@super-repo/envx 0.4.0 → 0.4.1-b.2

package/README.md

@@ -86,7 +86,7 @@ Full subcommand and flag reference: [docs/cli.md](./docs/cli.md). Full schema fo
 | **`.env.keys` location**               | alongside the env file          | one shared file at the workspace root                    |
 | **Cascade discovery**                  | from cwd                        | from workspace root, layered with package overrides      |
 | **`rotate`**                           | per-file                        | walks every encrypted file the resolver picks up         |
-| **Secret-provider plugins**            | not built in                    | `@super-repo/envx-plugins` (AWS, GCP, Azure, Vault, …)   |
+| **Secret-provider plugins**            | not built in                    | `@super-repo/envx/plugins` (AWS, GCP, Azure, Vault, …)   |
 | **Schema validation / profiles / audit / doctor / template / diff / hook / types / watch / bake** | not built in | first-class                                              |
 | **Encryption (wire format)**           | ECIES via `eciesjs`             | **identical** — interoperable                            |
 | **License**                            | BSD-3-Clause                    | MIT                                                      |
@@ -131,7 +131,7 @@ Deep references and worked examples live alongside this package in [./docs/](./d
 ## References
 
 - [`@dotenvx/dotenvx`](https://dotenvx.com) — the upstream package envx builds on. Use it directly for single-app projects.
-- [`@super-repo/envx-plugins`](../plugins) — secret-provider plugins (AWS, GCP, Azure, Vault, 1Password, Doppler, Infisical) consumed via `resolvers:`.
+- [`@super-repo/envx/plugins`](./docs/plugins/overview.md) — secret-provider plugins (AWS, GCP, Azure, Vault, 1Password, Doppler, Infisical) consumed via `resolvers:`.
 - [`eciesjs`](https://www.npmjs.com/package/eciesjs) — the secp256k1 + AES-256-GCM library used for encryption.
 
 ## License

package/dist/auto.js

@@ -1,4 +1,4 @@
-import { t as envx } from "./chunks/src-BM4EdT3z.js";
+import { t as envx } from "./chunks/src-ke3h417V.js";
 //#region src/auto.ts
 envx();
 //#endregion

package/dist/chunks/auto-preload-CrSuZDg1.js

@@ -0,0 +1,75 @@
+import * as fs from "fs";
+import * as path from "path";
+//#region src/plugins/auto-preload.ts
+var REF_RE = /\$\{\{([a-zA-Z][\w-]*):([^}]+)\}\}/g;
+/**
+* Scan a set of env files for `${provider:id}` references and call
+* `preload()` on every plugin whose `name` matches a found provider.
+* Plugins whose names don't appear in any reference are skipped (no
+* round-trip, no SDK warm-up, no surprise charges).
+*
+* Composes with the rest of envx like this:
+*
+* ```ts
+* import envx from "@super-repo/envx";
+* import { awsSecrets } from "@super-repo/envx/plugins/aws";
+* import { gcpSecrets } from "@super-repo/envx/plugins/gcp";
+* import { autoPreload } from "@super-repo/envx/plugins";
+*
+* const aws = awsSecrets({ region: "us-east-1" });
+* const gcp = gcpSecrets({ projectId: "acme-prod" });
+*
+* await autoPreload([aws, gcp], { envFiles: [".env", "vault/.env.prod"] });
+*
+* envx({
+*   resolvers: {
+*     [aws.name]: aws.resolve,
+*     [gcp.name]: gcp.resolve,
+*   },
+* });
+* ```
+*/
+async function autoPreload(providers, opts) {
+	const cwd = opts.cwd ?? process.cwd();
+	const byProvider = /* @__PURE__ */ new Map();
+	for (const p of providers) byProvider.set(p.name, /* @__PURE__ */ new Set());
+	for (const file of opts.envFiles) {
+		const abs = path.isAbsolute(file) ? file : path.resolve(cwd, file);
+		if (!fs.existsSync(abs)) continue;
+		const content = fs.readFileSync(abs, "utf8");
+		let m;
+		REF_RE.lastIndex = 0;
+		while ((m = REF_RE.exec(content)) !== null) {
+			const provider = m[1];
+			const id = m[2];
+			if (provider === void 0 || id === void 0) continue;
+			const set = byProvider.get(provider);
+			if (set) set.add(id);
+		}
+	}
+	const preloaded = {};
+	await Promise.all(providers.map(async (p) => {
+		const ids = [...byProvider.get(p.name) ?? []];
+		if (ids.length === 0) {
+			preloaded[p.name] = [];
+			return;
+		}
+		await p.preload(ids);
+		preloaded[p.name] = ids;
+	}));
+	return { preloaded };
+}
+/**
+* Build a `resolvers:` map from a list of providers — the shape envx's
+* `resolvers` config expects. Saves you from repeating
+* `{ [p.name]: p.resolve }` for every provider.
+*/
+function asResolvers(providers) {
+	const out = {};
+	for (const p of providers) out[p.name] = (id) => p.resolve(id);
+	return out;
+}
+//#endregion
+export { autoPreload as n, asResolvers as t };
+
+//# sourceMappingURL=auto-preload-CrSuZDg1.js.map

