@i4ctime/q-ring 0.4.0 → 0.9.1

package/dist/chunk-6IQ5SFLI.js

@@ -1,967 +0,0 @@
-#!/usr/bin/env node
-
-// src/core/envelope.ts
-function createEnvelope(value, opts) {
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  let expiresAt = opts?.expiresAt;
-  if (!expiresAt && opts?.ttlSeconds) {
-    expiresAt = new Date(Date.now() + opts.ttlSeconds * 1e3).toISOString();
-  }
-  return {
-    v: 1,
-    value: opts?.states ? void 0 : value,
-    states: opts?.states,
-    defaultEnv: opts?.defaultEnv,
-    meta: {
-      createdAt: now,
-      updatedAt: now,
-      expiresAt,
-      ttlSeconds: opts?.ttlSeconds,
-      description: opts?.description,
-      tags: opts?.tags,
-      entangled: opts?.entangled,
-      accessCount: 0,
-      rotationFormat: opts?.rotationFormat,
-      rotationPrefix: opts?.rotationPrefix,
-      provider: opts?.provider
-    }
-  };
-}
-function parseEnvelope(raw) {
-  try {
-    const parsed = JSON.parse(raw);
-    if (parsed && typeof parsed === "object" && parsed.v === 1) {
-      return parsed;
-    }
-  } catch {
-  }
-  return null;
-}
-function wrapLegacy(rawValue) {
-  const now = (/* @__PURE__ */ new Date()).toISOString();
-  return {
-    v: 1,
-    value: rawValue,
-    meta: {
-      createdAt: now,
-      updatedAt: now,
-      accessCount: 0
-    }
-  };
-}
-function serializeEnvelope(envelope) {
-  return JSON.stringify(envelope);
-}
-function collapseValue(envelope, env) {
-  if (envelope.states) {
-    const targetEnv = env ?? envelope.defaultEnv;
-    if (targetEnv && envelope.states[targetEnv]) {
-      return envelope.states[targetEnv];
-    }
-    if (envelope.defaultEnv && envelope.states[envelope.defaultEnv]) {
-      return envelope.states[envelope.defaultEnv];
-    }
-    const keys = Object.keys(envelope.states);
-    if (keys.length > 0) {
-      return envelope.states[keys[0]];
-    }
-    return null;
-  }
-  return envelope.value ?? null;
-}
-function checkDecay(envelope) {
-  if (!envelope.meta.expiresAt) {
-    return {
-      isExpired: false,
-      isStale: false,
-      lifetimePercent: 0,
-      secondsRemaining: null,
-      timeRemaining: null
-    };
-  }
-  const now = Date.now();
-  const expires = new Date(envelope.meta.expiresAt).getTime();
-  const created = new Date(envelope.meta.createdAt).getTime();
-  const totalLifetime = expires - created;
-  const elapsed = now - created;
-  const remaining = expires - now;
-  const lifetimePercent = totalLifetime > 0 ? Math.round(elapsed / totalLifetime * 100) : 100;
-  const secondsRemaining = Math.floor(remaining / 1e3);
-  let timeRemaining = null;
-  if (remaining > 0) {
-    const days = Math.floor(remaining / 864e5);
-    const hours = Math.floor(remaining % 864e5 / 36e5);
-    const minutes = Math.floor(remaining % 36e5 / 6e4);
-    if (days > 0) timeRemaining = `${days}d ${hours}h`;
-    else if (hours > 0) timeRemaining = `${hours}h ${minutes}m`;
-    else timeRemaining = `${minutes}m`;
-  } else {
-    timeRemaining = "expired";
-  }
-  return {
-    isExpired: remaining <= 0,
-    isStale: lifetimePercent >= 75,
-    lifetimePercent,
-    secondsRemaining,
-    timeRemaining
-  };
-}
-function recordAccess(envelope) {
-  return {
-    ...envelope,
-    meta: {
-      ...envelope.meta,
-      accessCount: envelope.meta.accessCount + 1,
-      lastAccessedAt: (/* @__PURE__ */ new Date()).toISOString()
-    }
-  };
-}
-
-// src/core/collapse.ts
-import { execSync } from "child_process";
-import { existsSync, readFileSync } from "fs";
-import { join } from "path";
-var BRANCH_ENV_MAP = {
-  main: "prod",
-  master: "prod",
-  production: "prod",
