@lunora/cli 1.0.0-alpha.21 → 1.0.0-alpha.23

package/dist/packem_chunks/handler9.mjs

@@ -1,16 +1,315 @@
+import { writeFileSync, existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { DEV_VARS_FILE, DEV_VARS_KEY_PATTERN, generateSecretValue, DEV_VARS_EXAMPLE_FILE, parseDevVariableEntries, isPlaceholderValue, packageNamesFromBindings, inferLunoraBindings, requiredSecrets, isMintableSecretKey } from '@lunora/config';
 import { d as defineHandler } from '../packem_shared/command-BC30oSBW.mjs';
-import { a as resolveProductionWorkerUrl } from '../packem_shared/resolve-target-qbsJ_5sF.mjs';
-import { runExportCommand } from '../packem_shared/DEFAULT_IMPORT_BATCH_SIZE-Ck-2bU08.mjs';
+import { defaultSpawner } from '../packem_shared/createRecordingSpawner-DxI3mebw.mjs';
+import { l as listRemoteSecrets } from '../packem_shared/wrangler-secrets-P2_ZUR-k.mjs';
 
-const execute = defineHandler(
-  ({ argument, cwd, logger, options }) => runExportCommand({
+const NEWLINE_PRESENT = /[\r\n]/u;
+const UNREPRESENTABLE_PRESENT = /["\\]/u;
+const parseDevVariables = (content) => {
+  const map = /* @__PURE__ */ new Map();
+  for (const entry of parseDevVariableEntries(content)) {
+    map.set(entry.key, entry);
+  }
+  return map;
+};
+const serializeDevVariables = (map) => {
+  const lines = [];
+  for (const entry of map.values()) {
+    lines.push(`${entry.key}="${entry.value}"`);
+  }
+  return `${lines.join("\n")}
+`;
+};
+const redact = (value) => {
+  if (value.length <= 4) {
+    return "****";
+  }
+  return `${value.slice(0, 4)}${"*".repeat(Math.min(8, value.length - 4))}`;
+};
+const loadDevVariables = (devVariablesPath) => {
+  if (!existsSync(devVariablesPath)) {
+    return /* @__PURE__ */ new Map();
+  }
+  return parseDevVariables(readFileSync(devVariablesPath, "utf8"));
+};
+const runEnvList = (context) => {
+  const map = loadDevVariables(context.devVariablesPath);
+  if (map.size === 0) {
+    context.logger.info(`${DEV_VARS_FILE}: (empty)`);
+    return { code: 0, descriptors: [] };
+  }
+  for (const entry of map.values()) {
+    context.logger.info(`${entry.key}=${redact(entry.value)}`);
+  }
+  return { code: 0, descriptors: [] };
+};
+const runEnvGet = (context) => {
+  const { devVariablesPath, logger, options } = context;
+  if (!options.key) {
+    logger.error("env get requires a key. Usage: lunora env get <KEY>");
+    return { code: 1, descriptors: [] };
+  }
+  const entry = loadDevVariables(devVariablesPath).get(options.key);
+  if (!entry) {
+    logger.error(`env: ${options.key} is not set in ${DEV_VARS_FILE}`);
+    return { code: 1, descriptors: [] };
+  }
+  process.stdout.write(`${entry.value}
+`);
+  return { code: 0, descriptors: [] };
+};
+const runEnvSet = (context) => {
+  const { devVariablesPath, logger, options } = context;
+  if (!options.key) {
+    logger.error("env set requires a key. Usage: lunora env set <KEY> <VALUE>");
+    return { code: 1, descriptors: [] };
+  }
+  if (!DEV_VARS_KEY_PATTERN.test(options.key)) {
+    logger.error(`env: invalid key "${options.key}" — must match [A-Za-z_][A-Za-z0-9_]*`);
+    return { code: 1, descriptors: [] };
+  }
+  if (options.value === void 0) {
+    logger.error("env set requires a value. Usage: lunora env set <KEY> <VALUE>");
+    return { code: 1, descriptors: [] };
+  }
+  if (NEWLINE_PRESENT.test(options.value)) {
+    logger.error(`env: value for "${options.key}" contains a newline, which .dev.vars cannot represent`);
+    return { code: 1, descriptors: [] };
+  }
+  if (UNREPRESENTABLE_PRESENT.test(options.value)) {
+    logger.error(`env: value for "${options.key}" contains a double-quote or backslash, which .dev.vars cannot round-trip`);
+    return { code: 1, descriptors: [] };
