@probelabs/visor 0.1.95 → 0.1.96

package/dist/index.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-process.env.VISOR_VERSION = '0.1.95';
-process.env.PROBE_VERSION = '0.6.0-rc145';
+process.env.VISOR_VERSION = '0.1.96';
+process.env.PROBE_VERSION = '0.6.0-rc146';
 /******/ (() => { // webpackBootstrap
 /******/ 	var __webpack_modules__ = ({
 
@@ -177300,6 +177300,522 @@ DelayedStream.prototype._checkIfMaxDataSizeExceeded = function() {
 };
 
 
+/***/ }),
+
+/***/ 52874:
+/***/ ((__unused_webpack_module, __unused_webpack_exports, __nccwpck_require__) => {
+
+(function () {
+  (__nccwpck_require__(18889).config)(
+    Object.assign(
+      {},
+      __nccwpck_require__(39990),
+      __nccwpck_require__(4531)(process.argv)
+    )
+  )
+})()
+
+
+/***/ }),
+
+/***/ 4531:
+/***/ ((module) => {
+
+const re = /^dotenv_config_(encoding|path|quiet|debug|override|DOTENV_KEY)=(.+)$/
+
+module.exports = function optionMatcher (args) {
+  const options = args.reduce(function (acc, cur) {
+    const matches = cur.match(re)
+    if (matches) {
+      acc[matches[1]] = matches[2]
+    }
+    return acc
+  }, {})
+
+  if (!('quiet' in options)) {
+    options.quiet = 'true'
+  }
+
+  return options
+}
+
+
+/***/ }),
+
+/***/ 39990:
+/***/ ((module) => {
+
+// ../config.js accepts options via environment variables
+const options = {}
+
+if (process.env.DOTENV_CONFIG_ENCODING != null) {
+  options.encoding = process.env.DOTENV_CONFIG_ENCODING
+}
+
+if (process.env.DOTENV_CONFIG_PATH != null) {
+  options.path = process.env.DOTENV_CONFIG_PATH
+}
+
+if (process.env.DOTENV_CONFIG_QUIET != null) {
+  options.quiet = process.env.DOTENV_CONFIG_QUIET
+}
+
+if (process.env.DOTENV_CONFIG_DEBUG != null) {
+  options.debug = process.env.DOTENV_CONFIG_DEBUG
+}
+
+if (process.env.DOTENV_CONFIG_OVERRIDE != null) {
+  options.override = process.env.DOTENV_CONFIG_OVERRIDE
+}
+
+if (process.env.DOTENV_CONFIG_DOTENV_KEY != null) {
+  options.DOTENV_KEY = process.env.DOTENV_CONFIG_DOTENV_KEY
+}
+
+module.exports = options
+
+
+/***/ }),
+
+/***/ 18889:
+/***/ ((module, __unused_webpack_exports, __nccwpck_require__) => {
+
+const fs = __nccwpck_require__(79896)
+const path = __nccwpck_require__(16928)
+const os = __nccwpck_require__(70857)
+const crypto = __nccwpck_require__(76982)
+const packageJson = __nccwpck_require__(80056)
+
+const version = packageJson.version
+
+// Array of tips to display randomly
+const TIPS = [
+  '🔐 encrypt with Dotenvx: https://dotenvx.com',
+  '🔐 prevent committing .env to code: https://dotenvx.com/precommit',
+  '🔐 prevent building .env in docker: https://dotenvx.com/prebuild',
+  '📡 add observability to secrets: https://dotenvx.com/ops',
+  '👥 sync secrets across teammates & machines: https://dotenvx.com/ops',
+  '🗂️ backup and recover secrets: https://dotenvx.com/ops',
+  '✅ audit secrets and track compliance: https://dotenvx.com/ops',
+  '🔄 add secrets lifecycle management: https://dotenvx.com/ops',
+  '🔑 add access controls to secrets: https://dotenvx.com/ops',
+  '🛠️  run anywhere with `dotenvx run -- yourcommand`',
+  '⚙️  specify custom .env file path with { path: \'/custom/path/.env\' }',
+  '⚙️  enable debug logging with { debug: true }',
+  '⚙️  override existing env vars with { override: true }',
+  '⚙️  suppress all logs with { quiet: true }',
+  '⚙️  write to custom object with { processEnv: myObject }',
+  '⚙️  load multiple .env files with { path: [\'.env.local\', \'.env\'] }'
+]
+
+// Get a random tip from the tips array
+function _getRandomTip () {
+  return TIPS[Math.floor(Math.random() * TIPS.length)]
+}
+
+function parseBoolean (value) {
+  if (typeof value === 'string') {
+    return !['false', '0', 'no', 'off', ''].includes(value.toLowerCase())
+  }
+  return Boolean(value)
+}
+
+function supportsAnsi () {
+  return process.stdout.isTTY // && process.env.TERM !== 'dumb'
+}
+
+function dim (text) {
+  return supportsAnsi() ? `\x1b[2m${text}\x1b[0m` : text
+}
+
+const LINE = /(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/mg
+
+// Parse src into an Object
+function parse (src) {
+  const obj = {}
+
+  // Convert buffer to string
+  let lines = src.toString()
+
+  // Convert line breaks to same format
+  lines = lines.replace(/\r\n?/mg, '\n')
+
+  let match
+  while ((match = LINE.exec(lines)) != null) {
+    const key = match[1]
+
+    // Default undefined or null to empty string
+    let value = (match[2] || '')
+
+    // Remove whitespace
+    value = value.trim()
+
+    // Check if double quoted
+    const maybeQuote = value[0]
+
+    // Remove surrounding quotes
+    value = value.replace(/^(['"`])([\s\S]*)\1$/mg, '$2')
+
+    // Expand newlines if double quoted
+    if (maybeQuote === '"') {
+      value = value.replace(/\\n/g, '\n')
+      value = value.replace(/\\r/g, '\r')
+    }
+
+    // Add to object
+    obj[key] = value
+  }
+
+  return obj
+}
+
+function _parseVault (options) {
+  options = options || {}
+
+  const vaultPath = _vaultPath(options)
+  options.path = vaultPath // parse .env.vault
+  const result = DotenvModule.configDotenv(options)
+  if (!result.parsed) {
+    const err = new Error(`MISSING_DATA: Cannot parse ${vaultPath} for an unknown reason`)
+    err.code = 'MISSING_DATA'
+    throw err
+  }
+
+  // handle scenario for comma separated keys - for use with key rotation
+  // example: DOTENV_KEY="dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenvx.com/vault/.env.vault?environment=prod"
+  const keys = _dotenvKey(options).split(',')
+  const length = keys.length
+
+  let decrypted
+  for (let i = 0; i < length; i++) {
+    try {
+      // Get full key
+      const key = keys[i].trim()
+
+      // Get instructions for decrypt
+      const attrs = _instructions(result, key)
+
+      // Decrypt
+      decrypted = DotenvModule.decrypt(attrs.ciphertext, attrs.key)
+
+      break
+    } catch (error) {
+      // last key
+      if (i + 1 >= length) {
+        throw error
+      }
+      // try next key
+    }
+  }
+
+  // Parse decrypted .env string
+  return DotenvModule.parse(decrypted)
+}
+
+function _warn (message) {
+  console.error(`[dotenv@${version}][WARN] ${message}`)
+}
+
+function _debug (message) {
+  console.log(`[dotenv@${version}][DEBUG] ${message}`)
+}
+
+function _log (message) {
+  console.log(`[dotenv@${version}] ${message}`)
+}
+
+function _dotenvKey (options) {
+  // prioritize developer directly setting options.DOTENV_KEY
+  if (options && options.DOTENV_KEY && options.DOTENV_KEY.length > 0) {
+    return options.DOTENV_KEY
+  }
+
+  // secondary infra already contains a DOTENV_KEY environment variable
+  if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {
+    return process.env.DOTENV_KEY
+  }
+
+  // fallback to empty string
+  return ''
+}
+
+function _instructions (result, dotenvKey) {
+  // Parse DOTENV_KEY. Format is a URI
+  let uri
+  try {
+    uri = new URL(dotenvKey)
+  } catch (error) {
+    if (error.code === 'ERR_INVALID_URL') {
+      const err = new Error('INVALID_DOTENV_KEY: Wrong format. Must be in valid uri format like dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=development')
+      err.code = 'INVALID_DOTENV_KEY'
+      throw err
+    }
+
+    throw error
+  }
+
+  // Get decrypt key
+  const key = uri.password
+  if (!key) {
