@vess-id/vess 0.2.0-alpha.1

package/dist/cli/env-post-integration.js

@@ -0,0 +1,300 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectScriptsToWrap = detectScriptsToWrap;
+exports.wrapPackageJsonScripts = wrapPackageJsonScripts;
+exports.appendClaudeMd = appendClaudeMd;
+exports.mergeClaudeHook = mergeClaudeHook;
+exports.findPackageJsonRoot = findPackageJsonRoot;
+exports.runPostIntegration = runPostIntegration;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const readline = __importStar(require("node:readline/promises"));
+const cli_utils_1 = require("./cli-utils");
+// --- Script detection ---
+const ENV_DEPENDENT_NAMES = new Set([
+    'dev', 'start', 'build', 'serve', 'preview',
+]);
+const ENV_INDEPENDENT_NAMES = new Set([
+    'lint', 'test', 'format', 'typecheck', 'check', 'prettier', 'eslint',
+]);
+const ENV_DEPENDENT_COMMANDS = [
+    'next', 'vite', 'nuxt', 'remix', 'astro', 'webpack', 'turbo',
+    'nest', 'express', 'flask', 'django', 'rails',
+];
+function detectScriptsToWrap(scripts) {
+    const selected = [];
+    const unselected = [];
+    for (const [name, cmd] of Object.entries(scripts)) {
+        const nameLower = name.toLowerCase();
+        const cmdLower = cmd.toLowerCase();
+        if (ENV_INDEPENDENT_NAMES.has(nameLower)) {
+            unselected.push(name);
+            continue;
+        }
+        if (ENV_DEPENDENT_NAMES.has(nameLower)) {
+            selected.push(name);
+            continue;
+        }
+        if (ENV_DEPENDENT_COMMANDS.some(tool => cmdLower.includes(tool))) {
+            selected.push(name);
+        }
+        else {
+            unselected.push(name);
+        }
+    }
+    return { selected, unselected };
+}
+// --- Package.json wrapping ---
+function wrapPackageJsonScripts(pkgPath, scriptNames) {
+    const raw = fs.readFileSync(pkgPath, 'utf-8');
+    const indentMatch = raw.match(/^(\s+)"/m);
+    const indent = indentMatch ? indentMatch[1].length : 2;
+    let pkg;
+    try {
+        pkg = JSON.parse(raw);
+    }
+    catch {
+        return scriptNames; // All skipped due to parse error
+    }
+    const scripts = pkg.scripts ?? {};
+    const originals = pkg.vess?.originals ?? {};
+    const skipped = [];
+    for (const name of scriptNames) {
+        if (originals[name]) {
+            skipped.push(name);
+            continue;
+        }
+        const original = scripts[name];
+        if (!original)
+            continue;
+        if (original.startsWith('vess run')) {
+            skipped.push(name);
+            continue;
+        }
+        originals[name] = original;
+        scripts[name] = `vess run -- ${original}`;
+    }
+    pkg.scripts = scripts;
+    pkg.vess = { ...pkg.vess, originals };
+    fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, indent) + '\n');
+    return skipped;
+}
+// --- CLAUDE.md ---
+const VESS_SECTION_MARKER = '## VESS Environment Protection';
+const CLAUDE_MD_SCRIPTS_WRAPPED = `
+${VESS_SECTION_MARKER}
+This project's .env contains vess:// references. Secret values are stored in OS Keychain
+and are not available to processes started without VESS env resolution.
+
+When executing commands that require environment variables:
+- Use the project's npm scripts (e.g., npm run dev, npm run build) — they are pre-configured with vess run
+- Do NOT execute commands directly (e.g., next dev, flask run) — vess:// references will not be resolved and the command will fail or run with missing configuration
+`;
+const CLAUDE_MD_NO_SCRIPTS = `
+${VESS_SECTION_MARKER}
+This project's .env contains vess:// references. Secret values are stored in OS Keychain
+and are not available to processes started without VESS env resolution.