+  }
+  const map = loadDevVariables(devVariablesPath);
+  map.set(options.key, { key: options.key, value: options.value });
+  writeFileSync(devVariablesPath, serializeDevVariables(map), "utf8");
+  logger.success(`env: set ${options.key} (${redact(options.value)}) in ${DEV_VARS_FILE}`);
+  return { code: 0, descriptors: [] };
+};
+const runEnvUnset = (context) => {
+  const { devVariablesPath, logger, options } = context;
+  if (!options.key) {
+    logger.error("env unset requires a key. Usage: lunora env unset <KEY>");
+    return { code: 1, descriptors: [] };
+  }
+  const map = loadDevVariables(devVariablesPath);
+  if (!map.delete(options.key)) {
+    logger.warn(`env: ${options.key} was not set in ${DEV_VARS_FILE}`);
+    return { code: 0, descriptors: [] };
+  }
+  writeFileSync(devVariablesPath, serializeDevVariables(map), "utf8");
+  logger.success(`env: unset ${options.key} in ${DEV_VARS_FILE}`);
+  return { code: 0, descriptors: [] };
+};
+const runEnvPush = async (context) => {
+  const { devVariablesPath, logger, options } = context;
+  if (!options.yes) {
+    logger.error("env push uploads secrets to Cloudflare. Re-run with --yes to confirm.");
+    return { code: 1, descriptors: [] };
+  }
+  const map = loadDevVariables(devVariablesPath);
+  if (map.size === 0) {
+    logger.warn(`${DEV_VARS_FILE}: nothing to push (empty)`);
+    return { code: 0, descriptors: [] };
+  }
+  const spawner = options.spawner ?? defaultSpawner;
+  const descriptors = [];
+  for (const entry of map.values()) {
+    const args = ["exec", "wrangler", "secret", "put", entry.key];
+    if (options.prod) {
+      args.push("--env", "production");
+    }
+    if (options.temporary) {
+      args.push("--temporary");
+    }
+    const descriptor = {
+      args,
+      command: "pnpm",
+      cwd: options.cwd ?? process.cwd(),
+      // `wrangler secret put <name>` reads the value from stdin. We
+      // pipe it through the spawner's `input` channel so the secret
+      // never lands on the command line, in env, or in shell history.
+      input: entry.value
+    };
+    descriptors.push(descriptor);
+    logger.info(`pushing ${entry.key} -> wrangler secret${options.prod ? " (production)" : ""}`);
+    const result = await spawner(descriptor);
+    if (result.code !== 0) {
+      logger.error(`env push: failed at ${entry.key} (exit ${String(result.code)})`);
+      return { code: result.code, descriptors };
+    }
+  }
+  logger.success(`env: pushed ${String(map.size)} secret(s)`);
+  return { code: 0, descriptors };
+};
+const fetchRemoteSecretNames = (context) => {
+  const lister = context.options.secretLister ?? listRemoteSecrets;
+  return lister({
+    cwd: context.cwd,
+    env: context.options.prod ? "production" : void 0,
+    temporary: context.options.temporary
+  });
+};
+const runEnvDiff = async (context) => {
+  const { devVariablesPath, logger } = context;
+  const remote = await fetchRemoteSecretNames(context);
+  if (!remote.ok) {
+    logger.error(`env diff: ${remote.error ?? "failed to list remote secrets"}`);
+    return { code: 1, descriptors: [] };
+  }
+  const localKeys = new Set(loadDevVariables(devVariablesPath).keys());
+  const remoteKeys = new Set(remote.names);
+  const localOnly = [...localKeys].filter((key) => !remoteKeys.has(key)).toSorted((a, b) => a.localeCompare(b));
+  const remoteOnly = remote.names.filter((name) => !localKeys.has(name));
+  const both = [...localKeys].filter((key) => remoteKeys.has(key)).toSorted((a, b) => a.localeCompare(b));
+  for (const key of localOnly) {
+    logger.info(`local only (run \`lunora env push\`): ${key}`);
+  }
+  for (const key of remoteOnly) {