+    const err = new Error('INVALID_DOTENV_KEY: Missing key part')
+    err.code = 'INVALID_DOTENV_KEY'
+    throw err
+  }
+
+  // Get environment
+  const environment = uri.searchParams.get('environment')
+  if (!environment) {
+    const err = new Error('INVALID_DOTENV_KEY: Missing environment part')
+    err.code = 'INVALID_DOTENV_KEY'
+    throw err
+  }
+
+  // Get ciphertext payload
+  const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`
+  const ciphertext = result.parsed[environmentKey] // DOTENV_VAULT_PRODUCTION
+  if (!ciphertext) {
+    const err = new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate environment ${environmentKey} in your .env.vault file.`)
+    err.code = 'NOT_FOUND_DOTENV_ENVIRONMENT'
+    throw err
+  }
+
+  return { ciphertext, key }
+}
+
+function _vaultPath (options) {
+  let possibleVaultPath = null
+
+  if (options && options.path && options.path.length > 0) {
+    if (Array.isArray(options.path)) {
+      for (const filepath of options.path) {
+        if (fs.existsSync(filepath)) {
+          possibleVaultPath = filepath.endsWith('.vault') ? filepath : `${filepath}.vault`
+        }
+      }
+    } else {
+      possibleVaultPath = options.path.endsWith('.vault') ? options.path : `${options.path}.vault`
+    }
+  } else {
+    possibleVaultPath = path.resolve(process.cwd(), '.env.vault')
+  }
+
+  if (fs.existsSync(possibleVaultPath)) {
+    return possibleVaultPath
+  }
+
+  return null
+}
+
+function _resolveHome (envPath) {
+  return envPath[0] === '~' ? path.join(os.homedir(), envPath.slice(1)) : envPath
+}
+
+function _configVault (options) {
+  const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || (options && options.debug))
+  const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || (options && options.quiet))
+
+  if (debug || !quiet) {
+    _log('Loading env from encrypted .env.vault')
+  }
+
+  const parsed = DotenvModule._parseVault(options)
+
+  let processEnv = process.env
+  if (options && options.processEnv != null) {
+    processEnv = options.processEnv
+  }
+
+  DotenvModule.populate(processEnv, parsed, options)
+
+  return { parsed }
+}
+
+function configDotenv (options) {
+  const dotenvPath = path.resolve(process.cwd(), '.env')
+  let encoding = 'utf8'
+  let processEnv = process.env
+  if (options && options.processEnv != null) {
+    processEnv = options.processEnv
+  }
+  let debug = parseBoolean(processEnv.DOTENV_CONFIG_DEBUG || (options && options.debug))
+  let quiet = parseBoolean(processEnv.DOTENV_CONFIG_QUIET || (options && options.quiet))
+
+  if (options && options.encoding) {
+    encoding = options.encoding
+  } else {
+    if (debug) {
+      _debug('No encoding is specified. UTF-8 is used by default')
+    }
+  }
+
+  let optionPaths = [dotenvPath] // default, look for .env
+  if (options && options.path) {
+    if (!Array.isArray(options.path)) {
+      optionPaths = [_resolveHome(options.path)]
+    } else {
+      optionPaths = [] // reset default
+      for (const filepath of options.path) {
+        optionPaths.push(_resolveHome(filepath))
+      }
+    }
+  }
+
+  // Build the parsed data in a temporary object (because we need to return it).  Once we have the final
+  // parsed data, we will combine it with process.env (or options.processEnv if provided).
+  let lastError
+  const parsedAll = {}
+  for (const path of optionPaths) {
+    try {
+      // Specifying an encoding returns a string instead of a buffer
+      const parsed = DotenvModule.parse(fs.readFileSync(path, { encoding }))
+
+      DotenvModule.populate(parsedAll, parsed, options)
+    } catch (e) {
+      if (debug) {
+        _debug(`Failed to load ${path} ${e.message}`)
+      }
+      lastError = e
+    }
+  }
+
+  const populated = DotenvModule.populate(processEnv, parsedAll, options)
+
+  // handle user settings DOTENV_CONFIG_ options inside .env file(s)
+  debug = parseBoolean(processEnv.DOTENV_CONFIG_DEBUG || debug)
+  quiet = parseBoolean(processEnv.DOTENV_CONFIG_QUIET || quiet)
+
+  if (debug || !quiet) {
+    const keysCount = Object.keys(populated).length
+    const shortPaths = []
+    for (const filePath of optionPaths) {
+      try {
+        const relative = path.relative(process.cwd(), filePath)
+        shortPaths.push(relative)
+      } catch (e) {
+        if (debug) {
+          _debug(`Failed to load ${filePath} ${e.message}`)
+        }
+        lastError = e
+      }
+    }
+
+    _log(`injecting env (${keysCount}) from ${shortPaths.join(',')} ${dim(`-- tip: ${_getRandomTip()}`)}`)
+  }
+
+  if (lastError) {
+    return { parsed: parsedAll, error: lastError }
+  } else {
+    return { parsed: parsedAll }
+  }
+}
+
+// Populates process.env from .env file
+function config (options) {
+  // fallback to original dotenv if DOTENV_KEY is not set
+  if (_dotenvKey(options).length === 0) {
+    return DotenvModule.configDotenv(options)
+  }
+
+  const vaultPath = _vaultPath(options)
+
+  // dotenvKey exists but .env.vault file does not exist
+  if (!vaultPath) {
+    _warn(`You set DOTENV_KEY but you are missing a .env.vault file at ${vaultPath}. Did you forget to build it?`)
+
+    return DotenvModule.configDotenv(options)
+  }
+
+  return DotenvModule._configVault(options)
+}
+
+function decrypt (encrypted, keyStr) {
+  const key = Buffer.from(keyStr.slice(-64), 'hex')
+  let ciphertext = Buffer.from(encrypted, 'base64')
+
+  const nonce = ciphertext.subarray(0, 12)
+  const authTag = ciphertext.subarray(-16)
+  ciphertext = ciphertext.subarray(12, -16)
+
+  try {
+    const aesgcm = crypto.createDecipheriv('aes-256-gcm', key, nonce)
+    aesgcm.setAuthTag(authTag)
+    return `${aesgcm.update(ciphertext)}${aesgcm.final()}`
+  } catch (error) {
+    const isRange = error instanceof RangeError
+    const invalidKeyLength = error.message === 'Invalid key length'
+    const decryptionFailed = error.message === 'Unsupported state or unable to authenticate data'
+
+    if (isRange || invalidKeyLength) {
+      const err = new Error('INVALID_DOTENV_KEY: It must be 64 characters long (or more)')
+      err.code = 'INVALID_DOTENV_KEY'
+      throw err
+    } else if (decryptionFailed) {
+      const err = new Error('DECRYPTION_FAILED: Please check your DOTENV_KEY')
+      err.code = 'DECRYPTION_FAILED'
+      throw err
+    } else {
+      throw error
+    }
+  }
+}
+
+// Populate process.env with parsed values
+function populate (processEnv, parsed, options = {}) {
+  const debug = Boolean(options && options.debug)
+  const override = Boolean(options && options.override)
+  const populated = {}
+
+  if (typeof parsed !== 'object') {
+    const err = new Error('OBJECT_REQUIRED: Please check the processEnv argument being passed to populate')
+    err.code = 'OBJECT_REQUIRED'
+    throw err
+  }
+
+  // Set process.env
+  for (const key of Object.keys(parsed)) {
+    if (Object.prototype.hasOwnProperty.call(processEnv, key)) {
+      if (override === true) {
+        processEnv[key] = parsed[key]
+        populated[key] = parsed[key]
+      }
+
+      if (debug) {
+        if (override === true) {
+          _debug(`"${key}" is already defined and WAS overwritten`)
+        } else {
+          _debug(`"${key}" is already defined and was NOT overwritten`)
+        }
+      }
+    } else {
