@kalphq/cli 0.0.0-dev-20260513002723 → 0.0.0-dev-20260513005628

package/dist/add-NDU352FV.js

@@ -0,0 +1,124 @@
+#!/usr/bin/env node
+import {
+  generateTypes
+} from "./chunk-MMS3GWBG.js";
+import {
+  mergeSecrets,
+  readLocalSecretsFromConfig,
+  resolveSecretsRuntimeConfigPath,
+  writeLocalSecretsToConfig
+} from "./chunk-5ZRVO3TQ.js";
+import "./chunk-INB3LG6O.js";
+import {
+  requireAuth,
+  resolveProvider
+} from "./chunk-GNQI376N.js";
+import "./chunk-FO24J6XL.js";
+import "./chunk-DHCCSWJN.js";
+
+// src/commands/secrets/add.ts
+import { defineCommand } from "citty";
+import * as p from "@clack/prompts";
+import pc from "picocolors";
+var LOGO = "\u{1F98B}";
+var add_default = defineCommand({
+  meta: {
+    name: "add",
+    description: "Add a secret to remote runtime and local config"
+  },
+  args: {
+    key: {
+      type: "string",
+      alias: "k",
+      description: "Secret key (UPPER_SNAKE_CASE)"
+    },
+    value: {
+      type: "string",
+      alias: "v",
+      description: "Secret value"
+    },
+    help: {
+      type: "boolean",
+      alias: "h",
+      description: "Show help",
+      default: false
+    }
+  },
+  async run({ args }) {
+    const cwd = process.cwd();
+    if (args.help) {
+      p.log.info(`${pc.bold("Usage")}: kalp secrets add -k <KEY> -v <VALUE>`);
+      return;
+    }
+    p.intro(`${LOGO} ${pc.bold("kalp secrets add")}`);
+    await requireAuth().catch(() => {
+      p.log.error("Not authenticated. Run `kalp login` first.");
+      process.exit(1);
+    });
+    let key = args.key?.trim();
+    let value = args.value;
+    if (!key) {
+      const input = await p.text({
+        message: "Secret key name",
+        placeholder: "STRIPE_SECRET_KEY",
+        validate: (v) => {
+          if (!v) return "Key is required";
+          if (!/^[A-Z_][A-Z0-9_]*$/.test(v)) {
+            return "Key must be UPPER_SNAKE_CASE";
+          }
+        }
+      });
+      if (p.isCancel(input)) {
+        p.outro("Cancelled");
+        return;
+      }
+      key = String(input).trim();
+    }
+    if (!/^[A-Z_][A-Z0-9_]*$/.test(key)) {
+      p.log.error("Invalid key. Use UPPER_SNAKE_CASE.");
+      process.exit(1);
+    }
+    if (!value) {
+      const input = await p.password({
+        message: `Enter value for ${key}`,
+        mask: "*"
+      });
+      if (p.isCancel(input)) {
+        p.outro("Cancelled");
+        return;
+      }
+      value = String(input);
+    }
+    const trimmedValue = value.trim();
+    if (!trimmedValue) {
+      p.log.error("Secret value cannot be empty.");
+      process.exit(1);
+    }
+    const spinner2 = p.spinner();
+    spinner2.start(`Adding ${pc.cyan(key)} to remote runtime`);
+    try {
+      const configPath = await resolveSecretsRuntimeConfigPath(cwd);
+      const provider = resolveProvider();
+      await provider.putSecret({
+        cwd,
+        configPath,
+        name: key,
+        value: trimmedValue
+      });
+      const localSecrets = await readLocalSecretsFromConfig(cwd);
+      const merged = mergeSecrets(localSecrets, [key]);
+      await writeLocalSecretsToConfig(cwd, merged);
+      await generateTypes(cwd);
+      spinner2.stop(`Secret ${pc.cyan(key)} added`);
+      p.outro("Done");
+    } catch (error) {
+      spinner2.stop("Failed to add secret");
+      p.log.error(error instanceof Error ? error.message : String(error));
+      process.exit(1);
+    }
+  }
+});
+export {
+  add_default as default
+};
+//# sourceMappingURL=add-NDU352FV.js.map

