@super-repo/envx-plugins 0.2.3-b.4

package/dist/op.d.ts

@@ -0,0 +1,52 @@
+import { type SecretProvider } from "./types.js";
+export interface OnePasswordOptions {
+    /**
+     * Service account token. When set, the plugin uses the @1password/sdk
+     * directly. When unset, it falls back to spawning the local `op` CLI
+     * (which gets credentials from your signed-in session).
+     */
+    readonly token?: string;
+    /**
+     * Override the SDK / CLI loader. Useful for tests — pass a function
+     * that returns the secret value for a given reference.
+     */
+    readonly fetcher?: (ref: string) => Promise<string>;
+    /** Provider name, defaults to `"op"` (matches the conventional `op://` URI scheme). */
+    readonly name?: string;
+}
+/**
+ * 1Password provider.
+ *
+ * Two execution modes:
+ *   - **SDK mode** (when `token` is set): uses `@1password/sdk`, no CLI needed.
+ *   - **CLI mode** (when `token` is unset): exec's the `op` binary,
+ *     reads creds from your signed-in session. No SDK install required.
+ *
+ * ```ts
+ * import { onePassword } from "@super-repo/envx-plugins/op";
+ *
+ * // CLI mode — works on developer machines that ran `op signin` once.
+ * const op = onePassword();
+ *
+ * // SDK mode — for CI / containers.
+ * const op = onePassword({ token: process.env.OP_SERVICE_ACCOUNT_TOKEN! });
+ *
+ * await op.preload([
+ *   "op://prod/Database/url",
+ *   "op://prod/API/key",
+ * ]);
+ *
+ * envx({ resolvers: { [op.name]: op.resolve } });
+ * ```
+ *
+ * Reference shape — pass the full `op://vault/item/field` URI:
+ *
+ * ```
+ * DB_URL=${op:op://prod/Database/url}
+ * API_KEY=${op:op://prod/API/key}
+ * ```
+ *
+ * SDK install (only if you set `token`): `pnpm add @1password/sdk`
+ */
+export declare function onePassword(opts?: OnePasswordOptions): SecretProvider;
+//# sourceMappingURL=op.d.ts.map

package/dist/op.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"op.d.ts","sourceRoot":"","sources":["../src/op.ts"],"names":[],"mappings":"AAGA,OAAO,EAAkC,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAMjF,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB;;;OAGG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IACpD,uFAAuF;IACvF,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAgB,WAAW,CAAC,IAAI,GAAE,kBAAuB,GAAG,cAAc,CAuDzE"}

package/dist/op.js

@@ -0,0 +1,85 @@
+import { execFile } from "child_process";
+import { promisify } from "util";
+import { buildProvider, MissingSdkError } from "./types.js";
+const execFileAsync = promisify(execFile);
+/**
+ * 1Password provider.
+ *
+ * Two execution modes:
+ *   - **SDK mode** (when `token` is set): uses `@1password/sdk`, no CLI needed.
+ *   - **CLI mode** (when `token` is unset): exec's the `op` binary,
+ *     reads creds from your signed-in session. No SDK install required.
+ *
+ * ```ts
+ * import { onePassword } from "@super-repo/envx-plugins/op";
+ *
+ * // CLI mode — works on developer machines that ran `op signin` once.
+ * const op = onePassword();
+ *
+ * // SDK mode — for CI / containers.
+ * const op = onePassword({ token: process.env.OP_SERVICE_ACCOUNT_TOKEN! });
+ *
+ * await op.preload([
+ *   "op://prod/Database/url",
+ *   "op://prod/API/key",
+ * ]);
+ *
+ * envx({ resolvers: { [op.name]: op.resolve } });
+ * ```
+ *
+ * Reference shape — pass the full `op://vault/item/field` URI:
+ *
+ * ```
+ * DB_URL=${op:op://prod/Database/url}
+ * API_KEY=${op:op://prod/API/key}
+ * ```
+ *
+ * SDK install (only if you set `token`): `pnpm add @1password/sdk`
+ */
+export function onePassword(opts = {}) {
+    const name = opts.name ?? "op";
+    let fetcher = opts.fetcher;
+    return buildProvider(name, async (ref) => {
+        if (!fetcher) {
+            if (opts.token) {
+                let sdk;
+                try {
+                    const specifier = "@1password/sdk";
+                    sdk = (await import(/* @vite-ignore */ specifier));
+                }
+                catch {
+                    throw new MissingSdkError("1password", "@1password/sdk");
+                }
+                const client = await sdk.createClient({
+                    auth: opts.token,
+                    integrationName: "envx-plugins",
+                    integrationVersion: "0.1.0",
+                });
+                fetcher = (r) => client.secrets.resolve(r);
+            }
+            else {
+                // CLI mode — `op read <ref>`
+                fetcher = async (r) => {
+                    try {
+                        const { stdout } = await execFileAsync("op", ["read", r], {
+                            encoding: "utf8",
+                        });
+                        return stdout.trim();
+                    }
+                    catch (e) {
+                        const err = e;
+                        if (err.code === "ENOENT") {
+                            throw new Error("[ENVX_PLUGIN_OP_CLI] the `op` CLI is not on PATH.\n" +
+                                "  install: https://developer.1password.com/docs/cli\n" +
+                                "  or run with a service-account token: onePassword({ token: ... })");
+                        }
+                        throw new Error(`op read '${r}' failed: ${err.stderr?.trim() || err.message}`);
+                    }
+                };
+            }
+        }
+        return fetcher(ref);
+    });
+}
+// #endregion -----------------------------------------------
+//# sourceMappingURL=op.js.map

