@vibesdotdev/secrets 0.0.1

package/README.md

@@ -0,0 +1,59 @@
+# @vibesdotdev/secrets
+
+Runtime-resolved secrets management. Universal core: defines the
+`secrets/store` kind. Backends live in sibling packages.
+
+## Quickstart
+
+### Read a secret
+
+```ts
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+
+const store = await getVibesRuntime().query('secrets/store').resolve();
+const apiKey = await store.get('production', 'STRIPE_API_KEY');
+
+if (!apiKey) {
+  throw new Error('STRIPE_API_KEY not set for production tier');
+}
+```
+
+If no backend is registered for the current scope, `resolve()` throws — apps
+should surface this at bootstrap.
+
+### Declare requirements (consumed by `vibes secrets check`)
+
+Apps declare what secrets they need via `infra/web-app` or `infra/worker`
+descriptors (owned by [`infra-core`](../infra-core/SPEC.md)). The requirements
+resolver extracts them; the CLI compares against the active store.
+
+## CLI
+
+```bash
+vibes secrets check
+vibes secrets list --environment <name>
+vibes secrets list --environment <name> --show-values
+vibes secrets set <key> [value] --environment <name>
+vibes secrets unset <key> --environment <name>
+vibes secrets pull --environment <name>
+vibes secrets push --environment <name>
+```
+
+## Backends
+
+Core ships zero backends. Apps load the backend packages their scope supports:
+
+- [`@vibesdotdev/secrets-backend-env-file`](../secrets-backend-env-file/) — local `.env` files
+- [`@vibesdotdev/secrets-backend-encrypted-local`](../secrets-backend-encrypted-local/) — encrypted local files
+- External vendor integrations (AWS Secrets Manager, Vault, GCP) → [`platform`](../platform/SPEC.md)
+
+## Test
+
+```bash
+bun test
+```
+
+## Docs
+
+- [SPEC.md](./SPEC.md) — package contract, hard rules, migration debt
+- [runtime](../runtime/SPEC.md), [infra-core](../infra-core/SPEC.md)

package/SPEC.md

@@ -0,0 +1,47 @@
+# @vibesdotdev/secrets
+
+Runtime-resolved secrets management. Universal core: defines the `secrets/store` kind, environment-tier resolution, and the requirements resolver. Backends live in sibling packages and register themselves.
+
+## Owns
+
+- **Runtime kind:** `secrets/store`
+- **Kind definition + resolver** (`./kinds/store.kind`): backend resolution by environment tier (`scope.qualifiers.environmentTier`) + descriptor priority
+- **Schemas** (`./kinds/schemas`, `./kinds/store.schema`): Zod descriptors for stores and stored values; `EnvironmentTierSchema`, `SecretsBackendSchema`
+- **Store interface** (`./kinds/store.interface`): TS contract every backend implements (`list`, `get`, `set`, `unset`, `getAll`, `setAll`)
+- **Requirements resolver** (`./requirements/resolver`): reads `infra/web-app` and `infra/worker` descriptors to extract required secrets; helpers for grouping/deduping for `vibes secrets check`
+- **CLI descriptors** (`./cli`): `vibes secrets` group + `check`, `list`, `set`, `unset`, `pull`, `push`, `import`, `export`, `reveal`, `pre-commit-check`. Commands query the runtime; they do not import backends.
+- **Plugin:** `./plugin` (= `./secrets.plugin`) — registers the kind + CLI descriptors only
+
+## Does not own
+
+- **Backend implementations** → each backend is its own package: [`secrets-backend-env-file`](../secrets-backend-env-file/), [`secrets-backend-encrypted-local`](../secrets-backend-encrypted-local/), and future cloud/keychain backends
+- **External vendor integrations** (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, etc.) → [`platform`](../platform/SPEC.md) integrations
+- **Encryption primitive** → [`security`](../security/SPEC.md) / [`config/services`](../config/SPEC.md). Encrypted backends consume it.
+- **Application data persistence** (user/org/business secrets stored as data) → owning module's `storage/manifest`
+- **Auth credentials, sessions, cookies** → [`auth`](../auth/SPEC.md)
+- **Infra descriptor ownership** → [`infra-core`](../infra-core/SPEC.md)
+- **A separate secrets UI surface.** Apps that need a UI consume secrets through the runtime; no standalone secrets app.
+
+## Hard rules
+
+- **The core package is universal.** No FS, crypto, or HTTP imports in core. Anything that breaks browser or Cloudflare bundles belongs in a backend package.
+- **All secret access goes through `runtime.query('secrets/store').resolve()`.** No direct backend imports in features. No reading `.env` files in feature code.
+- **Backend selection is runtime-resolved by scope** (`hardware`, `qualifiers.environmentTier`). Features do not branch on `isCloud`/`connectionMode`.
+- **Environment tiers are canonical** (dev/staging/prod). Backends declare which tiers they serve; the resolver picks the active backend by current tier + priority.
+- **Missing-backend means hard failure.** No silent no-op fallback. `resolve()` throws "no `secrets/store` registered for current scope" if no backend has registered. Apps surface this at bootstrap, not at first secret access.
+- **Backend package contract:** each `secrets-backend-{name}` package exports a plugin that registers a `secrets/store` descriptor + impl. Apps load only the backends their scope can support. Core never imports backend packages.
+- **Requirements resolver is read-only.** It surfaces what's required from infra descriptors. It does not write or modify infra.
+
+## Public entrypoints
+
+`.`, `./kinds`, `./kinds/*`, `./requirements`, `./plugin` (= `./secrets.plugin`).
+
+## Verification
+
+`bun test` from package root. Covers kind registration, environment-tier resolution, requirements resolver against fixture infra descriptors, CLI descriptor wiring. Backend-specific tests live in each backend package.
+
+## Links
+
+- [runtime/SPEC.md](../runtime/SPEC.md)
+- [config/SPEC.md](../config/SPEC.md), [security/SPEC.md](../security/SPEC.md)
+- [infra-core/SPEC.md](../infra-core/SPEC.md), [platform/SPEC.md](../platform/SPEC.md)

