declapract-typescript-ehmpathy 0.47.57 → 0.47.58

package/dist/.test/infra/withKeyrackContext.ts

@@ -0,0 +1,50 @@
+import fs from 'node:fs';
+import os from 'os';
+import path from 'node:path';
+
+import type { KeyrackGrantAttempt } from 'rhachet/keyrack';
+
+/**
+ * .what = creates a mock context with keyrack config in a temp directory
+ * .why = enables test of buildWorkflowSecretsBlock with different keyrack configs
+ */
+export const withKeyrackContext = async (
+  input: { keys: string[] },
+  fn: (context: { getProjectRootDirectory: () => string }) => Promise<void>,
+): Promise<void> => {
+  // create temp dir with keyrack.yml
+  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test-'));
+  const agentDir = path.join(tempDir, '.agent');
+  fs.mkdirSync(agentDir, { recursive: true });
+  fs.writeFileSync(
+    path.join(agentDir, 'keyrack.yml'),
+    `org: test\nenv.test:\n${input.keys.map((k) => `  - ${k}`).join('\n')}`,
+  );
+
+  // mock keyrack.get to return grant attempts
+  const mockGrants: KeyrackGrantAttempt[] = input.keys.map((key) => ({
+    status: 'granted' as const,
+    grant: {
+      slug: `test.test.${key}`,
+      value: 'mock-value',
+      mech: 'PERMANENT_VIA_REPLICA' as const,
+      vault: 'os.direct' as const,
+    },
+  }));
+
+  // store original module
+  const keyrackModule = await import('rhachet/keyrack');
+  const originalGet = keyrackModule.keyrack.get;
+
+  // replace with mock
+  (keyrackModule.keyrack as { get: typeof originalGet }).get = async () =>
+    mockGrants;
+
+  try {
+    await fn({ getProjectRootDirectory: () => tempDir });
+  } finally {
+    // restore original
+    (keyrackModule.keyrack as { get: typeof originalGet }).get = originalGet;
+    fs.rmSync(tempDir, { recursive: true, force: true });
+  }
+};

package/dist/practices/cicd-common/bad-practices/old-use-apikeys/.agent/repo=.this/role=any/skills/use.apikeys.json.declapract.ts

@@ -0,0 +1,7 @@
+import { FileCheckType, type FileFixFunction } from 'declapract';
+
+export const check = FileCheckType.EXISTS;
+
+export const fix: FileFixFunction = () => {
+  return { contents: null };
+};

package/dist/practices/cicd-common/bad-practices/old-use-apikeys/.agent/repo=.this/role=any/skills/use.apikeys.sh.declapract.ts

@@ -0,0 +1,7 @@
+import { FileCheckType, type FileFixFunction } from 'declapract';
+
+export const check = FileCheckType.EXISTS;
+
+export const fix: FileFixFunction = () => {
+  return { contents: null };
+};

package/dist/practices/cicd-common/best-practice/.github/workflows/.test.yml

@@ -201,6 +201,11 @@ jobs:
           path: ./node_modules
           key: ${{ needs.install.outputs.node-modules-cache-key }}
 
+      # .why = keyrack.yml can extend other manifests via symlinks (e.g., .agent/repo=ehmpathy/role=mechanic/keyrack.yml)
+      #        prepare:rhachet creates these symlinks so keyrack.source() can hydrate extended keys
+      - name: prepare:rhachet
+        run: npm run prepare:rhachet --if-present
+
       - name: get aws auth, if creds supplied
         if: ${{ inputs.creds-aws-role-arn }}
         uses: aws-actions/configure-aws-credentials@v4
@@ -270,6 +275,11 @@ jobs:
           path: ./node_modules
           key: ${{ needs.install.outputs.node-modules-cache-key }}
 
+      # .why = keyrack.yml can extend other manifests via symlinks (e.g., .agent/repo=ehmpathy/role=mechanic/keyrack.yml)
+      #        prepare:rhachet creates these symlinks so keyrack.source() can hydrate extended keys
+      - name: prepare:rhachet
+        run: npm run prepare:rhachet --if-present
+
       - name: get aws auth, if creds supplied
         if: ${{ inputs.creds-aws-role-arn }}
         uses: aws-actions/configure-aws-credentials@v4

package/dist/practices/cicd-common/best-practice/.github/workflows/.test.yml.declapract.ts

