@pixelzx/genesis 2026.6.6-1 → 2026.6.7

package/dist/secrets-cli-DRs2TyS0.js

@@ -0,0 +1,2101 @@
+import { i as formatErrorMessage } from "./errors-CufR9eHH.js";
+import { a as normalizeLowercaseStringOrEmpty, c as normalizeOptionalString, d as normalizeStringifiedOptionalString, s as normalizeOptionalLowercaseString } from "./string-coerce-DPP_aYVc.js";
+import { f as resolveConfigDir, l as isRecord, m as resolveUserPath } from "./utils-CWrkFsp0.js";
+import { n as defaultRuntime } from "./runtime-DDkDH9fa.js";
+import { t as formatDocsLink } from "./links-C1-jbHJx.js";
+import { r as theme } from "./theme-DD6pQv2_.js";
+import { _ as resolveStateDir } from "./paths-Bv2rGpO9.js";
+import { a as coerceSecretRef, p as resolveSecretInputRef } from "./types.secrets-BbgGt42I.js";
+import { a as formatExecSecretRefIdValidationMessage, c as isValidSecretProviderAlias, l as resolveDefaultSecretProviderAlias, o as isValidExecSecretRefId, u as secretRefKey } from "./ref-contract-D_WmZ91C.js";
+import { t as danger } from "./globals-wYf9_gv5.js";
+import { t as runTasksWithConcurrency } from "./run-with-concurrency-BPqtfY7o.js";
+import { a as parseEnvValue, i as parseDotPath, l as writeTextFileAtomic, n as isNonEmptyString, s as toDotPath } from "./shared-BdNvMmVL.js";
+import { a as resolveSecretRefValue, o as resolveSecretRefValues, r as isProviderScopedSecretResolutionError } from "./resolve-DFimFdgC.js";
+import { t as isSafeExecutableValue } from "./exec-safety-C4kppa_m.js";
+import { w as SecretProviderSchema } from "./zod-schema.core-B5quvztM.js";
+import { r as createConfigIO } from "./io-BbxW7tf4.js";
+import { c as normalizeAgentId } from "./session-key-Cj8Hd5K-.js";
+import { r as normalizeProviderId } from "./provider-id--dmcBtHB.js";
+import { r as listKnownSecretEnvVarNames, t as getProviderEnvVars } from "./provider-env-vars-DDxo5bUJ.js";
+import { _ as resolveAgentConfig, g as listAgentIds, x as resolveDefaultAgentId, y as resolveAgentDir } from "./agent-scope-Duyu_T59.js";
+import { n as getPath, r as setPathCreateStrict, t as deletePathStrict } from "./path-utils-CJ35S4Ql.js";
+import { a as listAuthProfileSecretTargetEntries, c as resolvePlanTargetAgainstRegistry, n as discoverConfigSecretTargets, t as discoverAuthProfileSecretTargets } from "./target-registry-BrTvhqBU.js";
+import "./config-De9ZYLYC.js";
+import { l as resolveAuthStorePath } from "./source-check-DKjWkJoA.js";
+import { c as loadAuthProfileStoreForSecretsRuntime, m as loadPersistedAuthProfileStore, p as coercePersistedAuthProfileStore } from "./store-DSStaRcR.js";
+import { f as isSecretRefHeaderValueMarker, u as isNonSecretApiKeyMarker } from "./model-auth-markers-DmpwbL0s.js";
+import "./model-selection-Le6XU3cD.js";
+import "./auth-profiles-By5m4dfL.js";
+import { a as prepareSecretsRuntimeSnapshot } from "./runtime-C2Kw4WLN.js";
+import { n as hasConfiguredPlaintextSecretValue, r as isExpectedResolvedSecretValue, t as assertExpectedResolvedSecretValue } from "./secret-value-BaWFT5hJ.js";
+import { n as callGatewayFromCli, t as addGatewayClientOptions } from "./gateway-rpc-DE9eTnTH.js";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { isDeepStrictEqual } from "node:util";
+import { confirm, select, text } from "@clack/prompts";
+//#region src/secrets/auth-profiles-scan.ts
+function getAuthProfileFieldName(pathPattern) {
+	const segments = pathPattern.split(".").filter(Boolean);
+	return segments[segments.length - 1] ?? "";
+}
+const AUTH_PROFILE_FIELD_SPEC_BY_TYPE = (() => {
+	const defaults = {
+		api_key: {
+			valueField: "key",
+			refField: "keyRef"
+		},
+		token: {
+			valueField: "token",
+			refField: "tokenRef"
+		}
+	};
+	for (const target of listAuthProfileSecretTargetEntries()) {
+		if (!target.authProfileType) continue;
+		defaults[target.authProfileType] = {
+			valueField: getAuthProfileFieldName(target.pathPattern),
+			refField: target.refPathPattern !== void 0 ? getAuthProfileFieldName(target.refPathPattern) : defaults[target.authProfileType].refField
+		};
+	}
+	return defaults;
+})();
+function getAuthProfileFieldSpec(type) {
+	return AUTH_PROFILE_FIELD_SPEC_BY_TYPE[type];
+}
+function toSecretCredentialVisit(params) {
+	const spec = getAuthProfileFieldSpec(params.kind);
+	return {
+		kind: params.kind,
+		profileId: params.profileId,
+		provider: params.provider,
+		profile: params.profile,
+		valueField: spec.valueField,
+		refField: spec.refField,
+		value: params.profile[spec.valueField],
+		refValue: params.profile[spec.refField]
+	};
+}
+function* iterateAuthProfileCredentials(profiles) {
+	for (const [profileId, value] of Object.entries(profiles)) {
+		if (!isRecord(value) || !isNonEmptyString(value.provider)) continue;
+		const provider = value.provider;
+		if (value.type === "api_key" || value.type === "token") {
+			yield toSecretCredentialVisit({
+				kind: value.type,
+				profileId,
+				provider,
+				profile: value
+			});
+			continue;
+		}
+		if (value.type === "oauth") yield {
+			kind: "oauth",
+			profileId,
+			provider,
+			profile: value,
+			hasAccess: isNonEmptyString(value.access),
+			hasRefresh: isNonEmptyString(value.refresh)
+		};
+	}
+}
+//#endregion
+//#region src/secrets/config-io.ts
+const silentConfigIoLogger = {
+	error: () => {},
+	warn: () => {}
+};
+function createSecretsConfigIO(params) {
+	return createConfigIO({
+		env: params.env,
+		logger: silentConfigIoLogger
+	});
+}
+//#endregion
+//#region src/secrets/exec-resolution-policy.ts
+function selectRefsForExecPolicy(params) {
+	const refsToResolve = [];
+	const skippedExecRefs = [];
+	for (const ref of params.refs) {
+		if (ref.source === "exec" && !params.allowExec) {
+			skippedExecRefs.push(ref);
+			continue;
+		}
+		refsToResolve.push(ref);
+	}
+	return {
+		refsToResolve,
+		skippedExecRefs
+	};
+}
+function getSkippedExecRefStaticError(params) {
+	const id = params.ref.id.trim();
+	const refLabel = `${params.ref.source}:${params.ref.provider}:${id}`;
+	if (!id) return "Error: Secret reference id is empty.";
+	if (!isValidExecSecretRefId(id)) return `Error: ${formatExecSecretRefIdValidationMessage()} (ref: ${refLabel}).`;
+	const providerConfig = params.config.secrets?.providers?.[params.ref.provider];
+	if (!providerConfig) return `Error: Secret provider "${params.ref.provider}" is not configured (ref: ${refLabel}).`;
+	if (providerConfig.source !== params.ref.source) return `Error: Secret provider "${params.ref.provider}" has source "${providerConfig.source}" but ref requests "${params.ref.source}".`;
+	return null;
+}
+//#endregion
+//#region src/secrets/plan.ts
+const FORBIDDEN_PATH_SEGMENTS = new Set([
+	"__proto__",
+	"prototype",
+	"constructor"
+]);
+function isObjectRecord(value) {
+	return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function isSecretProviderConfigShape(value) {
+	return SecretProviderSchema.safeParse(value).success;
+}
+function hasForbiddenPathSegment(segments) {
+	return segments.some((segment) => FORBIDDEN_PATH_SEGMENTS.has(segment));
+}
+function resolveValidatedPlanTarget(candidate) {
+	if (typeof candidate.type !== "string" || !candidate.type.trim()) return null;
+	const path = typeof candidate.path === "string" ? candidate.path.trim() : "";
+	if (!path) return null;
+	const segments = Array.isArray(candidate.pathSegments) && candidate.pathSegments.length > 0 ? candidate.pathSegments.map((segment) => segment.trim()).filter(Boolean) : parseDotPath(path);
+	if (segments.length === 0 || hasForbiddenPathSegment(segments) || path !== toDotPath(segments)) return null;
+	return resolvePlanTargetAgainstRegistry({
+		type: candidate.type,
+		pathSegments: segments,
+		providerId: candidate.providerId,
+		accountId: candidate.accountId
+	});
+}
+function isSecretsApplyPlan(value) {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return false;
+	const typed = value;
+	if (typed.version !== 1 || typed.protocolVersion !== 1 || !Array.isArray(typed.targets)) return false;
+	for (const target of typed.targets) {
+		if (!target || typeof target !== "object") return false;
+		const candidate = target;
+		const ref = candidate.ref;
+		const resolved = resolveValidatedPlanTarget({
+			type: candidate.type,
+			path: candidate.path,
+			pathSegments: candidate.pathSegments,
+			agentId: candidate.agentId,
+			providerId: candidate.providerId,
+			accountId: candidate.accountId,
+			authProfileProvider: candidate.authProfileProvider
+		});
+		if (typeof candidate.path !== "string" || !candidate.path.trim() || candidate.pathSegments !== void 0 && !Array.isArray(candidate.pathSegments) || !resolved || !ref || typeof ref !== "object" || ref.source !== "env" && ref.source !== "file" && ref.source !== "exec" || typeof ref.provider !== "string" || ref.provider.trim().length === 0 || typeof ref.id !== "string" || ref.id.trim().length === 0 || ref.source === "exec" && !isValidExecSecretRefId(ref.id)) return false;
+		if (resolved.entry.configFile === "auth-profiles.json") {
+			if (typeof candidate.agentId !== "string" || candidate.agentId.trim().length === 0) return false;
+			if (candidate.authProfileProvider !== void 0 && (typeof candidate.authProfileProvider !== "string" || candidate.authProfileProvider.trim().length === 0)) return false;
+		}
+	}
+	if (typed.providerUpserts !== void 0) {
+		if (!isObjectRecord(typed.providerUpserts)) return false;
+		for (const [providerAlias, providerValue] of Object.entries(typed.providerUpserts)) {
+			if (!isValidSecretProviderAlias(providerAlias)) return false;
+			if (!isSecretProviderConfigShape(providerValue)) return false;
+		}
+	}
+	if (typed.providerDeletes !== void 0) {
+		if (!Array.isArray(typed.providerDeletes) || typed.providerDeletes.some((providerAlias) => typeof providerAlias !== "string" || !isValidSecretProviderAlias(providerAlias))) return false;
+	}
+	return true;
+}
+function normalizeSecretsPlanOptions(options) {
+	return {
+		scrubEnv: options?.scrubEnv ?? true,
+		scrubAuthProfilesForProviderTargets: options?.scrubAuthProfilesForProviderTargets ?? true,
+		scrubLegacyAuthJson: options?.scrubLegacyAuthJson ?? true
+	};
+}
+//#endregion
+//#region src/secrets/auth-store-paths.ts
+function listAuthProfileStorePaths$1(config, stateDir) {
+	const paths = /* @__PURE__ */ new Set();
+	paths.add(path.join(resolveUserPath(stateDir), "agents", "main", "agent", "auth-profiles.json"));
+	const agentsRoot = path.join(resolveUserPath(stateDir), "agents");
+	if (fs.existsSync(agentsRoot)) for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
+		if (!entry.isDirectory()) continue;
+		paths.add(path.join(agentsRoot, entry.name, "agent", "auth-profiles.json"));
+	}
+	for (const agentId of listAgentIds(config)) {
+		if (agentId === "main") {
+			paths.add(path.join(resolveUserPath(stateDir), "agents", "main", "agent", "auth-profiles.json"));
+			continue;
+		}
