@vhyxvoid/agent 1.0.3 → 1.0.6

package/dist/cli.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 "use strict";
-
-// dist/cli.js
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __commonJS = (cb, mod) => function __require() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
+
+// ../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/error.js
 var require_error = __commonJS({
   "../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/error.js"(exports2) {
     var CommanderError = class extends Error {
@@ -39,6 +39,8 @@ var require_error = __commonJS({
     exports2.InvalidArgumentError = InvalidArgumentError;
   }
 });
+
+// ../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/argument.js
 var require_argument = __commonJS({
   "../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/argument.js"(exports2) {
     var { InvalidArgumentError } = require_error();
@@ -165,6 +167,8 @@ var require_argument = __commonJS({
     exports2.humanReadableArgName = humanReadableArgName;
   }
 });
+
+// ../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/help.js
 var require_help = __commonJS({
   "../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/help.js"(exports2) {
     var { humanReadableArgName } = require_argument();
@@ -765,6 +769,8 @@ ${itemIndentStr}`);
     exports2.stripColor = stripColor;
   }
 });
+
+// ../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/option.js
 var require_option = __commonJS({
   "../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/option.js"(exports2) {
     var { InvalidArgumentError } = require_error();
@@ -1076,6 +1082,8 @@ var require_option = __commonJS({
     exports2.DualOptions = DualOptions;
   }
 });
+
+// ../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/suggestSimilar.js
 var require_suggestSimilar = __commonJS({
   "../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/suggestSimilar.js"(exports2) {
     var maxDistance = 3;
@@ -1154,6 +1162,8 @@ var require_suggestSimilar = __commonJS({
     exports2.suggestSimilar = suggestSimilar;
   }
 });
+
+// ../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js
 var require_command = __commonJS({
   "../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/lib/command.js"(exports2) {
     var EventEmitter = require("node:events").EventEmitter;
@@ -3398,6 +3408,8 @@ Expecting one of '${allowedValues.join("', '")}'`);
     exports2.useColor = useColor;
   }
 });
+
+// ../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/index.js
 var require_commander = __commonJS({
   "../../node_modules/.pnpm/commander@14.0.3/node_modules/commander/index.js"(exports2) {
     var { Argument } = require_argument();
@@ -3418,25 +3430,29 @@ var require_commander = __commonJS({
     exports2.InvalidOptionArgumentError = InvalidArgumentError;
   }
 });
+
+// ../protocol/dist/messages.js
 var require_messages = __commonJS({
   "../protocol/dist/messages.js"(exports2) {
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
   }
 });
+
+// ../protocol/dist/canonical.js
 var require_canonical = __commonJS({
   "../protocol/dist/canonical.js"(exports2) {
     "use strict";
-    var __importDefault2 = exports2 && exports2.__importDefault || function(mod) {
+    var __importDefault = exports2 && exports2.__importDefault || function(mod) {
       return mod && mod.__esModule ? mod : { "default": mod };
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.buildCanonical = buildCanonical;
     exports2.signCanonical = signCanonical;
     exports2.verifyCanonical = verifyCanonical;
-    var crypto_12 = __importDefault2(require("crypto"));
+    var crypto_1 = __importDefault(require("crypto"));
     function buildCanonical(params) {
-      const bodyHash = params.body ? crypto_12.default.createHash("sha256").update(params.body, "utf8").digest("hex") : "";
+      const bodyHash = params.body ? crypto_1.default.createHash("sha256").update(params.body, "utf8").digest("hex") : "";
       return [
         params.method.toUpperCase(),
         params.path,
@@ -3446,23 +3462,25 @@ var require_canonical = __commonJS({
         params.ts.toString()