+
+When executing commands that require environment variables:
+- Use: vess run -- <command> (e.g., vess run -- next dev, vess run -- flask run)
+- If the project has a task runner with pre-configured scripts, prefer those
+- Do NOT execute commands directly — vess:// references will not be resolved and the command will fail or run with missing configuration
+`;
+function appendClaudeMd(claudeMdPath, scriptsWrapped) {
+    const content = scriptsWrapped ? CLAUDE_MD_SCRIPTS_WRAPPED : CLAUDE_MD_NO_SCRIPTS;
+    if (fs.existsSync(claudeMdPath)) {
+        const existing = fs.readFileSync(claudeMdPath, 'utf-8');
+        if (existing.includes(VESS_SECTION_MARKER)) {
+            return 'skipped';
+        }
+        const separator = existing.endsWith('\n') ? '' : '\n';
+        fs.writeFileSync(claudeMdPath, existing + separator + content);
+        return 'appended';
+    }
+    fs.writeFileSync(claudeMdPath, content.trimStart());
+    return 'created';
+}
+// --- Claude Code Hook ---
+const HOOK_COMMAND = 'vess hook check-env';
+function mergeClaudeHook(settingsDir) {
+    const settingsPath = path.join(settingsDir, 'settings.json');
+    const hookEntry = {
+        type: 'command',
+        command: HOOK_COMMAND,
+    };
+    const matcherEntry = {
+        matcher: 'Bash',
+        hooks: [hookEntry],
+    };
+    if (!fs.existsSync(settingsDir)) {
+        fs.mkdirSync(settingsDir, { recursive: true });
+    }
+    if (fs.existsSync(settingsPath)) {
+        let settings;
+        try {
+            settings = JSON.parse(fs.readFileSync(settingsPath, 'utf-8'));
+        }
+        catch {
+            // Malformed settings.json — skip rather than crash
+            return 'skipped';
+        }
+        const hooks = settings.hooks ?? {};
+        const preToolUse = hooks.PreToolUse ?? [];
+        const exists = preToolUse.some((entry) => entry.hooks?.some((h) => h.command === HOOK_COMMAND));
+        if (exists)
+            return 'skipped';
+        preToolUse.push(matcherEntry);
+        hooks.PreToolUse = preToolUse;
+        settings.hooks = hooks;
+        fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
+        return 'merged';
+    }
+    const settings = { hooks: { PreToolUse: [matcherEntry] } };
+    fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + '\n');
+    return 'created';
+}
+// --- Project root detection ---
+function findPackageJsonRoot(startDir) {
+    let dir = path.resolve(startDir);
+    const root = path.parse(dir).root;
+    while (dir !== root) {
+        if (fs.existsSync(path.join(dir, 'package.json'))) {
+            return dir;
+        }
+        dir = path.dirname(dir);
+    }
+    return null;
+}
+async function runPostIntegration(options) {
+    const result = {
+        scriptsWrapped: false,
+        claudeMdResult: 'declined',
+        hookResult: 'declined',
+        wrappedScriptNames: [],
+    };
+    if (options.skipIntegration) {
+        return result;
+    }
+    (0, cli_utils_1.log)('');
+    (0, cli_utils_1.log)('=== Post-Import Integration (optional) ===');
+    (0, cli_utils_1.log)('');
+    const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stderr,
+    });
+    try {
+        // Step 1: package.json
+        const projectRoot = findPackageJsonRoot(options.envFileDir);
+        if (projectRoot) {
+            const pkgPath = path.join(projectRoot, 'package.json');
+            let pkg;
+            try {
+                pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+            }
+            catch {