package/dist/op.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"op.js","sourceRoot":"","sources":["../src/op.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,OAAO,EAAE,aAAa,EAAE,eAAe,EAAuB,MAAM,YAAY,CAAC;AAEjF,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAoB1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,MAAM,UAAU,WAAW,CAAC,OAA2B,EAAE;IACvD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;IAE/B,IAAI,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;IAE3B,OAAO,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,EAAE;QACvC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;gBASf,IAAI,GAAU,CAAC;gBACf,IAAI,CAAC;oBACH,MAAM,SAAS,GAAG,gBAAgB,CAAC;oBACnC,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAqB,CAAC;gBACzE,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,IAAI,eAAe,CAAC,WAAW,EAAE,gBAAgB,CAAC,CAAC;gBAC3D,CAAC;gBACD,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC;oBACpC,IAAI,EAAE,IAAI,CAAC,KAAK;oBAChB,eAAe,EAAE,cAAc;oBAC/B,kBAAkB,EAAE,OAAO;iBAC5B,CAAC,CAAC;gBACH,OAAO,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACrD,CAAC;iBAAM,CAAC;gBACN,6BAA6B;gBAC7B,OAAO,GAAG,KAAK,EAAE,CAAS,EAAmB,EAAE;oBAC7C,IAAI,CAAC;wBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,CAAC,CAAC,EAAE;4BACxD,QAAQ,EAAE,MAAM;yBACjB,CAAC,CAAC;wBACH,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;oBACvB,CAAC;oBAAC,OAAO,CAAC,EAAE,CAAC;wBACX,MAAM,GAAG,GAAG,CAAgD,CAAC;wBAC7D,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;4BAC1B,MAAM,IAAI,KAAK,CACb,qDAAqD;gCACnD,uDAAuD;gCACvD,oEAAoE,CACvE,CAAC;wBACJ,CAAC;wBACD,MAAM,IAAI,KAAK,CACb,YAAY,CAAC,aAAa,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,GAAG,CAAC,OAAO,EAAE,CAC9D,CAAC;oBACJ,CAAC;gBACH,CAAC,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;IACtB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,6DAA6D"}

