@xlameiro/env-typegen 0.1.2 → 0.1.3

package/dist/index.cjs

@@ -1,15 +1,16 @@
 'use strict';
 
 var fs = require('fs');
-var path5 = require('path');
+var path6 = require('path');
 var url = require('url');
 var promises = require('fs/promises');
 var prettier = require('prettier');
 var picocolors = require('picocolors');
+var util = require('util');
 
 function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
 
-var path5__default = /*#__PURE__*/_interopDefault(path5);
+var path6__default = /*#__PURE__*/_interopDefault(path6);
 
 // src/parser/comment-parser.ts
 var VALID_ENV_VAR_TYPES = /* @__PURE__ */ new Set([
@@ -25,28 +26,73 @@ var VALID_ENV_VAR_TYPES = /* @__PURE__ */ new Set([
 function isEnvVarType(value) {
   return VALID_ENV_VAR_TYPES.has(value);
 }
+function applyTypeAnnotation(state, content) {
+  const typeStr = content.slice("@type ".length).trim();
+  if (isEnvVarType(typeStr)) state.annotatedType = typeStr;
+}
+function applyEnumAnnotation(state, content) {
+  const values = content.slice("@enum ".length).trim().split(",").map((v) => v.trim()).filter((v) => v.length > 0);
+  if (values.length > 0) state.enumValues = values;
+}
+function applyMinAnnotation(state, content) {
+  const num = Number(content.slice("@min ".length).trim());
+  if (Number.isFinite(num)) state.minConstraint = num;
+}
+function applyMaxAnnotation(state, content) {
+  const num = Number(content.slice("@max ".length).trim());
+  if (Number.isFinite(num)) state.maxConstraint = num;
+}
+function applyRuntimeAnnotation(state, content) {
+  const scope = content.slice("@runtime ".length).trim();
+  if (scope === "server" || scope === "client" || scope === "edge") {
+    state.runtime = scope;
+  }
+}
+function processAnnotationContent(state, content) {
+  const trimmed = content.trim();
+  if (trimmed === "@required") {
+    state.isRequired = true;
+    return;
+  }
+  if (trimmed === "@secret") {
+    state.isSecret = true;
+    return;
+  }
+  if (trimmed === "@optional") return;
+  if (content.startsWith("@description ")) {
+    state.description = content.slice("@description ".length).trim();
+  } else if (content.startsWith("@type ")) {
+    applyTypeAnnotation(state, content);
+  } else if (content.startsWith("@enum ")) {
+    applyEnumAnnotation(state, content);
+  } else if (content.startsWith("@min ")) {
+    applyMinAnnotation(state, content);
+  } else if (content.startsWith("@max ")) {
+    applyMaxAnnotation(state, content);
+  } else if (content.startsWith("@runtime ")) {
+    applyRuntimeAnnotation(state, content);
+  } else if (state.description === void 0 && trimmed.length > 0) {
+    state.description = trimmed;
+  }
+}
 function parseCommentBlock(lines) {
-  let annotatedType;
-  let description;
-  let isRequired = false;
+  const state = { isRequired: false };
   for (const line of lines) {
-    const content = line.replace(/^#\s*/, "").trimEnd();
-    if (content.startsWith("@description ")) {
-      description = content.slice("@description ".length).trim();
-    } else if (content.startsWith("@type ")) {
-      const typeStr = content.slice("@type ".length).trim();
-      if (isEnvVarType(typeStr)) {
-        annotatedType = typeStr;
-      }
-    } else if (content.trim() === "@required") {
-      isRequired = true;
-    } else if (content.trim() === "@optional") ; else if (description === void 0 && content.trim().length > 0) {
-      description = content.trim();
-    }
+    processAnnotationContent(state, line.replace(/^#\s*/, "").trimEnd());
   }
-  const result = { isRequired };
-  if (annotatedType !== void 0) result.annotatedType = annotatedType;
-  if (description !== void 0) result.description = description;
+  let constraints;
+  if (state.minConstraint !== void 0 || state.maxConstraint !== void 0) {
+    constraints = {};
+    if (state.minConstraint !== void 0) constraints.min = state.minConstraint;
+    if (state.maxConstraint !== void 0) constraints.max = state.maxConstraint;
+  }
+  const result = { isRequired: state.isRequired };
+  if (state.annotatedType !== void 0) result.annotatedType = state.annotatedType;
+  if (state.description !== void 0) result.description = state.description;
+  if (state.enumValues !== void 0) result.enumValues = state.enumValues;
+  if (constraints !== void 0) result.constraints = constraints;
+  if (state.runtime !== void 0) result.runtime = state.runtime;
+  if (state.isSecret !== void 0) result.isSecret = state.isSecret;
   return result;
 }
 
@@ -215,6 +261,18 @@ function parseEnvFileContent(content, filePath, options) {
       if (currentGroup !== void 0) {
         parsedVar.group = currentGroup;
       }
+      if (annotations.enumValues !== void 0) {
+        parsedVar.enumValues = annotations.enumValues;
+      }
+      if (annotations.constraints !== void 0) {
+        parsedVar.constraints = annotations.constraints;
+      }
+      if (annotations.runtime !== void 0) {
+        parsedVar.runtime = annotations.runtime;
+      }
+      if (annotations.isSecret !== void 0) {
+        parsedVar.isSecret = annotations.isSecret;
+      }
       vars.push(parsedVar);
       commentBlock = [];
     } else {
@@ -235,7 +293,7 @@ function toTsType(envVarType) {
 function generateTypeScriptTypes(parsed) {
   const clientVars = parsed.vars.filter((v) => v.isClientSide);
   const hasClientVars = clientVars.length > 0;
-  const fileName = path5__default.default.basename(parsed.filePath);
+  const fileName = path6__default.default.basename(parsed.filePath);
   const timestamp = (/* @__PURE__ */ new Date()).toISOString();
   const lines = [];
   lines.push("// Generated by env-typegen \u2014 do not edit manually");
@@ -334,7 +392,7 @@ function generateZodSchema(parsed) {
   return lines.join("\n") + "\n";
 }
 function generateDeclaration(parsed) {
-  const fileName = path5__default.default.basename(parsed.filePath);
+  const fileName = path6__default.default.basename(parsed.filePath);
   const lines = [];
   lines.push("// Generated by env-typegen \u2014 do not edit manually");
   lines.push(`// Source: ${fileName}`);
@@ -415,6 +473,25 @@ function generateT3Env(parsed) {
   lines.push("});");
   return lines.join("\n") + "\n";
 }
+var CONTRACT_FILE_NAMES = [
+  "env.contract.ts",
+  "env.contract.mjs",
+  "env.contract.js"
+];
+function defineContract(contract) {
+  return contract;
+}
+async function loadContract(cwd = process.cwd()) {
+  for (const name of CONTRACT_FILE_NAMES) {
+    const filePath = path6__default.default.resolve(cwd, name);
+    if (fs.existsSync(filePath)) {
+      const fileUrl = url.pathToFileURL(filePath).href;
+      const mod = await import(fileUrl);
+      return mod.default;
+    }
+  }
+  return void 0;
+}
 var CONFIG_FILE_NAMES = [
   "env-typegen.config.ts",
   "env-typegen.config.mjs",
@@ -425,7 +502,7 @@ function defineConfig(config) {
 }
 async function loadConfig(cwd = process.cwd()) {
   for (const name of CONFIG_FILE_NAMES) {
-    const filePath = path5__default.default.resolve(cwd, name);
+    const filePath = path6__default.default.resolve(cwd, name);
     if (fs.existsSync(filePath)) {
       const fileUrl = url.pathToFileURL(filePath).href;
       const mod = await import(fileUrl);
@@ -435,11 +512,11 @@ async function loadConfig(cwd = process.cwd()) {
   return void 0;
 }
 async function readEnvFile(filePath) {
-  return promises.readFile(path5__default.default.resolve(filePath), "utf8");
+  return promises.readFile(path6__default.default.resolve(filePath), "utf8");
 }
 async function writeOutput(filePath, content) {
