@spacebar_ai/moldclaw-core 2026.3.41 → 2026.3.44

package/dist/secrets-cli-C6yIWBbN.js

@@ -1,2070 +0,0 @@
-import "./redact-fatrROh9.js";
-import "./errors-DOJWZqNo.js";
-import "./unhandled-rejections-CTvNvnT0.js";
-import "./logger-BFfIIIKH.js";
-import { _ as resolveStateDir } from "./paths-D6AgsMTU.js";
-import "./tmp-moldclaw-dir-DWF-d8qD.js";
-import { r as theme } from "./theme-BSXzMzAA.js";
-import { t as danger } from "./globals-DESrFYmC.js";
-import { n as defaultRuntime } from "./runtime-_tQz41uA.js";
-import "./ansi-BPhP6LBZ.js";
-import "./subsystem-CPmDTJ2P.js";
-import "./boolean-B6zcAynR.js";
-import "./env-D42cffog.js";
-import "./warning-filter-B1UOeM0G.js";
-import { g as resolveConfigDir, y as resolveUserPath } from "./utils-C7ykRPCQ.js";
-import { t as formatDocsLink } from "./links-BcahUP5U.js";
-import { y as resolveAuthStorePath } from "./setup-binary-C17YnmA8.js";
-import { Bd as hasConfiguredPlaintextSecretValue, DE as loadAuthProfileStoreForSecretsRuntime, Vd as isExpectedResolvedSecretValue, bx as isNonSecretApiKeyMarker, xx as isSecretRefHeaderValueMarker, yd as prepareSecretsRuntimeSnapshot, zd as assertExpectedResolvedSecretValue } from "./auth-profiles-1kPLbBwI.js";
-import { w as normalizeProviderId } from "./model-selection-hL8i1Jbs.js";
-import { a as resolveAgentDir, i as resolveAgentConfig, m as resolveDefaultAgentId, r as listAgentIds } from "./agent-scope-C-YmLnnb.js";
-import { c as normalizeAgentId } from "./session-key-UoG7Kfw5.js";
-import "./boundary-file-read-tPYh_8fH.js";
-import "./logger-BGzLUitz.js";
-import "./exec-CvEtXqTZ.js";
-import "./workspace-CpWi5wPr.js";
-import { i as createConfigIO } from "./io-CMfWWPXQ.js";
-import "./host-env-security-DQ2i_W12.js";
-import "./safe-text-Cnulee_z.js";
-import "./version-T8nMYUnU.js";
-import { d as resolveSecretInputRef, i as coerceSecretRef } from "./types.secrets-Ca-9L8vU.js";
-import "./env-substitution-68cyvF5h.js";
-import "./config-state-h5jUoHya.js";
-import "./network-mode-BtWXzwYn.js";
-import { t as isSafeExecutableValue } from "./exec-safety-Bpmt08lt.js";
-import "./registry-C1pRrsQl.js";
-import "./manifest-registry-DAd0SRAP.js";
-import "./ip-C4YAIpr4.js";
-import { a as formatExecSecretRefIdValidationMessage, c as isValidSecretProviderAlias, l as resolveDefaultSecretProviderAlias, o as isValidExecSecretRefId, u as secretRefKey } from "./ref-contract-4C9nIZsw.js";
-import { C as SecretProviderSchema } from "./zod-schema.core-DvwgNmpd.js";
-import "./config-sW57gztj.js";
-import "./audit-fs-CMb-YUHX.js";
-import { t as runTasksWithConcurrency } from "./run-with-concurrency-FCQhTT5R.js";
-import { i as resolveSecretRefValues, r as resolveSecretRefValue, t as isProviderScopedSecretResolutionError } from "./resolve-PSlwZjg3.js";
-import { a as parseDotPath, c as writeTextFileAtomic, n as isNonEmptyString, o as parseEnvValue, r as isRecord, s as toDotPath, t as describeUnknownError } from "./shared-dXUb11iF.js";
-import "./provider-web-search-CcUC9ktE.js";
-import "./text-runtime-Cfq-Uyx0.js";
-import "./workspace-dirs-x10McA9t.js";
-import "./config-BwkGZjD5.js";
-import "./tailnet-fFTz5Twr.js";
-import "./net-K181nxTH.js";
-import "./credentials-D-5Pb-aZ.js";
-import "./routes-4k2kpvoT.js";
-import "./frontmatter-Cgg0ICvh.js";
-import "./env-overrides-DBQl3LRc.js";
-import "./path-alias-guards-BtSO7sk7.js";
-import "./skills-CbB5b27M.js";
-import "./ports-Ca74cFb2.js";
-import "./ports-lsof-CoiADo0p.js";
-import "./ssh-tunnel-DsY-9yao.js";
-import "./image-ops-Ck_D_vpe.js";
-import "./fs-safe-CRXFoBmh.js";
-import "./mime-DGFQe4XX.js";
-import "./server-middleware-Djfoa1s0.js";
-import "./message-channel-DFE4FuE_.js";
-import "./resolve-route-CSHDsa_m.js";
-import "./internal-hooks-83AcmxP3.js";
-import "./lazy-runtime-BoGB4usD.js";
-import "./config-schema-BNU4GQh_.js";
-import "./method-scopes-CQE7-bZ-.js";
-import "./session-cost-usage-DWgQk6XT.js";
-import "./paths-ApLcu1Uu.js";
-import "./routing-DQ-fpTaA.js";
-import "./send-BuNhp8PH.js";
-import "./node-resolve-D5Hvcgyx.js";
-import "./provider-stream-DrUD69ai.js";
-import "./identity-file-sshkKKIr.js";
-import "./provider-models-BCId_Lfu.js";
-import "./secret-file-p1IhQzwJ.js";
-import "./logging-Dy7UYzIN.js";
-import "./runtime-env-BlEtPF6b.js";
-import { d as PROVIDER_ENV_VARS, p as listKnownSecretEnvVarNames } from "./registry-BFMbkmgR.js";
-import "./provider-onboard-Ca0TaNud.js";
-import "./model-definitions-Cyyzm6Kr.js";
-import "./usage-N3bxnbmt.js";
-import "./device-identity-CRfhC3_s.js";
-import "./auth-Byfp0flq.js";
-import "./subscription-BhZORXN9.js";
-import "./diagnostic-D96Xaqrj.js";
-import "./message-hook-mappers-CeiHXgSQ.js";
-import "./json-store--7cBPxTG.js";
-import "./call-ByEzDJ1_.js";
-import "./multimodal-BJBBn_4F.js";
-import "./memory-search-Cv1SBrn7.js";
-import "./query-expansion-D_Mm5Hhi.js";
-import "./search-manager-C7J7B3_a.js";
-import "./core-CvDzLs7B.js";
-import "./issue-format-B0SI57Es.js";
-import "./logging-CxP9suT8.js";
-import "./note-dOl5kPAy.js";
-import "./state-paths-DsMoTg25.js";
-import "./config-value-CtTWALxG.js";
-import { _ as getPath, g as deletePathStrict, h as resolvePlanTargetAgainstRegistry, l as discoverAuthProfileSecretTargets, m as listAuthProfileSecretTargetEntries, p as isKnownSecretTargetType, u as discoverConfigSecretTargets, v as setPathCreateStrict } from "./command-secret-targets-BFF4x_RB.js";
-import "./brave-BoWimrLe.js";
-import "./provider-usage-D8EZpFz9.js";
-import "./perplexity-EZwC3y2b.js";
-import "./restart-stale-pids-CPF1_61W.js";
-import "./delivery-queue-BOf5wYIc.js";
-import "./pairing-token-bu1e6z6X.js";
-import "./accounts-J2OhhhQi.js";
-import "./process-runtime-D27SftX_.js";
-import "./audit-CIWW1Aqm.js";
-import "./cli-runtime-DTCHPjCi.js";
-import "./cli-utils-BCuSS4l6.js";
-import "./help-format-BFzPm_8V.js";
-import "./progress-Cwq59vgZ.js";
-import "./gateway-runtime-D89mSQPB.js";
-import { n as callGatewayFromCli, t as addGatewayClientOptions } from "./gateway-rpc-BGC1Rxvg.js";
-import fs from "node:fs";
-import path from "node:path";
-import os from "node:os";
-import { isDeepStrictEqual } from "node:util";
-import { confirm, select, text } from "@clack/prompts";
-//#region src/secrets/auth-profiles-scan.ts
-function getAuthProfileFieldName(pathPattern) {
-	const segments = pathPattern.split(".").filter(Boolean);
-	return segments[segments.length - 1] ?? "";
-}
-const AUTH_PROFILE_FIELD_SPEC_BY_TYPE = (() => {
-	const defaults = {
-		api_key: {
-			valueField: "key",
-			refField: "keyRef"
-		},
-		token: {
-			valueField: "token",
-			refField: "tokenRef"
-		}
-	};
-	for (const target of listAuthProfileSecretTargetEntries()) {
-		if (!target.authProfileType) continue;
-		defaults[target.authProfileType] = {
-			valueField: getAuthProfileFieldName(target.pathPattern),
-			refField: target.refPathPattern !== void 0 ? getAuthProfileFieldName(target.refPathPattern) : defaults[target.authProfileType].refField
-		};
-	}
-	return defaults;
-})();
-function getAuthProfileFieldSpec(type) {
-	return AUTH_PROFILE_FIELD_SPEC_BY_TYPE[type];
-}
-function toSecretCredentialVisit(params) {
-	const spec = getAuthProfileFieldSpec(params.kind);
-	return {
-		kind: params.kind,
-		profileId: params.profileId,
-		provider: params.provider,
-		profile: params.profile,
-		valueField: spec.valueField,
-		refField: spec.refField,
-		value: params.profile[spec.valueField],
-		refValue: params.profile[spec.refField]
-	};
-}
-function* iterateAuthProfileCredentials(profiles) {
-	for (const [profileId, value] of Object.entries(profiles)) {
-		if (!isRecord(value) || !isNonEmptyString(value.provider)) continue;
-		const provider = String(value.provider);
-		if (value.type === "api_key" || value.type === "token") {
-			yield toSecretCredentialVisit({
-				kind: value.type,
-				profileId,
-				provider,
-				profile: value
-			});
-			continue;
-		}
-		if (value.type === "oauth") yield {
-			kind: "oauth",
-			profileId,
-			provider,
-			profile: value,
-			hasAccess: isNonEmptyString(value.access),
-			hasRefresh: isNonEmptyString(value.refresh)
-		};
-	}
-}
-//#endregion
-//#region src/secrets/config-io.ts
-const silentConfigIoLogger = {
-	error: () => {},
-	warn: () => {}
-};
-function createSecretsConfigIO(params) {
-	return createConfigIO({
-		env: params.env,
-		logger: silentConfigIoLogger
-	});
-}
-//#endregion
-//#region src/secrets/plan.ts
-const FORBIDDEN_PATH_SEGMENTS = new Set([
-	"__proto__",
-	"prototype",
-	"constructor"
-]);
-function isObjectRecord(value) {
-	return Boolean(value) && typeof value === "object" && !Array.isArray(value);
-}
-function isSecretProviderConfigShape(value) {
-	return SecretProviderSchema.safeParse(value).success;
-}
-function hasForbiddenPathSegment(segments) {
-	return segments.some((segment) => FORBIDDEN_PATH_SEGMENTS.has(segment));
-}
-function resolveValidatedPlanTarget(candidate) {
-	if (!isKnownSecretTargetType(candidate.type)) return null;
-	const path = typeof candidate.path === "string" ? candidate.path.trim() : "";
-	if (!path) return null;
-	const segments = Array.isArray(candidate.pathSegments) && candidate.pathSegments.length > 0 ? candidate.pathSegments.map((segment) => String(segment).trim()).filter(Boolean) : parseDotPath(path);
-	if (segments.length === 0 || hasForbiddenPathSegment(segments) || path !== toDotPath(segments)) return null;
-	return resolvePlanTargetAgainstRegistry({
-		type: candidate.type,
-		pathSegments: segments,
-		providerId: candidate.providerId,
-		accountId: candidate.accountId
-	});
-}
-function isSecretsApplyPlan(value) {
-	if (!value || typeof value !== "object" || Array.isArray(value)) return false;
-	const typed = value;
-	if (typed.version !== 1 || typed.protocolVersion !== 1 || !Array.isArray(typed.targets)) return false;
-	for (const target of typed.targets) {
-		if (!target || typeof target !== "object") return false;
-		const candidate = target;
-		const ref = candidate.ref;
-		const resolved = resolveValidatedPlanTarget({
-			type: candidate.type,
-			path: candidate.path,
-			pathSegments: candidate.pathSegments,
-			agentId: candidate.agentId,
-			providerId: candidate.providerId,
-			accountId: candidate.accountId,
-			authProfileProvider: candidate.authProfileProvider
-		});