package/dist/cli/check/schemas/check-result.d.ts

@@ -0,0 +1,9 @@
+export interface CheckResult {
+    key: string;
+    appId: string;
+    required: boolean;
+    description: string | undefined;
+    status: 'ok' | 'missing' | 'warn';
+    source: string | undefined;
+}
+//# sourceMappingURL=check-result.d.ts.map

package/dist/cli/check/schemas/check-result.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-result.d.ts","sourceRoot":"","sources":["../../../../src/cli/check/schemas/check-result.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,WAAW;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,MAAM,EAAE,IAAI,GAAG,SAAS,GAAG,MAAM,CAAC;IAClC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC;CAC3B"}

package/dist/cli/check/schemas/check-result.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=check-result.js.map

package/dist/cli/check/schemas/check-result.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"check-result.js","sourceRoot":"","sources":["../../../../src/cli/check/schemas/check-result.ts"],"names":[],"mappings":""}

package/dist/cli/check/secrets.check.cli-command.descriptor.d.ts

@@ -0,0 +1,4 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+declare const descriptor: CLICommandAssetDescriptor;
+export default descriptor;
+//# sourceMappingURL=secrets.check.cli-command.descriptor.d.ts.map

package/dist/cli/check/secrets.check.cli-command.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.check.cli-command.descriptor.d.ts","sourceRoot":"","sources":["../../../src/cli/check/secrets.check.cli-command.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAEhF,QAAA,MAAM,UAAU,EAAE,yBAgBjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/check/secrets.check.cli-command.descriptor.js

@@ -0,0 +1,19 @@
+const descriptor = {
+    kind: 'cli/command',
+    id: 'secrets.check',
+    name: 'check',
+    description: 'Validate stored secrets against infra manifest requirements',
+    group: 'secrets',
+    options: [
+        { flags: '--environment <name>', description: 'Target environment (default: current)' },
+        { flags: '--app <id>', description: 'Check a specific app or worker only' },
+        { flags: '--manifest', description: 'Also cross-check against the canonical import manifest' },
+        { flags: '--json', description: 'Output as JSON' }
+    ],
+    surfaces: ['cli'],
+    hardware: ['consumer'],
+    enabled: true,
+    order: 50
+};
+export default descriptor;
+//# sourceMappingURL=secrets.check.cli-command.descriptor.js.map

package/dist/cli/check/secrets.check.cli-command.descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.check.cli-command.descriptor.js","sourceRoot":"","sources":["../../../src/cli/check/secrets.check.cli-command.descriptor.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAA8B;IAC7C,IAAI,EAAE,aAAa;IACnB,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,OAAO;IACb,WAAW,EAAE,6DAA6D;IAC1E,KAAK,EAAE,SAAS;IAChB,OAAO,EAAE;QACR,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,uCAAuC,EAAE;QACvF,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,qCAAqC,EAAE;QAC3E,EAAE,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,wDAAwD,EAAE;QAC9F,EAAE,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,gBAAgB,EAAE;KAClD;IACD,QAAQ,EAAE,CAAC,KAAK,CAAC;IACjB,QAAQ,EAAE,CAAC,UAAU,CAAC;IACtB,OAAO,EAAE,IAAI;IACb,KAAK,EAAE,EAAE;CACT,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/check/secrets.check.cli-command.impl.d.ts

@@ -0,0 +1,5 @@
+declare const _default: {
+    execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void>;
+};
+export default _default;
+//# sourceMappingURL=secrets.check.cli-command.impl.d.ts.map

package/dist/cli/check/secrets.check.cli-command.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.check.cli-command.impl.d.ts","sourceRoot":"","sources":["../../../src/cli/check/secrets.check.cli-command.impl.ts"],"names":[],"mappings":";mBAkBsB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;;AAD5F,wBAiJE"}