-  const resolved = path5__default.default.resolve(filePath);
-  await promises.mkdir(path5__default.default.dirname(resolved), { recursive: true });
+  const resolved = path6__default.default.resolve(filePath);
+  await promises.mkdir(path6__default.default.dirname(resolved), { recursive: true });
   await promises.writeFile(resolved, content, "utf8");
 }
 async function formatOutput(content, parser = "typescript") {
@@ -453,6 +530,15 @@ async function formatOutput(content, parser = "typescript") {
     return content;
   }
 }
+function log(message) {
+  console.log(message);
+}
+function warn(message) {
+  console.warn(picocolors.yellow(`\u26A0 ${message}`));
+}
+function error(message) {
+  console.error(picocolors.red(`\u2716 ${message}`));
+}
 function success(message) {
   console.log(picocolors.green(`\u2714 ${message}`));
 }
@@ -460,17 +546,17 @@ function success(message) {
 // src/pipeline.ts
 function deriveOutputPath(base, generator, isSingle) {
   if (isSingle) return base;
-  const ext = path5__default.default.extname(base);
+  const ext = path6__default.default.extname(base);
   const noExt = ext.length > 0 ? base.slice(0, -ext.length) : base;
   const baseExt = ext.length > 0 ? ext : ".ts";
   const outExt = generator === "declaration" ? ".d.ts" : baseExt;
   return `${noExt}.${generator}${outExt}`;
 }
 function deriveOutputBaseForInput(output, inputPath) {
-  const dir = path5__default.default.dirname(output);
-  const ext = path5__default.default.extname(output);
-  const stem = path5__default.default.basename(inputPath, path5__default.default.extname(inputPath));
-  return path5__default.default.join(dir, `${stem}${ext}`);
+  const dir = path6__default.default.dirname(output);
+  const ext = path6__default.default.extname(output);
+  const stem = path6__default.default.basename(inputPath, path6__default.default.extname(inputPath));
+  return path6__default.default.join(dir, `${stem}${ext}`);
 }
 function buildOutput(generator, parsed) {
   switch (generator) {
@@ -551,7 +637,1396 @@ async function runGenerate(options) {
   }
 }
 
+// src/validator/contract-validator.ts
+var SEMVER_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z-.]+)?(?:\+[0-9A-Za-z-.]+)?$/;
+function buildExpected(entry) {
+  if (entry.enumValues !== void 0 && entry.enumValues.length > 0) {
+    return { type: "enum", values: entry.enumValues };
+  }
+  switch (entry.expectedType) {
+    case "number":
+      return {
+        type: "number",
+        ...entry.constraints?.min !== void 0 && { min: entry.constraints.min },
+        ...entry.constraints?.max !== void 0 && { max: entry.constraints.max }
+      };
+    case "boolean":
+      return { type: "boolean" };
+    case "url":
+      return { type: "url" };
+    case "email":
+      return { type: "email" };
+    case "json":
+      return { type: "json" };
+    case "semver":
+      return { type: "semver" };
+    case "unknown":
+      return { type: "unknown" };
+    default:
+      return { type: "string" };
+  }
+}
+function checkSecretExposed(variable, entry, environment) {
+  if (entry.isSecret !== true) return void 0;
+  if (variable.rawValue === "") return void 0;
+  return {
+    code: "ENV_SECRET_EXPOSED",
+    key: variable.key,
+    expected: buildExpected(entry),
+    environment,
+    severity: "error"
+  };
+}
+function checkInvalidType(variable, entry, environment) {
+  const value = variable.rawValue;
+  const expected = buildExpected(entry);
+  switch (entry.expectedType) {
+    case "number": {
+      if (!Number.isFinite(Number(value))) {
+        return {
+          code: "ENV_INVALID_TYPE",
+          key: variable.key,
+          expected,
+          environment,
+          severity: "error"
+        };
+      }
+      break;
+    }
+    case "boolean": {
+      if (value !== "true" && value !== "false") {
+        return {
+          code: "ENV_INVALID_TYPE",
+          key: variable.key,
+          expected,
+          environment,
+          severity: "error"
+        };
+      }
+      break;
+    }
+    case "url": {
+      try {
+        new URL(value);
+      } catch {
+        return {
+          code: "ENV_INVALID_TYPE",
+          key: variable.key,
+          expected,
+          environment,
+          severity: "error"
+        };
+      }
+      break;
+    }
+    case "email": {
+      if (!value.includes("@") || !value.includes(".")) {
+        return {
+          code: "ENV_INVALID_TYPE",
+          key: variable.key,
+          expected,
+          environment,
+          severity: "error"
+        };
+      }
+      break;
+    }
+    case "semver": {
+      if (!SEMVER_RE.test(value)) {
+        return {
+          code: "ENV_INVALID_TYPE",
+          key: variable.key,
+          expected,
+          environment,
+          severity: "error"
+        };
+      }
+      break;
+    }
+  }
+  return void 0;
+}
+function checkNumericConstraints(variable, entry, environment) {
+  if (entry.expectedType !== "number" || entry.constraints === void 0) return void 0;
+  const num = Number(variable.rawValue);
+  if (!Number.isFinite(num)) return void 0;
+  const { min, max } = entry.constraints;
+  const outsideMin = min !== void 0 && num < min;
+  const outsideMax = max !== void 0 && num > max;
+  if (outsideMin || outsideMax) {
+    return {
+      code: "ENV_INVALID_VALUE",
+      key: variable.key,
+      expected: buildExpected(entry),
+      environment,
+      severity: "error"
+    };
+  }
+  return void 0;
+}
+function checkInvalidValue(variable, entry, environment) {
+  const value = variable.rawValue;
+  if (entry.enumValues !== void 0 && entry.enumValues.length > 0) {
+    if (!entry.enumValues.includes(value)) {
+      return {
+        code: "ENV_INVALID_VALUE",
+        key: variable.key,
+        expected: { type: "enum", values: entry.enumValues },
+        environment,
+        severity: "error"
+      };
+    }
+    return void 0;
+  }
+  return checkNumericConstraints(variable, entry, environment);
+}
+function checkVariable(variable, context) {
+  const { contractByName, environment, strict } = context;
+  const entry = contractByName.get(variable.key);
+  if (entry === void 0) {
+    return [
+      {
+        code: "ENV_EXTRA",
+        key: variable.key,
+        expected: { type: "string" },
+        environment,
+        severity: strict ? "error" : "warning"
+      }
+    ];
+  }
+  const found = [];
+  const secretIssue = checkSecretExposed(variable, entry, environment);
+  if (secretIssue !== void 0) found.push(secretIssue);
+  if (variable.rawValue === "") return found;
+  const typeIssue = checkInvalidType(variable, entry, environment);
+  if (typeIssue !== void 0) {
+    found.push(typeIssue);
+    return found;
+  }
+  const valueIssue = checkInvalidValue(variable, entry, environment);
+  if (valueIssue !== void 0) found.push(valueIssue);
+  return found;
+}
+function validateContract(parsed, contract, opts = {}) {
+  const environment = opts.environment ?? "local";
+  const strict = opts.strict ?? true;
+  const issues = [];
+  const contractByName = new Map(
+    contract.vars.map((entry) => [entry.name, entry])
+  );
+  const parsedByKey = new Map(parsed.vars.map((v) => [v.key, v]));
+  for (const entry of contract.vars) {
+    if (!entry.required) continue;
+    if (parsedByKey.has(entry.name)) continue;
+    issues.push({
+      code: "ENV_MISSING",
+      key: entry.name,
+      expected: buildExpected(entry),
+      environment,
+      severity: "error"
+    });
+  }
+  const context = { contractByName, environment, strict };