package/dist/chunks/auto-preload-CrSuZDg1.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-preload-CrSuZDg1.js","names":[],"sources":["../../src/plugins/auto-preload.ts"],"sourcesContent":["import * as fs from \"fs\";\nimport * as path from \"path\";\n\nimport type { SecretProvider } from \"./types.js\";\n\n// #region -- autoPreload -----------------------------------\n\n// Matches `${{provider:id}}` references — see env.ts for the dotenvx-conflict reasoning.\nconst REF_RE = /\\$\\{\\{([a-zA-Z][\\w-]*):([^}]+)\\}\\}/g;\n\nexport interface AutoPreloadOptions {\n  /**\n   * Env files to scan for `${provider:id}` references. Paths are\n   * resolved against `cwd` (which defaults to `process.cwd()`).\n   * Missing files are silently skipped — the helper assumes you\n   * already know which files will load and just need the references\n   * pre-resolved.\n   */\n  readonly envFiles: readonly string[];\n  /** Defaults to `process.cwd()`. */\n  readonly cwd?: string;\n}\n\n/**\n * Scan a set of env files for `${provider:id}` references and call\n * `preload()` on every plugin whose `name` matches a found provider.\n * Plugins whose names don't appear in any reference are skipped (no\n * round-trip, no SDK warm-up, no surprise charges).\n *\n * Composes with the rest of envx like this:\n *\n * ```ts\n * import envx from \"@super-repo/envx\";\n * import { awsSecrets } from \"@super-repo/envx/plugins/aws\";\n * import { gcpSecrets } from \"@super-repo/envx/plugins/gcp\";\n * import { autoPreload } from \"@super-repo/envx/plugins\";\n *\n * const aws = awsSecrets({ region: \"us-east-1\" });\n * const gcp = gcpSecrets({ projectId: \"acme-prod\" });\n *\n * await autoPreload([aws, gcp], { envFiles: [\".env\", \"vault/.env.prod\"] });\n *\n * envx({\n *   resolvers: {\n *     [aws.name]: aws.resolve,\n *     [gcp.name]: gcp.resolve,\n *   },\n * });\n * ```\n */\nexport async function autoPreload(\n  providers: readonly SecretProvider[],\n  opts: AutoPreloadOptions,\n): Promise<{ readonly preloaded: Record<string, string[]> }> {\n  const cwd = opts.cwd ?? process.cwd();\n  const byProvider: Map<string, Set<string>> = new Map();\n  for (const p of providers) byProvider.set(p.name, new Set());\n\n  for (const file of opts.envFiles) {\n    const abs = path.isAbsolute(file) ? file : path.resolve(cwd, file);\n    if (!fs.existsSync(abs)) continue;\n    const content = fs.readFileSync(abs, \"utf8\");\n    let m: RegExpExecArray | null;\n    REF_RE.lastIndex = 0;\n    while ((m = REF_RE.exec(content)) !== null) {\n      const provider = m[1];\n      const id = m[2];\n      if (provider === undefined || id === undefined) continue;\n      const set = byProvider.get(provider);\n      if (set) set.add(id);\n    }\n  }\n\n  const preloaded: Record<string, string[]> = {};\n  await Promise.all(\n    providers.map(async (p) => {\n      const ids = [...(byProvider.get(p.name) ?? [])];\n      if (ids.length === 0) {\n        preloaded[p.name] = [];\n        return;\n      }\n      await p.preload(ids);\n      preloaded[p.name] = ids;\n    }),\n  );\n  return { preloaded };\n}\n\n// #endregion -----------------------------------------------\n\n// #region -- Convenience ---------------------------------\n\n/**\n * Build a `resolvers:` map from a list of providers — the shape envx's\n * `resolvers` config expects. Saves you from repeating\n * `{ [p.name]: p.resolve }` for every provider.\n */\nexport function asResolvers(\n  providers: readonly SecretProvider[],\n): Record<string, (id: string) => string | undefined> {\n  const out: Record<string, (id: string) => string | undefined> = {};\n  for (const p of providers) out[p.name] = (id) => p.resolve(id);\n  return out;\n}\n\n// #endregion -----------------------------------------------\n"],"mappings":";;;AAQA,IAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0Cf,eAAsB,YACpB,WACA,MAC2D;CAC3D,MAAM,MAAM,KAAK,OAAO,QAAQ,KAAK;CACrC,MAAM,6BAAuC,IAAI,KAAK;CACtD,KAAK,MAAM,KAAK,WAAW,WAAW,IAAI,EAAE,sBAAM,IAAI,KAAK,CAAC;CAE5D,KAAK,MAAM,QAAQ,KAAK,UAAU;EAChC,MAAM,MAAM,KAAK,WAAW,KAAK,GAAG,OAAO,KAAK,QAAQ,KAAK,KAAK;EAClE,IAAI,CAAC,GAAG,WAAW,IAAI,EAAE;EACzB,MAAM,UAAU,GAAG,aAAa,KAAK,OAAO;EAC5C,IAAI;EACJ,OAAO,YAAY;EACnB,QAAQ,IAAI,OAAO,KAAK,QAAQ,MAAM,MAAM;GAC1C,MAAM,WAAW,EAAE;GACnB,MAAM,KAAK,EAAE;GACb,IAAI,aAAa,KAAA,KAAa,OAAO,KAAA,GAAW;GAChD,MAAM,MAAM,WAAW,IAAI,SAAS;GACpC,IAAI,KAAK,IAAI,IAAI,GAAG;;;CAIxB,MAAM,YAAsC,EAAE;CAC9C,MAAM,QAAQ,IACZ,UAAU,IAAI,OAAO,MAAM;EACzB,MAAM,MAAM,CAAC,GAAI,WAAW,IAAI,EAAE,KAAK,IAAI,EAAE,CAAE;EAC/C,IAAI,IAAI,WAAW,GAAG;GACpB,UAAU,EAAE,QAAQ,EAAE;GACtB;;EAEF,MAAM,EAAE,QAAQ,IAAI;EACpB,UAAU,EAAE,QAAQ;GACpB,CACH;CACD,OAAO,EAAE,WAAW;;;;;;;AAYtB,SAAgB,YACd,WACoD;CACpD,MAAM,MAA0D,EAAE;CAClE,KAAK,MAAM,KAAK,WAAW,IAAI,EAAE,SAAS,OAAO,EAAE,QAAQ,GAAG;CAC9D,OAAO"}

