@udondan/avanti 0.19.1 → 0.21.0

package/README.md

@@ -15,11 +15,13 @@ atomic rollbacks, and diff-before-apply safety.
 - [Usage](#usage)
   - [`avanti diff`](#avanti-diff)
   - [`avanti pull`](#avanti-pull)
+  - [`avanti lock`](#avanti-lock)
 - [History](#history)
   - [`avanti log`](#avanti-log)
   - [`avanti diff <pullId>`](#avanti-diff-pullid)
   - [`avanti revert [pullId]`](#avanti-revert-pullid)
   - [`avanti reset`](#avanti-reset)
+  - [`--verbose` / `-v`](#--verbose---v)
 - [Working Directory](#working-directory)
   - [Path Constraints](#path-constraints)
 - [Configuration](#configuration)
@@ -28,6 +30,9 @@ atomic rollbacks, and diff-before-apply safety.
   - [Directory Sources](#directory-sources)
   - [JSON Merging](#json-merging)
   - [YAML Merging](#yaml-merging)
+  - [TOML Merging](#toml-merging)
+  - [Insert Mode](#insert-mode)
+  - [Conditions](#conditions)
   - [Variables](#variables)
   - [$self — Self-managing Config](#self--self-managing-config)
   - [Authentication](#authentication)
@@ -38,7 +43,7 @@ atomic rollbacks, and diff-before-apply safety.
   - [CI/CD: Shared Workflow Fragments](#cicd-shared-workflow-fragments)
   - [CI/CD: Scheduled Sync PR](#cicd-scheduled-sync-pr)
   - [Environment-Specific Config from a Single Spec](#environment-specific-config-from-a-single-spec)
-  - [Secrets from Vault or S3](#secrets-from-vault-or-s3)
+  - [Secrets from Vault or AWS](#secrets-from-vault-or-aws)
   - [Multi-Project Deployment](#multi-project-deployment)
   - [Docker Compose from Upstream Sources](#docker-compose-from-upstream-sources)
   - [Developer Onboarding Bootstrap](#developer-onboarding-bootstrap)
@@ -90,16 +95,20 @@ avanti revert  # roll back instantly if something breaks
 
 ## Features
 
-- Fetch files from **HTTP/HTTPS**, **local paths**, **GitLab** (via `glab`), **GitHub** (via `gh`), **Bitbucket**, **any git remote**, **S3**, **HashiCorp Vault**, **shell commands**, or **inline raw content**
+- Fetch files from **HTTP/HTTPS**, **local paths**, **GitLab** (via `glab`), **GitHub** (via `gh`), **Bitbucket**, **any git remote**, **S3**, **AWS Secrets Manager**, **SSM Parameter Store**, **HashiCorp Vault**, **shell commands**, or **inline raw content**
 - **Multi-source entries** — combine multiple sources into a single file by providing `src` as a list
-- **JSON merging** — deep-merge multiple JSON/JSONC sources with configurable conflict, array, and object strategies
+- **JSON merging** — deep-merge multiple JSON/JSONC sources with configurable conflict, array, and object strategies; format output with configurable indentation, trailing commas, key sorting, minification, and comment stripping
 - **YAML merging** — deep-merge multiple YAML/YML sources with the same strategies, with full comment preservation
-- **Variables** — define reusable values in a `variables:` block and reference them anywhere with `$name`; use `$env:NAME` for environment variables
+- **TOML merging** — deep-merge multiple TOML sources with configurable conflict, array, and table strategies
+- **Variables** — define reusable values in a `variables:` block and reference them anywhere with `$name`; variables can be plain strings, `$env:NAME` environment variable references, or fetched from any remote/local source (the same source types as `files:`)
 - **Post-processing** — apply text replacements (string or regex) and/or pipe content through a shell script
 - **Directory sync** — recursively sync directories from GitLab/GitHub/Bitbucket/git/S3/local sources
+- **SHA pinning** — pin any remote source to a content fingerprint with `sha:`; use `avanti lock` to compute and write SHAs automatically; `avanti pull --accept-changes` reviews a mismatch and updates the pin
+- **`$self`** — avanti can manage its own config file; declare `$self` in `files:` and the fetched content becomes the active config for the rest of the run, including YAML/JSON merge from multiple sources
 - **Diff preview** — see exactly what will change before applying, or compare against any past pull
 - **Atomic writes** — all files are staged to a temp dir first; targets are only written if everything succeeds
 - **History** — every pull is recorded; inspect what changed, revert the whole project to a past state, or fully undo all avanti changes
+- **Conditions** — use `if` and `ifAny` on file entries or individual sources to conditionally skip based on OS, filesystem path existence, shell command exit code, or whether the target file already exists; supports AND/OR logic and negation with `not: true`
 - **Optional sources** — mark `path:` and `url:` sources `optional: true` to silently skip them when the file is missing or the URL returns 404; lets a central config reference per-user local overrides without erroring on machines that haven't created them
 - **Stale file cleanup** — files dropped from a directory source are automatically deleted or restored to their pre-avanti content
 
@@ -374,14 +383,17 @@ files:
 
 End the target path with `/` to write a directory source as a mirror; omit the trailing slash to merge all files from the directory into a single output file (YAML/JSON auto-detected by extension, or forced with `yaml:`/`json:`).
 
-| Field     | Required | Description                                                                                                                                                                                                                             |
-| --------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `src`     | Yes      | Source (see below). May be a single source or a **list** of sources to concatenate.                                                                                                                                                     |
-| `mode`    | No       | File permission mode, e.g. `"0755"`                                                                                                                                                                                                     |
-| `replace` | No       | List of `{from, to}` replacement rules. `from` may be a plain string or `/pattern/flags` regex.                                                                                                                                         |
-| `post`    | No       | Shell script. Content is piped via stdin; stdout is used as the result. Runs after `replace`.                                                                                                                                           |
-| `json`    | No       | JSON merge/format options (see below). When omitted, merging is auto-enabled if all sources have a `.json` or `.jsonc` extension. Use `true`/`false` to force on or off regardless of extension.                                        |
-| `yaml`    | No       | YAML merge/format options (see below). When omitted, merging is auto-enabled if all sources have a `.yaml` or `.yml` extension. Use `true`/`false` to force on or off regardless of extension. Comments are preserved in merged output. |
+| Field      | Required | Description                                                                                                                                                                                                                             |
+| ---------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `src`      | Yes      | Source (see below). May be a single source or a **list** of sources to concatenate.                                                                                                                                                     |
+| `if`       | No       | Condition object (or list of objects). All must pass for the entry to be processed. See [Conditions](#conditions).                                                                                                                      |
+| `ifAny`    | No       | List of condition objects. At least one must pass. See [Conditions](#conditions).                                                                                                                                                       |
+| `mode`     | No       | File permission mode, e.g. `"0755"`                                                                                                                                                                                                     |
+| `replace`  | No       | List of `{from, to}` replacement rules. `from` may be a plain string or `/pattern/flags` regex.                                                                                                                                         |
+| `post`     | No       | Shell script. Content is piped via stdin; stdout is used as the result. Runs after `replace`.                                                                                                                                           |
+| `json`     | No       | JSON merge/format options (see below). When omitted, merging is auto-enabled if all sources have a `.json` or `.jsonc` extension. Use `true`/`false` to force on or off regardless of extension.                                        |
+| `yaml`     | No       | YAML merge/format options (see below). When omitted, merging is auto-enabled if all sources have a `.yaml` or `.yml` extension. Use `true`/`false` to force on or off regardless of extension. Comments are preserved in merged output. |
+| `strategy` | No       | Write strategy: `replace` _(default)_ — overwrite the target file entirely; `insert` — merge content into the existing file without clobbering unrelated content. See [Insert Mode](#insert-mode).                                      |
 