@@ -1,24 +1,49 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+
 import type { FileCheckFunction, FileFixFunction } from 'declapract';
+import { keyrack, type KeyrackGrantAttempt } from 'rhachet/keyrack';
 
-import { readUseApikeysConfig } from '../../../../../utils/readUseApikeysConfig';
+/**
+ * .what = gets keyrack key names for test env from target project
+ * .why = single source of truth for key discovery
+ */
+const getKeyrackKeys = async (projectRootDir: string): Promise<string[]> => {
+  const keyrackYmlPath = join(projectRootDir, '.agent/keyrack.yml');
+  if (!existsSync(keyrackYmlPath)) return [];
+
+  const keys = (await keyrack.get({
+    for: { repo: true },
+    env: 'test',
+  })) as KeyrackGrantAttempt[];
+  if (!keys.length) return [];
+
+  // extract key names from slugs (format: org.env.KEY_NAME)
+  // .note = KeyrackGrantAttempt is a union of 4 variants (granted/absent/locked/blocked)
+  //         per rhachet/dist/domain.objects/keyrack/KeyrackGrantAttempt.d.ts:8
+  //         granted has slug at grant.slug; others have slug at top level
+  return keys.map((k) =>
+    (k.status === 'granted' ? k.grant.slug : k.slug).split('.').pop()!,
+  );
+};
 
 /**
- * .what = builds the expected .test.yml content with apikey secrets injected
+ * .what = builds the expected .test.yml content with keyrack secrets injected
  * .why = single source of truth for both check and fix
  */
 export const buildExpectedContent = (input: {
   template: string;
-  apikeys: string[];
+  keys: string[];
 }): string => {
   let result = input.template;
 
-  // if no apikeys, return template as-is
-  if (!input.apikeys.length) {
+  // if no keys, return template as-is
+  if (!input.keys.length) {
     return result;
   }
 
   // build secrets declaration block for workflow_call
-  const secretsDeclaration = input.apikeys
+  const secretsDeclaration = input.keys
     .map(
       (key) =>
         `      ${key}:\n        description: "api key for ${key.toLowerCase().replace(/_/g, ' ')}"\n        required: false`,
@@ -26,7 +51,7 @@ export const buildExpectedContent = (input: {
     .join('\n');
 
   // build env block for test-integration job
-  const envBlock = input.apikeys
+  const envBlock = input.keys
     .map((key) => `          ${key}: \${{ secrets.${key} }}`)
     .join('\n');
 
@@ -48,43 +73,41 @@ export const buildExpectedContent = (input: {
 };
 
 /**
- * .what = ensures .test.yml matches expected content with apikey secrets
+ * .what = ensures .test.yml matches expected content with keyrack secrets
  * .why = enables integration tests to access required api keys via github secrets
  */
 export const check: FileCheckFunction = async (contents, context) => {
-  // read apikeys from project
-  const apikeysConfig = await readUseApikeysConfig({
-    projectRootDirectory: context.getProjectRootDirectory(),
-  });
+  // get keyrack keys from project
+  const keys = await getKeyrackKeys(context.getProjectRootDirectory());
 
-  // build expected content from template + apikeys
+  // build expected content from template + keys
   const expected = buildExpectedContent({
     template: context.declaredFileContents ?? '',
-    apikeys: apikeysConfig?.apikeys?.required ?? [],
+    keys,
   });
 
   // if contents don't match expected, best practice is violated
   if (contents !== expected) {
-    throw new Error('file does not match expected content with apikey secrets');
+    throw new Error(
+      'file does not match expected content with keyrack secrets',
+    );
   }
 
   // return = file matches expected (best practice followed)
 };
 