package/dist/chunks/aws-DgcXfw-Y.js

@@ -0,0 +1,54 @@
+import { n as buildProvider, t as MissingSdkError } from "./types-COrFYR0z.js";
+//#region src/plugins/aws.ts
+/**
+* AWS Secrets Manager provider.
+*
+* ```ts
+* import { awsSecrets } from "@super-repo/envx/plugins/aws";
+*
+* const aws = awsSecrets({ region: "us-east-1" });
+* await aws.preload(["prod/db", "prod/api-key"]);
+*
+* envx({
+*   resolvers: { [aws.name]: aws.resolve },
+* });
+* ```
+*
+* Reference shape in `.env*`:
+*
+* ```
+* DATABASE_URL=${aws-secrets:prod/db}
+* API_KEY=${aws-secrets:prod/api-key}
+* ```
+*
+* The plugin uses `@aws-sdk/client-secrets-manager` (lazy-loaded —
+* only required when `preload()` runs). Install it in your app:
+*
+*     pnpm add @aws-sdk/client-secrets-manager
+*/
+function awsSecrets(opts) {
+	const name = opts.name ?? "aws-secrets";
+	let client = opts.client ?? null;
+	let GetSecretValueCommand = null;
+	return buildProvider(name, async (id) => {
+		if (!client) try {
+			const sdk = await import(
+				/* @vite-ignore */
+				"@aws-sdk/client-secrets-manager"
+);
+			client = new sdk.SecretsManagerClient({ region: opts.region });
+			GetSecretValueCommand = sdk.GetSecretValueCommand;
+		} catch {
+			throw new MissingSdkError("aws", "@aws-sdk/client-secrets-manager");
+		}
+		const cmd = GetSecretValueCommand ? new GetSecretValueCommand({ SecretId: id }) : { SecretId: id };
+		const r = await client.send(cmd);
+		if (typeof r.SecretString === "string") return r.SecretString;
+		if (r.SecretBinary) return Buffer.from(r.SecretBinary).toString("utf8");
+		throw new Error(`secret '${id}' has neither SecretString nor SecretBinary`);
+	});
+}
+//#endregion
+export { awsSecrets as t };
+
+//# sourceMappingURL=aws-DgcXfw-Y.js.map