+                (0, cli_utils_1.log)('[Step 1/3] package.json is malformed. Skipping script wrapping.');
+                pkg = null;
+            }
+            const scripts = pkg?.scripts ?? {};
+            if (Object.keys(scripts).length > 0) {
+                const { selected, unselected } = detectScriptsToWrap(scripts);
+                (0, cli_utils_1.log)('[Step 1/3] package.json scripts');
+                (0, cli_utils_1.log)('');
+                for (const name of selected) {
+                    (0, cli_utils_1.log)(`  ☑ ${name.padEnd(10)}: ${scripts[name]}`);
+                }
+                for (const name of unselected) {
+                    (0, cli_utils_1.log)(`  ☐ ${name.padEnd(10)}: ${scripts[name]}`);
+                }
+                (0, cli_utils_1.log)('');
+                if (selected.length > 0) {
+                    const yes = await (0, cli_utils_1.promptYesNo)(rl, 'Wrap selected scripts with vess run?');
+                    if (yes) {
+                        const skipped = wrapPackageJsonScripts(pkgPath, selected);
+                        result.scriptsWrapped = true;
+                        result.wrappedScriptNames = selected.filter(s => !skipped.includes(s));
+                        if (skipped.length > 0) {
+                            (0, cli_utils_1.log)(`[vess] Skipped (already wrapped): ${skipped.join(', ')}`);
+                        }
+                        (0, cli_utils_1.log)(`[vess] Wrapped ${result.wrappedScriptNames.length} scripts in package.json`);
+                    }
+                }
+                else {
+                    (0, cli_utils_1.log)('  No env-dependent scripts detected. Skipping.');
+                }
+            }
+            else {
+                (0, cli_utils_1.log)('[Step 1/3] No scripts in package.json. Skipping.');
+            }
+        }
+        else {
+            (0, cli_utils_1.log)('[Step 1/3] No package.json found. Use `vess run -- <command>` for env injection.');
+        }
+        (0, cli_utils_1.log)('');
+        // Step 2: CLAUDE.md
+        (0, cli_utils_1.log)('[Step 2/3] CLAUDE.md AI guidance');
+        const claudeMdPath = path.join(options.envFileDir, 'CLAUDE.md');
+        const claudeYes = await (0, cli_utils_1.promptYesNo)(rl, 'Add VESS environment guidance to CLAUDE.md?');
+        if (claudeYes) {
+            result.claudeMdResult = appendClaudeMd(claudeMdPath, result.scriptsWrapped);
+            if (result.claudeMdResult === 'skipped') {
+                (0, cli_utils_1.log)('[vess] CLAUDE.md already contains VESS guidance');
+            }
+            else {
+                (0, cli_utils_1.log)(`[vess] CLAUDE.md ${result.claudeMdResult}`);
+            }
+        }
+        (0, cli_utils_1.log)('');
+        // Step 3: Claude Code Hook
+        (0, cli_utils_1.log)('[Step 3/3] Claude Code PreToolUse Hook');
+        const hookYes = await (0, cli_utils_1.promptYesNo)(rl, 'Add Claude Code PreToolUse Hook to .claude/settings.json?\n  (Injects advisory context when Bash commands run with vess:// env references)');
+        if (hookYes) {
+            const claudeDir = path.join(options.envFileDir, '.claude');
+            result.hookResult = mergeClaudeHook(claudeDir);
+            if (result.hookResult === 'skipped') {
+                (0, cli_utils_1.log)('[vess] Hook already exists in .claude/settings.json');
+            }
+            else {
+                (0, cli_utils_1.log)(`[vess] .claude/settings.json ${result.hookResult}`);
+            }
+        }