-  develop: "dev",
-  development: "dev",
-  dev: "dev",
-  staging: "staging",
-  stage: "staging",
-  test: "test",
-  testing: "test"
-};
-function detectGitBranch(cwd) {
-  try {
-    const branch = execSync("git rev-parse --abbrev-ref HEAD", {
-      cwd: cwd ?? process.cwd(),
-      stdio: ["pipe", "pipe", "pipe"],
-      encoding: "utf8",
-      timeout: 3e3
-    }).trim();
-    return branch || null;
-  } catch {
-    return null;
-  }
-}
-function readProjectConfig(projectPath) {
-  const configPath = join(projectPath ?? process.cwd(), ".q-ring.json");
-  try {
-    if (existsSync(configPath)) {
-      return JSON.parse(readFileSync(configPath, "utf8"));
-    }
-  } catch {
-  }
-  return null;
-}
-function collapseEnvironment(ctx = {}) {
-  if (ctx.explicit) {
-    return { env: ctx.explicit, source: "explicit" };
-  }
-  const qringEnv = process.env.QRING_ENV;
-  if (qringEnv) {
-    return { env: qringEnv, source: "QRING_ENV" };
-  }
-  const nodeEnv = process.env.NODE_ENV;
-  if (nodeEnv) {
-    const mapped = mapEnvName(nodeEnv);
-    return { env: mapped, source: "NODE_ENV" };
-  }
-  const config = readProjectConfig(ctx.projectPath);
-  if (config?.env) {
-    return { env: config.env, source: "project-config" };
-  }
-  const branch = detectGitBranch(ctx.projectPath);
-  if (branch) {
-    const branchMap = { ...BRANCH_ENV_MAP, ...config?.branchMap };
-    const mapped = branchMap[branch] ?? matchGlob(branchMap, branch);
-    if (mapped) {
-      return { env: mapped, source: "git-branch" };
-    }
-  }
-  if (config?.defaultEnv) {
-    return { env: config.defaultEnv, source: "project-config" };
-  }
-  return null;
-}
-function matchGlob(branchMap, branch) {
-  for (const [pattern, env] of Object.entries(branchMap)) {
-    if (!pattern.includes("*")) continue;
-    const regex = new RegExp(
-      "^" + pattern.replace(/\*/g, ".*") + "$"
-    );
-    if (regex.test(branch)) return env;
-  }
-  return void 0;
-}
-function mapEnvName(raw) {
-  const lower = raw.toLowerCase();
-  if (lower === "production") return "prod";
-  if (lower === "development") return "dev";
-  return lower;
-}
-
-// src/core/observer.ts
-import { existsSync as existsSync2, mkdirSync, appendFileSync, readFileSync as readFileSync2 } from "fs";
-import { join as join2 } from "path";
-import { homedir } from "os";
-function getAuditDir() {
-  const dir = join2(homedir(), ".config", "q-ring");
-  if (!existsSync2(dir)) {
-    mkdirSync(dir, { recursive: true });
-  }
-  return dir;
-}
-function getAuditPath() {
-  return join2(getAuditDir(), "audit.jsonl");
-}
-function logAudit(event) {
-  const full = {
-    ...event,
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    pid: process.pid
-  };
-  try {
-    appendFileSync(getAuditPath(), JSON.stringify(full) + "\n");
-  } catch {
-  }
-}
-function queryAudit(query = {}) {
-  const path = getAuditPath();
-  if (!existsSync2(path)) return [];
-  try {
-    const lines = readFileSync2(path, "utf8").split("\n").filter((l) => l.trim());
-    let events = lines.map((line) => {
-      try {
-        return JSON.parse(line);
-      } catch {
-        return null;
-      }
-    }).filter((e) => e !== null);
-    if (query.key) {
-      events = events.filter((e) => e.key === query.key);
-    }
-    if (query.action) {
-      events = events.filter((e) => e.action === query.action);
-    }
-    if (query.since) {
-      const since = new Date(query.since).getTime();
-      events = events.filter(
-        (e) => new Date(e.timestamp).getTime() >= since
-      );
-    }
-    events.sort(
-      (a, b) => new Date(b.timestamp).getTime() - new Date(a.timestamp).getTime()
