@wizzlethorpe/vaults 0.6.1 → 0.7.0

package/README.md

@@ -1,6 +1,6 @@
 # vaults
 
-Sync an Obsidian vault to a Cloudflare-hosted wiki. The CLI renders your notes locally to HTML and deploys them to your own Cloudflare Pages account. Supports role-based access (public, patron, dm, …) so different parts of the same vault can be visible to different audiences.
+Sync an Obsidian vault to a Cloudflare-hosted wiki. The CLI renders your notes locally to HTML and deploys them to your own Cloudflare Pages account. Supports role-based access (public, patron, dm, …) so different parts of the same vault can be visible to different audiences. Patrons can be authenticated by password or by Patreon OAuth (linking roles to specific Patreon tier IDs).
 
 ## Install
 
@@ -28,6 +28,8 @@ vaults push                          # render + deploy to Cloudflare Pages
 
 The first push prompts for a Pages project name and runs `wrangler login` if you aren't authenticated. After that it just renders and deploys.
 
+If you'd rather not `cd` into the vault every time, set `VAULT_PATH=~/Documents/MyVault` in your shell rc and run `vaults` from anywhere.
+
 ## How it works
 
 ```
@@ -41,24 +43,49 @@ Cloudflare Pages           ← per-user, your account
 ```
 
 - **Per-tier deploys.** A page tagged `role: dm` in its frontmatter only ships to the dm variant. Public visitors *cannot* fetch it; the file structurally doesn't exist in their variant.
-- **Images are gated too.** Only images embedded by visible pages are copied into a given variant.
-- **Incremental sync.** External clients (the [Foundry VTT module](https://github.com/wizzlethorpe/vaults-foundry)) can pull changes via `/_manifest.json` + `/_batch` endpoints; the CLI computes content hashes so the diff is minimal.
+- **Inline gating with callouts.** Drop a `> [!dm]` callout in an otherwise public page; the entire block is stripped from the public deploy. Same for any other configured role.
+- **Images and media are gated too.** Only images, audio, video, PDFs, and EPUBs embedded by visible pages are copied into a given variant. Unknown extensions are skipped by default (toggle `include_unknown_files`).
+- **Incremental sync.** External clients (the [Foundry VTT module](https://github.com/wizzlethorpe/vaults)) probe `/_manifest.json` to discover the deploy's name, auth requirements, and role order, then pull `/_batch` (text) and `/_batch-images` (binary) for changed content. Manifest hashes fold in per-page frontmatter, so a role flip or title rename triggers a sync without a body diff.
+- **Bases support.** `.base` files render as cards / table / list inside the wiki, just like inside Obsidian.
+- **Social meta.** OG / Twitter card tags are auto-generated. Pages without an explicit `image:` frontmatter use the first body embed (toggle with `auto_image`).
 
 ## Commands
 
+### Build / deploy
+
 | Command | What it does |
 |---|---|
 | `vaults init` | Write a `settings.md` with sensible defaults. |
 | `vaults build` | Render the vault to a local directory (no deploy). |
 | `vaults preview` | Render + serve locally via `wrangler pages dev` so you can click around with auth working. |
 | `vaults push` | Render + deploy to Cloudflare Pages. |
+| `vaults push --dry-run` | Render without deploying. |
+| `vaults push --rotate-secret` | Generate a fresh `SESSION_SECRET`, invalidating every issued auth token at once. |
+| `vaults push --all-warnings` / `vaults build --all-warnings` | Don't truncate the broken-link / missing-image report. |
+
+### Roles and passwords
+
+| Command | What it does |
+|---|---|
 | `vaults role add <name>` | Add an access tier. The first role becomes the default (no password). |
 | `vaults role remove <name>` | Remove an access tier. |
 | `vaults role list` | List configured roles. |
 | `vaults role promote <name>` / `demote <name>` | Reorder tiers. |
 | `vaults password <role>` | Set or change a role's password (PBKDF2-SHA256). |
-| `vaults push --rotate-secret` | Generate a fresh `SESSION_SECRET`, invalidating every issued auth token at once. |
-| `vaults push --all-warnings` / `vaults build --all-warnings` | Don't truncate the broken-link / missing-image report. |
+
+### Patreon OAuth (optional)
+
+Link roles to Patreon tier IDs, so any patron at that tier can sign in with Patreon and pick up the corresponding role. Coexists with passwords; either grants the role.
+
+| Command | What it does |
+|---|---|
+| `vaults patreon configure` | Prompts for Patreon OAuth client credentials and walks you through picking a campaign. The client secret is stored as a Wrangler secret on next push. |
+| `vaults patreon link <role> <tier-id>` | Map a role to a numeric Patreon tier ID. |
+| `vaults patreon unlink <role>` | Remove a role's tier mapping (password access stays). |
+| `vaults patreon status` | Show current configuration and tier mappings. |
+| `vaults patreon clear` | Remove the entire Patreon configuration. |
+
+You'll need to register a Patreon OAuth client at <https://www.patreon.com/portal/registration> and add `https://your-deploy-url/auth/patreon/callback` as a redirect URI before running `configure`.
 
