@vibesdotdev/secrets 0.0.1

package/dist/cli/push/secrets.push.cli-command.impl.js

@@ -0,0 +1,109 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import { resolveSecretRequirements, uniqueSecretKeys } from '../../requirements/resolver';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+const LOCAL_BACKENDS = new Set(['env-file', 'encrypted-local']);
+const REMOTE_BACKENDS = new Set(['cloudflare-api', 'cloudflare-secrets-store', 'vault']);
+// Preferred ordering when picking a backend's primary tier as the default
+// source-env. We pick the lowest tier the backend serves (local > dev >
+// staging > production), since that's where a developer's local `secrets set`
+// writes land. Keeps `push --environment production` reading from the user's
+// machine-local store rather than stale data left in vault.environments.production
+// from a long-ago `vibes secrets import`.
+const TIER_PREFERENCE = ['local', 'dev', 'staging', 'production'];
+function pickPrimaryTier(descriptor) {
+    for (const tier of TIER_PREFERENCE) {
+        if (descriptor.tiers.includes(tier))
+            return tier;
+    }
+    return descriptor.tiers[0] ?? 'local';
+}
+function findBackend(descriptors, tier, backendId, filter) {
+    if (backendId)
+        return descriptors.find((d) => d.id === backendId);
+    return descriptors
+        .filter((d) => d.tiers.includes(tier) && filter.has(d.backend))
+        .sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0))[0];
+}
+function parseKeyFilter(value) {
+    const rawValues = Array.isArray(value)
+        ? value.filter((entry) => typeof entry === 'string')
+        : typeof value === 'string'
+            ? [value]
+            : [];
+    const keys = rawValues
+        .flatMap((entry) => entry.split(','))
+        .map((entry) => entry.trim())
+        .filter((entry) => entry.length > 0);
+    return keys.length > 0 ? new Set(keys) : undefined;
+}
+export default {
+    async execute(_args, opts) {
+        const runtime = getVibesRuntime();
+        const ui = (await runtime.context('cli/ui'));
+        const options = opts;
+        const { name: envName, tier: envTier } = await resolveSecretsEnvironment(ui, options.environment);
+        const descriptors = runtime.assets('secrets/store').descriptors();
+        // Pick the source backend independently of the target env tier: typical
+        // flow is "push from machine-local store to production CF store" and
+        // the local store doesn't serve the production tier.
+        const source = options.from
+            ? descriptors.find((d) => d.id === options.from)
+            : descriptors
+                .filter((d) => LOCAL_BACKENDS.has(d.backend))
+                .sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0))[0];
+        const target = findBackend(descriptors, envTier, options.to, REMOTE_BACKENDS);
+        if (!source) {
+            ui.error('No local secrets store found. Set secrets with `vibes secrets set` first.');
+            process.exit(1);
+        }
+        if (!target) {
+            ui.error('No remote secrets store available for this environment tier.');
+            process.exit(1);
+        }
+        // Source env defaults to the source backend's primary tier (e.g. 'local'
+        // for encrypted-local), NOT the target env. Reading from `getAll(envName)`
+        // blindly used to pull whatever stale values a prior `vibes secrets import`
+        // left in `vault.environments[envName]`, even though developers' day-to-day
+        // `vibes secrets set` writes always land in the local-tier namespace.
+        // That mismatch would overwrite live prod keys with stale test keys.
+        const sourceEnv = options.sourceEnv ?? pickPrimaryTier(source);
+        if (sourceEnv !== envName) {
+            ui.log(`Reading from [${source.id}] env "${sourceEnv}" (source backend's primary tier); writing to [${target.id}] env "${envName}". Override with --source-env if needed.`);
+        }
+        const sourceImpl = (await runtime
+            .query('secrets/store')
+            .withId(source.id)
+            .resolve());
+        let secrets = await sourceImpl.getAll(sourceEnv);
+        if (options.app) {
+            const requirements = await resolveSecretRequirements(runtime);
+            const appReqs = requirements.filter((r) => r.appId === options.app);
+            const appKeys = new Set(uniqueSecretKeys(appReqs));
+            secrets = Object.fromEntries(Object.entries(secrets).filter(([k]) => appKeys.has(k)));
+        }
+        const keyFilter = parseKeyFilter(options.key);
+        if (keyFilter) {
+            secrets = Object.fromEntries(Object.entries(secrets).filter(([key]) => keyFilter.has(key)));
+        }
+        const keys = Object.keys(secrets);
+        if (keys.length === 0) {
+            ui.info('No secrets to push.');
+            return;
+        }
+        if (options.dryRun) {
+            ui.log(`\nDry run: would push ${keys.length} secret(s) from [${source.id}] to [${target.id}]\n`);
+            for (const key of keys.sort()) {
+                ui.log(`  ${key}`);
+            }
+            ui.log('');
+            return;
+        }
+        const targetImpl = (await runtime
+            .query('secrets/store')
+            .withId(target.id)
+            .resolve());
+        await targetImpl.setAll(envName, secrets);
+        ui.success(`Pushed ${keys.length} secret(s) from [${source.id}] to [${target.id}] for ${envName}`);
+    }
+};
+//# sourceMappingURL=secrets.push.cli-command.impl.js.map

