@karmaniverous/get-dotenv 5.2.6 → 6.0.0-1

package/dist/plugins-aws.mjs

@@ -1,9 +1,20 @@
 import { execa, execaCommand } from 'execa';
 import { z } from 'zod';
+import 'fs-extra';
+import 'path';
+import 'package-directory';
+import 'url';
+import 'yaml';
+import 'nanoid';
+import 'dotenv';
+import 'crypto';
 
 // Minimal tokenizer for shell-off execution:
 // Splits by whitespace while preserving quoted segments (single or double quotes).
-const tokenize = (command) => {
+// Optionally preserve doubled quotes inside quoted segments:
+// - default: "" => " (Windows/PowerShell style literal-quote escape)
+// - preserveDoubledQuotes: true => "" stays "" (needed for Node -e payloads)
+const tokenize = (command, opts) => {
     const out = [];
     let cur = '';
     let quote = null;
@@ -11,12 +22,16 @@ const tokenize = (command) => {
         const c = command.charAt(i);
         if (quote) {
             if (c === quote) {
-                // Support doubled quotes inside a quoted segment (Windows/PowerShell style):
-                // "" -> " and '' -> '
+                // Support doubled quotes inside a quoted segment:
+                // default: "" -> " and '' -> ' (Windows/PowerShell style)
+                // preserve: keep as "" to allow empty string literals in Node -e payloads
                 const next = command.charAt(i + 1);
                 if (next === quote) {
-                    cur += quote;
-                    i += 1; // skip the second quote
+                    {
+                        // Collapse to a single literal quote
+                        cur += quote;
+                        i += 1; // skip the second quote
+                    }
                 }
                 else {
                     // end of quoted segment
@@ -90,62 +105,55 @@ const sanitizeEnv = (env) => {
     const entries = Object.entries(env).filter((e) => typeof e[1] === 'string');
     return entries.length > 0 ? Object.fromEntries(entries) : undefined;
 };
-/**
- * Execute a command and capture stdout/stderr (buffered).
- * - Preserves plain vs shell behavior and argv/string normalization.
- * - Never re-emits stdout/stderr to parent; returns captured buffers.
- * - Supports optional timeout (ms).
- */
-const runCommandResult = async (command, shell, opts = {}) => {
+async function runCommandResult(command, shell, opts = {}) {
     const envSan = sanitizeEnv(opts.env);
     {
         let file;
         let args = [];
-        if (Array.isArray(command)) {
-            file = command[0];
-            args = command.slice(1).map(stripOuterQuotes);
-        }
-        else {
+        if (typeof command === 'string') {
             const tokens = tokenize(command);
             file = tokens[0];
             args = tokens.slice(1);
         }
+        else {
+            file = command[0];
+            args = command.slice(1).map(stripOuterQuotes);
+        }
         if (!file)
             return { exitCode: 0, stdout: '', stderr: '' };
         dbg('exec:capture (plain)', { file, args });
         try {
-            const result = await execa(file, args, {
+            const ok = pickResult((await execa(file, args, {
                 ...(opts.cwd !== undefined ? { cwd: opts.cwd } : {}),
                 ...(envSan !== undefined ? { env: envSan } : {}),
                 stdio: 'pipe',
                 ...(opts.timeoutMs !== undefined
                     ? { timeout: opts.timeoutMs, killSignal: 'SIGKILL' }
                     : {}),
-            });
-            const ok = pickResult(result);
+            })));
             dbg('exit:capture (plain)', { exitCode: ok.exitCode });
             return ok;
         }
-        catch (err) {
-            const out = pickResult(err);
+        catch (e) {
+            const out = pickResult(e);
             dbg('exit:capture:error (plain)', { exitCode: out.exitCode });
             return out;
         }
     }
-};
-const runCommand = async (command, shell, opts) => {
+}
+async function runCommand(command, shell, opts) {
     if (shell === false) {
         let file;