package/dist/add-NDU352FV.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/commands/secrets/add.ts"],"sourcesContent":["import { defineCommand } from \"citty\";\nimport * as p from \"@clack/prompts\";\nimport pc from \"picocolors\";\nimport { requireAuth } from \"@/utils/auth\";\nimport { generateTypes } from \"@/utils/codegen\";\nimport { resolveProvider } from \"@/utils/providers\";\nimport {\n  mergeSecrets,\n  readLocalSecretsFromConfig,\n  writeLocalSecretsToConfig,\n} from \"@/utils/secrets-config\";\nimport { resolveSecretsRuntimeConfigPath } from \"@/utils/secrets-runtime\";\n\nconst LOGO = \"🦋\";\n\nexport default defineCommand({\n  meta: {\n    name: \"add\",\n    description: \"Add a secret to remote runtime and local config\",\n  },\n  args: {\n    key: {\n      type: \"string\",\n      alias: \"k\",\n      description: \"Secret key (UPPER_SNAKE_CASE)\",\n    },\n    value: {\n      type: \"string\",\n      alias: \"v\",\n      description: \"Secret value\",\n    },\n    help: {\n      type: \"boolean\",\n      alias: \"h\",\n      description: \"Show help\",\n      default: false,\n    },\n  },\n  async run({ args }) {\n    const cwd = process.cwd();\n\n    if (args.help) {\n      p.log.info(`${pc.bold(\"Usage\")}: kalp secrets add -k <KEY> -v <VALUE>`);\n      return;\n    }\n\n    p.intro(`${LOGO} ${pc.bold(\"kalp secrets add\")}`);\n\n    await requireAuth().catch(() => {\n      p.log.error(\"Not authenticated. Run `kalp login` first.\");\n      process.exit(1);\n    });\n\n    let key = args.key?.trim();\n    let value = args.value;\n\n    if (!key) {\n      const input = await p.text({\n        message: \"Secret key name\",\n        placeholder: \"STRIPE_SECRET_KEY\",\n        validate: (v) => {\n          if (!v) return \"Key is required\";\n          if (!/^[A-Z_][A-Z0-9_]*$/.test(v)) {\n            return \"Key must be UPPER_SNAKE_CASE\";\n          }\n        },\n      });\n      if (p.isCancel(input)) {\n        p.outro(\"Cancelled\");\n        return;\n      }\n      key = String(input).trim();\n    }\n\n    if (!/^[A-Z_][A-Z0-9_]*$/.test(key)) {\n      p.log.error(\"Invalid key. Use UPPER_SNAKE_CASE.\");\n      process.exit(1);\n    }\n\n    if (!value) {\n      const input = await p.password({\n        message: `Enter value for ${key}`,\n        mask: \"*\",\n      });\n      if (p.isCancel(input)) {\n        p.outro(\"Cancelled\");\n        return;\n      }\n      value = String(input);\n    }\n\n    const trimmedValue = value.trim();\n    if (!trimmedValue) {\n      p.log.error(\"Secret value cannot be empty.\");\n      process.exit(1);\n    }\n\n    const spinner = p.spinner();\n    spinner.start(`Adding ${pc.cyan(key)} to remote runtime`);\n\n    try {\n      const configPath = await resolveSecretsRuntimeConfigPath(cwd);\n      const provider = resolveProvider();\n      await provider.putSecret({\n        cwd,\n        configPath,\n        name: key,\n        value: trimmedValue,\n      });\n\n      const localSecrets = await readLocalSecretsFromConfig(cwd);\n      const merged = mergeSecrets(localSecrets, [key]);\n      await writeLocalSecretsToConfig(cwd, merged);\n      await generateTypes(cwd);\n\n      spinner.stop(`Secret ${pc.cyan(key)} added`);\n      p.outro(\"Done\");\n    } catch (error) {\n      spinner.stop(\"Failed to add secret\");\n      p.log.error(error instanceof Error ? error.message : String(error));\n      process.exit(1);\n    }\n  },\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAAA,SAAS,qBAAqB;AAC9B,YAAY,OAAO;AACnB,OAAO,QAAQ;AAWf,IAAM,OAAO;AAEb,IAAO,cAAQ,cAAc;AAAA,EAC3B,MAAM;AAAA,IACJ,MAAM;AAAA,IACN,aAAa;AAAA,EACf;AAAA,EACA,MAAM;AAAA,IACJ,KAAK;AAAA,MACH,MAAM;AAAA,MACN,OAAO;AAAA,MACP,aAAa;AAAA,IACf;AAAA,IACA,OAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO;AAAA,MACP,aAAa;AAAA,IACf;AAAA,IACA,MAAM;AAAA,MACJ,MAAM;AAAA,MACN,OAAO;AAAA,MACP,aAAa;AAAA,MACb,SAAS;AAAA,IACX;AAAA,EACF;AAAA,EACA,MAAM,IAAI,EAAE,KAAK,GAAG;AAClB,UAAM,MAAM,QAAQ,IAAI;AAExB,QAAI,KAAK,MAAM;AACb,MAAE,MAAI,KAAK,GAAG,GAAG,KAAK,OAAO,CAAC,wCAAwC;AACtE;AAAA,IACF;AAEA,IAAE,QAAM,GAAG,IAAI,IAAI,GAAG,KAAK,kBAAkB,CAAC,EAAE;AAEhD,UAAM,YAAY,EAAE,MAAM,MAAM;AAC9B,MAAE,MAAI,MAAM,4CAA4C;AACxD,cAAQ,KAAK,CAAC;AAAA,IAChB,CAAC;AAED,QAAI,MAAM,KAAK,KAAK,KAAK;AACzB,QAAI,QAAQ,KAAK;AAEjB,QAAI,CAAC,KAAK;AACR,YAAM,QAAQ,MAAQ,OAAK;AAAA,QACzB,SAAS;AAAA,QACT,aAAa;AAAA,QACb,UAAU,CAAC,MAAM;AACf,cAAI,CAAC,EAAG,QAAO;AACf,cAAI,CAAC,qBAAqB,KAAK,CAAC,GAAG;AACjC,mBAAO;AAAA,UACT;AAAA,QACF;AAAA,MACF,CAAC;AACD,UAAM,WAAS,KAAK,GAAG;AACrB,QAAE,QAAM,WAAW;AACnB;AAAA,MACF;AACA,YAAM,OAAO,KAAK,EAAE,KAAK;AAAA,IAC3B;AAEA,QAAI,CAAC,qBAAqB,KAAK,GAAG,GAAG;AACnC,MAAE,MAAI,MAAM,oCAAoC;AAChD,cAAQ,KAAK,CAAC;AAAA,IAChB;AAEA,QAAI,CAAC,OAAO;AACV,YAAM,QAAQ,MAAQ,WAAS;AAAA,QAC7B,SAAS,mBAAmB,GAAG;AAAA,QAC/B,MAAM;AAAA,MACR,CAAC;AACD,UAAM,WAAS,KAAK,GAAG;AACrB,QAAE,QAAM,WAAW;AACnB;AAAA,MACF;AACA,cAAQ,OAAO,KAAK;AAAA,IACtB;AAEA,UAAM,eAAe,MAAM,KAAK;AAChC,QAAI,CAAC,cAAc;AACjB,MAAE,MAAI,MAAM,+BAA+B;AAC3C,cAAQ,KAAK,CAAC;AAAA,IAChB;AAEA,UAAMA,WAAY,UAAQ;AAC1B,IAAAA,SAAQ,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,oBAAoB;AAExD,QAAI;AACF,YAAM,aAAa,MAAM,gCAAgC,GAAG;AAC5D,YAAM,WAAW,gBAAgB;AACjC,YAAM,SAAS,UAAU;AAAA,QACvB;AAAA,QACA;AAAA,QACA,MAAM;AAAA,QACN,OAAO;AAAA,MACT,CAAC;AAED,YAAM,eAAe,MAAM,2BAA2B,GAAG;AACzD,YAAM,SAAS,aAAa,cAAc,CAAC,GAAG,CAAC;AAC/C,YAAM,0BAA0B,KAAK,MAAM;AAC3C,YAAM,cAAc,GAAG;AAEvB,MAAAA,SAAQ,KAAK,UAAU,GAAG,KAAK,GAAG,CAAC,QAAQ;AAC3C,MAAE,QAAM,MAAM;AAAA,IAChB,SAAS,OAAO;AACd,MAAAA,SAAQ,KAAK,sBAAsB;AACnC,MAAE,MAAI,MAAM,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,CAAC;AAClE,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF;AACF,CAAC;","names":["spinner"]}

package/dist/chunk-5ZRVO3TQ.js

@@ -0,0 +1,70 @@
+#!/usr/bin/env node
+import {
+  ensureConfig
+} from "./chunk-INB3LG6O.js";
+import {
+  materializeRuntime,
+  readProjectState
+} from "./chunk-DHCCSWJN.js";
+
+// src/utils/secrets-config.ts
+import { readFile, writeFile } from "fs/promises";
+import { join } from "path";
+var SECRETS_ARRAY_REGEX = /secrets:\s*\[([\s\S]*?)\]/m;
+var SECRET_LITERAL_REGEX = /["'`]([^"'`]+)["'`]/g;
+async function readLocalSecretsFromConfig(cwd) {
+  const configPath = join(cwd, "kalp.config.ts");
+  const content = await readFile(configPath, "utf-8").catch(() => {
+    throw new Error("kalp.config.ts not found. Run create-kalp first.");
+  });
+  const match = content.match(SECRETS_ARRAY_REGEX);
+  if (!match) return [];
+  const body = match[1] ?? "";
+  const values = [];
+  let item;
+  while ((item = SECRET_LITERAL_REGEX.exec(body)) !== null) {
+    if (item[1]) values.push(item[1]);
+  }
+  return [...new Set(values)].sort((a, b) => a.localeCompare(b));
+}
+async function writeLocalSecretsToConfig(cwd, secrets) {
+  const configPath = join(cwd, "kalp.config.ts");
+  const content = await readFile(configPath, "utf-8").catch(() => {
+    throw new Error("kalp.config.ts not found. Run create-kalp first.");
+  });
+  if (!SECRETS_ARRAY_REGEX.test(content)) {
+    throw new Error(
+      "Could not find `secrets: []` in kalp.config.ts. Add a secrets array first."
+    );
+  }
+  const sorted = [...new Set(secrets)].map((value) => value.trim()).filter(Boolean).sort((a, b) => a.localeCompare(b));
+  const serialized = sorted.length > 0 ? sorted.map((secret) => `"${secret}"`).join(", ") : "";
+  const next = content.replace(SECRETS_ARRAY_REGEX, `secrets: [${serialized}]`);
+  await writeFile(configPath, next, "utf-8");
+}
+function mergeSecrets(base, incoming) {
+  return [...new Set([...base, ...incoming].map((value) => value.trim()).filter(Boolean))].sort((a, b) => a.localeCompare(b));
+}
+
+// src/utils/secrets-runtime.ts
+async function resolveSecretsRuntimeConfigPath(cwd) {
+  await ensureConfig(cwd).catch(() => {
+    throw new Error("kalp.config.ts not found.");
+  });
+  const state = await readProjectState(cwd);
+  if (!state?.workerUrl) {
+    throw new Error(
+      "No remote runtime found for this project. Run `kalp deploy` first."