+      processEnv[key] = parsed[key]
+      populated[key] = parsed[key]
+    }
+  }
+
+  return populated
+}
+
+const DotenvModule = {
+  configDotenv,
+  _configVault,
+  _parseVault,
+  config,
+  decrypt,
+  parse,
+  populate
+}
+
+module.exports.configDotenv = DotenvModule.configDotenv
+module.exports._configVault = DotenvModule._configVault
+module.exports._parseVault = DotenvModule._parseVault
+module.exports.config = DotenvModule.config
+module.exports.decrypt = DotenvModule.decrypt
+module.exports.parse = DotenvModule.parse
+module.exports.populate = DotenvModule.populate
+
+module.exports = DotenvModule
+
+
 /***/ }),
 
 /***/ 26669:
@@ -224380,6 +224896,8 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.main = main;
+// Load environment variables from .env file
+__nccwpck_require__(52874);
 const cli_1 = __nccwpck_require__(95581);
 const config_1 = __nccwpck_require__(22973);
 const check_execution_engine_1 = __nccwpck_require__(80299);
@@ -229828,6 +230346,8 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.deriveExecutedCheckNames = void 0;
 exports.run = run;
+// Load environment variables from .env file
+__nccwpck_require__(52874);
 const rest_1 = __nccwpck_require__(47432);
 const auth_app_1 = __nccwpck_require__(76479);
 const core_1 = __nccwpck_require__(37484);
@@ -254293,6 +254813,364 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
+// node_modules/dotenv/package.json
+var require_package = __commonJS({
+  "node_modules/dotenv/package.json"(exports2, module2) {
+    module2.exports = {
+      name: "dotenv",
+      version: "16.6.1",
+      description: "Loads environment variables from .env file",
+      main: "lib/main.js",
+      types: "lib/main.d.ts",
+      exports: {
+        ".": {
+          types: "./lib/main.d.ts",
+          require: "./lib/main.js",
+          default: "./lib/main.js"
+        },
+        "./config": "./config.js",
+        "./config.js": "./config.js",
+        "./lib/env-options": "./lib/env-options.js",
+        "./lib/env-options.js": "./lib/env-options.js",
+        "./lib/cli-options": "./lib/cli-options.js",
+        "./lib/cli-options.js": "./lib/cli-options.js",
+        "./package.json": "./package.json"
+      },
+      scripts: {
+        "dts-check": "tsc --project tests/types/tsconfig.json",
+        lint: "standard",
+        pretest: "npm run lint && npm run dts-check",
+        test: "tap run --allow-empty-coverage --disable-coverage --timeout=60000",
+        "test:coverage": "tap run --show-full-coverage --timeout=60000 --coverage-report=text --coverage-report=lcov",
+        prerelease: "npm test",
+        release: "standard-version"
+      },
+      repository: {
+        type: "git",
+        url: "git://github.com/motdotla/dotenv.git"
+      },
+      homepage: "https://github.com/motdotla/dotenv#readme",
+      funding: "https://dotenvx.com",
+      keywords: [
+        "dotenv",
+        "env",
+        ".env",
+        "environment",
+        "variables",
+        "config",
+        "settings"
+      ],
+      readmeFilename: "README.md",
+      license: "BSD-2-Clause",
+      devDependencies: {
+        "@types/node": "^18.11.3",
+        decache: "^4.6.2",
+        sinon: "^14.0.1",
+        standard: "^17.0.0",
+        "standard-version": "^9.5.0",
+        tap: "^19.2.0",
+        typescript: "^4.8.4"
+      },
+      engines: {
+        node: ">=12"
+      },
+      browser: {
+        fs: false
+      }
+    };
+  }
+});
+
+// node_modules/dotenv/lib/main.js
+var require_main = __commonJS({
+  "node_modules/dotenv/lib/main.js"(exports2, module2) {
+    var fs6 = __nccwpck_require__(79896);
+    var path7 = __nccwpck_require__(16928);
+    var os3 = __nccwpck_require__(70857);
+    var crypto2 = __nccwpck_require__(76982);
+    var packageJson = require_package();
+    var version = packageJson.version;
+    var LINE = /(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/mg;
+    function parse6(src) {
+      const obj = {};
+      let lines = src.toString();
+      lines = lines.replace(/\r\n?/mg, "\n");
+      let match2;
+      while ((match2 = LINE.exec(lines)) != null) {
+        const key = match2[1];
+        let value = match2[2] || "";
+        value = value.trim();
+        const maybeQuote = value[0];
+        value = value.replace(/^(['"`])([\s\S]*)\1$/mg, "$2");
+        if (maybeQuote === '"') {
+          value = value.replace(/\\n/g, "\n");
+          value = value.replace(/\\r/g, "\r");
+        }
+        obj[key] = value;
+      }
+      return obj;
+    }
+    function _parseVault(options) {
+      options = options || {};
+      const vaultPath = _vaultPath(options);
+      options.path = vaultPath;
+      const result = DotenvModule.configDotenv(options);
+      if (!result.parsed) {
+        const err = new Error(`MISSING_DATA: Cannot parse ${vaultPath} for an unknown reason`);
+        err.code = "MISSING_DATA";
+        throw err;
+      }
+      const keys2 = _dotenvKey(options).split(",");
+      const length = keys2.length;
+      let decrypted;
+      for (let i3 = 0; i3 < length; i3++) {
+        try {
+          const key = keys2[i3].trim();
+          const attrs = _instructions(result, key);
+          decrypted = DotenvModule.decrypt(attrs.ciphertext, attrs.key);
+          break;
+        } catch (error2) {
+          if (i3 + 1 >= length) {
+            throw error2;
+          }
+        }
+      }
+      return DotenvModule.parse(decrypted);
+    }
+    function _warn(message) {
+      console.log(`[dotenv@${version}][WARN] ${message}`);
+    }
+    function _debug(message) {
+      console.log(`[dotenv@${version}][DEBUG] ${message}`);
+    }
+    function _log(message) {
+      console.log(`[dotenv@${version}] ${message}`);
+    }
+    function _dotenvKey(options) {
+      if (options && options.DOTENV_KEY && options.DOTENV_KEY.length > 0) {
+        return options.DOTENV_KEY;
+      }
+      if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {
+        return process.env.DOTENV_KEY;
+      }
+      return "";
+    }
+    function _instructions(result, dotenvKey) {
+      let uri;
+      try {
+        uri = new URL(dotenvKey);
+      } catch (error2) {
+        if (error2.code === "ERR_INVALID_URL") {
+          const err = new Error("INVALID_DOTENV_KEY: Wrong format. Must be in valid uri format like dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=development");
+          err.code = "INVALID_DOTENV_KEY";
+          throw err;
+        }
+        throw error2;
+      }
+      const key = uri.password;
+      if (!key) {
+        const err = new Error("INVALID_DOTENV_KEY: Missing key part");
+        err.code = "INVALID_DOTENV_KEY";
+        throw err;
+      }
+      const environment = uri.searchParams.get("environment");
+      if (!environment) {
+        const err = new Error("INVALID_DOTENV_KEY: Missing environment part");
+        err.code = "INVALID_DOTENV_KEY";
+        throw err;
+      }
+      const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`;
+      const ciphertext = result.parsed[environmentKey];
+      if (!ciphertext) {
+        const err = new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate environment ${environmentKey} in your .env.vault file.`);