+    logger.info(`remote only (in Cloudflare, not ${DEV_VARS_FILE}): ${key}`);
+  }
+  logger.info(`in both: ${String(both.length)} secret(s)`);
+  if (localOnly.length === 0 && remoteOnly.length === 0) {
+    logger.success("env diff: local and remote secret names match");
+  }
+  return { code: 0, descriptors: [] };
+};
+const runEnvDoctor = (context) => {
+  const { cwd, devVariablesPath, logger } = context;
+  const examplePath = join(cwd, DEV_VARS_EXAMPLE_FILE);
+  if (!existsSync(examplePath)) {
+    logger.info(`env doctor: no ${DEV_VARS_EXAMPLE_FILE} to check against — nothing to validate.`);
+    return { code: 0, descriptors: [] };
+  }
+  const exampleKeys = parseDevVariableEntries(readFileSync(examplePath, "utf8")).map((entry) => entry.key);
+  const current = loadDevVariables(devVariablesPath);
+  if (!existsSync(devVariablesPath)) {
+    logger.error(`env doctor: ${DEV_VARS_FILE} is missing. Run \`lunora dev\` to scaffold it, or \`lunora env set <KEY> <VALUE>\`.`);
+    logger.info(`expected (from ${DEV_VARS_EXAMPLE_FILE}): ${exampleKeys.join(", ")}`);
+    return { code: 1, descriptors: [] };
+  }
+  const missing = exampleKeys.filter((key) => !current.has(key));
+  const placeholders = [...current.values()].filter((entry) => isPlaceholderValue(entry.value)).map((entry) => entry.key);
+  const exampleKeySet = new Set(exampleKeys);
+  const extra = [...current.keys()].filter((key) => !exampleKeySet.has(key));
+  for (const key of missing) {
+    logger.error(`missing: ${key} is in ${DEV_VARS_EXAMPLE_FILE} but not ${DEV_VARS_FILE}`);
+  }
+  for (const key of placeholders) {
+    logger.error(`unset: ${key} still has a placeholder value`);
+  }
+  for (const key of extra) {
+    logger.info(`extra: ${key} is set locally but not listed in ${DEV_VARS_EXAMPLE_FILE}`);
+  }
+  if (missing.length === 0 && placeholders.length === 0) {
+    logger.success(`env doctor: ${DEV_VARS_FILE} looks good (${String(current.size)} var(s)).`);
+    return { code: 0, descriptors: [] };
+  }
+  return { code: 1, descriptors: [] };
+};
+const resolveMintableKeys = async (context) => {
+  let packages = [];
+  try {
+    packages = packageNamesFromBindings(await inferLunoraBindings({ projectRoot: context.cwd }));
+  } catch {
+  }
+  const fromPackages = requiredSecrets(packages).map((entry) => entry.key).filter((key) => isMintableSecretKey(key));
+  const fromLocal = [...loadDevVariables(context.devVariablesPath).keys()].filter((key) => isMintableSecretKey(key));
+  return [.../* @__PURE__ */ new Set([...fromPackages, ...fromLocal])];
+};
+const runEnvGenerate = async (context) => {
+  const { devVariablesPath, logger, options } = context;
+  let keys;
+  if (options.key === void 0) {
+    keys = await resolveMintableKeys(context);
+    if (keys.length === 0) {
+      logger.info("env generate: no locally-generatable secrets for this project. Name one explicitly: lunora env generate <KEY>");
+      return { code: 0, descriptors: [] };
+    }
+  } else {
+    if (!DEV_VARS_KEY_PATTERN.test(options.key)) {
+      logger.error(`env: invalid key "${options.key}" — must match [A-Za-z_][A-Za-z0-9_]*`);
+      return { code: 1, descriptors: [] };
+    }
+    keys = [options.key];
+  }
+  const generated = keys.map((key) => {
+    return { key, value: generateSecretValue() };
+  });
+  if (options.set === true) {
+    const map = loadDevVariables(devVariablesPath);
+    for (const entry of generated) {
+      map.set(entry.key, entry);
+    }
+    writeFileSync(devVariablesPath, serializeDevVariables(map), "utf8");
+    logger.success(`env: generated ${String(generated.length)} secret(s) into ${DEV_VARS_FILE}: ${generated.map((entry) => entry.key).join(", ")}`);
+    return { code: 0, descriptors: [] };