package/dist/cli/check/secrets.check.cli-command.impl.js

@@ -0,0 +1,135 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import { resolveSecretRequirements, groupRequirementsByApp } from '../../requirements/resolver';
+import { canonicalImportManifest } from '../../manifest/canonical';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+export default {
+    async execute(_args, opts) {
+        const runtime = getVibesRuntime();
+        const ui = (await runtime.context('cli/ui'));
+        const options = opts;
+        const { name: envName, tier: envTier } = await resolveSecretsEnvironment(ui, options.environment);
+        let requirements = await resolveSecretRequirements(runtime);
+        if (options.app) {
+            requirements = requirements.filter((r) => r.appId === options.app);
+        }
+        if (requirements.length === 0 && !options.manifest) {
+            ui.info(options.app
+                ? `No secret requirements found for app: ${options.app}`
+                : 'No secret requirements found in infra descriptors');
+            return;
+        }
+        const descriptors = runtime.assets('secrets/store').descriptors();
+        const tierStores = descriptors.filter((d) => d.tiers.includes(envTier));
+        const availableKeys = new Map();
+        for (const desc of tierStores) {
+            const impl = (await runtime
+                .query('secrets/store')
+                .withId(desc.id)
+                .resolve());
+            const entries = await impl.list(envName);
+            for (const entry of entries) {
+                if (entry.hasValue && !availableKeys.has(entry.key)) {
+                    availableKeys.set(entry.key, entry.source);
+                }
+            }
+        }
+        const results = requirements.map((req) => {
+            const source = availableKeys.get(req.key);
+            let status;
+            if (source) {
+                status = 'ok';
+            }
+            else if (req.required) {
+                status = 'missing';
+            }
+            else {
+                status = 'warn';
+            }
+            return { ...req, status, source };
+        });
+        const manifestChecks = options.manifest
+            ? canonicalImportManifest.secrets.map((entry) => {
+                const storedIn = availableKeys.get(entry.key);
+                let status;
+                if (storedIn)
+                    status = 'ok';
+                else if (entry.required)
+                    status = 'missing';
+                else
+                    status = 'warn';
+                return { key: entry.key, required: entry.required, source: entry.source, status, storedIn };
+            })
+            : [];
+        if (options.json) {
+            const summary = {
+                environment: envName,
+                tier: envTier,
+                total: results.length,
+                ok: results.filter((r) => r.status === 'ok').length,
+                missing: results.filter((r) => r.status === 'missing').length,
+                warn: results.filter((r) => r.status === 'warn').length,
+                results
+            };
+            if (options.manifest) {
+                summary.manifest = {
+                    total: manifestChecks.length,
+                    ok: manifestChecks.filter((m) => m.status === 'ok').length,
+                    missing: manifestChecks.filter((m) => m.status === 'missing').length,
+                    warn: manifestChecks.filter((m) => m.status === 'warn').length,
+                    results: manifestChecks
+                };
+            }
+            ui.render(summary, { format: 'json' });
+            const manifestMissing = manifestChecks.filter((m) => m.status === 'missing').length;
+            if (results.filter((r) => r.status === 'missing').length > 0 || manifestMissing > 0) {
+                process.exit(1);
+            }
+            return;
+        }
+        const grouped = groupRequirementsByApp(requirements);
+        const okCount = results.filter((r) => r.status === 'ok').length;
+        const missingCount = results.filter((r) => r.status === 'missing').length;
+        const warnCount = results.filter((r) => r.status === 'warn').length;
+        ui.log(`\nSecrets check for environment: ${envName} (${envTier})\n`);
+        for (const [appId, reqs] of grouped) {
+            ui.log(`  ${appId}`);
+            for (const req of reqs) {
+                const result = results.find((r) => r.key === req.key && r.appId === req.appId);
+                if (!result)
+                    continue;
+                const icon = result.status === 'ok' ? '+' : result.status === 'missing' ? 'x' : '?';
+                const label = result.required ? 'required' : 'optional';
+                const src = result.source ? ` (${result.source})` : '';
+                ui.log(`    [${icon}] ${result.key.padEnd(40)} ${label.padEnd(10)} ${result.status}${src}`);
+            }
+            ui.log('');
+        }
+        ui.log(`  Summary: ${okCount} ok, ${missingCount} missing, ${warnCount} optional not set`);
+        if (missingCount > 0) {
+            ui.log(`  Run 'vibes secrets set <KEY>' to add missing secrets`);
+        }
+        ui.log('');
+        let manifestMissing = 0;
+        if (options.manifest && manifestChecks.length > 0) {
+            ui.log(`  Canonical manifest cross-check (${manifestChecks.length} entries)`);
+            for (const m of manifestChecks) {
+                const icon = m.status === 'ok' ? '+' : m.status === 'missing' ? 'x' : '?';
+                const label = m.required ? 'required' : 'optional';
+                const where = m.storedIn ? ` (${m.storedIn})` : ` <- ${m.source}`;
+                ui.log(`    [${icon}] ${m.key.padEnd(40)} ${label.padEnd(10)} ${m.status}${where}`);
+            }
+            const mOk = manifestChecks.filter((m) => m.status === 'ok').length;
+            manifestMissing = manifestChecks.filter((m) => m.status === 'missing').length;
+            const mWarn = manifestChecks.filter((m) => m.status === 'warn').length;
+            ui.log(`  Manifest summary: ${mOk} ok, ${manifestMissing} missing, ${mWarn} optional not set`);
+            if (manifestMissing > 0) {
+                ui.log(`  Run 'vibes secrets import' to populate from local sources`);
+            }
+            ui.log('');
+        }
+        if (missingCount > 0 || manifestMissing > 0) {
+            process.exit(1);
+        }
+    }
+};
+//# sourceMappingURL=secrets.check.cli-command.impl.js.map