 /**
- * .what = fixes .test.yml to include apikey secrets declaration and env vars
+ * .what = fixes .test.yml to include keyrack secrets declaration and env vars
  * .why = ensures integration tests have access to required api keys
  */
 export const fix: FileFixFunction = async (_contents, context) => {
-  // read apikeys from project
-  const apikeysConfig = await readUseApikeysConfig({
-    projectRootDirectory: context.getProjectRootDirectory(),
-  });
+  // get keyrack keys from project
+  const keys = await getKeyrackKeys(context.getProjectRootDirectory());
 
-  // build expected content from template + apikeys
+  // build expected content from template + keys
   const expected = buildExpectedContent({
     template: context.declaredFileContents ?? '',
-    apikeys: apikeysConfig?.apikeys?.required ?? [],
+    keys,
   });
 
   return { contents: expected };

package/dist/practices/tests/best-practice/jest.acceptance.env.ts

@@ -3,6 +3,7 @@ import { join } from 'node:path';
 import util from 'node:util';
 
 import { jest } from '@jest/globals';
+import { keyrack } from 'rhachet/keyrack';
 
 jest.setTimeout(90000); // we're calling downstream apis
 
@@ -35,36 +36,11 @@ if (
   );
 
 /**
- * .what = verify that required api keys are present; otherwise, fail fast
+ * .what = source credentials from keyrack for test env
  * .why =
- *   - prevent time wasted waiting on tests to fail due to missing api keys
- *   - prevent agents from giving up when they have access to credentials
+ *   - auto-inject keys into process.env
+ *   - fail fast with helpful error if keyrack locked or keys absent
  */
-const apikeysConfigPath = join(
-  process.cwd(),
-  '.agent/repo=.this/role=any/skills/use.apikeys.json',
-);
-if (existsSync(apikeysConfigPath)) {
-  // direct import via require (json resolves automatically)
-  const config = require(apikeysConfigPath);
-  const requiredKeys: string[] = config?.apikeys?.required ?? [];
-  const keysAbsent = requiredKeys.filter((key) => !process.env[key]);
-
-  if (keysAbsent.length > 0) {
-    throw new Error(`
-⛈️  apikeys required to run these acceptance tests were not supplied.
-
-   absent keys: ${keysAbsent.join(', ')}
-
-   you have access to these keys - you just forgot to source them.
-
-   run:
-     source .agent/repo=.this/role=any/skills/use.apikeys.sh && npm run test:acceptance
-
-   you must run these tests with these api keys.
-   you're forbidden to give up.
-   if you don't have privs to run use.apikeys.sh, ask a human for support.
-   chances are, you already have privs to do so though.
-`);
-  }
-}
+const keyrackYmlPath = join(process.cwd(), '.agent/keyrack.yml');
+if (existsSync(keyrackYmlPath))
+  keyrack.source({ env: 'test', owner: 'ehmpath', mode: 'strict' });

package/dist/practices/tests/best-practice/jest.integration.env.ts

@@ -4,6 +4,7 @@ import { join } from 'node:path';
 import util from 'node:util';
 
 import { jest } from '@jest/globals';
+import { keyrack } from 'rhachet/keyrack';
 
 jest.setTimeout(90000); // since we're calling downstream apis
 
@@ -77,44 +78,20 @@ if (requiresTestDb) {
       `PGPASSWORD="${testConfig.database.role.crud.password}" psql -h ${testConfig.database.tunnel.local.host} -p ${testConfig.database.tunnel.local.port} -U ${testConfig.database.role.crud.username} -d ${testConfig.database.target.database} -c "SELECT 1" > /dev/null 2>&1`,
       { timeout: 3000 },
     );
-  } catch {
+  } catch (error) {
     throw new Error(
       `did you forget to \`npm run start:testdb\`? cant connect to database`,
+      { cause: error },
     );
   }
 }
 