+  for (const variable of parsed.vars) {
+    const perVarIssues = checkVariable(variable, context);
+    for (const issue of perVarIssues) {
+      issues.push(issue);
+    }
+  }
+  return { issues };
+}
+
+// src/reporting/ci-reporter.ts
+var ISSUE_TYPE_MAP = {
+  ENV_MISSING: "Required variable is missing from the env file",
+  ENV_EXTRA: "Variable is present in the env file but not declared in the contract",
+  ENV_INVALID_TYPE: "Value cannot be coerced to the declared type",
+  ENV_INVALID_VALUE: "Value fails a constraint check (enum, min, max)",
+  ENV_CONFLICT: "Variable has inconsistent values across environments",
+  ENV_SECRET_EXPOSED: "Secret variable has a non-empty value in a public env file"
+};
+function toIssue(vi) {
+  const issue = {
+    code: vi.code,
+    type: ISSUE_TYPE_MAP[vi.code],
+    key: vi.key,
+    expected: vi.expected,
+    environment: vi.environment,
+    severity: vi.severity,
+    value: null
+  };
+  if (vi.received !== void 0) {
+    issue.received = vi.received;
+  }
+  return issue;
+}
+function buildCiReport(result, meta) {
+  const issues = result.issues.map(toIssue);
+  const errors = issues.filter((i) => i.severity === "error").length;
+  const warnings = issues.filter((i) => i.severity === "warning").length;
+  return {
+    schemaVersion: 1,
+    status: errors > 0 ? "fail" : "ok",
+    summary: { errors, warnings },
+    issues,
+    meta
+  };
+}
+function formatCiReport(report, opts) {
+  return JSON.stringify(report, null, opts?.pretty === true ? 2 : void 0);
+}
+async function resolveContract(contractPath, cwd) {
+  if (contractPath !== void 0) {
+    const absPath = path6__default.default.resolve(cwd ?? process.cwd(), contractPath);
+    if (!fs.existsSync(absPath)) {
+      throw new Error(`Contract file not found: ${absPath}`);
+    }
+    const mod = await import(url.pathToFileURL(absPath).href);
+    if (mod.default === void 0) {
+      throw new Error(`Contract file has no default export: ${absPath}`);
+    }
+    return mod.default;
+  }
+  const contract = await loadContract(cwd);
+  if (contract === void 0) {
+    throw new Error("No contract file found");
+  }
+  return contract;
+}
+function outputJson(result, input, pretty) {
+  const report = buildCiReport(result, {
+    env: input,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  });
+  const formatOpts = {};
+  if (pretty) formatOpts.pretty = true;
+  log(formatCiReport(report, formatOpts));
+}
+function outputHuman(result) {
+  if (result.issues.length === 0) {
+    success("No issues found");
+    return;
+  }
+  for (const issue of result.issues) {
+    const msg = `[${issue.code}] ${issue.key}`;
+    if (issue.severity === "error") {
+      error(msg);
+    } else {
+      warn(msg);
+    }
+  }
+}
+async function runCheck(opts) {
+  const contract = await resolveContract(opts.contract, opts.cwd);
+  const parsed = parseEnvFile(opts.input);
+  const validatorOpts = {};
+  if (opts.environment !== void 0) validatorOpts.environment = opts.environment;
+  if (opts.strict !== void 0) validatorOpts.strict = opts.strict;
+  const result = validateContract(parsed, contract, validatorOpts);
+  const hasErrors = result.issues.some((issue) => issue.severity === "error");
+  const status = hasErrors ? "fail" : "ok";
+  if (!opts.silent) {
+    if (opts.json) {
+      outputJson(result, opts.input, opts.pretty);
+    } else {
+      outputHuman(result);
+    }
+  }
+  return status;
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function readEntryValue(entry, keys) {
+  for (const key of keys) {
+    const value = entry[key];
+    if (typeof value === "string") return value;
+  }
+  return void 0;
+}
+function parseVercelPayload(value) {
+  const entries = Array.isArray(value) ? value : isRecord(value) && Array.isArray(value.envs) ? value.envs : [];
+  const result = {};
+  for (const entry of entries) {
+    if (!isRecord(entry)) continue;
+    const key = readEntryValue(entry, ["key", "name"]);
+    if (key === void 0) continue;
+    const envValue = readEntryValue(entry, ["value", "targetValue", "content"]) ?? "";
+    result[key] = envValue;
+  }
+  return result;
+}
+function parseCloudflarePayload(value) {
+  const entries = Array.isArray(value) ? value : isRecord(value) && Array.isArray(value.result) ? value.result : [];
+  const result = {};
+  for (const entry of entries) {
+    if (!isRecord(entry)) continue;
+    const key = readEntryValue(entry, ["name", "key"]);
+    if (key === void 0) continue;
+    const envValue = readEntryValue(entry, ["text", "value", "secret"]) ?? "";
+    result[key] = envValue;
+  }
+  return result;
+}
+function parseAwsPayload(value) {
+  const entries = isRecord(value) && Array.isArray(value.Parameters) ? value.Parameters : [];
+  const result = {};
+  for (const entry of entries) {
+    if (!isRecord(entry)) continue;
+    const name = readEntryValue(entry, ["Name", "name"]);
+    if (name === void 0) continue;
+    const key = name.split("/").filter((part) => part.length > 0).pop() ?? name;
+    const envValue = readEntryValue(entry, ["Value", "value"]) ?? "";
+    result[key] = envValue;
+  }
+  return result;
+}
+function parseProviderPayload(provider, value) {
+  if (provider === "vercel") return parseVercelPayload(value);
+  if (provider === "cloudflare") return parseCloudflarePayload(value);
+  return parseAwsPayload(value);
+}
+async function loadCloudSource(options) {
+  const resolvedPath = path6__default.default.resolve(options.filePath);
+  const raw = await promises.readFile(resolvedPath, "utf8");
+  const parsed = JSON.parse(raw);
+  return parseProviderPayload(options.provider, parsed);
+}
+var SECRET_KEY_RE = /(SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY|ACCESS_KEY|CLIENT_SECRET)/i;
+var CONTRACT_FILE_NAMES2 = ["env.contract.ts", "env.contract.mjs", "env.contract.js"];
+function isRecord2(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isExpected(value) {
+  if (!isRecord2(value)) return false;
+  const typeValue = value.type;
+  if (typeof typeValue !== "string") return false;
+  const validTypes = /* @__PURE__ */ new Set([
+    "string",
+    "number",
+    "boolean",
+    "enum",
+    "url",
+    "email",
+    "json",
+    "semver",
+    "unknown"
+  ]);
+  if (!validTypes.has(typeValue)) return false;
+  if (typeValue === "enum") {
+    return Array.isArray(value.values) && value.values.every((item) => typeof item === "string");
+  }
+  return true;
+}
+function isEnvContractVariable(value) {
+  if (!isRecord2(value)) return false;
+  if (!isExpected(value.expected)) return false;
+  if (typeof value.required !== "boolean") return false;
+  if (typeof value.clientSide !== "boolean") return false;
+  if (value.description !== void 0 && typeof value.description !== "string") return false;
+  if (value.secret !== void 0 && typeof value.secret !== "boolean") return false;
+  return true;
+}
+function isEnvContract(value) {
+  if (!isRecord2(value)) return false;
+  if (value.schemaVersion !== 1) return false;
+  if (!isRecord2(value.variables)) return false;
+  return Object.values(value.variables).every((item) => isEnvContractVariable(item));
+}
+function isLegacyContract(value) {
+  if (!isRecord2(value)) return false;
+  if (!Array.isArray(value.vars)) return false;
+  return value.vars.every((entry) => isRecord2(entry) && typeof entry.name === "string");
+}
+function mapEnvVarTypeToExpected(type) {
+  if (type === "number") return { type: "number" };
+  if (type === "boolean") return { type: "boolean" };
