configorama 0.11.0 → 1.0.0

package/src/main.js

@@ -39,7 +39,25 @@ function walkAndUpdate(root, callback) {
   }
   visit(root, [], null, null)
 }
+
+function isNestedFilterArgument(property, matchedString) {
+  if (typeof property !== 'string' || typeof matchedString !== 'string') return false
+  if (property.trim() === matchedString.trim()) return false
+  const matchIdx = property.indexOf(matchedString)
+  const pipeIdx = property.indexOf('|')
+  const openParenIdx = property.lastIndexOf('(', matchIdx)
+  const closeParenIdx = property.indexOf(')', matchIdx)
+  return pipeIdx !== -1 && matchIdx > pipeIdx && openParenIdx > pipeIdx && closeParenIdx > matchIdx
+}
 const dotProp = require('dot-prop')
+
+function resolveStaticFilterArg(arg, config) {
+  const match = String(arg).trim().match(/^\$\{(?:self:)?([^}]+)\}$/)
+  if (!match) return arg
+  if (!dotProp.has(config, match[1])) return arg
+  return encodeFilterArg(dotProp.get(config, match[1]))
+}
+
 /* Utils - root */
 const {
   isArray, isString, isNumber, isObject, isDate, isRegExp, isFunction,
@@ -71,17 +89,28 @@ const { replaceAll } = require('./utils/strings/replaceAll')
 const { getTextAfterOccurrence, findNestedVariable } = require('./utils/strings/textUtils')
 const { ensureQuote, isSurroundedByQuotes, startsWithQuotedPipe } = require('./utils/strings/quoteUtils')
 const { splitOnPipe } = require('./utils/strings/splitOnPipe')
+const { encodeFilterArg } = require('./utils/filters/filterArgs')
+const { validateOneOf } = require('./utils/filters/oneOf')
 /* Utils - ui */
 const chalk = require('./utils/ui/chalk')
 const deepLog = require('./utils/ui/deep-log')
 const { logHeader } = require('./utils/ui/logs')
 const { runConfigWizard } = require('./utils/ui/configWizard')
+const { buildConfigRequirements } = require('./utils/requirements/configRequirements')
+const { redactUserInputsByRequirements } = require('./utils/redaction/setupRedaction')
 /* Display */
 const { displayNoVariablesFound, displayVariableDetails, displayUniqueVariables, displayConfigurableVariables } = require('./display')
 /* Metadata */
 const { collectVariableMetadata: collectMetadata } = require('./metadata')
 /* Utils - validation */
 const { warnIfNotFound, isValidValue } = require('./utils/validation/warnIfNotFound')
+const {
+  assertCustomFunctionsAllowed,
+  assertCustomResolversAllowed,
+  assertSafeConfigInput,
+  normalizeSafetyPolicy,
+} = require('./utils/security/safetyPolicy')
+const { ConfigoramaError } = require('./errors')
 /* Utils - variables */
 const cleanVariable = require('./utils/variables/cleanVariable')
 const appendDeepVariable = require('./utils/variables/appendDeepVariable')
@@ -144,6 +173,8 @@ class Configorama {
     }
   
     const options = opts || {}
+    // Setup wizard runs when --setup flag is passed (CLI) or options.setup is true (library)
+    this.setupMode = SETUP_MODE || options.setup === true
     // Set opts to pass into JS file calls
     this.settings = Object.assign({}, {
       // Allow unknown ${xyz:...} syntax where xyz is not a registered resolver
@@ -168,6 +199,7 @@ class Configorama {
       // CloudFormation Fn::Sub, inline Lambda code, and CloudFront functions.
       ignorePaths: [],
       skipResolutionPaths: [],
+      safeMode: false,
     }, options)
 
     // Backward compat: allowUnknownVars -> allowUnknownVariableTypes
@@ -179,6 +211,13 @@ class Configorama {
       this.settings.allowUnknownVariableTypes = options.allowUnknownVariables
     }
 