-    );
-    if (query.limit) {
-      events = events.slice(0, query.limit);
-    }
-    return events;
-  } catch {
-    return [];
-  }
-}
-function detectAnomalies(key) {
-  const recent = queryAudit({
-    key,
-    action: "read",
-    since: new Date(Date.now() - 36e5).toISOString()
-    // last hour
-  });
-  const anomalies = [];
-  if (key && recent.length > 50) {
-    anomalies.push({
-      type: "burst",
-      description: `${recent.length} reads of "${key}" in the last hour`,
-      events: recent.slice(0, 10)
-    });
-  }
-  const nightAccess = recent.filter((e) => {
-    const hour = new Date(e.timestamp).getHours();
-    return hour >= 1 && hour < 5;
-  });
-  if (nightAccess.length > 0) {
-    anomalies.push({
-      type: "unusual-hour",
-      description: `${nightAccess.length} access(es) during unusual hours (1am-5am)`,
-      events: nightAccess
-    });
-  }
-  return anomalies;
-}
-
-// src/core/entanglement.ts
-import { existsSync as existsSync3, readFileSync as readFileSync3, writeFileSync, mkdirSync as mkdirSync2 } from "fs";
-import { join as join3 } from "path";
-import { homedir as homedir2 } from "os";
-function getRegistryPath() {
-  const dir = join3(homedir2(), ".config", "q-ring");
-  if (!existsSync3(dir)) {
-    mkdirSync2(dir, { recursive: true });
-  }
-  return join3(dir, "entanglement.json");
-}
-function loadRegistry() {
-  const path = getRegistryPath();
-  if (!existsSync3(path)) {
-    return { pairs: [] };
-  }
-  try {
-    return JSON.parse(readFileSync3(path, "utf8"));
-  } catch {
-    return { pairs: [] };
-  }
-}
-function saveRegistry(registry) {
-  writeFileSync(getRegistryPath(), JSON.stringify(registry, null, 2));
-}
-function entangle(source, target) {
-  const registry = loadRegistry();
-  const exists = registry.pairs.some(
-    (p) => p.source.service === source.service && p.source.key === source.key && p.target.service === target.service && p.target.key === target.key
-  );
-  if (!exists) {
-    registry.pairs.push({
-      source,
-      target,
-      createdAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
-    registry.pairs.push({
-      source: target,
-      target: source,
-      createdAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
-    saveRegistry(registry);
-  }
-}
-function disentangle(source, target) {
-  const registry = loadRegistry();
-  registry.pairs = registry.pairs.filter(
-    (p) => !(p.source.service === source.service && p.source.key === source.key && p.target.service === target.service && p.target.key === target.key || p.source.service === target.service && p.source.key === target.key && p.target.service === source.service && p.target.key === source.key)
-  );
-  saveRegistry(registry);
-}
-function findEntangled(source) {
-  const registry = loadRegistry();
-  return registry.pairs.filter(
-    (p) => p.source.service === source.service && p.source.key === source.key
-  ).map((p) => p.target);
-}
-function listEntanglements() {
-  return loadRegistry().pairs;
-}
-
-// src/core/keyring.ts
-import { Entry, findCredentials } from "@napi-rs/keyring";
-
-// src/utils/hash.ts
-import { createHash } from "crypto";
-function hashProjectPath(projectPath) {
-  return createHash("sha256").update(projectPath).digest("hex").slice(0, 12);
-}
-
-// src/core/scope.ts
-var SERVICE_PREFIX = "q-ring";
-function globalService() {
-  return `${SERVICE_PREFIX}:global`;
-}
-function projectService(projectPath) {
-  const hash = hashProjectPath(projectPath);
-  return `${SERVICE_PREFIX}:project:${hash}`;
-}
-function resolveScope(opts) {
-  const { scope, projectPath } = opts;
