@super-repo/envx 0.4.0 → 0.4.1-b.2

package/dist/libs/env.d.ts

@@ -0,0 +1,178 @@
+/**
+ * Built-in `NODE_ENV → suffix` mapping. Users can extend or override
+ * via `nodeEnvMap` in `envx.config.{ts,js,json}`. Anything NOT in the
+ * resolved map passes through as the lowercased `NODE_ENV` value —
+ * so `NODE_ENV=staging` becomes the `staging` suffix → `.env.staging`.
+ */
+export declare const DEFAULT_NODE_ENV_MAP: Readonly<Record<string, string>>;
+export interface DetectEnvironmentOptions {
+    /** Override the NODE_ENV → suffix mapping. Merged on top of the defaults. */
+    readonly nodeEnvMap?: Readonly<Record<string, string>>;
+}
+/**
+ * Detect the deployment environment from well-known platform variables.
+ * Order of precedence: Vercel → Netlify → `NODE_ENV` → 'root'.
+ *
+ * `NODE_ENV` resolution:
+ *   1. If the lowercased value is in `opts.nodeEnvMap` (or the built-in
+ *      `DEFAULT_NODE_ENV_MAP`), use the mapped suffix. Empty string
+ *      means "no suffix" (just `.env`).
+ *   2. Otherwise, use the lowercased value directly so unmapped values
+ *      like `staging`, `qa`, `preview` resolve to `.env.<value>`
+ *      automatically.
+ */
+export declare function detectEnvironment(opts?: DetectEnvironmentOptions): string;
+/**
+ * Parse a `KEY=value` string from `-v KEY=value` into a `[key, value]` tuple.
+ * Calls `process.exit(1)` on malformed input.
+ */
+export declare function validateCmdVariable(param: string): [string, string];
+/**
+ * Walk up from `startDir` looking for a `package.json` that declares
+ * `workspaces` (npm/yarn) or `pnpm.workspaces`. Falls back to other
+ * monorepo indicators (pnpm-workspace.yaml, nx.json, …). Returns
+ * `startDir` if nothing is found.
+ */
+export declare function findWorkspaceRoot(startDir?: string): string;
+/**
+ * Resolve a relative path against `cwd` first; if nothing exists at the
+ * cwd-rooted location, walk up to the workspace root and try there. If
+ * neither exists, return the cwd-rooted path so callers downstream (who
+ * may want to *create* the file/dir, e.g. `envx encrypt` writing a fresh
+ * `.env.keys`) get the user's expected location.
+ *
+ * Absolute paths are returned verbatim.
+ *
+ *   resolveCwdOrWorkspace(".env.keys", "/repo/packages/web")
+ *     → "/repo/packages/web/.env.keys"            // exists in cwd
+ *     → "/repo/.env.keys"                          // exists at workspace root
+ *     → "/repo/packages/web/.env.keys"             // neither — caller decides
+ */
+export declare function resolveCwdOrWorkspace(relPath: string, cwd?: string): string;
+/**
+ * List every `.env*` file in `dir`, sorted by name. Skips dotfile
+ * subdirectories. Returns the basenames (not absolute paths) so callers
+ * can hand them straight to `loadEnv` / `encryptFiles` / `decryptFiles`.
+ *
+ * Used by the CLI when `envPath`/`--vault` is set and `--env` is
+ * omitted: the user's intent is "all of the vault", not just `.env`.
+ */
+export declare function listEnvFiles(dir: string): string[];
+/**
+ * Expand env file paths according to the cascade strategy. For each
+ * base path `p` and a `cascadeName` like `"prod"`, produces:
+ *
+ *   [`${p}.prod.local`, `${p}.local`, `${p}.prod`, p]
+ *
+ * Order is most-specific-first so callers (which load them in order
+ * with later entries overriding earlier ones) end up with the most
+ * specific values winning at the lowest index.
+ */
+export declare function expandCascadePaths(paths: string[], cascadeName: string): string[];
+export interface ResolveEnvOptions {
+    readonly envFiles?: string[] | string;
+    /**
+     * - `string` (e.g. `"prod"`) — cascade with this explicit name.
+     * - `true` — cascade with the auto-detected environment name (if
+     *   detection produces `"root"`, no cascade is applied since there's
+     *   nothing to layer).
+     * - `false` / undefined — no cascade.
+     */
+    readonly cascade?: string | boolean;
+    /** Default `true`. Set to `false` to disable platform auto-detection. */
+    readonly autoDetect?: boolean;
+    /** Override the built-in `NODE_ENV → suffix` mapping. */
+    readonly nodeEnvMap?: Readonly<Record<string, string>>;
+}
+/**
+ * Resolve which `.env*` paths to load given the user's options. Handles
+ * the auto-detect default (when only `.env` was passed), prefixing
+ * bare names with `.env.`, and cascade expansion.
+ */
+export declare function resolveEnvPaths(opts: ResolveEnvOptions): string[];
+export interface LoadEnvOptions {
+    readonly envFiles?: string[] | string;
+    readonly variables?: string[] | string;
+    /**
+     * - `string` — cascade with this explicit name.
+     * - `true` — cascade with the auto-detected env name.
+     * - `false` / undefined — no cascade.
+     */
+    readonly cascade?: string | boolean;
+    /**
+     * `true` is shorthand for `envPath: "vault"`. A string sets the
+     * subdirectory explicitly. Either way, relative env files resolve to
+     * `<workspaceRoot>/<envPath>/<file>`.
+     */
+    readonly vault?: boolean;
+    /** Subdirectory of the workspace root where env files live. */
+    readonly envPath?: string;
+    /**
+     * Explicit path to the `.env.keys` file. When unset, envx falls back
+     * to the cwd-first / workspace-root walk-up via `defaultKeysPath()`
+     * (see keys.ts). Forwarded to dotenvx for every env file load —
+     * required when `envFiles` are absolute paths whose directory isn't
+     * the same one holding `.env.keys` (e.g. `vault/.env.prod` while the
+     * keys file lives at the workspace root).
+     */
+    readonly envKeysFile?: string;
+    readonly override?: boolean;
+    readonly quiet?: boolean;
+    /** Default `true`. Set to `false` to disable platform auto-detection. */
+    readonly autoDetect?: boolean;
+    /** Override the built-in `NODE_ENV → suffix` mapping. */
+    readonly nodeEnvMap?: Readonly<Record<string, string>>;
+    /**
+     * Keys that MUST be set in `process.env` after loading completes.
+     * Any missing values cause envx to log + `process.exit(1)`.
+     */
+    readonly required?: readonly string[];
+    /**
+     * Auto-resolve `${VAR}` / `$VAR` / `${VAR:-default}` / `${VAR:?msg}`
+     * references in the loaded values after files load.
+     */
+    readonly expand?: boolean;
+    /**
+     * Fallback values for keys that are still unset after files +
+     * `variables`. Different from `variables`, which always overrides.
+     */
+    readonly defaults?: Readonly<Record<string, string>>;
+    /**
+     * Explicit workspace root. If unset, envx walks up from cwd via
+     * `findWorkspaceRoot()`.
+     */
+    readonly workspaceRoot?: string;
+    /**
+     * Optional schema validator with a `safeParse(input) → { success,
+     * error? }` method (e.g. a Zod schema). Run after files + variables
+     * + defaults + expand and before `required`. Failures cause
+     * `process.exit(1)` with a per-issue diagnostic.
+     */
+    readonly schema?: unknown;
+    /**
+     * Map of provider key → resolver. Values like `${provider:id}` in env
+     * files are passed to the matching resolver and replaced with its
+     * return. Misses are left as the literal `${provider:id}` so they
+     * surface clearly rather than silently emptying.
+     */
+    readonly resolvers?: Readonly<Record<string, (id: string) => string | undefined>>;
+    /**
+     * Framework prefixes to mirror "public" vars under. See
+     * `DotenvxConfig.publicPrefixes` for the full description. Mirrors
+     * are written to `process.env` AFTER expansion and BEFORE schema
+     * validation, so `VITE_API_URL` can be required by a Zod schema
+     * even though the source line was `PUBLIC_API_URL=…`.
+     */
+    readonly publicPrefixes?: readonly string[];
+    /** Source prefix marking public variables. Default `"PUBLIC_"`. */
+    readonly publicSource?: string;
+}
+/**
+ * Load env files (resolving relative paths against both the workspace
+ * root and CWD) and apply `KEY=value` overrides from `--variables`.
+ * Mutates `process.env`.
+ */
+export declare function loadEnv(opts: LoadEnvOptions): {
+    paths: string[];
+};
+//# sourceMappingURL=env.d.ts.map