package/dist/cli/push/secrets.push.cli-command.impl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.push.cli-command.impl.js","sourceRoot":"","sources":["../../../src/cli/push/secrets.push.cli-command.impl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAIvD,OAAO,EAAE,yBAAyB,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAC;AAC1F,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAChE,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,gBAAgB,EAAE,0BAA0B,EAAE,OAAO,CAAC,CAAC,CAAC;AAEzF,0EAA0E;AAC1E,wEAAwE;AACxE,8EAA8E;AAC9E,6EAA6E;AAC7E,mFAAmF;AACnF,0CAA0C;AAC1C,MAAM,eAAe,GAAsB,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,CAAC,CAAC;AAErF,SAAS,eAAe,CAAC,UAAkC;IAC1D,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IAClD,CAAC;IACD,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC;AACvC,CAAC;AAED,SAAS,WAAW,CACnB,WAAqC,EACrC,IAAqB,EACrB,SAA6B,EAC7B,MAAmB;IAEnB,IAAI,SAAS;QAAE,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;IAClE,OAAO,WAAW;SAChB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;SAC9D,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACrC,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACrC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,KAAK,EAAmB,EAAE,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC;QACrE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ;YAC1B,CAAC,CAAC,CAAC,KAAK,CAAC;YACT,CAAC,CAAC,EAAE,CAAC;IACP,MAAM,IAAI,GAAG,SAAS;SACpB,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;SACpC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;SAC5B,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtC,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AACpD,CAAC;AAED,eAAe;IACd,KAAK,CAAC,OAAO,CAAC,KAA8B,EAAE,IAA6B;QAC1E,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAc,CAAC;QAC1D,MAAM,OAAO,GAAG,IAQf,CAAC;QAEF,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,yBAAyB,CACvE,EAAE,EACF,OAAO,CAAC,WAAW,CACnB,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,WAAW,EAA8B,CAAC;QAC9F,wEAAwE;QACxE,qEAAqE;QACrE,qDAAqD;QACrD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI;YAC1B,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC;YAChD,CAAC,CAAC,WAAW;iBACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;iBAC5C,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5D,MAAM,MAAM,GAAG,WAAW,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,EAAE,eAAe,CAAC,CAAC;QAE9E,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,EAAE,CAAC,KAAK,CAAC,2EAA2E,CAAC,CAAC;YACtF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,EAAE,CAAC,KAAK,CAAC,8DAA8D,CAAC,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,yEAAyE;QACzE,2EAA2E;QAC3E,4EAA4E;QAC5E,4EAA4E;QAC5E,sEAAsE;QACtE,qEAAqE;QACrE,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC;QAE/D,IAAI,SAAS,KAAK,OAAO,EAAE,CAAC;YAC3B,EAAE,CAAC,GAAG,CACL,iBAAiB,MAAM,CAAC,EAAE,UAAU,SAAS,kDAAkD,MAAM,CAAC,EAAE,UAAU,OAAO,0CAA0C,CACnK,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,CAAC,MAAM,OAAO;aAC/B,KAAK,CAAC,eAAe,CAAC;aACtB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;aACjB,OAAO,EAAE,CAA+B,CAAC;QAC3C,IAAI,OAAO,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAEjD,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YACjB,MAAM,YAAY,GAAG,MAAM,yBAAyB,CAAC,OAAO,CAAC,CAAC;YAC9D,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;YACpE,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC;YACnD,OAAO,GAAG,MAAM,CAAC,WAAW,CAC3B,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CACvD,CAAC;QACH,CAAC;QAED,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9C,IAAI,SAAS,EAAE,CAAC;YACf,OAAO,GAAG,MAAM,CAAC,WAAW,CAC3B,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAC7D,CAAC;QACH,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;YAC/B,OAAO;QACR,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,EAAE,CAAC,GAAG,CAAC,yBAAyB,IAAI,CAAC,MAAM,oBAAoB,MAAM,CAAC,EAAE,SAAS,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC;YACjG,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;gBAC/B,EAAE,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;YACpB,CAAC;YACD,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACX,OAAO;QACR,CAAC;QAED,MAAM,UAAU,GAAG,CAAC,MAAM,OAAO;aAC/B,KAAK,CAAC,eAAe,CAAC;aACtB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;aACjB,OAAO,EAAE,CAA+B,CAAC;QAC3C,MAAM,UAAU,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAE1C,EAAE,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,MAAM,oBAAoB,MAAM,CAAC,EAAE,SAAS,MAAM,CAAC,EAAE,SAAS,OAAO,EAAE,CAAC,CAAC;IACpG,CAAC;CACD,CAAC"}

package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.d.ts

@@ -0,0 +1,4 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+declare const descriptor: CLICommandAssetDescriptor;
+export default descriptor;
+//# sourceMappingURL=secrets.reveal.cli-command.descriptor.d.ts.map

package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.reveal.cli-command.descriptor.d.ts","sourceRoot":"","sources":["../../../src/cli/reveal/secrets.reveal.cli-command.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAEhF,QAAA,MAAM,UAAU,EAAE,yBAgBjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.js