       ].join("|");
     }
-    function signCanonical(canonical, secretHash2) {
-      return crypto_12.default.createHmac("sha256", secretHash2).update(canonical).digest("hex");
+    function signCanonical(canonical, secretHash) {
+      return crypto_1.default.createHmac("sha256", secretHash).update(canonical).digest("hex");
     }
-    function verifyCanonical(canonical, signature, secretHash2) {
+    function verifyCanonical(canonical, signature, secretHash) {
       try {
-        const expected = signCanonical(canonical, secretHash2);
+        const expected = signCanonical(canonical, secretHash);
         const a = Buffer.from(expected, "hex");
         const b = Buffer.from(signature, "hex");
         if (a.length !== b.length)
           return false;
-        return crypto_12.default.timingSafeEqual(a, b);
+        return crypto_1.default.timingSafeEqual(a, b);
       } catch {
         return false;
       }
     }
   }
 });
+
+// ../protocol/dist/constants.js
 var require_constants = __commonJS({
   "../protocol/dist/constants.js"(exports2) {
     "use strict";
@@ -3509,6 +3527,8 @@ var require_constants = __commonJS({
     };
   }
 });
+
+// ../protocol/dist/serializer.js
 var require_serializer = __commonJS({
   "../protocol/dist/serializer.js"(exports2) {
     "use strict";
@@ -3554,6 +3574,8 @@ var require_serializer = __commonJS({
     exports2.ProtocolError = ProtocolError;
   }
 });
+
+// ../protocol/dist/errors.js
 var require_errors = __commonJS({
   "../protocol/dist/errors.js"(exports2) {
     "use strict";
@@ -3568,6 +3590,8 @@ var require_errors = __commonJS({
     };
   }
 });
+
+// ../protocol/dist/index.js
 var require_dist = __commonJS({
   "../protocol/dist/index.js"(exports2) {
     "use strict";
@@ -3595,16 +3619,18 @@ var require_dist = __commonJS({
     __exportStar(require_errors(), exports2);
   }
 });
+
+// dist/queue/DurableQueue.js
 var require_DurableQueue = __commonJS({
   "dist/queue/DurableQueue.js"(exports2) {
     "use strict";
-    var __importDefault2 = exports2 && exports2.__importDefault || function(mod) {
+    var __importDefault = exports2 && exports2.__importDefault || function(mod) {
       return mod && mod.__esModule ? mod : { "default": mod };
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.DurableQueue = void 0;
-    var better_sqlite3_1 = __importDefault2(require("better-sqlite3"));
-    var crypto_12 = require("crypto");
+    var better_sqlite3_1 = __importDefault(require("better-sqlite3"));
+    var crypto_1 = require("crypto");
     var protocol_1 = require_dist();
     var DurableQueue = class {
       db;
@@ -3649,13 +3675,13 @@ var require_DurableQueue = __commonJS({
         this.db.prepare(`
       INSERT INTO queue (id, direction, payload, ts, attempts, max_attempts, next_retry_at)
       VALUES (?, 'inbound', ?, ?, 0, ?, 0)
-    `).run((0, crypto_12.randomUUID)(), JSON.stringify(payload), Date.now(), protocol_1.LIMITS.QUEUE_MAX_ATTEMPTS_INBOUND);
+    `).run((0, crypto_1.randomUUID)(), JSON.stringify(payload), Date.now(), protocol_1.LIMITS.QUEUE_MAX_ATTEMPTS_INBOUND);
       }
       enqueueOutbound(payload) {
         this.db.prepare(`
       INSERT INTO queue (id, direction, payload, ts, attempts, max_attempts, next_retry_at)
       VALUES (?, 'outbound', ?, ?, 0, ?, 0)
-    `).run((0, crypto_12.randomUUID)(), JSON.stringify(payload), Date.now(), protocol_1.LIMITS.QUEUE_MAX_ATTEMPTS_OUTBOUND);
+    `).run((0, crypto_1.randomUUID)(), JSON.stringify(payload), Date.now(), protocol_1.LIMITS.QUEUE_MAX_ATTEMPTS_OUTBOUND);
       }
       /**
        * Returns all items ready for replay, ordered:
@@ -3716,6 +3742,8 @@ var require_DurableQueue = __commonJS({
     exports2.DurableQueue = DurableQueue;
   }
 });
+
+// dist/cache/ResponseCache.js
 var require_ResponseCache = __commonJS({
   "dist/cache/ResponseCache.js"(exports2) {
     "use strict";
@@ -3838,15 +3866,17 @@ var require_ResponseCache = __commonJS({
     exports2.ResponseCache = ResponseCache;
   }
 });
+
+// dist/proxy/BackendProxy.js
 var require_BackendProxy = __commonJS({
   "dist/proxy/BackendProxy.js"(exports2) {