 /**
- * .what = verify that required api keys are present; otherwise, fail fast
+ * .what = source credentials from keyrack for test env
  * .why =
- *   - prevent time wasted waiting on tests to fail due to missing api keys
- *   - prevent agents from giving up when they have access to credentials
+ *   - auto-inject keys into process.env
+ *   - fail fast with helpful error if keyrack locked or keys absent
  */
-const apikeysConfigPath = join(
-  process.cwd(),
-  '.agent/repo=.this/role=any/skills/use.apikeys.json',
-);
-if (existsSync(apikeysConfigPath)) {
-  // direct import via require (json resolves automatically)
-  const config = require(apikeysConfigPath);
-  const requiredKeys: string[] = config?.apikeys?.required ?? [];
-  const keysAbsent = requiredKeys.filter((key) => !process.env[key]);
-
-  if (keysAbsent.length > 0) {
-    throw new Error(`
-⛈️  apikeys required to run these integration tests were not supplied.
-
-   absent keys: ${keysAbsent.join(', ')}
-
-   you have access to these keys - you just forgot to source them.
-
-   run:
-     source .agent/repo=.this/role=any/skills/use.apikeys.sh && npm run test:integration
-
-   you must run these tests with these api keys.
-   you're forbidden to give up.
-   if you don't have privs to run use.apikeys.sh, ask a human for support.
-   chances are, you already have privs to do so though.
-`);
-  }
-}
+const keyrackYmlPath = join(process.cwd(), '.agent/keyrack.yml');
+if (existsSync(keyrackYmlPath))
+  keyrack.source({ env: 'test', owner: 'ehmpath', mode: 'strict' });

package/dist/practices/tests/best-practice/package.json

@@ -9,11 +9,10 @@
     "@swc/jest": "@declapract{check.minVersion('0.2.39')}"
   },
   "scripts": {
-    "test:auth": "[ \"${ECHO:-}\" = 'true' ] && echo '. .agent/repo=.this/role=any/skills/use.apikeys.sh' || . .agent/repo=.this/role=any/skills/use.apikeys.sh",
     "test:unit": "set -eu && jest -c ./jest.unit.config.ts --forceExit --verbose --passWithNoTests $([ -n \"${CI:-}\" ] && echo '--ci') $([ -z \"${THOROUGH:-}\" ] && echo '--changedSince=main') $([ -n \"${RESNAP:-}\" ] && echo '--updateSnapshot')",
     "test:integration": "set -eu && jest -c ./jest.integration.config.ts --forceExit --verbose --passWithNoTests $([ -n \"${CI:-}\" ] && echo '--ci') $([ -z \"${THOROUGH:-}\" ] && echo '--changedSince=main') $([ -n \"${RESNAP:-}\" ] && echo '--updateSnapshot')",
     "test:acceptance:locally": "set -eu && npm run build && LOCALLY=true jest -c ./jest.acceptance.config.ts --forceExit --verbose --runInBand --passWithNoTests $([ -n \"${RESNAP:-}\" ] && echo '--updateSnapshot')",
-    "test": "set -eu && eval $(ECHO=true npm run --silent test:auth) && npm run test:commits && npm run test:types && npm run test:format && npm run test:lint && npm run test:unit && npm run test:integration && npm run test:acceptance:locally",
+    "test": "set -eu && npm run test:commits && npm run test:types && npm run test:format && npm run test:lint && npm run test:unit && npm run test:integration && npm run test:acceptance:locally",
     "test:acceptance": "set -eu && npm run build && jest -c ./jest.acceptance.config.ts --forceExit --verbose --runInBand --passWithNoTests $([ -n \"${CI:-}\" ] && echo '--ci') $([ -n \"${RESNAP:-}\" ] && echo '--updateSnapshot')"
   }
 }

package/dist/utils/buildWorkflowSecretsBlock.ts

@@ -1,35 +1,46 @@
-import { readUseApikeysConfig } from './readUseApikeysConfig';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+
+import { keyrack, type KeyrackGrantAttempt } from 'rhachet/keyrack';
 
 /**
- * .what = builds workflow content with apikey secrets block for .test.yml
+ * .what = builds workflow content with keyrack secrets block for .test.yml
  * .why = single source of truth for test.yml, publish.yml, deploy.yml check+fix
  */
 export const buildWorkflowSecretsBlock = async (
   input: { template: string },
   context: { getProjectRootDirectory: () => string },
 ): Promise<string> => {
-  // read apikeys from project
-  const apikeysConfig = await readUseApikeysConfig({
-    projectRootDirectory: context.getProjectRootDirectory(),
-  });
-  const apikeys = apikeysConfig?.apikeys?.required ?? [];
+  // check if keyrack.yml exists
+  const keyrackYmlPath = join(
+    context.getProjectRootDirectory(),
+    '.agent/keyrack.yml',
+  );
+  if (!existsSync(keyrackYmlPath)) return input.template;
 