-  if (scope === "global") {
-    return [{ scope: "global", service: globalService() }];
-  }
-  if (scope === "project") {
-    if (!projectPath) {
-      throw new Error("Project path is required for project scope");
-    }
-    return [
-      { scope: "project", service: projectService(projectPath), projectPath }
-    ];
-  }
-  if (projectPath) {
-    return [
-      { scope: "project", service: projectService(projectPath), projectPath },
-      { scope: "global", service: globalService() }
-    ];
-  }
-  return [{ scope: "global", service: globalService() }];
-}
-
-// src/core/hooks.ts
-import { existsSync as existsSync4, readFileSync as readFileSync4, writeFileSync as writeFileSync2, mkdirSync as mkdirSync3 } from "fs";
-import { join as join4 } from "path";
-import { homedir as homedir3 } from "os";
-import { exec } from "child_process";
-import { request as httpsRequest } from "https";
-import { request as httpRequest } from "http";
-import { randomUUID } from "crypto";
-function getRegistryPath2() {
-  const dir = join4(homedir3(), ".config", "q-ring");
-  if (!existsSync4(dir)) {
-    mkdirSync3(dir, { recursive: true });
-  }
-  return join4(dir, "hooks.json");
-}
-function loadRegistry2() {
-  const path = getRegistryPath2();
-  if (!existsSync4(path)) {
-    return { hooks: [] };
-  }
-  try {
-    return JSON.parse(readFileSync4(path, "utf8"));
-  } catch {
-    return { hooks: [] };
-  }
-}
-function saveRegistry2(registry) {
-  writeFileSync2(getRegistryPath2(), JSON.stringify(registry, null, 2));
-}
-function registerHook(entry) {
-  const registry = loadRegistry2();
-  const hook = {
-    ...entry,
-    id: randomUUID().slice(0, 8),
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  registry.hooks.push(hook);
-  saveRegistry2(registry);
-  return hook;
-}
-function removeHook(id) {
-  const registry = loadRegistry2();
-  const before = registry.hooks.length;
-  registry.hooks = registry.hooks.filter((h) => h.id !== id);
-  if (registry.hooks.length < before) {
-    saveRegistry2(registry);
-    return true;
-  }
-  return false;
-}
-function listHooks() {
-  return loadRegistry2().hooks;
-}
-function matchesHook(hook, payload, tags) {
-  if (!hook.enabled) return false;
-  const m = hook.match;
-  if (m.action?.length && !m.action.includes(payload.action)) return false;
-  if (m.key && m.key !== payload.key) return false;
-  if (m.keyPattern) {
-    const regex = new RegExp(
-      "^" + m.keyPattern.replace(/\*/g, ".*") + "$",
-      "i"
-    );
-    if (!regex.test(payload.key)) return false;
-  }
-  if (m.tag && (!tags || !tags.includes(m.tag))) return false;
-  if (m.scope && m.scope !== payload.scope) return false;
-  return true;
-}
-function executeShell(command, payload) {
-  return new Promise((resolve) => {
-    const env = {
-      ...process.env,
-      QRING_HOOK_KEY: payload.key,
-      QRING_HOOK_ACTION: payload.action,
-      QRING_HOOK_SCOPE: payload.scope
-    };
-    exec(command, { timeout: 3e4, env }, (err, stdout, stderr) => {
-      if (err) {
-        resolve({ hookId: "", success: false, message: `Shell error: ${err.message}` });
-      } else {
-        resolve({ hookId: "", success: true, message: stdout.trim() || "OK" });
-      }
-    });
-  });
-}
-function executeHttp(url, payload) {
-  return new Promise((resolve) => {
-    const body = JSON.stringify(payload);
-    const parsedUrl = new URL(url);
-    const reqFn = parsedUrl.protocol === "https:" ? httpsRequest : httpRequest;
-    const req = reqFn(
-      url,
-      {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          "Content-Length": Buffer.byteLength(body),