         let args = [];
-        if (Array.isArray(command)) {
-            file = command[0];
-            args = command.slice(1).map(stripOuterQuotes);
-        }
-        else {
+        if (typeof command === 'string') {
             const tokens = tokenize(command);
             file = tokens[0];
             args = tokens.slice(1);
         }
+        else {
+            file = command[0];
+            args = command.slice(1).map(stripOuterQuotes);
+        }
         if (!file)
             return 0;
         dbg('exec (plain)', { file, args, stdio: opts.stdio });
@@ -158,16 +166,15 @@ const runCommand = async (command, shell, opts) => {
             plainOpts.env = envSan;
         if (opts.stdio !== undefined)
             plainOpts.stdio = opts.stdio;
-        const result = await execa(file, args, plainOpts);
-        if (opts.stdio === 'pipe' && result.stdout) {
-            process.stdout.write(result.stdout + (result.stdout.endsWith('\n') ? '' : '\n'));
+        const ok = pickResult((await execa(file, args, plainOpts)));
+        if (opts.stdio === 'pipe' && ok.stdout) {
+            process.stdout.write(ok.stdout + (ok.stdout.endsWith('\n') ? '' : '\n'));
         }
-        const exit = result?.exitCode;
-        dbg('exit (plain)', { exitCode: exit });
-        return typeof exit === 'number' ? exit : Number.NaN;
+        dbg('exit (plain)', { exitCode: ok.exitCode });
+        return typeof ok.exitCode === 'number' ? ok.exitCode : Number.NaN;
     }
     else {
-        const commandStr = Array.isArray(command) ? command.join(' ') : command;
+        const commandStr = typeof command === 'string' ? command : command.join(' ');
         dbg('exec (shell)', {
             shell: typeof shell === 'string' ? shell : 'custom',
             stdio: opts.stdio,
@@ -181,17 +188,29 @@ const runCommand = async (command, shell, opts) => {
             shellOpts.env = envSan;
         if (opts.stdio !== undefined)
             shellOpts.stdio = opts.stdio;
-        const result = await execaCommand(commandStr, shellOpts);
-        const out = result?.stdout;
-        if (opts.stdio === 'pipe' && out) {
-            process.stdout.write(out + (out.endsWith('\n') ? '' : '\n'));
+        const ok = pickResult((await execaCommand(commandStr, shellOpts)));
+        if (opts.stdio === 'pipe' && ok.stdout) {
+            process.stdout.write(ok.stdout + (ok.stdout.endsWith('\n') ? '' : '\n'));
         }
-        const exit = result?.exitCode;
-        dbg('exit (shell)', { exitCode: exit });
-        return typeof exit === 'number' ? exit : Number.NaN;
+        dbg('exit (shell)', { exitCode: ok.exitCode });
+        return typeof ok.exitCode === 'number' ? ok.exitCode : Number.NaN;
     }
-};
+}
 
+/** src/cliCore/spawnEnv.ts
+ * Build a sanitized environment bag for child processes.
+ *
+ * Requirements addressed:
+ * - Provide a single helper (buildSpawnEnv) to normalize/dedupe child env.
+ * - Drop undefined values (exactOptional semantics).
+ * - On Windows, dedupe keys case-insensitively and prefer the last value,
+ *   preserving the latest key's casing. Ensure HOME fallback from USERPROFILE.
+ *   Normalize TMP/TEMP consistency when either is present.
+ * - On POSIX, keep keys as-is; when a temp dir key is present (TMPDIR/TMP/TEMP),
+ *   ensure TMPDIR exists for downstream consumers that expect it.
+ *
+ * Adapter responsibility: pure mapping; no business logic.
+ */
 const dropUndefined = (bag) => Object.fromEntries(Object.entries(bag).filter((e) => typeof e[1] === 'string'));
 /** Build a sanitized env for child processes from base + overlay. */
 const buildSpawnEnv = (base, overlay) => {
@@ -234,6 +253,83 @@ const buildSpawnEnv = (base, overlay) => {
     return out;
 };
 
+/**
+ * Zod schemas for configuration files discovered by the new loader.
+ *
+ * Notes:
+ * - RAW: all fields optional; shapes are stringly-friendly (paths may be string[] or string).
+ * - RESOLVED: normalized shapes (paths always string[]).
+ * - For JSON/YAML configs, the loader rejects "dynamic" and "schema" (JS/TS-only).