+  }
+  for (const entry of generated) {
+    process.stdout.write(`${entry.key}=${entry.value}
+`);
+  }
+  return { code: 0, descriptors: [] };
+};
+const runEnvCommand = async (options) => {
+  const cwd = options.cwd ?? process.cwd();
+  const context = {
+    cwd,
+    devVariablesPath: join(cwd, DEV_VARS_FILE),
+    logger: options.logger,
+    options
+  };
+  switch (options.subcommand) {
+    case "diff": {
+      return runEnvDiff(context);
+    }
+    case "doctor": {
+      return runEnvDoctor(context);
+    }
+    case "generate": {
+      return runEnvGenerate(context);
+    }
+    case "get": {
+      return runEnvGet(context);
+    }
+    case "list": {
+      return runEnvList(context);
+    }
+    case "push": {
+      return runEnvPush(context);
+    }
+    case "set": {
+      return runEnvSet(context);
+    }
+    case "unset": {
+      return runEnvUnset(context);
+    }
+    default: {
+      options.logger.error(`env: unknown subcommand "${options.subcommand}"`);
+      return { code: 1, descriptors: [] };
+    }
+  }
+};
+const isEnvSubcommand = (value) => value === "list" || value === "get" || value === "set" || value === "unset" || value === "push" || value === "diff" || value === "doctor" || value === "generate";
+const execute = defineHandler(({ argument, cwd, logger, options }) => {
+  const sub = argument[0];
+  if (!isEnvSubcommand(sub)) {
+    logger.error(`env: unknown subcommand "${sub ?? ""}" — expected list | get | set | unset | push | diff | doctor | generate`);
+    return { code: 1 };
+  }
+  return runEnvCommand({
+    cwd,
+    key: argument[1],
     logger,
-    out: argument[0] ?? options.out,
     prod: options.prod === true,
-    tables: options.tables,
-    token: options.token,
-    url: resolveProductionWorkerUrl({ cwd, prod: options.prod === true, url: options.url })
-  })
-);
+    set: options.set === true,
+    subcommand: sub,
+    temporary: options.temporary === true,
+    value: argument[2],
+    yes: options.yes === true
+  });
+});
 
-export { execute };
+export { execute, runEnvCommand };

package/dist/packem_chunks/planDevCommand.mjs

@@ -1,5 +1,5 @@
 import { spawn } from 'node:child_process';
-import { detectAgentRules, resolveRemoteEnabled, readProjectRemotePreference, inferLunoraBindings, packageNamesFromBindings, ensureDevVarsExample, ensureDevVariables, isInteractive, DEV_VARS_FILE, DEV_VARS_EXAMPLE_FILE, claimAgentRulesHint, AGENT_RULES_HINT, materializeRemoteWranglerConfig, formatLunoraEvent } from '@lunora/config';
+import { detectAgentRules, resolveRemoteEnabled, readProjectRemotePreference, inferLunoraBindings, packageNamesFromBindings, ensureDevVarsExample, ensureDevVariables, isInteractive, DEV_VARS_FILE, DEV_VARS_EXAMPLE_FILE, fillDevSecrets, claimAgentRulesHint, AGENT_RULES_HINT, materializeRemoteWranglerConfig, formatLunoraEvent } from '@lunora/config';
 import { p as parseApiSpec } from '../packem_shared/api-spec-CtA6ilu4.mjs';
 import { existsSync, watch } from 'node:fs';
 import { join } from 'node:path';
@@ -409,6 +409,15 @@ const offerDevVariablesScaffold = async (options, cwd) => {
       `hint: ${DEV_VARS_FILE} was not scaffolded (non-interactive run). Copy ${DEV_VARS_EXAMPLE_FILE} → ${DEV_VARS_FILE} and fill in secrets, or run \`lunora dev\` in an interactive terminal to scaffold automatically.`
     );
   }
+  try {
+    (options.fillSecrets ?? fillDevSecrets)({
+      cwd,
+      info: (message) => {
+        options.logger.info(message);
+      }
+    });
+  } catch {
+  }
 };
 const runDevCommand = async (options) => {
   const plan = planDevCommand(options);

package/dist/packem_chunks/runDeployCommand.mjs

@@ -1,6 +1,6 @@
 import { existsSync, readFileSync } from 'node:fs';