+		const agentDir = resolveAgentDir(config, agentId);
+		paths.add(resolveUserPath(resolveAuthStorePath(agentDir)));
+	}
+	return [...paths];
+}
+//#endregion
+//#region src/secrets/storage-scan.ts
+function isJsonObject(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function parseEnvAssignmentValue(raw) {
+	return parseEnvValue(raw);
+}
+function listAuthProfileStorePaths(config, stateDir) {
+	return listAuthProfileStorePaths$1(config, stateDir);
+}
+function listLegacyAuthJsonPaths(stateDir) {
+	const out = [];
+	const agentsRoot = path.join(resolveUserPath(stateDir), "agents");
+	if (!fs.existsSync(agentsRoot)) return out;
+	for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
+		if (!entry.isDirectory()) continue;
+		const candidate = path.join(agentsRoot, entry.name, "agent", "auth.json");
+		if (fs.existsSync(candidate)) out.push(candidate);
+	}
+	return out;
+}
+function resolveActiveAgentDir(stateDir, env = process.env) {
+	const override = env.GENESIS_AGENT_DIR?.trim() || env.PI_CODING_AGENT_DIR?.trim();
+	if (override) return resolveUserPath(override);
+	return path.join(resolveUserPath(stateDir), "agents", "main", "agent");
+}
+function listAgentModelsJsonPaths(config, stateDir, env = process.env) {
+	const resolvedStateDir = resolveUserPath(stateDir);
+	const paths = /* @__PURE__ */ new Set();
+	paths.add(path.join(resolvedStateDir, "agents", "main", "agent", "models.json"));
+	paths.add(path.join(resolveActiveAgentDir(stateDir, env), "models.json"));
+	const agentsRoot = path.join(resolvedStateDir, "agents");
+	if (fs.existsSync(agentsRoot)) for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
+		if (!entry.isDirectory()) continue;
+		paths.add(path.join(agentsRoot, entry.name, "agent", "models.json"));
+	}
+	for (const agentId of listAgentIds(config)) {
+		if (agentId === "main") {
+			paths.add(path.join(resolvedStateDir, "agents", "main", "agent", "models.json"));
+			continue;
+		}
+		const agentDir = resolveAgentDir(config, agentId);
+		paths.add(path.join(resolveUserPath(agentDir), "models.json"));
+	}
+	return [...paths];
+}
+function readJsonObjectIfExists(filePath, options = {}) {
+	if (!fs.existsSync(filePath)) return { value: null };
+	try {
+		const stats = fs.statSync(filePath);
+		if (options.requireRegularFile && !stats.isFile()) return {
+			value: null,
+			error: `Refusing to read non-regular file: ${filePath}`
+		};
+		if (typeof options.maxBytes === "number" && Number.isFinite(options.maxBytes) && options.maxBytes >= 0 && stats.size > options.maxBytes) return {
+			value: null,
+			error: `Refusing to read oversized JSON (${stats.size} bytes): ${filePath}`
+		};
+		const raw = fs.readFileSync(filePath, "utf8");
+		const parsed = JSON.parse(raw);
+		if (!isJsonObject(parsed)) return { value: null };
+		return { value: parsed };
+	} catch (err) {
+		return {
+			value: null,
+			error: formatErrorMessage(err)
+		};
+	}
+}
+//#endregion
+//#region src/secrets/apply.ts
+function planContainsExecReferences(plan) {
+	if (plan.targets.some((target) => target.ref.source === "exec")) return true;
+	return Object.values(plan.providerUpserts ?? {}).some((provider) => provider.source === "exec");
+}
+function resolveTarget(target) {
+	const resolved = resolveValidatedPlanTarget(target);
+	if (!resolved) throw new Error(`Invalid plan target path for ${target.type}: ${target.path}`);
+	return resolved;
+}
+function scrubEnvRaw(raw, migratedValues, allowedEnvKeys) {
+	if (migratedValues.size === 0 || allowedEnvKeys.size === 0) return {
+		nextRaw: raw,
+		removed: 0
+	};
+	const lines = raw.split(/\r?\n/);
+	const nextLines = [];
+	let removed = 0;
+	for (const line of lines) {
+		const match = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
+		if (!match) {
+			nextLines.push(line);
+			continue;
+		}
+		const envKey = match[1] ?? "";
+		if (!allowedEnvKeys.has(envKey)) {
+			nextLines.push(line);
+			continue;
+		}
+		const parsedValue = parseEnvAssignmentValue(match[2] ?? "");
+		if (migratedValues.has(parsedValue)) {
+			removed += 1;
+			continue;
+		}
+		nextLines.push(line);
+	}
+	const hadTrailingNewline = raw.endsWith("\n");
+	const joined = nextLines.join("\n");
+	return {
+		nextRaw: hadTrailingNewline || joined.length === 0 ? `${joined}${joined.endsWith("\n") ? "" : "\n"}` : joined,
+		removed
+	};
+}
+function applyProviderPlanMutations(params) {
+	const currentProviders = isRecord(params.config.secrets?.providers) ? structuredClone(params.config.secrets?.providers) : {};
+	let changed = false;
+	for (const providerAlias of params.deletes ?? []) {
+		if (!Object.prototype.hasOwnProperty.call(currentProviders, providerAlias)) continue;
+		delete currentProviders[providerAlias];
+		changed = true;
+	}
+	for (const [providerAlias, providerConfig] of Object.entries(params.upserts ?? {})) {
+		const previous = currentProviders[providerAlias];
+		if (isDeepStrictEqual(previous, providerConfig)) continue;
+		currentProviders[providerAlias] = structuredClone(providerConfig);
+		changed = true;
+	}
+	if (!changed) return false;
+	params.config.secrets ??= {};
+	if (Object.keys(currentProviders).length === 0) {
+		if ("providers" in params.config.secrets) delete params.config.secrets.providers;
+		return true;
+	}
+	params.config.secrets.providers = currentProviders;
+	return true;
+}
+async function projectPlanState(params) {
+	const { snapshot, writeOptions } = await createSecretsConfigIO({ env: params.env }).readConfigFileSnapshotForWrite();
+	if (!snapshot.valid) throw new Error("Cannot apply secrets plan: config is invalid.");
+	const options = normalizeSecretsPlanOptions(params.plan.options);
+	const nextConfig = structuredClone(snapshot.config);
+	const stateDir = resolveStateDir(params.env, os.homedir);
+	const changedFiles = /* @__PURE__ */ new Set();
+	const warnings = [];
+	const configPath = resolveUserPath(snapshot.path);
+	if (applyProviderPlanMutations({
+		config: nextConfig,
+		upserts: params.plan.providerUpserts,
+		deletes: params.plan.providerDeletes
+	})) changedFiles.add(configPath);
+	const targetMutations = applyConfigTargetMutations({
+		planTargets: params.plan.targets,
+		nextConfig,
+		stateDir,
+		authStoreByPath: /* @__PURE__ */ new Map(),
+		changedFiles
+	});
+	if (targetMutations.configChanged) changedFiles.add(configPath);
+	const authStoreByPath = scrubAuthStoresForProviderTargets({
+		nextConfig,
+		stateDir,
+		providerTargets: targetMutations.providerTargets,
+		scrubbedValues: targetMutations.scrubbedValues,
+		authStoreByPath: targetMutations.authStoreByPath,
+		changedFiles,
+		warnings,
+		enabled: options.scrubAuthProfilesForProviderTargets
+	});
+	const authJsonByPath = scrubLegacyAuthJsonStores({
+		stateDir,
+		changedFiles,
+		enabled: options.scrubLegacyAuthJson
+	});
+	const envRawByPath = scrubEnvFiles({
+		env: params.env,
+		scrubbedValues: targetMutations.scrubbedValues,
+		changedFiles,
+		enabled: options.scrubEnv
+	});
+	const checkFullRuntime = params.write ? changedFiles.size > 0 : params.allowExecInDryRun;
+	const validation = await validateProjectedSecretsState({
+		env: params.env,
+		nextConfig,
+		resolvedTargets: targetMutations.resolvedTargets,
+		authStoreByPath,
+		write: params.write,
+		allowExecInDryRun: params.allowExecInDryRun,
+		checkFullRuntime
+	});
+	return {
+		nextConfig,
+		configPath,
+		configWriteOptions: writeOptions,
+		authStoreByPath,
+		authJsonByPath,
+		envRawByPath,
+		changedFiles,
+		warnings,
+		refsChecked: validation.refsChecked,
+		skippedExecRefs: validation.skippedExecRefs,
+		resolvabilityComplete: validation.resolvabilityComplete
+	};
+}
+function applyConfigTargetMutations(params) {
+	const resolvedTargets = params.planTargets.map((target) => ({
+		target,
+		resolved: resolveTarget(target)
+	}));
+	const scrubbedValues = /* @__PURE__ */ new Set();
+	const providerTargets = /* @__PURE__ */ new Set();
+	let configChanged = false;
+	for (const { target, resolved } of resolvedTargets) {
+		if (resolved.entry.configFile === "auth-profiles.json") {
+			if (applyAuthProfileTargetMutation({
+				target,
+				resolved,
+				nextConfig: params.nextConfig,
+				stateDir: params.stateDir,
+				authStoreByPath: params.authStoreByPath,
+				scrubbedValues
+			})) {
+				const agentId = (target.agentId ?? "").trim();
+				if (!agentId) throw new Error(`Missing required agentId for auth-profiles target ${target.path}.`);
+				params.changedFiles.add(resolveAuthStorePathForAgent({
+					nextConfig: params.nextConfig,
+					stateDir: params.stateDir,
+					agentId
+				}));
+			}
+			continue;
+		}
+		const targetPathSegments = resolved.pathSegments;
+		if (resolved.entry.secretShape === "sibling_ref") {
+			const previous = getPath(params.nextConfig, targetPathSegments);
+			if (isNonEmptyString(previous)) scrubbedValues.add(previous.trim());
+			const refPathSegments = resolved.refPathSegments;
+			if (!refPathSegments) throw new Error(`Missing sibling ref path for target ${target.type}.`);
+			const wroteRef = setPathCreateStrict(params.nextConfig, refPathSegments, target.ref);
+			const deletedLegacy = deletePathStrict(params.nextConfig, targetPathSegments);
+			if (wroteRef || deletedLegacy) configChanged = true;
+			continue;
+		}
+		const previous = getPath(params.nextConfig, targetPathSegments);
+		if (isNonEmptyString(previous)) scrubbedValues.add(previous.trim());
+		if (setPathCreateStrict(params.nextConfig, targetPathSegments, target.ref)) configChanged = true;
+		if (resolved.entry.trackProviderShadowing && resolved.providerId) providerTargets.add(normalizeProviderId(resolved.providerId));
+	}
+	return {
+		resolvedTargets,
+		scrubbedValues,
+		providerTargets,
+		configChanged,
+		authStoreByPath: params.authStoreByPath
+	};
+}
+function scrubAuthStoresForProviderTargets(params) {
+	if (!params.enabled || params.providerTargets.size === 0) return params.authStoreByPath;
+	for (const authStorePath of listAuthProfileStorePaths(params.nextConfig, params.stateDir)) {
+		const parsed = params.authStoreByPath.get(authStorePath) ?? readJsonObjectIfExists(authStorePath).value;
+		if (!parsed || !isRecord(parsed.profiles)) continue;
+		const nextStore = structuredClone(parsed);
+		const profiles = nextStore.profiles;
+		if (!isRecord(profiles)) continue;
+		let mutated = false;
+		for (const profile of iterateAuthProfileCredentials(profiles)) {
+			const provider = normalizeProviderId(profile.provider);
+			if (!params.providerTargets.has(provider)) continue;
+			if (profile.kind === "api_key" || profile.kind === "token") {
+				if (isNonEmptyString(profile.value)) params.scrubbedValues.add(profile.value.trim());
+				if (profile.valueField in profile.profile) {
+					delete profile.profile[profile.valueField];
+					mutated = true;
+				}
+				if (profile.refField in profile.profile) {
+					delete profile.profile[profile.refField];