-		if (!isKnownSecretTargetType(candidate.type) || typeof candidate.path !== "string" || !candidate.path.trim() || candidate.pathSegments !== void 0 && !Array.isArray(candidate.pathSegments) || !resolved || !ref || typeof ref !== "object" || ref.source !== "env" && ref.source !== "file" && ref.source !== "exec" || typeof ref.provider !== "string" || ref.provider.trim().length === 0 || typeof ref.id !== "string" || ref.id.trim().length === 0 || ref.source === "exec" && !isValidExecSecretRefId(ref.id)) return false;
-		if (resolved.entry.configFile === "auth-profiles.json") {
-			if (typeof candidate.agentId !== "string" || candidate.agentId.trim().length === 0) return false;
-			if (candidate.authProfileProvider !== void 0 && (typeof candidate.authProfileProvider !== "string" || candidate.authProfileProvider.trim().length === 0)) return false;
-		}
-	}
-	if (typed.providerUpserts !== void 0) {
-		if (!isObjectRecord(typed.providerUpserts)) return false;
-		for (const [providerAlias, providerValue] of Object.entries(typed.providerUpserts)) {
-			if (!isValidSecretProviderAlias(providerAlias)) return false;
-			if (!isSecretProviderConfigShape(providerValue)) return false;
-		}
-	}
-	if (typed.providerDeletes !== void 0) {
-		if (!Array.isArray(typed.providerDeletes) || typed.providerDeletes.some((providerAlias) => typeof providerAlias !== "string" || !isValidSecretProviderAlias(providerAlias))) return false;
-	}
-	return true;
-}
-function normalizeSecretsPlanOptions(options) {
-	return {
-		scrubEnv: options?.scrubEnv ?? true,
-		scrubAuthProfilesForProviderTargets: options?.scrubAuthProfilesForProviderTargets ?? true,
-		scrubLegacyAuthJson: options?.scrubLegacyAuthJson ?? true
-	};
-}
-//#endregion
-//#region src/secrets/auth-store-paths.ts
-function listAuthProfileStorePaths$1(config, stateDir) {
-	const paths = /* @__PURE__ */ new Set();
-	paths.add(path.join(resolveUserPath(stateDir), "agents", "main", "agent", "auth-profiles.json"));
-	const agentsRoot = path.join(resolveUserPath(stateDir), "agents");
-	if (fs.existsSync(agentsRoot)) for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
-		if (!entry.isDirectory()) continue;
-		paths.add(path.join(agentsRoot, entry.name, "agent", "auth-profiles.json"));
-	}
-	for (const agentId of listAgentIds(config)) {
-		if (agentId === "main") {
-			paths.add(path.join(resolveUserPath(stateDir), "agents", "main", "agent", "auth-profiles.json"));
-			continue;
-		}
-		const agentDir = resolveAgentDir(config, agentId);
-		paths.add(resolveUserPath(resolveAuthStorePath(agentDir)));
-	}
-	return [...paths];
-}
-//#endregion
-//#region src/secrets/storage-scan.ts
-function parseEnvAssignmentValue(raw) {
-	return parseEnvValue(raw);
-}
-function listAuthProfileStorePaths(config, stateDir) {
-	return listAuthProfileStorePaths$1(config, stateDir);
-}
-function listLegacyAuthJsonPaths(stateDir) {
-	const out = [];
-	const agentsRoot = path.join(resolveUserPath(stateDir), "agents");
-	if (!fs.existsSync(agentsRoot)) return out;
-	for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
-		if (!entry.isDirectory()) continue;
-		const candidate = path.join(agentsRoot, entry.name, "agent", "auth.json");
-		if (fs.existsSync(candidate)) out.push(candidate);
-	}
-	return out;
-}
-function resolveActiveAgentDir(stateDir, env = process.env) {
-	const override = env.MOLDCLAW_AGENT_DIR?.trim() || env.PI_CODING_AGENT_DIR?.trim();
-	if (override) return resolveUserPath(override);
-	return path.join(resolveUserPath(stateDir), "agents", "main", "agent");
-}
-function listAgentModelsJsonPaths(config, stateDir, env = process.env) {
-	const resolvedStateDir = resolveUserPath(stateDir);
-	const paths = /* @__PURE__ */ new Set();
-	paths.add(path.join(resolvedStateDir, "agents", "main", "agent", "models.json"));
-	paths.add(path.join(resolveActiveAgentDir(stateDir, env), "models.json"));
-	const agentsRoot = path.join(resolvedStateDir, "agents");
-	if (fs.existsSync(agentsRoot)) for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
-		if (!entry.isDirectory()) continue;
-		paths.add(path.join(agentsRoot, entry.name, "agent", "models.json"));
-	}
-	for (const agentId of listAgentIds(config)) {
-		if (agentId === "main") {
-			paths.add(path.join(resolvedStateDir, "agents", "main", "agent", "models.json"));
-			continue;
-		}
-		const agentDir = resolveAgentDir(config, agentId);
-		paths.add(path.join(resolveUserPath(agentDir), "models.json"));
-	}
-	return [...paths];
-}
-function readJsonObjectIfExists(filePath, options = {}) {
-	if (!fs.existsSync(filePath)) return { value: null };
-	try {
-		const stats = fs.statSync(filePath);
-		if (options.requireRegularFile && !stats.isFile()) return {
-			value: null,
-			error: `Refusing to read non-regular file: ${filePath}`
-		};
-		if (typeof options.maxBytes === "number" && Number.isFinite(options.maxBytes) && options.maxBytes >= 0 && stats.size > options.maxBytes) return {
-			value: null,
-			error: `Refusing to read oversized JSON (${stats.size} bytes): ${filePath}`
-		};
-		const raw = fs.readFileSync(filePath, "utf8");
-		const parsed = JSON.parse(raw);
-		if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return { value: null };
-		return { value: parsed };
-	} catch (err) {
-		return {
-			value: null,
-			error: err instanceof Error ? err.message : String(err)
-		};
-	}
-}
-//#endregion
-//#region src/secrets/apply.ts
-function resolveTarget(target) {
-	const resolved = resolveValidatedPlanTarget(target);
-	if (!resolved) throw new Error(`Invalid plan target path for ${target.type}: ${target.path}`);
-	return resolved;
-}
-function scrubEnvRaw(raw, migratedValues, allowedEnvKeys) {
-	if (migratedValues.size === 0 || allowedEnvKeys.size === 0) return {
-		nextRaw: raw,
-		removed: 0
-	};
-	const lines = raw.split(/\r?\n/);
-	const nextLines = [];
-	let removed = 0;
-	for (const line of lines) {
-		const match = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
-		if (!match) {
-			nextLines.push(line);
-			continue;
-		}
-		const envKey = match[1] ?? "";
-		if (!allowedEnvKeys.has(envKey)) {
-			nextLines.push(line);
-			continue;
-		}
-		const parsedValue = parseEnvAssignmentValue(match[2] ?? "");
-		if (migratedValues.has(parsedValue)) {
-			removed += 1;
-			continue;
-		}
-		nextLines.push(line);
-	}
-	const hadTrailingNewline = raw.endsWith("\n");
-	const joined = nextLines.join("\n");
-	return {
-		nextRaw: hadTrailingNewline || joined.length === 0 ? `${joined}${joined.endsWith("\n") ? "" : "\n"}` : joined,
-		removed
-	};
-}
-function applyProviderPlanMutations(params) {
-	const currentProviders = isRecord(params.config.secrets?.providers) ? structuredClone(params.config.secrets?.providers) : {};
-	let changed = false;
-	for (const providerAlias of params.deletes ?? []) {
-		if (!Object.prototype.hasOwnProperty.call(currentProviders, providerAlias)) continue;
-		delete currentProviders[providerAlias];
-		changed = true;
-	}
-	for (const [providerAlias, providerConfig] of Object.entries(params.upserts ?? {})) {
-		const previous = currentProviders[providerAlias];
-		if (isDeepStrictEqual(previous, providerConfig)) continue;
-		currentProviders[providerAlias] = structuredClone(providerConfig);
-		changed = true;
-	}
-	if (!changed) return false;
-	params.config.secrets ??= {};
-	if (Object.keys(currentProviders).length === 0) {
-		if ("providers" in params.config.secrets) delete params.config.secrets.providers;
-		return true;
-	}
-	params.config.secrets.providers = currentProviders;
-	return true;
-}
-async function projectPlanState(params) {
-	const { snapshot, writeOptions } = await createSecretsConfigIO({ env: params.env }).readConfigFileSnapshotForWrite();
-	if (!snapshot.valid) throw new Error("Cannot apply secrets plan: config is invalid.");
-	const options = normalizeSecretsPlanOptions(params.plan.options);
-	const nextConfig = structuredClone(snapshot.config);
-	const stateDir = resolveStateDir(params.env, os.homedir);
-	const changedFiles = /* @__PURE__ */ new Set();
-	const warnings = [];
-	const configPath = resolveUserPath(snapshot.path);
-	if (applyProviderPlanMutations({
-		config: nextConfig,
-		upserts: params.plan.providerUpserts,
-		deletes: params.plan.providerDeletes
-	})) changedFiles.add(configPath);
-	const targetMutations = applyConfigTargetMutations({
-		planTargets: params.plan.targets,
-		nextConfig,
-		stateDir,
-		authStoreByPath: /* @__PURE__ */ new Map(),
-		changedFiles
-	});
-	if (targetMutations.configChanged) changedFiles.add(configPath);
-	const authStoreByPath = scrubAuthStoresForProviderTargets({
-		nextConfig,
-		stateDir,
-		providerTargets: targetMutations.providerTargets,
-		scrubbedValues: targetMutations.scrubbedValues,
-		authStoreByPath: targetMutations.authStoreByPath,
-		changedFiles,
-		warnings,
-		enabled: options.scrubAuthProfilesForProviderTargets
-	});
-	const authJsonByPath = scrubLegacyAuthJsonStores({
-		stateDir,
-		changedFiles,
-		enabled: options.scrubLegacyAuthJson
-	});
-	const envRawByPath = scrubEnvFiles({
-		env: params.env,
-		scrubbedValues: targetMutations.scrubbedValues,
-		changedFiles,
-		enabled: options.scrubEnv
-	});
-	await validateProjectedSecretsState({
-		env: params.env,
-		nextConfig,
-		resolvedTargets: targetMutations.resolvedTargets,
-		authStoreByPath
-	});
-	return {
-		nextConfig,
-		configPath,
-		configWriteOptions: writeOptions,
-		authStoreByPath,
-		authJsonByPath,
-		envRawByPath,
-		changedFiles,
-		warnings
-	};
-}
-function applyConfigTargetMutations(params) {
-	const resolvedTargets = params.planTargets.map((target) => ({
-		target,
-		resolved: resolveTarget(target)
-	}));
-	const scrubbedValues = /* @__PURE__ */ new Set();
-	const providerTargets = /* @__PURE__ */ new Set();
-	let configChanged = false;
-	for (const { target, resolved } of resolvedTargets) {
-		if (resolved.entry.configFile === "auth-profiles.json") {
-			if (applyAuthProfileTargetMutation({
-				target,
-				resolved,
-				nextConfig: params.nextConfig,
-				stateDir: params.stateDir,
-				authStoreByPath: params.authStoreByPath,
-				scrubbedValues
-			})) {
-				const agentId = String(target.agentId ?? "").trim();
-				if (!agentId) throw new Error(`Missing required agentId for auth-profiles target ${target.path}.`);
-				params.changedFiles.add(resolveAuthStorePathForAgent({
-					nextConfig: params.nextConfig,
-					stateDir: params.stateDir,
-					agentId
-				}));
-			}
-			continue;
-		}
-		const targetPathSegments = resolved.pathSegments;
-		if (resolved.entry.secretShape === "sibling_ref") {
-			const previous = getPath(params.nextConfig, targetPathSegments);
-			if (isNonEmptyString(previous)) scrubbedValues.add(previous.trim());
-			const refPathSegments = resolved.refPathSegments;