+    );
+  }
+  const runtime = await materializeRuntime(cwd, { mode: "remote" });
+  return runtime.wranglerConfigPath;
+}
+
+export {
+  readLocalSecretsFromConfig,
+  writeLocalSecretsToConfig,
+  mergeSecrets,
+  resolveSecretsRuntimeConfigPath
+};
+//# sourceMappingURL=chunk-5ZRVO3TQ.js.map

package/dist/chunk-5ZRVO3TQ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/utils/secrets-config.ts","../src/utils/secrets-runtime.ts"],"sourcesContent":["import { readFile, writeFile } from \"node:fs/promises\";\nimport { join } from \"node:path\";\n\nconst SECRETS_ARRAY_REGEX = /secrets:\\s*\\[([\\s\\S]*?)\\]/m;\nconst SECRET_LITERAL_REGEX = /[\"'`]([^\"'`]+)[\"'`]/g;\n\nexport async function readLocalSecretsFromConfig(cwd: string): Promise<string[]> {\n  const configPath = join(cwd, \"kalp.config.ts\");\n  const content = await readFile(configPath, \"utf-8\").catch(() => {\n    throw new Error(\"kalp.config.ts not found. Run create-kalp first.\");\n  });\n\n  const match = content.match(SECRETS_ARRAY_REGEX);\n  if (!match) return [];\n  const body = match[1] ?? \"\";\n  const values: string[] = [];\n  let item: RegExpExecArray | null;\n  while ((item = SECRET_LITERAL_REGEX.exec(body)) !== null) {\n    if (item[1]) values.push(item[1]);\n  }\n  return [...new Set(values)].sort((a, b) => a.localeCompare(b));\n}\n\nexport async function writeLocalSecretsToConfig(\n  cwd: string,\n  secrets: string[],\n): Promise<void> {\n  const configPath = join(cwd, \"kalp.config.ts\");\n  const content = await readFile(configPath, \"utf-8\").catch(() => {\n    throw new Error(\"kalp.config.ts not found. Run create-kalp first.\");\n  });\n\n  if (!SECRETS_ARRAY_REGEX.test(content)) {\n    throw new Error(\n      \"Could not find `secrets: []` in kalp.config.ts. Add a secrets array first.\",\n    );\n  }\n\n  const sorted = [...new Set(secrets)]\n    .map((value) => value.trim())\n    .filter(Boolean)\n    .sort((a, b) => a.localeCompare(b));\n\n  const serialized =\n    sorted.length > 0 ? sorted.map((secret) => `\"${secret}\"`).join(\", \") : \"\";\n  const next = content.replace(SECRETS_ARRAY_REGEX, `secrets: [${serialized}]`);\n  await writeFile(configPath, next, \"utf-8\");\n}\n\nexport function mergeSecrets(\n  base: string[],\n  incoming: string[],\n): string[] {\n  return [...new Set([...base, ...incoming].map((value) => value.trim()).filter(Boolean))]\n    .sort((a, b) => a.localeCompare(b));\n}\n","import { ensureConfig } from \"@/utils/fs\";\nimport { readProjectState } from \"@/utils/project-state\";\nimport { materializeRuntime } from \"@/utils/runtime\";\n\nexport async function resolveSecretsRuntimeConfigPath(cwd: string): Promise<string> {\n  await ensureConfig(cwd).catch(() => {\n    throw new Error(\"kalp.config.ts not found.\");\n  });\n\n  const state = await readProjectState(cwd);\n  if (!state?.workerUrl) {\n    throw new Error(\n      \"No remote runtime found for this project. Run `kalp deploy` first.\",\n    );\n  }\n\n  const runtime = await materializeRuntime(cwd, { mode: \"remote\" });\n  return runtime.wranglerConfigPath;\n}\n"],"mappings":";;;;;;;;;;AAAA,SAAS,UAAU,iBAAiB;AACpC,SAAS,YAAY;AAErB,IAAM,sBAAsB;AAC5B,IAAM,uBAAuB;AAE7B,eAAsB,2BAA2B,KAAgC;AAC/E,QAAM,aAAa,KAAK,KAAK,gBAAgB;AAC7C,QAAM,UAAU,MAAM,SAAS,YAAY,OAAO,EAAE,MAAM,MAAM;AAC9D,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE,CAAC;AAED,QAAM,QAAQ,QAAQ,MAAM,mBAAmB;AAC/C,MAAI,CAAC,MAAO,QAAO,CAAC;AACpB,QAAM,OAAO,MAAM,CAAC,KAAK;AACzB,QAAM,SAAmB,CAAC;AAC1B,MAAI;AACJ,UAAQ,OAAO,qBAAqB,KAAK,IAAI,OAAO,MAAM;AACxD,QAAI,KAAK,CAAC,EAAG,QAAO,KAAK,KAAK,CAAC,CAAC;AAAA,EAClC;AACA,SAAO,CAAC,GAAG,IAAI,IAAI,MAAM,CAAC,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,cAAc,CAAC,CAAC;AAC/D;AAEA,eAAsB,0BACpB,KACA,SACe;AACf,QAAM,aAAa,KAAK,KAAK,gBAAgB;AAC7C,QAAM,UAAU,MAAM,SAAS,YAAY,OAAO,EAAE,MAAM,MAAM;AAC9D,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACpE,CAAC;AAED,MAAI,CAAC,oBAAoB,KAAK,OAAO,GAAG;AACtC,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,SAAS,CAAC