 import { runCodegen, discoverMigrations } from '@lunora/codegen';
-import { readLinkedProject, writeLinkedProject, validateWranglerProject, inferLunoraBindings, reconcileWranglerBindings, DEV_VARS_FILE, parseDevVariableEntries, findWranglerFile, readWranglerJsonc, discoverContainerInfo } from '@lunora/config';
+import { readLinkedProject, writeLinkedProject, validateWranglerProject, inferLunoraBindings, reconcileWranglerBindings, DEV_VARS_FILE, parseDevVariableEntries, isMintableSecretKey, findWranglerFile, readWranglerJsonc, discoverContainerInfo, packageNamesFromBindings, requiredSecrets, generateSecretValue } from '@lunora/config';
 import { join } from '@visulima/path';
 import { Spinner } from '@visulima/spinner';
 import { Project } from 'ts-morph';
@@ -13,6 +13,8 @@ import { containerBuildTag } from '@lunora/container';
 import { defaultSpawner } from '../packem_shared/createRecordingSpawner-DxI3mebw.mjs';
 import { r as resolveWorkerUrl } from '../packem_shared/resolve-target-qbsJ_5sF.mjs';
 import { r as runSchemaDriftGate } from '../packem_shared/schema-drift-gate-BtBt0as0.mjs';
+import { c as createTuiConfirm } from '../packem_shared/tui-prompts-M6OWsuyw.mjs';
+import { l as listRemoteSecrets } from '../packem_shared/wrangler-secrets-P2_ZUR-k.mjs';
 import { runMigrateDataCommand } from './runMigrateGenerateCommand.mjs';
 
 const WORKERS_DEV_URL = /https?:\/\/[^\s"'<>]+\.workers\.dev[^\s"'<>]*/u;
@@ -210,6 +212,88 @@ const warnDevVariablesNotPushed = (cwd, logger) => {
     `Note: \`lunora deploy\` does not push secrets. ${DEV_VARS_FILE} has ${String(keyCount)} key(s); if you changed them, run \`lunora env push --yes\` to update the deployed secrets.`
   );
 };
+const SECRET_LIKE_KEY = /(?:KEY|PASSWORD|SECRET|TOKEN)$/u;
+const resolveRequiredSecretKeys = async (cwd) => {
+  let packages = [];
+  try {
+    packages = packageNamesFromBindings(await inferLunoraBindings({ projectRoot: cwd }));
+  } catch {
+  }
+  const fromPackages = requiredSecrets(packages).map((entry) => entry.key);
+  let fromLocal = [];
+  try {
+    const devVariablesPath = join(cwd, DEV_VARS_FILE);
+    if (existsSync(devVariablesPath)) {
+      fromLocal = parseDevVariableEntries(readFileSync(devVariablesPath, "utf8")).map((entry) => entry.key).filter((key) => SECRET_LIKE_KEY.test(key));
+    }
+  } catch {
+  }
+  return [.../* @__PURE__ */ new Set([...fromPackages, ...fromLocal])];
+};
+const pushMintableSecrets = async (cwd, options, keys) => {
+  const { logger } = options;
+  const spawner = options.spawner ?? defaultSpawner;
+  const environmentFlag = options.env === void 0 ? "" : ` --env ${options.env}`;
+  for (const key of keys) {
+    const args = ["exec", "wrangler", "secret", "put", key];
+    if (options.env !== void 0) {
+      args.push("--env", options.env);
+    }
+    if (options.temporary === true) {
+      args.push("--temporary");
+    }
+    const pushResult = await spawner({ args, command: "pnpm", cwd, input: generateSecretValue() });
+    if (pushResult.code !== 0) {
+      logger.error(
+        `failed to push secret ${key} (exit ${String(pushResult.code)}); set it manually with \`wrangler secret put ${key}${environmentFlag}\`.`
+      );
+      return false;
+    }
+    logger.success(`generated + pushed ${key}`);
+  }
+  return true;
+};
+const offerMissingSecrets = async (cwd, options, interactive) => {
+  if (options.dryRun === true || options.preview === true) {
+    return void 0;
+  }
+  const { logger } = options;
+  const environmentFlag = options.env === void 0 ? "" : ` --env ${options.env}`;
+  let remote;
+  try {
+    remote = await (options.secretLister ?? listRemoteSecrets)({ cwd, env: options.env, temporary: options.temporary });
