@lunora/config 1.0.0-alpha.11 → 1.0.0-alpha.13

package/dist/index.d.mts

@@ -668,6 +668,8 @@ interface RemoteEnableInputs {
 * is still overridable per-run by `--remote` or `LUNORA_REMOTE=1`.
 */
 declare const resolveRemoteEnabled: (inputs: RemoteEnableInputs) => boolean;
+/** Core (always-scaffolded) secrets followed by the package-specific ones for the detected capabilities. */
+declare const requiredSecrets: (packageNames: ReadonlyArray<string>) => SecretEntry[];
 /**
 * Whether an (already-unquoted) value looks like a fill-me-in placeholder —
 * empty, angle-bracketed, or containing a known marker — rather than a real
@@ -676,6 +678,15 @@ declare const resolveRemoteEnabled: (inputs: RemoteEnableInputs) => boolean;
 */
 declare const isPlaceholderValue: (value: string) => boolean;
 /**
+* True for a secret-looking key whose value Lunora can mint locally (a random
+* 32-byte hex, like `openssl rand -hex 32`) — e.g. `AUTH_SECRET`,
+* `LUNORA_ADMIN_TOKEN`, `STORAGE_SIGNING_SECRET`. False for provider-issued keys
+* ({@link PROVIDER_SECRET_KEYS}) and any non-secret key.
+*/
+declare const isMintableSecretKey: (key: string) => boolean;
+/** Mint a fresh strong secret value — 64 hex chars (32 bytes), like `openssl rand -hex 32`. */
+declare const generateSecretValue: (randomHex?: (bytes: number) => string) => string;
+/**
 * The outcome of planning a scaffold — a discriminated union so the orchestrator
 * never has to re-derive whether `content` is present.
 *
@@ -777,6 +788,58 @@ declare const buildPackageSecretsBlock: (packageNames: ReadonlyArray<string>, ex
 * **Safety invariant:** only placeholder values are written — no real secrets.
 */
 declare const ensureDevVariablesExample: (cwd: string, packageNames: ReadonlyArray<string>) => string[];
+interface DevSecretsFillPlan {
+  /** {@link CORE_SECRETS} keys appended because they were absent (each generated). */
+  addedKeys: string[];
+  /** The full new file content to write. */
+  content: string;
+  /** Existing empty/placeholder secret-keyed entries filled with fresh values. */
+  filledKeys: string[];
+}
+/**
+* Plan the in-place generation of dev secrets for a `.dev.vars`. First, every
+* line whose KEY looks like a secret (`*_SECRET`, `*_TOKEN`, `*_KEY`,
+* `*_PASSWORD`) and whose value is empty or a placeholder gets a freshly
+* generated value — so a `lunora add`-scaffolded `.dev.vars` (which writes each
+* secret blank) becomes usable on `lunora dev` / `vite dev` without the user
+* running `openssl` by hand. Second, any {@link CORE_SECRETS} key absent from
+* the file is appended (generated) — notably `LUNORA_ADMIN_TOKEN`, which the
+* local Studio needs to call the worker's admin gate in dev (without it the
+* Studio shows its login gate).
+*
+* Pure (given `randomHex`): real (non-placeholder) values are never touched, and
+* comments + non-secret entries are preserved verbatim.
+*/
+declare const planDevSecretsFill: (input: {
+  existingContent: string;
+  randomHex?: (bytes: number) => string;
+}) => DevSecretsFillPlan;
+interface FillDevSecretsResult {
+  /** Core secret keys appended (generated) because they were missing. */
+  addedKeys: string[];
+  /** Existing empty/placeholder secrets filled with generated values. */
+  filledKeys: string[];
+  /** `created` = no `.dev.vars` existed; `filled` = topped up an existing one; `unchanged` = nothing to do. */
+  status: "created" | "filled" | "unchanged";
+}
+/**
+* Generate any missing/empty dev secrets in the project's `.dev.vars`, in place.