+  if (type === "url") return { type: "url" };
+  if (type === "email") return { type: "email" };
+  if (type === "json") return { type: "json" };
+  if (type === "semver") return { type: "semver" };
+  if (type === "unknown") return { type: "unknown" };
+  return { type: "string" };
+}
+function shouldTreatAsSecret(key) {
+  return SECRET_KEY_RE.test(key);
+}
+function toExpectedFromLegacyEntry(entry) {
+  if (entry.enumValues !== void 0 && entry.enumValues.length > 0) {
+    return { type: "enum", values: entry.enumValues };
+  }
+  if (entry.expectedType === "number") {
+    return {
+      type: "number",
+      ...entry.constraints?.min !== void 0 && { min: entry.constraints.min },
+      ...entry.constraints?.max !== void 0 && { max: entry.constraints.max }
+    };
+  }
+  if (entry.expectedType === "boolean") return { type: "boolean" };
+  if (entry.expectedType === "url") return { type: "url" };
+  if (entry.expectedType === "email") return { type: "email" };
+  if (entry.expectedType === "json") return { type: "json" };
+  if (entry.expectedType === "semver") return { type: "semver" };
+  if (entry.expectedType === "unknown") return { type: "unknown" };
+  return { type: "string" };
+}
+function convertLegacyContract(contract) {
+  const variables = {};
+  for (const entry of contract.vars) {
+    const clientSide = entry.runtime === "client" || entry.name.startsWith("NEXT_PUBLIC_");
+    variables[entry.name] = {
+      expected: toExpectedFromLegacyEntry(entry),
+      required: entry.required,
+      clientSide,
+      ...entry.description !== void 0 && { description: entry.description },
+      ...(entry.isSecret ?? shouldTreatAsSecret(entry.name)) && { secret: true }
+    };
+  }
+  return {
+    schemaVersion: 1,
+    variables
+  };
+}
+function buildContractFromExample(examplePath) {
+  const parsed = parseEnvFile(examplePath);
+  const variables = {};
+  for (const variable of parsed.vars) {
+    const effectiveType = variable.annotatedType ?? variable.inferredType;
+    variables[variable.key] = {
+      expected: mapEnvVarTypeToExpected(effectiveType),
+      required: variable.isRequired,
+      clientSide: variable.isClientSide,
+      ...variable.description !== void 0 && { description: variable.description },
+      ...shouldTreatAsSecret(variable.key) && { secret: true }
+    };
+  }
+  return {
+    schemaVersion: 1,
+    variables
+  };
+}
+function findDefaultContractPath(cwd) {
+  for (const fileName of CONTRACT_FILE_NAMES2) {
+    const candidatePath = path6__default.default.resolve(cwd, fileName);
+    if (fs.existsSync(candidatePath)) return candidatePath;
+  }
+  return void 0;
+}
+async function loadValidationContract(options) {
+  const { fallbackExamplePath, contractPath, cwd = process.cwd() } = options;
+  const discoveredContractPath = findDefaultContractPath(cwd);
+  const resolvedContractPath = contractPath !== void 0 ? path6__default.default.resolve(cwd, contractPath) : discoveredContractPath;
+  if (resolvedContractPath !== void 0 && fs.existsSync(resolvedContractPath)) {
+    const moduleUrl = url.pathToFileURL(resolvedContractPath).href;
+    const moduleValue = await import(moduleUrl);
+    const candidate = moduleValue.default ?? moduleValue.contract;
+    if (isEnvContract(candidate)) {
+      return candidate;
+    }
+    if (isLegacyContract(candidate)) {
+      return convertLegacyContract(candidate);
+    }
+    throw new Error(
+      `Invalid contract at ${resolvedContractPath}. Export default must match EnvContract.`
+    );
+  }
+  return buildContractFromExample(path6__default.default.resolve(cwd, fallbackExamplePath));
+}
+function isRecord3(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isPlugin(value) {
+  if (!isRecord3(value)) return false;
+  if (typeof value.name !== "string") return false;
+  if (value.transformContract !== void 0 && typeof value.transformContract !== "function") {
+    return false;
+  }
+  if (value.transformSource !== void 0 && typeof value.transformSource !== "function") {
+    return false;
+  }
+  if (value.transformReport !== void 0 && typeof value.transformReport !== "function") {
+    return false;
+  }
+  return true;
+}
+async function loadPluginFromPath(pluginPath, cwd) {
+  const resolvedPath = path6__default.default.resolve(cwd, pluginPath);
+  const moduleValue = await import(url.pathToFileURL(resolvedPath).href);
+  const candidate = moduleValue.default ?? moduleValue.plugin;
+  if (isPlugin(candidate)) return candidate;
+  throw new Error(`Invalid plugin at ${resolvedPath}. Expected a plugin object export.`);
+}
+async function loadPlugins(options) {
+  const cwd = options.cwd ?? process.cwd();
+  const plugins = [];
+  const references = [...options.configPlugins ?? [], ...options.pluginPaths];
+  for (const reference of references) {
+    if (typeof reference === "string") {
+      plugins.push(await loadPluginFromPath(reference, cwd));
+      continue;
+    }
+    if (isPlugin(reference)) {
+      plugins.push(reference);
+      continue;
+    }
+    throw new Error("Invalid plugin reference in configuration.");
+  }
+  return plugins;
+}
+function applyContractPlugins(contract, plugins) {
+  let next = contract;
+  for (const plugin of plugins) {
+    if (plugin.transformContract === void 0) continue;
+    next = plugin.transformContract(next);
+  }
+  return next;
+}
+function applySourcePlugins(params, plugins) {
+  let next = params.values;
+  for (const plugin of plugins) {
+    if (plugin.transformSource === void 0) continue;
+    next = plugin.transformSource({ environment: params.environment, values: next });
+  }
+  return next;
+}
+function applyReportPlugins(report, plugins) {
+  let next = report;
+  for (const plugin of plugins) {
+    if (plugin.transformReport === void 0) continue;
+    next = plugin.transformReport(next);
+  }
+  return next;
+}
+
+// src/validation/engine.ts
+var EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
+var SEMVER_RE2 = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z-.]+)?(?:\+[0-9A-Za-z-.]+)?$/;
+function detectReceivedType(value) {
+  const normalized = value.trim();
+  if (normalized.length === 0) return "unknown";
+  if (["true", "false", "1", "0", "yes", "no"].includes(normalized.toLowerCase())) return "boolean";
+  if (!Number.isNaN(Number(normalized)) && Number.isFinite(Number(normalized))) return "number";
+  if (SEMVER_RE2.test(normalized)) return "semver";
+  try {
+    const url = new URL(normalized);
+    if (url.protocol.length > 0) return "url";
+  } catch {
+  }
+  if (EMAIL_RE.test(normalized)) return "email";
+  try {
+    const parsed = JSON.parse(normalized);
+    if (typeof parsed === "object" && parsed !== null) return "json";
+  } catch {
+  }
+  return "string";
+}
+function validateValueAgainstExpected(expected, rawValue) {
+  const normalized = rawValue.trim();
+  const receivedType = detectReceivedType(normalized);
+  if (expected.type === "unknown") return { isValid: true, receivedType };
+  if (expected.type === "string") return { isValid: true, receivedType };
+  if (expected.type === "number") {
+    const parsed = Number(normalized);
+    if (Number.isNaN(parsed) || !Number.isFinite(parsed)) {
+      return { isValid: false, receivedType, issueType: "invalid_type" };
+    }
+    if (expected.min !== void 0 && parsed < expected.min) {
+      return { isValid: false, receivedType, issueType: "invalid_value" };
+    }
+    if (expected.max !== void 0 && parsed > expected.max) {
+      return { isValid: false, receivedType, issueType: "invalid_value" };