package/dist/libs/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/libs/env.ts"],"names":[],"mappings":"AAyHA;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAIjE,CAAC;AAEF,MAAM,WAAW,wBAAwB;IACvC,6EAA6E;IAC7E,QAAQ,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACxD;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,GAAE,wBAA6B,GAAG,MAAM,CA8B7E;AAMD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAgBnE;AAeD;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,GAAE,MAAsB,GAAG,MAAM,CA6B1E;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,EACf,GAAG,GAAE,MAAsB,GAC1B,MAAM,CAUR;AAMD;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CASlD;AAMD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EAAE,EACf,WAAW,EAAE,MAAM,GAClB,MAAM,EAAE,CAMV;AAMD,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IACtC;;;;;;OAMG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACpC,yEAAyE;IACzE,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC;IAC9B,yDAAyD;IACzD,QAAQ,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CACxD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,iBAAiB,GAAG,MAAM,EAAE,CAuCjE;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IACtC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IACvC;;;;OAIG;IACH,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACpC;;;;OAIG;IACH,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB,+DAA+D;IAC/D,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;;;;OAOG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAC5B,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;IACzB,yEAAyE;IACzE,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC;IAC9B,yDAAyD;IACzD,QAAQ,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACvD;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACtC;;;OAGG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IACrD;;;OAGG;IACH,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAC;IAChC;;;;;OAKG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B;;;;;OAKG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,QAAQ,CAC3B,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC,CACnD,CAAC;IACF;;;;;;OAMG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC5C,mEAAmE;IACnE,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AAED;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,cAAc,GAAG;IAAE,KAAK,EAAE,MAAM,EAAE,CAAA;CAAE,CAoUjE"}

