@karmaniverous/get-dotenv 6.3.0 → 6.4.0

package/dist/chunks/{readMergedOptions-DLBDzpXX.mjs → readMergedOptions-B7VdLROn.mjs}

@@ -1,13 +1,13 @@
 import { z } from 'zod';
 import { Option, Command } from '@commander-js/extra-typings';
-import { d as dotenvExpand, b as dotenvExpandAll, l as loadAndApplyDynamic, a as applyDynamicMap, o as overlayEnv, c as dotenvExpandFromProcessEnv } from './overlayEnv-Bqh_kPGA.mjs';
-import 'node:path';
+import { g as dotenvExpand, r as readDotenvCascadeWithProvenance, o as overlayEnvWithProvenance, b as applyDynamicMapWithProvenance, l as loadDynamicModuleDefault, h as dotenvExpandFromProcessEnv } from './readDotenvCascade-DfFkWMjs.mjs';
 import fs from 'fs-extra';
-import { nanoid } from 'nanoid';
+import 'node:path';
+import 'nanoid';
 import path from 'path';
 import 'crypto';
 import { fileURLToPath } from 'url';
-import { parse } from 'dotenv';
+import 'dotenv';
 import { g as getDotenvOptionsSchemaResolved, r as resolveGetDotenvConfigSources } from './loader-CePOf74i.mjs';
 import { packageDirectory } from 'package-directory';
 
@@ -114,14 +114,6 @@ const interpolateDeep = (value, envRef) => {
  * @param obj - Object to filter.
  * @returns A shallow copy of `obj` without keys whose value is `undefined`.
  */
-function omitUndefined(obj) {
-    const out = {};
-    for (const [k, v] of Object.entries(obj)) {
-        if (v !== undefined)
-            out[k] = v;
-    }
-    return out;
-}
 /**
  * Specialized helper for env-like maps: drop undefined and return string-only.
  *
@@ -138,111 +130,6 @@ function omitUndefinedRecord(obj) {
     return out;
 }
 