+    }
+    return { isValid: true, receivedType };
+  }
+  if (expected.type === "boolean") {
+    if (!["true", "false", "1", "0", "yes", "no"].includes(normalized.toLowerCase())) {
+      return { isValid: false, receivedType, issueType: "invalid_type" };
+    }
+    return { isValid: true, receivedType };
+  }
+  if (expected.type === "enum") {
+    if (!expected.values.includes(normalized)) {
+      return { isValid: false, receivedType, issueType: "invalid_value" };
+    }
+    return { isValid: true, receivedType };
+  }
+  if (expected.type === "url") {
+    try {
+      const value = new URL(normalized);
+      if (value.protocol.length === 0)
+        return { isValid: false, receivedType, issueType: "invalid_type" };
+      return { isValid: true, receivedType };
+    } catch {
+      return { isValid: false, receivedType, issueType: "invalid_type" };
+    }
+  }
+  if (expected.type === "email") {
+    if (!EMAIL_RE.test(normalized))
+      return { isValid: false, receivedType, issueType: "invalid_type" };
+    return { isValid: true, receivedType };
+  }
+  if (expected.type === "json") {
+    try {
+      const parsed = JSON.parse(normalized);
+      if (typeof parsed === "object" && parsed !== null) return { isValid: true, receivedType };
+      return { isValid: false, receivedType, issueType: "invalid_type" };
+    } catch {
+      return { isValid: false, receivedType, issueType: "invalid_type" };
+    }
+  }
+  if (expected.type === "semver") {
+    if (!SEMVER_RE2.test(normalized))
+      return { isValid: false, receivedType, issueType: "invalid_value" };
+    return { isValid: true, receivedType };
+  }
+  return { isValid: true, receivedType };
+}
+function toIssueCode(issueType) {
+  if (issueType === "missing") return "ENV_MISSING";
+  if (issueType === "extra") return "ENV_EXTRA";
+  if (issueType === "invalid_type") return "ENV_INVALID_TYPE";
+  if (issueType === "invalid_value") return "ENV_INVALID_VALUE";
+  if (issueType === "conflict") return "ENV_CONFLICT";
+  return "ENV_SECRET_EXPOSED";
+}
+function toIssueValue(value, debugValues) {
+  if (!debugValues) return null;
+  if (value === void 0) return null;
+  return value;
+}
+function createIssue(params) {
+  return {
+    code: toIssueCode(params.type),
+    type: params.type,
+    severity: params.severity,
+    key: params.key,
+    environment: params.environment,
+    message: params.message,
+    value: toIssueValue(params.value, params.debugValues),
+    ...params.expected !== void 0 && { expected: params.expected },
+    ...params.receivedType !== void 0 && { receivedType: params.receivedType }
+  };
+}
+function dedupeIssues(issues) {
+  const seen = /* @__PURE__ */ new Set();
+  const unique = [];
+  for (const issue of issues) {
+    const token = [
+      issue.code,
+      issue.type,
+      issue.severity,
+      issue.environment,
+      issue.key,
+      issue.message,
+      issue.receivedType ?? ""
+    ].join("|");
+    if (seen.has(token)) continue;
+    seen.add(token);
+    unique.push(issue);
+  }
+  return unique;
+}
+function buildReport(env, issues, recommendations) {
+  const dedupedIssues = dedupeIssues(issues);
+  const errors = dedupedIssues.filter((item) => item.severity === "error").length;
+  const warnings = dedupedIssues.filter((item) => item.severity === "warning").length;
+  const status = errors > 0 ? "fail" : "ok";
+  return {
+    schemaVersion: 1,
+    status,
+    summary: {
+      errors,
+      warnings,
+      total: dedupedIssues.length
+    },
+    issues: dedupedIssues,
+    meta: {
+      env,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    },
+    ...recommendations !== void 0 && recommendations.length > 0 && { recommendations }
+  };
+}
+function isClientSecret(variable, key) {
+  return variable.secret === true && (variable.clientSide || key.startsWith("NEXT_PUBLIC_"));
+}
+function validateAgainstContract(options) {
+  const issues = [];
+  const contractKeys = new Set(Object.keys(options.contract.variables));
+  for (const [key, variable] of Object.entries(options.contract.variables)) {
+    const value = options.values[key];
+    const hasValue = value !== void 0 && value.trim().length > 0;
+    if (variable.required && !hasValue) {
+      issues.push(
+        createIssue({
+          type: "missing",
+          severity: "error",
+          key,
+          environment: options.environment,
+          message: `Required variable ${key} is missing.`,
+          debugValues: options.debugValues,
+          expected: variable.expected
+        })
+      );
+      continue;
+    }
+    if (!hasValue) continue;
+    const validation = validateValueAgainstExpected(variable.expected, value);
+    if (!validation.isValid) {
+      issues.push(
+        createIssue({
+          type: validation.issueType,
+          severity: "error",
+          key,
+          environment: options.environment,
+          message: validation.issueType === "invalid_type" ? `Variable ${key} has invalid type.` : `Variable ${key} has invalid value.`,
+          value,
+          debugValues: options.debugValues,
+          expected: variable.expected,
+          receivedType: validation.receivedType
+        })
+      );
+    }
+    if (isClientSecret(variable, key)) {
+      issues.push(
+        createIssue({
+          type: "secret_exposed",
+          severity: "error",
+          key,
+          environment: options.environment,
+          message: `Secret variable ${key} is marked as client-side.`,
+          value,
+          debugValues: options.debugValues,
+          expected: variable.expected
+        })
+      );
+    }
+  }
+  for (const [key, value] of Object.entries(options.values)) {
+    if (contractKeys.has(key)) continue;
+    const severity = options.strict ? "error" : "warning";
+    issues.push(
+      createIssue({
+        type: "extra",
+        severity,
+        key,
+        environment: options.environment,
+        message: `Variable ${key} is not defined in the contract.`,
+        value,
+        debugValues: options.debugValues
+      })
+    );
+  }
+  return buildReport(options.environment, issues);
+}
+function collectUnionKeys(contract, sources) {
+  const union = new Set(Object.keys(contract.variables));
+  for (const source of Object.values(sources)) {
+    for (const key of Object.keys(source)) {
+      union.add(key);
+    }
+  }
+  return union;
+}
+function diffEnvironmentSources(options) {
+  const issues = [];
+  const sourceNames = Object.keys(options.sources);
+  const unionKeys = collectUnionKeys(options.contract, options.sources);
+  for (const key of unionKeys) {
+    const variable = options.contract.variables[key];
+    const valuesBySource = sourceNames.map((sourceName) => ({
+      sourceName,
+      value: options.sources[sourceName]?.[key]
+    }));
+    const present = valuesBySource.filter(
+      (entry) => entry.value !== void 0 && entry.value !== ""
+    );
+    const missing = valuesBySource.filter(
+      (entry) => entry.value === void 0 || entry.value === ""
+    );
+    if (present.length === 0 && variable?.required === true) {
+      for (const entry of missing) {
+        issues.push(
+          createIssue({
+            type: "missing",
+            severity: "error",
+            key,
+            environment: entry.sourceName,
+            message: `Required variable ${key} is missing in ${entry.sourceName}.`,
+            debugValues: options.debugValues,
+            expected: variable.expected
+          })