package/dist/runtime.d.ts

@@ -0,0 +1,95 @@
+import type { SecretProvider } from "./types.js";
+/**
+ * Async-first secret accessor for runtime / edge code.
+ *
+ * Use this when the security model is "secrets never leave the source"
+ * — the app references secrets like `${vault:prod/db}` (or by structured
+ * key), and the values are fetched on first read, cached for `ttl`
+ * seconds, then refreshed. Nothing plaintext touches disk; nothing is
+ * baked into the build artifact.
+ *
+ * Designed to run in any V8 isolate — Cloudflare Workers, Vercel Edge,
+ * Deno Deploy, AWS Lambda, Bun, Node. No `fs`, no `child_process`, no
+ * dynamic require. Plugin compatibility is the only constraint:
+ * fetch-only providers (Vault, Doppler, Infisical, custom HTTP) work
+ * everywhere; SDK-backed providers (AWS, GCP, Azure, 1Password SDK)
+ * work in Node-compatible runtimes only.
+ *
+ * ```ts
+ * // src/secrets.ts — module-level singleton, one per worker
+ * import { createSecretRuntime } from "@super-repo/envx-plugins/runtime";
+ * import { hcVault } from "@super-repo/envx-plugins/vault";
+ *
+ * export const secrets = createSecretRuntime({
+ *   providers: [
+ *     hcVault({ endpoint: env.VAULT_ADDR, token: env.VAULT_TOKEN }),
+ *   ],
+ *   ttl: 300, // refresh every 5 minutes
+ * });
+ *
+ * // src/handler.ts
+ * export default async function handler(req: Request): Promise<Response> {
+ *   const dbUrl = await secrets.get("vault:prod/db");
+ *   return new Response(...);
+ * }
+ * ```
+ *
+ * Cold starts: each worker instance fetches lazily on first reference.
+ * Subsequent reads within the TTL window hit the in-memory cache.
+ */
+export interface SecretRuntimeOptions {
+    /** Providers to dispatch references to. Identified by their `name`. */
+    readonly providers: readonly SecretProvider[];
+    /**
+     * Cache TTL in seconds. After this window, the next `get()` triggers a
+     * fresh fetch. `0` = no caching (fetch every read — only sensible
+     * for very-low-traffic edges). `Infinity` = cache forever.
+     *
+     * Default: 300 (5 minutes).
+     */
+    readonly ttl?: number;
+    /**
+     * Cache mode for fetch failures.
+     *
+     * - `"throw"` (default): rethrow the error from `get()`. Caller decides.
+     * - `"cache-stale"`: when a refresh fails, return the previously cached
+     *   value (if any) and log a warning. Useful when intermittent
+     *   network blips shouldn't take the whole request down.
+     * - `"cache-error"`: cache the error for `errorTtl` seconds so we don't
+     *   hammer a failing backend. The error is rethrown until expiry.
+     */
+    readonly onFailure?: "throw" | "cache-stale" | "cache-error";
+    /** Seconds to cache a failed lookup when `onFailure: "cache-error"`. Default 30. */
+    readonly errorTtl?: number;
+    /** Optional `console`-like sink for warnings. Defaults to `console`. */
+    readonly logger?: {
+        warn(msg: string): void;
+    };
+}
+export interface SecretRuntime {
+    /**
+     * Resolve `${provider:id}` (or `provider:id` without braces) to the
+     * current value. Async — triggers a network fetch on cache miss /
+     * stale read. Throws on missing provider. Behavior on fetch failure
+     * is governed by `onFailure`.
+     */
+    get(ref: string): Promise<string>;
+    /** Same as `get`, but returns `undefined` instead of throwing on miss. */
+    tryGet(ref: string): Promise<string | undefined>;
+    /**
+     * Force-refresh a specific ref now, ignoring the TTL. Useful for
+     * post-rotation cache busts or webhook-driven invalidation.
+     */
+    invalidate(ref: string): Promise<string>;
+    /** Drop everything. Next reads will fetch fresh. */
+    clear(): void;
+    /** Shape inspection — useful in tests / dashboards. */
+    readonly stats: () => SecretRuntimeStats;
+}
+export interface SecretRuntimeStats {
+    readonly cached: number;
+    readonly inflight: number;
+    readonly errors: number;
+}
+export declare function createSecretRuntime(opts: SecretRuntimeOptions): SecretRuntime;
+//# sourceMappingURL=runtime.d.ts.map

package/dist/runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.d.ts","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAIjD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,MAAM,WAAW,oBAAoB;IACnC,uEAAuE;IACvE,QAAQ,CAAC,SAAS,EAAE,SAAS,cAAc,EAAE,CAAC;IAC9C;;;;;;OAMG;IACH,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB;;;;;;;;;OASG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,GAAG,aAAa,GAAG,aAAa,CAAC;IAC7D,oFAAoF;IACpF,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,wEAAwE;IACxE,QAAQ,CAAC,MAAM,CAAC,EAAE;QAAE,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;CAC/C;AAED,MAAM,WAAW,aAAa;IAC5B;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAElC,0EAA0E;IAC1E,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAEjD;;;OAGG;IACH,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEzC,oDAAoD;IACpD,KAAK,IAAI,IAAI,CAAC;IAEd,uDAAuD;IACvD,QAAQ,CAAC,KAAK,EAAE,MAAM,kBAAkB,CAAC;CAC1C;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAoBD,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,oBAAoB,GAAG,aAAa,CAgI7E"}