 Run any command with `--help` for the full flag list.
 
@@ -71,18 +98,20 @@ Run any command with `--help` for the full flag list.
 vault_name: My Wiki
 default_role: public
 accent_color: "#7a4a8c"
-accent_color_dark: "#b58af5"
+bg_color: "#1a1a2e"
 favicon: assets/icons/wiki.png
 inline_title: true
-default_image_width: 50vw
+default_image_width: 300px
 center_images: true
+auto_image: true
+include_unknown_files: false
 ignore:
   - Templates/**
   - "*.draft.md"
 ---
 ```
 
-Open it in Obsidian; the frontmatter shows up as a Properties form.
+Open it in Obsidian; the frontmatter shows up as a Properties form. Unknown keys are warned about and stripped on next push, so the file stays canonical. Auth config (roles, passwords, Patreon credentials) is **not** in `settings.md`; it lives in `.vaultrc.json` and is managed by the CLI.
 
 ## Page frontmatter
 
@@ -95,30 +124,118 @@ title: Optional override          # default: filename or first H1
 aliases:                          # extra names that resolve to this page from wikilinks
   - Pale Mountains
   - The Pale Mountains
+image: assets/banner.webp         # optional cover image (OG / Twitter / Bases / Foundry)
+foundry_base: Compendium.dnd5e.monsters.Actor.bandit   # optional Foundry doc to clone
+foundry:                                                # optional doc overrides
+  system.attributes.hp.value: 22
 ---
 ```
 
 Wikilinks (`[[Page]]`, `[[Page|alias]]`, `[[NPCs/Page#section]]`), image embeds (`![[image.png]]`), transclusions (`![[Page]]`), and Obsidian callouts all render the same way they do in Obsidian.
 
+## Custom handlers
+
+Vault authors can extend the renderer with custom inline-code and code-block transforms. Drop a Node ESM module into `.vaults/handlers/<name>.mjs` that exports a `handler` (or `handlers: Handler[]`); vaults-cli loads them at build time and runs them over every page.
+
+- **Inline handler**: matches inline code like `` `prefix: content` ``.
+- **Code-block handler**: matches fenced ` ```language ` blocks.
+
+Both return either `{ markdown }` (re-processed through the rest of the pipeline) or `{ html }` (sanitized and inserted as-is).
+
+```js
+// .vaults/handlers/seealso.mjs
+export const handler = {
+  codeBlock: "seealso",
+  render: (content) => ({
+    markdown: content
+      .split(/\r?\n/)
+      .filter(Boolean)
+      .map((p) => `- [[${p.trim()}]]`)
+      .join("\n"),
+  }),
+};
+```
+
+### Browser-side assets
+
+If your handler needs to ship browser-side JavaScript or CSS, declare them with the `assets` field. Paths are relative to the handler file. Every declared asset across all handlers is concatenated into one `_handlers.js` and one `_handlers.css` at the deploy root, deduped by absolute path so a shared utility file is only included once.
+
+```js
+// .vaults/handlers/widget.mjs
+export const handler = {
+  codeBlock: "widget",
+  assets: {
+    scripts: ["./widget.runtime.js"],
+    styles: ["./widget.css"],
+  },
+  render: (content) => ({
+    html: `<div class="widget" data-config="${content}"></div>`,
+  }),
+};
+```
+
+```js
+// .vaults/handlers/widget.runtime.js
+(function () {
+  document.querySelectorAll('.widget').forEach((el) => {
+    // wire up el.dataset.config into something interactive
+  });
+})();
+```
+
+The deployed page references `/_handlers.js` (deferred) and `/_handlers.css`; the runtime then finds and hydrates the handler's HTML. Wrap your runtime in an IIFE to avoid global pollution.
+
+**File-naming convention.** Handler module files end in `.mjs`. Browser-side runtime / CSS files end in `.js` / `.css`. The loader only treats `.mjs` files as handler modules; `.js` files in the same directory are picked up only if a handler's `assets.scripts` references them.
+
+### Built-ins
+
+- **`dice:` (inline)** — `` `dice: 1d20+5` `` renders as a clickable button on the deploy that re-rolls on click. Mirrors [Obsidian Dice Roller](https://github.com/javalent/dice-roller) syntax.
+
+User handlers can override built-ins of the same name. Trust model: handlers run with the same permissions as the rest of the build, so only run `vaults push` on vaults whose contents you trust.
+
 ## Auth
 