     "use strict";
-    var __importDefault2 = exports2 && exports2.__importDefault || function(mod) {
+    var __importDefault = exports2 && exports2.__importDefault || function(mod) {
       return mod && mod.__esModule ? mod : { "default": mod };
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.BackendProxy = void 0;
-    var axios_1 = __importDefault2(require("axios"));
+    var axios_1 = __importDefault(require("axios"));
     var protocol_1 = require_dist();
     var ResponseCache_1 = require_ResponseCache();
     var HOP_BY_HOP = /* @__PURE__ */ new Set([
@@ -3954,6 +3984,8 @@ var require_BackendProxy = __commonJS({
     exports2.BackendProxy = BackendProxy;
   }
 });
+
+// dist/batcher/MessageBatcher.js
 var require_MessageBatcher = __commonJS({
   "dist/batcher/MessageBatcher.js"(exports2) {
     "use strict";
@@ -4029,6 +4061,8 @@ var require_MessageBatcher = __commonJS({
     exports2.MessageBatcher = MessageBatcher;
   }
 });
+
+// dist/replay/replayQueue.js
 var require_replayQueue = __commonJS({
   "dist/replay/replayQueue.js"(exports2) {
     "use strict";
@@ -4080,15 +4114,17 @@ var require_replayQueue = __commonJS({
     }
   }
 });
+
+// dist/discovery/LocalDiscoveryServer.js
 var require_LocalDiscoveryServer = __commonJS({
   "dist/discovery/LocalDiscoveryServer.js"(exports2) {
     "use strict";
-    var __importDefault2 = exports2 && exports2.__importDefault || function(mod) {
+    var __importDefault = exports2 && exports2.__importDefault || function(mod) {
       return mod && mod.__esModule ? mod : { "default": mod };
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.LocalDiscoveryServer = void 0;
-    var http_1 = __importDefault2(require("http"));
+    var http_1 = __importDefault(require("http"));
     var protocol_1 = require_dist();
     var LocalDiscoveryServer = class {
       server = null;
@@ -4133,19 +4169,20 @@ var require_LocalDiscoveryServer = __commonJS({
     exports2.LocalDiscoveryServer = LocalDiscoveryServer;
   }
 });
+
+// dist/AgentClient.js
 var require_AgentClient = __commonJS({
   "dist/AgentClient.js"(exports2) {
     "use strict";
-    var __importDefault2 = exports2 && exports2.__importDefault || function(mod) {
+    var __importDefault = exports2 && exports2.__importDefault || function(mod) {
       return mod && mod.__esModule ? mod : { "default": mod };
     };
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.AgentClient = void 0;
-    var ws_1 = __importDefault2(require("ws"));
-    var crypto_12 = require("crypto");
-    var path_1 = __importDefault2(require("path"));
-    var os_1 = __importDefault2(require("os"));
-    var fs_1 = __importDefault2(require("fs"));
+    var ws_1 = __importDefault(require("ws"));
+    var path_1 = __importDefault(require("path"));
+    var os_1 = __importDefault(require("os"));
+    var fs_1 = __importDefault(require("fs"));
     var protocol_1 = require_dist();
     var DurableQueue_1 = require_DurableQueue();
     var BackendProxy_1 = require_BackendProxy();
@@ -4239,24 +4276,14 @@ var require_AgentClient = __commonJS({
       onOpen() {
         this.setState("AUTHENTICATING");
         this.reconnectDelay = protocol_1.TIMING.RECONNECT_INITIAL_MS;
-        const now = Date.now();
-        const requestId = (0, crypto_12.randomUUID)();
-        const canonical = (0, protocol_1.buildCanonical)({
-          method: "AGENT_REGISTER",
-          path: "/agent/register",
-          query: "",
-          body: this.config.label,
-          requestId,
-          ts: now
-        });
         const msg = {
           v: protocol_1.PROTOCOL_VERSION,
           type: "agent:register",
           keyId: this.config.keyId,
           label: this.config.label,
-          requestId,
-          ts: now,
-          signature: (0, protocol_1.signCanonical)(canonical, this.config.secretHash),
+          // agentVersion: this.config.agentVersion,
+          rawSecret: this.config.secret,
+          // ← raw secret, hub applies pepper
           agentVersion: this.config.agentVersion
         };
         this.sendRaw((0, protocol_1.serialize)(msg));