+        );
+      }
+      continue;
+    }
+    if (present.length > 0) {
+      for (const entry of missing) {
+        issues.push(
+          createIssue({
+            type: "missing",
+            severity: "error",
+            key,
+            environment: entry.sourceName,
+            message: `Variable ${key} is missing in ${entry.sourceName}.`,
+            debugValues: options.debugValues,
+            ...variable !== void 0 && { expected: variable.expected }
+          })
+        );
+      }
+    }
+    const typeBySource = /* @__PURE__ */ new Map();
+    for (const entry of present) {
+      const detected = detectReceivedType(entry.value ?? "");
+      typeBySource.set(entry.sourceName, detected);
+    }
+    if (new Set(typeBySource.values()).size > 1) {
+      for (const [sourceName, detectedType] of typeBySource.entries()) {
+        issues.push(
+          createIssue({
+            type: "conflict",
+            severity: "error",
+            key,
+            environment: sourceName,
+            message: `Variable ${key} has conflicting inferred type across environments.`,
+            debugValues: options.debugValues,
+            receivedType: detectedType,
+            ...options.sources[sourceName]?.[key] !== void 0 && {
+              value: options.sources[sourceName]?.[key]
+            },
+            ...variable !== void 0 && { expected: variable.expected }
+          })
+        );
+      }
+    }
+    for (const entry of present) {
+      if (entry.value === void 0) continue;
+      if (variable === void 0) {
+        const severity = options.strict ? "error" : "warning";
+        issues.push(
+          createIssue({
+            type: "extra",
+            severity,
+            key,
+            environment: entry.sourceName,
+            message: `Variable ${key} is not defined in the contract.`,
+            value: entry.value,
+            debugValues: options.debugValues
+          })
+        );
+        continue;
+      }
+      const validation = validateValueAgainstExpected(variable.expected, entry.value);
+      if (!validation.isValid) {
+        issues.push(
+          createIssue({
+            type: validation.issueType,
+            severity: "error",
+            key,
+            environment: entry.sourceName,
+            message: validation.issueType === "invalid_type" ? `Variable ${key} has invalid type in ${entry.sourceName}.` : `Variable ${key} has invalid value in ${entry.sourceName}.`,
+            value: entry.value,
+            debugValues: options.debugValues,
+            expected: variable.expected,
+            receivedType: validation.receivedType
+          })
+        );
+      }
+      if (isClientSecret(variable, key)) {
+        issues.push(
+          createIssue({
+            type: "secret_exposed",
+            severity: "error",
+            key,
+            environment: entry.sourceName,
+            message: `Secret variable ${key} is marked as client-side.`,
+            value: entry.value,
+            debugValues: options.debugValues,
+            expected: variable.expected
+          })
+        );
+      }
+    }
+  }
+  return buildReport("diff", issues);
+}
+function buildRecommendations(issues) {
+  const codes = new Set(issues.map((item) => item.code));
+  const recommendations = [];
+  if (codes.has("ENV_MISSING")) {
+    recommendations.push("Add missing required variables to each target environment.");
+  }
+  if (codes.has("ENV_EXTRA")) {
+    recommendations.push(
+      "Remove undeclared variables or add them to env.contract.ts intentionally."
+    );
+  }
+  if (codes.has("ENV_INVALID_TYPE") || codes.has("ENV_INVALID_VALUE")) {
+    recommendations.push(
+      "Normalize variable values so they match the expected contract types and constraints."
+    );
+  }
+  if (codes.has("ENV_CONFLICT")) {
+    recommendations.push("Align variable semantics across environments to avoid drift.");
+  }
+  if (codes.has("ENV_SECRET_EXPOSED")) {
+    recommendations.push(
+      "Move secret variables to server-only scope and avoid NEXT_PUBLIC_ exposure for secrets."
+    );
+  }
+  return recommendations;
+}
+function buildDoctorReport(options) {
+  const merged = [...options.checkReport.issues, ...options.diffReport.issues];
+  const recommendations = buildRecommendations(merged);
+  return buildReport("doctor", merged, recommendations);
+}
+function stripWrappingQuotes(value) {
+  if (value.length < 2) return value;
+  if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+    return value.slice(1, -1);
+  }
+  return value;
+}
+function parseEnvSourceContent(content) {
+  const result = {};
+  const lines = content.split("\n");
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed.length === 0 || trimmed.startsWith("#")) continue;
+    const match = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$/.exec(trimmed);
+    if (match === null) continue;
+    const key = match[1] ?? "";
+    const rawValue = match[2] ?? "";
+    result[key] = stripWrappingQuotes(rawValue.trim());
+  }
+  return result;
+}
+async function loadEnvSource(options) {
+  const resolvedPath = path6__default.default.resolve(options.filePath);
+  try {
+    const content = await promises.readFile(resolvedPath, "utf8");
+    return parseEnvSourceContent(content);
+  } catch (errorValue) {
+    if (options.allowMissing === true && errorValue instanceof Error && "code" in errorValue && errorValue.code === "ENOENT") {
+      return {};
+    }
+    throw errorValue;
+  }
+}
+function toJsonString(report, mode) {
+  if (mode === "pretty") return `${JSON.stringify(report, null, 2)}
+`;
+  return `${JSON.stringify(report)}
+`;
+}
+function formatIssue(issue) {
+  const expected = issue.expected !== void 0 ? ` expected=${issue.expected.type}` : "";
+  const received = issue.receivedType !== void 0 ? ` received=${issue.receivedType}` : "";
+  return `${issue.severity.toUpperCase()} [${issue.code}] ${issue.environment}:${issue.key} ${issue.message}${expected}${received}`;
+}
+function formatHumanReport(report) {
+  const lines = [];
+  lines.push(
+    `Status: ${report.status.toUpperCase()} (errors=${report.summary.errors}, warnings=${report.summary.warnings}, total=${report.summary.total})`
+  );
+  if (report.issues.length > 0) {
+    lines.push("");
+    lines.push("Issues:");
+    for (const issue of report.issues) {
+      lines.push(`- ${formatIssue(issue)}`);
+    }
+  }
+  if (report.recommendations !== void 0 && report.recommendations.length > 0) {
+    lines.push("");
+    lines.push("Recommendations:");
+    for (const recommendation of report.recommendations) {
+      lines.push(`- ${recommendation}`);
+    }
+  }
+  return `${lines.join("\n")}
+`;
+}
+async function persistJsonOutput(outputFile, report) {
+  const resolvedPath = path6__default.default.resolve(outputFile);
+  await promises.mkdir(path6__default.default.dirname(resolvedPath), { recursive: true });
+  await promises.writeFile(resolvedPath, `${JSON.stringify(report, null, 2)}
+`, "utf8");
+}
+async function emitValidationReport(options) {
+  const { report, outputFile, jsonMode } = options;
+  if (outputFile !== void 0) {
+    await persistJsonOutput(outputFile, report);
+  }
+  if (jsonMode === "off") {
+    process.stdout.write(formatHumanReport(report));
+    return;
+  }
+  process.stdout.write(toJsonString(report, jsonMode));
+}
+
+// src/validation-command.ts
+var HELP_TEXT = {
+  check: [
+    "Usage: env-typegen check [options]",
+    "",
+    "Options:",