package/dist/libs/expand.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Expand `${VAR}`, `$VAR`, `${VAR:-default}`, and `${VAR:?error}` references
+ * in env-file values. Iterative + cycle-safe: builds a dependency graph,
+ * topologically substitutes, and bails with a clear error on cycles.
+ *
+ * More robust than the bash version in `.github/actions/decrypt-vault`:
+ *   - Handles `$VAR` (bare) and `${VAR}` syntactically.
+ *   - Supports `${VAR:-default}` (use default if VAR is unset/empty)
+ *     and `${VAR:?msg}` (error if unset/empty).
+ *   - Supports `\${VAR}` and `\$VAR` escapes for literal `${VAR}` / `$VAR`.
+ *   - Detects cycles instead of silently truncating after N passes.
+ *   - Reports each unresolved variable, doesn't silently leave them.
+ */
+export interface ExpandOptions {
+    /**
+     * Variables to layer in beneath the file's own values. The file's
+     * values take precedence; this is the fallback (typically process.env).
+     */
+    readonly fallback?: Readonly<Record<string, string | undefined>>;
+    /**
+     * What to do when a `${UNSET_VAR}` reference can't be resolved.
+     *   - "leave"  (default): keep the literal `${UNSET_VAR}` in place,
+     *     and add a warning to the result.
+     *   - "empty": substitute an empty string, add a warning.
+     *   - "throw": throw an Error listing all unresolved refs.
+     */
+    readonly onMissing?: "leave" | "empty" | "throw";
+}
+export interface ExpandResult {
+    /** Expanded key→value map (file-only — fallback is not included). */
+    readonly values: Record<string, string>;
+    /** Re-serialized env-file content with all values expanded. */
+    readonly envSrc: string;
+    /** Variables that were referenced but couldn't be resolved. */
+    readonly unresolved: string[];
+    /** Variables that participated in an unresolvable cycle. */
+    readonly cycles: string[][];
+}
+/** Expand a key→value record. Returns the expanded record + diagnostics. */
+export declare function expandRecord(values: Readonly<Record<string, string>>, opts?: ExpandOptions): {
+    values: Record<string, string>;
+    unresolved: string[];
+    cycles: string[][];
+};
+/**
+ * Expand variables in a parsed env file (string in, string out). The
+ * file's own values take precedence; `opts.fallback` (default:
+ * `process.env`) fills in the rest.
+ */
+export declare function expandEnvSrc(envSrc: string, opts?: ExpandOptions): ExpandResult;
+//# sourceMappingURL=expand.d.ts.map

package/dist/libs/expand.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"expand.d.ts","sourceRoot":"","sources":["../../src/libs/expand.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;;GAYG;AAEH,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;IACjE;;;;;;OAMG;IACH,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;CAClD;AAED,MAAM,WAAW,YAAY;IAC3B,qEAAqE;IACrE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,+DAA+D;IAC/D,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,+DAA+D;IAC/D,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAC9B,4DAA4D;IAC5D,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC;CAC7B;AAED,4EAA4E;AAC5E,wBAAgB,YAAY,CAC1B,MAAM,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,EACxC,IAAI,GAAE,aAAkB,GACvB;IAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,UAAU,EAAE,MAAM,EAAE,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,EAAE,CAAA;CAAE,CAiG9E;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,GAAE,aAAkB,GAAG,YAAY,CAiBnF"}