+*
+* Complements {@link ensureDevVariables} (which scaffolds `.dev.vars` from
+* `.dev.vars.example`). A `lunora add`-scaffolded project writes secrets blank
+* straight into `.dev.vars` (no example) and never includes `LUNORA_ADMIN_TOKEN`
+* — so the worker boots with empty secrets and the Studio shows its login gate.
+* This fills those gaps at dev startup, so both `lunora dev` and the
+* `@lunora/vite` dev server give a working project with zero manual `openssl`.
+*
+* Never overwrites a real (non-placeholder) value. The write is atomic + owner-
+* only (temp + rename, `mode: 0o600`), matching the other `.dev.vars` writers.
+*/
+declare const fillDevSecrets: (deps: {
+  cwd: string;
+  info?: (message: string) => void;
+  randomHex?: (bytes: number) => string;
+}) => FillDevSecretsResult;
 /** Add a new table to `defineSchema({ ... })`. */
 interface AddTableEdit {
   readonly kind: "addTable";
@@ -1137,4 +1200,4 @@ interface WranglerProjectValidationResult {
 * `{ problems, wranglerPath }` shape plus the structured `report`.
 */
 declare const validateWranglerProject: (options: WranglerProjectValidationOptions) => WranglerProjectValidationResult;
-export { ACCENT, AGENT_RULES_DIR, AGENT_RULES_HINT, AGENT_RULES_HINT_ENV, type AddIndexEdit, type AddOptionalColumnEdit, type AddTableEdit, type AdditiveEdit, type AgentRulesStatus, type ApplyEditResult, type ApplyFailureReason, type AugmentPlan, BADGES, BADGE_COLUMN_WIDTH, type BadgeName, type BadgeSpec, DEV_VARS_EXAMPLE_FILE, DEV_VARS_FILE, DEV_VARS_KEY_PATTERN, type DestructiveEdit, type DetectedFramework, type DiscoverContainerInfoResult, type DiscoverSchemaInfoResult, type DiscoverWorkflowInfoResult, type EnsureDevVariablesDeps, type EnsureDevVariablesResult, type EnsureDevVariablesStatus, type ExportGap, type FrameworkClass, type FrameworkDetection, type InferOptions, type InferredBindings, type InferredContainer, type InferredWorkflow, LINKED_PROJECT_DIR, LINKED_PROJECT_FILE, LUNA_ART, LUNA_BUNNY, LUNA_NAME, LUNA_SIGNOFF, LUNORA_CONFIG_FILE, LUNORA_EVENT_SOURCE, LUNORA_SKILL_NAMES, type LevelBadgeName, type LinkedProject, type LunoraFormattedLine, type LunoraLineLevel, type LunoraProjectConfig, LunoraReporter, type MaterializeOptions, type MaterializeResult, type MultiSelectOption, PACKAGE_SECRETS_REGISTRY, type ParseSchemaResult, REMOTE_ELIGIBLE_KEYS, REQUIRED_COMPATIBILITY_DATE, REQUIRED_FLAG, ROOT_SKILL_NAME, type ReadWranglerResult, type ReconcileBindingsResult, type RemoteBindingPlan, type RemoteEnableInputs, type RemotePreference, type RemoteWranglerShape, STEP_BADGE_NAMES, type ScaffoldPlan, type SchemaColumn, type SchemaEdit, type SchemaIndex, type SchemaInfo, type SchemaTable, type SecretEntry, type SelectOption, type StepBadgeName, type TailConsumer, WRANGLER_FILES, type WranglerConfig, type WranglerContainerEntry, type WranglerProjectValidationOptions, type WranglerProjectValidationResult, type WranglerValidationReport, type WranglerWorkflowEntry, applyAdditiveEdit, badgeLead, badgeWidth, buildPackageSecretsBlock, claimAgentRulesHint, classifyEdit, createConfirm, detectAgentRules, detectFramework, discoverContainerInfo, discoverSchemaInfo, discoverWorkflowInfo, ensureDevVariables, ensureDevVariablesExample as ensureDevVarsExample, findWranglerFile, formatLunoraEvent, inferLunoraBindings, injectRemoteFlags, interpretRemote, isInteractive, isPlaceholderValue, isRemoteEnvEnabled, materializeRemoteWranglerConfig, packageNamesFromBindings, padBadge, paintAnswer, paintBadge, parseDevVariableEntries, parseSchema, planDevVariablesAugment, planDevVariablesScaffold, planRemoteBindings, promptMultiSelect, promptSelect, promptYesNo, readLinkedProject, readProjectRemotePreference, readWranglerJsonc, reconcileWranglerBindings, resolveRemoteEnabled, secretsForPackages, validateWrangler, validateWranglerConfig, validateWranglerProject, withTailConsumer, writeLinkedProject };