-			if (!refPathSegments) throw new Error(`Missing sibling ref path for target ${target.type}.`);
-			const wroteRef = setPathCreateStrict(params.nextConfig, refPathSegments, target.ref);
-			const deletedLegacy = deletePathStrict(params.nextConfig, targetPathSegments);
-			if (wroteRef || deletedLegacy) configChanged = true;
-			continue;
-		}
-		const previous = getPath(params.nextConfig, targetPathSegments);
-		if (isNonEmptyString(previous)) scrubbedValues.add(previous.trim());
-		if (setPathCreateStrict(params.nextConfig, targetPathSegments, target.ref)) configChanged = true;
-		if (resolved.entry.trackProviderShadowing && resolved.providerId) providerTargets.add(normalizeProviderId(resolved.providerId));
-	}
-	return {
-		resolvedTargets,
-		scrubbedValues,
-		providerTargets,
-		configChanged,
-		authStoreByPath: params.authStoreByPath
-	};
-}
-function scrubAuthStoresForProviderTargets(params) {
-	if (!params.enabled || params.providerTargets.size === 0) return params.authStoreByPath;
-	for (const authStorePath of listAuthProfileStorePaths(params.nextConfig, params.stateDir)) {
-		const parsed = params.authStoreByPath.get(authStorePath) ?? readJsonObjectIfExists(authStorePath).value;
-		if (!parsed || !isRecord(parsed.profiles)) continue;
-		const nextStore = structuredClone(parsed);
-		let mutated = false;
-		for (const profile of iterateAuthProfileCredentials(nextStore.profiles)) {
-			const provider = normalizeProviderId(profile.provider);
-			if (!params.providerTargets.has(provider)) continue;
-			if (profile.kind === "api_key" || profile.kind === "token") {
-				if (isNonEmptyString(profile.value)) params.scrubbedValues.add(profile.value.trim());
-				if (profile.valueField in profile.profile) {
-					delete profile.profile[profile.valueField];
-					mutated = true;
-				}
-				if (profile.refField in profile.profile) {
-					delete profile.profile[profile.refField];
-					mutated = true;
-				}
-				continue;
-			}
-			if (profile.kind === "oauth" && (profile.hasAccess || profile.hasRefresh)) params.warnings.push(`Provider "${provider}" has OAuth credentials in ${authStorePath}; those still take precedence and are out of scope for static SecretRef migration.`);
-		}
-		if (mutated) {
-			params.authStoreByPath.set(authStorePath, nextStore);
-			params.changedFiles.add(authStorePath);
-		}
-	}
-	return params.authStoreByPath;
-}
-function ensureMutableAuthStore(store) {
-	const next = store ? structuredClone(store) : {};
-	if (!isRecord(next.profiles)) next.profiles = {};
-	if (typeof next.version !== "number" || !Number.isFinite(next.version)) next.version = 1;
-	return next;
-}
-function resolveAuthStoreForTarget(params) {
-	const agentId = String(params.target.agentId ?? "").trim();
-	if (!agentId) throw new Error(`Missing required agentId for auth-profiles target ${params.target.path}.`);
-	const authStorePath = resolveAuthStorePathForAgent({
-		nextConfig: params.nextConfig,
-		stateDir: params.stateDir,
-		agentId
-	});
-	const loaded = params.authStoreByPath.get(authStorePath) ?? readJsonObjectIfExists(authStorePath).value;
-	const store = ensureMutableAuthStore(isRecord(loaded) ? loaded : void 0);
-	params.authStoreByPath.set(authStorePath, store);
-	return {
-		path: authStorePath,
-		store
-	};
-}
-function asConfigPathRoot(store) {
-	return store;
-}
-function resolveAuthStorePathForAgent(params) {
-	const normalizedAgentId = normalizeAgentId(params.agentId);
-	const configuredAgentDir = resolveAgentConfig(params.nextConfig, normalizedAgentId)?.agentDir?.trim();
-	if (configuredAgentDir) return resolveUserPath(resolveAuthStorePath(configuredAgentDir));
-	return path.join(resolveUserPath(params.stateDir), "agents", normalizedAgentId, "agent", "auth-profiles.json");
-}
-function ensureAuthProfileContainer(params) {
-	let changed = false;
-	const profilePathSegments = params.resolved.pathSegments.slice(0, 2);
-	const profileId = profilePathSegments[1];
-	if (!profileId) throw new Error(`Invalid auth profile target path: ${params.target.path}`);
-	const current = getPath(params.store, profilePathSegments);
-	const expectedType = params.resolved.entry.authProfileType;
-	if (isRecord(current)) {
-		if (expectedType && typeof current.type === "string" && current.type !== expectedType) throw new Error(`Auth profile "${profileId}" type mismatch for ${params.target.path}: expected "${expectedType}", got "${current.type}".`);
-		if (!isNonEmptyString(current.provider) && isNonEmptyString(params.target.authProfileProvider)) {
-			const wroteProvider = setPathCreateStrict(asConfigPathRoot(params.store), [...profilePathSegments, "provider"], params.target.authProfileProvider);
-			changed = changed || wroteProvider;
-		}
-		return changed;
-	}
-	if (!expectedType) throw new Error(`Auth profile target ${params.target.path} is missing auth profile type metadata.`);
-	const provider = String(params.target.authProfileProvider ?? "").trim();
-	if (!provider) throw new Error(`Cannot create auth profile "${profileId}" for ${params.target.path} without authProfileProvider.`);
-	const wroteProfile = setPathCreateStrict(asConfigPathRoot(params.store), profilePathSegments, {
-		type: expectedType,
-		provider
-	});
-	changed = changed || wroteProfile;
-	return changed;
-}
-function applyAuthProfileTargetMutation(params) {
-	if (params.resolved.entry.configFile !== "auth-profiles.json") return false;
-	const { store } = resolveAuthStoreForTarget({
-		target: params.target,
-		nextConfig: params.nextConfig,
-		stateDir: params.stateDir,
-		authStoreByPath: params.authStoreByPath
-	});
-	let changed = ensureAuthProfileContainer({
-		target: params.target,
-		resolved: params.resolved,
-		store
-	});
-	const targetPathSegments = params.resolved.pathSegments;
-	if (params.resolved.entry.secretShape === "sibling_ref") {
-		const previous = getPath(store, targetPathSegments);
-		if (isNonEmptyString(previous)) params.scrubbedValues.add(previous.trim());
-		const refPathSegments = params.resolved.refPathSegments;
-		if (!refPathSegments) throw new Error(`Missing sibling ref path for auth-profiles target ${params.target.path}.`);
-		const wroteRef = setPathCreateStrict(asConfigPathRoot(store), refPathSegments, params.target.ref);
-		const deletedPlaintext = deletePathStrict(asConfigPathRoot(store), targetPathSegments);
-		changed = changed || wroteRef || deletedPlaintext;
-		return changed;
-	}
-	const previous = getPath(store, targetPathSegments);
-	if (isNonEmptyString(previous)) params.scrubbedValues.add(previous.trim());
-	const wroteRef = setPathCreateStrict(asConfigPathRoot(store), targetPathSegments, params.target.ref);
-	changed = changed || wroteRef;
-	return changed;
-}
-function scrubLegacyAuthJsonStores(params) {
-	const authJsonByPath = /* @__PURE__ */ new Map();
-	if (!params.enabled) return authJsonByPath;
-	for (const authJsonPath of listLegacyAuthJsonPaths(params.stateDir)) {
-		const parsed = readJsonObjectIfExists(authJsonPath).value;
-		if (!parsed) continue;
-		let mutated = false;
-		const nextParsed = structuredClone(parsed);
-		for (const [providerId, value] of Object.entries(nextParsed)) {
-			if (!isRecord(value)) continue;
-			if (value.type === "api_key" && isNonEmptyString(value.key)) {
-				delete nextParsed[providerId];
-				mutated = true;
-			}
-		}
-		if (mutated) {
-			authJsonByPath.set(authJsonPath, nextParsed);
-			params.changedFiles.add(authJsonPath);
-		}
-	}
-	return authJsonByPath;
-}
-function scrubEnvFiles(params) {
-	const envRawByPath = /* @__PURE__ */ new Map();
-	if (!params.enabled || params.scrubbedValues.size === 0) return envRawByPath;
-	const envPath = path.join(resolveConfigDir(params.env, os.homedir), ".env");
-	if (!fs.existsSync(envPath)) return envRawByPath;
-	const current = fs.readFileSync(envPath, "utf8");
-	const scrubbed = scrubEnvRaw(current, params.scrubbedValues, new Set(listKnownSecretEnvVarNames()));
-	if (scrubbed.removed > 0 && scrubbed.nextRaw !== current) {
-		envRawByPath.set(envPath, scrubbed.nextRaw);
-		params.changedFiles.add(envPath);
-	}
-	return envRawByPath;
-}
-async function validateProjectedSecretsState(params) {
-	const cache = {};
-	for (const { target, resolved: resolvedTarget } of params.resolvedTargets) assertExpectedResolvedSecretValue({
-		value: await resolveSecretRefValue(target.ref, {
-			config: params.nextConfig,
-			env: params.env,
-			cache
-		}),
-		expected: resolvedTarget.entry.expectedResolvedValue,
-		errorMessage: resolvedTarget.entry.expectedResolvedValue === "string" ? `Ref ${target.ref.source}:${target.ref.provider}:${target.ref.id} is not a non-empty string.` : `Ref ${target.ref.source}:${target.ref.provider}:${target.ref.id} is not string/object.`
-	});
-	const authStoreLookup = /* @__PURE__ */ new Map();
-	for (const [authStorePath, store] of params.authStoreByPath.entries()) authStoreLookup.set(resolveUserPath(authStorePath), store);
-	await prepareSecretsRuntimeSnapshot({
-		config: params.nextConfig,
-		env: params.env,
-		loadAuthStore: (agentDir) => {
-			const storePath = resolveUserPath(resolveAuthStorePath(agentDir));
-			const override = authStoreLookup.get(storePath);
-			if (override) return structuredClone(override);
-			return loadAuthProfileStoreForSecretsRuntime(agentDir);
-		}
-	});
-}
-function captureFileSnapshot(pathname) {
-	if (!fs.existsSync(pathname)) return {
-		existed: false,
-		content: "",
-		mode: 384
-	};
-	const stat = fs.statSync(pathname);
-	return {
-		existed: true,
-		content: fs.readFileSync(pathname, "utf8"),
-		mode: stat.mode & 511
-	};
-}
-function restoreFileSnapshot(pathname, snapshot) {
-	if (!snapshot.existed) {
-		if (fs.existsSync(pathname)) fs.rmSync(pathname, { force: true });
-		return;
-	}
-	writeTextFileAtomic(pathname, snapshot.content, snapshot.mode || 384);
-}
-function toJsonWrite(pathname, value) {
-	return {
-		path: pathname,
-		content: `${JSON.stringify(value, null, 2)}\n`,
-		mode: 384
-	};
-}
-async function runSecretsApply(params) {
-	const env = params.env ?? process.env;
-	const projected = await projectPlanState({
-		plan: params.plan,
-		env
-	});
-	const changedFiles = [...projected.changedFiles].toSorted();
-	if (!params.write) return {
-		mode: "dry-run",
-		changed: changedFiles.length > 0,
-		changedFiles,
-		warningCount: projected.warnings.length,
-		warnings: projected.warnings
-	};
-	if (changedFiles.length === 0) return {
-		mode: "write",
-		changed: false,
-		changedFiles: [],
-		warningCount: projected.warnings.length,
-		warnings: projected.warnings
-	};