package/dist/chunks/aws-DgcXfw-Y.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws-DgcXfw-Y.js","names":[],"sources":["../../src/plugins/aws.ts"],"sourcesContent":["import { buildProvider, MissingSdkError, type SecretProvider } from \"./types.js\";\n\n// #region -- AWS Secrets Manager ---------------------------\n\nexport interface AwsSecretsOptions {\n  /** AWS region the secrets live in (e.g. \"us-east-1\"). */\n  readonly region: string;\n  /**\n   * Override the default SDK client. Useful for tests, for sharing a\n   * client across plugins, or when your environment needs a custom\n   * credential provider chain. The object only needs a `send(command)`\n   * method that returns a `{ SecretString?: string; SecretBinary?: Uint8Array }`.\n   */\n  readonly client?: {\n    send: (cmd: unknown) => Promise<{\n      SecretString?: string;\n      SecretBinary?: Uint8Array;\n    }>;\n  };\n  /**\n   * Custom name for this provider instance. Defaults to `\"aws-secrets\"`,\n   * matching the conventional `${aws-secrets:my-id}` reference shape. If\n   * you want multiple AWS regions to coexist, give each a distinct name\n   * (`\"aws-us\"`, `\"aws-eu\"`) and reference accordingly.\n   */\n  readonly name?: string;\n}\n\n/**\n * AWS Secrets Manager provider.\n *\n * ```ts\n * import { awsSecrets } from \"@super-repo/envx/plugins/aws\";\n *\n * const aws = awsSecrets({ region: \"us-east-1\" });\n * await aws.preload([\"prod/db\", \"prod/api-key\"]);\n *\n * envx({\n *   resolvers: { [aws.name]: aws.resolve },\n * });\n * ```\n *\n * Reference shape in `.env*`:\n *\n * ```\n * DATABASE_URL=${aws-secrets:prod/db}\n * API_KEY=${aws-secrets:prod/api-key}\n * ```\n *\n * The plugin uses `@aws-sdk/client-secrets-manager` (lazy-loaded —\n * only required when `preload()` runs). Install it in your app:\n *\n *     pnpm add @aws-sdk/client-secrets-manager\n */\nexport function awsSecrets(opts: AwsSecretsOptions): SecretProvider {\n  const name = opts.name ?? \"aws-secrets\";\n  const injected = opts.client;\n  let client: AwsSecretsOptions[\"client\"] | null = injected ?? null;\n  let GetSecretValueCommand:\n    | (new (input: { SecretId: string }) => unknown)\n    | null = null;\n\n  return buildProvider(name, async (id) => {\n    // If the caller didn't inject a client, lazy-load the SDK. With an\n    // injected client the SDK is bypassed entirely — useful for tests\n    // and for users who want a custom credential chain.\n    if (!client) {\n      try {\n        // Avoid `typeof import(...)` here — that would force tsc to\n        // resolve `@aws-sdk/client-secrets-manager` at compile time\n        // and the SDKs are intentionally optional. Duck-type the\n        // shapes we touch instead.\n        interface AwsSdk {\n          readonly SecretsManagerClient: new (cfg: { region: string }) => {\n            send(cmd: unknown): Promise<{ SecretString?: string; SecretBinary?: Uint8Array }>;\n          };\n          readonly GetSecretValueCommand: new (input: { SecretId: string }) => unknown;\n        }\n        // Indirected through a variable so TS doesn't try to resolve\n        // the optional SDK at compile time (it's a peer dep).\n        const specifier = \"@aws-sdk/client-secrets-manager\";\n        const sdk = (await import(/* @vite-ignore */ specifier)) as unknown as AwsSdk;\n        client = new sdk.SecretsManagerClient({\n          region: opts.region,\n        }) as unknown as AwsSecretsOptions[\"client\"];\n        GetSecretValueCommand = sdk.GetSecretValueCommand;\n      } catch {\n        throw new MissingSdkError(\"aws\", \"@aws-sdk/client-secrets-manager\");\n      }\n    }\n\n    // For an injected client we hand `send()` a plain object — the test\n    // / custom client decides what to do with it. For the real SDK\n    // client we use the proper Command class.\n    const cmd = GetSecretValueCommand\n      ? new GetSecretValueCommand({ SecretId: id })\n      : ({ SecretId: id } as unknown);\n    const r = await client!.send(cmd);\n    if (typeof r.SecretString === \"string\") return r.SecretString;\n    if (r.SecretBinary) {\n      return Buffer.from(r.SecretBinary).toString(\"utf8\");\n    }\n    throw new Error(`secret '${id}' has neither SecretString nor SecretBinary`);\n  });\n}\n\n// #endregion -----------------------------------------------\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsDA,SAAgB,WAAW,MAAyC;CAClE,MAAM,OAAO,KAAK,QAAQ;CAE1B,IAAI,SADa,KAAK,UACuC;CAC7D,IAAI,wBAEO;CAEX,OAAO,cAAc,MAAM,OAAO,OAAO;EAIvC,IAAI,CAAC,QACH,IAAI;GAcF,MAAM,MAAO,MAAM;;IAA0B;;GAC7C,SAAS,IAAI,IAAI,qBAAqB,EACpC,QAAQ,KAAK,QACd,CAAC;GACF,wBAAwB,IAAI;UACtB;GACN,MAAM,IAAI,gBAAgB,OAAO,kCAAkC;;EAOvE,MAAM,MAAM,wBACR,IAAI,sBAAsB,EAAE,UAAU,IAAI,CAAC,GAC1C,EAAE,UAAU,IAAI;EACrB,MAAM,IAAI,MAAM,OAAQ,KAAK,IAAI;EACjC,IAAI,OAAO,EAAE,iBAAiB,UAAU,OAAO,EAAE;EACjD,IAAI,EAAE,cACJ,OAAO,OAAO,KAAK,EAAE,aAAa,CAAC,SAAS,OAAO;EAErD,MAAM,IAAI,MAAM,WAAW,GAAG,6CAA6C;GAC3E"}