@@ -0,0 +1,19 @@
+const descriptor = {
+    kind: 'cli/command',
+    id: 'secrets.reveal',
+    name: 'reveal',
+    description: 'Reveal a secret value (writes to stderr with audit log)',
+    group: 'secrets',
+    arguments: [{ name: 'key', description: 'Secret key to reveal', required: true }],
+    options: [
+        { flags: '--environment <name>', description: 'Target environment (default: current)' },
+        { flags: '--backend <id>', description: 'Filter to a specific backend' },
+        { flags: '--force', description: 'Skip confirmation prompt' }
+    ],
+    surfaces: ['cli'],
+    hardware: ['consumer'],
+    enabled: true,
+    order: 20
+};
+export default descriptor;
+//# sourceMappingURL=secrets.reveal.cli-command.descriptor.js.map

package/dist/cli/reveal/secrets.reveal.cli-command.descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.reveal.cli-command.descriptor.js","sourceRoot":"","sources":["../../../src/cli/reveal/secrets.reveal.cli-command.descriptor.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAA8B;IAC7C,IAAI,EAAE,aAAa;IACnB,EAAE,EAAE,gBAAgB;IACpB,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,yDAAyD;IACtE,KAAK,EAAE,SAAS;IAChB,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,sBAAsB,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACjF,OAAO,EAAE;QACR,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,uCAAuC,EAAE;QACvF,EAAE,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,8BAA8B,EAAE;QACxE,EAAE,KAAK,EAAE,SAAS,EAAE,WAAW,EAAE,0BAA0B,EAAE;KAC7D;IACD,QAAQ,EAAE,CAAC,KAAK,CAAC;IACjB,QAAQ,EAAE,CAAC,UAAU,CAAC;IACtB,OAAO,EAAE,IAAI;IACb,KAAK,EAAE,EAAE;CACT,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/reveal/secrets.reveal.cli-command.impl.d.ts

@@ -0,0 +1,5 @@
+declare const _default: {
+    execute(args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void>;
+};
+export default _default;
+//# sourceMappingURL=secrets.reveal.cli-command.impl.d.ts.map

package/dist/cli/reveal/secrets.reveal.cli-command.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.reveal.cli-command.impl.d.ts","sourceRoot":"","sources":["../../../src/cli/reveal/secrets.reveal.cli-command.impl.ts"],"names":[],"mappings":";kBA4BqB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;;AAD3F,wBAgFE"}

package/dist/cli/reveal/secrets.reveal.cli-command.impl.js

@@ -0,0 +1,85 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+function resolveBackend(descriptors, tier, backendId) {
+    if (backendId)
+        return descriptors.find((d) => d.id === backendId);
+    const tierStores = descriptors
+        .filter((d) => d.tiers.includes(tier))
+        .sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+    return tierStores[0];
+}
+function emitAudit(input) {
+    process.stderr.write(`[AUDIT] ${JSON.stringify({
+        id: crypto.randomUUID(),
+        timestamp: new Date().toISOString(),
+        ...input
+    })}\n`);
+}
+export default {
+    async execute(args, opts) {
+        const runtime = getVibesRuntime();
+        const ui = (await runtime.context('cli/ui'));
+        const key = args.key;
+        const options = opts;
+        if (!key) {
+            ui.error('Usage: vibes secrets reveal <KEY>');
+            process.exit(1);
+        }
+        const { name: envName, tier: envTier } = await resolveSecretsEnvironment(ui, options.environment);
+        const descriptors = runtime.assets('secrets/store').descriptors();
+        const target = resolveBackend(descriptors, envTier, options.backend);
+        if (!target) {
+            ui.error(`No secrets store available for tier: ${envTier}`);
+            process.exit(1);
+        }
+        const impl = (await runtime
+            .query('secrets/store')
+            .withId(target.id)
+            .resolve());
+        const value = await impl.get(envName, key);
+        if (value === undefined || value === '') {
+            ui.error(`Secret not found: ${key}`);
+            process.exit(1);
+        }
+        // Skip the interactive confirmation when:
+        //   - explicit --force flag
+        //   - VIBES_SECRETS_REVEAL_NO_PROMPT=1 set (CI / scripts opt-in)
+        //   - stdin or stderr is not a TTY (automation context — there's no
+        //     human to answer the prompt, and blocking on stdin would hang)
+        const noPromptEnv = process.env.VIBES_SECRETS_REVEAL_NO_PROMPT === '1';
+        const stdinIsTty = Boolean(process.stdin.isTTY);
+        const stderrIsTty = Boolean(process.stderr.isTTY);
+        const skipPrompt = options.force || noPromptEnv || !stdinIsTty || !stderrIsTty;
+        if (!skipPrompt) {
+            process.stderr.write(`\n[REVEAL] About to reveal secret "${key}" to terminal.\n`);
+            process.stderr.write(`This value will be printed to stderr and logged to the audit trail.\n`);
+            process.stderr.write(`Continue? [y/N] `);
+            let confirmation = '';
+            for await (const chunk of process.stdin) {
+                confirmation = chunk.toString('utf-8').trim().toLowerCase();
+                break;
+            }
+            if (confirmation !== 'y' && confirmation !== 'yes') {
+                ui.info('Reveal cancelled.');
+                process.exit(0);
+            }
+        }
+        emitAudit({
+            category: 'data_access',
+            severity: 'high',
+            action: 'secrets.reveal',
+            actor: { id: 'cli', type: 'user', name: 'CLI user' },
+            target: { id: key, type: 'secret', name: key },
+            outcome: 'success',
+            context: {
+                environment: envName,
+                backend: target.id
+            }
+        });
+        // Value goes to STDOUT so scripts can capture it via `$(vibes secrets reveal X)`.
+        // Audit/notice messaging stays on STDERR so a piped consumer gets a clean value.
+        process.stdout.write(`${value}\n`);
+        process.stderr.write(`\n[REVEAL] ${key} revealed (logged to audit trail).\n`);
+    }
+};
+//# sourceMappingURL=secrets.reveal.cli-command.impl.js.map