-          "User-Agent": "q-ring-hooks/1.0"
-        },
-        timeout: 1e4
-      },
-      (res) => {
-        let data = "";
-        res.on("data", (chunk) => data += chunk);
-        res.on("end", () => {
-          resolve({
-            hookId: "",
-            success: (res.statusCode ?? 0) >= 200 && (res.statusCode ?? 0) < 300,
-            message: `HTTP ${res.statusCode}`
-          });
-        });
-      }
-    );
-    req.on("error", (err) => {
-      resolve({ hookId: "", success: false, message: `HTTP error: ${err.message}` });
-    });
-    req.on("timeout", () => {
-      req.destroy();
-      resolve({ hookId: "", success: false, message: "HTTP timeout" });
-    });
-    req.write(body);
-    req.end();
-  });
-}
-function executeSignal(target, signal = "SIGHUP") {
-  return new Promise((resolve) => {
-    const pid = parseInt(target, 10);
-    if (!isNaN(pid)) {
-      try {
-        process.kill(pid, signal);
-        resolve({ hookId: "", success: true, message: `Signal ${signal} sent to PID ${pid}` });
-      } catch (err) {
-        resolve({ hookId: "", success: false, message: `Signal error: ${err instanceof Error ? err.message : String(err)}` });
-      }
-      return;
-    }
-    exec(`pgrep -f "${target}"`, { timeout: 5e3 }, (err, stdout) => {
-      if (err || !stdout.trim()) {
-        resolve({ hookId: "", success: false, message: `Process "${target}" not found` });
-        return;
-      }
-      const pids = stdout.trim().split("\n").map((p) => parseInt(p.trim(), 10)).filter((p) => !isNaN(p));
-      let sent = 0;
-      for (const p of pids) {
-        try {
-          process.kill(p, signal);
-          sent++;
-        } catch {
-        }
-      }
-      resolve({ hookId: "", success: sent > 0, message: `Signal ${signal} sent to ${sent} process(es)` });
-    });
-  });
-}
-async function executeHook(hook, payload) {
-  let result;
-  switch (hook.type) {
-    case "shell":
-      result = hook.command ? await executeShell(hook.command, payload) : { hookId: hook.id, success: false, message: "No command specified" };
-      break;
-    case "http":
-      result = hook.url ? await executeHttp(hook.url, payload) : { hookId: hook.id, success: false, message: "No URL specified" };
-      break;
-    case "signal":
-      result = hook.signal ? await executeSignal(hook.signal.target, hook.signal.signal) : { hookId: hook.id, success: false, message: "No signal target specified" };
-      break;
-    default:
-      result = { hookId: hook.id, success: false, message: `Unknown hook type: ${hook.type}` };
-  }
-  result.hookId = hook.id;
-  return result;
-}
-async function fireHooks(payload, tags) {
-  const hooks = listHooks();
-  const matching = hooks.filter((h) => matchesHook(h, payload, tags));
-  if (matching.length === 0) return [];
-  const results = await Promise.allSettled(
-    matching.map((h) => executeHook(h, payload))
-  );
-  const hookResults = [];
-  for (const r of results) {
-    if (r.status === "fulfilled") {
-      hookResults.push(r.value);
-    } else {
-      hookResults.push({
-        hookId: "unknown",
-        success: false,
-        message: r.reason?.message ?? "Hook execution failed"
-      });
-    }
-  }
-  for (const r of hookResults) {
-    try {
-      logAudit({
-        action: "write",
-        key: payload.key,
-        scope: payload.scope,
-        source: payload.source,
-        detail: `hook:${r.hookId} ${r.success ? "ok" : "fail"} \u2014 ${r.message}`
-      });
-    } catch {
-    }
-  }
-  return hookResults;
-}
-
-// src/core/keyring.ts
-function readEnvelope(service, key) {
-  const entry = new Entry(service, key);