+export { ACCENT, AGENT_RULES_DIR, AGENT_RULES_HINT, AGENT_RULES_HINT_ENV, type AddIndexEdit, type AddOptionalColumnEdit, type AddTableEdit, type AdditiveEdit, type AgentRulesStatus, type ApplyEditResult, type ApplyFailureReason, type AugmentPlan, BADGES, BADGE_COLUMN_WIDTH, type BadgeName, type BadgeSpec, DEV_VARS_EXAMPLE_FILE, DEV_VARS_FILE, DEV_VARS_KEY_PATTERN, type DestructiveEdit, type DetectedFramework, type DevSecretsFillPlan, type DiscoverContainerInfoResult, type DiscoverSchemaInfoResult, type DiscoverWorkflowInfoResult, type EnsureDevVariablesDeps, type EnsureDevVariablesResult, type EnsureDevVariablesStatus, type ExportGap, type FillDevSecretsResult, type FrameworkClass, type FrameworkDetection, type InferOptions, type InferredBindings, type InferredContainer, type InferredWorkflow, LINKED_PROJECT_DIR, LINKED_PROJECT_FILE, LUNA_ART, LUNA_BUNNY, LUNA_NAME, LUNA_SIGNOFF, LUNORA_CONFIG_FILE, LUNORA_EVENT_SOURCE, LUNORA_SKILL_NAMES, type LevelBadgeName, type LinkedProject, type LunoraFormattedLine, type LunoraLineLevel, type LunoraProjectConfig, LunoraReporter, type MaterializeOptions, type MaterializeResult, type MultiSelectOption, PACKAGE_SECRETS_REGISTRY, type ParseSchemaResult, REMOTE_ELIGIBLE_KEYS, REQUIRED_COMPATIBILITY_DATE, REQUIRED_FLAG, ROOT_SKILL_NAME, type ReadWranglerResult, type ReconcileBindingsResult, type RemoteBindingPlan, type RemoteEnableInputs, type RemotePreference, type RemoteWranglerShape, STEP_BADGE_NAMES, type ScaffoldPlan, type SchemaColumn, type SchemaEdit, type SchemaIndex, type SchemaInfo, type SchemaTable, type SecretEntry, type SelectOption, type StepBadgeName, type TailConsumer, WRANGLER_FILES, type WranglerConfig, type WranglerContainerEntry, type WranglerProjectValidationOptions, type WranglerProjectValidationResult, type WranglerValidationReport, type WranglerWorkflowEntry, applyAdditiveEdit, badgeLead, badgeWidth, buildPackageSecretsBlock, claimAgentRulesHint, classifyEdit, createConfirm, detectAgentRules, detectFramework, discoverContainerInfo, discoverSchemaInfo, discoverWorkflowInfo, ensureDevVariables, ensureDevVariablesExample as ensureDevVarsExample, fillDevSecrets, findWranglerFile, formatLunoraEvent, generateSecretValue, inferLunoraBindings, injectRemoteFlags, interpretRemote, isInteractive, isMintableSecretKey, isPlaceholderValue, isRemoteEnvEnabled, materializeRemoteWranglerConfig, packageNamesFromBindings, padBadge, paintAnswer, paintBadge, parseDevVariableEntries, parseSchema, planDevSecretsFill, planDevVariablesAugment, planDevVariablesScaffold, planRemoteBindings, promptMultiSelect, promptSelect, promptYesNo, readLinkedProject, readProjectRemotePreference, readWranglerJsonc, reconcileWranglerBindings, requiredSecrets, resolveRemoteEnabled, secretsForPackages, validateWrangler, validateWranglerConfig, validateWranglerProject, withTailConsumer, writeLinkedProject };

package/dist/index.d.ts

@@ -668,6 +668,8 @@ interface RemoteEnableInputs {
 * is still overridable per-run by `--remote` or `LUNORA_REMOTE=1`.