+					mutated = true;
+				}
+				continue;
+			}
+			if (profile.kind === "oauth" && (profile.hasAccess || profile.hasRefresh)) params.warnings.push(`Provider "${provider}" has OAuth credentials in ${authStorePath}; those still take precedence and are out of scope for static SecretRef migration.`);
+		}
+		if (mutated) {
+			params.authStoreByPath.set(authStorePath, nextStore);
+			params.changedFiles.add(authStorePath);
+		}
+	}
+	return params.authStoreByPath;
+}
+function ensureMutableAuthStore(store) {
+	const next = store ? structuredClone(store) : {};
+	const profiles = isRecord(next.profiles) ? next.profiles : {};
+	if (typeof next.version !== "number" || !Number.isFinite(next.version)) next.version = 1;
+	return {
+		...next,
+		profiles
+	};
+}
+function resolveAuthStoreForTarget(params) {
+	const agentId = (params.target.agentId ?? "").trim();
+	if (!agentId) throw new Error(`Missing required agentId for auth-profiles target ${params.target.path}.`);
+	const authStorePath = resolveAuthStorePathForAgent({
+		nextConfig: params.nextConfig,
+		stateDir: params.stateDir,
+		agentId
+	});
+	const loaded = params.authStoreByPath.get(authStorePath) ?? readJsonObjectIfExists(authStorePath).value;
+	const store = ensureMutableAuthStore(isRecord(loaded) ? loaded : void 0);
+	params.authStoreByPath.set(authStorePath, store);
+	return {
+		path: authStorePath,
+		store
+	};
+}
+function resolveAuthStorePathForAgent(params) {
+	const normalizedAgentId = normalizeAgentId(params.agentId);
+	const configuredAgentDir = resolveAgentConfig(params.nextConfig, normalizedAgentId)?.agentDir?.trim();
+	if (configuredAgentDir) return resolveUserPath(resolveAuthStorePath(configuredAgentDir));
+	return path.join(resolveUserPath(params.stateDir), "agents", normalizedAgentId, "agent", "auth-profiles.json");
+}
+function ensureAuthProfileContainer(params) {
+	let changed = false;
+	const profilePathSegments = params.resolved.pathSegments.slice(0, 2);
+	const profileId = profilePathSegments[1];
+	if (!profileId) throw new Error(`Invalid auth profile target path: ${params.target.path}`);
+	const current = getPath(params.store, profilePathSegments);
+	const expectedType = params.resolved.entry.authProfileType;
+	if (isRecord(current)) {
+		if (expectedType && typeof current.type === "string" && current.type !== expectedType) throw new Error(`Auth profile "${profileId}" type mismatch for ${params.target.path}: expected "${expectedType}", got "${current.type}".`);
+		if (!isNonEmptyString(current.provider) && isNonEmptyString(params.target.authProfileProvider)) {
+			const wroteProvider = setPathCreateStrict(params.store, [...profilePathSegments, "provider"], params.target.authProfileProvider);
+			changed = changed || wroteProvider;
+		}
+		return changed;
+	}
+	if (!expectedType) throw new Error(`Auth profile target ${params.target.path} is missing auth profile type metadata.`);
+	const provider = (params.target.authProfileProvider ?? "").trim();
+	if (!provider) throw new Error(`Cannot create auth profile "${profileId}" for ${params.target.path} without authProfileProvider.`);
+	const wroteProfile = setPathCreateStrict(params.store, profilePathSegments, {
+		type: expectedType,
+		provider
+	});
+	changed = changed || wroteProfile;
+	return changed;
+}
+function applyAuthProfileTargetMutation(params) {
+	if (params.resolved.entry.configFile !== "auth-profiles.json") return false;
+	const { store } = resolveAuthStoreForTarget({
+		target: params.target,
+		nextConfig: params.nextConfig,
+		stateDir: params.stateDir,
+		authStoreByPath: params.authStoreByPath
+	});
+	let changed = ensureAuthProfileContainer({
+		target: params.target,
+		resolved: params.resolved,
+		store
+	});
+	const targetPathSegments = params.resolved.pathSegments;
+	if (params.resolved.entry.secretShape === "sibling_ref") {
+		const previous = getPath(store, targetPathSegments);
+		if (isNonEmptyString(previous)) params.scrubbedValues.add(previous.trim());
+		const refPathSegments = params.resolved.refPathSegments;
+		if (!refPathSegments) throw new Error(`Missing sibling ref path for auth-profiles target ${params.target.path}.`);
+		const wroteRef = setPathCreateStrict(store, refPathSegments, params.target.ref);
+		const deletedPlaintext = deletePathStrict(store, targetPathSegments);
+		changed = changed || wroteRef || deletedPlaintext;
+		return changed;
+	}
+	const previous = getPath(store, targetPathSegments);
+	if (isNonEmptyString(previous)) params.scrubbedValues.add(previous.trim());
+	const wroteRef = setPathCreateStrict(store, targetPathSegments, params.target.ref);
+	changed = changed || wroteRef;
+	return changed;
+}
+function scrubLegacyAuthJsonStores(params) {
+	const authJsonByPath = /* @__PURE__ */ new Map();
+	if (!params.enabled) return authJsonByPath;
+	for (const authJsonPath of listLegacyAuthJsonPaths(params.stateDir)) {
+		const parsed = readJsonObjectIfExists(authJsonPath).value;
+		if (!parsed) continue;
+		let mutated = false;
+		const nextParsed = structuredClone(parsed);
+		for (const [providerId, value] of Object.entries(nextParsed)) {
+			if (!isRecord(value)) continue;
+			if (value.type === "api_key" && isNonEmptyString(value.key)) {
+				delete nextParsed[providerId];
+				mutated = true;
+			}
+		}
+		if (mutated) {
+			authJsonByPath.set(authJsonPath, nextParsed);
+			params.changedFiles.add(authJsonPath);
+		}
+	}
+	return authJsonByPath;
+}
+function scrubEnvFiles(params) {
+	const envRawByPath = /* @__PURE__ */ new Map();
+	if (!params.enabled || params.scrubbedValues.size === 0) return envRawByPath;
+	const envPath = path.join(resolveConfigDir(params.env, os.homedir), ".env");
+	if (!fs.existsSync(envPath)) return envRawByPath;
+	const current = fs.readFileSync(envPath, "utf8");
+	const scrubbed = scrubEnvRaw(current, params.scrubbedValues, new Set(listKnownSecretEnvVarNames()));
+	if (scrubbed.removed > 0 && scrubbed.nextRaw !== current) {
+		envRawByPath.set(envPath, scrubbed.nextRaw);
+		params.changedFiles.add(envPath);
+	}
+	return envRawByPath;
+}
+async function validateProjectedSecretsState(params) {
+	const cache = {};
+	let refsChecked = 0;
+	let skippedExecRefs = 0;
+	for (const { target, resolved: resolvedTarget } of params.resolvedTargets) {
+		if (!params.write && target.ref.source === "exec" && !params.allowExecInDryRun) {
+			skippedExecRefs += 1;
+			const staticError = getSkippedExecRefStaticError({
+				ref: target.ref,
+				config: params.nextConfig
+			});
+			if (staticError) throw new Error(staticError);
+			continue;
+		}
+		const resolved = await resolveSecretRefValue(target.ref, {
+			config: params.nextConfig,
+			env: params.env,
+			cache
+		});
+		refsChecked += 1;
+		assertExpectedResolvedSecretValue({
+			value: resolved,
+			expected: resolvedTarget.entry.expectedResolvedValue,
+			errorMessage: resolvedTarget.entry.expectedResolvedValue === "string" ? `Ref ${target.ref.source}:${target.ref.provider}:${target.ref.id} is not a non-empty string.` : `Ref ${target.ref.source}:${target.ref.provider}:${target.ref.id} is not string/object.`
+		});
+	}
+	const authStoreLookup = /* @__PURE__ */ new Map();
+	for (const [authStorePath, store] of params.authStoreByPath.entries()) authStoreLookup.set(resolveUserPath(authStorePath), store);
+	if (params.checkFullRuntime) await prepareSecretsRuntimeSnapshot({
+		config: params.nextConfig,
+		env: params.env,
+		includeAuthStoreRefs: params.write || params.authStoreByPath.size > 0,
+		loadAuthStore: (agentDir) => {
+			const storePath = resolveUserPath(resolveAuthStorePath(agentDir));
+			const override = authStoreLookup.get(storePath);
+			if (override) return coercePersistedAuthProfileStore(structuredClone(override)) ?? {
+				version: 1,
+				profiles: {}
+			};
+			return loadAuthProfileStoreForSecretsRuntime(agentDir);
+		}
+	});
+	return {
+		refsChecked,
+		skippedExecRefs,
+		resolvabilityComplete: params.write || params.allowExecInDryRun || skippedExecRefs === 0
+	};
+}
+function captureFileSnapshot(pathname) {
+	if (!fs.existsSync(pathname)) return {
+		existed: false,
+		content: "",
+		mode: 384
+	};
+	const stat = fs.statSync(pathname);
+	return {
+		existed: true,
+		content: fs.readFileSync(pathname, "utf8"),
+		mode: stat.mode & 511
+	};
+}
+function restoreFileSnapshot(pathname, snapshot) {
+	if (!snapshot.existed) {
+		if (fs.existsSync(pathname)) fs.rmSync(pathname, { force: true });
+		return;
+	}
+	writeTextFileAtomic(pathname, snapshot.content, snapshot.mode || 384);
+}
+function toJsonWrite(pathname, value) {
+	return {
+		path: pathname,
+		content: `${JSON.stringify(value, null, 2)}\n`,
+		mode: 384
+	};
+}
+async function runSecretsApply(params) {
+	const env = params.env ?? process.env;
+	const write = params.write === true;
+	const allowExec = Boolean(params.allowExec);
+	if (write && planContainsExecReferences(params.plan) && !allowExec) throw new Error("Plan contains exec SecretRefs/providers. Re-run with --allow-exec.");
+	const allowExecInDryRun = write ? true : allowExec;
+	const projected = await projectPlanState({
+		plan: params.plan,
+		env,
+		write,
+		allowExecInDryRun
+	});
+	const changedFiles = [...projected.changedFiles].toSorted();
+	if (!write) return {
+		mode: "dry-run",
+		changed: changedFiles.length > 0,
+		changedFiles,
+		checks: {
+			resolvability: true,
+			resolvabilityComplete: projected.resolvabilityComplete
+		},
+		refsChecked: projected.refsChecked,
+		skippedExecRefs: projected.skippedExecRefs,
+		warningCount: projected.warnings.length,
+		warnings: projected.warnings
+	};
+	if (changedFiles.length === 0) return {
+		mode: "write",
+		changed: false,
+		changedFiles: [],
+		checks: {
+			resolvability: true,
+			resolvabilityComplete: true
+		},
+		refsChecked: projected.refsChecked,
+		skippedExecRefs: 0,
+		warningCount: projected.warnings.length,
+		warnings: projected.warnings
+	};
+	const io = createSecretsConfigIO({ env });
+	const snapshots = /* @__PURE__ */ new Map();
+	const capture = (pathname) => {
+		if (!snapshots.has(pathname)) snapshots.set(pathname, captureFileSnapshot(pathname));
+	};
+	capture(projected.configPath);
+	const writes = [];
+	for (const [pathname, value] of projected.authStoreByPath.entries()) {
+		capture(pathname);
+		writes.push(toJsonWrite(pathname, value));
+	}
+	for (const [pathname, value] of projected.authJsonByPath.entries()) {
+		capture(pathname);
+		writes.push(toJsonWrite(pathname, value));
+	}
+	for (const [pathname, raw] of projected.envRawByPath.entries()) {
+		capture(pathname);
+		writes.push({
+			path: pathname,
+			content: raw,
+			mode: 384
+		});
+	}
+	try {
+		await io.writeConfigFile(projected.nextConfig, projected.configWriteOptions);
+		for (const write of writes) writeTextFileAtomic(write.path, write.content, write.mode);
+	} catch (err) {