-/** src/diagnostics/entropy.ts
- * Entropy diagnostics (presentation-only).
- * - Gated by min length and printable ASCII.
- * - Warn once per key per run when bits/char \>= threshold.
- * - Supports whitelist patterns to suppress known-noise keys.
- */
-const warned = new Set();
-const isPrintableAscii = (s) => /^[\x20-\x7E]+$/.test(s);
-const compile$1 = (patterns) => (patterns ?? []).map((p) => (typeof p === 'string' ? new RegExp(p, 'i') : p));
-const whitelisted = (key, regs) => regs.some((re) => re.test(key));
-const shannonBitsPerChar = (s) => {
-    const freq = new Map();
-    for (const ch of s)
-        freq.set(ch, (freq.get(ch) ?? 0) + 1);
-    const n = s.length;
-    let h = 0;
-    for (const c of freq.values()) {
-        const p = c / n;
-        h -= p * Math.log2(p);
-    }
-    return h;
-};
-/**
- * Maybe emit a one-line entropy warning for a key.
- * Caller supplies an `emit(line)` function; the helper ensures once-per-key.
- */
-const maybeWarnEntropy = (key, value, origin, opts, emit) => {
-    if (!opts || opts.warnEntropy === false)
-        return;
-    if (warned.has(key))
-        return;
-    const v = value ?? '';
-    const minLen = Math.max(0, opts.entropyMinLength ?? 16);
-    const threshold = opts.entropyThreshold ?? 3.8;
-    if (v.length < minLen)
-        return;
-    if (!isPrintableAscii(v))
-        return;
-    const wl = compile$1(opts.entropyWhitelist);
-    if (whitelisted(key, wl))
-        return;
-    const bpc = shannonBitsPerChar(v);
-    if (bpc >= threshold) {
-        warned.add(key);
-        emit(`[entropy] key=${key} score=${bpc.toFixed(2)} len=${String(v.length)} origin=${origin}`);
-    }
-};
-
-const DEFAULT_PATTERNS = [
-    '\\bsecret\\b',
-    '\\btoken\\b',
-    '\\bpass(word)?\\b',
-    '\\bapi[_-]?key\\b',
-    '\\bkey\\b',
-];
-const compile = (patterns) => (patterns && patterns.length > 0 ? patterns : DEFAULT_PATTERNS).map((p) => typeof p === 'string' ? new RegExp(p, 'i') : p);
-const shouldRedactKey = (key, regs) => regs.some((re) => re.test(key));
-const MASK = '[redacted]';
-/**
- * Redact a single displayed value according to key/patterns.
- * Returns the original value when redaction is disabled or key is not matched.
- */
-const redactDisplay = (key, value, opts) => {
-    if (!value)
-        return value;
-    if (!opts?.redact)
-        return value;
-    const regs = compile(opts.redactPatterns);
-    return shouldRedactKey(key, regs) ? MASK : value;
-};
-/**
- * Produce a shallow redacted copy of an env-like object for display.
- */
-const redactObject = (obj, opts) => {
-    if (!opts?.redact)
-        return { ...obj };
-    const regs = compile(opts.redactPatterns);
-    const out = {};
-    for (const [k, v] of Object.entries(obj)) {
-        out[k] = v && shouldRedactKey(k, regs) ? MASK : v;
-    }
-    return out;
-};
-/**
- * Utility to redact three related displayed values (parent/dotenv/final)
- * consistently for trace lines.
- */
-const redactTriple = (key, triple, opts) => {
-    if (!opts?.redact)
-        return triple;
-    const regs = compile(opts.redactPatterns);
-    const maskIf = (v) => (v && shouldRedactKey(key, regs) ? MASK : v);
-    const out = {};
-    const p = maskIf(triple.parent);
-    const d = maskIf(triple.dotenv);
-    const f = maskIf(triple.final);
-    if (p !== undefined)
-        out.parent = p;
-    if (d !== undefined)
-        out.dotenv = d;
-    if (f !== undefined)
-        out.final = f;
-    return out;
-};
-
 /**
  * Base root CLI defaults (shared; kept untyped here to avoid cross-layer deps).
  * Used as the bottom layer for CLI option resolution.
@@ -383,131 +270,6 @@ const resolveGetDotenvOptions = (customOptions) => {
     });
 };
 