,GAAG,IAAI,IAAI,OAAO,CAAC,EAChC,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAC3B,OAAO,OAAO,EACd,KAAK,CAAC,GAAG,MAAM,EAAE,cAAc,CAAC,CAAC;AAEpC,QAAM,aACJ,OAAO,SAAS,IAAI,OAAO,IAAI,CAAC,WAAW,IAAI,MAAM,GAAG,EAAE,KAAK,IAAI,IAAI;AACzE,QAAM,OAAO,QAAQ,QAAQ,qBAAqB,aAAa,UAAU,GAAG;AAC5E,QAAM,UAAU,YAAY,MAAM,OAAO;AAC3C;AAEO,SAAS,aACd,MACA,UACU;AACV,SAAO,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,MAAM,GAAG,QAAQ,EAAE,IAAI,CAAC,UAAU,MAAM,KAAK,CAAC,EAAE,OAAO,OAAO,CAAC,CAAC,EACpF,KAAK,CAAC,GAAG,MAAM,EAAE,cAAc,CAAC,CAAC;AACtC;;;ACnDA,eAAsB,gCAAgC,KAA8B;AAClF,QAAM,aAAa,GAAG,EAAE,MAAM,MAAM;AAClC,UAAM,IAAI,MAAM,2BAA2B;AAAA,EAC7C,CAAC;AAED,QAAM,QAAQ,MAAM,iBAAiB,GAAG;AACxC,MAAI,CAAC,OAAO,WAAW;AACrB,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,mBAAmB,KAAK,EAAE,MAAM,SAAS,CAAC;AAChE,SAAO,QAAQ;AACjB;","names":[]}

package/dist/{chunk-GW6MLHK7.js → chunk-DHCCSWJN.js}

@@ -1,103 +1,8 @@
 #!/usr/bin/env node
 
-// src/utils/secret.ts
-import { randomBytes } from "crypto";
-import { readFile, writeFile } from "fs/promises";
-import { join } from "path";
-var SECRET_KEY = "KALP_SECRET_KEY";
-var STUDIO_PASSWORD = "KALP_STUDIO_PASSWORD";
-var STUDIO_ADMIN_USER = "KALP_STUDIO_ADMIN_USER";
-var SERVICE_KEY = "KALP_SERVICE_KEY";
-function escapeRegExp(value) {
-  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-function parseEnv(content) {
-  const result = {};
-  for (const line of content.split(/\r?\n/g)) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    const eqIndex = trimmed.indexOf("=");
-    if (eqIndex <= 0) continue;
-    const key = trimmed.slice(0, eqIndex).trim();
-    const value = trimmed.slice(eqIndex + 1).trim();
-    result[key] = value;
-  }
-  return result;
-}
-function applyEnvUpdates(content, updates) {
-  let next = content;
-  for (const [key, value] of Object.entries(updates)) {
-    const line = `${key}=${value}`;
-    const pattern = new RegExp(`^${escapeRegExp(key)}=.*$`, "m");
-    if (pattern.test(next)) {
-      next = next.replace(pattern, line);
-      continue;
-    }
-    const trimmed = next.trimEnd();
-    next = trimmed.length > 0 ? `${trimmed}
-${line}
-` : `${line}
-`;
-  }
-  return next.trimEnd() + "\n";
-}
-async function readEnvFile(cwd) {
-  const envPath = join(cwd, ".env");
-  try {
-    return await readFile(envPath, "utf-8");
-  } catch {
-    return "";
-  }
-}
-async function readDevVarsFile(cwd) {
-  const devVarsPath = join(cwd, ".dev.vars");
-  try {
-    return await readFile(devVarsPath, "utf-8");
-  } catch {
-    return "";
-  }
-}
-function generateStudioPassword() {
-  return randomBytes(24).toString("base64url");
-}
-function generateServiceKey() {
-  return `kalp_sk_live_${randomBytes(32).toString("base64url")}`;
-}
-async function ensureStudioSecrets(cwd) {
-  const envPath = join(cwd, ".env");
-  const devVarsPath = join(cwd, ".dev.vars");
-  const content = await readEnvFile(cwd);
-  const parsed = parseEnv(content);
-  const key = parsed[SECRET_KEY]?.trim() || randomBytes(32).toString("hex");
-  const studioPassword = parsed[STUDIO_PASSWORD]?.trim() || generateStudioPassword();
-  const studioAdminUser = parsed[STUDIO_ADMIN_USER]?.trim() || "admin";
-  const serviceKey = parsed[SERVICE_KEY]?.trim() || generateServiceKey();
-  const isNew = !parsed[SECRET_KEY]?.trim() || !parsed[STUDIO_PASSWORD]?.trim() || !parsed[STUDIO_ADMIN_USER]?.trim() || !parsed[SERVICE_KEY]?.trim();
-  const next = applyEnvUpdates(content, {
-    [SECRET_KEY]: key,
-    [STUDIO_PASSWORD]: studioPassword,
-    [STUDIO_ADMIN_USER]: studioAdminUser,
-    [SERVICE_KEY]: serviceKey
-  });
-  await writeFile(envPath, next, "utf-8");
-  const devVarsContent = await readDevVarsFile(cwd);
-  const nextDevVars = applyEnvUpdates(devVarsContent, {
-    [SECRET_KEY]: key,
-    [STUDIO_PASSWORD]: studioPassword,
-    [STUDIO_ADMIN_USER]: studioAdminUser,
-    [SERVICE_KEY]: serviceKey
-  });
-  await writeFile(devVarsPath, nextDevVars, "utf-8");
-  return { key, studioPassword, studioAdminUser, serviceKey, isNew };