package/dist/cli/check/secrets.check.cli-command.impl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.check.cli-command.impl.js","sourceRoot":"","sources":["../../../src/cli/check/secrets.check.cli-command.impl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAKvD,OAAO,EAAE,yBAAyB,EAAE,sBAAsB,EAAE,MAAM,6BAA6B,CAAC;AAChG,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAU1E,eAAe;IACd,KAAK,CAAC,OAAO,CAAC,KAA8B,EAAE,IAA6B;QAC1E,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAc,CAAC;QAC1D,MAAM,OAAO,GAAG,IAKf,CAAC;QAEF,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,yBAAyB,CACvE,EAAE,EACF,OAAO,CAAC,WAAW,CACnB,CAAC;QAEF,IAAI,YAAY,GAAG,MAAM,yBAAyB,CAAC,OAAO,CAAC,CAAC;QAC5D,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YACjB,YAAY,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACpD,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG;gBAClB,CAAC,CAAC,yCAAyC,OAAO,CAAC,GAAG,EAAE;gBACxD,CAAC,CAAC,mDAAmD,CAAC,CAAC;YACxD,OAAO;QACR,CAAC;QAED,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,WAAW,EAA8B,CAAC;QAC9F,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QAExE,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;QAChD,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO;iBACzB,KAAK,CAAC,eAAe,CAAC;iBACtB,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;iBACf,OAAO,EAAE,CAA+B,CAAC;YAC3C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC7B,IAAI,KAAK,CAAC,QAAQ,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;oBACrD,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;gBAC5C,CAAC;YACF,CAAC;QACF,CAAC;QAED,MAAM,OAAO,GAAkB,YAAY,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YACvD,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YAC1C,IAAI,MAAiC,CAAC;YACtC,IAAI,MAAM,EAAE,CAAC;gBACZ,MAAM,GAAG,IAAI,CAAC;YACf,CAAC;iBAAM,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;gBACzB,MAAM,GAAG,SAAS,CAAC;YACpB,CAAC;iBAAM,CAAC;gBACP,MAAM,GAAG,MAAM,CAAC;YACjB,CAAC;YACD,OAAO,EAAE,GAAG,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;QACnC,CAAC,CAAC,CAAC;QAEH,MAAM,cAAc,GAAoB,OAAO,CAAC,QAAQ;YACvD,CAAC,CAAC,uBAAuB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC9C,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC9C,IAAI,MAAiC,CAAC;gBACtC,IAAI,QAAQ;oBAAE,MAAM,GAAG,IAAI,CAAC;qBACvB,IAAI,KAAK,CAAC,QAAQ;oBAAE,MAAM,GAAG,SAAS,CAAC;;oBACvC,MAAM,GAAG,MAAM,CAAC;gBACrB,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;YAC7F,CAAC,CAAC;YACH,CAAC,CAAC,EAAE,CAAC;QAEN,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YAClB,MAAM,OAAO,GAA4B;gBACxC,WAAW,EAAE,OAAO;gBACpB,IAAI,EAAE,OAAO;gBACb,KAAK,EAAE,OAAO,CAAC,MAAM;gBACrB,EAAE,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,MAAM;gBACnD,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;gBAC7D,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM;gBACvD,OAAO;aACP,CAAC;YACF,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACtB,OAAO,CAAC,QAAQ,GAAG;oBAClB,KAAK,EAAE,cAAc,CAAC,MAAM;oBAC5B,EAAE,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,MAAM;oBAC1D,OAAO,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM;oBACpE,IAAI,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM;oBAC9D,OAAO,EAAE,cAAc;iBACvB,CAAC;YACH,CAAC;YACD,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;YACvC,MAAM,eAAe,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;YACpF,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;gBACrF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACjB,CAAC;YACD,OAAO;QACR,CAAC;QAED,MAAM,OAAO,GAAG,sBAAsB,CAAC,YAAY,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC;QAChE,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;QAC1E,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;QAEpE,EAAE,CAAC,GAAG,CAAC,oCAAoC,OAAO,KAAK,OAAO,KAAK,CAAC,CAAC;QAErE,KAAK,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,IAAI,OAAO,EAAE,CAAC;YACrC,EAAE,CAAC,GAAG,CAAC,KAAK,KAAK,EAAE,CAAC,CAAC;YACrB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACxB,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,KAAK,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC;gBAC/E,IAAI,CAAC,MAAM;oBAAE,SAAS;gBACtB,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBACpF,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;gBACxD,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvD,EAAE,CAAC,GAAG,CAAC,QAAQ,IAAI,KAAK,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC,CAAC;YAC7F,CAAC;YACD,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACZ,CAAC;QAED,EAAE,CAAC,GAAG,CAAC,cAAc,OAAO,QAAQ,YAAY,aAAa,SAAS,mBAAmB,CAAC,CAAC;QAC3F,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;YACtB,EAAE,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;QAClE,CAAC;QACD,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEX,IAAI,eAAe,GAAG,CAAC,CAAC;QACxB,IAAI,OAAO,CAAC,QAAQ,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACnD,EAAE,CAAC,GAAG,CAAC,qCAAqC,cAAc,CAAC,MAAM,WAAW,CAAC,CAAC;YAC9E,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;gBAChC,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC1E,MAAM,KAAK,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;gBACnD,MAAM,KAAK,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;gBAClE,EAAE,CAAC,GAAG,CAAC,QAAQ,IAAI,KAAK,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC,CAAC;YACrF,CAAC;YACD,MAAM,GAAG,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC;YACnE,eAAe,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;YAC9E,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;YACvE,EAAE,CAAC,GAAG,CAAC,uBAAuB,GAAG,QAAQ,eAAe,aAAa,KAAK,mBAAmB,CAAC,CAAC;YAC/F,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;gBACzB,EAAE,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;YACvE,CAAC;YACD,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACZ,CAAC;QAED,IAAI,YAAY,GAAG,CAAC,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;YAC7C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACF,CAAC;CACD,CAAC"}