 */
 declare const resolveRemoteEnabled: (inputs: RemoteEnableInputs) => boolean;
+/** Core (always-scaffolded) secrets followed by the package-specific ones for the detected capabilities. */
+declare const requiredSecrets: (packageNames: ReadonlyArray<string>) => SecretEntry[];
 /**
 * Whether an (already-unquoted) value looks like a fill-me-in placeholder —
 * empty, angle-bracketed, or containing a known marker — rather than a real
@@ -676,6 +678,15 @@ declare const resolveRemoteEnabled: (inputs: RemoteEnableInputs) => boolean;
 */
 declare const isPlaceholderValue: (value: string) => boolean;
 /**
+* True for a secret-looking key whose value Lunora can mint locally (a random
+* 32-byte hex, like `openssl rand -hex 32`) — e.g. `AUTH_SECRET`,
+* `LUNORA_ADMIN_TOKEN`, `STORAGE_SIGNING_SECRET`. False for provider-issued keys
+* ({@link PROVIDER_SECRET_KEYS}) and any non-secret key.
+*/
+declare const isMintableSecretKey: (key: string) => boolean;
+/** Mint a fresh strong secret value — 64 hex chars (32 bytes), like `openssl rand -hex 32`. */
+declare const generateSecretValue: (randomHex?: (bytes: number) => string) => string;
+/**
 * The outcome of planning a scaffold — a discriminated union so the orchestrator
 * never has to re-derive whether `content` is present.
 *
@@ -777,6 +788,58 @@ declare const buildPackageSecretsBlock: (packageNames: ReadonlyArray<string>, ex
 * **Safety invariant:** only placeholder values are written — no real secrets.
 */
 declare const ensureDevVariablesExample: (cwd: string, packageNames: ReadonlyArray<string>) => string[];
+interface DevSecretsFillPlan {
+  /** {@link CORE_SECRETS} keys appended because they were absent (each generated). */
+  addedKeys: string[];
+  /** The full new file content to write. */
+  content: string;
+  /** Existing empty/placeholder secret-keyed entries filled with fresh values. */
+  filledKeys: string[];
+}
+/**
+* Plan the in-place generation of dev secrets for a `.dev.vars`. First, every
+* line whose KEY looks like a secret (`*_SECRET`, `*_TOKEN`, `*_KEY`,
+* `*_PASSWORD`) and whose value is empty or a placeholder gets a freshly
+* generated value — so a `lunora add`-scaffolded `.dev.vars` (which writes each
+* secret blank) becomes usable on `lunora dev` / `vite dev` without the user
+* running `openssl` by hand. Second, any {@link CORE_SECRETS} key absent from
+* the file is appended (generated) — notably `LUNORA_ADMIN_TOKEN`, which the
+* local Studio needs to call the worker's admin gate in dev (without it the
+* Studio shows its login gate).
+*
+* Pure (given `randomHex`): real (non-placeholder) values are never touched, and
+* comments + non-secret entries are preserved verbatim.
+*/
+declare const planDevSecretsFill: (input: {
+  existingContent: string;
+  randomHex?: (bytes: number) => string;
+}) => DevSecretsFillPlan;
+interface FillDevSecretsResult {
+  /** Core secret keys appended (generated) because they were missing. */
+  addedKeys: string[];
+  /** Existing empty/placeholder secrets filled with generated values. */
+  filledKeys: string[];
+  /** `created` = no `.dev.vars` existed; `filled` = topped up an existing one; `unchanged` = nothing to do. */
+  status: "created" | "filled" | "unchanged";
+}
+/**
+* Generate any missing/empty dev secrets in the project's `.dev.vars`, in place.