package/dist/runtime.js

@@ -0,0 +1,124 @@
+// Accept all four shapes for ergonomics — the runtime is JS-only so we
+// don't have dotenvx to worry about, but consistency with env-file syntax
+// matters for muscle memory:
+//   - `provider:id`           — bare
+//   - `${provider:id}`        — single-brace (rejected by dotenvx in env files, fine here)
+//   - `${{provider:id}}`      — canonical (matches env-file syntax)
+const REF_RE = /^\$?\{?\{?([a-zA-Z][\w-]*):([^}]+?)\}?\}?$/;
+export function createSecretRuntime(opts) {
+    const ttl = opts.ttl ?? 300;
+    const onFailure = opts.onFailure ?? "throw";
+    const errorTtl = opts.errorTtl ?? 30;
+    const logger = opts.logger ?? {
+        warn: (m) => {
+            // eslint-disable-next-line no-console
+            console.warn(m);
+        },
+    };
+    const byName = new Map();
+    for (const p of opts.providers)
+        byName.set(p.name, p);
+    const cache = new Map();
+    const errors = new Map();
+    // Coalesce concurrent reads of the same ref so we never fan out N
+    // fetches for one secret across N requests. Standard single-flight
+    // pattern, scoped to this runtime instance.
+    const inflight = new Map();
+    const now = () => Date.now();
+    function parseRef(ref) {
+        const m = REF_RE.exec(ref);
+        if (!m) {
+            throw new Error(`[ENVX_RUNTIME_BAD_REF] '${ref}' is not a 'provider:id' reference`);
+        }
+        return { provider: m[1], id: m[2] };
+    }
+    async function fetchOne(ref, providerName, id) {
+        const provider = byName.get(providerName);
+        if (!provider) {
+            throw new Error(`[ENVX_RUNTIME_UNKNOWN_PROVIDER] '${providerName}' (registered: ${[...byName.keys()].join(", ") || "none"})`);
+        }
+        // Bypass the plugin's preload-once cache — the runtime owns the
+        // TTL cache and needs to be able to refresh on its own schedule.
+        // `fetch()` always hits the backend.
+        return provider.fetch(id);
+    }
+    async function load(ref) {
+        const { provider, id } = parseRef(ref);
+        // Check cached error window first (cache-error mode).
+        const errEntry = errors.get(ref);
+        if (errEntry && errEntry.expiresAt > now()) {
+            throw errEntry.error;
+        }
+        // Live cache hit.
+        const cached = cache.get(ref);
+        if (cached && cached.expiresAt > now())
+            return cached.value;
+        // Single-flight: coalesce concurrent fetches.
+        const existing = inflight.get(ref);
+        if (existing)
+            return existing;
+        const promise = (async () => {
+            try {
+                const value = await fetchOne(ref, provider, id);
+                const expiresAt = ttl === Infinity ? Infinity : now() + ttl * 1000;
+                cache.set(ref, { value, expiresAt });
+                errors.delete(ref);
+                return value;
+            }
+            catch (e) {
+                const err = e;
+                if (onFailure === "cache-stale" && cached) {
+                    logger.warn(`envx-runtime: refresh of '${ref}' failed, serving stale value: ${err.message}`);
+                    // Bump the existing entry so we don't retry on every read; we'll
+                    // attempt again after the next TTL window.
+                    const expiresAt = ttl === Infinity ? Infinity : now() + ttl * 1000;
+                    cache.set(ref, { value: cached.value, expiresAt });
+                    return cached.value;
+                }
+                if (onFailure === "cache-error") {
+                    errors.set(ref, {
+                        error: err,
+                        expiresAt: now() + errorTtl * 1000,
+                    });
+                }
+                throw err;
+            }
+            finally {
+                inflight.delete(ref);
+            }
+        })();
+        inflight.set(ref, promise);
+        return promise;
+    }
+    return {
+        async get(ref) {
+            return load(ref);
+        },
+        async tryGet(ref) {
+            try {
+                return await load(ref);
+            }
+            catch {
+                return undefined;
+            }
+        },
+        async invalidate(ref) {
+            cache.delete(ref);
+            errors.delete(ref);
+            return load(ref);
+        },
+        clear() {
+            cache.clear();
+            errors.clear();
+        },
+        stats() {
+            return {
+                cached: cache.size,
+                inflight: inflight.size,
+                errors: errors.size,
+            };
+        },
+    };
+}
+// #endregion -----------------------------------------------
+//# sourceMappingURL=runtime.js.map