+ */
+// String-only env value map
+const stringMap = z.record(z.string(), z.string());
+const envStringMap = z.record(z.string(), stringMap);
+// Allow string[] or single string for "paths" in RAW; normalize later.
+const rawPathsSchema = z.union([z.array(z.string()), z.string()]).optional();
+const getDotenvConfigSchemaRaw = z.object({
+    dotenvToken: z.string().optional(),
+    privateToken: z.string().optional(),
+    paths: rawPathsSchema,
+    loadProcess: z.boolean().optional(),
+    log: z.boolean().optional(),
+    shell: z.union([z.string(), z.boolean()]).optional(),
+    scripts: z.record(z.string(), z.unknown()).optional(), // Scripts validation left wide; generator validates elsewhere
+    requiredKeys: z.array(z.string()).optional(),
+    schema: z.unknown().optional(), // JS/TS-only; loader rejects in JSON/YAML
+    vars: stringMap.optional(), // public, global
+    envVars: envStringMap.optional(), // public, per-env
+    // Dynamic in config (JS/TS only). JSON/YAML loader will reject if set.
+    dynamic: z.unknown().optional(),
+    // Per-plugin config bag; validated by plugins/host when used.
+    plugins: z.record(z.string(), z.unknown()).optional(),
+});
+// Normalize paths to string[]
+const normalizePaths = (p) => p === undefined ? undefined : Array.isArray(p) ? p : [p];
+getDotenvConfigSchemaRaw.transform((raw) => ({
+    ...raw,
+    paths: normalizePaths(raw.paths),
+}));
+
+/**
+ * Zod schemas for programmatic GetDotenv options.
+ *
+ * Canonical source of truth for options shape. Public types are derived
+ * from these schemas (see consumers via z.output\<\>).
+ */
+// Minimal process env representation: string values or undefined to indicate "unset".
+const processEnvSchema = z.record(z.string(), z.string().optional());
+// RAW: all fields optional — undefined means "inherit" from lower layers.
+z.object({
+    defaultEnv: z.string().optional(),
+    dotenvToken: z.string().optional(),
+    dynamicPath: z.string().optional(),
+    // Dynamic map is intentionally wide for now; refine once sources are normalized.
+    dynamic: z.record(z.string(), z.unknown()).optional(),
+    env: z.string().optional(),
+    excludeDynamic: z.boolean().optional(),
+    excludeEnv: z.boolean().optional(),
+    excludeGlobal: z.boolean().optional(),
+    excludePrivate: z.boolean().optional(),
+    excludePublic: z.boolean().optional(),
+    loadProcess: z.boolean().optional(),
+    log: z.boolean().optional(),
+    logger: z.unknown().optional(),
+    outputPath: z.string().optional(),
+    paths: z.array(z.string()).optional(),
+    privateToken: z.string().optional(),
+    vars: processEnvSchema.optional(),
+});
+
+/**
+ * Instance-bound plugin config store.
+ * Host stores the validated/interpolated slice per plugin instance.
+ * The store is intentionally private to this module; definePlugin()
+ * provides a typed accessor that reads from this store for the calling
+ * plugin instance.
+ */
+const PLUGIN_CONFIG_STORE = new WeakMap();
+const _getPluginConfigForInstance = (plugin) => PLUGIN_CONFIG_STORE.get(plugin);
+
 /** src/cliHost/definePlugin.ts
  * Plugin contracts for the GetDotenv CLI host.
  *
@@ -241,26 +337,59 @@ const buildSpawnEnv = (base, overlay) => {
  * should use (GetDotenvCliPublic). Using a structural type at the seam avoids
  * nominal class identity issues (private fields) in downstream consumers.
  */
-/**
- * Define a GetDotenv CLI plugin with compositional helpers.
- *
- * @example
- * const parent = definePlugin(\{ id: 'p', setup(cli) \{ /* ... *\/ \} \})
- *   .use(childA)
- *   .use(childB);
- */
-const definePlugin = (spec) => {
+/* eslint-disable tsdoc/syntax */
+function definePlugin(spec) {
     const { children = [], ...rest } = spec;
-    const plugin = {
+    // Default to a strict empty-object schema so “no-config” plugins fail fast
+    // on unknown keys and provide a concrete {} at runtime.