package/dist/chunks/azure-Cmh5-dPn.js

@@ -0,0 +1,62 @@
+import { n as buildProvider, t as MissingSdkError } from "./types-COrFYR0z.js";
+//#region src/plugins/azure.ts
+/**
+* Azure Key Vault provider.
+*
+* ```ts
+* import { azureKeyVault } from "@super-repo/envx/plugins/azure";
+*
+* const az = azureKeyVault({ vaultUrl: "https://my-vault.vault.azure.net" });
+* await az.preload(["prod-db", "prod-api"]);
+*
+* envx({ resolvers: { [az.name]: az.resolve } });
+* ```
+*
+* Reference shape:
+*
+* ```
+* DB_URL=${azure-keyvault:prod-db}
+* API_KEY=${azure-keyvault:prod-api@<version>}
+* ```
+*
+* Uses `@azure/keyvault-secrets` + `@azure/identity` (lazy-loaded):
+*
+*     pnpm add @azure/keyvault-secrets @azure/identity
+*/
+function azureKeyVault(opts) {
+	const name = opts.name ?? "azure-keyvault";
+	let client = opts.client ?? null;
+	return buildProvider(name, async (id) => {
+		if (!client) {
+			let secretsSdk = null;
+			let credential = opts.credential;
+			try {
+				secretsSdk = await import(
+					/* @vite-ignore */
+					"@azure/keyvault-secrets"
+);
+			} catch {
+				throw new MissingSdkError("azure", "@azure/keyvault-secrets");
+			}
+			if (!credential) try {
+				credential = new (await (import(
+					/* @vite-ignore */
+					"@azure/identity"
+))).DefaultAzureCredential();
+			} catch {
+				throw new MissingSdkError("azure", "@azure/identity");
+			}
+			client = new secretsSdk.SecretClient(opts.vaultUrl, credential);
+		}
+		const at = id.indexOf("@");
+		const secretName = at >= 0 ? id.slice(0, at) : id;
+		const version = at >= 0 ? id.slice(at + 1) : void 0;
+		const result = version ? await client.getSecret(secretName, { version }) : await client.getSecret(secretName);
+		if (typeof result.value !== "string") throw new Error(`secret '${id}' had no value`);
+		return result.value;
+	});
+}
+//#endregion
+export { azureKeyVault as t };
+
+//# sourceMappingURL=azure-Cmh5-dPn.js.map