package/dist/cli/reveal/secrets.reveal.cli-command.impl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.reveal.cli-command.impl.js","sourceRoot":"","sources":["../../../src/cli/reveal/secrets.reveal.cli-command.impl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAKvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,SAAS,cAAc,CACtB,WAAqC,EACrC,IAAqB,EACrB,SAAkB;IAElB,IAAI,SAAS;QAAE,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;IAClE,MAAM,UAAU,GAAG,WAAW;SAC5B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;SACrC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC;IACxD,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC;AACtB,CAAC;AAED,SAAS,SAAS,CAAC,KAAoB;IACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,IAAI,CAAC,SAAS,CAAC;QAC9C,EAAE,EAAE,MAAM,CAAC,UAAU,EAAE;QACvB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,GAAG,KAAK;KACR,CAAC,IAAI,CAAC,CAAC;AACT,CAAC;AAED,eAAe;IACd,KAAK,CAAC,OAAO,CAAC,IAA6B,EAAE,IAA6B;QACzE,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAc,CAAC;QAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAa,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAmE,CAAC;QAEpF,IAAI,CAAC,GAAG,EAAE,CAAC;YACV,EAAE,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;YAC9C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,yBAAyB,CACvE,EAAE,EACF,OAAO,CAAC,WAAW,CACnB,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,WAAW,EAA8B,CAAC;QAC9F,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QAErE,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,EAAE,CAAC,KAAK,CAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO;aACzB,KAAK,CAAC,eAAe,CAAC;aACtB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;aACjB,OAAO,EAAE,CAA+B,CAAC;QAE3C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC3C,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,EAAE,EAAE,CAAC;YACzC,EAAE,CAAC,KAAK,CAAC,qBAAqB,GAAG,EAAE,CAAC,CAAC;YACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,0CAA0C;QAC1C,4BAA4B;QAC5B,iEAAiE;QACjE,oEAAoE;QACpE,oEAAoE;QACpE,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,8BAA8B,KAAK,GAAG,CAAC;QACvE,MAAM,UAAU,GAAG,OAAO,CAAE,OAAO,CAAC,KAA6B,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,WAAW,GAAG,OAAO,CAAE,OAAO,CAAC,MAA8B,CAAC,KAAK,CAAC,CAAC;QAC3E,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,IAAI,WAAW,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC;QAC/E,IAAI,CAAC,UAAU,EAAE,CAAC;YACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,GAAG,kBAAkB,CAAC,CAAC;YAClF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uEAAuE,CAAC,CAAC;YAC9F,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;YAEzC,IAAI,YAAY,GAAG,EAAE,CAAC;YACtB,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBACzC,YAAY,GAAI,KAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;gBACxE,MAAM;YACP,CAAC;YAED,IAAI,YAAY,KAAK,GAAG,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;gBACpD,EAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;gBAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACjB,CAAC;QACF,CAAC;QAED,SAAS,CAAC;YACT,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,gBAAgB;YACxB,KAAK,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE;YACpD,MAAM,EAAE,EAAE,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,EAAE;YAC9C,OAAO,EAAE,SAAS;YAClB,OAAO,EAAE;gBACR,WAAW,EAAE,OAAO;gBACpB,OAAO,EAAE,MAAM,CAAC,EAAE;aAClB;SACD,CAAC,CAAC;QAEH,kFAAkF;QAClF,iFAAiF;QACjF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,KAAK,IAAI,CAAC,CAAC;QACnC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,GAAG,sCAAsC,CAAC,CAAC;IAC/E,CAAC;CACD,CAAC"}

package/dist/cli/secrets.cli-group.descriptor.d.ts

@@ -0,0 +1,4 @@
+import type { CLIGroupAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+declare const descriptor: CLIGroupAssetDescriptor;
+export default descriptor;
+//# sourceMappingURL=secrets.cli-group.descriptor.d.ts.map

package/dist/cli/secrets.cli-group.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.cli-group.descriptor.d.ts","sourceRoot":"","sources":["../../src/cli/secrets.cli-group.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AAE9E,QAAA,MAAM,UAAU,EAAE,uBAQjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/secrets.cli-group.descriptor.js