-	const io = createSecretsConfigIO({ env });
-	const snapshots = /* @__PURE__ */ new Map();
-	const capture = (pathname) => {
-		if (!snapshots.has(pathname)) snapshots.set(pathname, captureFileSnapshot(pathname));
-	};
-	capture(projected.configPath);
-	const writes = [];
-	for (const [pathname, value] of projected.authStoreByPath.entries()) {
-		capture(pathname);
-		writes.push(toJsonWrite(pathname, value));
-	}
-	for (const [pathname, value] of projected.authJsonByPath.entries()) {
-		capture(pathname);
-		writes.push(toJsonWrite(pathname, value));
-	}
-	for (const [pathname, raw] of projected.envRawByPath.entries()) {
-		capture(pathname);
-		writes.push({
-			path: pathname,
-			content: raw,
-			mode: 384
-		});
-	}
-	try {
-		await io.writeConfigFile(projected.nextConfig, projected.configWriteOptions);
-		for (const write of writes) writeTextFileAtomic(write.path, write.content, write.mode);
-	} catch (err) {
-		for (const [pathname, snapshot] of snapshots.entries()) try {
-			restoreFileSnapshot(pathname, snapshot);
-		} catch {}
-		throw new Error(`Secrets apply failed: ${String(err)}`, { cause: err });
-	}
-	return {
-		mode: "write",
-		changed: changedFiles.length > 0,
-		changedFiles,
-		warningCount: projected.warnings.length,
-		warnings: projected.warnings
-	};
-}
-//#endregion
-//#region src/secrets/audit.ts
-const REF_RESOLVE_FALLBACK_CONCURRENCY = 8;
-const MAX_AUDIT_MODELS_JSON_BYTES = 5 * 1024 * 1024;
-const ALWAYS_SENSITIVE_MODEL_PROVIDER_HEADER_NAMES = new Set([
-	"authorization",
-	"proxy-authorization",
-	"x-api-key",
-	"api-key",
-	"apikey",
-	"x-auth-token",
-	"auth-token",
-	"x-access-token",
-	"access-token",
-	"x-secret-key",
-	"secret-key"
-]);
-const SENSITIVE_MODEL_PROVIDER_HEADER_NAME_FRAGMENTS = [
-	"api-key",
-	"apikey",
-	"token",
-	"secret",
-	"password",
-	"credential"
-];
-function isLikelySensitiveModelProviderHeaderName(value) {
-	const normalized = value.trim().toLowerCase();
-	if (!normalized) return false;
-	if (ALWAYS_SENSITIVE_MODEL_PROVIDER_HEADER_NAMES.has(normalized)) return true;
-	return SENSITIVE_MODEL_PROVIDER_HEADER_NAME_FRAGMENTS.some((fragment) => normalized.includes(fragment));
-}
-function addFinding(collector, finding) {
-	collector.findings.push(finding);
-}
-function collectProviderRefPath(collector, providerId, configPath) {
-	const key = normalizeProviderId(providerId);
-	const existing = collector.configProviderRefPaths.get(key);
-	if (existing) {
-		existing.push(configPath);
-		return;
-	}
-	collector.configProviderRefPaths.set(key, [configPath]);
-}
-function trackAuthProviderState(collector, provider, mode) {
-	const key = normalizeProviderId(provider);
-	const existing = collector.authProviderState.get(key);
-	if (existing) {
-		existing.hasUsableStaticOrOAuth = true;
-		existing.modes.add(mode);
-		return;
-	}
-	collector.authProviderState.set(key, {
-		hasUsableStaticOrOAuth: true,
-		modes: new Set([mode])
-	});
-}
-function collectEnvPlaintext(params) {
-	if (!fs.existsSync(params.envPath)) return;
-	params.collector.filesScanned.add(params.envPath);
-	const knownKeys = new Set(listKnownSecretEnvVarNames());
-	const lines = fs.readFileSync(params.envPath, "utf8").split(/\r?\n/);
-	for (const line of lines) {
-		const match = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
-		if (!match) continue;
-		const key = match[1] ?? "";
-		if (!knownKeys.has(key)) continue;
-		if (!parseEnvAssignmentValue(match[2] ?? "")) continue;
-		addFinding(params.collector, {
-			code: "PLAINTEXT_FOUND",
-			severity: "warn",
-			file: params.envPath,
-			jsonPath: `$env.${key}`,
-			message: `Potential secret found in .env (${key}).`
-		});
-	}
-}
-function collectConfigSecrets(params) {
-	const defaults = params.config.secrets?.defaults;
-	for (const target of discoverConfigSecretTargets(params.config)) {
-		if (!target.entry.includeInAudit) continue;
-		const { ref } = resolveSecretInputRef({
-			value: target.value,
-			refValue: target.refValue,
-			defaults
-		});
-		if (ref) {
-			params.collector.refAssignments.push({
-				file: params.configPath,
-				path: target.path,
-				ref,
-				expected: target.entry.expectedResolvedValue,
-				provider: target.providerId
-			});
-			if (target.entry.trackProviderShadowing && target.providerId) collectProviderRefPath(params.collector, target.providerId, target.path);
-			continue;
-		}
-		const hasPlaintext = hasConfiguredPlaintextSecretValue(target.value, target.entry.expectedResolvedValue);
-		if (target.entry.id === "models.providers.*.headers.*" && !isLikelySensitiveModelProviderHeaderName(target.pathSegments.at(-1) ?? "")) continue;
-		if (!hasPlaintext) continue;
-		addFinding(params.collector, {
-			code: "PLAINTEXT_FOUND",
-			severity: "warn",
-			file: params.configPath,
-			jsonPath: target.path,
-			message: `${target.path} is stored as plaintext.`,
-			provider: target.providerId
-		});
-	}
-}
-function collectAuthStoreSecrets(params) {
-	if (!fs.existsSync(params.authStorePath)) return;
-	params.collector.filesScanned.add(params.authStorePath);
-	const parsedResult = readJsonObjectIfExists(params.authStorePath);
-	if (parsedResult.error) {
-		addFinding(params.collector, {
-			code: "REF_UNRESOLVED",
-			severity: "error",
-			file: params.authStorePath,
-			jsonPath: "<root>",
-			message: `Invalid JSON in auth-profiles store: ${parsedResult.error}`
-		});
-		return;
-	}
-	const parsed = parsedResult.value;
-	if (!parsed || !isRecord(parsed.profiles)) return;
-	for (const entry of iterateAuthProfileCredentials(parsed.profiles)) {
-		if (entry.kind === "api_key" || entry.kind === "token") {
-			const { ref } = resolveSecretInputRef({
-				value: entry.value,
-				refValue: entry.refValue,
-				defaults: params.defaults
-			});
-			if (ref) {
-				params.collector.refAssignments.push({
-					file: params.authStorePath,
-					path: `profiles.${entry.profileId}.${entry.valueField}`,
-					ref,
-					expected: "string",
-					provider: entry.provider
-				});
-				trackAuthProviderState(params.collector, entry.provider, entry.kind);
-			}
-			if (isNonEmptyString(entry.value)) {
-				addFinding(params.collector, {
-					code: "PLAINTEXT_FOUND",
-					severity: "warn",
-					file: params.authStorePath,
-					jsonPath: `profiles.${entry.profileId}.${entry.valueField}`,
-					message: entry.kind === "api_key" ? "Auth profile API key is stored as plaintext." : "Auth profile token is stored as plaintext.",
-					provider: entry.provider,
-					profileId: entry.profileId
-				});
-				trackAuthProviderState(params.collector, entry.provider, entry.kind);
-			}
-			continue;
-		}
-		if (entry.hasAccess || entry.hasRefresh) {
-			addFinding(params.collector, {
-				code: "LEGACY_RESIDUE",
-				severity: "info",
-				file: params.authStorePath,
-				jsonPath: `profiles.${entry.profileId}`,
-				message: "OAuth credentials are present (out of scope for static SecretRef migration).",
-				provider: entry.provider,
-				profileId: entry.profileId
-			});
-			trackAuthProviderState(params.collector, entry.provider, "oauth");
-		}
-	}
-}
-function collectAuthJsonResidue(params) {
-	for (const authJsonPath of listLegacyAuthJsonPaths(params.stateDir)) {
-		params.collector.filesScanned.add(authJsonPath);
-		const parsedResult = readJsonObjectIfExists(authJsonPath);
-		if (parsedResult.error) {
-			addFinding(params.collector, {
-				code: "REF_UNRESOLVED",
-				severity: "error",
-				file: authJsonPath,
-				jsonPath: "<root>",
-				message: `Invalid JSON in legacy auth.json: ${parsedResult.error}`
-			});
-			continue;
-		}
-		const parsed = parsedResult.value;
-		if (!parsed) continue;
-		for (const [providerId, value] of Object.entries(parsed)) {
-			if (!isRecord(value)) continue;
-			if (value.type === "api_key" && isNonEmptyString(value.key)) addFinding(params.collector, {
-				code: "LEGACY_RESIDUE",
-				severity: "warn",
-				file: authJsonPath,
-				jsonPath: providerId,
-				message: "Legacy auth.json contains static api_key credentials.",
-				provider: providerId
-			});
-		}
-	}
-}
-function collectModelsJsonSecrets(params) {
-	if (!fs.existsSync(params.modelsJsonPath)) return;
-	params.collector.filesScanned.add(params.modelsJsonPath);
-	const parsedResult = readJsonObjectIfExists(params.modelsJsonPath, {
-		requireRegularFile: true,
-		maxBytes: MAX_AUDIT_MODELS_JSON_BYTES
-	});
-	if (parsedResult.error) {
-		addFinding(params.collector, {
-			code: "REF_UNRESOLVED",
-			severity: "error",
-			file: params.modelsJsonPath,
-			jsonPath: "<root>",
-			message: `Invalid JSON in models.json: ${parsedResult.error}`
-		});
-		return;
-	}
-	const parsed = parsedResult.value;
-	if (!parsed || !isRecord(parsed.providers)) return;
-	for (const [providerId, providerValue] of Object.entries(parsed.providers)) {
-		if (!isRecord(providerValue)) continue;
-		const apiKey = providerValue.apiKey;
-		if (coerceSecretRef(apiKey)) addFinding(params.collector, {
-			code: "REF_UNRESOLVED",
-			severity: "error",
-			file: params.modelsJsonPath,
-			jsonPath: `providers.${providerId}.apiKey`,
-			message: "models.json contains an unresolved SecretRef object; regenerate models.json.",
-			provider: providerId
-		});
-		else if (isNonEmptyString(apiKey) && !isNonSecretApiKeyMarker(apiKey)) addFinding(params.collector, {
-			code: "PLAINTEXT_FOUND",
-			severity: "warn",
-			file: params.modelsJsonPath,
-			jsonPath: `providers.${providerId}.apiKey`,
-			message: "models.json provider apiKey is stored as plaintext.",
-			provider: providerId
-		});
-		const headers = isRecord(providerValue.headers) ? providerValue.headers : void 0;
-		if (!headers) continue;
-		for (const [headerKey, headerValue] of Object.entries(headers)) {
-			const headerPath = `providers.${providerId}.headers.${headerKey}`;
-			if (coerceSecretRef(headerValue)) {
-				addFinding(params.collector, {
-					code: "REF_UNRESOLVED",
-					severity: "error",
-					file: params.modelsJsonPath,
-					jsonPath: headerPath,
-					message: "models.json contains an unresolved SecretRef object for provider headers; regenerate models.json.",
-					provider: providerId
-				});
-				continue;
-			}
-			if (!isNonEmptyString(headerValue)) continue;
-			if (isSecretRefHeaderValueMarker(headerValue)) continue;
-			if (!isLikelySensitiveModelProviderHeaderName(headerKey)) continue;
-			addFinding(params.collector, {
-				code: "PLAINTEXT_FOUND",
-				severity: "warn",
-				file: params.modelsJsonPath,
-				jsonPath: headerPath,
-				message: "models.json provider header value is stored as plaintext.",