+  } catch {
+    return void 0;
+  }
+  if (!remote.ok) {
+    return void 0;
+  }
+  const remoteNames = new Set(remote.names);
+  const required = await resolveRequiredSecretKeys(cwd);
+  const missing = required.filter((key) => !remoteNames.has(key));
+  if (missing.length === 0) {
+    return void 0;
+  }
+  if (!interactive) {
+    return `missing required secret(s) on the deploy target: ${missing.join(", ")}. Set them with \`wrangler secret put <KEY>${environmentFlag}\` (or \`lunora env generate --set\` then \`lunora env push --yes${options.env === void 0 ? "" : " --prod"}\`), then re-deploy.`;
+  }
+  for (const key of missing.filter((name) => !isMintableSecretKey(name))) {
+    logger.warn(`required secret ${key} is not set on the target — set it with: wrangler secret put ${key}${environmentFlag}`);
+  }
+  const mintable = missing.filter((key) => isMintableSecretKey(key));
+  if (mintable.length === 0) {
+    return void 0;
+  }
+  const confirm = options.secretConfirm ?? createTuiConfirm();
+  if (await confirm(`${String(mintable.length)} required secret(s) not set on the target (${mintable.join(", ")}). Generate strong values and push them now?`)) {
+    await pushMintableSecrets(cwd, options, mintable);
+    return void 0;
+  }
+  logger.warn(
+    `${String(mintable.length)} required secret(s) not set on the target: ${mintable.join(", ")}. Generate + push with \`lunora env generate --set\` then \`lunora env push --yes${options.env === void 0 ? "" : " --prod"}\`.`
+  );
+  return void 0;
+};
 const runPostDeployMigrations = async (options, cwd) => {
   const project = new Project({ skipAddingFilesFromTsConfig: true });
   const lunoraDirectory = join(cwd, "lunora");
@@ -375,6 +459,16 @@ const buildWranglerDeployArgs = (cwd, options) => {
   }
   return args;
 };
+const reportWranglerProblems = (validation, logger) => {
+  if (validation.problems.length === 0) {
+    return false;
+  }
+  logger.error("wrangler.jsonc validation failed:");
+  for (const problem of validation.problems) {
+    logger.error(`  - ${problem}`);
+  }
+  return true;
+};
 const executeDeploy = async (options) => {
   const cwd = options.cwd ?? process.cwd();
   const interactive = isInteractive(options);
@@ -420,19 +514,15 @@ const executeDeploy = async (options) => {
     return { code: 1, descriptor: void 0, error: preflightError, validation: { problems: [], wranglerPath: void 0 } };
   }
   const validation = validateWranglerProject({ projectRoot: cwd });
-  if (validation.problems.length > 0) {
-    options.logger.error("wrangler.jsonc validation failed:");
-    for (const problem of validation.problems) {
-      options.logger.error(`  - ${problem}`);
-    }
-    return {
-      code: 1,
-      descriptor: void 0,
-      error: "wrangler validation failed",
-      validation
-    };
+  if (reportWranglerProblems(validation, options.logger)) {
+    return { code: 1, descriptor: void 0, error: "wrangler validation failed", validation };
   }
   warnDevVariablesNotPushed(cwd, options.logger);
+  const secretAbort = await offerMissingSecrets(cwd, options, interactive);
+  if (secretAbort !== void 0) {
+    options.logger.error(secretAbort);
+    return { code: 1, descriptor: void 0, error: secretAbort, validation };
+  }
   const shouldAutoLink = !isJsonFormat(options.format) && options.dryRun !== true && options.preview !== true && readLinkedProject(cwd) === void 0;
   const descriptor = {
     args: buildWranglerDeployArgs(cwd, options),

package/dist/packem_shared/{COMMANDS-D3h9Iwvl.mjs → COMMANDS-Dwo9q7Bt.mjs}

@@ -260,21 +260,24 @@ const doctorCommand = {
 };
 
 const envCommand = {
-  argument: { description: "list | get <KEY> | set <KEY> <VALUE> | unset <KEY> | push | diff | doctor", name: "subcommand", type: String },