+    this.safetyPolicy = normalizeSafetyPolicy(this.settings, {
+      configDir: options.configDir || (typeof fileOrObject === 'string' ? path.dirname(path.resolve(fileOrObject)) : process.cwd())
+    })
+
+    assertCustomResolversAllowed(options.variableSources, this.safetyPolicy)
+    assertCustomFunctionsAllowed(options.functions, this.safetyPolicy)
+
     // Merge legacy allowUnknownParams and allowUnknownFileRefs into allowUnresolvedVariables
     let unresolvedSetting = this.settings.allowUnresolvedVariables
     if (unresolvedSetting !== true) {
@@ -197,6 +236,9 @@ class Configorama {
     // Paths whose current value is a literal with no variables — skip rebuilding
     // their leaf object on every subsequent populateObjectImpl iteration.
     this._resolvedPaths = new Set()
+    // Ignore-path decisions are constant for a run (patterns are fixed per
+    // instance), so cache per path to skip repeated glob matching.
+    this._ignorePathCache = new Map()
     // Cache raw file contents per absolute path so repeated ${file:...} refs
     // to the same file (e.g., merged twice into different keys) don't reread.
     this._fileContentCache = new Map()
@@ -208,7 +250,7 @@ class Configorama {
     this._needsRawClone = !!(
       this.settings.returnMetadata ||
       this.settings.returnPreResolvedVariableDetails ||
-      VERBOSE || SETUP_MODE || showFound
+      VERBOSE || this.setupMode || showFound
     )
 
     this.foundVariables = []
@@ -272,6 +314,7 @@ class Configorama {
       // Set configPath for file references
       this.configPath = options.configDir || process.cwd()
     } else if (typeof fileOrObject === 'string') {
+      assertSafeConfigInput(fileOrObject, this.safetyPolicy)
       // read and parse file
       const fileContents = fs.readFileSync(fileOrObject, 'utf-8')
       const fileDirectory = path.dirname(path.resolve(fileOrObject))
@@ -372,7 +415,12 @@ class Configorama {
         description: `Resolves values from files. Supports sub-properties via :key or .key lookup.`,
         match: fileRefSyntax,
         resolver: (varString, o, x, pathValue) => {
-          return this.getValueFromFile(varString, { context: pathValue })
+          // Inside ignore-path contexts (e.g. Fn::Sub) inline the file as raw text so
+          // embedded CloudFormation refs survive and the body stays a string. Skip
+          // raw mode when a :key/.key accessor is present — that needs a parsed value.
+          const hasAccessor = /\)\s*[:.]/.test(varString)
+          const asRawText = !!(pathValue && this.isIgnorePath(pathValue.path)) && !hasAccessor
+          return this.getValueFromFile(varString, { asRawText, context: pathValue })
         },
       },
 
@@ -484,12 +532,24 @@ class Configorama {
     )
     this.variablesKnownTypes = variablesKnownTypes
 
+    // Explicit configorama types that should still resolve inside ignore-path
+    // contexts like Fn::Sub (file, text, env, opt, cron, git, user sources, ...).
+    // Excludes self/dot.prop refs — those are left verbatim for CloudFormation /
+    // downstream Serverless resolution.
+    this.subResolvableTypes = combineRegexes(
+      /** @type {RegExp[]} */ (this.variableTypes
+        .filter((v) => v.type !== 'string' && v.type !== 'self' && v.type !== 'dot.prop' && v.match instanceof RegExp)
+        .map((v) => v.match))
+    )
+
     // Build prefix lookup map for O(1) type detection (perf optimization)
     this._resolverByPrefix = new Map()
     for (const r of this.variableTypes) {
-      const prefix = r.prefix || r.type
-      if (prefix && r.match instanceof RegExp && !r.internal) {
-        this._resolverByPrefix.set(prefix + ':', r)
+      const prefixes = r.prefixes || [r.prefix || r.type]
+      for (const prefix of prefixes) {
+        if (prefix && r.match instanceof RegExp && !r.internal) {
+          this._resolverByPrefix.set(prefix + ':', r)
+        }
       }
     }
 