-				provider: providerId
-			});
-		}
-	}
-}
-async function collectUnresolvedRefFindings(params) {
-	const cache = {};
-	const refsByProvider = /* @__PURE__ */ new Map();
-	for (const assignment of params.collector.refAssignments) {
-		const providerKey = `${assignment.ref.source}:${assignment.ref.provider}`;
-		let refsForProvider = refsByProvider.get(providerKey);
-		if (!refsForProvider) {
-			refsForProvider = /* @__PURE__ */ new Map();
-			refsByProvider.set(providerKey, refsForProvider);
-		}
-		refsForProvider.set(secretRefKey(assignment.ref), assignment.ref);
-	}
-	const resolvedByRefKey = /* @__PURE__ */ new Map();
-	const errorsByRefKey = /* @__PURE__ */ new Map();
-	for (const refsForProvider of refsByProvider.values()) {
-		const refs = [...refsForProvider.values()];
-		const provider = refs[0]?.provider;
-		try {
-			const resolved = await resolveSecretRefValues(refs, {
-				config: params.config,
-				env: params.env,
-				cache
-			});
-			for (const [key, value] of resolved.entries()) resolvedByRefKey.set(key, value);
-			continue;
-		} catch (err) {
-			if (provider && isProviderScopedSecretResolutionError(err)) {
-				for (const ref of refs) errorsByRefKey.set(secretRefKey(ref), err);
-				continue;
-			}
-		}
-		const fallback = await runTasksWithConcurrency({
-			tasks: refs.map((ref) => async () => ({
-				key: secretRefKey(ref),
-				resolved: await resolveSecretRefValue(ref, {
-					config: params.config,
-					env: params.env,
-					cache
-				})
-			})),
-			limit: Math.min(REF_RESOLVE_FALLBACK_CONCURRENCY, refs.length),
-			errorMode: "continue",
-			onTaskError: (error, index) => {
-				const ref = refs[index];
-				if (!ref) return;
-				errorsByRefKey.set(secretRefKey(ref), error);
-			}
-		});
-		for (const result of fallback.results) {
-			if (!result) continue;
-			resolvedByRefKey.set(result.key, result.resolved);
-		}
-	}
-	for (const assignment of params.collector.refAssignments) {
-		const key = secretRefKey(assignment.ref);
-		const resolveErr = errorsByRefKey.get(key);
-		if (resolveErr) {
-			addFinding(params.collector, {
-				code: "REF_UNRESOLVED",
-				severity: "error",
-				file: assignment.file,
-				jsonPath: assignment.path,
-				message: `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (${describeUnknownError(resolveErr)}).`,
-				provider: assignment.provider
-			});
-			continue;
-		}
-		if (!resolvedByRefKey.has(key)) {
-			addFinding(params.collector, {
-				code: "REF_UNRESOLVED",
-				severity: "error",
-				file: assignment.file,
-				jsonPath: assignment.path,
-				message: `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (resolved value is missing).`,
-				provider: assignment.provider
-			});
-			continue;
-		}
-		if (!isExpectedResolvedSecretValue(resolvedByRefKey.get(key), assignment.expected)) addFinding(params.collector, {
-			code: "REF_UNRESOLVED",
-			severity: "error",
-			file: assignment.file,
-			jsonPath: assignment.path,
-			message: assignment.expected === "string" ? `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (resolved value is not a non-empty string).` : `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (resolved value is not a string/object).`,
-			provider: assignment.provider
-		});
-	}
-}
-function collectShadowingFindings(collector) {
-	for (const [provider, paths] of collector.configProviderRefPaths.entries()) {
-		const authState = collector.authProviderState.get(provider);
-		if (!authState?.hasUsableStaticOrOAuth) continue;
-		const modeText = [...authState.modes].join("/");
-		for (const configPath of paths) addFinding(collector, {
-			code: "REF_SHADOWED",
-			severity: "warn",
-			file: "moldclaw.json",
-			jsonPath: configPath,
-			message: `Auth profile credentials (${modeText}) take precedence for provider "${provider}", so this config ref may never be used.`,
-			provider
-		});
-	}
-}
-function summarizeFindings(findings) {
-	return {
-		plaintextCount: findings.filter((entry) => entry.code === "PLAINTEXT_FOUND").length,
-		unresolvedRefCount: findings.filter((entry) => entry.code === "REF_UNRESOLVED").length,
-		shadowedRefCount: findings.filter((entry) => entry.code === "REF_SHADOWED").length,
-		legacyResidueCount: findings.filter((entry) => entry.code === "LEGACY_RESIDUE").length
-	};
-}
-async function runSecretsAudit(params = {}) {
-	const env = params.env ?? process.env;
-	const snapshot = await createSecretsConfigIO({ env }).readConfigFileSnapshot();
-	const configPath = resolveUserPath(snapshot.path);
-	const defaults = snapshot.valid ? snapshot.config.secrets?.defaults : void 0;
-	const collector = {
-		findings: [],
-		refAssignments: [],
-		configProviderRefPaths: /* @__PURE__ */ new Map(),
-		authProviderState: /* @__PURE__ */ new Map(),
-		filesScanned: new Set([configPath])
-	};
-	const stateDir = resolveStateDir(env, os.homedir);
-	const envPath = path.join(resolveConfigDir(env, os.homedir), ".env");
-	const config = snapshot.valid ? snapshot.config : {};
-	if (snapshot.valid) {
-		collectConfigSecrets({
-			config,
-			configPath,
-			collector
-		});
-		for (const authStorePath of listAuthProfileStorePaths(config, stateDir)) collectAuthStoreSecrets({
-			authStorePath,
-			collector,
-			defaults
-		});
-		for (const modelsJsonPath of listAgentModelsJsonPaths(config, stateDir, env)) collectModelsJsonSecrets({
-			modelsJsonPath,
-			collector
-		});
-		await collectUnresolvedRefFindings({
-			collector,
-			config,
-			env
-		});
-		collectShadowingFindings(collector);
-	} else addFinding(collector, {
-		code: "REF_UNRESOLVED",
-		severity: "error",
-		file: configPath,
-		jsonPath: "<root>",
-		message: "Config is invalid; cannot validate secret references reliably."
-	});
-	collectEnvPlaintext({
-		envPath,
-		collector
-	});
-	collectAuthJsonResidue({
-		stateDir,
-		collector
-	});
-	const summary = summarizeFindings(collector.findings);
-	return {
-		version: 1,
-		status: summary.unresolvedRefCount > 0 ? "unresolved" : collector.findings.length > 0 ? "findings" : "clean",
-		filesScanned: [...collector.filesScanned].toSorted(),
-		summary,
-		findings: collector.findings
-	};
-}
-function resolveSecretsAuditExitCode(report, check) {
-	if (report.summary.unresolvedRefCount > 0) return 2;
-	if (check && report.findings.length > 0) return 1;
-	return 0;
-}
-//#endregion
-//#region src/secrets/configure-plan.ts
-function getSecretProviders$1(config) {
-	if (!isRecord(config.secrets?.providers)) return {};
-	return config.secrets.providers;
-}
-function configureCandidateSortKey(candidate) {
-	if (candidate.configFile === "auth-profiles.json") return `auth-profiles:${candidate.agentId ?? ""}:${candidate.path}`;
-	return `moldclaw:${candidate.path}`;
-}
-function resolveAuthProfileProvider(store, pathSegments) {
-	const profileId = pathSegments[1];
-	if (!profileId) return;
-	const profile = store.profiles?.[profileId];
-	if (!isRecord(profile) || typeof profile.provider !== "string") return;
-	const provider = profile.provider.trim();
-	return provider.length > 0 ? provider : void 0;
-}
-function buildConfigureCandidatesForScope(params) {
-	const authoredConfig = params.authoredmoldClawConfig ?? params.config;
-	const hasPathInAuthoredConfig = (pathSegments) => hasPath(authoredConfig, pathSegments);
-	const moldclawCandidates = discoverConfigSecretTargets(params.config).filter((entry) => entry.entry.includeInConfigure).map((entry) => {
-		const resolved = resolveSecretInputRef({
-			value: entry.value,
-			refValue: entry.refValue,
-			defaults: params.config.secrets?.defaults
-		});
-		const pathExists = hasPathInAuthoredConfig(entry.pathSegments);
-		const refPathExists = entry.refPathSegments ? hasPathInAuthoredConfig(entry.refPathSegments) : false;
-		return {
-			type: entry.entry.targetType,
-			path: entry.path,
-			pathSegments: [...entry.pathSegments],
-			label: entry.path,
-			configFile: "moldclaw.json",
-			expectedResolvedValue: entry.entry.expectedResolvedValue,
-			...resolved.ref ? { existingRef: resolved.ref } : {},
-			...pathExists || refPathExists ? {} : { isDerived: true },
-			...entry.providerId ? { providerId: entry.providerId } : {},
-			...entry.accountId ? { accountId: entry.accountId } : {}
-		};
-	});
-	const authCandidates = params.authProfiles === void 0 ? [] : discoverAuthProfileSecretTargets(params.authProfiles.store).filter((entry) => entry.entry.includeInConfigure).map((entry) => {
-		const authProfiles = params.authProfiles;
-		if (!authProfiles) throw new Error("Missing auth profile scope for configure candidate discovery.");
-		const authProfileProvider = resolveAuthProfileProvider(authProfiles.store, entry.pathSegments);
-		const resolved = resolveSecretInputRef({
-			value: entry.value,
-			refValue: entry.refValue,
-			defaults: params.config.secrets?.defaults
-		});
-		return {
-			type: entry.entry.targetType,
-			path: entry.path,
-			pathSegments: [...entry.pathSegments],
-			label: `${entry.path} (auth profile, agent ${authProfiles.agentId})`,
-			configFile: "auth-profiles.json",
-			expectedResolvedValue: entry.entry.expectedResolvedValue,
-			...resolved.ref ? { existingRef: resolved.ref } : {},
-			agentId: authProfiles.agentId,
-			...authProfileProvider ? { authProfileProvider } : {}
-		};
-	});
-	return [...moldclawCandidates, ...authCandidates].toSorted((a, b) => configureCandidateSortKey(a).localeCompare(configureCandidateSortKey(b)));
-}
-function hasPath(root, segments) {
-	if (segments.length === 0) return false;
-	let cursor = root;
-	for (let index = 0; index < segments.length; index += 1) {
-		const segment = segments[index] ?? "";
-		if (Array.isArray(cursor)) {
-			if (!/^\d+$/.test(segment)) return false;
-			const parsedIndex = Number.parseInt(segment, 10);
-			if (!Number.isFinite(parsedIndex) || parsedIndex < 0 || parsedIndex >= cursor.length) return false;
-			if (index === segments.length - 1) return true;
-			cursor = cursor[parsedIndex];
-			continue;
-		}
-		if (!isRecord(cursor)) return false;
-		if (!Object.prototype.hasOwnProperty.call(cursor, segment)) return false;
-		if (index === segments.length - 1) return true;
-		cursor = cursor[segment];
-	}
-	return false;
-}
-function collectConfigureProviderChanges(params) {
-	const originalProviders = getSecretProviders$1(params.original);
-	const nextProviders = getSecretProviders$1(params.next);
-	const upserts = {};
-	const deletes = [];
-	for (const [providerAlias, nextProviderConfig] of Object.entries(nextProviders)) {
-		const current = originalProviders[providerAlias];