 ### Source Types
 
@@ -393,7 +405,8 @@ src: ~/templates/file.txt
 src: /absolute/path/file.txt
 ```
 
-**Map** — for path, url, exec, gitlab, github, bitbucket, git, s3, vault, http, raw:
+**Map** — for path, url, exec, gitlab, github, bitbucket, git, aws_s3,
+aws_secrets_manager, aws_systems_manager_parameter, vault, http, raw:
 
 ```yaml
 src:
@@ -461,9 +474,22 @@ src:
   url: git+ssh://git@ssh.git.private.de/org/repo.git//path/to/file.txt@main
 
 src:
-  s3: s3://my-bucket/path/to/file.txt      # S3 URI; end with / for a prefix sync
+  aws_s3: s3://my-bucket/path/to/file.txt  # end with / for a prefix sync
   sha: abc123...                           # optional SHA-256 fingerprint
 
+src:
+  aws_secrets_manager:
+    name: myapp/prod/db         # secret name or ARN
+    key: password               # optional: extract one field from a JSON secret
+    region: us-east-1           # optional: AWS region (default: SDK chain)
+    sha: abc123...              # optional SHA-256 fingerprint
+
+src:
+  aws_systems_manager_parameter:
+    name: /myapp/prod/db-host   # parameter name; end with / for path prefix fetch
+    region: us-east-1           # optional: AWS region (default: SDK chain)
+    sha: abc123...              # optional SHA-256 fingerprint
+
 src:
   vault:
     path: secret/myapp/config   # Vault KV path (mount/subpath)
@@ -521,7 +547,7 @@ files:
   # S3 prefix → local directory (trailing / triggers sync)
   configs/:
     src:
-      s3: s3://my-bucket/configs/
+      aws_s3: s3://my-bucket/configs/
 
   # Local directory → local directory
   .githooks/:
@@ -608,6 +634,11 @@ files:
       conflicts: last_wins # abort | first_wins | last_wins (default)
       arrays: replace # replace (default) | concat
       objects: merge # merge (default) | replace
+      indent: 2 # number of spaces, or "tab"
+      trailing_commas: false # add trailing comma after last item (valid JSONC)
+      sort_keys: false # sort object keys alphabetically
+      minify: false # collapse to single line, strips comments
+      strip_comments: false # remove JSONC comments from output
 ```
 
 - `conflicts` — what to do when the same key holds a scalar (or an array/object when their strategy is `replace`):
@@ -620,6 +651,11 @@ files:
 - `objects` — how to combine objects (maps) at the same key:
   - `merge` _(default)_ — deep merge, applying the same rules recursively to nested keys
   - `replace` — the later source's object replaces the earlier one entirely
+- `indent` _(default: `2`)_ — indentation: a non-negative integer for spaces, or `"tab"` for tab characters
+- `trailing_commas` _(default: `false`)_ — append a trailing comma after the last element in every array and object; valid JSONC syntax that produces cleaner diffs
+- `sort_keys` _(default: `false`)_ — sort all object keys alphabetically (recursive); useful for stable diffs regardless of insertion order; rebuilds objects from scratch so JSONC comments are not preserved in the output
+- `minify` _(default: `false`)_ — collapse output to a single line with no whitespace; also strips JSONC comments since they are not valid in strict JSON; overrides `indent` and `trailing_commas`
+- `strip_comments` _(default: `false`)_ — remove all JSONC comments from the output, producing valid strict JSON; also overrides `trailing_commas` (strict JSON does not support trailing commas)
 
 **Pretty-printing a single file** — `json` works on single-source entries too. Auto-detection applies here as well, so a single `.json` source is pretty-printed automatically:
 
@@ -761,6 +797,129 @@ files:
     src: ./config.toml
 ```
 