-/**
- * Asynchronously read a dotenv file & parse it into an object.
- *
- * @param path - Path to dotenv file.
- * @returns The parsed dotenv object.
- */
-const readDotenv = async (path) => {
-    try {
-        return (await fs.exists(path)) ? parse(await fs.readFile(path)) : {};
-    }
-    catch {
-        return {};
-    }
-};
-
-async function getDotenv(options = {}) {
-    // Apply defaults.
-    const { defaultEnv, dotenvToken = '.env', dynamicPath, env, excludeDynamic = false, excludeEnv = false, excludeGlobal = false, excludePrivate = false, excludePublic = false, loadProcess = false, log = false, logger = console, outputPath, paths = [], privateToken = 'local', vars = {}, } = await resolveGetDotenvOptions(options);
-    // Read .env files.
-    const loaded = paths.length
-        ? await paths.reduce(async (e, p) => {
-            const publicGlobal = excludePublic || excludeGlobal
-                ? Promise.resolve({})
-                : readDotenv(path.resolve(p, dotenvToken));
-            const publicEnv = excludePublic || excludeEnv || (!env && !defaultEnv)
-                ? Promise.resolve({})
-                : readDotenv(path.resolve(p, `${dotenvToken}.${env ?? defaultEnv ?? ''}`));
-            const privateGlobal = excludePrivate || excludeGlobal
-                ? Promise.resolve({})
-                : readDotenv(path.resolve(p, `${dotenvToken}.${privateToken}`));
-            const privateEnv = excludePrivate || excludeEnv || (!env && !defaultEnv)
-                ? Promise.resolve({})
-                : readDotenv(path.resolve(p, `${dotenvToken}.${env ?? defaultEnv ?? ''}.${privateToken}`));
-            const [eResolved, publicGlobalResolved, publicEnvResolved, privateGlobalResolved, privateEnvResolved,] = await Promise.all([
-                e,
-                publicGlobal,
-                publicEnv,
-                privateGlobal,
-                privateEnv,
-            ]);
-            return {
-                ...eResolved,
-                ...publicGlobalResolved,
-                ...publicEnvResolved,
-                ...privateGlobalResolved,
-                ...privateEnvResolved,
-            };
-        }, Promise.resolve({}))
-        : {};
-    const outputKey = nanoid();
-    const dotenv = dotenvExpandAll({
-        ...loaded,
-        ...vars,
-        ...(outputPath ? { [outputKey]: outputPath } : {}),
-    }, { progressive: true });
-    // Process dynamic variables. Programmatic option takes precedence over path.
-    if (!excludeDynamic) {
-        let dynamic = undefined;
-        if (options.dynamic && Object.keys(options.dynamic).length > 0) {
-            dynamic = options.dynamic;
-        }
-        else if (dynamicPath) {
-            const absDynamicPath = path.resolve(dynamicPath);
-            await loadAndApplyDynamic(dotenv, absDynamicPath, env ?? defaultEnv, 'getdotenv-dynamic');
-        }
-        if (dynamic) {
-            try {
-                applyDynamicMap(dotenv, dynamic, env ?? defaultEnv);
-            }
-            catch {
-                throw new Error(`Unable to evaluate dynamic variables.`);
-            }
-        }
-    }
-    // Write output file.
-    let resultDotenv = dotenv;
-    if (outputPath) {
-        const outputPathResolved = dotenv[outputKey];
-        if (!outputPathResolved)
-            throw new Error('Output path not found.');
-        const { [outputKey]: _omitted, ...dotenvForOutput } = dotenv;
-        await writeDotenvFile(outputPathResolved, dotenvForOutput);
-        resultDotenv = dotenvForOutput;
-    }
-    // Log result.
-    if (log) {
-        const redactFlag = options.redact ?? false;
-        const redactPatterns = options.redactPatterns ?? undefined;
-        const redOpts = {};
-        if (redactFlag)
-            redOpts.redact = true;
-        if (redactFlag && Array.isArray(redactPatterns))
-            redOpts.redactPatterns = redactPatterns;
-        const bag = redactFlag
-            ? redactObject(resultDotenv, redOpts)
-            : { ...resultDotenv };
-        logger.log(bag);
-        // Entropy warnings: once-per-key-per-run (presentation only)
-        const warnEntropyVal = options.warnEntropy ?? true;
-        const entropyThresholdVal = options
-            .entropyThreshold;
-        const entropyMinLengthVal = options
-            .entropyMinLength;
-        const entropyWhitelistVal = options.entropyWhitelist;
-        const entOpts = {};
-        if (typeof warnEntropyVal === 'boolean')
-            entOpts.warnEntropy = warnEntropyVal;
-        if (typeof entropyThresholdVal === 'number')
-            entOpts.entropyThreshold = entropyThresholdVal;
-        if (typeof entropyMinLengthVal === 'number')
-            entOpts.entropyMinLength = entropyMinLengthVal;
-        if (Array.isArray(entropyWhitelistVal))
-            entOpts.entropyWhitelist = entropyWhitelistVal;
-        for (const [k, v] of Object.entries(resultDotenv)) {
-            maybeWarnEntropy(k, v, v !== undefined ? 'dotenv' : 'unset', entOpts, (line) => {
-                logger.log(line);
-            });
-        }
-    }
-    // Load process.env.
-    if (loadProcess)
-        Object.assign(process.env, resultDotenv);
-    return resultDotenv;
-}
-
 /**
  * Compute the realized path for a command mount (leaf-up to root).
  * Excludes the root application alias.