-		if (isDeepStrictEqual(current, nextProviderConfig)) continue;
-		upserts[providerAlias] = structuredClone(nextProviderConfig);
-	}
-	for (const providerAlias of Object.keys(originalProviders)) if (!Object.prototype.hasOwnProperty.call(nextProviders, providerAlias)) deletes.push(providerAlias);
-	return {
-		upserts,
-		deletes: deletes.toSorted()
-	};
-}
-function hasConfigurePlanChanges(params) {
-	return params.selectedTargets.size > 0 || Object.keys(params.providerChanges.upserts).length > 0 || params.providerChanges.deletes.length > 0;
-}
-function buildSecretsConfigurePlan(params) {
-	return {
-		version: 1,
-		protocolVersion: 1,
-		generatedAt: params.generatedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
-		generatedBy: "moldclaw secrets configure",
-		targets: [...params.selectedTargets.values()].map((entry) => ({
-			type: entry.type,
-			path: entry.path,
-			pathSegments: [...entry.pathSegments],
-			ref: entry.ref,
-			...entry.agentId ? { agentId: entry.agentId } : {},
-			...entry.providerId ? { providerId: entry.providerId } : {},
-			...entry.accountId ? { accountId: entry.accountId } : {},
-			...entry.authProfileProvider ? { authProfileProvider: entry.authProfileProvider } : {}
-		})),
-		...Object.keys(params.providerChanges.upserts).length > 0 ? { providerUpserts: params.providerChanges.upserts } : {},
-		...params.providerChanges.deletes.length > 0 ? { providerDeletes: params.providerChanges.deletes } : {},
-		options: {
-			scrubEnv: true,
-			scrubAuthProfilesForProviderTargets: true,
-			scrubLegacyAuthJson: true
-		}
-	};
-}
-//#endregion
-//#region src/secrets/configure.ts
-const ENV_NAME_PATTERN = /^[A-Z][A-Z0-9_]{0,127}$/;
-const WINDOWS_ABS_PATH_PATTERN = /^[A-Za-z]:[\\/]/;
-const WINDOWS_UNC_PATH_PATTERN = /^\\\\[^\\]+\\[^\\]+/;
-function isAbsolutePathValue(value) {
-	return path.isAbsolute(value) || WINDOWS_ABS_PATH_PATTERN.test(value) || WINDOWS_UNC_PATH_PATTERN.test(value);
-}
-function parseCsv(value) {
-	return value.split(",").map((entry) => entry.trim()).filter((entry) => entry.length > 0);
-}
-function parseOptionalPositiveInt(value, max) {
-	const trimmed = value.trim();
-	if (!trimmed) return;
-	if (!/^\d+$/.test(trimmed)) return;
-	const parsed = Number.parseInt(trimmed, 10);
-	if (!Number.isFinite(parsed) || parsed <= 0 || parsed > max) return;
-	return parsed;
-}
-function getSecretProviders(config) {
-	if (!isRecord(config.secrets?.providers)) return {};
-	return config.secrets.providers;
-}
-function setSecretProvider(config, providerAlias, providerConfig) {
-	config.secrets ??= {};
-	if (!isRecord(config.secrets.providers)) config.secrets.providers = {};
-	config.secrets.providers[providerAlias] = providerConfig;
-}
-function removeSecretProvider(config, providerAlias) {
-	if (!isRecord(config.secrets?.providers)) return false;
-	const providers = config.secrets.providers;
-	if (!Object.prototype.hasOwnProperty.call(providers, providerAlias)) return false;
-	delete providers[providerAlias];
-	if (Object.keys(providers).length === 0) delete config.secrets?.providers;
-	if (isRecord(config.secrets?.defaults)) {
-		const defaults = config.secrets.defaults;
-		if (defaults?.env === providerAlias) delete defaults.env;
-		if (defaults?.file === providerAlias) delete defaults.file;
-		if (defaults?.exec === providerAlias) delete defaults.exec;
-		if (defaults && defaults.env === void 0 && defaults.file === void 0 && defaults.exec === void 0) delete config.secrets?.defaults;
-	}
-	return true;
-}
-function providerHint(provider) {
-	if (provider.source === "env") return provider.allowlist?.length ? `env (${provider.allowlist.length} allowlisted)` : "env";
-	if (provider.source === "file") return `file (${provider.mode ?? "json"})`;
-	return `exec (${provider.jsonOnly === false ? "json+text" : "json"})`;
-}
-function toSourceChoices(config) {
-	const hasSource = (source) => Object.values(config.secrets?.providers ?? {}).some((provider) => provider?.source === source);
-	const choices = [{
-		value: "env",
-		label: "env"
-	}];
-	if (hasSource("file")) choices.push({
-		value: "file",
-		label: "file"
-	});
-	if (hasSource("exec")) choices.push({
-		value: "exec",
-		label: "exec"
-	});
-	return choices;
-}
-function assertNoCancel(value, message) {
-	if (typeof value === "symbol") throw new Error(message);
-	return value;
-}
-const AUTH_PROFILE_ID_PATTERN = /^[A-Za-z0-9:_-]{1,128}$/;
-function validateEnvNameCsv(value) {
-	const entries = parseCsv(value);
-	for (const entry of entries) if (!ENV_NAME_PATTERN.test(entry)) return `Invalid env name: ${entry}`;
-}
-async function promptEnvNameCsv(params) {
-	const raw = assertNoCancel(await text({
-		message: params.message,
-		initialValue: params.initialValue,
-		validate: (value) => validateEnvNameCsv(String(value ?? ""))
-	}), "Secrets configure cancelled.");
-	return parseCsv(String(raw ?? ""));
-}
-async function promptOptionalPositiveInt(params) {
-	const raw = assertNoCancel(await text({
-		message: params.message,
-		initialValue: params.initialValue === void 0 ? "" : String(params.initialValue),
-		validate: (value) => {
-			const trimmed = String(value ?? "").trim();
-			if (!trimmed) return;
-			if (parseOptionalPositiveInt(trimmed, params.max) === void 0) return `Must be an integer between 1 and ${params.max}`;
-		}
-	}), "Secrets configure cancelled.");
-	return parseOptionalPositiveInt(String(raw ?? ""), params.max);
-}
-function configureCandidateKey(candidate) {
-	if (candidate.configFile === "auth-profiles.json") return `auth-profiles:${String(candidate.agentId ?? "").trim()}:${candidate.path}`;
-	return `moldclaw:${candidate.path}`;
-}
-function hasSourceChoice(sourceChoices, source) {
-	return sourceChoices.some((entry) => entry.value === source);
-}
-function resolveCandidateProviderHint(candidate) {
-	if (typeof candidate.authProfileProvider === "string" && candidate.authProfileProvider.trim()) return candidate.authProfileProvider.trim().toLowerCase();
-	if (typeof candidate.providerId === "string" && candidate.providerId.trim()) return candidate.providerId.trim().toLowerCase();
-}
-function resolveSuggestedEnvSecretId(candidate) {
-	const hintedProvider = resolveCandidateProviderHint(candidate);
-	if (!hintedProvider) return;
-	const envCandidates = PROVIDER_ENV_VARS[hintedProvider];
-	if (!Array.isArray(envCandidates) || envCandidates.length === 0) return;
-	return envCandidates[0];
-}
-function resolveConfigureAgentId(config, explicitAgentId) {
-	const knownAgentIds = new Set(listAgentIds(config));
-	if (!explicitAgentId) return resolveDefaultAgentId(config);
-	const normalized = normalizeAgentId(explicitAgentId);
-	if (knownAgentIds.has(normalized)) return normalized;
-	const known = [...knownAgentIds].toSorted().join(", ");
-	throw new Error(`Unknown agent id "${explicitAgentId}". Known agents: ${known || "none configured"}.`);
-}
-function normalizeAuthStoreForConfigure(raw, storePath) {
-	if (!raw) return {
-		version: 1,
-		profiles: {}
-	};
-	if (!isRecord(raw.profiles)) throw new Error(`Cannot run interactive secrets configure because ${storePath} is invalid (missing "profiles" object).`);
-	return {
-		version: typeof raw.version === "number" && Number.isFinite(raw.version) ? raw.version : 1,
-		profiles: raw.profiles,
-		...isRecord(raw.order) ? { order: raw.order } : {},
-		...isRecord(raw.lastGood) ? { lastGood: raw.lastGood } : {},
-		...isRecord(raw.usageStats) ? { usageStats: raw.usageStats } : {}
-	};
-}
-function loadAuthProfileStoreForConfigure(params) {
-	const storePath = resolveAuthStorePath(resolveAgentDir(params.config, params.agentId));
-	const parsed = readJsonObjectIfExists(storePath);
-	if (parsed.error) throw new Error(`Cannot run interactive secrets configure because ${storePath} could not be read: ${parsed.error}`);
-	return normalizeAuthStoreForConfigure(parsed.value, storePath);
-}
-async function promptNewAuthProfileCandidate(agentId) {
-	const profileId = assertNoCancel(await text({
-		message: "Auth profile id",
-		validate: (value) => {
-			const trimmed = String(value ?? "").trim();
-			if (!trimmed) return "Required";
-			if (!AUTH_PROFILE_ID_PATTERN.test(trimmed)) return "Use letters/numbers/\":\"/\"_\"/\"-\" only.";
-		}
-	}), "Secrets configure cancelled.");
-	const credentialType = assertNoCancel(await select({
-		message: "Auth profile credential type",
-		options: [{
-			value: "api_key",
-			label: "api_key (key/keyRef)"
-		}, {
-			value: "token",
-			label: "token (token/tokenRef)"
-		}]
-	}), "Secrets configure cancelled.");
-	const provider = assertNoCancel(await text({
-		message: "Provider id",
-		validate: (value) => String(value ?? "").trim().length > 0 ? void 0 : "Required"
-	}), "Secrets configure cancelled.");
-	const profileIdTrimmed = String(profileId).trim();
-	const providerTrimmed = String(provider).trim();
-	if (credentialType === "token") return {
-		type: "auth-profiles.token.token",
-		path: `profiles.${profileIdTrimmed}.token`,
-		pathSegments: [
-			"profiles",
-			profileIdTrimmed,
-			"token"
-		],
-		label: `profiles.${profileIdTrimmed}.token (auth profile, agent ${agentId})`,
-		configFile: "auth-profiles.json",
-		agentId,
-		authProfileProvider: providerTrimmed,
-		expectedResolvedValue: "string"
-	};
-	return {
-		type: "auth-profiles.api_key.key",
-		path: `profiles.${profileIdTrimmed}.key`,
-		pathSegments: [
-			"profiles",
-			profileIdTrimmed,
-			"key"
-		],
-		label: `profiles.${profileIdTrimmed}.key (auth profile, agent ${agentId})`,
-		configFile: "auth-profiles.json",
-		agentId,
-		authProfileProvider: providerTrimmed,
-		expectedResolvedValue: "string"
-	};
-}
-async function promptProviderAlias(params) {
-	const alias = assertNoCancel(await text({
-		message: "Provider alias",
-		initialValue: "default",
-		validate: (value) => {
-			const trimmed = String(value ?? "").trim();
-			if (!trimmed) return "Required";
-			if (!isValidSecretProviderAlias(trimmed)) return "Must match /^[a-z][a-z0-9_-]{0,63}$/";
-			if (params.existingAliases.has(trimmed)) return "Alias already exists";
-		}
-	}), "Secrets configure cancelled.");
-	return String(alias).trim();
-}
-async function promptProviderSource(initial) {
-	return assertNoCancel(await select({
-		message: "Provider source",
-		options: [
-			{
-				value: "env",
-				label: "env"
-			},
-			{
-				value: "file",
-				label: "file"
-			},
-			{
-				value: "exec",
-				label: "exec"
-			}
-		],
-		initialValue: initial
-	}), "Secrets configure cancelled.");