+### Insert Mode
+
+By default (`strategy: replace`) avanti overwrites the target file with the fully processed source content. Set `strategy: insert` to **merge** content into an existing file instead of replacing it.
+
+```yaml
+files:
+  .vscode/settings.json:
+    src: ./shared/vscode-settings.json
+    json: true
+    strategy: insert
+```
+
+**How it works:**
+
+- **First run** — the fetched content is merged into the existing file (or written as-is if the file does not exist yet).
+- **Subsequent runs (no-op)** — avanti detects that the raw source and the post-processed output (`replace`/`post`) are both unchanged and skips the file entirely.
+- **Subsequent runs (source changed)** — avanti removes the keys/text it previously contributed, then merges the updated content in.
+- **User edits are preserved** — keys or text the user added or modified are left untouched. If a user overrides an avanti-managed key, avanti will not remove it even if the source no longer includes it.
+
+**Structured files (JSON / YAML / TOML):**
+
+Avanti tracks which keys it contributed in the previous pull. On the next pull it removes only those keys (if they still match) and then merges the new contribution. This means:
+
+- Keys removed from the remote source are removed from the local file.
+- Keys the user added or modified independently are preserved.
+- Nested objects and arrays are handled recursively. For arrays, combine with `arrays: concat` so avanti appends items; avanti removes only the items it previously appended, leaving user-owned items intact.
+
+```yaml
+files:
+  tsconfig.json:
+    src: https://example.com/shared-tsconfig.json
+    json:
+      objects: merge
+      arrays: concat
+    strategy: insert
+```
+
+**Plain text:**
+
+On the first insert, the text is appended to the existing file. On subsequent runs, the old block is replaced in-place when the source changes; if it is no longer found (e.g. the user removed it), the new block is appended.
+
+### Conditions
+
+Use `if` and `ifAny` on a file entry or on an individual source to control when it is processed.
+
+**`if`** — a condition object (or list of objects) where **all** checks must pass (AND).
+
+**`ifAny`** — a list of condition objects where **at least one** must pass (OR).
+
+When both are present, both must pass. Each condition object may also include `not: true` to invert its result.
+
+#### Condition fields
+
+| Field           | Type           | Description                                                                 |
+| --------------- | -------------- | --------------------------------------------------------------------------- |
+| `os`            | string or list | Platform must match. Values: `linux`, `mac`, `windows`. List = any matches. |
+| `exists`        | string         | Path (file or directory) must exist. Variables are resolved.                |
+| `exec`          | string         | Shell command must exit with code `0`.                                      |
+| `target_exists` | `true`         | Skip entry if the target path does not already exist (update-only guard).   |
+| `not`           | boolean        | `true` — invert the result of all checks in this condition object.          |
+
+#### Examples
+
+```yaml
+files:
+  # Only on Linux
+  /etc/app.conf:
+    if:
+      os: linux
+    src: ...
+
+  # Skip on Windows
+  ~/.config/app.conf:
+    if:
+      os: windows
+      not: true
+    src: ...
+
+  # Only if Docker is installed
+  ~/.docker/config.json:
+    if:
+      exec: which docker
+    src: ...
+
+  # Only update — never create
+  ~/.ssh/config:
+    if:
+      target_exists: true
+    src: ...
+
+  # OR: write if on mac OR if app is installed
+  app.conf:
+    ifAny:
+      - os: mac
+      - exec: which app
+    src: ...
+
+  # Combined AND + OR
+  combined.conf:
+    if:
+      os: windows
+      not: true
+    ifAny:
+      - exists: /opt/app
+      - exec: which app
+    src: ...
+```
+
+Conditions also apply at the **source level** within a multi-source entry (plain string sources excluded — use `path:` or `url:` wrapper form):
+
+```yaml
+files:
+  platform.conf:
+    src:
+      - raw: "# linux config\n"
+        if:
+          os: linux
+      - raw: "# mac config\n"
+        if:
+          os: mac
+      - path: /common/base.conf
+```
+
 ### Variables
 
 Define reusable values at the top level under `variables:`:
@@ -826,6 +985,52 @@ replace:
 
 Referencing an undefined variable or a missing environment variable is an error.
 
+#### Source-based variables
+
+A variable can be populated from any remote or local source — the same source types supported by `files:`. Instead of a plain string value, provide a `src:` key:
+
+```yaml
+variables:
+  auth_token:
+    src:
+      aws_secrets_manager:
+        name: my-artifactory-token
+  registry_host: my-registry.example.com
+
+files:
+  .npmrc:
+    src:
+      raw: |
+        registry=https://$registry_host
+        //$registry_host/:_authToken=$auth_token
+```
+
+The fetched content is trimmed of leading and trailing whitespace before being used as the variable value (secrets from AWS Secrets Manager, SSM Parameter Store, Vault, etc. often include a trailing newline).
+
+All source types are supported: `http`, `path`, `url`, `exec`, `github`, `gitlab`, `bitbucket`, `git`, `aws_s3`, `aws_secrets_manager`, `aws_systems_manager_parameter`, `vault`, and `raw`. Multi-source arrays and `json`/`yaml`/`toml` merging work exactly as they do in `files:`:
+
+```yaml
+variables:
+  config:
+    src:
+      - raw: '{"base":"value"}'
+      - raw: '{"extra":"added"}'
+    json:
+      conflicts: last_wins
+```
+
+**Evaluation order** — variables are resolved one by one in the order they are defined. A variable may reference any variable defined above it. Referencing a variable that has not yet been defined (a forward reference) is an error. This rule also prevents circular dependencies.
+
+```yaml
+variables:
+  host: registry.example.com
+  token:
+    src:
+      aws_secrets_manager:
+        name: my-token # fetched first; $host is already resolved
+  registry_line: //$host/:_authToken=$token # both $host and $token are available
+```
+
 `$latest` is a reserved keyword that resolves to the latest published version and cannot be used as a variable name. For GitLab it resolves to the latest tag sorted by semantic version. For GitHub it resolves to the tag of the latest release; if the repository has no releases, it falls back to the most recently created tag. For Bitbucket it resolves to the latest tag sorted by name; if no tags exist, it falls back to the repository's default branch.
 
 When `ref` is omitted, all source types (GitHub, GitLab, Bitbucket, git) resolve to the repository's default branch.
@@ -878,14 +1083,16 @@ files:
 
 Public repositories on github.com and gitlab.com work without any configuration. For private repositories or instances, supply credentials via environment variables:
 
-| Platform  | Environment variable(s)                                          | Notes                                      |
-| --------- | ---------------------------------------------------------------- | ------------------------------------------ |
-| GitHub    | `GITHUB_TOKEN`                                                   | `Authorization: Bearer <token>`            |
-| GitLab    | `GITLAB_TOKEN` or `GITLAB_PRIVATE_TOKEN`                         | `PRIVATE-TOKEN: <token>`                   |
-| Bitbucket | `BITBUCKET_TOKEN`                                                | `Authorization: Bearer <token>`            |
-| Bitbucket | `BITBUCKET_USERNAME` + `BITBUCKET_APP_PASSWORD`                  | Basic auth (alternative to token)          |
-| S3        | Standard AWS env vars (`AWS_ACCESS_KEY_ID`, `AWS_PROFILE`, etc.) | Delegates entirely to the `aws` CLI        |
-| Vault     | `VAULT_TOKEN` + `VAULT_ADDR` (and optionally `VAULT_NAMESPACE`)  | Used when the `vault` CLI is not installed |
+| Platform        | Environment variable(s)                                          | Notes                                      |
+| --------------- | ---------------------------------------------------------------- | ------------------------------------------ |
+| GitHub          | `GITHUB_TOKEN`                                                   | `Authorization: Bearer <token>`            |
+| GitLab          | `GITLAB_TOKEN` or `GITLAB_PRIVATE_TOKEN`                         | `PRIVATE-TOKEN: <token>`                   |
+| Bitbucket       | `BITBUCKET_TOKEN`                                                | `Authorization: Bearer <token>`            |
+| Bitbucket       | `BITBUCKET_USERNAME` + `BITBUCKET_APP_PASSWORD`                  | Basic auth (alternative to token)          |
+| S3              | Standard AWS env vars (`AWS_ACCESS_KEY_ID`, `AWS_PROFILE`, etc.) | AWS SDK credential chain                   |
+| Secrets Manager | Standard AWS env vars (`AWS_ACCESS_KEY_ID`, `AWS_PROFILE`, etc.) | AWS SDK credential chain                   |
+| SSM             | Standard AWS env vars (`AWS_ACCESS_KEY_ID`, `AWS_PROFILE`, etc.) | AWS SDK credential chain                   |
+| Vault           | `VAULT_TOKEN` + `VAULT_ADDR` (and optionally `VAULT_NAMESPACE`)  | Used when the `vault` CLI is not installed |
 
 If a GitHub or GitLab request fails with a 401, 403, or 404 response, or with a network-level connectivity error, and `gh` / `glab` is installed and authenticated, the tool falls back to the CLI automatically. This means existing CLI setups continue to work for private repos without any extra configuration.
 