@@ -568,37 +330,63 @@ const computeContext = async (customOptions, plugins, hostMetaUrl) => {
     // Zod boundary: parse returns the schema-derived shape; we adopt our public
     // GetDotenvOptions overlay (logger/dynamic typing) for internal processing.
     const validated = getDotenvOptionsSchemaResolved.parse(optionsResolved);
-    // Build a pure base without side effects or logging (no dynamics, no programmatic vars).
-    const cleanedValidated = omitUndefined(validated);
-    const base = await getDotenv({
-        ...cleanedValidated,
-        excludeDynamic: true,
-        vars: {},
-        log: false,
-        loadProcess: false,
-    });
-    // Discover config sources and overlay with progressive expansion per slice.
+    // Discover config sources.
     const sources = await resolveGetDotenvConfigSources(hostMetaUrl);
-    const dotenvOverlaid = overlayEnv({
-        base,
-        env: validated.env ?? validated.defaultEnv,
+    // Base dotenv from files (with file provenance; no dynamics; no programmatic vars; no side effects).
+    const envName = validated.env ?? validated.defaultEnv;
+    const fileRes = await readDotenvCascadeWithProvenance({
+        paths: Array.isArray(validated.paths) ? validated.paths : [],
+        ...(typeof validated.dotenvToken === 'string'
+            ? { dotenvToken: validated.dotenvToken }
+            : {}),
+        ...(typeof validated.privateToken === 'string'
+            ? { privateToken: validated.privateToken }
+            : {}),
+        ...(typeof validated.env === 'string' ? { env: validated.env } : {}),
+        ...(typeof validated.defaultEnv === 'string'
+            ? { defaultEnv: validated.defaultEnv }
+            : {}),
+        ...(validated.excludeEnv === true ? { excludeEnv: true } : {}),
+        ...(validated.excludeGlobal === true ? { excludeGlobal: true } : {}),
+        ...(validated.excludePrivate === true ? { excludePrivate: true } : {}),
+        ...(validated.excludePublic === true ? { excludePublic: true } : {}),
+    });
+    // Overlay configs + vars with provenance.
+    const overlaid = overlayEnvWithProvenance({
+        base: fileRes.dotenv,
+        env: envName,
         configs: sources,
-        ...(validated.vars ? { programmaticVars: validated.vars } : {}),
+        programmaticVars: validated.vars ?? {},
+        provenance: fileRes.provenance,
     });
-    const dotenv = { ...dotenvOverlaid };
-    // Programmatic dynamic variables (when provided)
-    applyDynamicMap(dotenv, validated.dynamic, validated.env ?? validated.defaultEnv);
-    // Packaged/project dynamics
-    const packagedDyn = (sources.packaged?.dynamic ?? undefined);
-    const publicDyn = (sources.project?.public?.dynamic ?? undefined);
-    const localDyn = (sources.project?.local?.dynamic ?? undefined);
-    applyDynamicMap(dotenv, packagedDyn, validated.env ?? validated.defaultEnv);
-    applyDynamicMap(dotenv, publicDyn, validated.env ?? validated.defaultEnv);
-    applyDynamicMap(dotenv, localDyn, validated.env ?? validated.defaultEnv);
-    // file dynamicPath (lowest)
-    if (validated.dynamicPath) {
-        const absDynamicPath = path.resolve(validated.dynamicPath);
-        await loadAndApplyDynamic(dotenv, absDynamicPath, validated.env ?? validated.defaultEnv, 'getdotenv-dynamic-host');
+    const dotenv = { ...overlaid.env };
+    const dotenvProvenance = overlaid.provenance;
+    // Dynamic precedence (A2): config dynamic < programmatic dynamic < dynamicPath
+    if (!validated.excludeDynamic) {
+        // Config dynamics (JS/TS configs only), ordered by source precedence.
+        const packagedDyn = (sources.packaged?.dynamic ?? undefined);
+        const publicDyn = (sources.project?.public?.dynamic ?? undefined);
+        const localDyn = (sources.project?.local?.dynamic ?? undefined);
+        applyDynamicMapWithProvenance(dotenv, packagedDyn, envName, dotenvProvenance, {
+            dynamicSource: 'config',
+        });
+        applyDynamicMapWithProvenance(dotenv, publicDyn, envName, dotenvProvenance, {
+            dynamicSource: 'config',
+        });
+        applyDynamicMapWithProvenance(dotenv, localDyn, envName, dotenvProvenance, {
+            dynamicSource: 'config',
+        });
+        // Programmatic dynamic (overrides config dynamic)
+        applyDynamicMapWithProvenance(dotenv, validated.dynamic, envName, dotenvProvenance, { dynamicSource: 'programmatic' });
+        // dynamicPath (highest dynamic tier; always evaluated when present)
+        if (validated.dynamicPath) {
+            const absDynamicPath = path.resolve(validated.dynamicPath);
+            const dyn = await loadDynamicModuleDefault(absDynamicPath, 'getdotenv-dynamic-host');
+            applyDynamicMapWithProvenance(dotenv, dyn, envName, dotenvProvenance, {
+                dynamicSource: 'dynamicPath',
+                dynamicPath: validated.dynamicPath,
+            });
+        }
     }
     // Effects:
     if (validated.outputPath) {
@@ -658,6 +446,7 @@ const computeContext = async (customOptions, plugins, hostMetaUrl) => {
     return {
         optionsResolved: validated,
         dotenv,
+        dotenvProvenance,
         plugins: {},
         pluginConfigs: mergedPluginConfigsByPath,
     };
@@ -1624,4 +1413,4 @@ const readMergedOptions = (cmd) => {
     return bag;
 };
 