+		for (const [pathname, snapshot] of snapshots.entries()) try {
+			restoreFileSnapshot(pathname, snapshot);
+		} catch {}
+		throw new Error(`Secrets apply failed: ${String(err)}`, { cause: err });
+	}
+	return {
+		mode: "write",
+		changed: changedFiles.length > 0,
+		changedFiles,
+		checks: {
+			resolvability: true,
+			resolvabilityComplete: true
+		},
+		refsChecked: projected.refsChecked,
+		skippedExecRefs: 0,
+		warningCount: projected.warnings.length,
+		warnings: projected.warnings
+	};
+}
+//#endregion
+//#region src/secrets/audit.ts
+const REF_RESOLVE_FALLBACK_CONCURRENCY = 8;
+const MAX_AUDIT_MODELS_JSON_BYTES = 5 * 1024 * 1024;
+const ALWAYS_SENSITIVE_MODEL_PROVIDER_HEADER_NAMES = new Set([
+	"authorization",
+	"proxy-authorization",
+	"x-api-key",
+	"api-key",
+	"apikey",
+	"x-auth-token",
+	"auth-token",
+	"x-access-token",
+	"access-token",
+	"x-secret-key",
+	"secret-key"
+]);
+const SENSITIVE_MODEL_PROVIDER_HEADER_NAME_FRAGMENTS = [
+	"api-key",
+	"apikey",
+	"token",
+	"secret",
+	"password",
+	"credential"
+];
+function isLikelySensitiveModelProviderHeaderName(value) {
+	const normalized = normalizeLowercaseStringOrEmpty(value);
+	if (!normalized) return false;
+	if (ALWAYS_SENSITIVE_MODEL_PROVIDER_HEADER_NAMES.has(normalized)) return true;
+	return SENSITIVE_MODEL_PROVIDER_HEADER_NAME_FRAGMENTS.some((fragment) => normalized.includes(fragment));
+}
+function addFinding(collector, finding) {
+	collector.findings.push(finding);
+}
+function collectProviderRefPath(collector, providerId, configPath) {
+	const key = normalizeProviderId(providerId);
+	const existing = collector.configProviderRefPaths.get(key);
+	if (existing) {
+		existing.push(configPath);
+		return;
+	}
+	collector.configProviderRefPaths.set(key, [configPath]);
+}
+function trackAuthProviderState(collector, provider, mode) {
+	const key = normalizeProviderId(provider);
+	const existing = collector.authProviderState.get(key);
+	if (existing) {
+		existing.hasUsableStaticOrOAuth = true;
+		existing.modes.add(mode);
+		return;
+	}
+	collector.authProviderState.set(key, {
+		hasUsableStaticOrOAuth: true,
+		modes: new Set([mode])
+	});
+}
+function collectEnvPlaintext(params) {
+	if (!fs.existsSync(params.envPath)) return;
+	params.collector.filesScanned.add(params.envPath);
+	const knownKeys = new Set(listKnownSecretEnvVarNames());
+	const lines = fs.readFileSync(params.envPath, "utf8").split(/\r?\n/);
+	for (const line of lines) {
+		const match = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
+		if (!match) continue;
+		const key = match[1] ?? "";
+		if (!knownKeys.has(key)) continue;
+		if (!parseEnvAssignmentValue(match[2] ?? "")) continue;
+		addFinding(params.collector, {
+			code: "PLAINTEXT_FOUND",
+			severity: "warn",
+			file: params.envPath,
+			jsonPath: `$env.${key}`,
+			message: `Potential secret found in .env (${key}).`
+		});
+	}
+}
+function collectConfigSecrets(params) {
+	const defaults = params.config.secrets?.defaults;
+	for (const target of discoverConfigSecretTargets(params.config)) {
+		if (!target.entry.includeInAudit) continue;
+		const { ref } = resolveSecretInputRef({
+			value: target.value,
+			refValue: target.refValue,
+			defaults
+		});
+		if (ref) {
+			params.collector.refAssignments.push({
+				file: params.configPath,
+				path: target.path,
+				ref,
+				expected: target.entry.expectedResolvedValue,
+				provider: target.providerId
+			});
+			if (target.entry.trackProviderShadowing && target.providerId) collectProviderRefPath(params.collector, target.providerId, target.path);
+			continue;
+		}
+		const hasPlaintext = hasConfiguredPlaintextSecretValue(target.value, target.entry.expectedResolvedValue);
+		if (target.entry.id === "models.providers.*.headers.*" && !isLikelySensitiveModelProviderHeaderName(target.pathSegments.at(-1) ?? "")) continue;
+		if (!hasPlaintext) continue;
+		addFinding(params.collector, {
+			code: "PLAINTEXT_FOUND",
+			severity: "warn",
+			file: params.configPath,
+			jsonPath: target.path,
+			message: `${target.path} is stored as plaintext.`,
+			provider: target.providerId
+		});
+	}
+}
+function collectAuthStoreSecrets(params) {
+	if (!fs.existsSync(params.authStorePath)) return;
+	params.collector.filesScanned.add(params.authStorePath);
+	const parsedResult = readJsonObjectIfExists(params.authStorePath);
+	if (parsedResult.error) {
+		addFinding(params.collector, {
+			code: "REF_UNRESOLVED",
+			severity: "error",
+			file: params.authStorePath,
+			jsonPath: "<root>",
+			message: `Invalid JSON in auth-profiles store: ${parsedResult.error}`
+		});
+		return;
+	}
+	const parsed = parsedResult.value;
+	if (!parsed || !isRecord(parsed.profiles)) return;
+	for (const entry of iterateAuthProfileCredentials(parsed.profiles)) {
+		if (entry.kind === "api_key" || entry.kind === "token") {
+			const { ref } = resolveSecretInputRef({
+				value: entry.value,
+				refValue: entry.refValue,
+				defaults: params.defaults
+			});
+			if (ref) {
+				params.collector.refAssignments.push({
+					file: params.authStorePath,
+					path: `profiles.${entry.profileId}.${entry.valueField}`,
+					ref,
+					expected: "string",
+					provider: entry.provider
+				});
+				trackAuthProviderState(params.collector, entry.provider, entry.kind);
+			}
+			if (isNonEmptyString(entry.value)) {
+				addFinding(params.collector, {
+					code: "PLAINTEXT_FOUND",
+					severity: "warn",
+					file: params.authStorePath,
+					jsonPath: `profiles.${entry.profileId}.${entry.valueField}`,
+					message: entry.kind === "api_key" ? "Auth profile API key is stored as plaintext." : "Auth profile token is stored as plaintext.",
+					provider: entry.provider,
+					profileId: entry.profileId
+				});
+				trackAuthProviderState(params.collector, entry.provider, entry.kind);
+			}
+			continue;
+		}
+		if (entry.hasAccess || entry.hasRefresh) {
+			addFinding(params.collector, {
+				code: "LEGACY_RESIDUE",
+				severity: "info",
+				file: params.authStorePath,
+				jsonPath: `profiles.${entry.profileId}`,
+				message: "OAuth credentials are present (out of scope for static SecretRef migration).",
+				provider: entry.provider,
+				profileId: entry.profileId
+			});
+			trackAuthProviderState(params.collector, entry.provider, "oauth");
+		}
+	}
+}
+function collectAuthJsonResidue(params) {
+	for (const authJsonPath of listLegacyAuthJsonPaths(params.stateDir)) {
+		params.collector.filesScanned.add(authJsonPath);
+		const parsedResult = readJsonObjectIfExists(authJsonPath);
+		if (parsedResult.error) {
+			addFinding(params.collector, {
+				code: "REF_UNRESOLVED",
+				severity: "error",
+				file: authJsonPath,
+				jsonPath: "<root>",
+				message: `Invalid JSON in legacy auth.json: ${parsedResult.error}`
+			});
+			continue;
+		}
+		const parsed = parsedResult.value;
+		if (!parsed) continue;
+		for (const [providerId, value] of Object.entries(parsed)) {
+			if (!isRecord(value)) continue;
+			if (value.type === "api_key" && isNonEmptyString(value.key)) addFinding(params.collector, {
+				code: "LEGACY_RESIDUE",
+				severity: "warn",
+				file: authJsonPath,
+				jsonPath: providerId,
+				message: "Legacy auth.json contains static api_key credentials.",
+				provider: providerId
+			});
+		}
+	}
+}
+function collectModelsJsonSecrets(params) {
+	if (!fs.existsSync(params.modelsJsonPath)) return;
+	params.collector.filesScanned.add(params.modelsJsonPath);
+	const parsedResult = readJsonObjectIfExists(params.modelsJsonPath, {
+		requireRegularFile: true,
+		maxBytes: MAX_AUDIT_MODELS_JSON_BYTES
+	});
+	if (parsedResult.error) {
+		addFinding(params.collector, {
+			code: "REF_UNRESOLVED",
+			severity: "error",
+			file: params.modelsJsonPath,
+			jsonPath: "<root>",
+			message: `Invalid JSON in models.json: ${parsedResult.error}`
+		});
+		return;
+	}
+	const parsed = parsedResult.value;
+	if (!parsed || !isRecord(parsed.providers)) return;
+	for (const [providerId, providerValue] of Object.entries(parsed.providers)) {
+		if (!isRecord(providerValue)) continue;
+		const apiKey = providerValue.apiKey;
+		if (coerceSecretRef(apiKey)) addFinding(params.collector, {
+			code: "REF_UNRESOLVED",
+			severity: "error",
+			file: params.modelsJsonPath,
+			jsonPath: `providers.${providerId}.apiKey`,
+			message: "models.json contains an unresolved SecretRef object; regenerate models.json.",
+			provider: providerId
+		});
+		else if (isNonEmptyString(apiKey) && !isNonSecretApiKeyMarker(apiKey)) addFinding(params.collector, {
+			code: "PLAINTEXT_FOUND",
+			severity: "warn",
+			file: params.modelsJsonPath,
+			jsonPath: `providers.${providerId}.apiKey`,
+			message: "models.json provider apiKey is stored as plaintext.",
+			provider: providerId
+		});
+		const headers = isRecord(providerValue.headers) ? providerValue.headers : void 0;
+		if (!headers) continue;
+		for (const [headerKey, headerValue] of Object.entries(headers)) {
+			const headerPath = `providers.${providerId}.headers.${headerKey}`;
+			if (coerceSecretRef(headerValue)) {
+				addFinding(params.collector, {
+					code: "REF_UNRESOLVED",
+					severity: "error",
+					file: params.modelsJsonPath,
+					jsonPath: headerPath,
+					message: "models.json contains an unresolved SecretRef object for provider headers; regenerate models.json.",
+					provider: providerId
+				});
+				continue;
+			}
+			if (!isNonEmptyString(headerValue)) continue;
+			if (isSecretRefHeaderValueMarker(headerValue)) continue;
+			if (!isLikelySensitiveModelProviderHeaderName(headerKey)) continue;
+			addFinding(params.collector, {
+				code: "PLAINTEXT_FOUND",
+				severity: "warn",
+				file: params.modelsJsonPath,
+				jsonPath: headerPath,
+				message: "models.json provider header value is stored as plaintext.",
+				provider: providerId
+			});
+		}
+	}
+}
+async function collectUnresolvedRefFindings(params) {
+	const cache = {};
+	const refsByProvider = /* @__PURE__ */ new Map();
+	const skippedRefKeys = /* @__PURE__ */ new Set();
+	let refsChecked = 0;
+	let skippedExecRefs = 0;
+	for (const assignment of params.collector.refAssignments) {
+		const providerKey = `${assignment.ref.source}:${assignment.ref.provider}`;
+		let refsForProvider = refsByProvider.get(providerKey);
+		if (!refsForProvider) {
+			refsForProvider = /* @__PURE__ */ new Map();
+			refsByProvider.set(providerKey, refsForProvider);
+		}
+		refsForProvider.set(secretRefKey(assignment.ref), assignment.ref);
+	}
+	const resolvedByRefKey = /* @__PURE__ */ new Map();
+	const errorsByRefKey = /* @__PURE__ */ new Map();
+	for (const refsForProvider of refsByProvider.values()) {
+		const refs = [...refsForProvider.values()];
+		const selectedRefs = selectRefsForExecPolicy({
+			refs,
+			allowExec: params.allowExec
+		});
+		if (selectedRefs.skippedExecRefs.length > 0) {
+			skippedExecRefs += selectedRefs.skippedExecRefs.length;