+        err.code = "NOT_FOUND_DOTENV_ENVIRONMENT";
+        throw err;
+      }
+      return { ciphertext, key };
+    }
+    function _vaultPath(options) {
+      let possibleVaultPath = null;
+      if (options && options.path && options.path.length > 0) {
+        if (Array.isArray(options.path)) {
+          for (const filepath of options.path) {
+            if (fs6.existsSync(filepath)) {
+              possibleVaultPath = filepath.endsWith(".vault") ? filepath : `${filepath}.vault`;
+            }
+          }
+        } else {
+          possibleVaultPath = options.path.endsWith(".vault") ? options.path : `${options.path}.vault`;
+        }
+      } else {
+        possibleVaultPath = path7.resolve(process.cwd(), ".env.vault");
+      }
+      if (fs6.existsSync(possibleVaultPath)) {
+        return possibleVaultPath;
+      }
+      return null;
+    }
+    function _resolveHome(envPath) {
+      return envPath[0] === "~" ? path7.join(os3.homedir(), envPath.slice(1)) : envPath;
+    }
+    function _configVault(options) {
+      const debug = Boolean(options && options.debug);
+      const quiet = options && "quiet" in options ? options.quiet : true;
+      if (debug || !quiet) {
+        _log("Loading env from encrypted .env.vault");
+      }
+      const parsed = DotenvModule._parseVault(options);
+      let processEnv = process.env;
+      if (options && options.processEnv != null) {
+        processEnv = options.processEnv;
+      }
+      DotenvModule.populate(processEnv, parsed, options);
+      return { parsed };
+    }
+    function configDotenv(options) {
+      const dotenvPath = path7.resolve(process.cwd(), ".env");
+      let encoding = "utf8";
+      const debug = Boolean(options && options.debug);
+      const quiet = options && "quiet" in options ? options.quiet : true;
+      if (options && options.encoding) {
+        encoding = options.encoding;
+      } else {
+        if (debug) {
+          _debug("No encoding is specified. UTF-8 is used by default");
+        }
+      }
+      let optionPaths = [dotenvPath];
+      if (options && options.path) {
+        if (!Array.isArray(options.path)) {
+          optionPaths = [_resolveHome(options.path)];
+        } else {
+          optionPaths = [];
+          for (const filepath of options.path) {
+            optionPaths.push(_resolveHome(filepath));
+          }
+        }
+      }
+      let lastError;
+      const parsedAll = {};
+      for (const path8 of optionPaths) {
+        try {
+          const parsed = DotenvModule.parse(fs6.readFileSync(path8, { encoding }));
+          DotenvModule.populate(parsedAll, parsed, options);
+        } catch (e3) {
+          if (debug) {
+            _debug(`Failed to load ${path8} ${e3.message}`);
+          }
+          lastError = e3;
+        }
+      }
+      let processEnv = process.env;
+      if (options && options.processEnv != null) {
+        processEnv = options.processEnv;
+      }
+      DotenvModule.populate(processEnv, parsedAll, options);
+      if (debug || !quiet) {
+        const keysCount = Object.keys(parsedAll).length;
+        const shortPaths = [];
+        for (const filePath of optionPaths) {
+          try {
+            const relative = path7.relative(process.cwd(), filePath);
+            shortPaths.push(relative);
+          } catch (e3) {
+            if (debug) {
+              _debug(`Failed to load ${filePath} ${e3.message}`);
+            }
+            lastError = e3;
+          }
+        }
+        _log(`injecting env (${keysCount}) from ${shortPaths.join(",")}`);
+      }
+      if (lastError) {
+        return { parsed: parsedAll, error: lastError };
+      } else {
+        return { parsed: parsedAll };
+      }
+    }
+    function config(options) {
+      if (_dotenvKey(options).length === 0) {
+        return DotenvModule.configDotenv(options);
+      }
+      const vaultPath = _vaultPath(options);
+      if (!vaultPath) {
+        _warn(`You set DOTENV_KEY but you are missing a .env.vault file at ${vaultPath}. Did you forget to build it?`);
+        return DotenvModule.configDotenv(options);
+      }
+      return DotenvModule._configVault(options);
+    }
+    function decrypt(encrypted, keyStr) {
+      const key = Buffer.from(keyStr.slice(-64), "hex");
+      let ciphertext = Buffer.from(encrypted, "base64");
+      const nonce = ciphertext.subarray(0, 12);
+      const authTag = ciphertext.subarray(-16);
+      ciphertext = ciphertext.subarray(12, -16);
+      try {
+        const aesgcm = crypto2.createDecipheriv("aes-256-gcm", key, nonce);
+        aesgcm.setAuthTag(authTag);
+        return `${aesgcm.update(ciphertext)}${aesgcm.final()}`;
+      } catch (error2) {
+        const isRange = error2 instanceof RangeError;
+        const invalidKeyLength = error2.message === "Invalid key length";
+        const decryptionFailed = error2.message === "Unsupported state or unable to authenticate data";
+        if (isRange || invalidKeyLength) {
+          const err = new Error("INVALID_DOTENV_KEY: It must be 64 characters long (or more)");
+          err.code = "INVALID_DOTENV_KEY";
+          throw err;
+        } else if (decryptionFailed) {
+          const err = new Error("DECRYPTION_FAILED: Please check your DOTENV_KEY");
+          err.code = "DECRYPTION_FAILED";
+          throw err;
+        } else {
+          throw error2;
+        }
+      }
+    }
+    function populate(processEnv, parsed, options = {}) {
+      const debug = Boolean(options && options.debug);
+      const override = Boolean(options && options.override);
+      if (typeof parsed !== "object") {
+        const err = new Error("OBJECT_REQUIRED: Please check the processEnv argument being passed to populate");
+        err.code = "OBJECT_REQUIRED";
+        throw err;
+      }
+      for (const key of Object.keys(parsed)) {
+        if (Object.prototype.hasOwnProperty.call(processEnv, key)) {
+          if (override === true) {
+            processEnv[key] = parsed[key];
+          }
+          if (debug) {
+            if (override === true) {
+              _debug(`"${key}" is already defined and WAS overwritten`);
+            } else {
+              _debug(`"${key}" is already defined and was NOT overwritten`);
+            }
+          }
+        } else {
+          processEnv[key] = parsed[key];
+        }
+      }
+    }
+    var DotenvModule = {
+      configDotenv,
+      _configVault,
+      _parseVault,
+      config,
+      decrypt,
+      parse: parse6,
+      populate
+    };
+    module2.exports.configDotenv = DotenvModule.configDotenv;
+    module2.exports._configVault = DotenvModule._configVault;
+    module2.exports._parseVault = DotenvModule._parseVault;
+    module2.exports.config = DotenvModule.config;
+    module2.exports.decrypt = DotenvModule.decrypt;
+    module2.exports.parse = DotenvModule.parse;
+    module2.exports.populate = DotenvModule.populate;
+    module2.exports = DotenvModule;
+  }
+});
+
 // src/directory-resolver.js
 async function getPackageBinDir() {
   const debug = process.env.DEBUG === "1" || process.env.VERBOSE === "1";
@@ -275759,7 +276637,7 @@ var require_uint32ArrayFrom = __commonJS({
 });
 
 // node_modules/@aws-crypto/util/build/main/index.js
-var require_main = __commonJS({
+var require_main2 = __commonJS({