+    const effectiveSchema = spec.configSchema ?? z.object({}).strict();
+    // Build base plugin first, then extend with instance-bound helpers.
+    const base = {
         ...rest,
+        // Always carry a schema (strict empty by default) to simplify host logic
+        // and improve inference/ergonomics for plugin authors.
+        configSchema: effectiveSchema,
         children: [...children],
         use(child) {
             this.children.push(child);
             return this;
         },
     };
-    return plugin;
-};
+    // Attach instance-bound helpers on the returned plugin object.
+    const extended = base;
+    extended.readConfig = function (_cli) {
+        // Config is stored per-plugin-instance by the host (WeakMap in computeContext).
+        const value = _getPluginConfigForInstance(extended);
+        if (value === undefined) {
+            // Guard: host has not resolved config yet (incorrect lifecycle usage).
+            throw new Error('Plugin config not available. Ensure resolveAndLoad() has been called before readConfig().');
+        }
+        return value;
+    };
+    // Plugin-bound dynamic option factory
+    extended.createPluginDynamicOption = function (cli, flags, desc, parser, defaultValue) {
+        return cli.createDynamicOption(flags, (cfg) => {
+            // Prefer the validated slice stored per instance; fallback to help-bag
+            // (by-id) so top-level `-h` can render effective defaults before resolve.
+            const fromStore = _getPluginConfigForInstance(extended);
+            const id = extended.id;
+            let fromBag;
+            if (!fromStore && id) {
+                const maybe = cfg.plugins[id];
+                if (maybe && typeof maybe === 'object') {
+                    fromBag = maybe;
+                }
+            }
+            // Always provide a concrete object to dynamic callbacks:
+            // - With a schema: computeContext stores the parsed object.
+            // - Without a schema: computeContext stores {}.
+            // - Help-time fallback: coalesce to {} when only a by-id bag exists.
+            const cfgVal = (fromStore ?? fromBag ?? {});
+            return desc(cfg, cfgVal);
+        }, parser, defaultValue);
+    };
+    return extended;
+}
 
 /**
  * Batch services (neutral): resolve command and shell settings.
@@ -481,90 +610,79 @@ const AwsPluginConfigSchema = z.object({
     regionKey: z.string().default('AWS_REGION').optional(),
     strategy: z.enum(['cli-export', 'none']).default('cli-export').optional(),
     loginOnDemand: z.boolean().default(false).optional(),
-    setEnv: z.boolean().default(true).optional(),
-    addCtx: z.boolean().default(true).optional(),
 });
 
-const awsPlugin = () => definePlugin({
-    id: 'aws',
-    // Host validates this slice when the loader path is active.
-    configSchema: AwsPluginConfigSchema,
-    setup(cli) {
-        // Subcommand: aws
-        cli
-            .ns('aws')
-            .description('Establish an AWS session and optionally forward to the AWS CLI')
-            .configureHelp({ showGlobalOptions: true })
-            .enablePositionalOptions()
-            .passThroughOptions()
-            .allowUnknownOption(true)
-            // Boolean toggles
-            .option('--login-on-demand', 'attempt aws sso login on-demand')
-            .option('--no-login-on-demand', 'disable sso login on-demand')
-            .option('--set-env', 'write resolved values into process.env')
-            .option('--no-set-env', 'do not write resolved values into process.env')
-            .option('--add-ctx', 'mirror results under ctx.plugins.aws')
-            .option('--no-add-ctx', 'do not mirror results under ctx.plugins.aws')
-            // Strings / enums
-            .option('--profile <string>', 'AWS profile name')
-            .option('--region <string>', 'AWS region')
-            .option('--default-region <string>', 'fallback region')
-            .option('--strategy <string>', 'credential acquisition strategy: cli-export|none')
-            // Advanced key overrides
-            .option('--profile-key <string>', 'dotenv/config key for local profile')
-            .option('--profile-fallback-key <string>', 'fallback dotenv/config key for profile')
-            .option('--region-key <string>', 'dotenv/config key for region')
-            // Accept any extra operands so Commander does not error when tokens appear after "--".