package/dist/runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime.js","sourceRoot":"","sources":["../src/runtime.ts"],"names":[],"mappings":"AA+GA,uEAAuE;AACvE,0EAA0E;AAC1E,6BAA6B;AAC7B,qCAAqC;AACrC,2FAA2F;AAC3F,oEAAoE;AACpE,MAAM,MAAM,GAAG,4CAA4C,CAAC;AAE5D,MAAM,UAAU,mBAAmB,CAAC,IAA0B;IAC5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC;IAC5B,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI;QAC5B,IAAI,EAAE,CAAC,CAAS,EAAE,EAAE;YAClB,sCAAsC;YACtC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;KACF,CAAC;IAEF,MAAM,MAAM,GAAG,IAAI,GAAG,EAA0B,CAAC;IACjD,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS;QAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAEtD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC5C,MAAM,MAAM,GAAG,IAAI,GAAG,EAAsB,CAAC;IAC7C,kEAAkE;IAClE,mEAAmE;IACnE,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA2B,CAAC;IAEpD,MAAM,GAAG,GAAG,GAAW,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;IAErC,SAAS,QAAQ,CAAC,GAAW;QAC3B,MAAM,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC3B,IAAI,CAAC,CAAC,EAAE,CAAC;YACP,MAAM,IAAI,KAAK,CACb,2BAA2B,GAAG,oCAAoC,CACnE,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAE,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,CAAE,EAAE,CAAC;IACxC,CAAC;IAED,KAAK,UAAU,QAAQ,CAAC,GAAW,EAAE,YAAoB,EAAE,EAAU;QACnE,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CACb,oCAAoC,YAAY,kBAC9C,CAAC,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MACnC,GAAG,CACJ,CAAC;QACJ,CAAC;QACD,gEAAgE;QAChE,iEAAiE;QACjE,qCAAqC;QACrC,OAAO,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,UAAU,IAAI,CAAC,GAAW;QAC7B,MAAM,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;QAEvC,sDAAsD;QACtD,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,QAAQ,IAAI,QAAQ,CAAC,SAAS,GAAG,GAAG,EAAE,EAAE,CAAC;YAC3C,MAAM,QAAQ,CAAC,KAAK,CAAC;QACvB,CAAC;QAED,kBAAkB;QAClB,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE;YAAE,OAAO,MAAM,CAAC,KAAK,CAAC;QAE5D,8CAA8C;QAC9C,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAE9B,MAAM,OAAO,GAAG,CAAC,KAAK,IAAqB,EAAE;YAC3C,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,GAAG,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;gBAChD,MAAM,SAAS,GAAG,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,IAAI,CAAC;gBACnE,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;gBACrC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBACnB,OAAO,KAAK,CAAC;YACf,CAAC;YAAC,OAAO,CAAC,EAAE,CAAC;gBACX,MAAM,GAAG,GAAG,CAAU,CAAC;gBACvB,IAAI,SAAS,KAAK,aAAa,IAAI,MAAM,EAAE,CAAC;oBAC1C,MAAM,CAAC,IAAI,CACT,6BAA6B,GAAG,kCAAkC,GAAG,CAAC,OAAO,EAAE,CAChF,CAAC;oBACF,iEAAiE;oBACjE,2CAA2C;oBAC3C,MAAM,SAAS,GAAG,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,IAAI,CAAC;oBACnE,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;oBACnD,OAAO,MAAM,CAAC,KAAK,CAAC;gBACtB,CAAC;gBACD,IAAI,SAAS,KAAK,aAAa,EAAE,CAAC;oBAChC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE;wBACd,KAAK,EAAE,GAAG;wBACV,SAAS,EAAE,GAAG,EAAE,GAAG,QAAQ,GAAG,IAAI;qBACnC,CAAC,CAAC;gBACL,CAAC;gBACD,MAAM,GAAG,CAAC;YACZ,CAAC;oBAAS,CAAC;gBACT,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;QAEL,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC3B,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO;QACL,KAAK,CAAC,GAAG,CAAC,GAAW;YACnB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,GAAW;YACtB,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QACD,KAAK,CAAC,UAAU,CAAC,GAAW;YAC1B,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAClB,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACnB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;QACD,KAAK;YACH,KAAK,CAAC,KAAK,EAAE,CAAC;YACd,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,CAAC;QACD,KAAK;YACH,OAAO;gBACL,MAAM,EAAE,KAAK,CAAC,IAAI;gBAClB,QAAQ,EAAE,QAAQ,CAAC,IAAI;gBACvB,MAAM,EAAE,MAAM,CAAC,IAAI;aACpB,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,6DAA6D"}