@@ -0,0 +1,11 @@
+const descriptor = {
+    kind: 'cli/group',
+    id: 'secrets',
+    name: 'secrets',
+    description: 'Manage environment secrets across backends',
+    surfaces: ['cli'],
+    hardware: ['consumer'],
+    enabled: true
+};
+export default descriptor;
+//# sourceMappingURL=secrets.cli-group.descriptor.js.map

package/dist/cli/secrets.cli-group.descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.cli-group.descriptor.js","sourceRoot":"","sources":["../../src/cli/secrets.cli-group.descriptor.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAA4B;IAC3C,IAAI,EAAE,WAAW;IACjB,EAAE,EAAE,SAAS;IACb,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,4CAA4C;IACzD,QAAQ,EAAE,CAAC,KAAK,CAAC;IACjB,QAAQ,EAAE,CAAC,UAAU,CAAC;IACtB,OAAO,EAAE,IAAI;CACb,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/set/secrets.set.cli-command.descriptor.d.ts

@@ -0,0 +1,4 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+declare const descriptor: CLICommandAssetDescriptor;
+export default descriptor;
+//# sourceMappingURL=secrets.set.cli-command.descriptor.d.ts.map

package/dist/cli/set/secrets.set.cli-command.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.set.cli-command.descriptor.d.ts","sourceRoot":"","sources":["../../../src/cli/set/secrets.set.cli-command.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAEhF,QAAA,MAAM,UAAU,EAAE,yBAkBjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/set/secrets.set.cli-command.descriptor.js

@@ -0,0 +1,21 @@
+const descriptor = {
+    kind: 'cli/command',
+    id: 'secrets.set',
+    name: 'set',
+    description: 'Set a secret value for the current environment',
+    group: 'secrets',
+    arguments: [
+        { name: 'key', description: 'Secret key name (e.g., VIBES_AUTH_SECRET)', required: true },
+        { name: 'value', description: 'Secret value (omit to prompt securely)', required: false }
+    ],
+    options: [
+        { flags: '--environment <name>', description: 'Target environment (default: current)' },
+        { flags: '--backend <id>', description: 'Target backend (default: primary for tier)' }
+    ],
+    surfaces: ['cli'],
+    hardware: ['consumer'],
+    enabled: true,
+    order: 20
+};
+export default descriptor;
+//# sourceMappingURL=secrets.set.cli-command.descriptor.js.map

package/dist/cli/set/secrets.set.cli-command.descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.set.cli-command.descriptor.js","sourceRoot":"","sources":["../../../src/cli/set/secrets.set.cli-command.descriptor.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAA8B;IAC7C,IAAI,EAAE,aAAa;IACnB,EAAE,EAAE,aAAa;IACjB,IAAI,EAAE,KAAK;IACX,WAAW,EAAE,gDAAgD;IAC7D,KAAK,EAAE,SAAS;IAChB,SAAS,EAAE;QACV,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,2CAA2C,EAAE,QAAQ,EAAE,IAAI,EAAE;QACzF,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,wCAAwC,EAAE,QAAQ,EAAE,KAAK,EAAE;KACzF;IACD,OAAO,EAAE;QACR,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,uCAAuC,EAAE;QACvF,EAAE,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,4CAA4C,EAAE;KACtF;IACD,QAAQ,EAAE,CAAC,KAAK,CAAC;IACjB,QAAQ,EAAE,CAAC,UAAU,CAAC;IACtB,OAAO,EAAE,IAAI;IACb,KAAK,EAAE,EAAE;CACT,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/set/secrets.set.cli-command.impl.d.ts

@@ -0,0 +1,5 @@
+declare const _default: {
+    execute(args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void>;
+};
+export default _default;
+//# sourceMappingURL=secrets.set.cli-command.impl.d.ts.map

package/dist/cli/set/secrets.set.cli-command.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.set.cli-command.impl.d.ts","sourceRoot":"","sources":["../../../src/cli/set/secrets.set.cli-command.impl.ts"],"names":[],"mappings":";kBA4BqB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;;AAD3F,wBAiDE"}