-            .argument('[args...]')
-            .action(async (args, opts, thisCommand) => {
-            const self = thisCommand;
-            const parent = (self.parent ?? null);
-            // Access merged root CLI options (installed by passOptions())
-            const rootOpts = (parent?.getDotenvCliOptions ?? {});
-            const capture = process.env.GETDOTENV_STDIO === 'pipe' ||
-                Boolean(rootOpts?.capture);
-            const underTests = process.env.GETDOTENV_TEST === '1' ||
-                typeof process.env.VITEST_WORKER_ID === 'string';
-            // Build overlay cfg from subcommand flags layered over discovered config.
-            const ctx = cli.getCtx();
-            const cfgBase = (ctx?.pluginConfigs?.['aws'] ??
-                {});
-            const overlay = {};
-            // Map boolean toggles (respect explicit --no-*)
-            if (Object.prototype.hasOwnProperty.call(opts, 'loginOnDemand'))
-                overlay.loginOnDemand = Boolean(opts.loginOnDemand);
-            if (Object.prototype.hasOwnProperty.call(opts, 'setEnv'))
-                overlay.setEnv = Boolean(opts.setEnv);
-            if (Object.prototype.hasOwnProperty.call(opts, 'addCtx'))
-                overlay.addCtx = Boolean(opts.addCtx);
-            // Strings/enums
-            if (typeof opts.profile === 'string')
-                overlay.profile = opts.profile;
-            if (typeof opts.region === 'string')
-                overlay.region = opts.region;
-            if (typeof opts.defaultRegion === 'string')
-                overlay.defaultRegion = opts.defaultRegion;
-            if (typeof opts.strategy === 'string')
-                overlay.strategy =
-                    opts.strategy;
-            // Advanced key overrides
-            if (typeof opts.profileKey === 'string')
-                overlay.profileKey = opts.profileKey;
-            if (typeof opts.profileFallbackKey === 'string')
-                overlay.profileFallbackKey = opts.profileFallbackKey;
-            if (typeof opts.regionKey === 'string')
-                overlay.regionKey = opts.regionKey;
-            const cfg = {
-                ...cfgBase,
-                ...overlay,
-            };
-            // Resolve current context with overrides
-            const out = await resolveAwsContext({
-                dotenv: ctx?.dotenv ?? {},
-                cfg,
-            });
-            // Apply env/ctx mirrors per toggles
-            if (cfg.setEnv !== false) {
+const awsPlugin = () => {
+    const plugin = definePlugin({
+        id: 'aws',
+        // Host validates this slice when the loader path is active.
+        configSchema: AwsPluginConfigSchema,
+        setup(cli) {
+            // Subcommand: aws
+            cli
+                .ns('aws')
+                .description('Establish an AWS session and optionally forward to the AWS CLI')
+                .enablePositionalOptions()
+                .passThroughOptions()
+                .allowUnknownOption(true)
+                // Boolean toggles with dynamic help labels (effective defaults)
+                .addOption(plugin.createPluginDynamicOption(cli, '--login-on-demand', (_bag, cfg) => `attempt aws sso login on-demand${cfg.loginOnDemand ? ' (default)' : ''}`))
+                .addOption(plugin.createPluginDynamicOption(cli, '--no-login-on-demand', (_bag, cfg) => `disable sso login on-demand${cfg.loginOnDemand === false ? ' (default)' : ''}`))
+                // Strings / enums
+                .addOption(plugin.createPluginDynamicOption(cli, '--profile <string>', (_bag, cfg) => `AWS profile name${cfg.profile ? ` (default: ${JSON.stringify(cfg.profile)})` : ''}`))
+                .addOption(plugin.createPluginDynamicOption(cli, '--region <string>', (_bag, cfg) => `AWS region${cfg.region ? ` (default: ${JSON.stringify(cfg.region)})` : ''}`))
+                .addOption(plugin.createPluginDynamicOption(cli, '--default-region <string>', (_bag, cfg) => `fallback region${cfg.defaultRegion ? ` (default: ${JSON.stringify(cfg.defaultRegion)})` : ''}`))
+                .addOption(plugin.createPluginDynamicOption(cli, '--strategy <string>', (_bag, cfg) => `credential acquisition strategy: cli-export|none${cfg.strategy ? ` (default: ${JSON.stringify(cfg.strategy)})` : ''}`))
+                // Advanced key overrides
+                .addOption(plugin.createPluginDynamicOption(cli, '--profile-key <string>', (_bag, cfg) => `dotenv/config key for local profile${cfg.profileKey ? ` (default: ${JSON.stringify(cfg.profileKey)})` : ''}`))
+                .addOption(plugin.createPluginDynamicOption(cli, '--profile-fallback-key <string>', (_bag, cfg) => `fallback dotenv/config key for profile${cfg.profileFallbackKey ? ` (default: ${JSON.stringify(cfg.profileFallbackKey)})` : ''}`))
+                .addOption(plugin.createPluginDynamicOption(cli, '--region-key <string>', (_bag, cfg) => `dotenv/config key for region${cfg.regionKey ? ` (default: ${JSON.stringify(cfg.regionKey)})` : ''}`))
+                // Accept any extra operands so Commander does not error when tokens appear after "--".