-export { GetDotenvCli as G, defaultsDeep as a, baseRootOptionDefaults as b, attachRootOptions as c, definePlugin as d, defineDynamic as e, defineGetDotenvConfig as f, getDotenvCliOptions2Options as g, getDotenv as h, redactDisplay as i, redactObject as j, interpolateDeep as k, redactTriple as l, maybeWarnEntropy as m, readMergedOptions as r };
+export { GetDotenvCli as G, defaultsDeep as a, baseRootOptionDefaults as b, attachRootOptions as c, definePlugin as d, resolveGetDotenvOptions as e, defineDynamic as f, getDotenvCliOptions2Options as g, defineGetDotenvConfig as h, interpolateDeep as i, readMergedOptions as r, writeDotenvFile as w };

package/dist/chunks/{resolveCliOptions-_qtsVxda.mjs → resolveCliOptions-pgUXHJtj.mjs}

@@ -1,4 +1,4 @@
-import { b as baseRootOptionDefaults, a as defaultsDeep } from './readMergedOptions-DLBDzpXX.mjs';
+import { b as baseRootOptionDefaults, a as defaultsDeep } from './readMergedOptions-B7VdLROn.mjs';
 import 'fs-extra';
 import 'node:path';
 import 'crypto';

package/dist/chunks/{sdk-stream-mixin-DCdC70Up.mjs → sdk-stream-mixin-ecbbBR0l.mjs}

@@ -1,4 +1,4 @@
-import { m as fromBase64, n as toBase64, o as toHex, t as toUtf8, q as fromArrayBuffer, r as streamCollector$1 } from './index-BNcKuiBy.mjs';
+import { m as fromBase64, n as toBase64, o as toHex, t as toUtf8, q as fromArrayBuffer, r as streamCollector$1 } from './index-70Dm0f1N.mjs';
 import { Readable } from 'stream';
 
 const isReadableStream = (stream) => typeof ReadableStream === "function" &&

package/dist/chunks/{types-DdqcXCV1.mjs → types-CVDR-Sjk.mjs}

@@ -1,4 +1,4 @@
-import { d as definePlugin } from './readMergedOptions-DLBDzpXX.mjs';
+import { d as definePlugin } from './readMergedOptions-B7VdLROn.mjs';
 
 /**
  * Create a namespace-only parent plugin (a group command) for composing plugins