@@ -560,6 +620,37 @@ class Configorama {
         if (value === undefined || value === null || value === 'null') return ''
         return String(value)
       },
+      Array: (value) => {
+        if (Array.isArray(value)) return value
+        if (typeof value !== 'string') {
+          throw new Error(`Configorama Error: Expected Array, got "${value}"`)
+        }
+        const trimmed = value.trim()
+        if (!trimmed) return []
+        try {
+          const parsed = JSON5.parse(trimmed)
+          if (Array.isArray(parsed)) return parsed
+          throw new Error('not-array')
+        } catch (error) {
+          if (trimmed.includes(',')) {
+            return trimmed.split(',').map(item => item.trim()).filter(Boolean)
+          }
+          throw new Error(`Configorama Error: Expected Array, got "${value}"`)
+        }
+      },
+      Object: (value) => {
+        if (value && typeof value === 'object' && !Array.isArray(value)) return value
+        if (typeof value !== 'string') {
+          throw new Error(`Configorama Error: Expected Object, got "${value}"`)
+        }
+        try {
+          const parsed = JSON5.parse(value)
+          if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) return parsed
+        } catch (error) {
+          // Fall through to consistent error below.
+        }
+        throw new Error(`Configorama Error: Expected Object, got "${value}"`)
+      },
       Json: (value) => {
         try {
           return typeof value === 'string' ? JSON.parse(value) : value
@@ -573,6 +664,7 @@ class Configorama {
         // The helpText argument is extracted during metadata collection for the wizard
         return value
       },
+      oneOf: validateOneOf,
     }
 
     // Apply user defined filters
@@ -731,7 +823,7 @@ class Configorama {
         dynamicArgs: this.settings.dynamicArgs
       })
       this.configFileContents = ''
-      if (VERBOSE || showFoundVariables || this.settings.returnPreResolvedVariableDetails || SETUP_MODE) {
+      if (VERBOSE || showFoundVariables || this.settings.returnPreResolvedVariableDetails || this.setupMode) {
         this.configFileContents = fs.readFileSync(this.configFilePath, 'utf8')
       }
       /*
@@ -774,7 +866,7 @@ class Configorama {
     const variableSyntax = this.variableSyntax
     const variablesKnownTypes = this.variablesKnownTypes
 
-    if (VERBOSE || showFoundVariables || this.settings.returnPreResolvedVariableDetails || SETUP_MODE) {
+    if (VERBOSE || showFoundVariables || this.settings.returnPreResolvedVariableDetails || this.setupMode) {
       const metadata = this.collectVariableMetadata()
 
       const enrich = await enrichMetadata(
@@ -829,15 +921,18 @@ class Configorama {
       displayConfigurableVariables(displayParams)
 
 
-      // WALK through CLI prompt if --setup flag is set
-      if (SETUP_MODE) {
+      // WALK through CLI prompt when setup mode is active
+      if (this.setupMode) {
         logHeader('Setup Mode')
         // deepLog('enrich', enrich)
         const userInputs = await runConfigWizard(enrich, this.originalConfig, this.configFilePath)
+        const setupRequirements = buildConfigRequirements(enrich)
+        this.setupRequirements = setupRequirements
+        const displayInputs = redactUserInputsByRequirements(userInputs, setupRequirements)
 
         logHeader('User Inputs Summary')
         console.log()
-        console.log(JSON.stringify(userInputs, null, 2))
+        console.log(JSON.stringify(displayInputs, null, 2))
 