package/dist/libs/index.d.ts

@@ -0,0 +1,22 @@
+import { ProcessedEnv } from './types.js';
+export type { ProcessedEnv, ProcessingError, ErrorCode, RunOptions, RunResult, } from './types.js';
+export { ENCRYPTED_PREFIX, encryptValueAsymmetric, decryptValueAsymmetric, generateKeyPair, isEncrypted, } from './crypto.js';
+export { parseEnv, serializeEnv, toRecord, type EnvLine, type KvLine, type RawLine, } from './parser.js';
+export { ENVX_PRIVATE_KEY_PREFIX, ENVX_PUBLIC_KEY_PREFIX, KEYS_FILE_BANNER, LEGACY_PRIVATE_KEY_PREFIX, LEGACY_PUBLIC_KEY_PREFIX, PUBLIC_KEY_BANNER, defaultKeysPath, defaultKeysPathFor, privateKeyCandidateNamesFor, privateKeyNameFor, publicKeyCandidateNamesFor, publicKeyNameFor, readKeysFile, writeKeysFile, } from './keys.js';
+export { isSelected, matchesAny } from './match.js';
+export { encryptFiles } from './encrypt.js';
+export { decryptFiles } from './decrypt.js';
+export { rotateFiles } from './rotate.js';
+export { expandRecord, expandEnvSrc, type ExpandOptions, type ExpandResult, } from './expand.js';
+export { auditFiles, BUILT_IN_PATTERNS, type AuditFinding, type AuditOptions, type SecretPattern, } from './audit.js';
+export { defineConfig, loadDotenvxConfig, type DotenvxConfig, type LoadConfigOptions, type LoadedConfig, } from './config.js';
+export { DEFAULT_NODE_ENV_MAP, detectEnvironment, validateCmdVariable, findWorkspaceRoot, resolveCwdOrWorkspace, expandCascadePaths, listEnvFiles, resolveEnvPaths, loadEnv, type DetectEnvironmentOptions, type ResolveEnvOptions, type LoadEnvOptions, } from './env.js';
+/**
+ * Persist any changed processedEnvs to disk. Returns the absolute paths
+ * that were actually written. Skips entries with errors and entries
+ * marked unchanged.
+ */
+export declare function writeProcessed(processed: readonly ProcessedEnv[]): {
+    written: string[];
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/libs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/libs/index.ts"],"names":[],"mappings":"AAEA,YAAY,EACV,YAAY,EACZ,eAAe,EACf,SAAS,EACT,UAAU,EACV,SAAS,GACV,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,gBAAgB,EAChB,sBAAsB,EACtB,sBAAsB,EACtB,eAAe,EACf,WAAW,GACZ,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,QAAQ,EACR,YAAY,EACZ,QAAQ,EACR,KAAK,OAAO,EACZ,KAAK,MAAM,EACX,KAAK,OAAO,GACb,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,uBAAuB,EACvB,sBAAsB,EACtB,gBAAgB,EAChB,yBAAyB,EACzB,wBAAwB,EACxB,iBAAiB,EACjB,eAAe,EACf,kBAAkB,EAClB,2BAA2B,EAC3B,iBAAiB,EACjB,0BAA0B,EAC1B,gBAAgB,EAChB,YAAY,EACZ,aAAa,GACd,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAGpD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG1C,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,KAAK,aAAa,EAClB,KAAK,YAAY,GAClB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,KAAK,YAAY,EACjB,KAAK,YAAY,EACjB,KAAK,aAAa,GACnB,MAAM,YAAY,CAAC;AAGpB,OAAO,EACL,YAAY,EACZ,iBAAiB,EACjB,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,YAAY,GAClB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,mBAAmB,EACnB,iBAAiB,EACjB,qBAAqB,EACrB,kBAAkB,EAClB,YAAY,EACZ,eAAe,EACf,OAAO,EACP,KAAK,wBAAwB,EAC7B,KAAK,iBAAiB,EACtB,KAAK,cAAc,GACpB,MAAM,UAAU,CAAC;AAQlB,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C;;;;GAIG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,SAAS,YAAY,EAAE,GACjC;IAAE,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAQvB"}

package/dist/libs/index.js

@@ -0,0 +1,2 @@
+import { A as loadEnv, B as ENCRYPTED_PREFIX, C as readKeysFile, D as expandCascadePaths, E as detectEnvironment, F as expandRecord, H as encryptValueAsymmetric, L as parseEnv, M as resolveEnvPaths, N as validateCmdVariable, O as findWorkspaceRoot, P as expandEnvSrc, R as serializeEnv, S as publicKeyNameFor, T as DEFAULT_NODE_ENV_MAP, U as generateKeyPair, V as decryptValueAsymmetric, W as isEncrypted, _ as defaultKeysPath, a as auditFiles, b as privateKeyNameFor, c as encryptFiles, d as ENVX_PRIVATE_KEY_PREFIX, f as ENVX_PUBLIC_KEY_PREFIX, g as PUBLIC_KEY_BANNER, h as LEGACY_PUBLIC_KEY_PREFIX, i as BUILT_IN_PATTERNS, j as resolveCwdOrWorkspace, k as listEnvFiles, l as isSelected, m as LEGACY_PRIVATE_KEY_PREFIX, n as defineConfig, o as rotateFiles, p as KEYS_FILE_BANNER, r as loadDotenvxConfig, s as decryptFiles, t as writeProcessed, u as matchesAny, v as defaultKeysPathFor, w as writeKeysFile, x as publicKeyCandidateNamesFor, y as privateKeyCandidateNamesFor, z as toRecord } from "../chunks/libs-CqVa6LY9.js";
+export { BUILT_IN_PATTERNS, DEFAULT_NODE_ENV_MAP, ENCRYPTED_PREFIX, ENVX_PRIVATE_KEY_PREFIX, ENVX_PUBLIC_KEY_PREFIX, KEYS_FILE_BANNER, LEGACY_PRIVATE_KEY_PREFIX, LEGACY_PUBLIC_KEY_PREFIX, PUBLIC_KEY_BANNER, auditFiles, decryptFiles, decryptValueAsymmetric, defaultKeysPath, defaultKeysPathFor, defineConfig, detectEnvironment, encryptFiles, encryptValueAsymmetric, expandCascadePaths, expandEnvSrc, expandRecord, findWorkspaceRoot, generateKeyPair, isEncrypted, isSelected, listEnvFiles, loadDotenvxConfig, loadEnv, matchesAny, parseEnv, privateKeyCandidateNamesFor, privateKeyNameFor, publicKeyCandidateNamesFor, publicKeyNameFor, readKeysFile, resolveCwdOrWorkspace, resolveEnvPaths, rotateFiles, serializeEnv, toRecord, validateCmdVariable, writeKeysFile, writeProcessed };