-}
-async function promptEnvProvider(base) {
-	const allowlist = await promptEnvNameCsv({
-		message: "Env allowlist (comma-separated, blank for unrestricted)",
-		initialValue: base?.allowlist?.join(",") ?? ""
-	});
-	return {
-		source: "env",
-		...allowlist.length > 0 ? { allowlist } : {}
-	};
-}
-async function promptFileProvider(base) {
-	const filePath = assertNoCancel(await text({
-		message: "File path (absolute)",
-		initialValue: base?.path ?? "",
-		validate: (value) => {
-			const trimmed = String(value ?? "").trim();
-			if (!trimmed) return "Required";
-			if (!isAbsolutePathValue(trimmed)) return "Must be an absolute path";
-		}
-	}), "Secrets configure cancelled.");
-	const mode = assertNoCancel(await select({
-		message: "File mode",
-		options: [{
-			value: "json",
-			label: "json"
-		}, {
-			value: "singleValue",
-			label: "singleValue"
-		}],
-		initialValue: base?.mode ?? "json"
-	}), "Secrets configure cancelled.");
-	const timeoutMs = await promptOptionalPositiveInt({
-		message: "Timeout ms (blank for default)",
-		initialValue: base?.timeoutMs,
-		max: 12e4
-	});
-	const maxBytes = await promptOptionalPositiveInt({
-		message: "Max bytes (blank for default)",
-		initialValue: base?.maxBytes,
-		max: 20 * 1024 * 1024
-	});
-	return {
-		source: "file",
-		path: String(filePath).trim(),
-		mode,
-		...timeoutMs ? { timeoutMs } : {},
-		...maxBytes ? { maxBytes } : {}
-	};
-}
-async function parseArgsInput(rawValue) {
-	const trimmed = rawValue.trim();
-	if (!trimmed) return;
-	const parsed = JSON.parse(trimmed);
-	if (!Array.isArray(parsed) || !parsed.every((entry) => typeof entry === "string")) throw new Error("args must be a JSON array of strings");
-	return parsed;
-}
-async function promptExecProvider(base) {
-	const command = assertNoCancel(await text({
-		message: "Command path (absolute)",
-		initialValue: base?.command ?? "",
-		validate: (value) => {
-			const trimmed = String(value ?? "").trim();
-			if (!trimmed) return "Required";
-			if (!isAbsolutePathValue(trimmed)) return "Must be an absolute path";
-			if (!isSafeExecutableValue(trimmed)) return "Command value is not allowed";
-		}
-	}), "Secrets configure cancelled.");
-	const argsRaw = assertNoCancel(await text({
-		message: "Args JSON array (blank for none)",
-		initialValue: JSON.stringify(base?.args ?? []),
-		validate: (value) => {
-			const trimmed = String(value ?? "").trim();
-			if (!trimmed) return;
-			try {
-				const parsed = JSON.parse(trimmed);
-				if (!Array.isArray(parsed) || !parsed.every((entry) => typeof entry === "string")) return "Must be a JSON array of strings";
-				return;
-			} catch {
-				return "Must be valid JSON";
-			}
-		}
-	}), "Secrets configure cancelled.");
-	const timeoutMs = await promptOptionalPositiveInt({
-		message: "Timeout ms (blank for default)",
-		initialValue: base?.timeoutMs,
-		max: 12e4
-	});
-	const noOutputTimeoutMs = await promptOptionalPositiveInt({
-		message: "No-output timeout ms (blank for default)",
-		initialValue: base?.noOutputTimeoutMs,
-		max: 12e4
-	});
-	const maxOutputBytes = await promptOptionalPositiveInt({
-		message: "Max output bytes (blank for default)",
-		initialValue: base?.maxOutputBytes,
-		max: 20 * 1024 * 1024
-	});
-	const jsonOnly = assertNoCancel(await confirm({
-		message: "Require JSON-only response?",
-		initialValue: base?.jsonOnly ?? true
-	}), "Secrets configure cancelled.");
-	const passEnv = await promptEnvNameCsv({
-		message: "Pass-through env vars (comma-separated, blank for none)",
-		initialValue: base?.passEnv?.join(",") ?? ""
-	});
-	const trustedDirsRaw = assertNoCancel(await text({
-		message: "Trusted dirs (comma-separated absolute paths, blank for none)",
-		initialValue: base?.trustedDirs?.join(",") ?? "",
-		validate: (value) => {
-			const entries = parseCsv(String(value ?? ""));
-			for (const entry of entries) if (!isAbsolutePathValue(entry)) return `Trusted dir must be absolute: ${entry}`;
-		}
-	}), "Secrets configure cancelled.");
-	const allowInsecurePath = assertNoCancel(await confirm({
-		message: "Allow insecure command path checks?",
-		initialValue: base?.allowInsecurePath ?? false
-	}), "Secrets configure cancelled.");
-	const allowSymlinkCommand = assertNoCancel(await confirm({
-		message: "Allow symlink command path?",
-		initialValue: base?.allowSymlinkCommand ?? false
-	}), "Secrets configure cancelled.");
-	const args = await parseArgsInput(String(argsRaw ?? ""));
-	const trustedDirs = parseCsv(String(trustedDirsRaw ?? ""));
-	return {
-		source: "exec",
-		command: String(command).trim(),
-		...args && args.length > 0 ? { args } : {},
-		...timeoutMs ? { timeoutMs } : {},
-		...noOutputTimeoutMs ? { noOutputTimeoutMs } : {},
-		...maxOutputBytes ? { maxOutputBytes } : {},
-		...jsonOnly ? { jsonOnly } : { jsonOnly: false },
-		...passEnv.length > 0 ? { passEnv } : {},
-		...trustedDirs.length > 0 ? { trustedDirs } : {},
-		...allowInsecurePath ? { allowInsecurePath: true } : {},
-		...allowSymlinkCommand ? { allowSymlinkCommand: true } : {},
-		...isRecord(base?.env) ? { env: base.env } : {}
-	};
-}
-async function promptProviderConfig(source, current) {
-	if (source === "env") return await promptEnvProvider(current?.source === "env" ? current : void 0);
-	if (source === "file") return await promptFileProvider(current?.source === "file" ? current : void 0);
-	return await promptExecProvider(current?.source === "exec" ? current : void 0);
-}
-async function configureProvidersInteractive(config) {
-	while (true) {
-		const providers = getSecretProviders(config);
-		const providerEntries = Object.entries(providers).toSorted(([left], [right]) => left.localeCompare(right));
-		const actionOptions = [{
-			value: "add",
-			label: "Add provider",
-			hint: "Define a new env/file/exec provider"
-		}];
-		if (providerEntries.length > 0) {
-			actionOptions.push({
-				value: "edit",
-				label: "Edit provider",
-				hint: "Update an existing provider"
-			});
-			actionOptions.push({
-				value: "remove",
-				label: "Remove provider",
-				hint: "Delete a provider alias"
-			});
-		}
-		actionOptions.push({
-			value: "continue",
-			label: "Continue",
-			hint: "Move to credential mapping"
-		});
-		const action = assertNoCancel(await select({
-			message: providerEntries.length > 0 ? "Configure secret providers" : "Configure secret providers (only env refs are available until file/exec providers are added)",
-			options: actionOptions
-		}), "Secrets configure cancelled.");
-		if (action === "continue") return;
-		if (action === "add") {
-			const source = await promptProviderSource();
-			setSecretProvider(config, await promptProviderAlias({ existingAliases: new Set(providerEntries.map(([providerAlias]) => providerAlias)) }), await promptProviderConfig(source));
-			continue;
-		}
-		if (action === "edit") {
-			const alias = assertNoCancel(await select({
-				message: "Select provider to edit",
-				options: providerEntries.map(([providerAlias, providerConfig]) => ({
-					value: providerAlias,
-					label: providerAlias,
-					hint: providerHint(providerConfig)
-				}))
-			}), "Secrets configure cancelled.");
-			const current = providers[alias];
-			if (!current) continue;
-			const nextProviderConfig = await promptProviderConfig(await promptProviderSource(current.source), current);
-			if (!isDeepStrictEqual(current, nextProviderConfig)) setSecretProvider(config, alias, nextProviderConfig);
-			continue;
-		}
-		if (action === "remove") {
-			const alias = assertNoCancel(await select({
-				message: "Select provider to remove",
-				options: providerEntries.map(([providerAlias, providerConfig]) => ({
-					value: providerAlias,
-					label: providerAlias,
-					hint: providerHint(providerConfig)
-				}))
-			}), "Secrets configure cancelled.");
-			if (assertNoCancel(await confirm({
-				message: `Remove provider "${alias}"?`,
-				initialValue: false
-			}), "Secrets configure cancelled.")) removeSecretProvider(config, alias);
-		}
-	}
-}
-async function runSecretsConfigureInteractive(params = {}) {
-	if (!process.stdin.isTTY) throw new Error("secrets configure requires an interactive TTY.");
-	if (params.providersOnly && params.skipProviderSetup) throw new Error("Cannot combine --providers-only with --skip-provider-setup.");
-	const env = params.env ?? process.env;
-	const { snapshot } = await createSecretsConfigIO({ env }).readConfigFileSnapshotForWrite();
-	if (!snapshot.valid) throw new Error("Cannot run interactive secrets configure because config is invalid.");
-	const stagedConfig = structuredClone(snapshot.config);
-	if (!params.skipProviderSetup) await configureProvidersInteractive(stagedConfig);
-	const providerChanges = collectConfigureProviderChanges({
-		original: snapshot.config,
-		next: stagedConfig
-	});
-	const selectedByPath = /* @__PURE__ */ new Map();
-	if (!params.providersOnly) {
-		const configureAgentId = resolveConfigureAgentId(snapshot.config, params.agentId);
-		const authStore = loadAuthProfileStoreForConfigure({
-			config: snapshot.config,
-			agentId: configureAgentId
-		});
-		const candidates = buildConfigureCandidatesForScope({
-			config: stagedConfig,
-			authoredmoldClawConfig: snapshot.resolved,
-			authProfiles: {
-				agentId: configureAgentId,
-				store: authStore
-			}
-		});
-		if (candidates.length === 0) throw new Error("No configurable secret-bearing fields found for this agent scope.");
-		const sourceChoices = toSourceChoices(stagedConfig);
-		const hasDerivedCandidates = candidates.some((candidate) => candidate.isDerived === true);
-		let showDerivedCandidates = false;
-		while (true) {
-			const visibleCandidates = showDerivedCandidates ? candidates : candidates.filter((candidate) => candidate.isDerived !== true);
-			const options = visibleCandidates.map((candidate) => ({
-				value: configureCandidateKey(candidate),
-				label: candidate.label,
-				hint: [candidate.configFile === "auth-profiles.json" ? "auth-profiles.json" : "moldclaw.json", candidate.isDerived === true ? "derived" : void 0].filter(Boolean).join(" | ")
-			}));
-			options.push({
-				value: "__create_auth_profile__",
-				label: "Create auth profile mapping",
-				hint: `Add a new auth-profiles target for agent ${configureAgentId}`
-			});
-			if (hasDerivedCandidates) options.push({
-				value: "__toggle_derived__",
-				label: showDerivedCandidates ? "Hide derived targets" : "Show derived targets",
-				hint: showDerivedCandidates ? "Show only fields authored directly in config" : "Include normalized/derived aliases"