         // TODO set values
 
@@ -887,6 +982,12 @@ class Configorama {
 
     const useDotEnv = this.originalConfig.useDotenv || this.originalConfig.useDotEnv
     if ((useDotEnv && useDotEnv === true) || this.settings.useDotEnvFiles) {
+      if (this.safetyPolicy.blockDotEnv) {
+        throw new ConfigoramaError('blocked_by_safe_mode', 'Dotenv loading is blocked in safe mode', {
+          surface: 'dotenv',
+          configPath: this.configFilePath,
+        })
+      }
       let providerStage
       /* has hardcoded stage */
       if (
@@ -1111,8 +1212,29 @@ class Configorama {
   // #######################
   // ## PROPERTY HANDLING ##
   // #######################
-  shouldSkipResolution(pathValue) {
-    return shouldIgnorePath(pathValue, this.ignorePathPatterns)
+  isIgnorePath(pathValue) {
+    if (!this.ignorePathPatterns.length) return false
+    // NUL-join so distinct path arrays can never collide on a shared key.
+    const key = isArray(pathValue) ? pathValue.join('\x00') : String(pathValue)
+    const cached = this._ignorePathCache.get(key)
+    if (cached !== undefined) return cached
+    const result = shouldIgnorePath(pathValue, this.ignorePathPatterns)
+    this._ignorePathCache.set(key, result)
+    return result
+  }
+  // True when the value has a configorama-typed token that resolves even inside an
+  // ignore-path (file/text/env/opt/cron/git/custom) — i.e. not just self/CFN refs.
+  hasSubResolvableToken(value) {
+    if (typeof value !== 'string') return false
+    const matches = this.getMatches(value)
+    if (!isArray(matches)) return false
+    return matches.some((m) => this.subResolvableTypes.test(m.variable))
+  }
+  shouldSkipResolution(pathValue, value) {
+    if (!this.isIgnorePath(pathValue)) return false
+    // Under an ignore path (Fn::Sub etc.) keep resolving configorama's own typed
+    // refs; only skip when nothing but self/CFN refs remain.
+    return !this.hasSubResolvableToken(value)
   }
 
   /**
@@ -1275,7 +1397,7 @@ class Configorama {
     /* Leave opaque paths verbatim. These often contain non-configorama
        `${...}` syntax from CloudFormation, JavaScript, shell, VTL, etc. */
     variables = variables.filter((property) => {
-      return !this.shouldSkipResolution(property.path)
+      return !this.shouldSkipResolution(property.path, property.value)
     })
     /*
     console.log(`variables at call count ${this.callCount}`, variables)
@@ -1563,7 +1685,7 @@ class Configorama {
       console.log(valueObject)
     }
     const property = valueObject.value
-    if (this.shouldSkipResolution(valueObject.path)) {
+    if (this.shouldSkipResolution(valueObject.path, property)) {
       return Promise.resolve(property)
     }
     const matches = this.getMatches(property)
@@ -1779,6 +1901,9 @@ class Configorama {
           valueToPopulate = `"${valueToPopulate}"`
         }
       }
+      if (isNestedFilterArgument(property, currentMatchedString)) {
+        valueToPopulate = encodeFilterArg(valueToPopulate)
+      }
       property = replaceAll(currentMatchedString, valueToPopulate, property)
       // console.log('property replaceAll', property)
 
@@ -1789,7 +1914,10 @@ class Configorama {
     // partial replacement, number
     } else if (isNumber(valueToPopulate)) {
       if (DEBUG_TYPE) console.log('DEBUG_TYPE isNumber')
-      property = replaceAll(matchedString, String(valueToPopulate), property)
+      const replacementValue = isNestedFilterArgument(property, matchedString)
+        ? encodeFilterArg(valueToPopulate)
+        : String(valueToPopulate)
+      property = replaceAll(matchedString, replacementValue, property)
       // TODO This was temp fix for array value mismatch from filters. This fixes filterInner: ${commas | split(${self:inner}, 2) }
       // } else if (isArray(valueToPopulate) && valueToPopulate.length === 1) {
       //  property = replaceAll(matchedString, String(valueToPopulate[0]), property)
@@ -1812,7 +1940,9 @@ class Configorama {
         )
         // Only encode for file() or text() references where JSON braces break regex matching
         const isFileOrTextRef = /\bfile\s*\(|\btext\s*\(/.test(property)
-        if (isNestedInVariable && isFileOrTextRef) {
+        if (isNestedFilterArgument(property, matchedString)) {
+          property = replaceAll(matchedString, encodeFilterArg(valueToPopulate), property)
+        } else if (isNestedInVariable && isFileOrTextRef) {
           // Encode object as base64 to avoid breaking variable syntax with nested braces
           const encodedObj = encodeJsonForVariable(valueToPopulate)
           property = replaceAll(matchedString, encodedObj, property)
@@ -2040,7 +2170,7 @@ Missing Value ${missingValue} - ${matchedString}
           const rawArgs = funcMatch[2]
           if (rawArgs) {
             const splitter = splitCsv(rawArgs, ', ')
-            filterArgs = formatFunctionArgs(splitter)
+            filterArgs = formatFunctionArgs(splitter.map(arg => resolveStaticFilterArg(arg, this.config)))
           }
         }
 