package/dist/types.d.ts

@@ -0,0 +1,54 @@
+/**
+ * The shape every plugin returns. envx's `resolvers:` config is sync
+ * (we don't want loadEnv to become async-everywhere), but every real
+ * secret-store SDK is async — so plugins split the concern in two:
+ *
+ *   1. `preload(ids)` — async batch fetch, populates an in-memory cache.
+ *   2. `resolve(id)`  — sync cache lookup. This is what envx wires into `resolvers`.
+ *
+ * Call `preload(...)` once during your bootstrap (top-level `await` in an
+ * async entry, or a small `await main()` wrapper), then hand `resolve` to
+ * envx. The cache is per-provider-instance — instantiate once and share.
+ */
+export interface SecretProvider {
+    /** Stable provider name. Matches the prefix in `${name:id}` env-file refs. */
+    readonly name: string;
+    /**
+     * Fetch and cache the named secrets. Safe to call multiple times — the
+     * implementation should de-duplicate and skip already-cached IDs.
+     * Errors fetching individual secrets are surfaced as exceptions so
+     * the bootstrap fails fast (rather than silently leaving secrets unset).
+     */
+    preload(ids: readonly string[]): Promise<void>;
+    /**
+     * Fetch a single secret directly from the backend, bypassing the
+     * plugin's cache. Used by the runtime/edge accessor (which owns its
+     * own TTL cache and can't accept a "stuck-forever" plugin cache).
+     */
+    fetch(id: string): Promise<string>;
+    /**
+     * Read a previously preloaded value. Returns `undefined` for unknown
+     * IDs so envx leaves the literal `${name:id}` in place — that way
+     * misconfigurations surface visibly instead of producing an empty
+     * string at runtime.
+     */
+    resolve(id: string): string | undefined;
+    /** Direct access to the cache for tooling (testing, debugging, snapshotting). */
+    readonly cache: ReadonlyMap<string, string>;
+}
+/**
+ * Internal factory used by every plugin to wire up the preload / resolve
+ * / cache trio. Plugin authors hand it a `fetchOne(id)` and we handle
+ * the cache + parallelism. Keeps the per-provider files focused on the
+ * SDK call.
+ */
+export declare function buildProvider(name: string, fetchOne: (id: string) => Promise<string>): SecretProvider;
+/**
+ * Thrown by every plugin's lazy SDK loader when the consumer hasn't
+ * installed the relevant SDK package. The message includes the
+ * `pnpm add <pkg>` line so users get the exact remediation.
+ */
+export declare class MissingSdkError extends Error {
+    constructor(plugin: string, sdk: string);
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,cAAc;IAC7B,8EAA8E;IAC9E,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB;;;;;OAKG;IACH,OAAO,CAAC,GAAG,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE/C;;;;OAIG;IACH,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAEnC;;;;;OAKG;IACH,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IAExC,iFAAiF;IACjF,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC7C;AAMD;;;;;GAKG;AACH,wBAAgB,aAAa,CAC3B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,GACxC,cAAc,CAwChB;AAMD;;;;GAIG;AACH,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM;CAQxC"}