+                .argument('[args...]')
+                .action(async (args, opts, thisCommand) => {
+                const pluginInst = plugin;
+                const cmdSelf = thisCommand;
+                const parent = (cmdSelf.parent ?? null);
+                // Access merged root CLI options (installed by passOptions())
+                const rootOpts = (parent?.getDotenvCliOptions ?? {});
+                const capture = process.env.GETDOTENV_STDIO === 'pipe' ||
+                    Boolean(rootOpts?.capture);
+                const underTests = process.env.GETDOTENV_TEST === '1' ||
+                    typeof process.env.VITEST_WORKER_ID === 'string';
+                // Build overlay cfg from subcommand flags layered over discovered config.
+                const ctx = cli.getCtx();
+                const cfgBase = pluginInst.readConfig(cli);
+                const o = opts;
+                const overlay = {};
+                // Map boolean toggles (respect explicit --no-*)
+                if (Object.prototype.hasOwnProperty.call(o, 'loginOnDemand'))
+                    overlay.loginOnDemand = Boolean(o.loginOnDemand);
+                // Strings/enums
+                if (typeof o.profile === 'string')
+                    overlay.profile = o.profile;
+                if (typeof o.region === 'string')
+                    overlay.region = o.region;
+                if (typeof o.defaultRegion === 'string')
+                    overlay.defaultRegion = o.defaultRegion;
+                if (typeof o.strategy === 'string')
+                    overlay.strategy = o.strategy;
+                // Advanced key overrides
+                if (typeof o.profileKey === 'string')
+                    overlay.profileKey = o.profileKey;
+                if (typeof o.profileFallbackKey === 'string')
+                    overlay.profileFallbackKey = o.profileFallbackKey;
+                if (typeof o.regionKey === 'string')
+                    overlay.regionKey = o.regionKey;
+                const cfg = {
+                    ...cfgBase,
+                    ...overlay,
+                };
+                // Resolve current context with overrides
+                const out = await resolveAwsContext({
+                    dotenv: ctx?.dotenv ?? {},
+                    cfg,
+                });
+                // Unconditional env writes (no per-plugin toggle)
                 if (out.region) {
                     process.env.AWS_REGION = out.region;
                     if (!process.env.AWS_DEFAULT_REGION)
@@ -578,58 +696,53 @@ const awsPlugin = () => definePlugin({
                         process.env.AWS_SESSION_TOKEN = out.credentials.sessionToken;
                     }
                 }
-            }
-            if (cfg.addCtx !== false) {
+                // Always publish minimal non-sensitive metadata
                 if (ctx) {
                     ctx.plugins ??= {};
                     ctx.plugins['aws'] = {
                         ...(out.profile ? { profile: out.profile } : {}),
                         ...(out.region ? { region: out.region } : {}),
-                        ...(out.credentials ? { credentials: out.credentials } : {}),
                     };
                 }
-            }
-            // Forward when positional args are present; otherwise session-only.