@@ -2166,6 +2296,7 @@ Missing Value ${missingValue} - ${matchedString}
     // Cache joined path to avoid repeated array.join('.') calls
     const pathJoined = pathValue && pathValue.length ? pathValue.join('.') : null
 
+
     // Track every call to getValueFromSource for metadata
     if (this._trackCalls && pathJoined) {
       const pathKey = pathJoined
@@ -2318,6 +2449,14 @@ Missing Value ${missingValue} - ${matchedString}
     // console.log('resolverFunction', resolverFunction)
     /** */
 
+    // Inside ignore-path contexts (Fn::Sub, inline code, VTL templates, ...) leave
+    // self refs, bare config refs, and CloudFormation refs verbatim for CloudFormation
+    // / downstream Serverless to resolve. Everything configorama can resolve on its own
+    // (file/text/env/opt/cron/eval/git/custom/string/number) still resolves.
+    if (this.isIgnorePath(pathValue) && (!found || resolverType === 'self' || resolverType === 'dot.prop')) {
+      return Promise.resolve(encodeUnknown(this.varPrefix + variableString + this.varSuffix))
+    }
+
     if (found && resolverFunction) {
       /*
       console.log(`----------Resolver [${resolverType}]----------------------`)
@@ -2477,7 +2616,7 @@ Missing Value ${missingValue} - ${matchedString}
             // Parse arguments using the same logic as functions
             if (rawArgs) {
               const splitter = splitCsv(rawArgs, ', ')
-              filterArgs = formatFunctionArgs(splitter)
+              filterArgs = formatFunctionArgs(splitter.map(arg => resolveStaticFilterArg(arg, this.config)))
             }
           }
 
@@ -2749,7 +2888,8 @@ Missing Value ${missingValue} - ${matchedString}
       textRefSyntax: textRefSyntax,
       varPrefix: this.varPrefix,
       varSuffix: this.varSuffix,
-      fileContentCache: this._fileContentCache
+      fileContentCache: this._fileContentCache,
+      safetyPolicy: this.safetyPolicy
     }
     return getValueFromFileResolver(ctx, variableString, options)
   }

package/src/parsers/esm.js

@@ -7,22 +7,7 @@ const path = require('path')
  * @returns {Promise<*>} The result of executing the ESM file
  */
 async function executeESMFile(filePath, opts = {}) {
-  try {
-    // Use require for now since ESM dynamic import in async context is complex
-    // We'll use jiti to handle ESM syntax
-    const { createJiti } = require('jiti')
-    const jiti = createJiti(__filename, {
-      interopDefault: true
-    })
-
-    // Load the ESM file - resolve to absolute path first
-    const resolvedPath = path.resolve(filePath)
-    let esmModule = jiti(resolvedPath)
-
-    return esmModule
-  } catch (err) {
-    throw new Error(`Failed to load ESM file ${filePath}: ${err.message}`)
-  }
+  return executeESMFileSync(filePath, opts)
 }
 