package/dist/cli/set/secrets.set.cli-command.impl.js

@@ -0,0 +1,59 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment';
+// `set` is the write side of the local-development workflow: the user types
+// a value and expects it to land in their machine-local store. Remote
+// backends (vault, cloudflare-secrets-store, ...) are the *deploy* side —
+// reached via `secrets push` after the user explicitly opts in. Default
+// routing therefore restricts to local backend kinds; an explicit
+// `--backend <id>` still wins.
+const LOCAL_BACKEND_KINDS = new Set(['env-file', 'encrypted-local']);
+function resolveBackend(descriptors, tier, backendId) {
+    if (backendId)
+        return descriptors.find((d) => d.id === backendId);
+    const tierStores = descriptors
+        .filter((d) => d.tiers.includes(tier))
+        .filter((d) => LOCAL_BACKEND_KINDS.has(d.backend))
+        .sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+    return tierStores[0];
+}
+export default {
+    async execute(args, opts) {
+        const runtime = getVibesRuntime();
+        const ui = (await runtime.context('cli/ui'));
+        const key = args.key;
+        let value = args.value;
+        const options = opts;
+        const { name: envName, tier: envTier } = await resolveSecretsEnvironment(ui, options.environment);
+        if (!key || !/^[_A-Z0-9]+$/.test(key)) {
+            ui.error('Secret key must match pattern: ^[_A-Z0-9]+$');
+            process.exit(1);
+        }
+        if (!value) {
+            process.stdout.write(`Enter value for ${key}: `);
+            const chunks = [];
+            for await (const chunk of process.stdin) {
+                chunks.push(chunk);
+                if (chunk.includes(10))
+                    break;
+            }
+            value = Buffer.concat(chunks).toString('utf-8').trim();
+        }
+        if (!value) {
+            ui.error('No value provided');
+            process.exit(1);
+        }
+        const descriptors = runtime.assets('secrets/store').descriptors();
+        const target = resolveBackend(descriptors, envTier, options.backend);
+        if (!target) {
+            ui.error(`No secrets store available for tier: ${envTier}`);
+            process.exit(1);
+        }
+        const impl = (await runtime
+            .query('secrets/store')
+            .withId(target.id)
+            .resolve());
+        await impl.set(envName, key, value);
+        ui.success(`Set ${key} in [${target.id}] for environment: ${envName}`);
+    }
+};
+//# sourceMappingURL=secrets.set.cli-command.impl.js.map

package/dist/cli/set/secrets.set.cli-command.impl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.set.cli-command.impl.js","sourceRoot":"","sources":["../../../src/cli/set/secrets.set.cli-command.impl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAIvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,4EAA4E;AAC5E,sEAAsE;AACtE,0EAA0E;AAC1E,wEAAwE;AACxE,kEAAkE;AAClE,+BAA+B;AAC/B,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAErE,SAAS,cAAc,CACtB,WAAqC,EACrC,IAAqB,EACrB,SAAkB;IAElB,IAAI,SAAS;QAAE,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;IAClE,MAAM,UAAU,GAAG,WAAW;SAC5B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;SACrC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;SACjD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC;IACxD,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC;AACtB,CAAC;AAED,eAAe;IACd,KAAK,CAAC,OAAO,CAAC,IAA6B,EAAE,IAA6B;QACzE,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAc,CAAC;QAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAa,CAAC;QAC/B,IAAI,KAAK,GAAG,IAAI,CAAC,KAA2B,CAAC;QAC7C,MAAM,OAAO,GAAG,IAAkD,CAAC;QAEnE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,yBAAyB,CACvE,EAAE,EACF,OAAO,CAAC,WAAW,CACnB,CAAC;QAEF,IAAI,CAAC,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACvC,EAAE,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;YACxD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAAC;YACjD,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;gBACzC,MAAM,CAAC,IAAI,CAAC,KAAe,CAAC,CAAC;gBAC7B,IAAK,KAAgB,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAAE,MAAM;YAC3C,CAAC;YACD,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACxD,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,EAAE,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,WAAW,EAA8B,CAAC;QAC9F,MAAM,MAAM,GAAG,cAAc,CAAC,WAAW,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;QAErE,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,EAAE,CAAC,KAAK,CAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO;aACzB,KAAK,CAAC,eAAe,CAAC;aACtB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;aACjB,OAAO,EAAE,CAA+B,CAAC;QAC3C,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAEpC,EAAE,CAAC,OAAO,CAAC,OAAO,GAAG,QAAQ,MAAM,CAAC,EAAE,sBAAsB,OAAO,EAAE,CAAC,CAAC;IACxE,CAAC;CACD,CAAC"}

package/dist/cli/shared/resolve-environment.d.ts

@@ -0,0 +1,14 @@
+import type { UIContext } from '@vibesdotdev/cli/providers';
+import type { EnvironmentTier } from '../../kinds/store.schema';
+export interface ResolvedSecretsEnvironment {
+    name: string;
+    tier: EnvironmentTier;
+}
+/**
+ * Resolve the active environment for secrets commands.
+ *
+ * Falls back to local when the environment config manifest/plugin graph is
+ * unavailable so end-users can still run local secrets workflows.
+ */
+export declare function resolveSecretsEnvironment(ui: UIContext, environmentOverride?: string): Promise<ResolvedSecretsEnvironment>;
+//# sourceMappingURL=resolve-environment.d.ts.map

package/dist/cli/shared/resolve-environment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-environment.d.ts","sourceRoot":"","sources":["../../../src/cli/shared/resolve-environment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,4BAA4B,CAAC;AAE5D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAEhE,MAAM,WAAW,0BAA0B;IAC1C,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,eAAe,CAAC;CACtB;AASD;;;;;GAKG;AACH,wBAAsB,yBAAyB,CAC9C,EAAE,EAAE,SAAS,EACb,mBAAmB,CAAC,EAAE,MAAM,GAC1B,OAAO,CAAC,0BAA0B,CAAC,CA+BrC"}