-  // if no apikeys, return template as-is
-  if (!apikeys.length) {
-    return input.template;
-  }
+  // get required keys from keyrack sdk
+  const keys = (await keyrack.get({
+    for: { repo: true },
+    env: 'test',
+  })) as KeyrackGrantAttempt[];
+  if (!keys.length) return input.template;
+
+  // extract key names from slugs (format: org.env.KEY_NAME)
+  // .note = KeyrackGrantAttempt is a union of 4 variants (granted/absent/locked/blocked)
+  //         per rhachet/dist/domain.objects/keyrack/KeyrackGrantAttempt.d.ts:8
+  //         granted has slug at grant.slug; others have slug at top level
+  const keyrackVars = keys.map((k) =>
+    (k.status === 'granted' ? k.grant.slug : k.slug).split('.').pop()!,
+  );
 
   // build secrets block
-  const secretsBlock = apikeys
+  const secretsBlock = keyrackVars
     .map((key) => `      ${key}: \${{ secrets.${key} }}`)
     .join('\n');
 
   // find jobs that call .test.yml with 'with:' block and add secrets block after
-  // handle cases with optional 'if:' before 'with:'
-  const result = input.template.replace(
+  return input.template.replace(
     /(uses: \.\/\.github\/workflows\/\.test\.yml\n(?:    if: [^\n]+\n)?    with:\n(?:      [^\n]+\n)+)/g,
     `$1    secrets:\n${secretsBlock}\n`,
   );
-
-  return result;
 };

package/package.json

@@ -2,7 +2,7 @@
   "name": "declapract-typescript-ehmpathy",
   "author": "ehmpathy",
   "description": "declapract best practices declarations for typescript",
-  "version": "0.47.57",
+  "version": "0.47.58",
   "license": "MIT",
   "main": "src/index.js",
   "repository": "ehmpathy/declapract-typescript-ehmpathy",
@@ -36,14 +36,14 @@
     "test:unit": "set -eu && jest -c ./jest.unit.config.ts --forceExit --verbose --passWithNoTests $([ -n \"${CI:-}\" ] && echo '--ci') $([ -z \"${THOROUGH:-}\" ] && echo '--changedSince=main') $([ -n \"${RESNAP:-}\" ] && echo '--updateSnapshot')",
     "test:integration": "set -eu && jest -c ./jest.integration.config.ts --forceExit --verbose --passWithNoTests $([ -n \"${CI:-}\" ] && echo '--ci') $([ -z \"${THOROUGH:-}\" ] && echo '--changedSince=main') $([ -n \"${RESNAP:-}\" ] && echo '--updateSnapshot')",
     "test:acceptance:locally": "set -eu && npm run build && LOCALLY=true jest -c ./jest.acceptance.config.ts --forceExit --verbose --runInBand --passWithNoTests $([ -n \"${RESNAP:-}\" ] && echo '--updateSnapshot')",
-    "test": "set -eu && npm run test:commits && npm run test:types && npm run test:format && npm run test:lint && npm run test:unit && npm run test:integration && npm run test:acceptance:locally && test:validate",
+    "test": "set -eu && npm run test:commits && npm run test:types && npm run test:format && npm run test:lint && npm run test:unit && npm run test:integration && npm run test:acceptance:locally && npm run test:validate",
     "test:acceptance": "set -eu && npm run build && jest -c ./jest.acceptance.config.ts --forceExit --verbose --runInBand --passWithNoTests $([ -n \"${CI:-}\" ] && echo '--ci') $([ -n \"${RESNAP:-}\" ] && echo '--updateSnapshot')",
     "prepush": "npm run test && npm run build",
     "prepublish": "npm run build",
     "preversion": "npm run prepush",
     "postversion": "git push origin HEAD --tags --no-verify",
     "prepare:husky": "husky install && chmod ug+x .husky/*",
-    "prepare:rhachet": "rhachet init --hooks --roles mechanic behaver driver reviewer librarian ergonomist architect",
+    "prepare:rhachet": "rhachet init --hooks --roles mechanic behaver driver reviewer librarian ergonomist architect reflector dreamer",
     "prepare": "if [ -e .git ] && [ -z \"${CI:-}\" ]; then npm run prepare:husky && npm run prepare:rhachet; fi"
   },
   "dependencies": {
@@ -75,12 +75,12 @@
     "esbuild-register": "3.6.0",
     "husky": "8.0.3",
     "jest": "30.2.0",
-    "rhachet": "1.37.19",
+    "rhachet": "1.39.2",
     "rhachet-brains-anthropic": "0.4.0",
     "rhachet-brains-xai": "0.3.2",
-    "rhachet-roles-bhrain": "0.23.6",
-    "rhachet-roles-bhuild": "0.14.4",
-    "rhachet-roles-ehmpathy": "1.34.3",
+    "rhachet-roles-bhrain": "0.23.10",
+    "rhachet-roles-bhuild": "0.14.6",
+    "rhachet-roles-ehmpathy": "1.34.11",
     "tsc-alias": "1.8.10",
     "tsx": "4.20.6",
     "type-fns": "0.8.1",