   "node_modules/@aws-crypto/util/build/main/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
@@ -275790,8 +276668,8 @@ var require_aws_crc32 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.AwsCrc32 = void 0;
     var tslib_1 = (init_tslib_es6(), __toCommonJS(tslib_es6_exports));
-    var util_1 = require_main();
-    var index_1 = require_main2();
+    var util_1 = require_main2();
+    var index_1 = require_main3();
     var AwsCrc32 = (
       /** @class */
       (function() {
@@ -275821,13 +276699,13 @@ var require_aws_crc32 = __commonJS({
 });
 
 // node_modules/@aws-crypto/crc32/build/main/index.js
-var require_main2 = __commonJS({
+var require_main3 = __commonJS({
   "node_modules/@aws-crypto/crc32/build/main/index.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.AwsCrc32 = exports2.Crc32 = exports2.crc32 = void 0;
     var tslib_1 = (init_tslib_es6(), __toCommonJS(tslib_es6_exports));
-    var util_1 = require_main();
+    var util_1 = require_main2();
     function crc32(data2) {
       return new Crc32().update(data2).digest();
     }
@@ -276133,7 +277011,7 @@ var require_main2 = __commonJS({
 var require_dist_cjs33 = __commonJS({
   "node_modules/@smithy/eventstream-codec/dist-cjs/index.js"(exports2) {
     "use strict";
-    var crc32 = require_main2();
+    var crc32 = require_main3();
     var utilHexEncoding = require_dist_cjs17();
     var Int64 = class _Int64 {
       bytes;
@@ -278683,12 +279561,12 @@ var require_httpAuthSchemeProvider = __commonJS({
 });
 
 // node_modules/@aws-sdk/client-bedrock-runtime/package.json
-var require_package = __commonJS({
+var require_package2 = __commonJS({
   "node_modules/@aws-sdk/client-bedrock-runtime/package.json"(exports2, module2) {
     module2.exports = {
       name: "@aws-sdk/client-bedrock-runtime",
       description: "AWS SDK for JavaScript Bedrock Runtime Client for Node.js, Browser and React Native",
-      version: "3.911.0",
+      version: "3.913.0",
       scripts: {
         build: "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
         "build:cjs": "node ../../scripts/compilation/inline client-bedrock-runtime",
@@ -278708,7 +279586,7 @@ var require_package = __commonJS({
         "@aws-crypto/sha256-browser": "5.2.0",
         "@aws-crypto/sha256-js": "5.2.0",
         "@aws-sdk/core": "3.911.0",
-        "@aws-sdk/credential-provider-node": "3.911.0",
+        "@aws-sdk/credential-provider-node": "3.913.0",
         "@aws-sdk/eventstream-handler-node": "3.910.0",
         "@aws-sdk/middleware-eventstream": "3.910.0",
         "@aws-sdk/middleware-host-header": "3.910.0",
@@ -280917,7 +281795,7 @@ var require_httpAuthSchemeProvider2 = __commonJS({
 });
 
 // node_modules/@aws-sdk/client-sso/package.json
-var require_package2 = __commonJS({
+var require_package3 = __commonJS({
   "node_modules/@aws-sdk/client-sso/package.json"(exports2, module2) {
     module2.exports = {
       name: "@aws-sdk/client-sso",
@@ -281132,7 +282010,7 @@ var require_runtimeConfig = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.getRuntimeConfig = void 0;
     var tslib_1 = (init_tslib_es6(), __toCommonJS(tslib_es6_exports));
-    var package_json_1 = tslib_1.__importDefault(require_package2());
+    var package_json_1 = tslib_1.__importDefault(require_package3());
     var core_1 = (init_dist_es2(), __toCommonJS(dist_es_exports2));
     var util_user_agent_node_1 = require_dist_cjs51();
     var config_resolver_1 = require_dist_cjs39();
@@ -283366,7 +284244,7 @@ var require_dist_cjs61 = __commonJS({
       }
       return withProviderProfile;
     };
-    var resolveAssumeRoleCredentials = async (profileName, profiles, options, visitedProfiles = {}) => {
+    var resolveAssumeRoleCredentials = async (profileName, profiles, options, visitedProfiles = {}, resolveProfileData2) => {
       options.logger?.debug("@aws-sdk/credential-provider-ini - resolveAssumeRoleCredentials (STS)");
       const profileData = profiles[profileName];
       const { source_profile, region } = profileData;
@@ -283385,7 +284263,7 @@ var require_dist_cjs61 = __commonJS({
         throw new propertyProvider.CredentialsProviderError(`Detected a cycle attempting to resolve credentials for profile ${sharedIniFileLoader.getProfileName(options)}. Profiles visited: ` + Object.keys(visitedProfiles).join(", "), { logger: options.logger });
       }
       options.logger?.debug(`@aws-sdk/credential-provider-ini - finding credential resolver using ${source_profile ? `source_profile=[${source_profile}]` : `profile=[${profileName}]`}`);
-      const sourceCredsProvider = source_profile ? resolveProfileData(source_profile, profiles, options, {
+      const sourceCredsProvider = source_profile ? resolveProfileData2(source_profile, profiles, options, {
         ...visitedProfiles,
         [source_profile]: true
       }, isCredentialSourceWithoutRoleArn(profiles[source_profile] ?? {})) : (await resolveCredentialSource(profileData.credential_source, profileName, options.logger)(options))();
@@ -283461,7 +284339,7 @@ var require_dist_cjs61 = __commonJS({
         return resolveStaticCredentials(data2, options);
       }
       if (isAssumeRoleRecursiveCall || isAssumeRoleProfile(data2, { profile: profileName, logger: options.logger })) {
-        return resolveAssumeRoleCredentials(profileName, profiles, options, visitedProfiles);
+        return resolveAssumeRoleCredentials(profileName, profiles, options, visitedProfiles, resolveProfileData);
       }
       if (isStaticCredsProfile(data2)) {
         return resolveStaticCredentials(data2, options);
@@ -283853,7 +284731,7 @@ var require_runtimeConfig2 = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.getRuntimeConfig = void 0;
     var tslib_1 = (init_tslib_es6(), __toCommonJS(tslib_es6_exports));
-    var package_json_1 = tslib_1.__importDefault(require_package());
+    var package_json_1 = tslib_1.__importDefault(require_package2());
     var core_1 = (init_dist_es2(), __toCommonJS(dist_es_exports2));
     var credential_provider_node_1 = require_dist_cjs62();
     var eventstream_handler_node_1 = require_dist_cjs63();
@@ -308347,8 +309225,8 @@ var init_parser2 = __esm({
                     { ALT: () => this.CONSUME(Identifier) },
                     { ALT: () => this.CONSUME(Text) },
                     { ALT: () => this.CONSUME(NumberLiteral) },
-                    { ALT: () => this.CONSUME(RoundOpen) },
-                    { ALT: () => this.CONSUME(RoundClose) },
+                    // Note: RoundOpen and RoundClose (parentheses) are NOT allowed in unquoted labels
+                    // to match Mermaid's behavior - use quoted labels like ["text (with parens)"] instead
                     // Allow HTML-like tags (e.g., <br/>) inside labels
                     { ALT: () => this.CONSUME(AngleLess) },
                     { ALT: () => this.CONSUME(AngleOpen) },
@@ -308437,7 +309315,17 @@ var init_parser2 = __esm({
             this.OR([
               { ALT: () => this.CONSUME(Identifier) },
               { ALT: () => this.CONSUME(Text) },
-              { ALT: () => this.CONSUME(NumberLiteral) }
+              { ALT: () => this.CONSUME(NumberLiteral) },
+              // Allow HTML-like angle brackets and slashes for <br/>, <i>, etc.