package/dist/cli/export/secrets.export.cli-command.descriptor.d.ts

@@ -0,0 +1,4 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+declare const descriptor: CLICommandAssetDescriptor;
+export default descriptor;
+//# sourceMappingURL=secrets.export.cli-command.descriptor.d.ts.map

package/dist/cli/export/secrets.export.cli-command.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.export.cli-command.descriptor.d.ts","sourceRoot":"","sources":["../../../src/cli/export/secrets.export.cli-command.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAEhF,QAAA,MAAM,UAAU,EAAE,yBAiBjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/export/secrets.export.cli-command.descriptor.js

@@ -0,0 +1,20 @@
+const descriptor = {
+    kind: 'cli/command',
+    id: 'secrets.export',
+    name: 'export',
+    description: 'Export secrets from a local backend to an env-formatted file (audit-logged)',
+    group: 'secrets',
+    options: [
+        { flags: '--environment <name>', description: 'Source environment (default: current)' },
+        { flags: '--from <backend>', description: 'Source backend (default: highest-priority local)' },
+        { flags: '--out <path>', description: 'Output file path (required; created mode 0600)' },
+        { flags: '--manifest-only', description: 'Limit to keys declared in the canonical manifest' },
+        { flags: '--force', description: 'Skip the interactive bulk-reveal confirmation' }
+    ],
+    surfaces: ['cli'],
+    hardware: ['consumer'],
+    enabled: true,
+    order: 35
+};
+export default descriptor;
+//# sourceMappingURL=secrets.export.cli-command.descriptor.js.map

package/dist/cli/export/secrets.export.cli-command.descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.export.cli-command.descriptor.js","sourceRoot":"","sources":["../../../src/cli/export/secrets.export.cli-command.descriptor.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAA8B;IAC7C,IAAI,EAAE,aAAa;IACnB,EAAE,EAAE,gBAAgB;IACpB,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,6EAA6E;IAC1F,KAAK,EAAE,SAAS;IAChB,OAAO,EAAE;QACR,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,uCAAuC,EAAE;QACvF,EAAE,KAAK,EAAE,kBAAkB,EAAE,WAAW,EAAE,kDAAkD,EAAE;QAC9F,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,gDAAgD,EAAE;QACxF,EAAE,KAAK,EAAE,iBAAiB,EAAE,WAAW,EAAE,kDAAkD,EAAE;QAC7F,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,+CAA+C,EAAE;KAClF;IACD,QAAQ,EAAE,CAAC,KAAK,CAAC;IACjB,QAAQ,EAAE,CAAC,UAAU,CAAC;IACtB,OAAO,EAAE,IAAI;IACb,KAAK,EAAE,EAAE;CACT,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/export/secrets.export.cli-command.impl.d.ts

@@ -0,0 +1,5 @@
+declare const _default: {
+    execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void>;
+};
+export default _default;
+//# sourceMappingURL=secrets.export.cli-command.impl.d.ts.map

package/dist/cli/export/secrets.export.cli-command.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.export.cli-command.impl.d.ts","sourceRoot":"","sources":["../../../src/cli/export/secrets.export.cli-command.impl.ts"],"names":[],"mappings":";mBA8DsB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;;AAD5F,wBA6EE"}