@@ -900,7 +1107,8 @@ HTTP server errors (5xx) do not trigger CLI fallback regardless of the `via` ord
 
 **Vault** uses the `vault` CLI when it is installed (picks up `VAULT_TOKEN`, `~/.vault-token`, and any other auth methods configured in the CLI). If the CLI is not available, it falls back to the HTTP API using `VAULT_ADDR` and `VAULT_TOKEN`.
 
-**S3** delegates entirely to the `aws` CLI, so any credential method that works with `aws s3 cp` (env vars, `~/.aws/credentials`, instance profiles, etc.) works here too.
+**S3, Secrets Manager, and SSM** use the AWS SDK default credential chain (env
+vars, `~/.aws/credentials`, instance profiles, etc.).
 
 ### Private Instances
 
@@ -1123,9 +1331,13 @@ files:
 
 CI sets `DEPLOY_VERSION` and `ENVIRONMENT`; the config pins every file to exactly the version being deployed.
 
-### Secrets from Vault or S3
+### Secrets from Vault or AWS
 
-Pull secrets at runtime and write them to local files with tight permissions. The native `vault:` and `s3:` sources handle auth automatically via the CLI or env vars — no shell scripting needed.
+Pull secrets at runtime and write them to local files with tight permissions.
+The native `vault:` source authenticates via the Vault CLI or `VAULT_TOKEN` env
+var. The `aws_s3:`, `aws_secrets_manager:`, and `aws_systems_manager_parameter:`
+sources authenticate via the AWS SDK credential chain (env vars, `~/.aws/credentials`,
+IAM roles). No shell scripting needed.
 
 ```yaml
 files:
@@ -1147,7 +1359,7 @@ files:
   # Config file stored in S3
   config/app.json:
     src:
-      s3: s3://my-bucket/configs/app.json
+      aws_s3: s3://my-bucket/configs/app.json
     mode: '0600'
 ```
 

package/dist/commands/diff.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../src/commands/diff.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAyFpC,wBAAgB,WAAW,IAAI,OAAO,CAsIrC"}
+{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../src/commands/diff.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAmKpC,wBAAgB,WAAW,IAAI,OAAO,CAoJrC"}

package/dist/commands/diff.js

@@ -35,26 +35,52 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.diffCommand = diffCommand;
 const commander_1 = require("commander");
+const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const config_1 = require("../config");
 const sources_1 = require("../sources");
 const replace_1 = require("../processors/replace");
 const post_1 = require("../processors/post");
+const insert_1 = require("../processors/insert");
 const binary_1 = require("../binary");
 const diff_1 = require("../diff");
 const history_1 = require("../history");
-async function runDiffLoop(config, workingDir, cache) {
-    const vars = config.variables ?? {};
+const variables_remote_1 = require("../variables-remote");
+const condition_1 = require("../condition");
+async function runDiffLoop(config, workingDir, cache, configPath, history) {
+    let vars;
+    try {
+        vars = await (0, variables_remote_1.resolveVariableSpec)(config.variables ?? {}, workingDir, cache);
+    }
+    catch (err) {
+        console.error(err instanceof Error ? err.message : String(err));
+        return { allDiffs: [], hasError: true };
+    }
     const allDiffs = [];
     let hasError = false;
     let selfContent;
-    const hasSelf = config_1.SELF_KEY in config.files;
+    let hasSelf = config_1.SELF_KEY in config.files;
+    if (hasSelf) {
+        const selfEntry = config.files[config_1.SELF_KEY];
+        try {
+            hasSelf = (0, condition_1.evaluateConditions)(selfEntry['if'], selfEntry.ifAny, () => configPath !== undefined
+                ? configPath
+                : (0, diff_1.resolveTargetPath)(selfEntry, '', workingDir, vars), workingDir, vars);
+        }
+        catch (err) {
+            console.error(`Error processing ${config_1.SELF_KEY}: ${err instanceof Error ? err.message : String(err)}`);
+            return { allDiffs: [], hasError: true };
+        }
+    }
     for (const [key, entry] of Object.entries(config.files)) {
         const isSelf = key === config_1.SELF_KEY;
-        if (hasSelf && !isSelf)
+        if (hasSelf !== isSelf)
             continue;
         try {
-            const result = await (0, sources_1.fetchSource)(entry, workingDir, vars, cache);
+            if (!isSelf &&
+                !(0, condition_1.evaluateConditions)(entry['if'], entry.ifAny, () => (0, diff_1.resolveTargetPath)(entry, '', workingDir, vars), workingDir, vars))
+                continue;
+            const result = await (0, sources_1.fetchSource)(entry, workingDir, vars, cache, isSelf && configPath !== undefined ? () => configPath : undefined);
             for (const rec of result.sourceRecords) {
                 if (!rec.matched) {
                     console.error(`⚠  SHA mismatch for ${rec.sourceLabel}\n` +
@@ -68,11 +94,23 @@ async function runDiffLoop(config, workingDir, cache) {
             for (const [relPath, rawContent] of result.files) {
                 let content = rawContent;
                 if (!(0, binary_1.isBinary)(content)) {
-                    let text = content.toString('utf8');
+                    const rawText = content.toString('utf8');
+                    let text = rawText;
                     if (entry.replace?.length)
                         text = (0, replace_1.applyReplace)(text, entry.replace, vars);
                     if (entry.post)
                         text = (0, post_1.applyPost)(text, entry.post, vars);
+                    if (entry.strategy === 'insert' && !isSelf) {
+                        const targetPath = (0, diff_1.resolveTargetPath)(entry, relPath, workingDir, vars);
+                        const lastInserted = history?.getInsertedFragment(targetPath) ?? null;
+                        if (lastInserted !== null &&
+                            rawText === lastInserted.raw &&
+                            text === lastInserted.processed &&
+                            fs.existsSync(targetPath)) {
+                            continue; // source and processed output unchanged — would be a no-op write, skip diff
+                        }
+                        text = (0, insert_1.applyInsertMode)(entry, text, lastInserted?.processed ?? null, targetPath);
+                    }
                     content = Buffer.from(text, 'utf8');
                 }
                 if (isSelf) {
@@ -84,7 +122,7 @@ async function runDiffLoop(config, workingDir, cache) {
             }
         }
         catch (err) {
-            console.error(`Error processing ${JSON.stringify(entry.src)}: ${err.message}`);
+            console.error(`Error processing ${JSON.stringify(entry.src)}: ${err instanceof Error ? err.message : String(err)}`);
             hasError = true;
         }
     }
@@ -110,11 +148,12 @@ function diffCommand() {
             config = await (0, config_1.loadConfig)(configPath, via);
         }
         catch (err) {
-            console.error(err.message);
+            console.error(err instanceof Error ? err.message : String(err));
             process.exit(2);
         }
         const fetchCache = new Map();
-        const firstPass = await runDiffLoop(config, workingDir, fetchCache);
+        const history = new history_1.HistoryManager((0, config_1.normalizeConfigKey)(configPath), workingDir);
+        const firstPass = await runDiffLoop(config, workingDir, fetchCache, configPath, history);
         let { allDiffs, hasError } = firstPass;
         if (hasError)
             process.exit(2);
@@ -128,7 +167,7 @@ function diffCommand() {
                     currentConfig = (0, config_1.parseConfigContent)(currentSelfContent);
                 }
                 catch (err) {
-                    console.error(`$self config is invalid: ${err.message}`);
+                    console.error(`$self config is invalid: ${err instanceof Error ? err.message : String(err)}`);
                     process.exit(2);
                 }
                 if (!(config_1.SELF_KEY in currentConfig.files) ||
@@ -137,7 +176,7 @@ function diffCommand() {
                     break;
                 }
                 console.log('$self config resolved; re-evaluating with merged config...');
-                const next = await runDiffLoop(currentConfig, workingDir, fetchCache);
+                const next = await runDiffLoop(currentConfig, workingDir, fetchCache, configPath, history);
                 if (next.hasError) {
                     hasError = true;
                     break;
@@ -158,7 +197,7 @@ function diffCommand() {
                         filesWithoutSelf[k] = v;
                 }
                 if (Object.keys(filesWithoutSelf).length > 0) {
-                    const second = await runDiffLoop({ ...stableConfig, files: filesWithoutSelf }, workingDir, fetchCache);
+                    const second = await runDiffLoop({ ...stableConfig, files: filesWithoutSelf }, workingDir, fetchCache, configPath, history);
                     allDiffs = second.allDiffs;
                     hasError = second.hasError;
                 }