+*
+* Complements {@link ensureDevVariables} (which scaffolds `.dev.vars` from
+* `.dev.vars.example`). A `lunora add`-scaffolded project writes secrets blank
+* straight into `.dev.vars` (no example) and never includes `LUNORA_ADMIN_TOKEN`
+* — so the worker boots with empty secrets and the Studio shows its login gate.
+* This fills those gaps at dev startup, so both `lunora dev` and the
+* `@lunora/vite` dev server give a working project with zero manual `openssl`.
+*
+* Never overwrites a real (non-placeholder) value. The write is atomic + owner-
+* only (temp + rename, `mode: 0o600`), matching the other `.dev.vars` writers.
+*/
+declare const fillDevSecrets: (deps: {
+  cwd: string;
+  info?: (message: string) => void;
+  randomHex?: (bytes: number) => string;
+}) => FillDevSecretsResult;
 /** Add a new table to `defineSchema({ ... })`. */
 interface AddTableEdit {
   readonly kind: "addTable";
@@ -1137,4 +1200,4 @@ interface WranglerProjectValidationResult {
 * `{ problems, wranglerPath }` shape plus the structured `report`.
 */
 declare const validateWranglerProject: (options: WranglerProjectValidationOptions) => WranglerProjectValidationResult;
-export { ACCENT, AGENT_RULES_DIR, AGENT_RULES_HINT, AGENT_RULES_HINT_ENV, type AddIndexEdit, type AddOptionalColumnEdit, type AddTableEdit, type AdditiveEdit, type AgentRulesStatus, type ApplyEditResult, type ApplyFailureReason, type AugmentPlan, BADGES, BADGE_COLUMN_WIDTH, type BadgeName, type BadgeSpec, DEV_VARS_EXAMPLE_FILE, DEV_VARS_FILE, DEV_VARS_KEY_PATTERN, type DestructiveEdit, type DetectedFramework, type DiscoverContainerInfoResult, type DiscoverSchemaInfoResult, type DiscoverWorkflowInfoResult, type EnsureDevVariablesDeps, type EnsureDevVariablesResult, type EnsureDevVariablesStatus, type ExportGap, type FrameworkClass, type FrameworkDetection, type InferOptions, type InferredBindings, type InferredContainer, type InferredWorkflow, LINKED_PROJECT_DIR, LINKED_PROJECT_FILE, LUNA_ART, LUNA_BUNNY, LUNA_NAME, LUNA_SIGNOFF, LUNORA_CONFIG_FILE, LUNORA_EVENT_SOURCE, LUNORA_SKILL_NAMES, type LevelBadgeName, type LinkedProject, type LunoraFormattedLine, type LunoraLineLevel, type LunoraProjectConfig, LunoraReporter, type MaterializeOptions, type MaterializeResult, type MultiSelectOption, PACKAGE_SECRETS_REGISTRY, type ParseSchemaResult, REMOTE_ELIGIBLE_KEYS, REQUIRED_COMPATIBILITY_DATE, REQUIRED_FLAG, ROOT_SKILL_NAME, type ReadWranglerResult, type ReconcileBindingsResult, type RemoteBindingPlan, type RemoteEnableInputs, type RemotePreference, type RemoteWranglerShape, STEP_BADGE_NAMES, type ScaffoldPlan, type SchemaColumn, type SchemaEdit, type SchemaIndex, type SchemaInfo, type SchemaTable, type SecretEntry, type SelectOption, type StepBadgeName, type TailConsumer, WRANGLER_FILES, type WranglerConfig, type WranglerContainerEntry, type WranglerProjectValidationOptions, type WranglerProjectValidationResult, type WranglerValidationReport, type WranglerWorkflowEntry, applyAdditiveEdit, badgeLead, badgeWidth, buildPackageSecretsBlock, claimAgentRulesHint, classifyEdit, createConfirm, detectAgentRules, detectFramework, discoverContainerInfo, discoverSchemaInfo, discoverWorkflowInfo, ensureDevVariables, ensureDevVariablesExample as