package/dist/.test/infra/withApikeysContext.ts

@@ -1,31 +0,0 @@
-import fs from 'node:fs';
-import os from 'os';
-import path from 'node:path';
-
-/**
- * .what = creates a mock context with apikeys config in a temp directory
- * .why = enables testing buildWorkflowSecretsBlock with different apikey configs
- */
-export const withApikeysContext = async (
-  input: { apikeys: string[] },
-  fn: (context: { getProjectRootDirectory: () => string }) => Promise<void>,
-): Promise<void> => {
-  const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), 'test-'));
-  const configDir = path.join(
-    tempDir,
-    '.agent',
-    'repo=.this',
-    'role=any',
-    'skills',
-  );
-  fs.mkdirSync(configDir, { recursive: true });
-  fs.writeFileSync(
-    path.join(configDir, 'use.apikeys.json'),
-    JSON.stringify({ apikeys: { required: input.apikeys } }, null, 2),
-  );
-  try {
-    await fn({ getProjectRootDirectory: () => tempDir });
-  } finally {
-    fs.rmSync(tempDir, { recursive: true, force: true });
-  }
-};

package/dist/practices/cicd-common/best-practice/.agent/repo=.this/role=any/skills/use.apikeys.json

@@ -1,5 +0,0 @@
-{
-  "apikeys": {
-    "required": []
-  }
-}

package/dist/practices/cicd-common/best-practice/.agent/repo=.this/role=any/skills/use.apikeys.json.declapract.ts

@@ -1,32 +0,0 @@
-import { FileCheckType, type FileFixFunction } from 'declapract';
-
-/**
- * .what = check that use.apikeys.json exists
- * .why = enables projects to declare which api keys are required for integration tests
- */
-export const check = FileCheckType.EXISTS;
-
-/**
- * .what = creates default use.apikeys.json structure if file doesn't exist
- * .why = ensures all projects have the config file with proper schema
- */
-export const fix: FileFixFunction = (contents) => {
-  // if file already exists, preserve its content
-  if (contents) {
-    return { contents };
-  }
-
-  // create default structure
-  return {
-    contents:
-      JSON.stringify(
-        {
-          apikeys: {
-            required: [],
-          },
-        },
-        null,
-        2,
-      ) + '\n',
-  };
-};

package/dist/practices/cicd-common/best-practice/.agent/repo=.this/role=any/skills/use.apikeys.sh