-}
-async function ensureSecretKey(cwd) {
-  const secrets = await ensureStudioSecrets(cwd);
-  return { key: secrets.key, isNew: secrets.isNew };
-}
-
 // src/utils/project-state.ts
-import { mkdir, readFile as readFile2, writeFile as writeFile2 } from "fs/promises";
-import { join as join2 } from "path";
+import { mkdir, readFile, writeFile } from "fs/promises";
+import { join } from "path";
 var KALP_DIR = ".kalp";
 var STATE_FILE = "state.json";
 function normalizeProjectState(raw) {
@@ -138,17 +43,17 @@ function normalizeProjectState(raw) {
 }
 async function readProjectState(cwd) {
   try {
-    const statePath = join2(cwd, KALP_DIR, STATE_FILE);
-    const content = await readFile2(statePath, "utf-8");
+    const statePath = join(cwd, KALP_DIR, STATE_FILE);
+    const content = await readFile(statePath, "utf-8");
     return normalizeProjectState(JSON.parse(content));
   } catch {
     return null;
   }
 }
 async function writeProjectState(cwd, state) {
-  const dir = join2(cwd, KALP_DIR);
+  const dir = join(cwd, KALP_DIR);
   await mkdir(dir, { recursive: true });
-  await writeFile2(join2(dir, STATE_FILE), `${JSON.stringify(state, null, 2)}
+  await writeFile(join(dir, STATE_FILE), `${JSON.stringify(state, null, 2)}
 `, "utf-8");
 }
 
@@ -159,19 +64,19 @@ import {
   cp,
   mkdir as mkdir2,
   readdir,
-  readFile as readFile4,
+  readFile as readFile3,
   rm,
   stat,
-  writeFile as writeFile4
+  writeFile as writeFile3
 } from "fs/promises";
-import { basename, dirname, join as join6, resolve as resolve2 } from "path";
+import { basename, dirname, join as join5, resolve as resolve2 } from "path";
 import { fileURLToPath } from "url";
 import { deriveLabelFromName } from "@kalphq/project";
 
 // src/utils/ai.ts
-import { access, readFile as readFile3 } from "fs/promises";
+import { access, readFile as readFile2 } from "fs/promises";
 import { constants } from "fs";
-import { join as join3 } from "path";
+import { join as join2 } from "path";
 import { createJiti } from "jiti";
 var PROVIDER_SECRET_MAP = {
   openai: "OPENAI_API_KEY",
@@ -179,7 +84,7 @@ var PROVIDER_SECRET_MAP = {
   openrouter: "OPENROUTER_API_KEY",
   custom: "CUSTOM_AI_API_KEY"
 };
-function parseEnv2(content) {
+function parseEnv(content) {
   const env = {};
   for (const raw of content.split(/\r?\n/g)) {
     const line = raw.trim();
@@ -191,7 +96,7 @@ function parseEnv2(content) {
   return env;
 }
 async function resolveProviderFromConfig(cwd) {
-  const configPath = join3(cwd, "kalp.config.ts");
+  const configPath = join2(cwd, "kalp.config.ts");
   await access(configPath, constants.F_OK);
   const jiti = createJiti(cwd, { interopDefault: true });
   const config = await jiti.import(configPath);
@@ -199,9 +104,9 @@ async function resolveProviderFromConfig(cwd) {
   return provider;
 }
 async function readDotEnv(cwd) {
-  const envPath = join3(cwd, ".env");
-  const content = await readFile3(envPath, "utf-8").catch(() => "");
-  return parseEnv2(content);
+  const envPath = join2(cwd, ".env");
+  const content = await readFile2(envPath, "utf-8").catch(() => "");
+  return parseEnv(content);
 }
 function getRequiredSecretForProvider(provider) {
   return PROVIDER_SECRET_MAP[provider];
@@ -211,7 +116,7 @@ function getRequiredSecretForProvider(provider) {
 import { createJiti as createJiti2 } from "jiti";
 import { access as access2 } from "fs/promises";
 import { constants as constants2 } from "fs";
-import { join as join4, resolve } from "path";
+import { join as join3, resolve } from "path";
 function normalizeStrategy(strategy) {
   if (!strategy) return null;
   if (strategy.type === "jwks") {
@@ -235,7 +140,7 @@ function normalizeStrategy(strategy) {
   };
 }
 async function loadProjectConfig(cwd) {
-  const configPath = resolve(join4(cwd, "kalp.config.ts"));
+  const configPath = resolve(join3(cwd, "kalp.config.ts"));
   await access2(configPath, constants2.F_OK);
   const jiti = createJiti2(cwd, { interopDefault: true });