package/dist/types.js

@@ -0,0 +1,64 @@
+// #region -- Plugin Contract -------------------------------
+// #endregion -----------------------------------------------
+// #region -- Common factory helper -------------------------
+/**
+ * Internal factory used by every plugin to wire up the preload / resolve
+ * / cache trio. Plugin authors hand it a `fetchOne(id)` and we handle
+ * the cache + parallelism. Keeps the per-provider files focused on the
+ * SDK call.
+ */
+export function buildProvider(name, fetchOne) {
+    const cache = new Map();
+    return {
+        name,
+        cache,
+        fetch: fetchOne,
+        async preload(ids) {
+            const todo = [...new Set(ids)].filter((id) => !cache.has(id));
+            if (todo.length === 0)
+                return;
+            const results = await Promise.all(todo.map(async (id) => {
+                try {
+                    const value = await fetchOne(id);
+                    return { id, value, ok: true };
+                }
+                catch (e) {
+                    return { id, error: e, ok: false };
+                }
+            }));
+            const errors = [];
+            for (const r of results) {
+                if (r.ok)
+                    cache.set(r.id, r.value);
+                else
+                    errors.push({ id: r.id, error: r.error });
+            }
+            if (errors.length > 0) {
+                const summary = errors
+                    .map((e) => `  ${e.id}: ${e.error.message}`)
+                    .join("\n");
+                throw new Error(`[ENVX_PLUGIN_${name.toUpperCase()}] failed to preload ${String(errors.length)} secret(s):\n${summary}`);
+            }
+        },
+        resolve(id) {
+            return cache.get(id);
+        },
+    };
+}
+// #endregion -----------------------------------------------
+// #region -- Missing-SDK error -----------------------------
+/**
+ * Thrown by every plugin's lazy SDK loader when the consumer hasn't
+ * installed the relevant SDK package. The message includes the
+ * `pnpm add <pkg>` line so users get the exact remediation.
+ */
+export class MissingSdkError extends Error {
+    constructor(plugin, sdk) {
+        super(`[ENVX_PLUGIN_MISSING_SDK] the '${plugin}' plugin needs '${sdk}'.\n` +
+            `  install it: pnpm add ${sdk}\n` +
+            `  (or your equivalent — npm / yarn / bun)`);
+        this.name = "MissingSdkError";
+    }
+}
+// #endregion -----------------------------------------------
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,6DAA6D;AA6C7D,6DAA6D;AAE7D,6DAA6D;AAE7D;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAC3B,IAAY,EACZ,QAAyC;IAEzC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IAExC,OAAO;QACL,IAAI;QACJ,KAAK;QACL,KAAK,EAAE,QAAQ;QACf,KAAK,CAAC,OAAO,CAAC,GAAsB;YAClC,MAAM,IAAI,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YAC9D,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO;YAC9B,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;gBACpB,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,EAAE,CAAC,CAAC;oBACjC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,IAAa,EAAE,CAAC;gBAC1C,CAAC;gBAAC,OAAO,CAAC,EAAE,CAAC;oBACX,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAU,EAAE,EAAE,EAAE,KAAc,EAAE,CAAC;gBACvD,CAAC;YACH,CAAC,CAAC,CACH,CAAC;YACF,MAAM,MAAM,GAAwC,EAAE,CAAC;YACvD,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;gBACxB,IAAI,CAAC,CAAC,EAAE;oBAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;;oBAC9B,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,MAAM,OAAO,GAAG,MAAM;qBACnB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;qBAC3C,IAAI,CAAC,IAAI,CAAC,CAAC;gBACd,MAAM,IAAI,KAAK,CACb,gBAAgB,IAAI,CAAC,WAAW,EAAE,uBAAuB,MAAM,CAC7D,MAAM,CAAC,MAAM,CACd,gBAAgB,OAAO,EAAE,CAC3B,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,CAAC,EAAU;YAChB,OAAO,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACvB,CAAC;KACF,CAAC;AACJ,CAAC;AAED,6DAA6D;AAE7D,6DAA6D;AAE7D;;;;GAIG;AACH,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,MAAc,EAAE,GAAW;QACrC,KAAK,CACH,kCAAkC,MAAM,mBAAmB,GAAG,MAAM;YAClE,0BAA0B,GAAG,IAAI;YACjC,2CAA2C,CAC9C,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,6DAA6D"}

package/dist/vault.d.ts

@@ -0,0 +1,47 @@
+import { type SecretProvider } from "./types.js";
+export interface HcVaultOptions {
+    /** Vault server URL, e.g. "https://vault.example.com:8200". */
+    readonly endpoint: string;
+    /** Vault token (from `VAULT_TOKEN`, machine identity, etc.). */
+    readonly token: string;
+    /**
+     * KV v2 mount path (default: `"secret"`). KV v1 callers should set
+     * `kvVersion: 1`.
+     */
+    readonly mount?: string;
+    /** KV engine version. Default `2`. */
+    readonly kvVersion?: 1 | 2;
+    /** Override the global fetch (testing). */
+    readonly fetchImpl?: typeof fetch;
+    /** Provider name, defaults to `"vault"`. */
+    readonly name?: string;
+}
+/**
+ * HashiCorp Vault (KV v1 / v2) provider.
+ *
+ * ```ts
+ * import { hcVault } from "@super-repo/envx-plugins/vault";
+ *
+ * const vault = hcVault({
+ *   endpoint: process.env.VAULT_ADDR!,
+ *   token: process.env.VAULT_TOKEN!,
+ *   mount: "secret",
+ * });
+ * await vault.preload(["prod/db", "prod/api"]);
+ *
+ * envx({ resolvers: { [vault.name]: vault.resolve } });
+ * ```
+ *
+ * Reference shape:
+ *
+ * ```
+ * # KV v2 path: <mount>/data/<id>, returns the "value" field by default.
+ * # Or pin a specific JSON field:  ${vault:prod/db#username}
+ * DB_URL=${vault:prod/db}
+ * USER=${vault:prod/db#username}
+ * ```
+ *
+ * No SDK install required — uses native `fetch` (Node 20+).
+ */
+export declare function hcVault(opts: HcVaultOptions): SecretProvider;
+//# sourceMappingURL=vault.d.ts.map