+			for (const ref of selectedRefs.skippedExecRefs) {
+				skippedRefKeys.add(secretRefKey(ref));
+				const staticError = getSkippedExecRefStaticError({
+					ref,
+					config: params.config
+				});
+				if (staticError) errorsByRefKey.set(secretRefKey(ref), new Error(staticError));
+			}
+		}
+		if (selectedRefs.refsToResolve.length === 0) continue;
+		refsChecked += selectedRefs.refsToResolve.length;
+		const provider = refs[0]?.provider;
+		try {
+			const resolved = await resolveSecretRefValues(selectedRefs.refsToResolve, {
+				config: params.config,
+				env: params.env,
+				cache
+			});
+			for (const [key, value] of resolved.entries()) resolvedByRefKey.set(key, value);
+			continue;
+		} catch (err) {
+			if (provider && isProviderScopedSecretResolutionError(err)) {
+				for (const ref of selectedRefs.refsToResolve) errorsByRefKey.set(secretRefKey(ref), err);
+				continue;
+			}
+		}
+		const fallback = await runTasksWithConcurrency({
+			tasks: selectedRefs.refsToResolve.map((ref) => async () => ({
+				key: secretRefKey(ref),
+				resolved: await resolveSecretRefValue(ref, {
+					config: params.config,
+					env: params.env,
+					cache
+				})
+			})),
+			limit: Math.min(REF_RESOLVE_FALLBACK_CONCURRENCY, selectedRefs.refsToResolve.length),
+			errorMode: "continue",
+			onTaskError: (error, index) => {
+				const ref = selectedRefs.refsToResolve[index];
+				if (!ref) return;
+				errorsByRefKey.set(secretRefKey(ref), error);
+			}
+		});
+		for (const result of fallback.results) {
+			if (!result) continue;
+			resolvedByRefKey.set(result.key, result.resolved);
+		}
+	}
+	for (const assignment of params.collector.refAssignments) {
+		const key = secretRefKey(assignment.ref);
+		if (skippedRefKeys.has(key) && !errorsByRefKey.has(key)) continue;
+		const resolveErr = errorsByRefKey.get(key);
+		if (resolveErr) {
+			addFinding(params.collector, {
+				code: "REF_UNRESOLVED",
+				severity: "error",
+				file: assignment.file,
+				jsonPath: assignment.path,
+				message: `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (${formatErrorMessage(resolveErr)}).`,
+				provider: assignment.provider
+			});
+			continue;
+		}
+		if (!resolvedByRefKey.has(key)) {
+			addFinding(params.collector, {
+				code: "REF_UNRESOLVED",
+				severity: "error",
+				file: assignment.file,
+				jsonPath: assignment.path,
+				message: `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (resolved value is missing).`,
+				provider: assignment.provider
+			});
+			continue;
+		}
+		if (!isExpectedResolvedSecretValue(resolvedByRefKey.get(key), assignment.expected)) addFinding(params.collector, {
+			code: "REF_UNRESOLVED",
+			severity: "error",
+			file: assignment.file,
+			jsonPath: assignment.path,
+			message: assignment.expected === "string" ? `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (resolved value is not a non-empty string).` : `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (resolved value is not a string/object).`,
+			provider: assignment.provider
+		});
+	}
+	return {
+		refsChecked,
+		skippedExecRefs
+	};
+}
+function collectShadowingFindings(collector) {
+	for (const [provider, paths] of collector.configProviderRefPaths.entries()) {
+		const authState = collector.authProviderState.get(provider);
+		if (!authState?.hasUsableStaticOrOAuth) continue;
+		const modeText = [...authState.modes].join("/");
+		for (const configPath of paths) addFinding(collector, {
+			code: "REF_SHADOWED",
+			severity: "warn",
+			file: "genesis.json",
+			jsonPath: configPath,
+			message: `Auth profile credentials (${modeText}) take precedence for provider "${provider}", so this config ref may never be used.`,
+			provider
+		});
+	}
+}
+function summarizeFindings(findings) {
+	return {
+		plaintextCount: findings.filter((entry) => entry.code === "PLAINTEXT_FOUND").length,
+		unresolvedRefCount: findings.filter((entry) => entry.code === "REF_UNRESOLVED").length,
+		shadowedRefCount: findings.filter((entry) => entry.code === "REF_SHADOWED").length,
+		legacyResidueCount: findings.filter((entry) => entry.code === "LEGACY_RESIDUE").length
+	};
+}
+async function runSecretsAudit(params = {}) {
+	const env = params.env ?? process.env;
+	const allowExec = Boolean(params.allowExec);
+	const snapshot = await createSecretsConfigIO({ env }).readConfigFileSnapshot();
+	const configPath = resolveUserPath(snapshot.path);
+	const defaults = snapshot.valid ? snapshot.config.secrets?.defaults : void 0;
+	const collector = {
+		findings: [],
+		refAssignments: [],
+		configProviderRefPaths: /* @__PURE__ */ new Map(),
+		authProviderState: /* @__PURE__ */ new Map(),
+		filesScanned: new Set([configPath])
+	};
+	const stateDir = resolveStateDir(env, os.homedir);
+	const envPath = path.join(resolveConfigDir(env, os.homedir), ".env");
+	const config = snapshot.valid ? snapshot.config : {};
+	let resolution = {
+		refsChecked: 0,
+		skippedExecRefs: 0,
+		resolvabilityComplete: true
+	};
+	if (snapshot.valid) {
+		collectConfigSecrets({
+			config,
+			configPath,
+			collector
+		});
+		for (const authStorePath of listAuthProfileStorePaths(config, stateDir)) collectAuthStoreSecrets({
+			authStorePath,
+			collector,
+			defaults
+		});
+		for (const modelsJsonPath of listAgentModelsJsonPaths(config, stateDir, env)) collectModelsJsonSecrets({
+			modelsJsonPath,
+			collector
+		});
+		const unresolvedRefResult = await collectUnresolvedRefFindings({
+			collector,
+			config,
+			env,
+			allowExec
+		});
+		resolution = {
+			refsChecked: unresolvedRefResult.refsChecked,
+			skippedExecRefs: unresolvedRefResult.skippedExecRefs,
+			resolvabilityComplete: unresolvedRefResult.skippedExecRefs === 0
+		};
+		collectShadowingFindings(collector);
+	} else addFinding(collector, {
+		code: "REF_UNRESOLVED",
+		severity: "error",
+		file: configPath,
+		jsonPath: "<root>",
+		message: "Config is invalid; cannot validate secret references reliably."
+	});
+	collectEnvPlaintext({
+		envPath,
+		collector
+	});
+	collectAuthJsonResidue({
+		stateDir,
+		collector
+	});
+	const summary = summarizeFindings(collector.findings);
+	return {
+		version: 1,
+		status: summary.unresolvedRefCount > 0 ? "unresolved" : collector.findings.length > 0 ? "findings" : "clean",
+		resolution,
+		filesScanned: [...collector.filesScanned].toSorted(),
+		summary,
+		findings: collector.findings
+	};
+}
+function resolveSecretsAuditExitCode(report, check) {
+	if (report.summary.unresolvedRefCount > 0) return 2;
+	if (check && report.findings.length > 0) return 1;
+	return 0;
+}
+//#endregion
+//#region src/secrets/configure-plan.ts
+function getSecretProviders$1(config) {
+	if (!isRecord(config.secrets?.providers)) return {};
+	return config.secrets.providers;
+}
+function configureCandidateSortKey(candidate) {
+	if (candidate.configFile === "auth-profiles.json") return `auth-profiles:${candidate.agentId ?? ""}:${candidate.path}`;
+	return `genesis:${candidate.path}`;
+}
+function resolveAuthProfileProvider(store, pathSegments) {
+	const profileId = pathSegments[1];
+	if (!profileId) return;
+	const profile = store.profiles?.[profileId];
+	if (!isRecord(profile) || typeof profile.provider !== "string") return;
+	const provider = profile.provider.trim();
+	return provider.length > 0 ? provider : void 0;
+}
+function buildConfigureCandidatesForScope(params) {
+	const authoredConfig = params.authoredGenesisConfig ?? params.config;
+	const hasPathInAuthoredConfig = (pathSegments) => hasPath(authoredConfig, pathSegments);
+	const genesisCandidates = discoverConfigSecretTargets(params.config).filter((entry) => entry.entry.includeInConfigure).map((entry) => {
+		const resolved = resolveSecretInputRef({
+			value: entry.value,
+			refValue: entry.refValue,
+			defaults: params.config.secrets?.defaults
+		});
+		const pathExists = hasPathInAuthoredConfig(entry.pathSegments);
+		const refPathExists = entry.refPathSegments ? hasPathInAuthoredConfig(entry.refPathSegments) : false;
+		return Object.assign({
+			type: entry.entry.targetType,
+			path: entry.path,
+			pathSegments: [...entry.pathSegments],
+			label: entry.path,
+			configFile: `genesis.json`,
+			expectedResolvedValue: entry.entry.expectedResolvedValue
+		}, resolved.ref ? { existingRef: resolved.ref } : {}, pathExists || refPathExists ? {} : { isDerived: true }, entry.providerId ? { providerId: entry.providerId } : {}, entry.accountId ? { accountId: entry.accountId } : {});
+	});
+	const authCandidates = params.authProfiles === void 0 ? [] : discoverAuthProfileSecretTargets(params.authProfiles.store).filter((entry) => entry.entry.includeInConfigure).map((entry) => {
+		const authProfiles = params.authProfiles;
+		if (!authProfiles) throw new Error("Missing auth profile scope for configure candidate discovery.");
+		const authProfileProvider = resolveAuthProfileProvider(authProfiles.store, entry.pathSegments);
+		const resolved = resolveSecretInputRef({
+			value: entry.value,
+			refValue: entry.refValue,
+			defaults: params.config.secrets?.defaults
+		});
+		return Object.assign({
+			type: entry.entry.targetType,
+			path: entry.path,
+			pathSegments: [...entry.pathSegments],
+			label: `${entry.path} (auth profile, agent ${authProfiles.agentId})`,
+			configFile: `auth-profiles.json`,
+			expectedResolvedValue: entry.entry.expectedResolvedValue
+		}, resolved.ref ? { existingRef: resolved.ref } : {}, { agentId: authProfiles.agentId }, authProfileProvider ? { authProfileProvider } : {});
+	});
+	return [...genesisCandidates, ...authCandidates].toSorted((a, b) => configureCandidateSortKey(a).localeCompare(configureCandidateSortKey(b)));
+}
+function hasPath(root, segments) {
+	if (segments.length === 0) return false;
+	let cursor = root;
+	for (let index = 0; index < segments.length; index += 1) {
+		const segment = segments[index] ?? "";
+		if (Array.isArray(cursor)) {
+			if (!/^\d+$/.test(segment)) return false;
+			const parsedIndex = Number.parseInt(segment, 10);
+			if (!Number.isFinite(parsedIndex) || parsedIndex < 0 || parsedIndex >= cursor.length) return false;
+			if (index === segments.length - 1) return true;
+			cursor = cursor[parsedIndex];
+			continue;
+		}
+		if (!isRecord(cursor)) return false;
+		if (!Object.prototype.hasOwnProperty.call(cursor, segment)) return false;
+		if (index === segments.length - 1) return true;
+		cursor = cursor[segment];
+	}
+	return false;
+}
+function collectConfigureProviderChanges(params) {
+	const originalProviders = getSecretProviders$1(params.original);
+	const nextProviders = getSecretProviders$1(params.next);
+	const upserts = {};
+	const deletes = [];
+	for (const [providerAlias, nextProviderConfig] of Object.entries(nextProviders)) {
+		const current = originalProviders[providerAlias];
+		if (isDeepStrictEqual(current, nextProviderConfig)) continue;