package/dist/libs/keys.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Canonical (default) prefix for envx private-key variables. Used when
+ * encrypt writes a fresh entry to `.env.keys`.
+ */
+export declare const ENVX_PRIVATE_KEY_PREFIX = "ENVX_PRIVATE_KEY";
+/**
+ * Canonical prefix for envx public-key variables. Stored in plaintext at
+ * the top of the encrypted `.env*` file so anyone with read access can
+ * encrypt new values; only the holder of the matching private key (in
+ * `.env.keys`) can decrypt.
+ */
+export declare const ENVX_PUBLIC_KEY_PREFIX = "ENVX_PUBLIC_KEY";
+/**
+ * Legacy prefix kept for backwards compatibility with the upstream
+ * `dotenvx` convention. envx will read keys stored under this prefix
+ * but never *writes* new ones with it.
+ */
+export declare const LEGACY_PRIVATE_KEY_PREFIX = "DOTENV_PRIVATE_KEY";
+/** Legacy public-key prefix (upstream dotenvx). Read-only fallback. */
+export declare const LEGACY_PUBLIC_KEY_PREFIX = "DOTENV_PUBLIC_KEY";
+/**
+ * Canonical private-key variable name for an env file:
+ * `ENVX_PRIVATE_KEY` for `.env`, `ENVX_PRIVATE_KEY_PROD` for `.env.prod`,
+ * etc. This is the name encrypt writes to `.env.keys`.
+ *
+ * Decrypt accepts both this and the legacy `DOTENV_PRIVATE_KEY*` form
+ * — see {@link privateKeyCandidateNamesFor}.
+ */
+export declare function privateKeyNameFor(envFilePath: string): string;
+/**
+ * Both names a `.env.keys` file may use for the given env file's private
+ * key, in resolution order:
+ *
+ *   1. `ENVX_PRIVATE_KEY*` (canonical — written by current envx)
+ *   2. `DOTENV_PRIVATE_KEY*` (legacy — written by upstream dotenvx
+ *      and earlier envx versions)
+ *
+ * Callers should check each name against the keys map and use the first
+ * match. New keys are always written under the canonical name.
+ */
+export declare function privateKeyCandidateNamesFor(envFilePath: string): readonly string[];
+/** Canonical `ENVX_PUBLIC_KEY*` variable name for an env file. */
+export declare function publicKeyNameFor(envFilePath: string): string;
+/**
+ * Public-key candidate names, canonical first then legacy
+ * `DOTENV_PUBLIC_KEY*`. Decrypt callers don't need the public key
+ * (decryption uses the private key), but encrypt may read an existing
+ * public-key header from a `.env*` file to skip re-generating one.
+ */
+export declare function publicKeyCandidateNamesFor(envFilePath: string): readonly string[];
+/** Read a .env.keys file as a key→value map. Returns an empty map when the file doesn't exist. */
+export declare function readKeysFile(keysPath: string): Map<string, string>;
+/**
+ * Banner for `.env.keys` files. Mirrors the upstream `dotenvx`
+ * formatting so the file is self-describing and visually distinct.
+ */
+export declare const KEYS_FILE_BANNER: string;
+/**
+ * Banner placed above an `ENVX_PUBLIC_KEY*` entry inside a `.env*` file.
+ * Public keys are safe to commit — anyone with them can encrypt; only
+ * the private-key holder can decrypt.
+ */
+export declare const PUBLIC_KEY_BANNER: string;
+/**
+ * Persist a key→value map to `.env.keys`. Overwrites the file. Preserves
+ * order from the input map (so consumers get stable diffs) and emits the
+ * private-keys banner when writing a non-empty map.
+ *
+ * `sectionFor` (optional): a function that, given a key name, returns a
+ * section header to write above it (e.g. `# .env.dev`). Used by encrypt
+ * to group keys by their associated env file.
+ */
+export declare function writeKeysFile(keysPath: string, keys: Map<string, string>, opts?: {
+    readonly sectionFor?: (keyName: string) => string | undefined;
+}): void;
+/**
+ * Default location for `.env.keys`: cwd first, with a walk-up to the
+ * workspace root if no `.env.keys` exists at cwd. This lets users run
+ * envx from a subpackage and still find the workspace-level keys file
+ * without passing `-fk`.
+ *
+ * If neither location has a file, falls back to `<cwd>/.env.keys` so a
+ * fresh `envx encrypt` creates the file where the user expects it.
+ */
+export declare function defaultKeysPath(): string;
+/**
+ * @deprecated Use `defaultKeysPath()` instead. Kept as a thin re-export so
+ * external callers don't break — the `envFilepath` argument is now ignored
+ * and the returned path is always `<cwd>/.env.keys`.
+ */
+export declare function defaultKeysPathFor(_envFilepath: string): string;
+//# sourceMappingURL=keys.d.ts.map