 Multi-role deploys ship with a small Cloudflare Pages Function (`_middleware.js`) that:
 
 - **Gates per-role variants** via a signed cookie (`SameSite=None; Secure; Partitioned`).
-- **Issues bearer tokens** through an OAuth-style `/connect` flow used by the [Foundry module](https://github.com/wizzlethorpe/vaults-foundry).
+- **Issues bearer tokens** through an OAuth-style `/connect` flow used by the [Foundry module](https://github.com/wizzlethorpe/vaults).
+- **Handles Patreon login** at `/auth/patreon/login` and `/auth/patreon/callback` when configured.
 - **Exposes** `/_batch` (text) and `/_batch-images` (binary) for bulk content sync.
+- **Publishes** `/_manifest.json` with the deploy's name, role order, and auth requirements so external clients can probe the deploy before picking an auth flow.
 
 Tokens are stateless HMAC-signed JWTs; revocation = rotate `SESSION_SECRET` via `vaults push --rotate-secret`.
 
+Single-role (public-only) deploys skip the middleware entirely; everything serves as plain static assets.
+
 ## Files this CLI manages locally
 
-| File | Tracked in git? | What it holds |
-|---|---|---|
-| `settings.md` | yes | User-editable settings. |
-| `.vaultrc.json` | **no** | CLI-managed: `SESSION_SECRET`, role password hashes, project name, cached settings. |
-| `.vault-cache/` | **no** | Build cache: rendered output, image webp cache. |
+```
+MyVault/
+├── settings.md          ← user-editable settings (Obsidian Properties UI)
+├── …content…
+├── .env                 ← secrets only (SESSION_SECRET, PATREON_CLIENT_SECRET) — gitignored
+└── .vaults/             ← all vaults-cli internal state lives here
+    ├── .gitignore       ← keeps cache + config out of git automatically
+    ├── config.json      ← CLI-managed: roles, password hashes, project name, Patreon config
+    ├── cache/           ← build cache (rendered HTML, image webp cache)
+    └── handlers/        ← optional: custom inline / code-block handlers
+```
+
+`settings.md` lives at the vault root (and only there) so Obsidian renders it as an editable Properties form. Everything else is internal and tucked under `.vaults/`. `vaults init` writes `.vaults/.gitignore` automatically; if your vault is a git repo, this is enough to keep the cache + secrets-bearing config from being tracked.
+
+## Migrations
+
+vaults-cli runs schema and layout migrations automatically before every `build` / `push` / `preview`. They're idempotent: already-migrated vaults pay only the cost of a few `stat()` calls.
+
+To run them manually or inspect what would change:
+
+```bash
+vaults migrate --list      # show all known migrations
+vaults migrate --dry-run   # show what would apply on this vault
+vaults migrate             # apply pending migrations
+```
 
-`vaults init` adds `.vaultrc.json` and `.vault-cache` to `.gitignore` if your vault is a git repo.
+If you're upgrading from a pre-0.7 vault, the first run of any command will move `.vaultrc.json` → `.vaults/config.json` and `.vault-cache/` → `.vaults/cache/` and write a `.vaults/.gitignore`. Renames are atomic on the same filesystem so even large caches migrate instantly.
 