-  const raw = entry.getPassword();
-  if (raw === null) return null;
-  const envelope = parseEnvelope(raw);
-  return envelope ?? wrapLegacy(raw);
-}
-function writeEnvelope(service, key, envelope) {
-  const entry = new Entry(service, key);
-  entry.setPassword(serializeEnvelope(envelope));
-}
-function resolveEnv(opts) {
-  if (opts.env) return opts.env;
-  const result = collapseEnvironment({ projectPath: opts.projectPath });
-  return result?.env;
-}
-function getSecret(key, opts = {}) {
-  const scopes = resolveScope(opts);
-  const env = resolveEnv(opts);
-  const source = opts.source ?? "cli";
-  for (const { service, scope } of scopes) {
-    const envelope = readEnvelope(service, key);
-    if (!envelope) continue;
-    const decay = checkDecay(envelope);
-    if (decay.isExpired) {
-      logAudit({
-        action: "read",
-        key,
-        scope,
-        source,
-        detail: "blocked: secret expired (quantum decay)"
-      });
-      continue;
-    }
-    const value = collapseValue(envelope, env);
-    if (value === null) continue;
-    const updated = recordAccess(envelope);
-    writeEnvelope(service, key, updated);
-    logAudit({ action: "read", key, scope, env, source });
-    return value;
-  }
-  return null;
-}
-function getEnvelope(key, opts = {}) {
-  const scopes = resolveScope(opts);
-  for (const { service, scope } of scopes) {
-    const envelope = readEnvelope(service, key);
-    if (envelope) return { envelope, scope };
-  }
-  return null;
-}
-function setSecret(key, value, opts = {}) {
-  const scope = opts.scope ?? "global";
-  const scopes = resolveScope({ ...opts, scope });
-  const { service } = scopes[0];
-  const source = opts.source ?? "cli";
-  const existing = readEnvelope(service, key);
-  let envelope;
-  const rotFmt = opts.rotationFormat ?? existing?.meta.rotationFormat;
-  const rotPfx = opts.rotationPrefix ?? existing?.meta.rotationPrefix;
-  const prov = opts.provider ?? existing?.meta.provider;
-  if (opts.states) {
-    envelope = createEnvelope("", {
-      states: opts.states,
-      defaultEnv: opts.defaultEnv,
-      description: opts.description,
-      tags: opts.tags,
-      ttlSeconds: opts.ttlSeconds,
-      expiresAt: opts.expiresAt,
-      entangled: existing?.meta.entangled,
-      rotationFormat: rotFmt,
-      rotationPrefix: rotPfx,
-      provider: prov
-    });
-  } else {
-    envelope = createEnvelope(value, {
-      description: opts.description,
-      tags: opts.tags,
-      ttlSeconds: opts.ttlSeconds,
-      expiresAt: opts.expiresAt,
-      entangled: existing?.meta.entangled,
-      rotationFormat: rotFmt,
-      rotationPrefix: rotPfx,
-      provider: prov
-    });
-  }
-  if (existing) {
-    envelope.meta.createdAt = existing.meta.createdAt;
-    envelope.meta.accessCount = existing.meta.accessCount;
-  }
-  writeEnvelope(service, key, envelope);
-  logAudit({ action: "write", key, scope, source });
-  const entangled = findEntangled({ service, key });
-  for (const target of entangled) {
-    try {
-      const targetEnvelope = readEnvelope(target.service, target.key);
-      if (targetEnvelope) {
-        if (opts.states) {
-          targetEnvelope.states = opts.states;
-        } else {
-          targetEnvelope.value = value;
-        }
-        targetEnvelope.meta.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
-        writeEnvelope(target.service, target.key, targetEnvelope);
-        logAudit({
-          action: "entangle",
-          key: target.key,
-          scope: "global",
-          source,
-          detail: `propagated from ${key}`
-        });