package/dist/libs/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/libs/keys.ts"],"names":[],"mappings":"AAQA;;;GAGG;AACH,eAAO,MAAM,uBAAuB,qBAAqB,CAAC;AAE1D;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,oBAAoB,CAAC;AAExD;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,uBAAuB,CAAC;AAE9D,uEAAuE;AACvE,eAAO,MAAM,wBAAwB,sBAAsB,CAAC;AAE5D;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAE7D;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,2BAA2B,CACzC,WAAW,EAAE,MAAM,GAClB,SAAS,MAAM,EAAE,CAKnB;AAED,kEAAkE;AAClE,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAE5D;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,MAAM,GAClB,SAAS,MAAM,EAAE,CAKnB;AAoBD,kGAAkG;AAClG,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAIlE;AAED;;;GAGG;AACH,eAAO,MAAM,gBAAgB,QAIsC,CAAC;AAEpE;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,QAIqC,CAAC;AAEpE;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EACzB,IAAI,GAAE;IACJ,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC;CAC1D,GACL,IAAI,CA+BN;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,IAAI,MAAM,CAExC;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAE/D"}

package/dist/libs/match.d.ts

@@ -0,0 +1,7 @@
+export declare function matchesAny(key: string, patterns: readonly string[]): boolean;
+/**
+ * Decide whether to operate on a key given include + exclude filters.
+ * Empty includes means "all keys". Excludes always win.
+ */
+export declare function isSelected(key: string, includes: readonly string[], excludes: readonly string[]): boolean;
+//# sourceMappingURL=match.d.ts.map

package/dist/libs/match.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"match.d.ts","sourceRoot":"","sources":["../../src/libs/match.ts"],"names":[],"mappings":"AAcA,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAK5E;AAED;;;GAGG;AACH,wBAAgB,UAAU,CACxB,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,SAAS,MAAM,EAAE,EAC3B,QAAQ,EAAE,SAAS,MAAM,EAAE,GAC1B,OAAO,CAIT"}

package/dist/libs/parser.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Line-preserving env-file parser. We parse to a typed line array
+ * rather than a flat key→value map so that round-tripping (encrypt
+ * one value, write file back) preserves comments, blank lines, and
+ * declaration order — the signal-to-noise ratio of an env file's diff
+ * is critical when these files live in version control.
+ */
+export interface KvLine {
+    readonly type: "kv";
+    readonly key: string;
+    /** Raw value as it appeared in the file (still quoted if it was). */
+    readonly raw: string;
+    /** Logical value — quotes stripped, escape sequences resolved. */
+    value: string;
+    /** Quote style for serialization. Mutable so transforms (e.g. encrypt)
+     *  can drop quotes when the new value is self-quote-safe (URL-safe base64). */
+    quote: '"' | "'" | "";
+    /** Trailing comment, including the leading '#' and whitespace. */
+    readonly trailing: string;
+}
+export interface RawLine {
+    readonly type: "raw";
+    /** Comment lines, blank lines, malformed lines — preserved verbatim. */
+    readonly raw: string;
+}
+export type EnvLine = KvLine | RawLine;
+/** Parse a raw env-file string into a line array. */
+export declare function parseEnv(content: string): EnvLine[];
+/** Re-serialize a parsed line array. Round-trip safe for unmodified inputs. */
+export declare function serializeEnv(lines: readonly EnvLine[]): string;
+/** Build a flat key→value map from a parsed line array. Last write wins. */
+export declare function toRecord(lines: readonly EnvLine[]): Record<string, string>;
+//# sourceMappingURL=parser.d.ts.map

package/dist/libs/parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parser.d.ts","sourceRoot":"","sources":["../../src/libs/parser.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,MAAM,WAAW,MAAM;IACrB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,qEAAqE;IACrE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,kEAAkE;IAClE,KAAK,EAAE,MAAM,CAAC;IACd;mFAC+E;IAC/E,KAAK,EAAE,GAAG,GAAG,GAAG,GAAG,EAAE,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,OAAO;IACtB,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC;IACrB,wEAAwE;IACxE,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,MAAM,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;AAIvC,qDAAqD;AACrD,wBAAgB,QAAQ,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,EAAE,CAwBnD;AAED,+EAA+E;AAC/E,wBAAgB,YAAY,CAAC,KAAK,EAAE,SAAS,OAAO,EAAE,GAAG,MAAM,CAQ9D;AAsFD,4EAA4E;AAC5E,wBAAgB,QAAQ,CAAC,KAAK,EAAE,SAAS,OAAO,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAM1E"}