package/dist/commands/diff.js.map

@@ -1 +1 @@
-{"version":3,"file":"diff.js","sourceRoot":"","sources":["../../src/commands/diff.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyFA,kCAsIC;AA/ND,yCAAoC;AACpC,2CAA6B;AAC7B,sCAQmB;AACnB,wCAAqD;AACrD,mDAAqD;AACrD,6CAA+C;AAC/C,sCAAqC;AACrC,kCAKiB;AAGjB,wCAA4C;AAQ5C,KAAK,UAAU,WAAW,CACxB,MAAoB,EACpB,UAAkB,EAClB,KAAkB;IAElB,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC;IACpC,MAAM,QAAQ,GAAe,EAAE,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,WAA+B,CAAC;IAEpC,MAAM,OAAO,GAAG,iBAAQ,IAAI,MAAM,CAAC,KAAK,CAAC;IACzC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,MAAM,GAAG,GAAG,KAAK,iBAAQ,CAAC;QAChC,IAAI,OAAO,IAAI,CAAC,MAAM;YAAE,SAAS;QACjC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAA,qBAAW,EAAC,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;YACjE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;gBACvC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;oBACjB,OAAO,CAAC,KAAK,CACX,uBAAuB,GAAG,CAAC,WAAW,IAAI;wBACxC,gBAAgB,GAAG,CAAC,WAAW,IAAI;wBACnC,gBAAgB,GAAG,CAAC,WAAW,EAAE,CACpC,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,+CAA+C,MAAM,CAAC,KAAK,CAAC,IAAI,oEAAoE,CACrI,CAAC;YACJ,CAAC;YAED,KAAK,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjD,IAAI,OAAO,GAAG,UAAU,CAAC;gBACzB,IAAI,CAAC,IAAA,iBAAQ,EAAC,OAAO,CAAC,EAAE,CAAC;oBACvB,IAAI,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;oBACpC,IAAI,KAAK,CAAC,OAAO,EAAE,MAAM;wBACvB,IAAI,GAAG,IAAA,sBAAY,EAAC,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;oBACjD,IAAI,KAAK,CAAC,IAAI;wBAAE,IAAI,GAAG,IAAA,gBAAS,EAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;oBACzD,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;gBACtC,CAAC;gBACD,IAAI,MAAM,EAAE,CAAC;oBACX,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;oBACvC,SAAS;gBACX,CAAC;gBACD,MAAM,UAAU,GAAG,IAAA,wBAAiB,EAAC,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC;gBACvE,QAAQ,CAAC,IAAI,CAAC,IAAA,kBAAW,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CACX,oBAAoB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,KAAM,GAAa,CAAC,OAAO,EAAE,CAC3E,CAAC;YACF,QAAQ,GAAG,IAAI,CAAC;QAClB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;AAC7C,CAAC;AAED,SAAgB,WAAW;IACzB,OAAO,IAAI,mBAAO,CAAC,MAAM,CAAC;SACvB,WAAW,CACV,0FAA0F,CAC3F;SACA,QAAQ,CACP,UAAU,EACV,uDAAuD,CACxD;SACA,MAAM,CACL,KAAK,EAAE,MAA0B,EAAE,QAAiB,EAAE,GAAY,EAAE,EAAE;QACpE,MAAM,UAAU,GAAG,IAAA,0BAAiB,EAClC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,MAA4B,CAChD,CAAC;QACF,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,UAE5B,CAAC;QACd,MAAM,UAAU,GAAG,aAAa;YAC9B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7B,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QAClB,MAAM,GAAG,GAAG,IAAA,iBAAQ,EAClB,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,GAAyB,EAC5C,OAAO,CACR,CAAC;QAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,kBAAkB,CAChB,MAAM,EACN,IAAA,2BAAkB,EAAC,UAAU,CAAC,EAC9B,UAAU,CACX,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,MAAM,CAAC;QACX,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,IAAA,mBAAU,EAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CAAE,GAAa,CAAC,OAAO,CAAC,CAAC;YACtC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,UAAU,GAAe,IAAI,GAAG,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QACpE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC;QAEvC,IAAI,QAAQ;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAE9B,IAAI,SAAS,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACxC,IAAI,eAAmC,CAAC;YACxC,IAAI,kBAAkB,GAAG,SAAS,CAAC,WAAW,CAAC;YAC/C,IAAI,YAAsC,CAAC;YAE3C,OAAO,YAAY,KAAK,SAAS,EAAE,CAAC;gBAClC,IAAI,aAA2B,CAAC;gBAChC,IAAI,CAAC;oBACH,aAAa,GAAG,IAAA,2BAAkB,EAAC,kBAAkB,CAAC,CAAC;gBACzD,CAAC;gBAAC,OAAO,GAAY,EAAE,CAAC;oBACtB,OAAO,CAAC,KAAK,CACX,4BAA6B,GAAa,CAAC,OAAO,EAAE,CACrD,CAAC;oBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBAED,IACE,CAAC,CAAC,iBAAQ,IAAI,aAAa,CAAC,KAAK,CAAC;oBAClC,kBAAkB,KAAK,eAAe,EACtC,CAAC;oBACD,YAAY,GAAG,aAAa,CAAC;oBAC7B,MAAM;gBACR,CAAC;gBAED,OAAO,CAAC,GAAG,CACT,4DAA4D,CAC7D,CAAC;gBACF,MAAM,IAAI,GAAG,MAAM,WAAW,CAC5B,aAAa,EACb,UAAU,EACV,UAAU,CACX,CAAC;gBAEF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;oBAClB,QAAQ,GAAG,IAAI,CAAC;oBAChB,MAAM;gBACR,CAAC;gBAED,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;oBACnC,YAAY,GAAG,aAAa,CAAC;oBAC7B,MAAM;gBACR,CAAC;gBAED,eAAe,GAAG,kBAAkB,CAAC;gBACrC,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC;YACxC,CAAC;YAED,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;gBAC/B,mEAAmE;gBACnE,mEAAmE;gBACnE,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CACpC,IAAI,CACwB,CAAC;gBAC/B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;oBACxD,IAAI,CAAC,KAAK,iBAAQ;wBAAE,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBAC9C,CAAC;gBACD,IAAI,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC7C,MAAM,MAAM,GAAG,MAAM,WAAW,CAC9B,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAC5C,UAAU,EACV,UAAU,CACX,CAAC;oBACF,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;oBAC3B,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;gBAC7B,CAAC;gBACD,IAAI,CAAC,IAAA,2BAAkB,EAAC,UAAU,CAAC,EAAE,CAAC;oBACpC,MAAM,WAAW,GAAG,QAAQ,CAAC,SAAS,CACpC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,UAAU,CACnC,CAAC;oBACF,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;oBACxD,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;wBACvB,QAAQ,CAAC,IAAI,CAAC,IAAA,kBAAW,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;oBAClD,CAAC;yBAAM,CAAC;wBACN,QAAQ,CAAC,WAAW,CAAC,GAAG,IAAA,kBAAW,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;oBAC3D,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAA,iBAAU,EAAC,QAAQ,CAAC,CAAC;QAErB,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QACtD,IAAI,QAAQ;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CACF,CAAC;AACN,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAc,EACd,UAAkB,EAClB,UAAkB;IAElB,MAAM,OAAO,GAAG,IAAI,wBAAc,CAChC,IAAA,2BAAkB,EAAC,UAAU,CAAC,EAC9B,UAAU,CACX,CAAC;IACF,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;QAC1B,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAClC,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAC5B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAC1D,CAAC;IACF,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CAAC,8BAA8B,MAAM,IAAI,CAAC,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,QAAQ,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAe,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,YAAY,EAAE,EAAE,OAAO,EAAE,CAAC,IAAI,QAAQ,EAAE,CAAC;QACnD,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACrE,IAAI,iBAAiB,KAAK,IAAI;YAAE,SAAS;QACzC,KAAK,CAAC,IAAI,CAAC,IAAA,kBAAW,EAAC,YAAY,EAAE,iBAAiB,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,oFAAoF;IACpF,MAAM,UAAU,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAC9C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAC/C,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;YAAE,SAAS;QACnD,sEAAsE;QACtE,KAAK,CAAC,IAAI,CAAC,IAAA,wBAAiB,EAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,IAAA,iBAAU,EAAC,KAAK,CAAC,CAAC;IAClB,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACnC,CAAC"}
+{"version":3,"file":"diff.js","sourceRoot":"","sources":["../../src/commands/diff.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmKA,kCAoJC;AAvTD,yCAAoC;AACpC,uCAAyB;AACzB,2CAA6B;AAC7B,sCAQmB;AACnB,wCAAqD;AACrD,mDAAqD;AACrD,6CAA+C;AAC/C,iDAAuD;AACvD,sCAAqC;AACrC,kCAKiB;AAGjB,wCAA4C;AAC5C,0DAA0D;AAC1D,4CAAkD;AAQlD,KAAK,UAAU,WAAW,CACxB,MAAoB,EACpB,UAAkB,EAClB,KAAkB,EAClB,UAAmB,EACnB,OAAwB;IAExB,IAAI,IAAI,CAAC;IACT,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,IAAA,sCAAmB,EAAC,MAAM,CAAC,SAAS,IAAI,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;IAC9E,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,OAAO,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAChE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC1C,CAAC;IACD,MAAM,QAAQ,GAAe,EAAE,CAAC;IAChC,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,WAA+B,CAAC;IAEpC,IAAI,OAAO,GAAG,iBAAQ,IAAI,MAAM,CAAC,KAAK,CAAC;IACvC,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,iBAAQ,CAAC,CAAC;QACzC,IAAI,CAAC;YACH,OAAO,GAAG,IAAA,8BAAkB,EAC1B,SAAS,CAAC,IAAI,CAAC,EACf,SAAS,CAAC,KAAK,EACf,GAAG,EAAE,CACH,UAAU,KAAK,SAAS;gBACtB,CAAC,CAAC,UAAU;gBACZ,CAAC,CAAC,IAAA,wBAAiB,EAAC,SAAS,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,EACxD,UAAU,EACV,IAAI,CACL,CAAC;QACJ,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CACX,oBAAoB,iBAAQ,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACpF,CAAC;YACF,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;QAC1C,CAAC;IACH,CAAC;IACD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QACxD,MAAM,MAAM,GAAG,GAAG,KAAK,iBAAQ,CAAC;QAChC,IAAI,OAAO,KAAK,MAAM;YAAE,SAAS;QACjC,IAAI,CAAC;YACH,IACE,CAAC,MAAM;gBACP,CAAC,IAAA,8BAAkB,EACjB,KAAK,CAAC,IAAI,CAAC,EACX,KAAK,CAAC,KAAK,EACX,GAAG,EAAE,CAAC,IAAA,wBAAiB,EAAC,KAAK,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,CAAC,EACpD,UAAU,EACV,IAAI,CACL;gBAED,SAAS;YACX,MAAM,MAAM,GAAG,MAAM,IAAA,qBAAW,EAC9B,KAAK,EACL,UAAU,EACV,IAAI,EACJ,KAAK,EACL,MAAM,IAAI,UAAU,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAClE,CAAC;YACF,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;gBACvC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;oBACjB,OAAO,CAAC,KAAK,CACX,uBAAuB,GAAG,CAAC,WAAW,IAAI;wBACxC,gBAAgB,GAAG,CAAC,WAAW,IAAI;wBACnC,gBAAgB,GAAG,CAAC,WAAW,EAAE,CACpC,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,+CAA+C,MAAM,CAAC,KAAK,CAAC,IAAI,oEAAoE,CACrI,CAAC;YACJ,CAAC;YAED,KAAK,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjD,IAAI,OAAO,GAAG,UAAU,CAAC;gBACzB,IAAI,CAAC,IAAA,iBAAQ,EAAC,OAAO,CAAC,EAAE,CAAC;oBACvB,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;oBACzC,IAAI,IAAI,GAAG,OAAO,CAAC;oBACnB,IAAI,KAAK,CAAC,OAAO,EAAE,MAAM;wBACvB,IAAI,GAAG,IAAA,sBAAY,EAAC,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;oBACjD,IAAI,KAAK,CAAC,IAAI;wBAAE,IAAI,GAAG,IAAA,gBAAS,EAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;oBACzD,IAAI,KAAK,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;wBAC3C,MAAM,UAAU,GAAG,IAAA,wBAAiB,EAClC,KAAK,EACL,OAAO,EACP,UAAU,EACV,IAAI,CACL,CAAC;wBACF,MAAM,YAAY,GAChB,OAAO,EAAE,mBAAmB,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC;wBACnD,IACE,YAAY,KAAK,IAAI;4BACrB,OAAO,KAAK,YAAY,CAAC,GAAG;4BAC5B,IAAI,KAAK,YAAY,CAAC,SAAS;4BAC/B,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EACzB,CAAC;4BACD,SAAS,CAAC,4EAA4E;wBACxF,CAAC;wBACD,IAAI,GAAG,IAAA,wBAAe,EACpB,KAAK,EACL,IAAI,EACJ,YAAY,EAAE,SAAS,IAAI,IAAI,EAC/B,UAAU,CACX,CAAC;oBACJ,CAAC;oBACD,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;gBACtC,CAAC;gBACD,IAAI,MAAM,EAAE,CAAC;oBACX,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;oBACvC,SAAS;gBACX,CAAC;gBACD,MAAM,UAAU,GAAG,IAAA,wBAAiB,EAAC,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,CAAC,CAAC;gBACvE,QAAQ,CAAC,IAAI,CAAC,IAAA,kBAAW,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CACX,oBAAoB,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACrG,CAAC;YACF,QAAQ,GAAG,IAAI,CAAC;QAClB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;AAC7C,CAAC;AAED,SAAgB,WAAW;IACzB,OAAO,IAAI,mBAAO,CAAC,MAAM,CAAC;SACvB,WAAW,CACV,0FAA0F,CAC3F;SACA,QAAQ,CACP,UAAU,EACV,uDAAuD,CACxD;SACA,MAAM,CACL,KAAK,EAAE,MAA0B,EAAE,QAAiB,EAAE,GAAY,EAAE,EAAE;QACpE,MAAM,UAAU,GAAG,IAAA,0BAAiB,EAClC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,MAA4B,CAChD,CAAC;QACF,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,UAE5B,CAAC;QACd,MAAM,UAAU,GAAG,aAAa;YAC9B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC;YAC7B,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QAClB,MAAM,GAAG,GAAG,IAAA,iBAAQ,EAClB,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,GAAyB,EAC5C,OAAO,CACR,CAAC;QAEF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,kBAAkB,CAChB,MAAM,EACN,IAAA,2BAAkB,EAAC,UAAU,CAAC,EAC9B,UAAU,CACX,CAAC;YACF,OAAO;QACT,CAAC;QAED,IAAI,MAAM,CAAC;QACX,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,IAAA,mBAAU,EAAC,UAAU,EAAE,GAAG,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,OAAO,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,MAAM,UAAU,GAAe,IAAI,GAAG,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,IAAI,wBAAc,CAChC,IAAA,2BAAkB,EAAC,UAAU,CAAC,EAC9B,UAAU,CACX,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,WAAW,CACjC,MAAM,EACN,UAAU,EACV,UAAU,EACV,UAAU,EACV,OAAO,CACR,CAAC;QACF,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,SAAS,CAAC;QAEvC,IAAI,QAAQ;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAE9B,IAAI,SAAS,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACxC,IAAI,eAAmC,CAAC;YACxC,IAAI,kBAAkB,GAAG,SAAS,CAAC,WAAW,CAAC;YAC/C,IAAI,YAAsC,CAAC;YAE3C,OAAO,YAAY,KAAK,SAAS,EAAE,CAAC;gBAClC,IAAI,aAA2B,CAAC;gBAChC,IAAI,CAAC;oBACH,aAAa,GAAG,IAAA,2BAAkB,EAAC,kBAAkB,CAAC,CAAC;gBACzD,CAAC;gBAAC,OAAO,GAAY,EAAE,CAAC;oBACtB,OAAO,CAAC,KAAK,CACX,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC/E,CAAC;oBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,CAAC;gBAED,IACE,CAAC,CAAC,iBAAQ,IAAI,aAAa,CAAC,KAAK,CAAC;oBAClC,kBAAkB,KAAK,eAAe,EACtC,CAAC;oBACD,YAAY,GAAG,aAAa,CAAC;oBAC7B,MAAM;gBACR,CAAC;gBAED,OAAO,CAAC,GAAG,CACT,4DAA4D,CAC7D,CAAC;gBACF,MAAM,IAAI,GAAG,MAAM,WAAW,CAC5B,aAAa,EACb,UAAU,EACV,UAAU,EACV,UAAU,EACV,OAAO,CACR,CAAC;gBAEF,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;oBAClB,QAAQ,GAAG,IAAI,CAAC;oBAChB,MAAM;gBACR,CAAC;gBAED,IAAI,IAAI,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;oBACnC,YAAY,GAAG,aAAa,CAAC;oBAC7B,MAAM;gBACR,CAAC;gBAED,eAAe,GAAG,kBAAkB,CAAC;gBACrC,kBAAkB,GAAG,IAAI,CAAC,WAAW,CAAC;YACxC,CAAC;YAED,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;gBAC/B,mEAAmE;gBACnE,mEAAmE;gBACnE,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CACpC,IAAI,CACwB,CAAC;gBAC/B,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;oBACxD,IAAI,CAAC,KAAK,iBAAQ;wBAAE,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBAC9C,CAAC;gBACD,IAAI,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC7C,MAAM,MAAM,GAAG,MAAM,WAAW,CAC9B,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAC5C,UAAU,EACV,UAAU,EACV,UAAU,EACV,OAAO,CACR,CAAC;oBACF,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;oBAC3B,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;gBAC7B,CAAC;gBACD,IAAI,CAAC,IAAA,2BAAkB,EAAC,UAAU,CAAC,EAAE,CAAC;oBACpC,MAAM,WAAW,GAAG,QAAQ,CAAC,SAAS,CACpC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,UAAU,CACnC,CAAC;oBACF,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;oBACxD,IAAI,WAAW,KAAK,CAAC,CAAC,EAAE,CAAC;wBACvB,QAAQ,CAAC,IAAI,CAAC,IAAA,kBAAW,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;oBAClD,CAAC;yBAAM,CAAC;wBACN,QAAQ,CAAC,WAAW,CAAC,GAAG,IAAA,kBAAW,EAAC,UAAU,EAAE,OAAO,CAAC,CAAC;oBAC3D,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAA,iBAAU,EAAC,QAAQ,CAAC,CAAC;QAErB,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QACtD,IAAI,QAAQ;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC9B,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC,CACF,CAAC;AACN,CAAC;AAED,SAAS,kBAAkB,CACzB,MAAc,EACd,UAAkB,EAClB,UAAkB;IAElB,MAAM,OAAO,GAAG,IAAI,wBAAc,CAChC,IAAA,2BAAkB,EAAC,UAAU,CAAC,EAC9B,UAAU,CACX,CAAC;IACF,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;QAC1B,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC1D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAClC,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAC5B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAC1D,CAAC;IACF,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,CAAC,KAAK,CAAC,8BAA8B,MAAM,IAAI,CAAC,CAAC;QACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IAC5D,IAAI,QAAQ,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAC;QACpE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,KAAK,GAAe,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,YAAY,EAAE,EAAE,OAAO,EAAE,CAAC,IAAI,QAAQ,EAAE,CAAC;QACnD,MAAM,iBAAiB,GAAG,OAAO,CAAC,WAAW,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACrE,IAAI,iBAAiB,KAAK,IAAI;YAAE,SAAS;QACzC,KAAK,CAAC,IAAI,CAAC,IAAA,kBAAW,EAAC,YAAY,EAAE,iBAAiB,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,oFAAoF;IACpF,MAAM,UAAU,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAC9C,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAC/C,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC;YAAE,SAAS;QACnD,sEAAsE;QACtE,KAAK,CAAC,IAAI,CAAC,IAAA,wBAAiB,EAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;IACnD,CAAC;IAED,IAAA,iBAAU,EAAC,KAAK,CAAC,CAAC;IAClB,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACnC,CAAC"}