+		upserts[providerAlias] = structuredClone(nextProviderConfig);
+	}
+	for (const providerAlias of Object.keys(originalProviders)) if (!Object.prototype.hasOwnProperty.call(nextProviders, providerAlias)) deletes.push(providerAlias);
+	return {
+		upserts,
+		deletes: deletes.toSorted()
+	};
+}
+function hasConfigurePlanChanges(params) {
+	return params.selectedTargets.size > 0 || Object.keys(params.providerChanges.upserts).length > 0 || params.providerChanges.deletes.length > 0;
+}
+function buildSecretsConfigurePlan(params) {
+	return {
+		version: 1,
+		protocolVersion: 1,
+		generatedAt: params.generatedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+		generatedBy: "genesis secrets configure",
+		targets: [...params.selectedTargets.values()].map((entry) => Object.assign({
+			type: entry.type,
+			path: entry.path,
+			pathSegments: [...entry.pathSegments],
+			ref: entry.ref
+		}, entry.agentId ? { agentId: entry.agentId } : {}, entry.providerId ? { providerId: entry.providerId } : {}, entry.accountId ? { accountId: entry.accountId } : {}, entry.authProfileProvider ? { authProfileProvider: entry.authProfileProvider } : {})),
+		...Object.keys(params.providerChanges.upserts).length > 0 ? { providerUpserts: params.providerChanges.upserts } : {},
+		...params.providerChanges.deletes.length > 0 ? { providerDeletes: params.providerChanges.deletes } : {},
+		options: {
+			scrubEnv: true,
+			scrubAuthProfilesForProviderTargets: true,
+			scrubLegacyAuthJson: true
+		}
+	};
+}
+//#endregion
+//#region src/secrets/configure.ts
+const ENV_NAME_PATTERN = /^[A-Z][A-Z0-9_]{0,127}$/;
+const WINDOWS_ABS_PATH_PATTERN = /^[A-Za-z]:[\\/]/;
+const WINDOWS_UNC_PATH_PATTERN = /^\\\\[^\\]+\\[^\\]+/;
+function isAbsolutePathValue(value) {
+	return path.isAbsolute(value) || WINDOWS_ABS_PATH_PATTERN.test(value) || WINDOWS_UNC_PATH_PATTERN.test(value);
+}
+function parseCsv(value) {
+	return value.split(",").map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+}
+function parseOptionalPositiveInt(value, max) {
+	const trimmed = value.trim();
+	if (!trimmed) return;
+	if (!/^\d+$/.test(trimmed)) return;
+	const parsed = Number.parseInt(trimmed, 10);
+	if (!Number.isFinite(parsed) || parsed <= 0 || parsed > max) return;
+	return parsed;
+}
+function getSecretProviders(config) {
+	if (!isRecord(config.secrets?.providers)) return {};
+	return config.secrets.providers;
+}
+function setSecretProvider(config, providerAlias, providerConfig) {
+	config.secrets ??= {};
+	if (!isRecord(config.secrets.providers)) config.secrets.providers = {};
+	config.secrets.providers[providerAlias] = providerConfig;
+}
+function removeSecretProvider(config, providerAlias) {
+	if (!isRecord(config.secrets?.providers)) return false;
+	const providers = config.secrets.providers;
+	if (!Object.prototype.hasOwnProperty.call(providers, providerAlias)) return false;
+	delete providers[providerAlias];
+	if (Object.keys(providers).length === 0) delete config.secrets?.providers;
+	if (isRecord(config.secrets?.defaults)) {
+		const defaults = config.secrets.defaults;
+		if (defaults?.env === providerAlias) delete defaults.env;
+		if (defaults?.file === providerAlias) delete defaults.file;
+		if (defaults?.exec === providerAlias) delete defaults.exec;
+		if (defaults && defaults.env === void 0 && defaults.file === void 0 && defaults.exec === void 0) delete config.secrets?.defaults;
+	}
+	return true;
+}
+function providerHint(provider) {
+	if (provider.source === "env") return provider.allowlist?.length ? `env (${provider.allowlist.length} allowlisted)` : "env";
+	if (provider.source === "file") return `file (${provider.mode ?? "json"})`;
+	return `exec (${provider.jsonOnly === false ? "json+text" : "json"})`;
+}
+function toSourceChoices(config) {
+	const hasSource = (source) => Object.values(config.secrets?.providers ?? {}).some((provider) => provider?.source === source);
+	const choices = [{
+		value: "env",
+		label: "env"
+	}];
+	if (hasSource("file")) choices.push({
+		value: "file",
+		label: "file"
+	});
+	if (hasSource("exec")) choices.push({
+		value: "exec",
+		label: "exec"
+	});
+	return choices;
+}
+function assertNoCancel(value, message) {
+	if (typeof value === "symbol") throw new Error(message);
+	return value;
+}
+const AUTH_PROFILE_ID_PATTERN = /^[A-Za-z0-9:_-]{1,128}$/;
+function validateEnvNameCsv(value) {
+	const entries = parseCsv(value);
+	for (const entry of entries) if (!ENV_NAME_PATTERN.test(entry)) return `Invalid env name: ${entry}`;
+}
+async function promptEnvNameCsv(params) {
+	return parseCsv(assertNoCancel(await text({
+		message: params.message,
+		initialValue: params.initialValue,
+		validate: (value) => validateEnvNameCsv(value ?? "")
+	}), "Secrets configure cancelled.") ?? "");
+}
+async function promptOptionalPositiveInt(params) {
+	return parseOptionalPositiveInt(normalizeStringifiedOptionalString(assertNoCancel(await text({
+		message: params.message,
+		initialValue: params.initialValue === void 0 ? "" : String(params.initialValue),
+		validate: (value) => {
+			const trimmed = normalizeStringifiedOptionalString(value) ?? "";
+			if (!trimmed) return;
+			if (parseOptionalPositiveInt(trimmed, params.max) === void 0) return `Must be an integer between 1 and ${params.max}`;
+		}
+	}), "Secrets configure cancelled.")) ?? "", params.max);
+}
+function configureCandidateKey(candidate) {
+	if (candidate.configFile === "auth-profiles.json") return `auth-profiles:${normalizeOptionalString(candidate.agentId) ?? ""}:${candidate.path}`;
+	return `genesis:${candidate.path}`;
+}
+function hasSourceChoice(sourceChoices, source) {
+	return sourceChoices.some((entry) => entry.value === source);
+}
+function resolveCandidateProviderHint(candidate) {
+	return normalizeOptionalLowercaseString(candidate.authProfileProvider) ?? normalizeOptionalLowercaseString(candidate.providerId);
+}
+function resolveSuggestedEnvSecretId(candidate) {
+	const hintedProvider = resolveCandidateProviderHint(candidate);
+	if (!hintedProvider) return;
+	const envCandidates = getProviderEnvVars(hintedProvider);
+	if (!Array.isArray(envCandidates) || envCandidates.length === 0) return;
+	return envCandidates[0];
+}
+function resolveConfigureAgentId(config, explicitAgentId) {
+	const knownAgentIds = new Set(listAgentIds(config));
+	if (!explicitAgentId) return resolveDefaultAgentId(config);
+	const normalized = normalizeAgentId(explicitAgentId);
+	if (knownAgentIds.has(normalized)) return normalized;
+	const known = [...knownAgentIds].toSorted().join(", ");
+	throw new Error(`Unknown agent id "${explicitAgentId}". Known agents: ${known || "none configured"}.`);
+}
+function loadAuthProfileStoreForConfigure(params) {
+	return loadPersistedAuthProfileStore(resolveAgentDir(params.config, params.agentId)) ?? {
+		version: 1,
+		profiles: {}
+	};
+}
+async function promptNewAuthProfileCandidate(agentId) {
+	const profileId = assertNoCancel(await text({
+		message: "Auth profile id",
+		validate: (value) => {
+			const trimmed = normalizeStringifiedOptionalString(value) ?? "";
+			if (!trimmed) return "Required";
+			if (!AUTH_PROFILE_ID_PATTERN.test(trimmed)) return "Use letters/numbers/\":\"/\"_\"/\"-\" only.";
+		}
+	}), "Secrets configure cancelled.");
+	const credentialType = assertNoCancel(await select({
+		message: "Auth profile credential type",
+		options: [{
+			value: "api_key",
+			label: "api_key (key/keyRef)"
+		}, {
+			value: "token",
+			label: "token (token/tokenRef)"
+		}]
+	}), "Secrets configure cancelled.");
+	const provider = assertNoCancel(await text({
+		message: "Provider id",
+		validate: (value) => normalizeStringifiedOptionalString(value) ? void 0 : "Required"
+	}), "Secrets configure cancelled.");
+	const profileIdTrimmed = normalizeStringifiedOptionalString(profileId) ?? "";
+	const providerTrimmed = normalizeStringifiedOptionalString(provider) ?? "";
+	if (credentialType === "token") return {
+		type: "auth-profiles.token.token",
+		path: `profiles.${profileIdTrimmed}.token`,
+		pathSegments: [
+			"profiles",
+			profileIdTrimmed,
+			"token"
+		],
+		label: `profiles.${profileIdTrimmed}.token (auth profile, agent ${agentId})`,
+		configFile: "auth-profiles.json",
+		agentId,
+		authProfileProvider: providerTrimmed,
+		expectedResolvedValue: "string"
+	};
+	return {
+		type: "auth-profiles.api_key.key",
+		path: `profiles.${profileIdTrimmed}.key`,
+		pathSegments: [
+			"profiles",
+			profileIdTrimmed,
+			"key"
+		],
+		label: `profiles.${profileIdTrimmed}.key (auth profile, agent ${agentId})`,
+		configFile: "auth-profiles.json",
+		agentId,
+		authProfileProvider: providerTrimmed,
+		expectedResolvedValue: "string"
+	};
+}
+async function promptProviderAlias(params) {
+	return normalizeStringifiedOptionalString(assertNoCancel(await text({
+		message: "Provider alias",
+		initialValue: "default",
+		validate: (value) => {
+			const trimmed = normalizeStringifiedOptionalString(value) ?? "";
+			if (!trimmed) return "Required";
+			if (!isValidSecretProviderAlias(trimmed)) return "Must match /^[a-z][a-z0-9_-]{0,63}$/";
+			if (params.existingAliases.has(trimmed)) return "Alias already exists";
+		}
+	}), "Secrets configure cancelled.")) ?? "";
+}
+async function promptProviderSource(initial) {
+	return assertNoCancel(await select({
+		message: "Provider source",
+		options: [
+			{
+				value: "env",
+				label: "env"
+			},
+			{
+				value: "file",
+				label: "file"
+			},
+			{
+				value: "exec",
+				label: "exec"
+			}
+		],
+		initialValue: initial
+	}), "Secrets configure cancelled.");
+}
+async function promptEnvProvider(base) {
+	const allowlist = await promptEnvNameCsv({
+		message: "Env allowlist (comma-separated, blank for unrestricted)",
+		initialValue: base?.allowlist?.join(",") ?? ""
+	});
+	return {
+		source: "env",
+		...allowlist.length > 0 ? { allowlist } : {}
+	};
+}
+async function promptFileProvider(base) {
+	const filePath = assertNoCancel(await text({
+		message: "File path (absolute)",
+		initialValue: base?.path ?? "",
+		validate: (value) => {
+			const trimmed = normalizeStringifiedOptionalString(value) ?? "";
+			if (!trimmed) return "Required";
+			if (!isAbsolutePathValue(trimmed)) return "Must be an absolute path";
+		}
+	}), "Secrets configure cancelled.");
+	const mode = assertNoCancel(await select({
+		message: "File mode",
+		options: [{
+			value: "json",
+			label: "json"
+		}, {
+			value: "singleValue",
+			label: "singleValue"
+		}],
+		initialValue: base?.mode ?? "json"
+	}), "Secrets configure cancelled.");
+	const timeoutMs = await promptOptionalPositiveInt({
+		message: "Timeout ms (blank for default)",
+		initialValue: base?.timeoutMs,
+		max: 12e4
+	});
+	const maxBytes = await promptOptionalPositiveInt({
+		message: "Max bytes (blank for default)",
+		initialValue: base?.maxBytes,
+		max: 20 * 1024 * 1024
+	});