@@ -4295,6 +4322,20 @@ var require_AgentClient = __commonJS({
       async onRegistered(msg) {
         this.agentId = msg.agentId;
         this.setState("CONNECTED");
+        console.log("");
+        console.log("  \u2705  Tunnel active");
+        console.log("");
+        if (msg.tunnelUrl) {
+          console.log(`  Local:   http://localhost:${this.config.port}`);
+          console.log(`  Public:  ${msg.tunnelUrl}`);
+          console.log("");
+          console.log("  Share the Public URL \u2014 it is stable and never changes.");
+          console.log("  Put it in webhooks, .env files, or share with teammates.");
+        } else {
+          console.log(`  Local:  http://localhost:${this.config.port}`);
+          console.log(`  Label:  ${this.config.label}`);
+        }
+        console.log("");
         this.log.info({
           agentId: msg.agentId,
           accountId: msg.accountId,
@@ -4391,11 +4432,13 @@ var require_AgentClient = __commonJS({
     exports2.AgentClient = AgentClient;
   }
 });
+
+// package.json
 var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@vhyxvoid/agent",
-      version: "1.0.2",
+      version: "1.0.6",
       description: "Platform tunnel agent \u2014 connect your local server to the platform",
       keywords: [
         "tunnel",
@@ -4422,6 +4465,7 @@ var require_package = __commonJS({
         axios: "^1.13.2",
         "better-sqlite3": "^12.8.0",
         commander: "^14.0.3",
+        dotenv: "^17.2.3",
         ws: "^8.18.3"
       },
       devDependencies: {
@@ -4435,16 +4479,413 @@ var require_package = __commonJS({
     };
   }
 });
-var __importDefault = exports && exports.__importDefault || function(mod) {
-  return mod && mod.__esModule ? mod : { "default": mod };
-};
+
+// ../../node_modules/.pnpm/dotenv@17.2.3/node_modules/dotenv/package.json
+var require_package2 = __commonJS({
+  "../../node_modules/.pnpm/dotenv@17.2.3/node_modules/dotenv/package.json"(exports2, module2) {
+    module2.exports = {
+      name: "dotenv",
+      version: "17.2.3",
+      description: "Loads environment variables from .env file",
+      main: "lib/main.js",
+      types: "lib/main.d.ts",
+      exports: {
+        ".": {
+          types: "./lib/main.d.ts",
+          require: "./lib/main.js",
+          default: "./lib/main.js"
+        },
+        "./config": "./config.js",
+        "./config.js": "./config.js",
+        "./lib/env-options": "./lib/env-options.js",
+        "./lib/env-options.js": "./lib/env-options.js",
+        "./lib/cli-options": "./lib/cli-options.js",
+        "./lib/cli-options.js": "./lib/cli-options.js",
+        "./package.json": "./package.json"
+      },
+      scripts: {
+        "dts-check": "tsc --project tests/types/tsconfig.json",
+        lint: "standard",
+        pretest: "npm run lint && npm run dts-check",
+        test: "tap run tests/**/*.js --allow-empty-coverage --disable-coverage --timeout=60000",
+        "test:coverage": "tap run tests/**/*.js --show-full-coverage --timeout=60000 --coverage-report=text --coverage-report=lcov",
+        prerelease: "npm test",
+        release: "standard-version"
+      },
+      repository: {
+        type: "git",
+        url: "git://github.com/motdotla/dotenv.git"
+      },
+      homepage: "https://github.com/motdotla/dotenv#readme",
+      funding: "https://dotenvx.com",
+      keywords: [
+        "dotenv",
+        "env",
+        ".env",
+        "environment",
+        "variables",
+        "config",
+        "settings"
+      ],
+      readmeFilename: "README.md",
+      license: "BSD-2-Clause",
+      devDependencies: {
+        "@types/node": "^18.11.3",
+        decache: "^4.6.2",
+        sinon: "^14.0.1",
+        standard: "^17.0.0",
+        "standard-version": "^9.5.0",
+        tap: "^19.2.0",
+        typescript: "^4.8.4"
+      },
+      engines: {
+        node: ">=12"
+      },
+      browser: {
+        fs: false
+      }
+    };
+  }
+});
+
+// ../../node_modules/.pnpm/dotenv@17.2.3/node_modules/dotenv/lib/main.js
+var require_main = __commonJS({
+  "../../node_modules/.pnpm/dotenv@17.2.3/node_modules/dotenv/lib/main.js"(exports2, module2) {