+              { ALT: () => this.CONSUME(AngleLess) },
+              { ALT: () => this.CONSUME(AngleOpen) },
+              { ALT: () => this.CONSUME(ForwardSlash) },
+              { ALT: () => this.CONSUME(Backslash) },
+              // Allow common punctuation seen in labels
+              { ALT: () => this.CONSUME(Comma) },
+              { ALT: () => this.CONSUME(Colon) },
+              { ALT: () => this.CONSUME(Ampersand) },
+              { ALT: () => this.CONSUME(Semicolon) }
             ]);
           });
         });
@@ -309049,7 +309937,7 @@ var init_semantics = __esm({
               this.ctx.errors.push({
                 line: q3.startLine ?? 1,
                 column: col,
-                severity: "warning",
+                severity: "error",
                 code: "FL-LABEL-CURLY-IN-QUOTED",
                 message: "Curly braces inside quoted label text may be parsed as a shape by Mermaid. Replace { and } with HTML entities.",
                 hint: 'Use &#123; and &#125; for { and } inside quoted text, e.g., "tyk-trace-&#123;id&#125;".',
@@ -309179,6 +310067,8 @@ var init_semantics = __esm({
               this.ctx.errors.push({
                 line: tk.startLine ?? 1,
                 column: col,
+                // Treat backticks in quoted labels as errors (CLI rejects in many cases);
+                // outside quotes, surface as a warning.
                 severity: inQuoted ? "error" : "warning",
                 code: "FL-LABEL-BACKTICK",
                 message: "Backticks (`\u2026`) inside node labels are not supported by Mermaid.",
@@ -310463,7 +311353,7 @@ function validateFlowchart(text, options = {}) {
         code: "FL-LABEL-ESCAPED-QUOTE",
         message: 'Escaped quotes (\\") in node labels are accepted by Mermaid, but using &quot; is preferred for portability.',
         hint: 'Prefer &quot; inside quoted labels, e.g., A["He said &quot;Hi&quot;"]'
-      }).map((e3) => ({ ...e3, severity: "warning" }));
+      }).map((e3) => ({ ...e3, severity: "error" }));
       const seenDoubleLines = new Set(prevErrors.filter((e3) => e3.code === "FL-LABEL-DOUBLE-IN-DOUBLE").map((e3) => e3.line));
       const escapedLinesAll = new Set(detectEscapedQuotes(tokens, { code: "x" }).map((e3) => e3.line));
       const dbl = detectDoubleInDouble(tokens, {
@@ -312742,11 +313632,85 @@ function computeFixes(text, errors, level = "safe") {
   const patchedLines = /* @__PURE__ */ new Set();
   const seen = /* @__PURE__ */ new Set();
   const piQuoteClosedLines = /* @__PURE__ */ new Set();
+  function sanitizeAllQuotedSegmentsInShapes(lineText, lineNo) {
+    const shapes = [
+      { open: "[[", close: "]]" },
+      { open: "((", close: "))" },
+      { open: "{{", close: "}}" },
+      { open: "[(", close: ")]" },
+      { open: "([", close: "])" },
+      { open: "{", close: "}" },
+      { open: "[", close: "]" },
+      { open: "(", close: ")" }
+    ];
+    let idx = 0;
+    let produced = 0;
+    while (idx < lineText.length) {
+      let found = null;
+      for (const s3 of shapes) {
+        const i3 = lineText.indexOf(s3.open, idx);
+        if (i3 !== -1 && (found === null || i3 < found.i))
+          found = { ...s3, i: i3 };
+      }
+      if (!found)
+        break;
+      const contentStart = found.i + found.open.length;
+      const closeIdx = lineText.indexOf(found.close, contentStart);
+      if (closeIdx === -1) {
+        idx = contentStart;
+        continue;
+      }
+      let q1 = -1;
+      for (let i3 = contentStart; i3 < closeIdx; i3++) {
+        if (lineText[i3] === '"' && lineText[i3 - 1] !== "\\") {
+          q1 = i3;
+          break;
+        }
+      }
+      if (q1 !== -1) {
+        let q22 = -1;
+        for (let j3 = closeIdx - 1; j3 > q1; j3--) {
+          if (lineText[j3] === '"' && lineText[j3 - 1] !== "\\") {
+            q22 = j3;
+            break;
+          }
+        }
+        if (q22 !== -1) {
+          const inner = lineText.slice(q1 + 1, q22);
+          const replaced = sanitizeQuotedInner(inner);
+          if (replaced !== inner) {
+            edits.push({ start: { line: lineNo, column: q1 + 2 }, end: { line: lineNo, column: q22 + 1 }, newText: replaced });
+            produced++;
+          }
+        }
+      }
+      idx = closeIdx + found.close.length;
+    }
+    return produced;
+  }
+  function sanitizeQuotedInner(inner) {
+    const SENT_Q = "\0__Q__";
+    let out = inner.split("&quot;").join(SENT_Q);
+    out = out.replace(/`/g, "");
+    out = out.replace(/\\\"/g, "&quot;");
+    out = out.replace(/\"/g, "&quot;");
+    out = out.replace(/"/g, "&quot;");
+    out = out.split(SENT_Q).join("&quot;");
+    return out;
+  }
   for (const e3 of errors) {
     const key = `${e3.code}@${e3.line}:${e3.column}:${e3.length ?? 1}`;
     if (seen.has(key))
       continue;
     seen.add(key);
+    if ((e3.code === "FL-LABEL-ESCAPED-QUOTE" || e3.code === "FL-LABEL-CURLY-IN-QUOTED" || e3.code === "FL-LABEL-DOUBLE-IN-DOUBLE" || e3.code === "FL-LABEL-BACKTICK") && !patchedLines.has(e3.line)) {
+      const lineText = lineTextAt(text, e3.line);
+      const produced = sanitizeAllQuotedSegmentsInShapes(lineText, e3.line);
+      patchedLines.add(e3.line);
+      if (produced > 0) {
+        continue;
+      }
+    }
     if (is("FL-ARROW-INVALID", e3)) {
       edits.push(replaceRange(text, at(e3), e3.length ?? 2, "-->"));
       continue;
@@ -312851,6 +313815,8 @@ function computeFixes(text, errors, level = "safe") {
       continue;
     }
     if (is("FL-LABEL-ESCAPED-QUOTE", e3)) {
+      if (patchedLines.has(e3.line))
+        continue;
       const lineText = lineTextAt(text, e3.line);
       const caret0 = Math.max(0, e3.column - 1);
       const opens = [
@@ -312873,17 +313839,10 @@ function computeFixes(text, errors, level = "safe") {
           const q22 = lineText.lastIndexOf('"', closeIdx - 1);
           if (q1 !== -1 && q22 !== -1 && q22 > q1) {