+    }
+    finally {
+        rl.close();
+    }
+    return result;
+}
+//# sourceMappingURL=env-post-integration.js.map

package/dist/cli/env-post-integration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-post-integration.js","sourceRoot":"","sources":["../../src/cli/env-post-integration.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyBA,kDA0BC;AAID,wDAqCC;AA2BD,wCAkBC;AAMD,0CAyCC;AAID,kDAWC;AAgBD,gDA4GC;AAnUD,uCAAwB;AACxB,2CAA4B;AAC5B,iEAAkD;AAClD,2CAA8C;AAE9C,2BAA2B;AAE3B,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS;CAC5C,CAAC,CAAA;AAEF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ;CACrE,CAAC,CAAA;AAEF,MAAM,sBAAsB,GAAG;IAC7B,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO;IAC5D,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO;CAC9C,CAAA;AAOD,SAAgB,mBAAmB,CAAC,OAA+B;IACjE,MAAM,QAAQ,GAAa,EAAE,CAAA;IAC7B,MAAM,UAAU,GAAa,EAAE,CAAA;IAE/B,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAClD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAA;QACpC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;QAElC,IAAI,qBAAqB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACzC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YACrB,SAAQ;QACV,CAAC;QAED,IAAI,mBAAmB,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;YACvC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YACnB,SAAQ;QACV,CAAC;QAED,IAAI,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACjE,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACrB,CAAC;aAAM,CAAC;YACN,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACvB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAA;AACjC,CAAC;AAED,gCAAgC;AAEhC,SAAgB,sBAAsB,CACpC,OAAe,EACf,WAAqB;IAErB,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IAC7C,MAAM,WAAW,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IACzC,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAA;IACtD,IAAI,GAAQ,CAAA;IACZ,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,WAAW,CAAA,CAAC,iCAAiC;IACtD,CAAC;IACD,MAAM,OAAO,GAA2B,GAAG,CAAC,OAAO,IAAI,EAAE,CAAA;IACzD,MAAM,SAAS,GAA2B,GAAG,CAAC,IAAI,EAAE,SAAS,IAAI,EAAE,CAAA;IACnE,MAAM,OAAO,GAAa,EAAE,CAAA;IAE5B,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,IAAI,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YACpB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAClB,SAAQ;QACV,CAAC;QACD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;QAC9B,IAAI,CAAC,QAAQ;YAAE,SAAQ;QACvB,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;YAClB,SAAQ;QACV,CAAC;QACD,SAAS,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAA;QAC1B,OAAO,CAAC,IAAI,CAAC,GAAG,eAAe,QAAQ,EAAE,CAAA;IAC3C,CAAC;IAED,GAAG,CAAC,OAAO,GAAG,OAAO,CAAA;IACrB,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAA;IAErC,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,CAAA;IACnE,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,oBAAoB;AAEpB,MAAM,mBAAmB,GAAG,gCAAgC,CAAA;AAE5D,MAAM,yBAAyB,GAAG;EAChC,mBAAmB;;;;;;;CAOpB,CAAA;AAED,MAAM,oBAAoB,GAAG;EAC3B,mBAAmB;;;;;;;;CAQpB,CAAA;AAED,SAAgB,cAAc,CAC5B,YAAoB,EACpB,cAAuB;IAEvB,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,oBAAoB,CAAA;IAEjF,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;QACvD,IAAI,QAAQ,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC3C,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAA;QACrD,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC,CAAA;QAC9D,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,OAAO,CAAC,SAAS,EAAE,CAAC,CAAA;IACnD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,2BAA2B;AAE3B,MAAM,YAAY,GAAG,qBAAqB,CAAA;AAE1C,SAAgB,eAAe,CAAC,WAAmB;IACjD,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,eAAe,CAAC,CAAA;IAC5D,MAAM,SAAS,GAAG;QAChB,IAAI,EAAE,SAAkB;QACxB,OAAO,EAAE,YAAY;KACtB,CAAA;IACD,MAAM,YAAY,GAAG;QACnB,OAAO,EAAE,MAAM;QACf,KAAK,EAAE,CAAC,SAAS,CAAC;KACnB,CAAA;IAED,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,EAAE,CAAC,SAAS,CAAC,WAAW,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IAChD,CAAC;IAED,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAChC,IAAI,QAAa,CAAA;QACjB,IAAI,CAAC;YACH,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAA;QAC/D,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;YACnD,OAAO,SAAS,CAAA;QAClB,CAAC;QACD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,IAAI,EAAE,CAAA;QAClC,MAAM,UAAU,GAAU,KAAK,CAAC,UAAU,IAAI,EAAE,CAAA;QAEhD,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,KAAU,EAAE,EAAE,CAC5C,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,YAAY,CAAC,CAC1D,CAAA;QACD,IAAI,MAAM;YAAE,OAAO,SAAS,CAAA;QAE5B,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,CAAA;QAC7B,KAAK,CAAC,UAAU,GAAG,UAAU,CAAA;QAC7B,QAAQ,CAAC,KAAK,GAAG,KAAK,CAAA;QACtB,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;QACxE,OAAO,QAAQ,CAAA;IACjB,CAAC;IAED,MAAM,QAAQ,GAAG,EAAE,KAAK,EAAE,EAAE,UAAU,EAAE,CAAC,YAAY,CAAC,EAAE,EAAE,CAAA;IAC1D,EAAE,CAAC,aAAa,CAAC,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;IACxE,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,iCAAiC;AAEjC,SAAgB,mBAAmB,CAAC,QAAgB;IAClD,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAA;IAChC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAA;IAEjC,OAAO,GAAG,KAAK,IAAI,EAAE,CAAC;QACpB,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,EAAE,CAAC;YAClD,OAAO,GAAG,CAAA;QACZ,CAAC;QACD,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAgBM,KAAK,UAAU,kBAAkB,CACtC,OAA+B;IAE/B,MAAM,MAAM,GAA0B;QACpC,cAAc,EAAE,KAAK;QACrB,cAAc,EAAE,UAAU;QAC1B,UAAU,EAAE,UAAU;QACtB,kBAAkB,EAAE,EAAE;KACvB,CAAA;IAED,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5B,OAAO,MAAM,CAAA;IACf,CAAC;IAED,IAAA,eAAG,EAAC,EAAE,CAAC,CAAA;IACP,IAAA,eAAG,EAAC,4CAA4C,CAAC,CAAA;IACjD,IAAA,eAAG,EAAC,EAAE,CAAC,CAAA;IAEP,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC;QAClC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC,CAAA;IAEF,IAAI,CAAC;QACH,uBAAuB;QACvB,MAAM,WAAW,GAAG,mBAAmB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;QAC3D,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,cAAc,CAAC,CAAA;YACtD,IAAI,GAAQ,CAAA;YACZ,IAAI,CAAC;gBACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAA;YACrD,CAAC;YAAC,MAAM,CAAC;gBACP,IAAA,eAAG,EAAC,iEAAiE,CAAC,CAAA;gBACtE,GAAG,GAAG,IAAI,CAAA;YACZ,CAAC;YACD,MAAM,OAAO,GAA2B,GAAG,EAAE,OAAO,IAAI,EAAE,CAAA;YAE1D,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpC,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAA;gBAE7D,IAAA,eAAG,EAAC,iCAAiC,CAAC,CAAA;gBACtC,IAAA,eAAG,EAAC,EAAE,CAAC,CAAA;gBACP,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;oBAC5B,IAAA,eAAG,EAAC,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;gBACjD,CAAC;gBACD,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;oBAC9B,IAAA,eAAG,EAAC,OAAO,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;gBACjD,CAAC;gBACD,IAAA,eAAG,EAAC,EAAE,CAAC,CAAA;gBAEP,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACxB,MAAM,GAAG,GAAG,MAAM,IAAA,uBAAW,EAAC,EAAE,EAAE,sCAAsC,CAAC,CAAA;oBACzE,IAAI,GAAG,EAAE,CAAC;wBACR,MAAM,OAAO,GAAG,sBAAsB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;wBACzD,MAAM,CAAC,cAAc,GAAG,IAAI,CAAA;wBAC5B,MAAM,CAAC,kBAAkB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAA;wBACtE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;4BACvB,IAAA,eAAG,EAAC,qCAAqC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;wBAChE,CAAC;wBACD,IAAA,eAAG,EAAC,kBAAkB,MAAM,CAAC,kBAAkB,CAAC,MAAM,0BAA0B,CAAC,CAAA;oBACnF,CAAC;gBACH,CAAC;qBAAM,CAAC;oBACN,IAAA,eAAG,EAAC,gDAAgD,CAAC,CAAA;gBACvD,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,IAAA,eAAG,EAAC,kDAAkD,CAAC,CAAA;YACzD,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAA,eAAG,EAAC,kFAAkF,CAAC,CAAA;QACzF,CAAC;QAED,IAAA,eAAG,EAAC,EAAE,CAAC,CAAA;QAEP,oBAAoB;QACpB,IAAA,eAAG,EAAC,kCAAkC,CAAC,CAAA;QACvC,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,WAAW,CAAC,CAAA;QAC/D,MAAM,SAAS,GAAG,MAAM,IAAA,uBAAW,EAAC,EAAE,EAAE,6CAA6C,CAAC,CAAA;QACtF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,cAAc,GAAG,cAAc,CAAC,YAAY,EAAE,MAAM,CAAC,cAAc,CAAC,CAAA;YAC3E,IAAI,MAAM,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;gBACxC,IAAA,eAAG,EAAC,iDAAiD,CAAC,CAAA;YACxD,CAAC;iBAAM,CAAC;gBACN,IAAA,eAAG,EAAC,oBAAoB,MAAM,CAAC,cAAc,EAAE,CAAC,CAAA;YAClD,CAAC;QACH,CAAC;QAED,IAAA,eAAG,EAAC,EAAE,CAAC,CAAA;QAEP,2BAA2B;QAC3B,IAAA,eAAG,EAAC,wCAAwC,CAAC,CAAA;QAC7C,MAAM,OAAO,GAAG,MAAM,IAAA,uBAAW,EAC/B,EAAE,EACF,4IAA4I,CAC7I,CAAA;QACD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,CAAA;YAC1D,MAAM,CAAC,UAAU,GAAG,eAAe,CAAC,SAAS,CAAC,CAAA;YAC9C,IAAI,MAAM,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;gBACpC,IAAA,eAAG,EAAC,qDAAqD,CAAC,CAAA;YAC5D,CAAC;iBAAM,CAAC;gBACN,IAAA,eAAG,EAAC,gCAAgC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAA;YAC1D,CAAC;QACH,CAAC;IACH,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAA;IACZ,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/cli/env-restore.d.ts

@@ -0,0 +1,15 @@
+export interface EnvRestoreOptions {
+    profile: string;
+    output?: string;
+}
+/**
+ * Restore plaintext .env from Keychain secrets, gated by biometric authentication.
+ *
+ * Security note (Phase 1): Touch ID serves as a UX gate — it prevents
+ * accidental secret exposure by requiring physical user presence. The
+ * authentication and Keychain read are separate operations within the same
+ * process. Phase 2 will merge these into a single native call using
+ * Security.framework's kSecAccessControlUserPresence for OS-level protection.
+ */
+export declare function runEnvRestore(options: EnvRestoreOptions): Promise<void>;
+//# sourceMappingURL=env-restore.d.ts.map

package/dist/cli/env-restore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-restore.d.ts","sourceRoot":"","sources":["../../src/cli/env-restore.ts"],"names":[],"mappings":"AAUA,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAmF7E"}

package/dist/cli/env-restore.js

@@ -0,0 +1,130 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runEnvRestore = runEnvRestore;
+const fs = __importStar(require("fs"));
+const fs_utils_1 = require("../env/fs-utils");
+const key_manager_1 = require("../identity/key-manager");
+const cli_db_1 = require("./cli-db");
+const cli_utils_1 = require("./cli-utils");
+const user_authenticator_1 = require("../auth/user-authenticator");
+/**
+ * Restore plaintext .env from Keychain secrets, gated by biometric authentication.
+ *
+ * Security note (Phase 1): Touch ID serves as a UX gate — it prevents
+ * accidental secret exposure by requiring physical user presence. The
+ * authentication and Keychain read are separate operations within the same
+ * process. Phase 2 will merge these into a single native call using
+ * Security.framework's kSecAccessControlUserPresence for OS-level protection.