+    var fs = require("fs");
+    var path = require("path");
+    var os = require("os");
+    var crypto = require("crypto");
+    var packageJson = require_package2();
+    var version = packageJson.version;
+    var TIPS = [
+      "\u{1F510} encrypt with Dotenvx: https://dotenvx.com",
+      "\u{1F510} prevent committing .env to code: https://dotenvx.com/precommit",
+      "\u{1F510} prevent building .env in docker: https://dotenvx.com/prebuild",
+      "\u{1F4E1} add observability to secrets: https://dotenvx.com/ops",
+      "\u{1F465} sync secrets across teammates & machines: https://dotenvx.com/ops",
+      "\u{1F5C2}\uFE0F backup and recover secrets: https://dotenvx.com/ops",
+      "\u2705 audit secrets and track compliance: https://dotenvx.com/ops",
+      "\u{1F504} add secrets lifecycle management: https://dotenvx.com/ops",
+      "\u{1F511} add access controls to secrets: https://dotenvx.com/ops",
+      "\u{1F6E0}\uFE0F  run anywhere with `dotenvx run -- yourcommand`",
+      "\u2699\uFE0F  specify custom .env file path with { path: '/custom/path/.env' }",
+      "\u2699\uFE0F  enable debug logging with { debug: true }",
+      "\u2699\uFE0F  override existing env vars with { override: true }",
+      "\u2699\uFE0F  suppress all logs with { quiet: true }",
+      "\u2699\uFE0F  write to custom object with { processEnv: myObject }",
+      "\u2699\uFE0F  load multiple .env files with { path: ['.env.local', '.env'] }"
+    ];
+    function _getRandomTip() {
+      return TIPS[Math.floor(Math.random() * TIPS.length)];
+    }
+    function parseBoolean(value) {
+      if (typeof value === "string") {
+        return !["false", "0", "no", "off", ""].includes(value.toLowerCase());
+      }
+      return Boolean(value);
+    }
+    function supportsAnsi() {
+      return process.stdout.isTTY;
+    }
+    function dim(text) {
+      return supportsAnsi() ? `\x1B[2m${text}\x1B[0m` : text;
+    }
+    var LINE = /(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/mg;
+    function parse(src) {
+      const obj = {};
+      let lines = src.toString();
+      lines = lines.replace(/\r\n?/mg, "\n");
+      let match;
+      while ((match = LINE.exec(lines)) != null) {
+        const key = match[1];
+        let value = match[2] || "";
+        value = value.trim();
+        const maybeQuote = value[0];
+        value = value.replace(/^(['"`])([\s\S]*)\1$/mg, "$2");
+        if (maybeQuote === '"') {
+          value = value.replace(/\\n/g, "\n");
+          value = value.replace(/\\r/g, "\r");
+        }
+        obj[key] = value;
+      }
+      return obj;
+    }
+    function _parseVault(options) {
+      options = options || {};
+      const vaultPath = _vaultPath(options);
+      options.path = vaultPath;
+      const result = DotenvModule.configDotenv(options);
+      if (!result.parsed) {
+        const err = new Error(`MISSING_DATA: Cannot parse ${vaultPath} for an unknown reason`);
+        err.code = "MISSING_DATA";
+        throw err;
+      }
+      const keys = _dotenvKey(options).split(",");
+      const length = keys.length;
+      let decrypted;
+      for (let i = 0; i < length; i++) {
+        try {
+          const key = keys[i].trim();
+          const attrs = _instructions(result, key);
+          decrypted = DotenvModule.decrypt(attrs.ciphertext, attrs.key);
+          break;
+        } catch (error) {
+          if (i + 1 >= length) {
+            throw error;
+          }
+        }
+      }
+      return DotenvModule.parse(decrypted);
+    }
+    function _warn(message) {
+      console.error(`[dotenv@${version}][WARN] ${message}`);
+    }
+    function _debug(message) {
+      console.log(`[dotenv@${version}][DEBUG] ${message}`);
+    }
+    function _log(message) {
+      console.log(`[dotenv@${version}] ${message}`);
+    }
+    function _dotenvKey(options) {
+      if (options && options.DOTENV_KEY && options.DOTENV_KEY.length > 0) {
+        return options.DOTENV_KEY;
+      }
+      if (process.env.DOTENV_KEY && process.env.DOTENV_KEY.length > 0) {
+        return process.env.DOTENV_KEY;
