
   try {
     mkdirSync4(tmpDir, { recursive: true });
@@ -750,15 +1038,15 @@ async function importConfigs(bundlePath, opts = {}) {
       const stderr = await new Response(proc.stderr).text();
       throw new Error(`tar extraction failed: ${stderr}`);
     }
-    const manifestPath = join4(tmpDir, "manifest.json");
-    if (!existsSync5(manifestPath))
+    const manifestPath = join5(tmpDir, "manifest.json");
+    if (!existsSync6(manifestPath))
       throw new Error("Invalid bundle: missing manifest.json");
-    const manifest = JSON.parse(readFileSync3(manifestPath, "utf-8"));
+    const manifest = JSON.parse(readFileSync4(manifestPath, "utf-8"));
     for (const meta of manifest.configs) {
       try {
         const ext = meta.format === "text" ? "txt" : meta.format;
-        const contentFile = join4(tmpDir, "contents", `${meta.slug}.${ext}`);
-        const content = existsSync5(contentFile) ? readFileSync3(contentFile, "utf-8") : "";
+        const contentFile = join5(tmpDir, "contents", `${meta.slug}.${ext}`);
+        const content = existsSync6(contentFile) ? readFileSync4(contentFile, "utf-8") : "";
         let existing = null;
         try {
           existing = getConfig(meta.slug, d);
@@ -791,7 +1079,7 @@ async function importConfigs(bundlePath, opts = {}) {
     }
     return result;
   } finally {
-    if (existsSync5(tmpDir)) {
+    if (existsSync6(tmpDir)) {
       rmSync2(tmpDir, { recursive: true, force: true });
     }
   }
@@ -844,7 +1132,9 @@ export {
   updateProfile,
   updateMachineApplied,
   updateConfig,
+  syncToDisk,
   syncToDir,
+  syncKnown,
   syncFromDir,
   slugify,
   resetDatabase,
@@ -887,6 +1177,7 @@ export {
   addConfigToProfile,
   TemplateRenderError,
   ProfileNotFoundError,
+  KNOWN_CONFIGS,
   ConfigNotFoundError,
   ConfigApplyError,
   CONFIG_KINDS,

package/dist/lib/redact.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Secret redaction engine.
+ *
+ * Detects and replaces sensitive values with {{VARNAME}} template placeholders
+ * so they are NEVER stored in the DB. The config becomes a template that can
+ * be rendered with real values at apply-time.
+ *
+ * Strategy:
+ *  1. Key-name matching — if an assignment's LHS looks like a secret key name
+ *  2. Value-pattern matching — known token formats (npm, GitHub, Anthropic, etc.)
+ *     regardless of key name
+ */
+export interface RedactResult {
+    content: string;
+    redacted: RedactedVar[];
+    isTemplate: boolean;
+}
+export interface RedactedVar {
+    varName: string;
+    line: number;
+    reason: string;
+}
+export type RedactFormat = "shell" | "json" | "toml" | "ini" | "markdown" | "text" | "yaml";
+export declare function redactContent(content: string, format: RedactFormat): RedactResult;
+/** Detect secrets without modifying content. Returns list of findings. */
+export declare function scanSecrets(content: string, format: RedactFormat): RedactedVar[];
+/** Returns true if content contains any detectable secrets. */
+export declare function hasSecrets(content: string, format: RedactFormat): boolean;
+//# sourceMappingURL=redact.d.ts.map