+    "  --env <path>              Environment file to validate (default: .env)",
+    "  --contract <path>         Contract file path (default: env.contract.ts)",
+    "  --example <path>          Fallback .env.example used to bootstrap contract",
+    "  --strict                  Validate extras as errors (default: true)",
+    "  --no-strict               Downgrade extras to warnings",
+    "  --json                    Emit machine-readable JSON report",
+    "  --json=pretty             Emit pretty JSON report",
+    "  --output-file <path>      Persist JSON report to a file",
+    "  --debug-values            Include raw values in issues (unsafe for CI logs)",
+    "  --cloud-provider <name>   vercel | cloudflare | aws",
+    "  --cloud-file <path>       Cloud snapshot JSON file",
+    "  --plugin <path>           Plugin module path (repeatable)",
+    "  -c, --config <path>       Config file path",
+    "  -h, --help                Show this help"
+  ].join("\n"),
+  diff: [
+    "Usage: env-typegen diff [options]",
+    "",
+    "Options:",
+    "  --targets <list>          Comma-separated targets (default: .env,.env.example,.env.production)",
+    "  --contract <path>         Contract file path (default: env.contract.ts)",
+    "  --example <path>          Fallback .env.example used to bootstrap contract",
+    "  --strict                  Validate extras as errors (default: true)",
+    "  --no-strict               Downgrade extras to warnings",
+    "  --json                    Emit machine-readable JSON report",
+    "  --json=pretty             Emit pretty JSON report",
+    "  --output-file <path>      Persist JSON report to a file",
+    "  --debug-values            Include raw values in issues (unsafe for CI logs)",
+    "  --cloud-provider <name>   vercel | cloudflare | aws",
+    "  --cloud-file <path>       Cloud snapshot JSON file added to diff sources",
+    "  --plugin <path>           Plugin module path (repeatable)",
+    "  -c, --config <path>       Config file path",
+    "  -h, --help                Show this help"
+  ].join("\n"),
+  doctor: [
+    "Usage: env-typegen doctor [options]",
+    "",
+    "Options:",
+    "  --env <path>              Environment file to validate (default: .env)",
+    "  --targets <list>          Comma-separated targets for drift analysis",
+    "  --contract <path>         Contract file path (default: env.contract.ts)",
+    "  --example <path>          Fallback .env.example used to bootstrap contract",
+    "  --strict                  Validate extras as errors (default: true)",
+    "  --no-strict               Downgrade extras to warnings",
+    "  --json                    Emit machine-readable JSON report",
+    "  --json=pretty             Emit pretty JSON report",
+    "  --output-file <path>      Persist JSON report to a file",
+    "  --debug-values            Include raw values in issues (unsafe for CI logs)",
+    "  --cloud-provider <name>   vercel | cloudflare | aws",
+    "  --cloud-file <path>       Cloud snapshot JSON file",
+    "  --plugin <path>           Plugin module path (repeatable)",
+    "  -c, --config <path>       Config file path",
+    "  -h, --help                Show this help"
+  ].join("\n")
+};
+function resolveConfigRelative(value, configDir) {
+  if (value === void 0 || path6__default.default.isAbsolute(value)) return value;
+  return path6__default.default.resolve(configDir, value);
+}
+function resolvePluginReference(reference, configDir) {
+  if (typeof reference === "string" && !path6__default.default.isAbsolute(reference)) {
+    return path6__default.default.resolve(configDir, reference);
+  }
+  return reference;
+}
+function applyConfigPaths(config, configDir) {
+  let input;
+  if (Array.isArray(config.input)) {
+    input = config.input.map((item) => resolveConfigRelative(item, configDir) ?? item);
+  } else {
+    input = resolveConfigRelative(config.input, configDir);
+  }
+  const output = resolveConfigRelative(config.output, configDir);
+  const schemaFile = resolveConfigRelative(config.schemaFile, configDir);
+  return {
+    ...config,
+    ...input !== void 0 && { input },
+    ...output !== void 0 && { output },
+    ...schemaFile !== void 0 && { schemaFile },
+    ...config.diffTargets !== void 0 && {
+      diffTargets: config.diffTargets.map(
+        (target) => resolveConfigRelative(target, configDir) ?? target
+      )
+    },
+    ...config.plugins !== void 0 && {
+      plugins: config.plugins.map((reference) => resolvePluginReference(reference, configDir))
+    }
+  };
+}
+async function loadCommandConfig(configPath) {
+  if (configPath === void 0) {
+    return loadConfig(process.cwd());
+  }
+  const resolvedPath = path6__default.default.resolve(configPath);
+  const configDir = path6__default.default.dirname(resolvedPath);
+  const moduleValue = await import(url.pathToFileURL(resolvedPath).href);
+  if (moduleValue.default === void 0) return void 0;
+  return applyConfigPaths(moduleValue.default, configDir);
+}
+function preprocessJsonArguments(argv) {
+  const normalizedArgs = [];
+  let assignedMode = "off";
+  for (const item of argv) {
+    if (item === "--json=pretty") {
+      normalizedArgs.push("--json");
+      assignedMode = "pretty";
+      continue;
+    }
+    if (item === "--json=compact") {
+      normalizedArgs.push("--json");
+      assignedMode = "compact";
+      continue;
+    }
+    normalizedArgs.push(item);
+  }
+  return { normalizedArgs, assignedMode };
+}
+function parseValidationArgs(argv) {
+  const { normalizedArgs, assignedMode } = preprocessJsonArguments(argv);
+  const { values } = util.parseArgs({
+    args: normalizedArgs,
+    options: {
+      env: { type: "string", multiple: true },
+      targets: { type: "string" },
+      contract: { type: "string" },
+      example: { type: "string" },
+      strict: { type: "boolean" },
+      "no-strict": { type: "boolean" },
+      json: { type: "boolean" },
+      "output-file": { type: "string" },
+      "debug-values": { type: "boolean" },
+      "cloud-provider": { type: "string" },
+      "cloud-file": { type: "string" },
+      plugin: { type: "string", multiple: true },
+      config: { type: "string", short: "c" },
+      help: { type: "boolean", short: "h" }
+    }
+  });
+  const castValues = values;
+  const jsonMode = castValues.json === true ? assignedMode === "off" ? "compact" : assignedMode : "off";
+  return { values: castValues, jsonMode };
+}
+function resolveStrict(values, fileConfig) {
+  if (values["no-strict"] === true) return false;
+  if (values.strict !== void 0) return values.strict;
+  if (fileConfig?.strict !== void 0) return fileConfig.strict;
+  return true;
+}
+function parseCloudProvider(value) {
+  if (value === void 0) return void 0;
+  if (value === "vercel" || value === "cloudflare" || value === "aws") return value;
+  throw new Error(`Unknown cloud provider: ${value}. Valid: vercel, cloudflare, aws`);
+}
+function parseTargets(values, fileConfig) {
+  const fromCli = values.targets;
+  if (fromCli !== void 0) {
+    return fromCli.split(",").map((item) => item.trim()).filter((item) => item.length > 0);
+  }
+  if (fileConfig?.diffTargets !== void 0 && fileConfig.diffTargets.length > 0) {
+    return fileConfig.diffTargets;
+  }
+  return [".env", ".env.example", ".env.production"];
+}
+async function prepareCommonContext(values) {
+  const fileConfig = await loadCommandConfig(values.config);
+  const strict = resolveStrict(values, fileConfig);
+  const debugValues = values["debug-values"] ?? false;