+      }
+      return "";
+    }
+    function _instructions(result, dotenvKey) {
+      let uri;
+      try {
+        uri = new URL(dotenvKey);
+      } catch (error) {
+        if (error.code === "ERR_INVALID_URL") {
+          const err = new Error("INVALID_DOTENV_KEY: Wrong format. Must be in valid uri format like dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=development");
+          err.code = "INVALID_DOTENV_KEY";
+          throw err;
+        }
+        throw error;
+      }
+      const key = uri.password;
+      if (!key) {
+        const err = new Error("INVALID_DOTENV_KEY: Missing key part");
+        err.code = "INVALID_DOTENV_KEY";
+        throw err;
+      }
+      const environment = uri.searchParams.get("environment");
+      if (!environment) {
+        const err = new Error("INVALID_DOTENV_KEY: Missing environment part");
+        err.code = "INVALID_DOTENV_KEY";
+        throw err;
+      }
+      const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`;
+      const ciphertext = result.parsed[environmentKey];
+      if (!ciphertext) {
+        const err = new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate environment ${environmentKey} in your .env.vault file.`);
+        err.code = "NOT_FOUND_DOTENV_ENVIRONMENT";
+        throw err;
+      }
+      return { ciphertext, key };
+    }
+    function _vaultPath(options) {
+      let possibleVaultPath = null;
+      if (options && options.path && options.path.length > 0) {
+        if (Array.isArray(options.path)) {
+          for (const filepath of options.path) {
+            if (fs.existsSync(filepath)) {
+              possibleVaultPath = filepath.endsWith(".vault") ? filepath : `${filepath}.vault`;
+            }
+          }
+        } else {
+          possibleVaultPath = options.path.endsWith(".vault") ? options.path : `${options.path}.vault`;
+        }
+      } else {
+        possibleVaultPath = path.resolve(process.cwd(), ".env.vault");
+      }
+      if (fs.existsSync(possibleVaultPath)) {
+        return possibleVaultPath;
+      }
+      return null;
+    }
+    function _resolveHome(envPath) {
+      return envPath[0] === "~" ? path.join(os.homedir(), envPath.slice(1)) : envPath;
+    }
+    function _configVault(options) {
+      const debug = parseBoolean(process.env.DOTENV_CONFIG_DEBUG || options && options.debug);
+      const quiet = parseBoolean(process.env.DOTENV_CONFIG_QUIET || options && options.quiet);
+      if (debug || !quiet) {
+        _log("Loading env from encrypted .env.vault");
+      }
+      const parsed = DotenvModule._parseVault(options);
+      let processEnv = process.env;
+      if (options && options.processEnv != null) {
+        processEnv = options.processEnv;
+      }
+      DotenvModule.populate(processEnv, parsed, options);
+      return { parsed };
+    }
+    function configDotenv(options) {
+      const dotenvPath = path.resolve(process.cwd(), ".env");
+      let encoding = "utf8";
+      let processEnv = process.env;
+      if (options && options.processEnv != null) {
+        processEnv = options.processEnv;
+      }
+      let debug = parseBoolean(processEnv.DOTENV_CONFIG_DEBUG || options && options.debug);
+      let quiet = parseBoolean(processEnv.DOTENV_CONFIG_QUIET || options && options.quiet);
+      if (options && options.encoding) {
+        encoding = options.encoding;
+      } else {
+        if (debug) {
+          _debug("No encoding is specified. UTF-8 is used by default");
+        }
+      }
+      let optionPaths = [dotenvPath];
+      if (options && options.path) {
+        if (!Array.isArray(options.path)) {
+          optionPaths = [_resolveHome(options.path)];
+        } else {
+          optionPaths = [];
+          for (const filepath of options.path) {
+            optionPaths.push(_resolveHome(filepath));
+          }
+        }
+      }
+      let lastError;
+      const parsedAll = {};
+      for (const path2 of optionPaths) {
+        try {
+          const parsed = DotenvModule.parse(fs.readFileSync(path2, { encoding }));
+          DotenvModule.populate(parsedAll, parsed, options);
+        } catch (e) {
+          if (debug) {
+            _debug(`Failed to load ${path2} ${e.message}`);
+          }
+          lastError = e;
+        }
+      }
+      const populated = DotenvModule.populate(processEnv, parsedAll, options);
+      debug = parseBoolean(processEnv.DOTENV_CONFIG_DEBUG || debug);
+      quiet = parseBoolean(processEnv.DOTENV_CONFIG_QUIET || quiet);
+      if (debug || !quiet) {
+        const keysCount = Object.keys(populated).length;
+        const shortPaths = [];
+        for (const filePath of optionPaths) {
+          try {
+            const relative = path.relative(process.cwd(), filePath);
+            shortPaths.push(relative);
+          } catch (e) {
+            if (debug) {
+              _debug(`Failed to load ${filePath} ${e.message}`);
+            }
+            lastError = e;
+          }
+        }
+        _log(`injecting env (${keysCount}) from ${shortPaths.join(",")} ${dim(`-- tip: ${_getRandomTip()}`)}`);
+      }
+      if (lastError) {
+        return { parsed: parsedAll, error: lastError };
+      } else {
+        return { parsed: parsedAll };
+      }
+    }
+    function config(options) {
+      if (_dotenvKey(options).length === 0) {
+        return DotenvModule.configDotenv(options);
+      }
+      const vaultPath = _vaultPath(options);
+      if (!vaultPath) {
+        _warn(`You set DOTENV_KEY but you are missing a .env.vault file at ${vaultPath}. Did you forget to build it?`);
+        return DotenvModule.configDotenv(options);
+      }
+      return DotenvModule._configVault(options);
+    }
+    function decrypt(encrypted, keyStr) {
+      const key = Buffer.from(keyStr.slice(-64), "hex");
+      let ciphertext = Buffer.from(encrypted, "base64");
+      const nonce = ciphertext.subarray(0, 12);
+      const authTag = ciphertext.subarray(-16);
+      ciphertext = ciphertext.subarray(12, -16);
+      try {
+        const aesgcm = crypto.createDecipheriv("aes-256-gcm", key, nonce);
+        aesgcm.setAuthTag(authTag);
+        return `${aesgcm.update(ciphertext)}${aesgcm.final()}`;
+      } catch (error) {
+        const isRange = error instanceof RangeError;
+        const invalidKeyLength = error.message === "Invalid key length";
+        const decryptionFailed = error.message === "Unsupported state or unable to authenticate data";
+        if (isRange || invalidKeyLength) {
+          const err = new Error("INVALID_DOTENV_KEY: It must be 64 characters long (or more)");
+          err.code = "INVALID_DOTENV_KEY";
+          throw err;
+        } else if (decryptionFailed) {
+          const err = new Error("DECRYPTION_FAILED: Please check your DOTENV_KEY");
+          err.code = "DECRYPTION_FAILED";
+          throw err;
+        } else {
+          throw error;
+        }
+      }
+    }
+    function populate(processEnv, parsed, options = {}) {
+      const debug = Boolean(options && options.debug);
+      const override = Boolean(options && options.override);
+      const populated = {};
+      if (typeof parsed !== "object") {
+        const err = new Error("OBJECT_REQUIRED: Please check the processEnv argument being passed to populate");
+        err.code = "OBJECT_REQUIRED";
+        throw err;
+      }
+      for (const key of Object.keys(parsed)) {
+        if (Object.prototype.hasOwnProperty.call(processEnv, key)) {
+          if (override === true) {
+            processEnv[key] = parsed[key];
+            populated[key] = parsed[key];
+          }
+          if (debug) {
+            if (override === true) {
+              _debug(`"${key}" is already defined and WAS overwritten`);
+            } else {
+              _debug(`"${key}" is already defined and was NOT overwritten`);
+            }
+          }
+        } else {
+          processEnv[key] = parsed[key];
+          populated[key] = parsed[key];
+        }
+      }
+      return populated;
+    }
+    var DotenvModule = {
+      configDotenv,
+      _configVault,
+      _parseVault,
+      config,
+      decrypt,
+      parse,
+      populate
+    };