ensureDevVarsExample, findWranglerFile, formatLunoraEvent, inferLunoraBindings, injectRemoteFlags, interpretRemote, isInteractive, isPlaceholderValue, isRemoteEnvEnabled, materializeRemoteWranglerConfig, packageNamesFromBindings, padBadge, paintAnswer, paintBadge, parseDevVariableEntries, parseSchema, planDevVariablesAugment, planDevVariablesScaffold, planRemoteBindings, promptMultiSelect, promptSelect, promptYesNo, readLinkedProject, readProjectRemotePreference, readWranglerJsonc, reconcileWranglerBindings, resolveRemoteEnabled, secretsForPackages, validateWrangler, validateWranglerConfig, validateWranglerProject, withTailConsumer, writeLinkedProject };
+export { ACCENT, AGENT_RULES_DIR, AGENT_RULES_HINT, AGENT_RULES_HINT_ENV, type AddIndexEdit, type AddOptionalColumnEdit, type AddTableEdit, type AdditiveEdit, type AgentRulesStatus, type ApplyEditResult, type ApplyFailureReason, type AugmentPlan, BADGES, BADGE_COLUMN_WIDTH, type BadgeName, type BadgeSpec, DEV_VARS_EXAMPLE_FILE, DEV_VARS_FILE, DEV_VARS_KEY_PATTERN, type DestructiveEdit, type DetectedFramework, type DevSecretsFillPlan, type DiscoverContainerInfoResult, type DiscoverSchemaInfoResult, type DiscoverWorkflowInfoResult, type EnsureDevVariablesDeps, type EnsureDevVariablesResult, type EnsureDevVariablesStatus, type ExportGap, type FillDevSecretsResult, type FrameworkClass, type FrameworkDetection, type InferOptions, type InferredBindings, type InferredContainer, type InferredWorkflow, LINKED_PROJECT_DIR, LINKED_PROJECT_FILE, LUNA_ART, LUNA_BUNNY, LUNA_NAME, LUNA_SIGNOFF, LUNORA_CONFIG_FILE, LUNORA_EVENT_SOURCE, LUNORA_SKILL_NAMES, type LevelBadgeName, type LinkedProject, type LunoraFormattedLine, type LunoraLineLevel, type LunoraProjectConfig, LunoraReporter, type MaterializeOptions, type MaterializeResult, type MultiSelectOption, PACKAGE_SECRETS_REGISTRY, type ParseSchemaResult, REMOTE_ELIGIBLE_KEYS, REQUIRED_COMPATIBILITY_DATE, REQUIRED_FLAG, ROOT_SKILL_NAME, type ReadWranglerResult, type ReconcileBindingsResult, type RemoteBindingPlan, type RemoteEnableInputs, type RemotePreference, type RemoteWranglerShape, STEP_BADGE_NAMES, type ScaffoldPlan, type SchemaColumn, type SchemaEdit, type SchemaIndex, type SchemaInfo, type SchemaTable, type SecretEntry, type SelectOption, type StepBadgeName, type TailConsumer, WRANGLER_FILES, type WranglerConfig, type WranglerContainerEntry, type WranglerProjectValidationOptions, type WranglerProjectValidationResult, type WranglerValidationReport, type WranglerWorkflowEntry, applyAdditiveEdit, badgeLead, badgeWidth, buildPackageSecretsBlock, claimAgentRulesHint, classifyEdit, createConfirm, detectAgentRules, detectFramework, discoverContainerInfo, discoverSchemaInfo, discoverWorkflowInfo, ensureDevVariables, ensureDevVariablesExample as ensureDevVarsExample, fillDevSecrets, findWranglerFile, formatLunoraEvent, generateSecretValue, inferLunoraBindings, injectRemoteFlags, interpretRemote, isInteractive, isMintableSecretKey, isPlaceholderValue, isRemoteEnvEnabled, materializeRemoteWranglerConfig, packageNamesFromBindings, padBadge, paintAnswer, paintBadge, parseDevVariableEntries, parseSchema, planDevSecretsFill, planDevVariablesAugment, planDevVariablesScaffold, planRemoteBindings, promptMultiSelect, promptSelect, promptYesNo, readLinkedProject, readProjectRemotePreference, readWranglerJsonc, reconcileWranglerBindings, requiredSecrets, resolveRemoteEnabled, secretsForPackages, validateWrangler, validateWranglerConfig, validateWranglerProject, withTailConsumer, writeLinkedProject };