package/dist/cli/shared/resolve-environment.js

@@ -0,0 +1,45 @@
+import { resolveCurrentEnvironmentConfig } from '@vibesdotdev/config/environment/current';
+const ENVIRONMENT_TIERS = new Set([
+    'local',
+    'dev',
+    'staging',
+    'production'
+]);
+/**
+ * Resolve the active environment for secrets commands.
+ *
+ * Falls back to local when the environment config manifest/plugin graph is
+ * unavailable so end-users can still run local secrets workflows.
+ */
+export async function resolveSecretsEnvironment(ui, environmentOverride) {
+    if (environmentOverride && environmentOverride.length > 0) {
+        if (ENVIRONMENT_TIERS.has(environmentOverride)) {
+            return {
+                name: environmentOverride,
+                tier: environmentOverride
+            };
+        }
+        try {
+            const envConfig = await resolveCurrentEnvironmentConfig();
+            return {
+                name: environmentOverride,
+                tier: (envConfig.tier ?? 'local')
+            };
+        }
+        catch {
+            return { name: environmentOverride, tier: 'local' };
+        }
+    }
+    try {
+        const envConfig = await resolveCurrentEnvironmentConfig();
+        return {
+            name: envConfig.name,
+            tier: (envConfig.tier ?? 'local')
+        };
+    }
+    catch {
+        ui.warn("Environment config manifest is unavailable; defaulting to 'local'. Register @vibesdotdev/config/environment/plugin to enable named environment selection.");
+        return { name: 'local', tier: 'local' };
+    }
+}
+//# sourceMappingURL=resolve-environment.js.map

package/dist/cli/shared/resolve-environment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-environment.js","sourceRoot":"","sources":["../../../src/cli/shared/resolve-environment.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,+BAA+B,EAAE,MAAM,yCAAyC,CAAC;AAQ1F,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAkB;IAClD,OAAO;IACP,KAAK;IACL,SAAS;IACT,YAAY;CACZ,CAAC,CAAC;AAEH;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC9C,EAAa,EACb,mBAA4B;IAE5B,IAAI,mBAAmB,IAAI,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3D,IAAI,iBAAiB,CAAC,GAAG,CAAC,mBAAsC,CAAC,EAAE,CAAC;YACnE,OAAO;gBACN,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,mBAAsC;aAC5C,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACJ,MAAM,SAAS,GAAG,MAAM,+BAA+B,EAAE,CAAC;YAC1D,OAAO;gBACN,IAAI,EAAE,mBAAmB;gBACzB,IAAI,EAAE,CAAC,SAAS,CAAC,IAAI,IAAI,OAAO,CAAoB;aACpD,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;QACrD,CAAC;IACF,CAAC;IAED,IAAI,CAAC;QACJ,MAAM,SAAS,GAAG,MAAM,+BAA+B,EAAE,CAAC;QAC1D,OAAO;YACN,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,IAAI,EAAE,CAAC,SAAS,CAAC,IAAI,IAAI,OAAO,CAAoB;SACpD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACR,EAAE,CAAC,IAAI,CACN,2JAA2J,CAC3J,CAAC;QACF,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IACzC,CAAC;AACF,CAAC"}

package/dist/cli/unset/secrets.unset.cli-command.descriptor.d.ts

@@ -0,0 +1,4 @@
+import type { CLICommandAssetDescriptor } from '@vibesdotdev/cli/schemas/types';
+declare const descriptor: CLICommandAssetDescriptor;
+export default descriptor;
+//# sourceMappingURL=secrets.unset.cli-command.descriptor.d.ts.map

package/dist/cli/unset/secrets.unset.cli-command.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.unset.cli-command.descriptor.d.ts","sourceRoot":"","sources":["../../../src/cli/unset/secrets.unset.cli-command.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,yBAAyB,EAAE,MAAM,gCAAgC,CAAC;AAEhF,QAAA,MAAM,UAAU,EAAE,yBAiBjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/unset/secrets.unset.cli-command.descriptor.js

@@ -0,0 +1,20 @@
+const descriptor = {
+    kind: 'cli/command',
+    id: 'secrets.unset',
+    name: 'unset',
+    description: 'Remove a secret from the current environment',
+    group: 'secrets',
+    arguments: [
+        { name: 'key', description: 'Secret key name to remove', required: true }
+    ],
+    options: [
+        { flags: '--environment <name>', description: 'Target environment (default: current)' },
+        { flags: '--backend <id>', description: 'Target backend (default: primary for tier)' }
+    ],
+    surfaces: ['cli'],
+    hardware: ['consumer'],
+    enabled: true,
+    order: 30
+};
+export default descriptor;
+//# sourceMappingURL=secrets.unset.cli-command.descriptor.js.map