+  const contractPath = values.contract ?? fileConfig?.schemaFile;
+  const fallbackExamplePath = values.example ?? ".env.example";
+  const cloudProvider = parseCloudProvider(values["cloud-provider"]);
+  const cloudFile = values["cloud-file"];
+  const pluginLoadOptions = {
+    pluginPaths: values.plugin ?? [],
+    cwd: process.cwd(),
+    ...fileConfig?.plugins !== void 0 && { configPlugins: fileConfig.plugins }
+  };
+  const plugins = await loadPlugins(pluginLoadOptions);
+  return {
+    fileConfig,
+    strict,
+    debugValues,
+    outputFile: values["output-file"],
+    contractPath,
+    fallbackExamplePath,
+    cloudProvider,
+    cloudFile,
+    plugins
+  };
+}
+async function emitAndReturnExitCode(report, params) {
+  const emitOptions = {
+    report,
+    jsonMode: params.jsonMode,
+    ...params.outputFile !== void 0 && { outputFile: params.outputFile }
+  };
+  await emitValidationReport(emitOptions);
+  return report.status === "fail" ? 1 : 0;
+}
+async function runCheckCommand(args) {
+  const context = await prepareCommonContext(args.values);
+  const loadContractOptions = {
+    fallbackExamplePath: context.fallbackExamplePath,
+    cwd: process.cwd(),
+    ...context.contractPath !== void 0 && { contractPath: context.contractPath }
+  };
+  const contract = applyContractPlugins(
+    await loadValidationContract(loadContractOptions),
+    context.plugins
+  );
+  const provider = context.cloudProvider;
+  let environment = args.values.env?.[0] ?? ".env";
+  let sourceValues;
+  if (provider !== void 0) {
+    const cloudFile = context.cloudFile ?? `${provider}.env.json`;
+    sourceValues = await loadCloudSource({ provider, filePath: cloudFile });
+    environment = `cloud:${provider}`;
+  } else {
+    sourceValues = await loadEnvSource({ filePath: environment, allowMissing: true });
+  }
+  sourceValues = applySourcePlugins({ environment, values: sourceValues }, context.plugins);
+  const report = applyReportPlugins(
+    validateAgainstContract({
+      contract,
+      values: sourceValues,
+      environment,
+      strict: context.strict,
+      debugValues: context.debugValues
+    }),
+    context.plugins
+  );
+  return emitAndReturnExitCode(report, {
+    jsonMode: args.jsonMode,
+    ...context.outputFile !== void 0 && { outputFile: context.outputFile }
+  });
+}
+async function runDiffCommand(args) {
+  const context = await prepareCommonContext(args.values);
+  const loadContractOptions = {
+    fallbackExamplePath: context.fallbackExamplePath,
+    cwd: process.cwd(),
+    ...context.contractPath !== void 0 && { contractPath: context.contractPath }
+  };
+  const contract = applyContractPlugins(
+    await loadValidationContract(loadContractOptions),
+    context.plugins
+  );
+  const sources = {};
+  for (const target of parseTargets(args.values, context.fileConfig)) {
+    const values = await loadEnvSource({ filePath: target, allowMissing: true });
+    sources[target] = applySourcePlugins({ environment: target, values }, context.plugins);
+  }
+  if (context.cloudProvider !== void 0) {
+    const cloudFile = context.cloudFile ?? `${context.cloudProvider}.env.json`;
+    const cloudEnvironment = `cloud:${context.cloudProvider}`;
+    const cloudValues = await loadCloudSource({
+      provider: context.cloudProvider,
+      filePath: cloudFile
+    });
+    sources[cloudEnvironment] = applySourcePlugins(
+      { environment: cloudEnvironment, values: cloudValues },
+      context.plugins
+    );
+  }
+  const report = applyReportPlugins(
+    diffEnvironmentSources({
+      contract,
+      sources,
+      strict: context.strict,
+      debugValues: context.debugValues
+    }),
+    context.plugins
+  );
+  return emitAndReturnExitCode(report, {
+    jsonMode: args.jsonMode,
+    ...context.outputFile !== void 0 && { outputFile: context.outputFile }
+  });
+}
+async function runDoctorCommand(args) {
+  const context = await prepareCommonContext(args.values);
+  const loadContractOptions = {
+    fallbackExamplePath: context.fallbackExamplePath,
+    cwd: process.cwd(),
+    ...context.contractPath !== void 0 && { contractPath: context.contractPath }
+  };
+  const contract = applyContractPlugins(
+    await loadValidationContract(loadContractOptions),
+    context.plugins
+  );
+  const checkEnvironment = args.values.env?.[0] ?? ".env";
+  let checkValues = await loadEnvSource({ filePath: checkEnvironment, allowMissing: true });
+  checkValues = applySourcePlugins(
+    { environment: checkEnvironment, values: checkValues },
+    context.plugins
+  );
+  const checkReport = validateAgainstContract({
+    contract,
+    values: checkValues,
+    environment: checkEnvironment,
+    strict: context.strict,
+    debugValues: context.debugValues
+  });
+  const sources = {};
+  for (const target of parseTargets(args.values, context.fileConfig)) {
+    const values = await loadEnvSource({ filePath: target, allowMissing: true });
+    sources[target] = applySourcePlugins({ environment: target, values }, context.plugins);
+  }
+  if (context.cloudProvider !== void 0) {
+    const cloudFile = context.cloudFile ?? `${context.cloudProvider}.env.json`;
+    const cloudEnvironment = `cloud:${context.cloudProvider}`;
+    const cloudValues = await loadCloudSource({
+      provider: context.cloudProvider,
+      filePath: cloudFile
+    });
+    sources[cloudEnvironment] = applySourcePlugins(
+      { environment: cloudEnvironment, values: cloudValues },
+      context.plugins
+    );
+  }
+  const diffReport = diffEnvironmentSources({
+    contract,
+    sources,
+    strict: context.strict,
+    debugValues: context.debugValues
+  });
+  const report = applyReportPlugins(
+    buildDoctorReport({ checkReport, diffReport }),
+    context.plugins
+  );
+  return emitAndReturnExitCode(report, {
+    jsonMode: args.jsonMode,
+    ...context.outputFile !== void 0 && { outputFile: context.outputFile }
+  });
+}
+async function runValidationCommand(params) {
+  const parsed = parseValidationArgs(params.argv);
+  if (parsed.values.help === true) {
+    console.log(HELP_TEXT[params.command]);
+    return 0;
+  }
+  if (params.command === "check") {
+    return runCheckCommand(parsed);
+  }
+  if (params.command === "diff") {
+    return runDiffCommand(parsed);
+  }
+  return runDoctorCommand(parsed);
+}
+
+exports.CONTRACT_FILE_NAMES = CONTRACT_FILE_NAMES;
+exports.applyContractPlugins = applyContractPlugins;
+exports.applyReportPlugins = applyReportPlugins;
+exports.applySourcePlugins = applySourcePlugins;
+exports.buildCiReport = buildCiReport;
 exports.defineConfig = defineConfig;
+exports.defineContract = defineContract;
+exports.formatCiReport = formatCiReport;
 exports.generateDeclaration = generateDeclaration;
 exports.generateEnvValidation = generateEnvValidation;
 exports.generateT3Env = generateT3Env;
@@ -560,10 +2035,16 @@ exports.generateZodSchema = generateZodSchema;
 exports.inferType = inferType;
 exports.inferTypes = inferTypesFromParsedVars;
 exports.inferenceRules = inferenceRules;
+exports.loadCloudSource = loadCloudSource;
 exports.loadConfig = loadConfig;
+exports.loadContract = loadContract;
+exports.loadPlugins = loadPlugins;
 exports.parseCommentBlock = parseCommentBlock;
 exports.parseEnvFile = parseEnvFile;
 exports.parseEnvFileContent = parseEnvFileContent;
+exports.runCheck = runCheck;
 exports.runGenerate = runGenerate;
+exports.runValidationCommand = runValidationCommand;
+exports.validateContract = validateContract;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map