   const moduleValue = await jiti.import(configPath);
@@ -278,8 +183,8 @@ function resolveIdentityAuthRequirements(identity) {
 
 // src/utils/runtime-identity.ts
 import { build } from "esbuild";
-import { writeFile as writeFile3 } from "fs/promises";
-import { join as join5 } from "path";
+import { writeFile as writeFile2 } from "fs/promises";
+import { join as join4 } from "path";
 var DEFAULT_IDENTITY_MAP_SOURCE = `export default function mapIdentity(payload) {
   const sub =
     payload && typeof payload === "object" && typeof payload.sub === "string"
@@ -307,7 +212,7 @@ function assertEdgeSafeSource(mapIdentitySource) {
   );
 }
 async function writeDefaultIdentityMap(identityMapPath) {
-  await writeFile3(identityMapPath, DEFAULT_IDENTITY_MAP_SOURCE, "utf-8");
+  await writeFile2(identityMapPath, DEFAULT_IDENTITY_MAP_SOURCE, "utf-8");
 }
 async function bundleIdentityMap(params) {
   const { cwd, mapIdentitySource, identityMapPath } = params;
@@ -353,8 +258,8 @@ export default mapIdentity;
 }
 async function materializeRuntimeIdentity(params) {
   const { cwd, runtimeDir } = params;
-  const identityConfigPath = join5(runtimeDir, "identity.config.json");
-  const identityMapPath = join5(runtimeDir, "identity.map.mjs");
+  const identityConfigPath = join4(runtimeDir, "identity.config.json");
+  const identityMapPath = join4(runtimeDir, "identity.map.mjs");
   let rawConfig = {};
   try {
     const loaded = await loadProjectConfig(cwd);
@@ -363,7 +268,7 @@ async function materializeRuntimeIdentity(params) {
     rawConfig = {};
   }
   const identityConfig = resolveRuntimeIdentityConfig(rawConfig);
-  await writeFile3(
+  await writeFile2(
     identityConfigPath,
     `${JSON.stringify(identityConfig, null, 2)}
 `,
@@ -400,9 +305,9 @@ function sanitizeSegment(input) {
 }
 async function resolveProjectSlug(cwd) {
   const fallback = sanitizeSegment(basename(cwd)) || "agent";
-  const packageJsonPath = join6(cwd, "package.json");
+  const packageJsonPath = join5(cwd, "package.json");
   try {
-    const content = await readFile4(packageJsonPath, "utf-8");
+    const content = await readFile3(packageJsonPath, "utf-8");
     const pkg = JSON.parse(content);
     const name = typeof pkg.name === "string" ? pkg.name : "";
     const sanitized = sanitizeSegment(name);
@@ -480,20 +385,20 @@ function runtimeTemplateCandidates() {
   );
   return [
     {
-      studioTemplateDir: join6(distTemplateRoot, STUDIO_DIR),
-      workerEntryPath: join6(distTemplateRoot, WORKER_ENTRY_FILE)
+      studioTemplateDir: join5(distTemplateRoot, STUDIO_DIR),
+      workerEntryPath: join5(distTemplateRoot, WORKER_ENTRY_FILE)
     },
     {
-      studioTemplateDir: join6(packageRootTemplate, STUDIO_DIR),
-      workerEntryPath: join6(packageRootTemplate, WORKER_ENTRY_FILE)
+      studioTemplateDir: join5(packageRootTemplate, STUDIO_DIR),
+      workerEntryPath: join5(packageRootTemplate, WORKER_ENTRY_FILE)
     },
     {
-      studioTemplateDir: join6(sourceTemplateRoot, STUDIO_DIR),
-      workerEntryPath: join6(sourceTemplateRoot, WORKER_ENTRY_FILE)
+      studioTemplateDir: join5(sourceTemplateRoot, STUDIO_DIR),
+      workerEntryPath: join5(sourceTemplateRoot, WORKER_ENTRY_FILE)
     },
     {
       studioTemplateDir: monorepoStudioDist,
-      workerEntryPath: join6(sourceTemplateRoot, WORKER_ENTRY_FILE)
+      workerEntryPath: join5(sourceTemplateRoot, WORKER_ENTRY_FILE)
     }
   ];
 }
@@ -528,13 +433,13 @@ ${cssLinks}
 `;
 }
 async function ensureStudioIndex(studioDir) {
-  const indexPath = join6(studioDir, "index.html");
+  const indexPath = join5(studioDir, "index.html");
   try {
     await access3(indexPath);
     return;
   } catch {
   }
-  const assetsDir = join6(studioDir, "assets");
+  const assetsDir = join5(studioDir, "assets");
   const assetFiles = await readdir(assetsDir);
   const entryScript = assetFiles.find((file) => /^index-.*\.js$/i.test(file)) ?? assetFiles.find((file) => file.endsWith(".js"));