package/dist/cli/export/secrets.export.cli-command.impl.js

@@ -0,0 +1,104 @@
+import { resolve, dirname } from 'node:path';
+import { mkdir, writeFile, chmod, rename } from 'node:fs/promises';
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import { canonicalImportManifest } from '../../manifest/canonical.js';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment.js';
+const LOCAL_BACKENDS = new Set(['env-file', 'encrypted-local']);
+function findSourceBackend(descriptors, tier, backendId) {
+    if (backendId)
+        return descriptors.find((d) => d.id === backendId);
+    return descriptors
+        .filter((d) => d.tiers.includes(tier) && LOCAL_BACKENDS.has(d.backend))
+        .sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0))[0];
+}
+function serializeEnv(secrets) {
+    const lines = Object.keys(secrets)
+        .sort()
+        .map((key) => {
+        const value = secrets[key] ?? '';
+        const needsQuote = value.includes(' ') || value.includes('#') || value.includes('"');
+        const escaped = needsQuote ? `"${value.replace(/"/g, '\\"')}"` : value;
+        return `${key}=${escaped}`;
+    });
+    return `# Generated by 'vibes secrets export' — DO NOT COMMIT\n${lines.join('\n')}\n`;
+}
+async function writeEnvFile(path, content) {
+    const absolute = resolve(process.cwd(), path);
+    await mkdir(dirname(absolute), { recursive: true });
+    const tmp = `${absolute}.tmp.${Date.now()}.${Math.random().toString(36).slice(2)}`;
+    await writeFile(tmp, content, { encoding: 'utf-8', mode: 0o600 });
+    await rename(tmp, absolute);
+    await chmod(absolute, 0o600);
+}
+async function promptConfirm(prompt) {
+    process.stderr.write(prompt);
+    for await (const chunk of process.stdin) {
+        const answer = chunk.toString('utf-8').trim().toLowerCase();
+        return answer === 'y' || answer === 'yes';
+    }
+    return false;
+}
+function emitAudit(input) {
+    process.stderr.write(`[AUDIT] ${JSON.stringify({
+        id: crypto.randomUUID(),
+        timestamp: new Date().toISOString(),
+        ...input
+    })}\n`);
+}
+export default {
+    async execute(_args, opts) {
+        const runtime = getVibesRuntime();
+        const ui = (await runtime.context('cli/ui'));
+        const options = opts;
+        if (!options.out) {
+            ui.error('--out <path> is required. Export refuses to write secrets to stdout.');
+            process.exit(1);
+        }
+        const { name: envName, tier: envTier } = await resolveSecretsEnvironment(ui, options.environment);
+        const descriptors = runtime.assets('secrets/store').descriptors();
+        const source = findSourceBackend(descriptors, envTier, options.from);
+        if (!source) {
+            ui.error('No local secrets store found to export from.');
+            process.exit(1);
+        }
+        const impl = (await runtime
+            .query('secrets/store')
+            .withId(source.id)
+            .resolve());
+        let secrets = await impl.getAll(envName);
+        if (options.manifestOnly) {
+            const manifestKeys = new Set(canonicalImportManifest.secrets.map((s) => s.key));
+            secrets = Object.fromEntries(Object.entries(secrets).filter(([k]) => manifestKeys.has(k)));
+        }
+        const count = Object.keys(secrets).length;
+        if (count === 0) {
+            ui.info(`No secrets to export from [${source.id}] for ${envName}.`);
+            return;
+        }
+        if (!options.force) {
+            const confirmed = await promptConfirm(`\n[EXPORT] About to write ${count} secret value(s) from [${source.id}] (${envName}) to ${options.out}.\nThis bulk reveal is logged to the audit trail.\nContinue? [y/N] `);
+            if (!confirmed) {
+                ui.info('Export cancelled.');
+                return;
+            }
+        }
+        emitAudit({
+            category: 'data_access',
+            severity: 'high',
+            action: 'secrets.export',
+            actor: { id: 'cli', type: 'user', name: 'CLI user' },
+            target: { id: source.id, type: 'secrets-store', name: source.id },
+            outcome: 'success',
+            context: {
+                environment: envName,
+                backend: source.id,
+                count,
+                manifestOnly: options.manifestOnly === true,
+                outPath: options.out
+            }
+        });
+        await writeEnvFile(options.out, serializeEnv(secrets));
+        ui.success(`Exported ${count} secret(s) from [${source.id}] to ${options.out} (mode 0600)`);
+    }
+};
+//# sourceMappingURL=secrets.export.cli-command.impl.js.map

package/dist/cli/export/secrets.export.cli-command.impl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.export.cli-command.impl.js","sourceRoot":"","sources":["../../../src/cli/export/secrets.export.cli-command.impl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AACnE,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAKvD,OAAO,EAAE,uBAAuB,EAAE,MAAM,0BAA0B,CAAC;AACnE,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAEhE,SAAS,iBAAiB,CACzB,WAAqC,EACrC,IAAqB,EACrB,SAAkB;IAElB,IAAI,SAAS;QAAE,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;IAClE,OAAO,WAAW;SAChB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;SACtE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,YAAY,CAAC,OAA+B;IACpD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC;SAChC,IAAI,EAAE;SACN,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QACZ,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACrF,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC;QACvE,OAAO,GAAG,GAAG,IAAI,OAAO,EAAE,CAAC;IAC5B,CAAC,CAAC,CAAC;IACJ,OAAO,0DAA0D,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;AACvF,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,IAAY,EAAE,OAAe;IACxD,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,IAAI,CAAC,CAAC;IAC9C,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,MAAM,GAAG,GAAG,GAAG,QAAQ,QAAQ,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;IACnF,MAAM,SAAS,CAAC,GAAG,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAClE,MAAM,MAAM,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAC5B,MAAM,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,MAAc;IAC1C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC7B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACzC,MAAM,MAAM,GAAI,KAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACxE,OAAO,MAAM,KAAK,GAAG,IAAI,MAAM,KAAK,KAAK,CAAC;IAC3C,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED,SAAS,SAAS,CAAC,KAAoB;IACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,IAAI,CAAC,SAAS,CAAC;QAC9C,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;QACvB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,GAAG,KAAK;KACR,CAAC,IAAI,CAAC,CAAC;AACT,CAAC;AAED,eAAe;IACd,KAAK,CAAC,OAAO,CAAC,KAA8B,EAAE,IAA6B;QAC1E,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAc,CAAC;QAC1D,MAAM,OAAO,GAAG,IAMf,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAClB,EAAE,CAAC,KAAK,CAAC,sEAAsE,CAAC,CAAC;YACjF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,yBAAyB,CACvE,EAAE,EACF,OAAO,CAAC,WAAW,CACnB,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,WAAW,EAA8B,CAAC;QAC9F,MAAM,MAAM,GAAG,iBAAiB,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,CAAC,CAAC;QACrE,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,EAAE,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;YACzD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO;aACzB,KAAK,CAAC,eAAe,CAAC;aACtB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;aACjB,OAAO,EAAE,CAA+B,CAAC;QAC3C,IAAI,OAAO,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEzC,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YAC1B,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,uBAAuB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAChF,OAAO,GAAG,MAAM,CAAC,WAAW,CAC3B,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAC5D,CAAC;QACH,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;QAC1C,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;YACjB,EAAE,CAAC,IAAI,CAAC,8BAA8B,MAAM,CAAC,EAAE,SAAS,OAAO,GAAG,CAAC,CAAC;YACpE,OAAO;QACR,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACpB,MAAM,SAAS,GAAG,MAAM,aAAa,CACpC,6BAA6B,KAAK,0BAA0B,MAAM,CAAC,EAAE,MAAM,OAAO,QAAQ,OAAO,CAAC,GAAG,qEAAqE,CAC1K,CAAC;YACF,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChB,EAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;gBAC7B,OAAO;YACR,CAAC;QACF,CAAC;QAED,SAAS,CAAC;YACT,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,gBAAgB;YACxB,KAAK,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE;YACpD,MAAM,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE;YACjE,OAAO,EAAE,SAAS;YAClB,OAAO,EAAE;gBACR,WAAW,EAAE,OAAO;gBACpB,OAAO,EAAE,MAAM,CAAC,EAAE;gBAClB,KAAK;gBACL,YAAY,EAAE,OAAO,CAAC,YAAY,KAAK,IAAI;gBAC3C,OAAO,EAAE,OAAO,CAAC,GAAG;aACpB;SACD,CAAC,CAAC;QAEH,MAAM,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC;QACvD,EAAE,CAAC,OAAO,CAAC,YAAY,KAAK,oBAAoB,MAAM,CAAC,EAAE,QAAQ,OAAO,CAAC,GAAG,cAAc,CAAC,CAAC;IAC7F,CAAC;CACD,CAAC"}