package/dist/index.mjs

@@ -11,7 +11,7 @@ export { LUNORA_CONFIG_FILE, interpretRemote, readProjectRemotePreference } from
 export { createConfirm, isInteractive, promptMultiSelect, promptSelect, promptYesNo } from './packem_shared/createConfirm-fvpdgJ9s.mjs';
 export { reconcileWranglerBindings } from './packem_shared/reconcileWranglerBindings-DTHmqTbL.mjs';
 export { REMOTE_ELIGIBLE_KEYS, injectRemoteFlags, isRemoteEnvEnabled, materializeRemoteWranglerConfig, planRemoteBindings, resolveRemoteEnabled } from './packem_shared/REMOTE_ELIGIBLE_KEYS-BC7_e9Bz.mjs';
-export { buildPackageSecretsBlock, ensureDevVariables, ensureDevVarsExample, isPlaceholderValue, planDevVariablesAugment, planDevVariablesScaffold } from './packem_shared/buildPackageSecretsBlock-DNzNRu7T.mjs';
+export { buildPackageSecretsBlock, ensureDevVariables, ensureDevVarsExample, fillDevSecrets, generateSecretValue, isMintableSecretKey, isPlaceholderValue, planDevSecretsFill, planDevVariablesAugment, planDevVariablesScaffold, requiredSecrets } from './packem_shared/buildPackageSecretsBlock-DWDKHViT.mjs';
 export { applyAdditiveEdit, classifyEdit } from './packem_shared/applyAdditiveEdit-C-snTFEV.mjs';
 export { parseSchema } from './packem_shared/parseSchema-DSeyktvG.mjs';
 export { classifyPolicyEdit, scaffoldPolicyFile, wireRlsIntoProcedure } from './packem_shared/classifyPolicyEdit-BHeAqF8P.mjs';

package/dist/packem_shared/{buildPackageSecretsBlock-DNzNRu7T.mjs → buildPackageSecretsBlock-DWDKHViT.mjs}

@@ -2,7 +2,7 @@ import { randomBytes } from 'node:crypto';
 import { existsSync, readFileSync, writeFileSync, renameSync, rmSync } from 'node:fs';
 import { join } from 'node:path';
 import { DEV_VARS_FILE, DEV_VARS_EXAMPLE_FILE, parseDevVariableEntries, DEV_VARS_NEWLINE, splitDevVariableLine, unquoteDevVariable } from './DEV_VARS_EXAMPLE_FILE-dJPNTEnK.mjs';
-import { CORE_SECRETS, secretsForPackages } from './PACKAGE_SECRETS_REGISTRY-B8t_SdoZ.mjs';
+import { CORE_SECRETS, PACKAGE_SECRETS_REGISTRY, secretsForPackages } from './PACKAGE_SECRETS_REGISTRY-B8t_SdoZ.mjs';
 
 const requiredSecrets = (packageNames) => [...CORE_SECRETS, ...secretsForPackages(packageNames)];
 const SECRET_BYTES = 32;
@@ -46,6 +46,11 @@ const isPlaceholderValue = (value) => {
 const isPlaceholder = (rawValue) => isPlaceholderValue(unquoteDevVariable(rawValue.trim()));
 const defaultRandomHex = (bytes) => randomBytes(bytes).toString("hex");
 const generatedSecretFor = (key, rawValue, randomHex) => SECRET_KEY.test(key) && isPlaceholder(rawValue) ? randomHex(SECRET_BYTES) : void 0;
+const PROVIDER_SECRET_KEYS = new Set(
+  [...CORE_SECRETS, ...Object.values(PACKAGE_SECRETS_REGISTRY).flat()].filter((entry) => SECRET_KEY.test(entry.key) && entry.placeholderValue.startsWith("<")).map((entry) => entry.key)
+);
+const isMintableSecretKey = (key) => SECRET_KEY.test(key) && !PROVIDER_SECRET_KEYS.has(key);
+const generateSecretValue = (randomHex = defaultRandomHex) => randomHex(SECRET_BYTES);