package/dist/libs/rotate.d.ts

@@ -0,0 +1,24 @@
+import { RunOptions, RunResult } from './types.js';
+/**
+ * Rotate the keypair on one or more `.env*` files. For each file:
+ *
+ *   1. Locate the existing public-key header (`ENVX_PUBLIC_KEY*` —
+ *      or `DOTENV_PUBLIC_KEY*` for dotenvx-compat reads). Files without
+ *      a header surface an `INVALID_CIPHERTEXT` error: rotation needs
+ *      the existing keypair to round-trip the values.
+ *   2. Look up the matching private key in `.env.keys` (canonical
+ *      `ENVX_PRIVATE_KEY*` first, then `DOTENV_PRIVATE_KEY*`).
+ *   3. Generate a fresh secp256k1 keypair.
+ *   4. Decrypt every encrypted value with the *old* private key,
+ *      re-encrypt with the *new* public key.
+ *   5. Replace the public-key header line in the env file with the
+ *      new public key, and write the new private key under the
+ *      canonical name in `.env.keys`. The keys file is written eagerly
+ *      so the returned envSrc is decryptable on disk if persisted.
+ *
+ * Pure (per the encrypt/decrypt convention): returns new file contents
+ * but does not write the env files themselves to disk. Use
+ * {@link writeProcessed} on the returned `processedEnvs` to persist.
+ */
+export declare function rotateFiles(opts: RunOptions): RunResult;
+//# sourceMappingURL=rotate.d.ts.map

package/dist/libs/rotate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotate.d.ts","sourceRoot":"","sources":["../../src/libs/rotate.ts"],"names":[],"mappings":"AAoBA,OAAO,KAAK,EAAiC,UAAU,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,UAAU,GAAG,SAAS,CA2LvD"}

package/dist/libs/types.d.ts

@@ -0,0 +1,42 @@
+/** Per-file processing result. Mirrors the shape of upstream dotenvx
+ * for familiarity, but is fully owned by this package. */
+export interface ProcessedEnv {
+    /** Path the caller supplied (may be relative). */
+    readonly envFilepath: string;
+    /** Absolute resolved path on disk. */
+    readonly filepath: string;
+    /** New file contents after the operation. */
+    readonly envSrc: string;
+    /** True when envSrc differs from the on-disk file. */
+    readonly changed: boolean;
+    /** All keys observed in the file. */
+    readonly keys: string[];
+    /** Set when a private key was newly generated and stored in .env.keys. */
+    readonly privateKeyAdded?: boolean;
+    readonly privateKeyName?: string;
+    readonly privateKey?: string;
+    /** Set when the file failed to process. */
+    readonly error?: ProcessingError;
+}
+export interface ProcessingError {
+    readonly code: ErrorCode;
+    readonly message: string;
+    readonly help?: string;
+}
+export type ErrorCode = "MISSING_ENV_FILE" | "MISSING_PRIVATE_KEY" | "DECRYPTION_FAILED" | "INVALID_CIPHERTEXT";
+export interface RunOptions {
+    /** Env file paths to operate on. */
+    readonly envFiles: readonly string[];
+    /** Specific keys (or globs) to include. Default: all keys. */
+    readonly keys?: readonly string[];
+    /** Keys (or globs) to skip. */
+    readonly excludeKeys?: readonly string[];
+    /** Path to the .env.keys file (default: alongside the env file). */
+    readonly envKeysFile?: string;
+}
+export interface RunResult {
+    readonly processedEnvs: ProcessedEnv[];
+    readonly changedFilepaths: string[];
+    readonly unchangedFilepaths: string[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/libs/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/libs/types.ts"],"names":[],"mappings":"AAEA;0DAC0D;AAC1D,MAAM,WAAW,YAAY;IAC3B,kDAAkD;IAClD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,sCAAsC;IACtC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,6CAA6C;IAC7C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,sDAAsD;IACtD,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,qCAAqC;IACrC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC;IACxB,0EAA0E;IAC1E,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;IACnC,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;IACjC,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,2CAA2C;IAC3C,QAAQ,CAAC,KAAK,CAAC,EAAE,eAAe,CAAC;CAClC;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,MAAM,SAAS,GACjB,kBAAkB,GAClB,qBAAqB,GACrB,mBAAmB,GACnB,oBAAoB,CAAC;AAEzB,MAAM,WAAW,UAAU;IACzB,oCAAoC;IACpC,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClC,+BAA+B;IAC/B,QAAQ,CAAC,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IACzC,oEAAoE;IACpE,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,aAAa,EAAE,YAAY,EAAE,CAAC;IACvC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IACpC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;CACvC"}

package/dist/plugins/auto-preload.d.ts

@@ -0,0 +1,50 @@
+import { SecretProvider } from './types.js';
+export interface AutoPreloadOptions {
+    /**
+     * Env files to scan for `${provider:id}` references. Paths are
+     * resolved against `cwd` (which defaults to `process.cwd()`).
+     * Missing files are silently skipped — the helper assumes you
+     * already know which files will load and just need the references
+     * pre-resolved.
+     */
+    readonly envFiles: readonly string[];
+    /** Defaults to `process.cwd()`. */
+    readonly cwd?: string;
+}
+/**
+ * Scan a set of env files for `${provider:id}` references and call
+ * `preload()` on every plugin whose `name` matches a found provider.
+ * Plugins whose names don't appear in any reference are skipped (no
+ * round-trip, no SDK warm-up, no surprise charges).
+ *
+ * Composes with the rest of envx like this:
+ *
+ * ```ts
+ * import envx from "@super-repo/envx";
+ * import { awsSecrets } from "@super-repo/envx/plugins/aws";
+ * import { gcpSecrets } from "@super-repo/envx/plugins/gcp";
+ * import { autoPreload } from "@super-repo/envx/plugins";
+ *
+ * const aws = awsSecrets({ region: "us-east-1" });
+ * const gcp = gcpSecrets({ projectId: "acme-prod" });
+ *
+ * await autoPreload([aws, gcp], { envFiles: [".env", "vault/.env.prod"] });
+ *
+ * envx({
+ *   resolvers: {
+ *     [aws.name]: aws.resolve,
+ *     [gcp.name]: gcp.resolve,
+ *   },
+ * });
+ * ```
+ */
+export declare function autoPreload(providers: readonly SecretProvider[], opts: AutoPreloadOptions): Promise<{
+    readonly preloaded: Record<string, string[]>;
+}>;
+/**
+ * Build a `resolvers:` map from a list of providers — the shape envx's
+ * `resolvers` config expects. Saves you from repeating
+ * `{ [p.name]: p.resolve }` for every provider.
+ */
+export declare function asResolvers(providers: readonly SecretProvider[]): Record<string, (id: string) => string | undefined>;
+//# sourceMappingURL=auto-preload.d.ts.map