package/dist/chunks/azure-Cmh5-dPn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure-Cmh5-dPn.js","names":[],"sources":["../../src/plugins/azure.ts"],"sourcesContent":["import { buildProvider, MissingSdkError, type SecretProvider } from \"./types.js\";\n\n// #region -- Azure Key Vault -------------------------------\n\nexport interface AzureKeyVaultOptions {\n  /** Vault URL (e.g. \"https://my-vault.vault.azure.net\"). */\n  readonly vaultUrl: string;\n  /**\n   * Custom credential. Defaults to `new DefaultAzureCredential()` from\n   * `@azure/identity` — which walks env vars, managed identity, Azure\n   * CLI, etc. Override for tests or specialized credential chains.\n   */\n  readonly credential?: unknown;\n  /** Pre-built SecretClient for tests. */\n  readonly client?: {\n    getSecret: (name: string, opts?: { version?: string }) => Promise<{\n      value?: string | null;\n    }>;\n  };\n  /** Provider name, defaults to `\"azure-keyvault\"`. */\n  readonly name?: string;\n}\n\n/**\n * Azure Key Vault provider.\n *\n * ```ts\n * import { azureKeyVault } from \"@super-repo/envx/plugins/azure\";\n *\n * const az = azureKeyVault({ vaultUrl: \"https://my-vault.vault.azure.net\" });\n * await az.preload([\"prod-db\", \"prod-api\"]);\n *\n * envx({ resolvers: { [az.name]: az.resolve } });\n * ```\n *\n * Reference shape:\n *\n * ```\n * DB_URL=${azure-keyvault:prod-db}\n * API_KEY=${azure-keyvault:prod-api@<version>}\n * ```\n *\n * Uses `@azure/keyvault-secrets` + `@azure/identity` (lazy-loaded):\n *\n *     pnpm add @azure/keyvault-secrets @azure/identity\n */\nexport function azureKeyVault(opts: AzureKeyVaultOptions): SecretProvider {\n  const name = opts.name ?? \"azure-keyvault\";\n  let client: AzureKeyVaultOptions[\"client\"] | null = opts.client ?? null;\n\n  return buildProvider(name, async (id) => {\n    if (!client) {\n      // Duck-typed SDK shapes — avoids tsc's `typeof import(\"...\")`\n      // requirement that the optional Azure SDKs be installed.\n      interface AzureSecretsSdk {\n        readonly SecretClient: new (vaultUrl: string, credential: unknown) => unknown;\n      }\n      interface AzureIdentitySdk {\n        readonly DefaultAzureCredential: new () => unknown;\n      }\n      let secretsSdk: AzureSecretsSdk | null = null;\n      let credential = opts.credential;\n      try {\n        const secretsSpecifier = \"@azure/keyvault-secrets\";\n        secretsSdk = (await import(/* @vite-ignore */ secretsSpecifier)) as unknown as AzureSecretsSdk;\n      } catch {\n        throw new MissingSdkError(\"azure\", \"@azure/keyvault-secrets\");\n      }\n      if (!credential) {\n        try {\n          const identitySpecifier = \"@azure/identity\";\n          const identity = (await import(/* @vite-ignore */ identitySpecifier)) as unknown as AzureIdentitySdk;\n          credential = new identity.DefaultAzureCredential();\n        } catch {\n          throw new MissingSdkError(\"azure\", \"@azure/identity\");\n        }\n      }\n      client = new secretsSdk.SecretClient(\n        opts.vaultUrl,\n        credential,\n      ) as unknown as AzureKeyVaultOptions[\"client\"];\n    }\n\n    const at = id.indexOf(\"@\");\n    const secretName = at >= 0 ? id.slice(0, at) : id;\n    const version = at >= 0 ? id.slice(at + 1) : undefined;\n    const result = version\n      ? await client!.getSecret(secretName, { version })\n      : await client!.getSecret(secretName);\n    if (typeof result.value !== \"string\") {\n      throw new Error(`secret '${id}' had no value`);\n    }\n    return result.value;\n  });\n}\n\n// #endregion -----------------------------------------------\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA8CA,SAAgB,cAAc,MAA4C;CACxE,MAAM,OAAO,KAAK,QAAQ;CAC1B,IAAI,SAAgD,KAAK,UAAU;CAEnE,OAAO,cAAc,MAAM,OAAO,OAAO;EACvC,IAAI,CAAC,QAAQ;GASX,IAAI,aAAqC;GACzC,IAAI,aAAa,KAAK;GACtB,IAAI;IAEF,aAAc,MAAM;;KAA0B;;WACxC;IACN,MAAM,IAAI,gBAAgB,SAAS,0BAA0B;;GAE/D,IAAI,CAAC,YACH,IAAI;IAGF,aAAa,KAAI,OADO;;KAA0B;IACxB,wBAAwB;WAC5C;IACN,MAAM,IAAI,gBAAgB,SAAS,kBAAkB;;GAGzD,SAAS,IAAI,WAAW,aACtB,KAAK,UACL,WACD;;EAGH,MAAM,KAAK,GAAG,QAAQ,IAAI;EAC1B,MAAM,aAAa,MAAM,IAAI,GAAG,MAAM,GAAG,GAAG,GAAG;EAC/C,MAAM,UAAU,MAAM,IAAI,GAAG,MAAM,KAAK,EAAE,GAAG,KAAA;EAC7C,MAAM,SAAS,UACX,MAAM,OAAQ,UAAU,YAAY,EAAE,SAAS,CAAC,GAChD,MAAM,OAAQ,UAAU,WAAW;EACvC,IAAI,OAAO,OAAO,UAAU,UAC1B,MAAM,IAAI,MAAM,WAAW,GAAG,gBAAgB;EAEhD,OAAO,OAAO;GACd"}