-  description: "Manage .dev.vars and sync secrets via wrangler (list | get | set | unset | push | diff | doctor)",
+  argument: { description: "list | get <KEY> | set <KEY> <VALUE> | unset <KEY> | generate [KEY] | push | diff | doctor", name: "subcommand", type: String },
+  description: "Manage .dev.vars and sync secrets via wrangler (list | get | set | unset | generate | push | diff | doctor)",
   examples: [
     ["lunora env list", "List .dev.vars keys"],
     ["lunora env set API_KEY secret", "Set a local variable"],
+    ["lunora env generate", "Generate strong values for the project's secrets (print KEY=value)"],
+    ["lunora env generate AUTH_SECRET --set", "Generate one secret and write it to .dev.vars"],
     ["lunora env push --yes", "Upload secrets to Cloudflare"],
     ["lunora env diff", "Compare local .dev.vars keys against Cloudflare"]
   ],
   group: "Data",
-  loader: () => import('../packem_chunks/handler21.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler9.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "env",
   options: [
     { description: "Target production for `push` (passes --env production to wrangler)", name: "prod", type: Boolean },
+    { description: "For `generate` — write the generated secrets into .dev.vars instead of printing them", name: "set", type: Boolean },
     {
       description: "Push secrets to a temporary-account deployment when unauthenticated (wrangler secret put --temporary). Errors if you're already authenticated.",
       name: "temporary",
@@ -292,7 +295,7 @@ const exportCommand = {
     ["lunora export --tables messages,users", "Export only specific tables"]
   ],
   group: "Data",
-  loader: () => import('../packem_chunks/handler9.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler10.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "export",
@@ -314,7 +317,7 @@ const importCommand = {
   description: "Bulk-insert rows from an NDJSON file via the worker's admin endpoint",
   examples: [["lunora import backup.ndjson", "Bulk-insert rows from an NDJSON file"]],
   group: "Data",
-  loader: () => import('../packem_chunks/handler10.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler11.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "import",
@@ -338,7 +341,7 @@ const infoCommand = {
     ["lunora info --json", "Emit a JSON snapshot"]
   ],
   group: "Project",
-  loader: () => import('../packem_chunks/handler11.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler12.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "info",
@@ -442,7 +445,7 @@ const insightsCommand = {
     ["lunora insights --prod --url https://app.example.com --token $LUNORA_ADMIN_TOKEN", "Report against production"]
   ],
   group: "Develop",
-  loader: () => import('../packem_chunks/handler12.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler13.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "insights",
@@ -464,7 +467,7 @@ const linkCommand = {
     ["lunora link --remove", "Remove the link"]
   ],
   group: "Deploy",
-  loader: () => import('../packem_chunks/handler13.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler14.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "link",
@@ -480,7 +483,7 @@ const logsCommand = {
   argument: { description: "Worker name (defaults to the name in wrangler config)", name: "worker", type: String },
   description: "Stream live logs from a deployed Lunora Worker",
   group: "Deploy",
-  loader: () => import('../packem_chunks/handler14.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler15.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "logs",
@@ -540,7 +543,7 @@ const prepareCommand = {