package/dist/cli/unset/secrets.unset.cli-command.descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.unset.cli-command.descriptor.js","sourceRoot":"","sources":["../../../src/cli/unset/secrets.unset.cli-command.descriptor.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAA8B;IAC7C,IAAI,EAAE,aAAa;IACnB,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,OAAO;IACb,WAAW,EAAE,8CAA8C;IAC3D,KAAK,EAAE,SAAS;IAChB,SAAS,EAAE;QACV,EAAE,IAAI,EAAE,KAAK,EAAE,WAAW,EAAE,2BAA2B,EAAE,QAAQ,EAAE,IAAI,EAAE;KACzE;IACD,OAAO,EAAE;QACR,EAAE,KAAK,EAAE,sBAAsB,EAAE,WAAW,EAAE,uCAAuC,EAAE;QACvF,EAAE,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,4CAA4C,EAAE;KACtF;IACD,QAAQ,EAAE,CAAC,KAAK,CAAC;IACjB,QAAQ,EAAE,CAAC,UAAU,CAAC;IACtB,OAAO,EAAE,IAAI;IACb,KAAK,EAAE,EAAE;CACT,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/cli/unset/secrets.unset.cli-command.impl.d.ts

@@ -0,0 +1,5 @@
+declare const _default: {
+    execute(args: Record<string, unknown>, opts: Record<string, unknown>): Promise<void>;
+};
+export default _default;
+//# sourceMappingURL=secrets.unset.cli-command.impl.d.ts.map

package/dist/cli/unset/secrets.unset.cli-command.impl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.unset.cli-command.impl.d.ts","sourceRoot":"","sources":["../../../src/cli/unset/secrets.unset.cli-command.impl.ts"],"names":[],"mappings":";kBAOqB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC;;AAD3F,wBAkCE"}

package/dist/cli/unset/secrets.unset.cli-command.impl.js

@@ -0,0 +1,31 @@
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+import { resolveSecretsEnvironment } from '../shared/resolve-environment.js';
+export default {
+    async execute(args, opts) {
+        const runtime = getVibesRuntime();
+        const ui = (await runtime.context('cli/ui'));
+        const key = args.key;
+        const options = opts;
+        const { name: envName, tier: envTier } = await resolveSecretsEnvironment(ui, options.environment);
+        const descriptors = runtime.assets('secrets/store').descriptors();
+        const tierStores = descriptors
+            .filter((d) => {
+            if (options.backend)
+                return d.id === options.backend;
+            return d.tiers.includes(envTier);
+        })
+            .sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+        const target = tierStores[0];
+        if (!target) {
+            ui.error(`No secrets store available for tier: ${envTier}`);
+            process.exit(1);
+        }
+        const impl = (await runtime
+            .query('secrets/store')
+            .withId(target.id)
+            .resolve());
+        await impl.unset(envName, key);
+        ui.success(`Removed ${key} from [${target.id}] for environment: ${envName}`);
+    }
+};
+//# sourceMappingURL=secrets.unset.cli-command.impl.js.map

package/dist/cli/unset/secrets.unset.cli-command.impl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.unset.cli-command.impl.js","sourceRoot":"","sources":["../../../src/cli/unset/secrets.unset.cli-command.impl.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAIvD,OAAO,EAAE,yBAAyB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,eAAe;IACd,KAAK,CAAC,OAAO,CAAC,IAA6B,EAAE,IAA6B;QACzE,MAAM,OAAO,GAAG,eAAe,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,CAAC,MAAM,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAc,CAAC;QAC1D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAa,CAAC;QAC/B,MAAM,OAAO,GAAG,IAAkD,CAAC;QAEnE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,yBAAyB,CACvE,EAAE,EACF,OAAO,CAAC,WAAW,CACnB,CAAC;QAEF,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,WAAW,EAA8B,CAAC;QAC9F,MAAM,UAAU,GAAG,WAAW;aAC5B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YACb,IAAI,OAAO,CAAC,OAAO;gBAAE,OAAO,CAAC,CAAC,EAAE,KAAK,OAAO,CAAC,OAAO,CAAC;YACrD,OAAO,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAClC,CAAC,CAAC;aACD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC;QAExD,MAAM,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,EAAE,CAAC,KAAK,CAAC,wCAAwC,OAAO,EAAE,CAAC,CAAC;YAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO;aACzB,KAAK,CAAC,eAAe,CAAC;aACtB,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;aACjB,OAAO,EAAE,CAA+B,CAAC;QAC3C,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAE/B,EAAE,CAAC,OAAO,CAAC,WAAW,GAAG,UAAU,MAAM,CAAC,EAAE,sBAAsB,OAAO,EAAE,CAAC,CAAC;IAC9E,CAAC;CACD,CAAC"}

package/dist/docs/backends.docs.descriptor.d.ts

@@ -0,0 +1,4 @@
+import type { DocsTopicDescriptor } from '@vibesdotdev/docs';
+declare const descriptor: DocsTopicDescriptor;
+export default descriptor;
+//# sourceMappingURL=backends.docs.descriptor.d.ts.map

package/dist/docs/backends.docs.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"backends.docs.descriptor.d.ts","sourceRoot":"","sources":["../../src/docs/backends.docs.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAE7D,QAAA,MAAM,UAAU,EAAE,mBAkJjB,CAAC;AAEF,eAAe,UAAU,CAAC"}