-      }
-    } catch {
-    }
-  }
-  fireHooks({
-    action: "write",
-    key,
-    scope,
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    source
-  }, envelope.meta.tags).catch(() => {
-  });
-}
-function deleteSecret(key, opts = {}) {
-  const scopes = resolveScope(opts);
-  const source = opts.source ?? "cli";
-  let deleted = false;
-  for (const { service, scope } of scopes) {
-    const entry = new Entry(service, key);
-    try {
-      if (entry.deleteCredential()) {
-        deleted = true;
-        logAudit({ action: "delete", key, scope, source });
-        fireHooks({
-          action: "delete",
-          key,
-          scope,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-          source
-        }).catch(() => {
-        });
-      }
-    } catch {
-    }
-  }
-  return deleted;
-}
-function hasSecret(key, opts = {}) {
-  const scopes = resolveScope(opts);
-  for (const { service } of scopes) {
-    const envelope = readEnvelope(service, key);
-    if (envelope) {
-      const decay = checkDecay(envelope);
-      if (!decay.isExpired) return true;
-    }
-  }
-  return false;
-}
-function listSecrets(opts = {}) {
-  const source = opts.source ?? "cli";
-  const services = [];
-  if (!opts.scope || opts.scope === "global") {
-    services.push({ service: globalService(), scope: "global" });
-  }
-  if ((!opts.scope || opts.scope === "project") && opts.projectPath) {
-    services.push({
-      service: projectService(opts.projectPath),
-      scope: "project"
-    });
-  }
-  const results = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const { service, scope } of services) {
-    try {
-      const credentials = findCredentials(service);
-      for (const cred of credentials) {
-        const id = `${scope}:${cred.account}`;
-        if (seen.has(id)) continue;
-        seen.add(id);
-        const envelope = parseEnvelope(cred.password) ?? wrapLegacy(cred.password);
-        const decay = checkDecay(envelope);
-        results.push({
-          key: cred.account,
-          scope,
-          envelope,
-          decay
-        });
-      }
-    } catch {
-    }
-  }
-  if (!opts.silent) {
-    logAudit({ action: "list", source });
-  }
-  return results.sort((a, b) => a.key.localeCompare(b.key));
-}
-function exportSecrets(opts = {}) {
-  const format = opts.format ?? "env";
-  const env = resolveEnv(opts);
-  let entries = listSecrets(opts);
-  const source = opts.source ?? "cli";
-  if (opts.keys?.length) {
-    const keySet = new Set(opts.keys);
-    entries = entries.filter((e) => keySet.has(e.key));
-  }
-  if (opts.tags?.length) {
-    entries = entries.filter(
-      (e) => opts.tags.some((t) => e.envelope?.meta.tags?.includes(t))
-    );
-  }
-  const merged = /* @__PURE__ */ new Map();
-  const globalEntries = entries.filter((e) => e.scope === "global");
-  const projectEntries = entries.filter((e) => e.scope === "project");
-  for (const entry of [...globalEntries, ...projectEntries]) {
-    if (entry.envelope) {
-      const decay = checkDecay(entry.envelope);
-      if (decay.isExpired) continue;
-      const value = collapseValue(entry.envelope, env);
-      if (value !== null) {
-        merged.set(entry.key, value);
-      }
-    }
-  }
-  logAudit({ action: "export", source, detail: `format=${format}` });
-  if (format === "json") {
-    const obj = {};
-    for (const [key, value] of merged) {
-      obj[key] = value;
-    }
-    return JSON.stringify(obj, null, 2);
-  }
-  const lines = [];
-  for (const [key, value] of merged) {
-    const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\n/g, "\\n");