-            if (Array.isArray(args) && args.length > 0) {
-                const argv = ['aws', ...args];
-                const shellSetting = resolveShell(rootOpts?.scripts, 'aws', rootOpts?.shell);
-                const ctxDotenv = (ctx?.dotenv ?? {});
-                const exit = await runCommand(argv, shellSetting, {
-                    env: buildSpawnEnv(process.env, ctxDotenv),
-                    stdio: capture ? 'pipe' : 'inherit',
-                });
-                // Deterministic termination (suppressed under tests)
-                if (!underTests) {
-                    process.exit(typeof exit === 'number' ? exit : 0);
-                }
-                return;
-            }
-            else {
-                // Session only: low-noise breadcrumb under debug
-                if (process.env.GETDOTENV_DEBUG) {
-                    const log = console;
-                    log.log('[aws] session established', {
-                        profile: out.profile,
-                        region: out.region,
-                        hasCreds: Boolean(out.credentials),
+                // Forward when positional args are present; otherwise session-only.
+                if (Array.isArray(args) && args.length > 0) {
+                    const argv = ['aws', ...args];
+                    const shellSetting = resolveShell(rootOpts?.scripts, 'aws', rootOpts?.shell);
+                    const exit = await runCommand(argv, shellSetting, {
+                        env: buildSpawnEnv(process.env, ctx?.dotenv),
+                        stdio: capture ? 'pipe' : 'inherit',
                     });
+                    // Deterministic termination (suppressed under tests)
+                    if (!underTests) {
+                        process.exit(typeof exit === 'number' ? exit : 0);
+                    }
+                    return;
                 }
-                if (!underTests)
-                    process.exit(0);
-                return;
-            }
-        });
-    },
-    async afterResolve(_cli, ctx) {
-        const log = console;
-        const cfgRaw = (ctx.pluginConfigs?.['aws'] ?? {});
-        const cfg = (cfgRaw || {});
-        const out = await resolveAwsContext({
-            dotenv: ctx.dotenv,
-            cfg,
-        });
-        const { profile, region, credentials } = out;
-        if (cfg.setEnv !== false) {
+                else {
+                    // Session only: low-noise breadcrumb under debug
+                    if (process.env.GETDOTENV_DEBUG) {
+                        const log = console;
+                        log.log('[aws] session established', {
+                            profile: out.profile,
+                            region: out.region,
+                            hasCreds: Boolean(out.credentials),
+                        });
+                    }
+                    if (!underTests)
+                        process.exit(0);
+                    return;
+                }
+            });
+        },
+        async afterResolve(_cli, ctx) {
+            const log = console;
+            const cfg = plugin.readConfig(_cli);
+            const out = await resolveAwsContext({
+                dotenv: ctx.dotenv,
+                cfg,
+            });
+            const { profile, region, credentials } = out;
+            // Unconditional env writes in host path
             if (region) {
                 process.env.AWS_REGION = region;
                 if (!process.env.AWS_DEFAULT_REGION)
@@ -642,24 +755,23 @@ const awsPlugin = () => definePlugin({
                     process.env.AWS_SESSION_TOKEN = credentials.sessionToken;
                 }
             }
-        }
-        if (cfg.addCtx !== false) {
+            // Always publish minimal non-sensitive metadata
             ctx.plugins ??= {};
             ctx.plugins['aws'] = {
                 ...(profile ? { profile } : {}),
                 ...(region ? { region } : {}),
-                ...(credentials ? { credentials } : {}),
             };
-        }
-        // Optional: low-noise breadcrumb for diagnostics
-        if (process.env.GETDOTENV_DEBUG) {
-            log.log('[aws] afterResolve', {
-                profile,
-                region,
-                hasCreds: Boolean(credentials),
-            });
-        }
-    },
-});
+            // Optional: low-noise breadcrumb for diagnostics
+            if (process.env.GETDOTENV_DEBUG) {
+                log.log('[aws] afterResolve', {
+                    profile,
+                    region,
+                    hasCreds: Boolean(credentials),
+                });
+            }
+        },
+    });
+    return plugin;
+};
 
 export { awsPlugin };