 /**

package/src/parsers/typescript.js

@@ -8,54 +8,7 @@ const fs = require('fs')
  * @returns {Promise<*>} The exported module from the TypeScript file
  */
 async function executeTypeScriptFile(filePath, opts = {}) {
-  // Check if tsx is available first (preferred)
-  let useTsx = false
-  try {
-    require.resolve('tsx/cjs/api')
-    useTsx = true
-  } catch (err) {
-    // Fallback to ts-node if tsx is not available
-    try {
-      require.resolve('ts-node/register')
-    } catch (tsNodeErr) {
-      throw new Error(
-        'TypeScript support requires either "tsx" or "ts-node" to be installed. ' +
-        'Please install one of them:\n' +
-        '  npm install tsx --save-dev (recommended)\n' +
-        '  npm install ts-node typescript --save-dev'
-      )
-    }
-  }
-
-  // Clear require cache to ensure fresh execution
-  const resolvedPath = require.resolve(filePath)
-  delete require.cache[resolvedPath]
-
-  let tsFile
-  if (useTsx) {
-    // Use tsx for modern, fast TypeScript execution
-    // @ts-ignore - tsx doesn't have type declarations
-    const { register } = require('tsx/cjs/api')
-    const restore = register()
-    try {
-      tsFile = require(filePath)
-    } catch (err) {
-      throw new Error(`Failed to load TypeScript file: ${err.message}`)
-    } finally {
-      restore()
-    }
-  } else {
-    // Fallback to ts-node
-    try {
-      // @ts-ignore - ts-node is optional peer dependency
-      require('ts-node/register')
-      tsFile = require(filePath)
-    } catch (err) {
-      throw new Error(`Failed to load TypeScript file with ts-node: ${err.message}`)
-    }
-  }
-
-  return tsFile
+  return executeTypeScriptFileSync(filePath, opts)
 }
 
 /**

package/src/resolvers/valueFromCron.js

@@ -91,34 +91,13 @@ function parseCronExpression(input) {
     return `${minute} ${hour} * * *`
   }
 
-  // Parse "every X minutes/hours/days" patterns
-  const everyMatch = normalizedInput.match(/^every (\d+) (minute|minutes|hour|hours|day|days|week|weeks|month|months)s?$/i)
-  if (everyMatch) {
-    const interval = parseInt(everyMatch[1])
-    const unit = everyMatch[2].toLowerCase().replace(/s$/, '') // Remove trailing 's' if present
-    
-    switch (unit) {
-      case 'minute':
-        return `*/${interval} * * * *`
-      case 'hour':
-        return `0 */${interval} * * *`
-      case 'day':
-        return `0 0 */${interval} * *`
-      case 'week':
-        return `0 0 * * 0/${interval}`
-      case 'month':
-        return `0 0 1 */${interval} *`
-      default:
-        throw new Error(`Unsupported interval unit: ${unit}`)
-    }
-  }
-
-  // Parse "X minute(s)/hour(s)/day(s)" patterns (e.g., "1 minute", "5 minutes", "1 hour")
-  const intervalMatch = normalizedInput.match(/^(\d+) (minute|minutes|hour|hours|day|days|week|weeks|month|months)s?$/i)
+  // Parse "every X minutes/hours/days" and bare "X minute(s)/hour(s)/day(s)" patterns
+  // (e.g., "every 5 minutes", "1 minute", "5 minutes", "1 hour")
+  const intervalMatch = normalizedInput.match(/^(?:every )?(\d+) (minute|minutes|hour|hours|day|days|week|weeks|month|months)s?$/i)
   if (intervalMatch) {
     const interval = parseInt(intervalMatch[1])
     const unit = intervalMatch[2].toLowerCase().replace(/s$/, '') // Remove trailing 's' if present
-    
+
     switch (unit) {
       case 'minute':
         return `*/${interval} * * * *`

package/src/resolvers/valueFromEval.js

@@ -1,6 +1,7 @@
 // const evalRefSyntax = RegExp(/^eval\((~?[\{\}\:\${}a-zA=>+!-Z0-9._\-\/,'"\*\` ]+?)?\)/g)
 const evalRefSyntax = RegExp(/^eval\((.*)?\)/g)
 const { replaceOutsideQuotes } = require('../utils/strings/quoteAware')
+const { assertSafeEvalExpression } = require('../utils/security/evalSafety')
 