   description: "Run codegen + binding reconcile + wrangler validation (no Vite) — for CI",
   examples: [["lunora prepare", "Codegen + binding reconcile + validate (CI, before deploy)"]],
   group: "Deploy",
-  loader: () => import('../packem_chunks/handler15.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler16.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "prepare",
@@ -564,7 +567,7 @@ const registryCommand = {
     ["lunora registry build --check", "Verify the committed catalog is current"]
   ],
   group: "Project",
-  loader: () => import('../packem_chunks/handler16.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler17.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "registry",
@@ -614,7 +617,7 @@ const rulesCommand = {
     ["lunora rules check --strict", "Exit non-zero when rules are missing (CI gate)"]
   ],
   group: "Project",
-  loader: () => import('../packem_chunks/handler17.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler18.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "rules",
@@ -652,7 +655,7 @@ const seedCommand = {
     ["lunora seed --seed 7 --dry-run", "Print the NDJSON for seed 7 without inserting"]
   ],
   group: "Data",
-  loader: () => import('../packem_chunks/handler18.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler19.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "seed",
@@ -681,7 +684,7 @@ const verifyCommand = {
     ["lunora verify --no-typecheck", "Skip the TypeScript type-check"]
   ],
   group: "Deploy",
-  loader: () => import('../packem_chunks/handler19.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler20.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "verify",
@@ -700,7 +703,7 @@ const viewCommand = {
     ["lunora view --remote", "Open the deployed studio"]
   ],
   group: "Project",
-  loader: () => import('../packem_chunks/handler20.mjs').then((m) => {
+  loader: () => import('../packem_chunks/handler21.mjs').then((m) => {
     return { default: m.execute };
   }),
   name: "view",

package/dist/packem_shared/wrangler-secrets-P2_ZUR-k.mjs

@@ -0,0 +1,47 @@
+import { execFile } from 'node:child_process';
+
+const execCode = (error) => {
+  if (!error) {
+    return 0;
+  }
+  return typeof error.code === "number" ? error.code : 1;
+};
+const defaultRunner = (command, args, cwd) => new Promise((resolve) => {
+  execFile(command, [...args], { cwd }, (error, stdout, stderr) => {
+    resolve({ code: execCode(error), stderr, stdout });
+  });
+});
+const parseSecretNames = (stdout) => {
+  let parsed;
+  try {
+    parsed = JSON.parse(stdout);
+  } catch {
+    return void 0;
+  }
+  if (!Array.isArray(parsed)) {
+    return void 0;
+  }
+  const names = parsed.map((entry) => entry !== null && typeof entry === "object" ? entry.name : void 0).filter((name) => typeof name === "string" && name.length > 0);
+  return [...names].toSorted((a, b) => a.localeCompare(b));
+};
+const listRemoteSecrets = async (inputs) => {
+  const args = ["exec", "wrangler", "secret", "list", "--format", "json"];
+  if (inputs.env !== void 0) {
+    args.push("--env", inputs.env);
+  }
+  if (inputs.temporary) {
+    args.push("--temporary");
+  }
+  const runner = inputs.runner ?? defaultRunner;
+  const result = await runner("pnpm", args, inputs.cwd);
+  if (result.code !== 0) {
+    return { error: result.stderr.trim() || `wrangler secret list exited ${String(result.code)}`, names: [], ok: false };
+  }
+  const names = parseSecretNames(result.stdout);
+  if (names === void 0) {
+    return { error: "could not parse `wrangler secret list --format json` output", names: [], ok: false };
+  }
+  return { names, ok: true };
+};
+
+export { listRemoteSecrets as l };