package/dist/vault.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.d.ts","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAiB,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAIhE,MAAM,WAAW,cAAc;IAC7B,+DAA+D;IAC/D,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,gEAAgE;IAChE,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;OAGG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,sCAAsC;IACtC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;IAC3B,2CAA2C;IAC3C,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAC;IAClC,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,cAAc,GAAG,cAAc,CAuC5D"}

package/dist/vault.js

@@ -0,0 +1,63 @@
+import { buildProvider } from "./types.js";
+/**
+ * HashiCorp Vault (KV v1 / v2) provider.
+ *
+ * ```ts
+ * import { hcVault } from "@super-repo/envx-plugins/vault";
+ *
+ * const vault = hcVault({
+ *   endpoint: process.env.VAULT_ADDR!,
+ *   token: process.env.VAULT_TOKEN!,
+ *   mount: "secret",
+ * });
+ * await vault.preload(["prod/db", "prod/api"]);
+ *
+ * envx({ resolvers: { [vault.name]: vault.resolve } });
+ * ```
+ *
+ * Reference shape:
+ *
+ * ```
+ * # KV v2 path: <mount>/data/<id>, returns the "value" field by default.
+ * # Or pin a specific JSON field:  ${vault:prod/db#username}
+ * DB_URL=${vault:prod/db}
+ * USER=${vault:prod/db#username}
+ * ```
+ *
+ * No SDK install required — uses native `fetch` (Node 20+).
+ */
+export function hcVault(opts) {
+    const name = opts.name ?? "vault";
+    const mount = opts.mount ?? "secret";
+    const kvVersion = opts.kvVersion ?? 2;
+    const doFetch = opts.fetchImpl ?? fetch;
+    return buildProvider(name, async (idWithField) => {
+        // `id` may include `#<field>` to pick a specific JSON field.
+        const hash = idWithField.indexOf("#");
+        const id = hash >= 0 ? idWithField.slice(0, hash) : idWithField;
+        const field = hash >= 0 ? idWithField.slice(hash + 1) : "value";
+        const segment = kvVersion === 2 ? "data/" : "";
+        const url = `${opts.endpoint.replace(/\/$/, "")}/v1/${mount}/${segment}${id}`;
+        const r = await doFetch(url, {
+            headers: { "X-Vault-Token": opts.token },
+        });
+        if (!r.ok) {
+            throw new Error(`vault GET ${url} → ${String(r.status)} ${r.statusText}`);
+        }
+        const body = (await r.json());
+        // KV v2 nests under data.data; v1 puts it directly under data.
+        const data = kvVersion === 2
+            ? (body.data
+                ?.data ?? {})
+            : (body.data ?? {});
+        const value = data[field];
+        if (typeof value === "string")
+            return value;
+        if (value === undefined) {
+            throw new Error(`vault: '${id}' has no field '${field}' (available: ${Object.keys(data).join(", ") || "none"})`);
+        }
+        return JSON.stringify(value);
+    });
+}
+// #endregion -----------------------------------------------
+//# sourceMappingURL=vault.js.map

package/dist/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../src/vault.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAuB,MAAM,YAAY,CAAC;AAsBhE;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,OAAO,CAAC,IAAoB;IAC1C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,OAAO,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,QAAQ,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,CAAC,CAAC;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,IAAI,KAAK,CAAC;IAExC,OAAO,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE;QAC/C,6DAA6D;QAC7D,MAAM,IAAI,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,EAAE,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QAChE,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAEhE,MAAM,OAAO,GAAG,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/C,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,OAAO,KAAK,IAAI,OAAO,GAAG,EAAE,EAAE,CAAC;QAE9E,MAAM,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE;YAC3B,OAAO,EAAE,EAAE,eAAe,EAAE,IAAI,CAAC,KAAK,EAAE;SACzC,CAAC,CAAC;QACH,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,aAAa,GAAG,MAAM,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;QAC5E,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAE3B,CAAC;QACF,+DAA+D;QAC/D,MAAM,IAAI,GACR,SAAS,KAAK,CAAC;YACb,CAAC,CAAC,CAAE,IAAI,CAAC,IAAuD;gBAC5D,EAAE,IAAI,IAAI,EAAE,CAAC;YACjB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACxB,MAAM,KAAK,GAAI,IAAgC,CAAC,KAAK,CAAC,CAAC;QACvD,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC5C,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,WAAW,EAAE,mBAAmB,KAAK,iBAAiB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,MAAM,GAAG,CAChG,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,6DAA6D"}