+    module2.exports.configDotenv = DotenvModule.configDotenv;
+    module2.exports._configVault = DotenvModule._configVault;
+    module2.exports._parseVault = DotenvModule._parseVault;
+    module2.exports.config = DotenvModule.config;
+    module2.exports.decrypt = DotenvModule.decrypt;
+    module2.exports.parse = DotenvModule.parse;
+    module2.exports.populate = DotenvModule.populate;
+    module2.exports = DotenvModule;
+  }
+});
+
+// dist/cli.js
 Object.defineProperty(exports, "__esModule", { value: true });
 var commander_1 = require_commander();
 var AgentClient_1 = require_AgentClient();
-var crypto_1 = __importDefault(require("crypto"));
 var package_json_1 = require_package();
+var dotenv_1 = require_main();
+(0, dotenv_1.config)();
 var program = new commander_1.Command();
-program.name("vhyxvoid").description("Platform tunnel agent.\nConnects your local server to the platform so the frontend SDK can reach it.").version(package_json_1.version).option("-k, --key <keyId>", "API key ID (e.g. vhyxvoid_dev_abc123). Env: VHYXVOID_API_KEY", process.env.VHYXVOID_API_KEY).option("-s, --secret <secret>", "API key secret (shown once at creation). Env: VHYXVOID_SECRET", process.env.VHYXVOID_SECRET).option("-p, --port <port>", "Local backend port to tunnel (e.g. 3000). Env: VHYXVOID_PORT", process.env.VHYXVOID_PORT ?? "3000").option("-l, --label <label>", "Tunnel label \u2014 identifies this agent if you run multiple. Env: VHYXVOID_LABEL", process.env.VHYXVOID_LABEL ?? "default").option("--hub <url>", "Hub WebSocket URL. Env: VHYXVOID_HUB_URL", process.env.VHYXVOID_HUB_URL ?? "wss://hub.yourplatform.com/agent").option("--pepper <pepper>", "Server HMAC pepper (from platform settings). Env: SERVER_HMAC_PEPPER", process.env.SERVER_HMAC_PEPPER ?? "").option("--queue-path <path>", "SQLite queue file path. Default: ~/.vhyxvoid/queue.db", process.env.VHYXVOID_QUEUE_PATH).option("--no-local-discovery", "Disable local discovery server on port 4242").parse(process.argv);
+program.name("vhyxvoid").description("Platform tunnel agent.\nConnects your local server to the platform so the frontend SDK can reach it.").version(package_json_1.version).option("-k, --key <keyId>", "API key ID (e.g. vhyxvoid_dev_abc123). Env: VHYXVOID_API_KEY", process.env.VHYXVOID_API_KEY).option("-s, --secret <secret>", "API key secret (shown once at creation). Env: VHYXVOID_SECRET", process.env.VHYXVOID_SECRET).option("-p, --port <port>", "Local backend port to tunnel (e.g. 3000). Env: VHYXVOID_PORT", process.env.VHYXVOID_PORT ?? "3000").option("-l, --label <label>", "Tunnel label \u2014 identifies this agent if you run multiple. Env: VHYXVOID_LABEL", process.env.VHYXVOID_LABEL ?? "default").option("--hub <url>", "Hub WebSocket URL. Env: VHYXVOID_HUB_URL", process.env.VHYXVOID_HUB_URL ?? "wss://hub.vhyxvoid.com/agent").option("--queue-path <path>", "SQLite queue file path. Default: ~/.vhyxvoid/queue.db", process.env.VHYXVOID_QUEUE_PATH).option("--no-local-discovery", "Disable local discovery server on port 4242").parse(process.argv);
 var opts = program.opts();
 if (!opts.key) {
   console.error("\u274C  --key is required. Get your API key from the platform dashboard.");
@@ -4456,11 +4897,6 @@ if (!opts.secret) {
   console.error("    If you lost it, rotate the key from the dashboard to get a new secret.");
   process.exit(1);
 }
-var pepper = opts.pepper;
-var secretHash = pepper ? crypto_1.default.createHmac("sha256", pepper).update(opts.secret).digest("hex") : crypto_1.default.createHmac("sha256", "dev-pepper").update(opts.secret).digest("hex");
-if (!pepper) {
-  console.warn("\u26A0  --pepper not set. Using dev-pepper \u2014 this will not work in production.\n   Set SERVER_HMAC_PEPPER to match the value in your hub environment.");
-}
 var port = parseInt(opts.port, 10);
 if (isNaN(port) || port < 1 || port > 65535) {
   console.error(`\u274C  Invalid port: "${opts.port}"`);
@@ -4478,7 +4914,7 @@ console.log("");
 var agent = new AgentClient_1.AgentClient({
   hubUrl: opts.hub,
   keyId: opts.key,
-  secretHash,
+  secret: opts.secret,
   label: opts.label,
   port,
   agentVersion: package_json_1.version,