+ */
+async function runEnvRestore(options) {
+    const { profile, output } = options;
+    const writeToStdout = !output || output === '-';
+    // 1. Load profile keys from SQLite metadata
+    const ctx = (0, cli_db_1.openProfileStore)('env restore');
+    if (!ctx)
+        return;
+    const { db, profileStore } = ctx;
+    try {
+        const keys = profileStore.listKeys(profile);
+        if (keys.length === 0) {
+            throw new Error(`No secrets found for profile '${profile}'`);
+        }
+        // 2. Authenticate user (Touch ID on macOS)
+        const authenticator = (0, user_authenticator_1.createAuthenticator)();
+        const available = await authenticator.isAvailable();
+        if (!available) {
+            throw new user_authenticator_1.AuthenticationUnavailableError('Touch ID is required to restore secrets. Biometric authentication is not available on this platform.');
+        }
+        (0, cli_utils_1.log)(`[vess] Requesting authentication to restore ${keys.length} secrets for profile "${profile}"...`);
+        await authenticator.authenticate(`VESS wants to restore env secrets for profile '${profile}'`);
+        // 3. Read secrets from Keychain
+        const keyManager = new key_manager_1.KeyManager();
+        const entries = [];
+        let missingCount = 0;
+        for (const { keyName } of keys) {
+            const value = keyManager.getEnvSecret(profile, keyName);
+            if (value == null) {
+                (0, cli_utils_1.log)(`[vess] Warning: secret '${keyName}' not found in keychain, skipping`);
+                missingCount++;
+                continue;
+            }
+            entries.push({ key: keyName, value });
+        }
+        // 4. Sort alphabetically and format output
+        entries.sort((a, b) => a.key.localeCompare(b.key));
+        const lines = entries.map(({ key, value }) => {
+            if (needsQuoting(value)) {
+                const escaped = value
+                    .replace(/\\/g, '\\\\')
+                    .replace(/\$/g, '\\$')
+                    .replace(/`/g, '\\`')
+                    .replace(/"/g, '\\"')
+                    .replace(/\n/g, '\\n');
+                return `${key}="${escaped}"`;
+            }
+            return `${key}=${value}`;
+        });
+        const content = lines.join('\n') + '\n';
+        // 5. Write output
+        if (writeToStdout) {
+            process.stdout.write(content);
+        }
+        else {
+            if (fs.existsSync(output)) {
+                (0, cli_utils_1.log)(`[vess] Warning: overwriting existing ${output}`);
+            }
+            (0, fs_utils_1.atomicWriteFile)(output, content);
+        }
+        // 6. Summary
+        const dest = writeToStdout ? 'stdout' : output;
+        (0, cli_utils_1.log)(`[vess] Restored ${entries.length} secrets for profile "${profile}" to ${dest}`);
+        if (missingCount > 0) {
+            (0, cli_utils_1.log)(`[vess] ${missingCount} secret(s) were not found in keychain`);
+        }
+    }
+    finally {
+        db.close();
+    }
+}
+/** Check if a value needs double-quoting in .env format */
+function needsQuoting(value) {
+    if (value.length === 0)
+        return true; // produce KEY="" for empty values
+    if (value.startsWith(' ') || value.endsWith(' '))
+        return true;
+    return /[#"'$`\n\t\\]/.test(value) || value.includes(' ');
+}
+//# sourceMappingURL=env-restore.js.map