-    lines.push(`${key}="${escaped}"`);
-  }
-  return lines.join("\n");
-}
-function entangleSecrets(sourceKey, sourceOpts, targetKey, targetOpts) {
-  const sourceScopes = resolveScope({ ...sourceOpts, scope: sourceOpts.scope ?? "global" });
-  const targetScopes = resolveScope({ ...targetOpts, scope: targetOpts.scope ?? "global" });
-  const source = { service: sourceScopes[0].service, key: sourceKey };
-  const target = { service: targetScopes[0].service, key: targetKey };
-  entangle(source, target);
-  logAudit({
-    action: "entangle",
-    key: sourceKey,
-    source: sourceOpts.source ?? "cli",
-    detail: `entangled with ${targetKey}`
-  });
-}
-function disentangleSecrets(sourceKey, sourceOpts, targetKey, targetOpts) {
-  const sourceScopes = resolveScope({ ...sourceOpts, scope: sourceOpts.scope ?? "global" });
-  const targetScopes = resolveScope({ ...targetOpts, scope: targetOpts.scope ?? "global" });
-  const source = { service: sourceScopes[0].service, key: sourceKey };
-  const target = { service: targetScopes[0].service, key: targetKey };
-  disentangle(source, target);
-  logAudit({
-    action: "entangle",
-    key: sourceKey,
-    source: sourceOpts.source ?? "cli",
-    detail: `disentangled from ${targetKey}`
-  });
-}
-
-// src/core/tunnel.ts
-var tunnelStore = /* @__PURE__ */ new Map();
-var cleanupInterval = null;
-function ensureCleanup() {
-  if (cleanupInterval) return;
-  cleanupInterval = setInterval(() => {
-    const now = Date.now();
-    for (const [id, entry] of tunnelStore) {
-      if (entry.expiresAt && now >= entry.expiresAt) {
-        tunnelStore.delete(id);
-      }
-    }
-    if (tunnelStore.size === 0 && cleanupInterval) {
-      clearInterval(cleanupInterval);
-      cleanupInterval = null;
-    }
-  }, 5e3);
-  if (cleanupInterval && typeof cleanupInterval === "object" && "unref" in cleanupInterval) {
-    cleanupInterval.unref();
-  }
-}
-function tunnelCreate(value, opts = {}) {
-  const id = `tun_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
-  const now = Date.now();
-  tunnelStore.set(id, {
-    value,
-    createdAt: now,
-    expiresAt: opts.ttlSeconds ? now + opts.ttlSeconds * 1e3 : void 0,
-    accessCount: 0,
-    maxReads: opts.maxReads
-  });
-  ensureCleanup();
-  return id;
-}
-function tunnelRead(id) {
-  const entry = tunnelStore.get(id);
-  if (!entry) return null;
-  if (entry.expiresAt && Date.now() >= entry.expiresAt) {
-    tunnelStore.delete(id);
-    return null;
-  }
-  entry.accessCount++;
-  if (entry.maxReads && entry.accessCount >= entry.maxReads) {
-    const value = entry.value;
-    tunnelStore.delete(id);
-    return value;
-  }
-  return entry.value;
-}
-function tunnelDestroy(id) {
-  return tunnelStore.delete(id);
-}
-function tunnelList() {
-  const now = Date.now();
-  const result = [];
-  for (const [id, entry] of tunnelStore) {
-    if (entry.expiresAt && now >= entry.expiresAt) {
-      tunnelStore.delete(id);
-      continue;
-    }
-    result.push({
-      id,
-      createdAt: entry.createdAt,
-      expiresAt: entry.expiresAt,
-      accessCount: entry.accessCount,
-      maxReads: entry.maxReads
-    });
-  }
-  return result;
-}
-
-export {
-  checkDecay,
-  readProjectConfig,
-  collapseEnvironment,
-  logAudit,
-  queryAudit,
-  detectAnomalies,
-  listEntanglements,
-  registerHook,
-  removeHook,
-  listHooks,
-  fireHooks,
-  getSecret,
-  getEnvelope,
-  setSecret,
-  deleteSecret,
-  hasSecret,
-  listSecrets,
-  exportSecrets,
-  entangleSecrets,
-  disentangleSecrets,
-  tunnelCreate,
-  tunnelRead,
-  tunnelDestroy,
-  tunnelList
-};
-//# sourceMappingURL=chunk-6IQ5SFLI.js.map