-			});
-			if (selectedByPath.size > 0) options.unshift({
-				value: "__done__",
-				label: "Done",
-				hint: "Finish and run preflight"
-			});
-			const selectedPath = assertNoCancel(await select({
-				message: "Select credential field",
-				options
-			}), "Secrets configure cancelled.");
-			if (selectedPath === "__done__") break;
-			if (selectedPath === "__create_auth_profile__") {
-				const createdCandidate = await promptNewAuthProfileCandidate(configureAgentId);
-				const key = configureCandidateKey(createdCandidate);
-				const existingIndex = candidates.findIndex((entry) => configureCandidateKey(entry) === key);
-				if (existingIndex >= 0) candidates[existingIndex] = createdCandidate;
-				else candidates.push(createdCandidate);
-				continue;
-			}
-			if (selectedPath === "__toggle_derived__") {
-				showDerivedCandidates = !showDerivedCandidates;
-				continue;
-			}
-			const candidate = visibleCandidates.find((entry) => configureCandidateKey(entry) === selectedPath);
-			if (!candidate) throw new Error(`Unknown configure target: ${selectedPath}`);
-			const candidateKey = configureCandidateKey(candidate);
-			const existingRef = selectedByPath.get(candidateKey)?.ref ?? candidate.existingRef;
-			const source = assertNoCancel(await select({
-				message: "Secret source",
-				options: sourceChoices,
-				initialValue: existingRef && hasSourceChoice(sourceChoices, existingRef.source) ? existingRef.source : void 0
-			}), "Secrets configure cancelled.");
-			const defaultAlias = resolveDefaultSecretProviderAlias(stagedConfig, source, { preferFirstProviderForSource: true });
-			const provider = assertNoCancel(await text({
-				message: "Provider alias",
-				initialValue: existingRef?.source === source ? existingRef.provider : defaultAlias,
-				validate: (value) => {
-					const trimmed = String(value ?? "").trim();
-					if (!trimmed) return "Required";
-					if (!isValidSecretProviderAlias(trimmed)) return "Must match /^[a-z][a-z0-9_-]{0,63}$/";
-				}
-			}), "Secrets configure cancelled.");
-			const providerAlias = String(provider).trim();
-			let suggestedId = existingRef?.source === source ? existingRef.id : void 0;
-			if (!suggestedId && source === "env") suggestedId = resolveSuggestedEnvSecretId(candidate);
-			if (!suggestedId && source === "file") {
-				const configuredProvider = stagedConfig.secrets?.providers?.[providerAlias];
-				if (configuredProvider?.source === "file" && configuredProvider.mode === "singleValue") suggestedId = "value";
-			}
-			const id = assertNoCancel(await text({
-				message: "Secret id",
-				initialValue: suggestedId,
-				validate: (value) => {
-					const trimmed = String(value ?? "").trim();
-					if (!trimmed) return "Required";
-					if (source === "exec" && !isValidExecSecretRefId(trimmed)) return formatExecSecretRefIdValidationMessage();
-				}
-			}), "Secrets configure cancelled.");
-			const ref = {
-				source,
-				provider: providerAlias,
-				id: String(id).trim()
-			};
-			assertExpectedResolvedSecretValue({
-				value: await resolveSecretRefValue(ref, {
-					config: stagedConfig,
-					env
-				}),
-				expected: candidate.expectedResolvedValue,
-				errorMessage: candidate.expectedResolvedValue === "string" ? `Ref ${ref.source}:${ref.provider}:${ref.id} did not resolve to a non-empty string.` : `Ref ${ref.source}:${ref.provider}:${ref.id} did not resolve to a supported value type.`
-			});
-			const next = {
-				...candidate,
-				ref
-			};
-			selectedByPath.set(candidateKey, next);
-			if (!assertNoCancel(await confirm({
-				message: "Configure another credential?",
-				initialValue: true
-			}), "Secrets configure cancelled.")) break;
-		}
-	}
-	if (!hasConfigurePlanChanges({
-		selectedTargets: selectedByPath,
-		providerChanges
-	})) throw new Error("No secrets changes were selected.");
-	const plan = buildSecretsConfigurePlan({
-		selectedTargets: selectedByPath,
-		providerChanges
-	});
-	return {
-		plan,
-		preflight: await runSecretsApply({
-			plan,
-			env,
-			write: false
-		})
-	};
-}
-//#endregion
-//#region src/cli/secrets-cli.ts
-function readPlanFile(pathname) {
-	const raw = fs.readFileSync(pathname, "utf8");
-	const parsed = JSON.parse(raw);
-	if (!isSecretsApplyPlan(parsed)) throw new Error(`Invalid secrets plan file: ${pathname}`);
-	return parsed;
-}
-function registerSecretsCli(program) {
-	const secrets = program.command("secrets").description("Secrets runtime controls").addHelpText("after", () => `\n${theme.muted("Docs:")} ${formatDocsLink("/gateway/security", "docs.moldclaw.ai/gateway/security")}\n`);
-	addGatewayClientOptions(secrets.command("reload").description("Re-resolve secret references and atomically swap runtime snapshot").option("--json", "Output JSON", false)).action(async (opts) => {
-		try {
-			const result = await callGatewayFromCli("secrets.reload", opts, void 0, { expectFinal: false });
-			if (opts.json) {
-				defaultRuntime.log(JSON.stringify(result, null, 2));
-				return;
-			}
-			const warningCount = Number(result?.warningCount ?? 0);
-			if (Number.isFinite(warningCount) && warningCount > 0) {
-				defaultRuntime.log(`Secrets reloaded with ${warningCount} warning(s).`);
-				return;
-			}
-			defaultRuntime.log("Secrets reloaded.");
-		} catch (err) {
-			defaultRuntime.error(danger(String(err)));
-			defaultRuntime.exit(1);
-		}
-	});
-	secrets.command("audit").description("Audit plaintext secrets, unresolved refs, and precedence drift").option("--check", "Exit non-zero when findings are present", false).option("--json", "Output JSON", false).action(async (opts) => {
-		try {
-			const report = await runSecretsAudit();
-			if (opts.json) defaultRuntime.log(JSON.stringify(report, null, 2));
-			else {
-				defaultRuntime.log(`Secrets audit: ${report.status}. plaintext=${report.summary.plaintextCount}, unresolved=${report.summary.unresolvedRefCount}, shadowed=${report.summary.shadowedRefCount}, legacy=${report.summary.legacyResidueCount}.`);
-				if (report.findings.length > 0) {
-					for (const finding of report.findings.slice(0, 20)) defaultRuntime.log(`- [${finding.code}] ${finding.file}:${finding.jsonPath} ${finding.message}`);
-					if (report.findings.length > 20) defaultRuntime.log(`... ${report.findings.length - 20} more finding(s).`);
-				}
-			}
-			const exitCode = resolveSecretsAuditExitCode(report, Boolean(opts.check));
-			if (exitCode !== 0) defaultRuntime.exit(exitCode);
-		} catch (err) {
-			defaultRuntime.error(danger(String(err)));
-			defaultRuntime.exit(2);
-		}
-	});
-	secrets.command("configure").description("Interactive secrets helper (provider setup + SecretRef mapping + preflight)").option("--apply", "Apply changes immediately after preflight", false).option("--yes", "Skip apply confirmation prompt", false).option("--providers-only", "Configure secrets.providers only, skip credential mapping", false).option("--skip-provider-setup", "Skip provider setup and only map credential fields to existing providers", false).option("--agent <id>", "Agent id for auth-profiles targets (default: configured default agent)").option("--plan-out <path>", "Write generated plan JSON to a file").option("--json", "Output JSON", false).action(async (opts) => {
-		try {
-			const configured = await runSecretsConfigureInteractive({
-				providersOnly: Boolean(opts.providersOnly),
-				skipProviderSetup: Boolean(opts.skipProviderSetup),
-				agentId: typeof opts.agent === "string" ? opts.agent : void 0
-			});
-			if (opts.planOut) fs.writeFileSync(opts.planOut, `${JSON.stringify(configured.plan, null, 2)}\n`, "utf8");
-			if (opts.json) defaultRuntime.log(JSON.stringify({
-				plan: configured.plan,
-				preflight: configured.preflight
-			}, null, 2));
-			else {
-				defaultRuntime.log(`Preflight: changed=${configured.preflight.changed}, files=${configured.preflight.changedFiles.length}, warnings=${configured.preflight.warningCount}.`);
-				if (configured.preflight.warningCount > 0) for (const warning of configured.preflight.warnings) defaultRuntime.log(`- warning: ${warning}`);
-				const providerUpserts = Object.keys(configured.plan.providerUpserts ?? {}).length;
-				const providerDeletes = configured.plan.providerDeletes?.length ?? 0;
-				defaultRuntime.log(`Plan: targets=${configured.plan.targets.length}, providerUpserts=${providerUpserts}, providerDeletes=${providerDeletes}.`);
-				if (opts.planOut) defaultRuntime.log(`Plan written to ${opts.planOut}`);
-			}
-			let shouldApply = Boolean(opts.apply);
-			if (!shouldApply && !opts.json) {
-				const approved = await confirm({
-					message: "Apply this plan now?",
-					initialValue: true
-				});
-				if (typeof approved === "boolean") shouldApply = approved;
-			}
-			if (shouldApply) {
-				if (Boolean(opts.apply) && !opts.yes && !opts.json) {
-					if (await confirm({
-						message: "This migration is one-way for migrated plaintext values. Continue with apply?",
-						initialValue: true
-					}) !== true) {
-						defaultRuntime.log("Apply cancelled.");
-						return;
-					}
-				}
-				const result = await runSecretsApply({
-					plan: configured.plan,
-					write: true
-				});
-				if (opts.json) {
-					defaultRuntime.log(JSON.stringify(result, null, 2));
-					return;
-				}
-				defaultRuntime.log(result.changed ? `Secrets applied. Updated ${result.changedFiles.length} file(s).` : "Secrets apply: no changes.");
-			}
-		} catch (err) {
-			defaultRuntime.error(danger(String(err)));
-			defaultRuntime.exit(1);
-		}
-	});
-	secrets.command("apply").description("Apply a previously generated secrets plan").requiredOption("--from <path>", "Path to plan JSON").option("--dry-run", "Validate/preflight only", false).option("--json", "Output JSON", false).action(async (opts) => {
-		try {
-			const result = await runSecretsApply({
-				plan: readPlanFile(opts.from),
-				write: !opts.dryRun
-			});
-			if (opts.json) {
-				defaultRuntime.log(JSON.stringify(result, null, 2));
-				return;
-			}
-			if (opts.dryRun) {
-				defaultRuntime.log(result.changed ? `Secrets apply dry run: ${result.changedFiles.length} file(s) would change.` : "Secrets apply dry run: no changes.");
-				return;
-			}
-			defaultRuntime.log(result.changed ? `Secrets applied. Updated ${result.changedFiles.length} file(s).` : "Secrets apply: no changes.");
-		} catch (err) {
-			defaultRuntime.error(danger(String(err)));
-			defaultRuntime.exit(1);
-		}
-	});
-}
-//#endregion
-export { registerSecretsCli };