package/dist/plugins/auto-preload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auto-preload.d.ts","sourceRoot":"","sources":["../../src/plugins/auto-preload.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAOjD,MAAM,WAAW,kBAAkB;IACjC;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAC;IACrC,mCAAmC;IACnC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,WAAW,CAC/B,SAAS,EAAE,SAAS,cAAc,EAAE,EACpC,IAAI,EAAE,kBAAkB,GACvB,OAAO,CAAC;IAAE,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;CAAE,CAAC,CAiC3D;AAMD;;;;GAIG;AACH,wBAAgB,WAAW,CACzB,SAAS,EAAE,SAAS,cAAc,EAAE,GACnC,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAC,CAIpD"}

package/dist/plugins/auto-preload.js

@@ -0,0 +1,2 @@
+import { n as autoPreload, t as asResolvers } from "../chunks/auto-preload-CrSuZDg1.js";
+export { asResolvers, autoPreload };

package/dist/plugins/aws.d.ts

@@ -0,0 +1,52 @@
+import { SecretProvider } from './types.js';
+export interface AwsSecretsOptions {
+    /** AWS region the secrets live in (e.g. "us-east-1"). */
+    readonly region: string;
+    /**
+     * Override the default SDK client. Useful for tests, for sharing a
+     * client across plugins, or when your environment needs a custom
+     * credential provider chain. The object only needs a `send(command)`
+     * method that returns a `{ SecretString?: string; SecretBinary?: Uint8Array }`.
+     */
+    readonly client?: {
+        send: (cmd: unknown) => Promise<{
+            SecretString?: string;
+            SecretBinary?: Uint8Array;
+        }>;
+    };
+    /**
+     * Custom name for this provider instance. Defaults to `"aws-secrets"`,
+     * matching the conventional `${aws-secrets:my-id}` reference shape. If
+     * you want multiple AWS regions to coexist, give each a distinct name
+     * (`"aws-us"`, `"aws-eu"`) and reference accordingly.
+     */
+    readonly name?: string;
+}
+/**
+ * AWS Secrets Manager provider.
+ *
+ * ```ts
+ * import { awsSecrets } from "@super-repo/envx/plugins/aws";
+ *
+ * const aws = awsSecrets({ region: "us-east-1" });
+ * await aws.preload(["prod/db", "prod/api-key"]);
+ *
+ * envx({
+ *   resolvers: { [aws.name]: aws.resolve },
+ * });
+ * ```
+ *
+ * Reference shape in `.env*`:
+ *
+ * ```
+ * DATABASE_URL=${aws-secrets:prod/db}
+ * API_KEY=${aws-secrets:prod/api-key}
+ * ```
+ *
+ * The plugin uses `@aws-sdk/client-secrets-manager` (lazy-loaded —
+ * only required when `preload()` runs). Install it in your app:
+ *
+ *     pnpm add @aws-sdk/client-secrets-manager
+ */
+export declare function awsSecrets(opts: AwsSecretsOptions): SecretProvider;
+//# sourceMappingURL=aws.d.ts.map

package/dist/plugins/aws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aws.d.ts","sourceRoot":"","sources":["../../src/plugins/aws.ts"],"names":[],"mappings":"AAAA,OAAO,EAAkC,KAAK,cAAc,EAAE,MAAM,YAAY,CAAC;AAIjF,MAAM,WAAW,iBAAiB;IAChC,yDAAyD;IACzD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,QAAQ,CAAC,MAAM,CAAC,EAAE;QAChB,IAAI,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC;YAC9B,YAAY,CAAC,EAAE,MAAM,CAAC;YACtB,YAAY,CAAC,EAAE,UAAU,CAAC;SAC3B,CAAC,CAAC;KACJ,CAAC;IACF;;;;;OAKG;IACH,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,iBAAiB,GAAG,cAAc,CAkDlE"}

package/dist/plugins/aws.js

@@ -0,0 +1,2 @@
+import { t as awsSecrets } from "../chunks/aws-DgcXfw-Y.js";
+export { awsSecrets };