package/dist/cli/hooks/pre-commit-secrets.d.ts

@@ -0,0 +1,2 @@
+export declare function runSecretsPreCommitCheck(workspacePath: string): Promise<number>;
+//# sourceMappingURL=pre-commit-secrets.d.ts.map

package/dist/cli/hooks/pre-commit-secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pre-commit-secrets.d.ts","sourceRoot":"","sources":["../../../src/cli/hooks/pre-commit-secrets.ts"],"names":[],"mappings":"AASA,wBAAsB,wBAAwB,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA+DrF"}

package/dist/cli/hooks/pre-commit-secrets.js

@@ -0,0 +1,68 @@
+const SECRET_PATTERNS = [
+    { pattern: /sk_live_[a-zA-Z0-9]{24,}/, name: 'Stripe live secret key (sk_live_)' },
+    { pattern: /pk_live_[a-zA-Z0-9]{24,}/, name: 'Stripe live public key (pk_live_)' },
+    { pattern: /do_[a-zA-Z0-9]{32,}/, name: 'DigitalOcean API key (do_)' },
+    { pattern: /AKIA[a-zA-Z0-9]{16,}/, name: 'AWS access key ID (AKIA)' },
+    { pattern: /ghp_[a-zA-Z0-9]{36}/, name: 'GitHub personal access token (ghp_)' },
+    { pattern: /gho_[a-zA-Z0-9]{36}/, name: 'GitHub OAuth token (gho_)' }
+];
+export async function runSecretsPreCommitCheck(workspacePath) {
+    const { execSync } = await import('node:child_process');
+    let stagedFiles;
+    try {
+        const output = execSync('git diff --cached --name-only --diff-filter=ACM', {
+            cwd: workspacePath,
+            encoding: 'utf-8'
+        });
+        stagedFiles = output.trim().split('\n').filter(Boolean);
+    }
+    catch {
+        return 0;
+    }
+    if (!stagedFiles.length)
+        return 0;
+    const violations = [];
+    const { readFileSync } = await import('node:fs');
+    for (const file of stagedFiles) {
+        const fullPath = `${workspacePath}/${file}`;
+        let content;
+        try {
+            content = readFileSync(fullPath, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            for (const { pattern, name } of SECRET_PATTERNS) {
+                if (pattern.test(line)) {
+                    violations.push({
+                        file,
+                        name,
+                        line: line.trim().substring(0, 80)
+                    });
+                    break;
+                }
+            }
+        }
+    }
+    if (violations.length > 0) {
+        process.stderr.write(`\n[SECRETS-001] ${violations.length} secret pattern(s) detected in staged files.\n\n`);
+        for (const v of violations) {
+            process.stderr.write(`  BLOCKED  ${v.file}\n`);
+            process.stderr.write(`    Pattern: ${v.name}\n`);
+            if (v.line) {
+                process.stderr.write(`    Line: ${v.line}\n`);
+            }
+            process.stderr.write('\n');
+        }
+        process.stderr.write('Commit blocked: production secrets must not be committed.\n');
+        process.stderr.write('  - Rotate any exposed keys immediately.\n');
+        process.stderr.write('  - Use `vibes secrets set` to store in a secret manager.\n');
+        process.stderr.write('  - Add to .gitignore if genuinely not a secret.\n\n');
+        return 1;
+    }
+    return 0;
+}
+//# sourceMappingURL=pre-commit-secrets.js.map