 ## License
 

package/dist/build.js

@@ -24,9 +24,16 @@ import { resolvePageImage } from "./render/cover.js";
 import { DEFAULT_CSS, renderThemeOverride } from "./render/styles.js";
 import { loadObsidianSnippets } from "./obsidian.js";
 import { loadSettings, writeSettings, SETTINGS_FILE } from "./settings.js";
-import { loadConfig, saveConfig } from "./config.js";
+import { loadConfig } from "./config.js";
 import matter from "gray-matter";
 import { renderAuthMiddleware, LOGIN_HTML } from "./render/auth-template.js";
+import { renderFooterHtml } from "./render/footer.js";
+import { buildRegistry } from "./render/handlers/types.js";
+import { loadUserHandlers } from "./render/handlers/loader.js";
+import { BUILTIN_HANDLERS } from "./render/handlers/builtin/index.js";
+import { bundleHandlerAssets } from "./render/handlers/assets.js";
+import { runMigrations } from "./migrate/run.js";
+import { cacheDir } from "./paths.js";
 import { formatDuration, pMap, Progress } from "./util.js";
 /**
  * Output layout when there are multiple roles:
@@ -48,10 +55,10 @@ import { formatDuration, pMap, Progress } from "./util.js";
 export async function buildSite(opts) {
     const start = Date.now();
     const concurrency = Math.max(2, availableParallelism());
-    // One-shot migration for vaults from before auth config moved to
-    // .vaultrc.json. If the user's settings.md still has roles/auth_type/
-    // role_passwords, copy them over before the canonicalizer strips them.
-    await migrateLegacyAuthFromSettings(opts.vaultPath);
+    // Run any pending schema / layout migrations before reading anything
+    // else. The framework is idempotent: already-migrated vaults pay only
+    // the cost of a few stat() calls. See cli/src/migrate/.
+    await runMigrations(opts.vaultPath);
     // ── Settings (user-editable) ─────────────────────────────────────────────
     const settings = await loadSettings(opts.vaultPath);
     for (const w of settings.warnings)
@@ -66,6 +73,29 @@ export async function buildSite(opts) {
         imageQuality: opts.imageQuality === 85 ? settings.values.image_quality : opts.imageQuality,
         maxFileBytes: opts.maxFileBytes === 25 * 1024 * 1024 ? settings.values.max_file_bytes : opts.maxFileBytes,
     };
+    // ── Custom handlers ──────────────────────────────────────────────────────
+    // Built-ins ship with the CLI; user handlers live in `.vaults/handlers/`
+    // and can override built-in names (last-registered wins). One registry
+    // is built once and shared across every variant render.
+    const userHandlers = await loadUserHandlers(opts.vaultPath);
+    const handlerRegistry = buildRegistry([
+        ...BUILTIN_HANDLERS,
+        ...userHandlers.map((h) => h.handler),
+    ]);
+    if (userHandlers.length > 0) {
+        console.log(`  loaded ${userHandlers.length} custom handler(s) from .vaults/handlers/`);
+    }
+    // Concatenate browser-side assets declared by built-in and user handlers
+    // into a single _handlers.js / _handlers.css emitted at the deploy root.
+    // Each unique source is included once, regardless of invocation count.
+    // Two independent flags so a deploy with only-JS or only-CSS doesn't
+    // reference a file that wasn't written.
+    const handlerAssets = await bundleHandlerAssets(userHandlers, BUILTIN_HANDLERS, opts.vaultPath);
+    const hasHandlerJs = handlerAssets.js.length > 0;
+    const hasHandlerCss = handlerAssets.css.length > 0;
+    // Footer markdown rendered once per build; the resulting HTML is
+    // embedded verbatim in every page's layout. Empty string = no footer.
+    const footerHtml = await renderFooterHtml(settings.values.footer);
     // ── CLI-managed state (auth) ─────────────────────────────────────────────
     const cfg = await loadConfig(opts.vaultPath, {});
     const roles = cfg.roles.length > 0 ? cfg.roles : ["public"];
@@ -183,8 +213,8 @@ export async function buildSite(opts) {
     const imageStagingDir = join(opts.outputDir, ".image-staging");
     const imageIndex = new Map();
     if (imageFiles.length > 0) {
-        const cacheDir = join(opts.vaultPath, ".vault-cache", "images", `q${opts.imageQuality}`);
-        await mkdir(cacheDir, { recursive: true });
+        const cacheImageDir = join(cacheDir(opts.vaultPath), "images", `q${opts.imageQuality}`);
+        await mkdir(cacheImageDir, { recursive: true });
         let cacheHits = 0;