package/dist/cli/env-restore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-restore.js","sourceRoot":"","sources":["../../src/cli/env-restore.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,sCAmFC;AA3GD,uCAAwB;AACxB,8CAAiD;AACjD,yDAAoD;AACpD,qCAA2C;AAC3C,2CAAiC;AACjC,mEAGmC;AAOnC;;;;;;;;GAQG;AACI,KAAK,UAAU,aAAa,CAAC,OAA0B;IAC5D,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAA;IACnC,MAAM,aAAa,GAAG,CAAC,MAAM,IAAI,MAAM,KAAK,GAAG,CAAA;IAE/C,4CAA4C;IAC5C,MAAM,GAAG,GAAG,IAAA,yBAAgB,EAAC,aAAa,CAAC,CAAA;IAC3C,IAAI,CAAC,GAAG;QAAE,OAAM;IAEhB,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,GAAG,GAAG,CAAA;IAEhC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;QAE3C,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,iCAAiC,OAAO,GAAG,CAAC,CAAA;QAC9D,CAAC;QAED,2CAA2C;QAC3C,MAAM,aAAa,GAAG,IAAA,wCAAmB,GAAE,CAAA;QAC3C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,WAAW,EAAE,CAAA;QACnD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,mDAA8B,CACtC,sGAAsG,CACvG,CAAA;QACH,CAAC;QAED,IAAA,eAAG,EAAC,+CAA+C,IAAI,CAAC,MAAM,yBAAyB,OAAO,MAAM,CAAC,CAAA;QACrG,MAAM,aAAa,CAAC,YAAY,CAC9B,kDAAkD,OAAO,GAAG,CAC7D,CAAA;QAED,gCAAgC;QAChC,MAAM,UAAU,GAAG,IAAI,wBAAU,EAAE,CAAA;QACnC,MAAM,OAAO,GAA0C,EAAE,CAAA;QACzD,IAAI,YAAY,GAAG,CAAC,CAAA;QAEpB,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,UAAU,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;YACvD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;gBAClB,IAAA,eAAG,EAAC,2BAA2B,OAAO,mCAAmC,CAAC,CAAA;gBAC1E,YAAY,EAAE,CAAA;gBACd,SAAQ;YACV,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAA;QACvC,CAAC;QAED,2CAA2C;QAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAA;QAElD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE;YAC3C,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,OAAO,GAAG,KAAK;qBAClB,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;qBACtB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;qBACrB,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;qBACpB,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;qBACpB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;gBACxB,OAAO,GAAG,GAAG,KAAK,OAAO,GAAG,CAAA;YAC9B,CAAC;YACD,OAAO,GAAG,GAAG,IAAI,KAAK,EAAE,CAAA;QAC1B,CAAC,CAAC,CAAA;QAEF,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAA;QAEvC,kBAAkB;QAClB,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAC/B,CAAC;aAAM,CAAC;YACN,IAAI,EAAE,CAAC,UAAU,CAAC,MAAO,CAAC,EAAE,CAAC;gBAC3B,IAAA,eAAG,EAAC,wCAAwC,MAAM,EAAE,CAAC,CAAA;YACvD,CAAC;YACD,IAAA,0BAAe,EAAC,MAAO,EAAE,OAAO,CAAC,CAAA;QACnC,CAAC;QAED,aAAa;QACb,MAAM,IAAI,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAA;QAC9C,IAAA,eAAG,EAAC,mBAAmB,OAAO,CAAC,MAAM,yBAAyB,OAAO,QAAQ,IAAI,EAAE,CAAC,CAAA;QACpF,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;YACrB,IAAA,eAAG,EAAC,UAAU,YAAY,uCAAuC,CAAC,CAAA;QACpE,CAAC;IACH,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,KAAK,EAAE,CAAA;IACZ,CAAC;AACH,CAAC;AAED,2DAA2D;AAC3D,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA,CAAE,kCAAkC;IACvE,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IAC7D,OAAO,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAA;AAC3D,CAAC"}

package/dist/cli/env.d.ts

@@ -0,0 +1,14 @@
+import { SecretMode } from '../env/env-classifier';
+export interface EnvImportOptions {
+    envFile: string;
+    profile: string;
+    skipKeychain?: boolean;
+    mode?: SecretMode;
+    secretKeys?: string[];
+    plaintextKeys?: string[];
+    dryRun?: boolean;
+    interactive?: boolean;
+    skipIntegration?: boolean;
+}
+export declare function runEnvImport(options: EnvImportOptions): Promise<void>;
+//# sourceMappingURL=env.d.ts.map

package/dist/cli/env.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.d.ts","sourceRoot":"","sources":["../../src/cli/env.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,UAAU,EAA8D,MAAM,uBAAuB,CAAA;AAE9G,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAA;IACf,OAAO,EAAE,MAAM,CAAA;IACf,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;IACrB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAA;IACxB,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB,eAAe,CAAC,EAAE,OAAO,CAAA;CAC1B;AAED,wBAAsB,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CA2J3E"}