 const planDevVariablesScaffold = (input) => {
   if (input.devVarsExists) {
     return { status: "exists" };
@@ -184,5 +189,55 @@ ${block}
   }
   return requiredSecrets(packageNames).filter((entry) => !existingKeys.has(entry.key)).map((entry) => entry.key);
 };
+const planDevSecretsFill = (input) => {
+  const randomHex = input.randomHex ?? defaultRandomHex;
+  const filledKeys = [];
+  const lines = input.existingContent.split(DEV_VARS_NEWLINE).map((line) => {
+    const parsed = splitDevVariableLine(line);
+    const secret = parsed ? generatedSecretFor(parsed.key, parsed.value, randomHex) : void 0;
+    if (!parsed || secret === void 0) {
+      return line;
+    }
+    filledKeys.push(parsed.key);
+    return `${parsed.key}="${secret}"`;
+  });
+  const present = new Set(parseDevVariableEntries(input.existingContent).map((entry) => entry.key));
+  const addedKeys = [];
+  const additions = [];
+  for (const entry of CORE_SECRETS) {
+    if (present.has(entry.key)) {
+      continue;
+    }
+    addedKeys.push(entry.key);
+    additions.push(`# ${entry.description}`, `${entry.key}="${randomHex(SECRET_BYTES)}"`);
+  }
+  const body = lines.join("\n");
+  if (additions.length === 0) {
+    return { addedKeys, content: body, filledKeys };
+  }
+  const separator = body === "" || body.endsWith("\n") ? "" : "\n";
+  return { addedKeys, content: `${body}${separator}${additions.join("\n")}
+`, filledKeys };
+};
+const fillDevSecrets = (deps) => {
+  const devVariablesPath = join(deps.cwd, DEV_VARS_FILE);
+  const exists = existsSync(devVariablesPath);
+  const existingContent = exists ? readFileSync(devVariablesPath, "utf8") : "";
+  const plan = planDevSecretsFill({ existingContent, randomHex: deps.randomHex });
+  if (plan.filledKeys.length === 0 && plan.addedKeys.length === 0) {
+    return { addedKeys: [], filledKeys: [], status: "unchanged" };
+  }
+  const temporaryPath = `${devVariablesPath}.tmp-${String(process.pid)}`;
+  try {
+    writeFileSync(temporaryPath, plan.content, { encoding: "utf8", mode: 384 });
+    renameSync(temporaryPath, devVariablesPath);
+  } catch (error) {
+    rmSync(temporaryPath, { force: true });
+    throw error;
+  }
+  const generated = [...plan.filledKeys, ...plan.addedKeys];
+  deps.info?.(`Generated ${String(generated.length)} dev secret(s) in ${DEV_VARS_FILE}: ${generated.join(", ")}`);
+  return { addedKeys: plan.addedKeys, filledKeys: plan.filledKeys, status: exists ? "filled" : "created" };
+};
 
-export { buildPackageSecretsBlock, ensureDevVariables, ensureDevVariablesExample as ensureDevVarsExample, isPlaceholderValue, planDevVariablesAugment, planDevVariablesScaffold };
+export { buildPackageSecretsBlock, ensureDevVariables, ensureDevVariablesExample as ensureDevVarsExample, fillDevSecrets, generateSecretValue, isMintableSecretKey, isPlaceholderValue, planDevSecretsFill, planDevVariablesAugment, planDevVariablesScaffold, requiredSecrets };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lunora/config",
-  "version": "1.0.0-alpha.11",
+  "version": "1.0.0-alpha.13",
   "description": "Internal shared CLI + Vite config layer for Lunora: wrangler.jsonc validation, binding inference, and .dev.vars scaffolding",
   "keywords": [
     "bindings",