+	const allowInsecurePath = assertNoCancel(await confirm({
+		message: "Allow insecure file path checks?",
+		initialValue: base?.allowInsecurePath ?? false
+	}), "Secrets configure cancelled.");
+	return {
+		source: "file",
+		path: normalizeStringifiedOptionalString(filePath) ?? "",
+		mode,
+		...timeoutMs ? { timeoutMs } : {},
+		...maxBytes ? { maxBytes } : {},
+		...allowInsecurePath ? { allowInsecurePath: true } : {}
+	};
+}
+async function parseArgsInput(rawValue) {
+	const trimmed = rawValue.trim();
+	if (!trimmed) return;
+	const parsed = JSON.parse(trimmed);
+	if (!Array.isArray(parsed) || !parsed.every((entry) => typeof entry === "string")) throw new Error("args must be a JSON array of strings");
+	return parsed;
+}
+async function promptExecProvider(base) {
+	const command = assertNoCancel(await text({
+		message: "Command path (absolute)",
+		initialValue: base?.command ?? "",
+		validate: (value) => {
+			const trimmed = normalizeStringifiedOptionalString(value) ?? "";
+			if (!trimmed) return "Required";
+			if (!isAbsolutePathValue(trimmed)) return "Must be an absolute path";
+			if (!isSafeExecutableValue(trimmed)) return "Command value is not allowed";
+		}
+	}), "Secrets configure cancelled.");
+	const argsRaw = assertNoCancel(await text({
+		message: "Args JSON array (blank for none)",
+		initialValue: JSON.stringify(base?.args ?? []),
+		validate: (value) => {
+			const trimmed = normalizeStringifiedOptionalString(value) ?? "";
+			if (!trimmed) return;
+			try {
+				const parsed = JSON.parse(trimmed);
+				if (!Array.isArray(parsed) || !parsed.every((entry) => typeof entry === "string")) return "Must be a JSON array of strings";
+				return;
+			} catch {
+				return "Must be valid JSON";
+			}
+		}
+	}), "Secrets configure cancelled.");
+	const timeoutMs = await promptOptionalPositiveInt({
+		message: "Timeout ms (blank for default)",
+		initialValue: base?.timeoutMs,
+		max: 12e4
+	});
+	const noOutputTimeoutMs = await promptOptionalPositiveInt({
+		message: "No-output timeout ms (blank for default)",
+		initialValue: base?.noOutputTimeoutMs,
+		max: 12e4
+	});
+	const maxOutputBytes = await promptOptionalPositiveInt({
+		message: "Max output bytes (blank for default)",
+		initialValue: base?.maxOutputBytes,
+		max: 20 * 1024 * 1024
+	});
+	const jsonOnly = assertNoCancel(await confirm({
+		message: "Require JSON-only response?",
+		initialValue: base?.jsonOnly ?? true
+	}), "Secrets configure cancelled.");
+	const passEnv = await promptEnvNameCsv({
+		message: "Pass-through env vars (comma-separated, blank for none)",
+		initialValue: base?.passEnv?.join(",") ?? ""
+	});
+	const trustedDirsRaw = assertNoCancel(await text({
+		message: "Trusted dirs (comma-separated absolute paths, blank for none)",
+		initialValue: base?.trustedDirs?.join(",") ?? "",
+		validate: (value) => {
+			const entries = parseCsv(value ?? "");
+			for (const entry of entries) if (!isAbsolutePathValue(entry)) return `Trusted dir must be absolute: ${entry}`;
+		}
+	}), "Secrets configure cancelled.");
+	const allowInsecurePath = assertNoCancel(await confirm({
+		message: "Allow insecure command path checks?",
+		initialValue: base?.allowInsecurePath ?? false
+	}), "Secrets configure cancelled.");
+	const allowSymlinkCommand = assertNoCancel(await confirm({
+		message: "Allow symlink command path?",
+		initialValue: base?.allowSymlinkCommand ?? false
+	}), "Secrets configure cancelled.");
+	const args = await parseArgsInput(normalizeStringifiedOptionalString(argsRaw) ?? "");
+	const trustedDirs = parseCsv(trustedDirsRaw ?? "");
+	return {
+		source: "exec",
+		command: normalizeStringifiedOptionalString(command) ?? "",
+		...args && args.length > 0 ? { args } : {},
+		...timeoutMs ? { timeoutMs } : {},
+		...noOutputTimeoutMs ? { noOutputTimeoutMs } : {},
+		...maxOutputBytes ? { maxOutputBytes } : {},
+		...jsonOnly ? { jsonOnly } : { jsonOnly: false },
+		...passEnv.length > 0 ? { passEnv } : {},
+		...trustedDirs.length > 0 ? { trustedDirs } : {},
+		...allowInsecurePath ? { allowInsecurePath: true } : {},
+		...allowSymlinkCommand ? { allowSymlinkCommand: true } : {},
+		...isRecord(base?.env) ? { env: base.env } : {}
+	};
+}
+async function promptProviderConfig(source, current) {
+	if (source === "env") return await promptEnvProvider(current?.source === "env" ? current : void 0);
+	if (source === "file") return await promptFileProvider(current?.source === "file" ? current : void 0);
+	return await promptExecProvider(current?.source === "exec" ? current : void 0);
+}
+async function configureProvidersInteractive(config) {
+	while (true) {
+		const providers = getSecretProviders(config);
+		const providerEntries = Object.entries(providers).toSorted(([left], [right]) => left.localeCompare(right));
+		const actionOptions = [{
+			value: "add",
+			label: "Add provider",
+			hint: "Define a new env/file/exec provider"
+		}];
+		if (providerEntries.length > 0) {
+			actionOptions.push({
+				value: "edit",
+				label: "Edit provider",
+				hint: "Update an existing provider"
+			});
+			actionOptions.push({
+				value: "remove",
+				label: "Remove provider",
+				hint: "Delete a provider alias"
+			});
+		}
+		actionOptions.push({
+			value: "continue",
+			label: "Continue",
+			hint: "Move to credential mapping"
+		});
+		const action = assertNoCancel(await select({
+			message: providerEntries.length > 0 ? "Configure secret providers" : "Configure secret providers (only env refs are available until file/exec providers are added)",
+			options: actionOptions
+		}), "Secrets configure cancelled.");
+		if (action === "continue") return;
+		if (action === "add") {
+			const source = await promptProviderSource();
+			setSecretProvider(config, await promptProviderAlias({ existingAliases: new Set(providerEntries.map(([providerAlias]) => providerAlias)) }), await promptProviderConfig(source));
+			continue;
+		}
+		if (action === "edit") {
+			const alias = assertNoCancel(await select({
+				message: "Select provider to edit",
+				options: providerEntries.map(([providerAlias, providerConfig]) => ({
+					value: providerAlias,
+					label: providerAlias,
+					hint: providerHint(providerConfig)
+				}))
+			}), "Secrets configure cancelled.");
+			const current = providers[alias];
+			if (!current) continue;
+			const nextProviderConfig = await promptProviderConfig(await promptProviderSource(current.source), current);
+			if (!isDeepStrictEqual(current, nextProviderConfig)) setSecretProvider(config, alias, nextProviderConfig);
+			continue;
+		}
+		if (action === "remove") {
+			const alias = assertNoCancel(await select({
+				message: "Select provider to remove",
+				options: providerEntries.map(([providerAlias, providerConfig]) => ({
+					value: providerAlias,
+					label: providerAlias,
+					hint: providerHint(providerConfig)
+				}))
+			}), "Secrets configure cancelled.");
+			if (assertNoCancel(await confirm({
+				message: `Remove provider "${alias}"?`,
+				initialValue: false
+			}), "Secrets configure cancelled.")) removeSecretProvider(config, alias);
+		}
+	}
+}
+async function runSecretsConfigureInteractive(params = {}) {
+	if (!process.stdin.isTTY) throw new Error("secrets configure requires an interactive TTY.");
+	if (params.providersOnly && params.skipProviderSetup) throw new Error("Cannot combine --providers-only with --skip-provider-setup.");
+	const env = params.env ?? process.env;
+	const allowExecInPreflight = Boolean(params.allowExecInPreflight);
+	const { snapshot } = await createSecretsConfigIO({ env }).readConfigFileSnapshotForWrite();
+	if (!snapshot.valid) throw new Error("Cannot run interactive secrets configure because config is invalid.");
+	const stagedConfig = structuredClone(snapshot.config);
+	if (!params.skipProviderSetup) await configureProvidersInteractive(stagedConfig);
+	const providerChanges = collectConfigureProviderChanges({
+		original: snapshot.config,
+		next: stagedConfig
+	});
+	const selectedByPath = /* @__PURE__ */ new Map();
+	if (!params.providersOnly) {
+		const configureAgentId = resolveConfigureAgentId(snapshot.config, params.agentId);
+		const authStore = loadAuthProfileStoreForConfigure({
+			config: snapshot.config,
+			agentId: configureAgentId
+		});
+		const candidates = buildConfigureCandidatesForScope({
+			config: stagedConfig,
+			authoredGenesisConfig: snapshot.resolved,
+			authProfiles: {
+				agentId: configureAgentId,
+				store: authStore
+			}
+		});
+		if (candidates.length === 0) throw new Error("No configurable secret-bearing fields found for this agent scope.");
+		const sourceChoices = toSourceChoices(stagedConfig);
+		const hasDerivedCandidates = candidates.some((candidate) => candidate.isDerived === true);
+		let showDerivedCandidates = false;
+		while (true) {
+			const visibleCandidates = showDerivedCandidates ? candidates : candidates.filter((candidate) => candidate.isDerived !== true);
+			const options = visibleCandidates.map((candidate) => ({
+				value: configureCandidateKey(candidate),
+				label: candidate.label,
+				hint: [candidate.configFile === "auth-profiles.json" ? "auth-profiles.json" : "genesis.json", candidate.isDerived === true ? "derived" : void 0].filter(Boolean).join(" | ")
+			}));
+			options.push({
+				value: "__create_auth_profile__",
+				label: "Create auth profile mapping",
+				hint: `Add a new auth-profiles target for agent ${configureAgentId}`
+			});
+			if (hasDerivedCandidates) options.push({
+				value: "__toggle_derived__",
+				label: showDerivedCandidates ? "Hide derived targets" : "Show derived targets",
+				hint: showDerivedCandidates ? "Show only fields authored directly in config" : "Include normalized/derived aliases"
+			});
+			if (selectedByPath.size > 0) options.unshift({
+				value: "__done__",
+				label: "Done",
+				hint: "Finish and run preflight"
+			});
+			const selectedPath = assertNoCancel(await select({
+				message: "Select credential field",
+				options
+			}), "Secrets configure cancelled.");
+			if (selectedPath === "__done__") break;
+			if (selectedPath === "__create_auth_profile__") {
+				const createdCandidate = await promptNewAuthProfileCandidate(configureAgentId);
+				const key = configureCandidateKey(createdCandidate);
+				const existingIndex = candidates.findIndex((entry) => configureCandidateKey(entry) === key);
+				if (existingIndex >= 0) candidates[existingIndex] = createdCandidate;
+				else candidates.push(createdCandidate);
+				continue;
+			}
+			if (selectedPath === "__toggle_derived__") {
+				showDerivedCandidates = !showDerivedCandidates;
+				continue;
+			}
+			const candidate = visibleCandidates.find((entry) => configureCandidateKey(entry) === selectedPath);
+			if (!candidate) throw new Error(`Unknown configure target: ${selectedPath}`);
+			const candidateKey = configureCandidateKey(candidate);