package/dist/chunks/{commands-KUyDszno.js → commands-Br0Z7uUF.js}

@@ -1,4 +1,4 @@
-import { A as isEncrypted, C as parseEnv, D as decryptValueAsymmetric, S as log, T as toRecord, _ as resolveCwdOrWorkspace, a as auditFiles, b as expandEnvSrc, c as encryptFiles, f as DEFAULT_NODE_ENV_MAP, g as loadEnv, h as listEnvFiles, l as defaultKeysPath, m as findWorkspaceRoot, o as rotateFiles, p as detectEnvironment, r as loadDotenvxConfig, s as decryptFiles, t as writeProcessed, u as readKeysFile, v as resolveEnvPaths, x as expandRecord, y as validateCmdVariable } from "./src-Ln2uXfYC.js";
+import { A as loadEnv, C as readKeysFile, E as detectEnvironment, F as expandRecord, I as log, L as parseEnv, M as resolveEnvPaths, N as validateCmdVariable, O as findWorkspaceRoot, P as expandEnvSrc, T as DEFAULT_NODE_ENV_MAP, V as decryptValueAsymmetric, W as isEncrypted, _ as defaultKeysPath, a as auditFiles, c as encryptFiles, j as resolveCwdOrWorkspace, k as listEnvFiles, o as rotateFiles, r as loadDotenvxConfig, s as decryptFiles, t as writeProcessed, z as toRecord } from "./libs-CqVa6LY9.js";
 import * as fs from "fs";
 import * as path from "path";
 import yargs from "yargs";
@@ -1916,4 +1916,4 @@ function createCli(argvInput) {
 //#endregion
 export { createCli as t };
 
-//# sourceMappingURL=commands-KUyDszno.js.map
+//# sourceMappingURL=commands-Br0Z7uUF.js.map