         const progress = new Progress("Images");
         progress.update(0, imageFiles.length);
@@ -192,7 +222,7 @@ export async function buildSite(opts) {
             // SVGs / non-compressible images pass through; everything else gets
             // recoded to webp for size. Either way they land in the staging dir.
             const compressed = opts.imageQuality > 0 && COMPRESSIBLE_EXT_RE.test(f.path)
-                ? await compressImageCached(f, opts.imageQuality, cacheDir, () => { cacheHits++; })
+                ? await compressImageCached(f, opts.imageQuality, cacheImageDir, () => { cacheHits++; })
                 : { body: await readFile(f.absolute), outputPath: f.path };
             const dest = join(imageStagingDir, compressed.outputPath);
             await mkdir(dirname(dest), { recursive: true });
@@ -240,6 +270,13 @@ export async function buildSite(opts) {
     await writeFile(join(opts.outputDir, "user.css"), userCss);
     if (userCss)
         console.log(`  loaded user.css from .obsidian/snippets/`);
+    // Browser-side handler assets (built-in + user) concatenated into a
+    // single deploy-root JS and CSS file. Skipped entirely if no handler
+    // declared any assets (purely declarative handlers stay overhead-free).
+    if (hasHandlerJs)
+        await writeFile(join(opts.outputDir, "_handlers.js"), handlerAssets.js);
+    if (hasHandlerCss)
+        await writeFile(join(opts.outputDir, "_handlers.css"), handlerAssets.css);
     // Favicon; either user-supplied via settings.favicon, or a generated
     // default with the vault's first letter in accent on the theme background.
     try {
@@ -296,6 +333,10 @@ export async function buildSite(opts) {
             passthroughStagingDir: otherStagingDir,
             settings: settings.values,
             authConfigured: roles.length > 1,
+            handlerRegistry,
+            hasHandlerJs,
+            hasHandlerCss,
+            footerHtml,
             concurrency,
             allWarnings: opts.allWarnings,
         });
@@ -374,7 +415,7 @@ async function buildVariant(a) {
         visibleSources.set(m.path, a.sources.get(m.path));
     }
     // Synthesize folder indexes from the visible set only.
-    const folderIndexes = generateFolderIndexes(visibleMetas, a.role);
+    const folderIndexes = generateFolderIndexes(visibleMetas, a.role, a.settings.inline_title);
     for (const fi of folderIndexes) {
         visibleMetas.push({ path: fi.path, title: fi.title, role: a.role });
         visibleSources.set(fi.path, fi.markdown);
@@ -406,6 +447,7 @@ async function buildVariant(a) {
         bases: a.baseSources,
         defaultImageWidth: a.settings.default_image_width,
         redactRoles: a.redactRoles,
+        handlers: a.handlerRegistry,
     };
     const rendered = new Map();
     const progress = new Progress(`Pages (${a.role})`);
@@ -453,6 +495,9 @@ async function buildVariant(a) {
             centerImages: a.settings.center_images,
             backlinks,
             authConfigured: a.authConfigured,
+            hasHandlerJs: a.hasHandlerJs,
+            hasHandlerCss: a.hasHandlerCss,
+            footerHtml: a.footerHtml,
             ...(p.mtime != null ? { mtime: p.mtime } : {}),
             ...(p.birthtime != null ? { birthtime: p.birthtime } : {}),
             ...(p.coverImage ? { coverImage: p.coverImage } : {}),
@@ -482,6 +527,9 @@ async function buildVariant(a) {
         defaultImageWidth: a.settings.default_image_width,
         centerImages: a.settings.center_images,
         authConfigured: a.authConfigured,
+        hasHandlerJs: a.hasHandlerJs,
+        hasHandlerCss: a.hasHandlerCss,
+        footerHtml: a.footerHtml,
     }));
     // Per-variant search index. `text` is the page's RENDERED HTML body
     // collapsed to plain text (tags stripped, entities decoded), so search
@@ -624,9 +672,11 @@ async function copyReferencedPassthroughs(visibleSources, passthroughIndex, stag
 }
 /**
  * Build synthesised index.md for any folder (including the root) that has
- * pages but no existing index.md.
+ * pages but no existing index.md. When `inlineTitle` is true, the layout
+ * already injects an <h1> from the page's title, so the synthesised body
+ * skips its own `# Title` heading to avoid the duplicate.
  */
-function generateFolderIndexes(existing, _role) {
+function generateFolderIndexes(existing, _role, inlineTitle) {