             const inner = lineText.slice(q1 + 1, q22);
-            if (inner.includes('\\"')) {
-              const replaced = inner.split('\\"').join("&quot;");
+            const replaced = sanitizeQuotedInner(inner);
+            if (replaced !== inner) {
               edits.push({ start: { line: e3.line, column: q1 + 2 }, end: { line: e3.line, column: q22 + 1 }, newText: replaced });
               continue;
-              if (is("FL-META-UNSUPPORTED", e3)) {
-                if (level === "all") {
-                  const lineText2 = lineTextAt(text, e3.line);
-                  edits.push({ start: { line: e3.line, column: 1 }, end: { line: e3.line + 1, column: 1 }, newText: "" });
-                }
-                continue;
-              }
             }
           }
         }
@@ -312893,11 +313852,12 @@ function computeFixes(text, errors, level = "safe") {
     }
     if (is("FL-META-UNSUPPORTED", e3)) {
       if (level === "all") {
+        const lineText = lineTextAt(text, e3.line);
         edits.push({ start: { line: e3.line, column: 1 }, end: { line: e3.line + 1, column: 1 }, newText: "" });
       }
       continue;
     }
-    if (is("FL-LABEL-BACKTICK", e3)) {
+    if (is("FL-LABEL-BACKTICK", e3) && e3.severity === "warning") {
       edits.push(replaceRange(text, at(e3), e3.length ?? 1, ""));
       continue;
     }
@@ -312907,13 +313867,13 @@ function computeFixes(text, errors, level = "safe") {
       let qOpenIdx = -1;
       let qChar = null;
       for (let i3 = caret0; i3 >= 0; i3--) {
-        const ch2 = lineText[i3];
-        const code = ch2 ? ch2.charCodeAt(0) : -1;
+        const ch = lineText[i3];
+        const code = ch ? ch.charCodeAt(0) : -1;
         if (code === 34 || code === 39) {
           const bs = i3 > 0 && lineText[i3 - 1] === "\\";
           if (!bs) {
             qOpenIdx = i3;
-            qChar = ch2;
+            qChar = ch;
             break;
           }
         }
@@ -312921,8 +313881,8 @@ function computeFixes(text, errors, level = "safe") {
       if (qOpenIdx !== -1 && qChar) {
         let qCloseIdx = -1;
         for (let j3 = qOpenIdx + 1; j3 < lineText.length; j3++) {
-          const ch2 = lineText[j3];
-          const code = ch2 ? ch2.charCodeAt(0) : -1;
+          const ch = lineText[j3];
+          const code = ch ? ch.charCodeAt(0) : -1;
           if (code === (qChar ? qChar.charCodeAt(0) : -1)) {
             const bs = lineText[j3 - 1] === "\\";
             if (!bs) {
@@ -312933,17 +313893,13 @@ function computeFixes(text, errors, level = "safe") {
         }
         if (qCloseIdx > qOpenIdx) {
           const inner = lineText.slice(qOpenIdx + 1, qCloseIdx);
-          const replaced = inner.replace(/\{/g, "&#123;").replace(/\}/g, "&#125;");
+          const replaced = sanitizeQuotedInner(inner);
           if (replaced !== inner) {
             edits.push({ start: { line: e3.line, column: qOpenIdx + 2 }, end: { line: e3.line, column: qCloseIdx + 1 }, newText: replaced });
             continue;
           }
         }
       }
-      const ch = lineText[caret0] || "";
-      const rep = ch === "{" ? "&#123;" : ch === "}" ? "&#125;" : ch;
-      if (rep !== ch)
-        edits.push(replaceRange(text, at(e3), e3.length ?? 1, rep));
       continue;
     }
     if (is("FL-END-WITHOUT-SUBGRAPH", e3)) {
@@ -312955,6 +313911,11 @@ function computeFixes(text, errors, level = "safe") {
     if (is("FL-LABEL-DOUBLE-IN-DOUBLE", e3)) {
       const lineText = lineTextAt(text, e3.line);
       const caret0 = Math.max(0, e3.column - 1);
+      const rawDqCount = (lineText.match(/\"/g) || []).length;
+      const unescapedDqCount = (lineText.replace(/\\\"/g, "").match(/\"/g) || []).length;
+      if (rawDqCount + unescapedDqCount > 8 && level !== "all") {
+        continue;
+      }
       const opens = [
         { tok: "[[", idx: lineText.lastIndexOf("[[", caret0) },
         { tok: "((", idx: lineText.lastIndexOf("((", caret0) },
@@ -312978,7 +313939,7 @@ function computeFixes(text, errors, level = "safe") {
         const q22 = lineText.lastIndexOf('"', closeIdx - 1);
         if (q1 !== -1 && q22 !== -1 && q22 > q1) {
           const inner = lineText.slice(q1 + 1, q22);
-          const replaced = inner.split("&quot;").join("\0").split('"').join("&quot;").split("\0").join("&quot;");
+          const replaced = sanitizeQuotedInner(inner);
           if (replaced !== inner) {
             const start = { line: e3.line, column: q1 + 2 };
             const end = { line: e3.line, column: q22 + 1 };
@@ -313340,6 +314301,10 @@ function computeFixes(text, errors, level = "safe") {
       if (level === "safe" || level === "all") {
         const lineText = lineTextAt(text, e3.line);
         const caret0 = Math.max(0, e3.column - 1);
+        const dq = (lineText.replace(/\\\"/g, "").match(/\"/g) || []).length;
+        if (lineText.length > 600 || dq > 8) {
+          continue;
+        }
         const openPairs = [
           { open: "[[", close: "]]", idx: lineText.lastIndexOf("[[", caret0), delta: 2 },
           { open: "((", close: "))", idx: lineText.lastIndexOf("((", caret0), delta: 2 },
@@ -313390,6 +314355,24 @@ function computeFixes(text, errors, level = "safe") {
           { open: "[", close: "]" },
           { open: "(", close: ")" }
         ];
+        const findMatchingCloser = (text2, openIdx, opener, closer) => {
+          let pos = openIdx + opener.length;
+          let depth = 1;
+          while (pos < text2.length && depth > 0) {
+            if (text2.slice(pos, pos + opener.length) === opener) {
+              depth++;
+              pos += opener.length;
+            } else if (text2.slice(pos, pos + closer.length) === closer) {
+              depth--;
+              if (depth === 0)
+                return pos;
+              pos += closer.length;
+            } else {
+              pos++;
+            }
+          }
+          return -1;
+        };