 // Pattern for encoded objects/arrays: __OBJ:base64__ or __ARR:base64__
 const ENCODED_PATTERN = /__(?:OBJ|ARR):([A-Za-z0-9+/=]+)__/g
@@ -52,7 +53,9 @@ async function getValueFromEval(variableString) {
 
   // Use "justin" variant to support strict comparison (===, !==) and other JS-like operators
   try {
-    const { default: subscript } = await import('subscript/justin')
+    // justin re-exports `parse` from subscript; importing the subpath directly
+    // ('subscript/parse') is not resolvable under classic module resolution.
+    const { default: subscript, parse } = await import('subscript/justin')
 
     // Handle string comparisons by ensuring both sides are quoted
     let processedExpression = expression.replace(/([a-zA-Z0-9_]+)\s*([=!<>]=?)\s*['"]([^'"]+)['"]/g, '"$1"$2"$3"')
@@ -79,6 +82,13 @@ async function getValueFromEval(variableString) {
     processedExpression = wrapComparisons(processedExpression)
 
     if (process.env.DEBUG_EVAL) console.log('eval processed:', processedExpression)
+
+    // Block prototype-chain escapes (e.g. "".constructor.constructor) before
+    // compiling, whether or not safe mode is enabled.
+    let ast = null
+    try { ast = parse(processedExpression) } catch (parseError) { ast = null }
+    assertSafeEvalExpression(processedExpression, ast)
+
     const fn = subscript(processedExpression)
     const result = fn(Object.keys(context).length > 0 ? context : undefined)
     return result

package/src/resolvers/valueFromFile.js

@@ -8,6 +8,7 @@ const { resolveFilePathFromMatch, resolveFilePath } = require('../utils/paths/ge
 const { findNestedVariables } = require('../utils/variables/findNestedVariables')
 const { makeBox } = require('@davidwells/box-logger')
 const { encodeJsSyntax, decodeJsonInVariable, hasEncodedJson } = require('../utils/encoders/js-fixes')
+const { checkFileAccess } = require('../utils/security/safetyPolicy')
 
 /* File Parsers */
 const YAML = require('../parsers/yaml')
@@ -109,13 +110,16 @@ function parseFileContents(content, filePath) {
  * @param {string} ctx.varPrefix - Variable prefix (e.g., '${')
  * @param {string} ctx.varSuffix - Variable suffix (e.g., '}')
  * @param {Map<string, string>} [ctx.fileContentCache] - Optional per-instance read cache keyed by absolute file path
+ * @param {object} [ctx.safetyPolicy] - Optional safe-mode policy for executable and root checks
  * @param {string} variableString - The variable string to resolve
  * @param {object} options - Resolution options
  * @returns {Promise<any>}
  */
 async function getValueFromFile(ctx, variableString, options) {
   const opts = options || {}
-  const syntax = opts.asRawText ? ctx.textRefSyntax : ctx.fileRefSyntax
+  // Pick syntax from the ref keyword, not the raw-text flag, so a file() ref can
+  // also be inlined as raw text (e.g. inside an Fn::Sub) without losing its match.
+  const syntax = /^\s*text\(/.test(variableString) ? ctx.textRefSyntax : ctx.fileRefSyntax
   // console.log('From file', `"${variableString}"`)
   let matchedFileString = variableString.match(syntax)[0]
   // console.log('matchedFileString', matchedFileString)
@@ -185,6 +189,9 @@ async function getValueFromFile(ctx, variableString, options) {
   }
 
   const exists = fs.existsSync(fullFilePath)
+  if (ctx.safetyPolicy) {
+    checkFileAccess(fullFilePath, ctx.safetyPolicy, { variableString })
+  }
 
   const fileRefEntry = {
     filePath: fullFilePath,