     const existingPaths = new Set(existing.map((p) => p.path));
     const folders = new Map();
     folders.set("", { folders: new Set(), pages: [] });
@@ -675,11 +725,28 @@ function generateFolderIndexes(existing, _role) {
             const propsBlock = propsYaml ? `properties:\n${propsYaml}\n` : "";
             sections.push(`## Pages\n\n\`\`\`base\n${filtersBlock}\n${propsBlock}views:\n  - type: table\n    name: Contents\n    order:\n${orderYaml}\n\`\`\``);
         }
-        const heading = title ? `# ${title}\n\n` : "";
-        out.push({ path: indexPath, title: title || "Home", markdown: `${heading}${sections.join("\n\n")}\n` });
+        // With inline_title on, the layout injects an <h1> from the page's
+        // title — which it learns from the markdown's title source. We can
+        // either author the title as a `# Heading` (off-mode) or as YAML
+        // frontmatter (on-mode); the latter avoids the duplicated <h1> while
+        // still letting the renderer surface the right title.
+        const displayTitle = title || "Home";
+        const heading = inlineTitle ? "" : (title ? `# ${title}\n\n` : "");
+        const frontmatter = inlineTitle ? `---\ntitle: ${yamlString(displayTitle)}\n---\n\n` : "";
+        out.push({
+            path: indexPath,
+            title: displayTitle,
+            markdown: `${frontmatter}${heading}${sections.join("\n\n")}\n`,
+        });
     }
     return out;
 }
+/** YAML-quote a string only when needed (special chars or ambiguous flow). */
+function yamlString(s) {
+    if (/^[A-Za-z0-9_ .-]+$/.test(s) && !/^(true|false|null|yes|no)$/i.test(s))
+        return s;
+    return JSON.stringify(s);
+}
 /**
  * Pick a small set of columns for an auto-generated folder index based on
  * what frontmatter the pages in that folder actually have. The first
@@ -970,64 +1037,6 @@ function contentTypeForExt(filename) {
     };
     return map[ext] ?? "application/octet-stream";
 }
-/**
- * Pre-canonicalisation migration. Earlier versions stored roles, auth_type,
- * and role_passwords in settings.md frontmatter; they now live in
- * .vaultrc.json. If we still see them in settings.md (legacy vault), copy
- * over what's missing in .vaultrc.json so the imminent canonicaliser doesn't
- * silently drop them.
- *
- * Idempotent: returns true and logs only if it actually moved something.
- */
-async function migrateLegacyAuthFromSettings(vaultPath) {
-    const settingsPath = join(vaultPath, SETTINGS_FILE);
-    let raw;
-    try {
-        raw = await readFile(settingsPath, "utf8");
-    }
-    catch {
-        return false;
-    }
-    const fm = (matter(raw).data ?? {});
-    const hasLegacy = "roles" in fm || "auth_type" in fm || "role_passwords" in fm;
-    if (!hasLegacy)
-        return false;
-    const cfg = await loadConfig(vaultPath, {});
-    const moved = [];
-    // roles: only migrate if cfg is still at the default ["public"].
-    if (Array.isArray(fm.roles)) {
-        const list = fm.roles.filter((r) => typeof r === "string");
-        const isDefault = cfg.roles.length === 0 || (cfg.roles.length === 1 && cfg.roles[0] === "public");
-        if (list.length > 0 && isDefault && !arraysEqual(list, ["public"])) {
-            cfg.roles = list;
-            moved.push("roles");
-        }
-    }
-    if (typeof fm.auth_type === "string" && cfg.authType === "password" && fm.auth_type !== "password") {
-        cfg.authType = fm.auth_type;
-        moved.push("auth_type");
-    }
-    if (fm.role_passwords && typeof fm.role_passwords === "object" && !Array.isArray(fm.role_passwords)
-        && Object.keys(cfg.rolePasswords).length === 0) {
-        const map = fm.role_passwords;
-        const cleaned = {};
-        for (const [k, v] of Object.entries(map))
-            if (typeof v === "string")
-                cleaned[k] = v;
-        if (Object.keys(cleaned).length > 0) {
-            cfg.rolePasswords = cleaned;
-            moved.push("role_passwords");
-        }
-    }
-    if (moved.length === 0)
-        return false;
-    await saveConfig(vaultPath, cfg);
-    console.log(`  migrated ${moved.join(", ")} from settings.md → .vaultrc.json`);
-    return true;
-}
-function arraysEqual(a, b) {
-    return a.length === b.length && a.every((x, i) => x === b[i]);
-}
 function extractPlainText(source, max) {
     return source
         .replace(/^---\r?\n[\s\S]*?\r?\n---\r?\n?/, "")