         for (const shape of shapes) {
           let searchStart = 0;
           while (true) {
@@ -313397,7 +314380,7 @@ function computeFixes(text, errors, level = "safe") {
             if (openIdx === -1)
               break;
             const contentStart = openIdx + shape.open.length;
-            const closeIdx = lineText.indexOf(shape.close, contentStart);
+            const closeIdx = shape.open === "(" && shape.close === ")" ? findMatchingCloser(lineText, openIdx, shape.open, shape.close) : lineText.indexOf(shape.close, contentStart);
             if (closeIdx === -1)
               break;
             if (openIdx <= caret0 && caret0 < closeIdx) {
@@ -313415,10 +314398,11 @@ function computeFixes(text, errors, level = "safe") {
               const left = core.slice(0, 1);
               const right = core.slice(-1);
               const isSlashPair = (l3, r3) => l3 === "/" && r3 === "/" || l3 === "\\" && r3 === "\\" || l3 === "/" && r3 === "\\" || l3 === "\\" && r3 === "/";
-              if (core.length >= 2 && isSlashPair(left, right)) {
-                break;
+              const isParallelogramShape = core.length >= 2 && isSlashPair(left, right);
+              let replaced = inner.replace(/\(/g, "&#40;").replace(/\)/g, "&#41;");
+              if (isParallelogramShape) {
+                replaced = replaced.replace(/"/g, "&quot;");
               }
-              const replaced = inner.replace(/\(/g, "&#40;").replace(/\)/g, "&#41;");
               if (replaced !== inner) {
                 edits.push({ start: { line: e3.line, column: contentStart + 1 }, end: { line: e3.line, column: closeIdx + 1 }, newText: replaced });
                 patchedLines.add(e3.line);
@@ -323538,7 +324522,7 @@ ${baseGroup}
         return out;
       }
       htmlDecode(s3) {
-        return s3.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&").replace(/&quot;/g, '"').replace(/&#39;/g, "'");
+        return s3.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&").replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&#96;/g, "`").replace(/&#123;/g, "{").replace(/&#125;/g, "}").replace(/&#40;/g, "(").replace(/&#41;/g, ")");
       }
       generateEdge(edge, padX, padY, nodeMap) {
         if (!edge.points || edge.points.length < 2) {
@@ -328247,10 +329231,11 @@ var ProbeAgent_exports = {};
 __export(ProbeAgent_exports, {
   ProbeAgent: () => ProbeAgent
 });
-var import_anthropic, import_openai, import_google, import_ai3, import_crypto5, import_events2, import_fs7, import_promises2, import_path9, MAX_TOOL_ITERATIONS, MAX_HISTORY_MESSAGES, SUPPORTED_IMAGE_EXTENSIONS, MAX_IMAGE_FILE_SIZE, ProbeAgent;
+var import_dotenv, import_anthropic, import_openai, import_google, import_ai3, import_crypto5, import_events2, import_fs7, import_promises2, import_path9, MAX_TOOL_ITERATIONS, MAX_HISTORY_MESSAGES, SUPPORTED_IMAGE_EXTENSIONS, MAX_IMAGE_FILE_SIZE, ProbeAgent;
 var init_ProbeAgent = __esm({
   "src/agent/ProbeAgent.js"() {
     "use strict";
+    import_dotenv = __toESM(require_main(), 1);
     import_anthropic = __nccwpck_require__(93201);
     import_openai = __nccwpck_require__(87635);
     import_google = __nccwpck_require__(30260);
@@ -328272,6 +329257,7 @@ var init_ProbeAgent = __esm({
     init_schemaUtils();
     init_xmlParsingUtils();
     init_mcp();
+    import_dotenv.default.config();
     MAX_TOOL_ITERATIONS = parseInt(process.env.MAX_TOOL_ITERATIONS || "30", 10);
     MAX_HISTORY_MESSAGES = 100;
     SUPPORTED_IMAGE_EXTENSIONS = ["png", "jpg", "jpeg", "webp", "gif", "bmp", "svg"];
@@ -331120,8 +332106,10 @@ __export(index_exports, {
   tools: () => tools_exports
 });
 module.exports = __toCommonJS(index_exports);
+var import_dotenv2;
 var init_index = __esm({
   "src/index.js"() {
+    import_dotenv2 = __toESM(require_main(), 1);
     init_search();
     init_query();
     init_extract();
@@ -331141,6 +332129,7 @@ var init_index = __esm({
     init_probeTool();
     init_storage();
     init_hooks();
+    import_dotenv2.default.config();
   }
 });
 init_index();
@@ -360716,6 +361705,14 @@ module.exports = /*#__PURE__*/JSON.parse('{"$schema":"http://json-schema.org/dra
 
 /***/ }),
 
+/***/ 80056:
+/***/ ((module) => {
+
+"use strict";
+module.exports = /*#__PURE__*/JSON.parse('{"name":"dotenv","version":"17.2.3","description":"Loads environment variables from .env file","main":"lib/main.js","types":"lib/main.d.ts","exports":{".":{"types":"./lib/main.d.ts","require":"./lib/main.js","default":"./lib/main.js"},"./config":"./config.js","./config.js":"./config.js","./lib/env-options":"./lib/env-options.js","./lib/env-options.js":"./lib/env-options.js","./lib/cli-options":"./lib/cli-options.js","./lib/cli-options.js":"./lib/cli-options.js","./package.json":"./package.json"},"scripts":{"dts-check":"tsc --project tests/types/tsconfig.json","lint":"standard","pretest":"npm run lint && npm run dts-check","test":"tap run tests/**/*.js --allow-empty-coverage --disable-coverage --timeout=60000","test:coverage":"tap run tests/**/*.js --show-full-coverage --timeout=60000 --coverage-report=text --coverage-report=lcov","prerelease":"npm test","release":"standard-version"},"repository":{"type":"git","url":"git://github.com/motdotla/dotenv.git"},"homepage":"https://github.com/motdotla/dotenv#readme","funding":"https://dotenvx.com","keywords":["dotenv","env",".env","environment","variables","config","settings"],"readmeFilename":"README.md","license":"BSD-2-Clause","devDependencies":{"@types/node":"^18.11.3","decache":"^4.6.2","sinon":"^14.0.1","standard":"^17.0.0","standard-version":"^9.5.0","tap":"^19.2.0","typescript":"^4.8.4"},"engines":{"node":">=12"},"browser":{"fs":false}}');
+
+/***/ }),
+
 /***/ 17324:
 /***/ ((module) => {
 
@@ -360784,7 +361781,7 @@ module.exports = /*#__PURE__*/JSON.parse('{"assert":true,"node:assert":[">= 14.1
 /***/ ((module) => {
 
 "use strict";
-module.exports = {"rE":"0.1.95"};
+module.exports = {"rE":"0.1.96"};
 
 /***/ })