+			const existingRef = selectedByPath.get(candidateKey)?.ref ?? candidate.existingRef;
+			const source = assertNoCancel(await select({
+				message: "Secret source",
+				options: sourceChoices,
+				initialValue: existingRef && hasSourceChoice(sourceChoices, existingRef.source) ? existingRef.source : void 0
+			}), "Secrets configure cancelled.");
+			const defaultAlias = resolveDefaultSecretProviderAlias(stagedConfig, source, { preferFirstProviderForSource: true });
+			const providerAlias = normalizeStringifiedOptionalString(assertNoCancel(await text({
+				message: "Provider alias",
+				initialValue: existingRef?.source === source ? existingRef.provider : defaultAlias,
+				validate: (value) => {
+					const trimmed = normalizeStringifiedOptionalString(value) ?? "";
+					if (!trimmed) return "Required";
+					if (!isValidSecretProviderAlias(trimmed)) return "Must match /^[a-z][a-z0-9_-]{0,63}$/";
+				}
+			}), "Secrets configure cancelled.")) ?? "";
+			let suggestedId = existingRef?.source === source ? existingRef.id : void 0;
+			if (!suggestedId && source === "env") suggestedId = resolveSuggestedEnvSecretId(candidate);
+			if (!suggestedId && source === "file") {
+				const configuredProvider = stagedConfig.secrets?.providers?.[providerAlias];
+				if (configuredProvider?.source === "file" && configuredProvider.mode === "singleValue") suggestedId = "value";
+			}
+			const ref = {
+				source,
+				provider: providerAlias,
+				id: normalizeStringifiedOptionalString(assertNoCancel(await text({
+					message: "Secret id",
+					initialValue: suggestedId,
+					validate: (value) => {
+						const trimmed = normalizeStringifiedOptionalString(value) ?? "";
+						if (!trimmed) return "Required";
+						if (source === "exec" && !isValidExecSecretRefId(trimmed)) return formatExecSecretRefIdValidationMessage();
+					}
+				}), "Secrets configure cancelled.")) ?? ""
+			};
+			if (ref.source === "exec" && !allowExecInPreflight) {
+				const staticError = getSkippedExecRefStaticError({
+					ref,
+					config: stagedConfig
+				});
+				if (staticError) throw new Error(staticError);
+			} else assertExpectedResolvedSecretValue({
+				value: await resolveSecretRefValue(ref, {
+					config: stagedConfig,
+					env
+				}),
+				expected: candidate.expectedResolvedValue,
+				errorMessage: candidate.expectedResolvedValue === "string" ? `Ref ${ref.source}:${ref.provider}:${ref.id} did not resolve to a non-empty string.` : `Ref ${ref.source}:${ref.provider}:${ref.id} did not resolve to a supported value type.`
+			});
+			const next = {
+				...candidate,
+				ref
+			};
+			selectedByPath.set(candidateKey, next);
+			if (!assertNoCancel(await confirm({
+				message: "Configure another credential?",
+				initialValue: true
+			}), "Secrets configure cancelled.")) break;
+		}
+	}
+	if (!hasConfigurePlanChanges({
+		selectedTargets: selectedByPath,
+		providerChanges
+	})) throw new Error("No secrets changes were selected.");
+	const plan = buildSecretsConfigurePlan({
+		selectedTargets: selectedByPath,
+		providerChanges
+	});
+	return {
+		plan,
+		preflight: await runSecretsApply({
+			plan,
+			env,
+			write: false,
+			allowExec: allowExecInPreflight
+		})
+	};
+}
+//#endregion
+//#region src/cli/secrets-cli.ts
+function readPlanFile(pathname) {
+	const raw = fs.readFileSync(pathname, "utf8");
+	const parsed = JSON.parse(raw);
+	if (!isSecretsApplyPlan(parsed)) throw new Error(`Invalid secrets plan file: ${pathname}`);
+	return parsed;
+}
+function registerSecretsCli(program) {
+	const secrets = program.command("secrets").description("Secrets runtime controls").addHelpText("after", () => `\n${theme.muted("Docs:")} ${formatDocsLink("/gateway/security", "genesis.pixelzx.com/docs/gateway/security")}\n`);
+	addGatewayClientOptions(secrets.command("reload").description("Re-resolve secret references and atomically swap runtime snapshot").option("--json", "Output JSON", false)).action(async (opts) => {
+		try {
+			const result = await callGatewayFromCli("secrets.reload", opts, void 0, { expectFinal: false });
+			if (opts.json) {
+				defaultRuntime.writeJson(result);
+				return;
+			}
+			const warningCount = Number(result?.warningCount ?? 0);
+			if (Number.isFinite(warningCount) && warningCount > 0) {
+				defaultRuntime.log(`Secrets reloaded with ${warningCount} warning(s).`);
+				return;
+			}
+			defaultRuntime.log("Secrets reloaded.");
+		} catch (err) {
+			defaultRuntime.error(danger(String(err)));
+			defaultRuntime.exit(1);
+		}
+	});
+	secrets.command("audit").description("Audit plaintext secrets, unresolved refs, and precedence drift").option("--check", "Exit non-zero when findings are present", false).option("--allow-exec", "Allow exec SecretRef resolution during audit (may execute provider commands)", false).option("--json", "Output JSON", false).action(async (opts) => {
+		try {
+			const report = await runSecretsAudit({ allowExec: Boolean(opts.allowExec) });
+			if (opts.json) defaultRuntime.writeJson(report);
+			else {
+				defaultRuntime.log(`Secrets audit: ${report.status}. plaintext=${report.summary.plaintextCount}, unresolved=${report.summary.unresolvedRefCount}, shadowed=${report.summary.shadowedRefCount}, legacy=${report.summary.legacyResidueCount}.`);
+				if (report.findings.length > 0) {
+					for (const finding of report.findings.slice(0, 20)) defaultRuntime.log(`- [${finding.code}] ${finding.file}:${finding.jsonPath} ${finding.message}`);
+					if (report.findings.length > 20) defaultRuntime.log(`... ${report.findings.length - 20} more finding(s).`);
+				}
+				if (report.resolution.skippedExecRefs > 0) defaultRuntime.log(`Audit note: skipped ${report.resolution.skippedExecRefs} exec SecretRef resolvability check(s). Re-run with --allow-exec to execute exec providers during audit.`);
+			}
+			const exitCode = resolveSecretsAuditExitCode(report, Boolean(opts.check));
+			if (exitCode !== 0) defaultRuntime.exit(exitCode);
+		} catch (err) {
+			defaultRuntime.error(danger(String(err)));
+			defaultRuntime.exit(2);
+		}
+	});
+	secrets.command("configure").description("Interactive secrets helper (provider setup + SecretRef mapping + preflight)").option("--apply", "Apply changes immediately after preflight", false).option("--yes", "Skip apply confirmation prompt", false).option("--providers-only", "Configure secrets.providers only, skip credential mapping", false).option("--skip-provider-setup", "Skip provider setup and only map credential fields to existing providers", false).option("--agent <id>", "Agent id for auth-profiles targets (default: configured default agent)").option("--allow-exec", "Allow exec SecretRef preflight checks (may execute provider commands)", false).option("--plan-out <path>", "Write generated plan JSON to a file").option("--json", "Output JSON", false).action(async (opts) => {
+		try {
+			const configured = await runSecretsConfigureInteractive({
+				providersOnly: Boolean(opts.providersOnly),
+				skipProviderSetup: Boolean(opts.skipProviderSetup),
+				agentId: typeof opts.agent === "string" ? opts.agent : void 0,
+				allowExecInPreflight: Boolean(opts.allowExec)
+			});
+			if (opts.planOut) fs.writeFileSync(opts.planOut, `${JSON.stringify(configured.plan, null, 2)}\n`, "utf8");
+			if (opts.json) defaultRuntime.writeJson({
+				plan: configured.plan,
+				preflight: configured.preflight
+			});
+			else {
+				defaultRuntime.log(`Preflight: changed=${configured.preflight.changed}, files=${configured.preflight.changedFiles.length}, warnings=${configured.preflight.warningCount}.`);
+				if (configured.preflight.warningCount > 0) for (const warning of configured.preflight.warnings) defaultRuntime.log(`- warning: ${warning}`);
+				if (!configured.preflight.checks.resolvabilityComplete && configured.preflight.skippedExecRefs > 0) defaultRuntime.log(`Preflight note: skipped ${configured.preflight.skippedExecRefs} exec SecretRef resolvability check(s). Re-run with --allow-exec to execute exec providers during preflight.`);
+				const providerUpserts = Object.keys(configured.plan.providerUpserts ?? {}).length;
+				const providerDeletes = configured.plan.providerDeletes?.length ?? 0;
+				defaultRuntime.log(`Plan: targets=${configured.plan.targets.length}, providerUpserts=${providerUpserts}, providerDeletes=${providerDeletes}.`);
+				if (opts.planOut) defaultRuntime.log(`Plan written to ${opts.planOut}`);
+			}
+			let shouldApply = Boolean(opts.apply);
+			if (!shouldApply && !opts.json) {
+				const approved = await confirm({
+					message: "Apply this plan now?",
+					initialValue: true
+				});
+				if (typeof approved === "boolean") shouldApply = approved;
+			}
+			if (shouldApply) {
+				if (Boolean(opts.apply) && !opts.yes && !opts.json) {
+					if (await confirm({
+						message: "This migration is one-way for migrated plaintext values. Continue with apply?",
+						initialValue: true
+					}) !== true) {
+						defaultRuntime.log("Apply cancelled.");
+						return;
+					}
+				}
+				const result = await runSecretsApply({
+					plan: configured.plan,
+					write: true,
+					allowExec: Boolean(opts.allowExec)
+				});
+				if (opts.json) {
+					defaultRuntime.writeJson(result);
+					return;
+				}
+				defaultRuntime.log(result.changed ? `Secrets applied. Updated ${result.changedFiles.length} file(s).` : "Secrets apply: no changes.");
+			}
+		} catch (err) {
+			defaultRuntime.error(danger(String(err)));
+			defaultRuntime.exit(1);
+		}
+	});
+	secrets.command("apply").description("Apply a previously generated secrets plan").requiredOption("--from <path>", "Path to plan JSON").option("--dry-run", "Validate/preflight only", false).option("--allow-exec", "Allow exec SecretRef checks (may execute provider commands)", false).option("--json", "Output JSON", false).action(async (opts) => {
+		try {
+			const result = await runSecretsApply({
+				plan: readPlanFile(opts.from),
+				write: !opts.dryRun,
+				allowExec: Boolean(opts.allowExec)
+			});
+			if (opts.json) {
+				defaultRuntime.writeJson(result);
+				return;
+			}
+			if (opts.dryRun) {
+				defaultRuntime.log(result.changed ? `Secrets apply dry run: ${result.changedFiles.length} file(s) would change.` : "Secrets apply dry run: no changes.");
+				if (!result.checks.resolvabilityComplete && result.skippedExecRefs > 0) defaultRuntime.log(`Secrets apply dry-run note: skipped ${result.skippedExecRefs} exec SecretRef resolvability check(s). Re-run with --allow-exec to execute exec providers during dry-run.`);
+				return;
+			}
+			defaultRuntime.log(result.changed ? `Secrets applied. Updated ${result.changedFiles.length} file(s).` : "Secrets apply: no changes.");
+		} catch (err) {
+			defaultRuntime.error(danger(String(err)));
+			defaultRuntime.exit(1);
+		}
+	});
+}
+//#endregion
+export { registerSecretsCli };