   if (!entryScript) {
@@ -544,16 +449,16 @@ async function ensureStudioIndex(studioDir) {
   }
   const cssFiles = assetFiles.filter((file) => file.endsWith(".css")).sort();
   const html = createStudioShell(entryScript, cssFiles);
-  await writeFile4(indexPath, html, "utf-8");
+  await writeFile3(indexPath, html, "utf-8");
 }
 async function readLocalAgentNames(cwd) {
-  const agentsDir = join6(cwd, "agents");
+  const agentsDir = join5(cwd, "agents");
   try {
     const entries = await readdir(agentsDir, { withFileTypes: true });
     const names = [];
     for (const entry of entries) {
       if (!entry.isDirectory()) continue;
-      const indexPath = join6(agentsDir, entry.name, "index.ts");
+      const indexPath = join5(agentsDir, entry.name, "index.ts");
       const exists = await stat(indexPath).then(() => true).catch(() => false);
       if (exists) names.push(entry.name);
     }
@@ -568,7 +473,7 @@ async function createAgentsSnapshot(cwd, mode) {
   const byName = /* @__PURE__ */ new Map();
   const stateAgents = state?.agents ?? {};
   for (const name of localAgentNames) {
-    const localPath = join6(cwd, "agents", name, "index.ts");
+    const localPath = join5(cwd, "agents", name, "index.ts");
     const saved = stateAgents[name];
     const hasRemoteVersion = !!saved?.lastRemoteHash && (saved?.currentVersion ?? 0) > 0;
     if (mode === "remote" && !hasRemoteVersion) {
@@ -596,7 +501,7 @@ async function createAgentsSnapshot(cwd, mode) {
     for (const [name, saved] of Object.entries(stateAgents)) {
       const hasRemoteVersion = !!saved.lastRemoteHash && (saved.currentVersion ?? 0) > 0;
       if (!hasRemoteVersion || byName.has(name)) continue;
-      const localPath = saved.localPath ?? join6(cwd, "agents", name, "index.ts");
+      const localPath = saved.localPath ?? join5(cwd, "agents", name, "index.ts");
       const workerUrl = saved.workerUrl ?? (state?.workerUrl ? `${state.workerUrl.replace(/\/$/, "")}/a/${name}` : null);
       const versionNumber = saved.currentVersion > 0 ? saved.currentVersion : null;
       byName.set(name, {
@@ -626,8 +531,8 @@ async function createAgentsSnapshot(cwd, mode) {
 }
 async function writeRuntimeAgentsSnapshot(params) {
   const snapshot = await createAgentsSnapshot(params.cwd, params.mode);
-  await writeFile4(
-    join6(params.runtimeDir, "agents.snapshot.json"),
+  await writeFile3(
+    join5(params.runtimeDir, "agents.snapshot.json"),
     `${JSON.stringify(snapshot, null, 2)}
 `,
     "utf-8"
@@ -635,10 +540,10 @@ async function writeRuntimeAgentsSnapshot(params) {
 }
 async function materializeRuntime(cwd, options = {}) {
   const mode = options.mode ?? "remote";
-  const runtimeDir = join6(cwd, RUNTIME_ROOT, RUNTIME_DIR);
-  const studioDir = join6(runtimeDir, STUDIO_DIR);
-  const workerEntrypointPath = join6(runtimeDir, WORKER_ENTRY_FILE);
-  const wranglerConfigPath = join6(runtimeDir, WRANGLER_CONFIG_FILE);
+  const runtimeDir = join5(cwd, RUNTIME_ROOT, RUNTIME_DIR);
+  const studioDir = join5(runtimeDir, STUDIO_DIR);
+  const workerEntrypointPath = join5(runtimeDir, WORKER_ENTRY_FILE);
+  const wranglerConfigPath = join5(runtimeDir, WRANGLER_CONFIG_FILE);
   const template = await resolveRuntimeTemplate();
   await rm(runtimeDir, { recursive: true, force: true });
   await mkdir2(runtimeDir, { recursive: true });
@@ -669,7 +574,7 @@ async function materializeRuntime(cwd, options = {}) {
     mode,
     [...requiredSecrets].sort((a, b) => a.localeCompare(b))
   );
-  await writeFile4(
+  await writeFile3(
     wranglerConfigPath,
     `${JSON.stringify(wranglerConfig, null, 2)}
 `,
@@ -685,8 +590,6 @@ async function materializeRuntime(cwd, options = {}) {
 }
 
 export {
-  ensureStudioSecrets,
-  ensureSecretKey,
   readProjectState,
   writeProjectState,
   resolveProviderFromConfig,
@@ -699,4 +602,4 @@ export {
   writeRuntimeAgentsSnapshot,
   materializeRuntime
 };
-//# sourceMappingURL=chunk-GW6MLHK7.js.map
+//# sourceMappingURL=chunk-DHCCSWJN.js.map