package/dist/commands/lock.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lock.d.ts","sourceRoot":"","sources":["../../src/commands/lock.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAMpC,wBAAgB,WAAW,IAAI,OAAO,CAkFrC"}
+{"version":3,"file":"lock.d.ts","sourceRoot":"","sources":["../../src/commands/lock.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAcpC,wBAAgB,WAAW,IAAI,OAAO,CA2GrC"}

package/dist/commands/lock.js

@@ -37,8 +37,11 @@ exports.lockCommand = lockCommand;
 const commander_1 = require("commander");
 const path = __importStar(require("path"));
 const config_1 = require("../config");
+const condition_1 = require("../condition");
 const sources_1 = require("../sources");
+const diff_1 = require("../diff");
 const config_writeback_1 = require("../config-writeback");
+const variables_remote_1 = require("../variables-remote");
 function lockCommand() {
     return new commander_1.Command('lock')
         .description('Compute and pin SHA values for all remote sources in the config')
@@ -59,16 +62,27 @@ function lockCommand() {
             config = await (0, config_1.loadConfig)(configPath);
         }
         catch (err) {
-            console.error(err.message);
+            console.error(err instanceof Error ? err.message : String(err));
+            process.exit(2);
+        }
+        let vars;
+        try {
+            vars = await (0, variables_remote_1.resolveVariableSpec)(config.variables ?? {}, workingDir);
+        }
+        catch (err) {
+            console.error(err instanceof Error ? err.message : String(err));
             process.exit(2);
         }
-        const vars = config.variables ?? {};
         const toPin = new Map(); // label → sha
         let hasError = false;
         let remoteSourceCount = 0;
-        for (const entry of Object.values(config.files)) {
+        for (const [key, entry] of Object.entries(config.files)) {
             try {
-                const result = await (0, sources_1.fetchSource)(entry, workingDir, vars);
+                if (!(0, condition_1.evaluateConditions)(entry['if'], entry.ifAny, () => key === config_1.SELF_KEY
+                    ? configPath
+                    : (0, diff_1.resolveTargetPath)(entry, '', workingDir, vars), workingDir, vars))
+                    continue;
+                const result = await (0, sources_1.fetchSource)(entry, workingDir, vars, undefined, key === config_1.SELF_KEY ? () => configPath : undefined);
                 remoteSourceCount += result.sourceRecords.length;
                 for (const rec of result.sourceRecords) {
                     if (!opts.force && rec.expectedSha !== undefined)
@@ -77,7 +91,7 @@ function lockCommand() {
                 }
             }
             catch (err) {
-                console.error(`Error processing ${JSON.stringify(entry.src)}: ${err.message}`);
+                console.error(`Error processing ${JSON.stringify(entry.src)}: ${err instanceof Error ? err.message : String(err)}`);
                 hasError = true;
             }
         }