package/dist/cli/hooks/pre-commit-secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pre-commit-secrets.js","sourceRoot":"","sources":["../../../src/cli/hooks/pre-commit-secrets.ts"],"names":[],"mappings":"AAAA,MAAM,eAAe,GAA6C;IACjE,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,mCAAmC,EAAE;IAClF,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,mCAAmC,EAAE;IAClF,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,4BAA4B,EAAE;IACtE,EAAE,OAAO,EAAE,sBAAsB,EAAE,IAAI,EAAE,0BAA0B,EAAE;IACrE,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,qCAAqC,EAAE;IAC/E,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,2BAA2B,EAAE;CACrE,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAAC,aAAqB;IACnE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAExD,IAAI,WAAqB,CAAC;IAC1B,IAAI,CAAC;QACJ,MAAM,MAAM,GAAG,QAAQ,CAAC,iDAAiD,EAAE;YAC1E,GAAG,EAAE,aAAa;YAClB,QAAQ,EAAE,OAAO;SACjB,CAAC,CAAC;QACH,WAAW,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,CAAC,CAAC;IACV,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,MAAM;QAAE,OAAO,CAAC,CAAC;IAElC,MAAM,UAAU,GAAyD,EAAE,CAAC;IAC5E,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,GAAG,aAAa,IAAI,IAAI,EAAE,CAAC;QAE5C,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACJ,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACR,SAAS;QACV,CAAC;QAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,eAAe,EAAE,CAAC;gBACjD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxB,UAAU,CAAC,IAAI,CAAC;wBACf,IAAI;wBACJ,IAAI;wBACJ,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;qBAClC,CAAC,CAAC;oBACH,MAAM;gBACP,CAAC;YACF,CAAC;QACF,CAAC;IACF,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,UAAU,CAAC,MAAM,kDAAkD,CAAC,CAAC;QAC7G,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;YAC/C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;YACjD,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;gBACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;YAC/C,CAAC;YACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACpF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;QACnE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACpF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC7E,OAAO,CAAC,CAAC;IACV,CAAC;IAED,OAAO,CAAC,CAAC;AACV,CAAC"}

package/dist/cli/import/secrets.import.cli-command.descriptor.d.ts

@@ -0,0 +1,4 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+declare const descriptor: CLICommandAssetDescriptor;
+export default descriptor;
+//# sourceMappingURL=secrets.import.cli-command.descriptor.d.ts.map

package/dist/cli/import/secrets.import.cli-command.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.import.cli-command.descriptor.d.ts","sourceRoot":"","sources":["../../../src/cli/import/secrets.import.cli-command.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAEhF,QAAA,MAAM,UAAU,EAAE,yBAgBjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/import/secrets.import.cli-command.descriptor.js

@@ -0,0 +1,19 @@
+const descriptor = {
+    kind: 'cli/command',
+    id: 'secrets.import',
+    name: 'import',
+    description: 'Import secrets from local root env files into a backend, driven by the canonical manifest',
+    group: 'secrets',
+    options: [
+        { flags: '--environment <name>', description: 'Target environment (default: current)' },
+        { flags: '--to <backend>', description: 'Target backend (default: encrypted-local)' },
+        { flags: '--source <id>', description: 'Restrict to one source from the manifest' },
+        { flags: '--dry-run', description: 'Show what would be imported without writing' }
+    ],
+    surfaces: ['cli'],
+    hardware: ['consumer'],
+    enabled: true,
+    order: 30
+};
+export default descriptor;
+//# sourceMappingURL=secrets.import.cli-command.descriptor.js.map

package/dist/cli/import/secrets.import.cli-command.descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.import.cli-command.descriptor.js","sourceRoot":"","sources":["../../../src/cli/import/secrets.import.cli-command.descriptor.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAA8B;IAC7C,IAAI,EAAE,aAAa;IACnB,EAAE,EAAE,gBAAgB;IACpB,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,2FAA2F;IACxG,KAAK,EAAE,SAAS;IAChB,OAAO,EAAE;QACR,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,uCAAuC,EAAE;QACvF,EAAE,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,2CAA2C,EAAE;QACrF,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,0CAA0C,EAAE;QACnF,EAAE,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,6CAA6C,EAAE;KAClF;IACD,QAAQ,EAAE,CAAC,KAAK,CAAC;IACjB,QAAQ,EAAE,CAAC,UAAU,CAAC;IACtB,OAAO,EAAE,IAAI;IACb,KAAK,EAAE,EAAE;CACT,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/import/secrets.import.cli-command.impl.d.ts

@@ -0,0 +1,5 @@
+declare const _default: {
+    execute(_args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void>;
+};
+export default _default;
+//# sourceMappingURL=secrets.import.cli-command.impl.d.ts.map

package/dist/cli/import/secrets.import.cli-command.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.import.cli-command.impl.d.ts","sourceRoot":"","sources":["../../../src/cli/import/secrets.import.cli-command.impl.ts"],"names":[],"mappings":";mBAsDsB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;;AAD5F,wBA4HE"}