@@ -1,63 +0,0 @@
-#!/bin/sh
-######################################################################
-# .what = export api keys for integration tests
-# .why = enables tests that require api keys to run
-#
-# usage:
-#   . .agent/repo=.this/role=any/skills/use.apikeys.sh
-#
-# note:
-#   - must be called with `.` or `source` to export vars to current shell
-#   - loads from ~/.config/rhachet/apikeys.env if available
-#   - falls back to .env.local (gitignored) in repo root
-######################################################################
-
-# fail if not sourced (return only succeeds when sourced)
-(return 0 2>/dev/null) || {
-  echo "error: this file must be sourced, not executed"
-  echo "usage: . $0"
-  exit 1
-}
-
-# alias source to `.` for posix compat
-source() { . "$@"; }
-
-# try to load from user config first
-if [ -f ~/.config/rhachet/apikeys.env ]; then
-  source ~/.config/rhachet/apikeys.env
-  echo "✓ loaded api keys from ~/.config/rhachet/apikeys.env"
-
-# fallback to local gitignored file
-elif [ -f .env.local ]; then
-  source .env.local
-  echo "✓ loaded api keys from .env.local"
-
-else
-  echo "⚠ no api keys file found"
-  echo ""
-  echo "create one of:"
-  echo "  ~/.config/rhachet/apikeys.env"
-  echo "  .env.local (in repo root)"
-  echo ""
-  echo "with contents like:"
-  echo "  export OPENAI_API_KEY=sk-..."
-  echo "  export ANTHROPIC_API_KEY=sk-..."
-  return 1 2>/dev/null || exit 1
-fi
-
-# read required keys from json config if present
-APIKEYS_CONFIG=".agent/repo=.this/role=any/skills/use.apikeys.json"
-if [ -f "$APIKEYS_CONFIG" ]; then
-  # extract required keys via jq
-  REQUIRED_KEYS=$(jq -r '.apikeys.required[]?' "$APIKEYS_CONFIG" 2>/dev/null)
-
-  # verify each required key is set
-  for KEY in $REQUIRED_KEYS; do
-    VALUE=$(eval "echo \"\$$KEY\"")
-    if [ -z "$VALUE" ]; then
-      echo "⚠ $KEY not set (required by $APIKEYS_CONFIG)"
-      return 1 2>/dev/null || exit 1
-    fi
-    echo "✓ $KEY set"
-  done
-fi

package/dist/practices/cicd-common/best-practice/.agent/repo=.this/role=any/skills/use.apikeys.sh.declapract.ts

@@ -1,19 +0,0 @@
-import { FileCheckType, type FileFixFunction } from 'declapract';
-
-import { readFileSync } from 'node:fs';
-import { dirname, join } from 'node:path';
-
-// check that the file contains the core structure
-export const check = FileCheckType.CONTAINS;
-
-/**
- * .what = replaces target file with expected content
- * .why = ensures the skill file matches the best-practice version
- */
-export const fix: FileFixFunction = () => {
-  const expectedContent = readFileSync(
-    join(dirname(__filename), 'use.apikeys.sh'),
-    'utf-8',
-  );
-  return { contents: expectedContent };
-};

package/dist/utils/readUseApikeysConfig.ts

@@ -1,43 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import util from 'node:util';
-
-/**
- * .what = configuration structure for use.apikeys.json
- * .why = defines which api keys are required for integration tests
- */
-export interface UseApikeysConfig {
-  apikeys: {
-    required: string[];
-  };
-}
-
-const USE_APIKEYS_PATH = '.agent/repo=.this/role=any/skills/use.apikeys.json';
-
-/**
- * .what = reads and parses use.apikeys.json from target project
- * .why = centralizes apikey config access for all workflow practices
- */
-export const readUseApikeysConfig = async (input: {
-  projectRootDirectory: string;
-}): Promise<UseApikeysConfig | null> => {
-  // build full path to config file
-  const configPath = path.join(input.projectRootDirectory, USE_APIKEYS_PATH);
-
-  // check if file exists
-  const exists = await util
-    .promisify(fs.access)(configPath, fs.constants.F_OK)
-    .then(() => true)
-    .catch(() => false);
-  if (!exists) return null;
-
-  // read and parse the file
-  try {
-    const contents = await util.promisify(fs.readFile)(configPath, 'utf-8');
-    const parsed = JSON.parse(contents) as UseApikeysConfig;
-    return parsed;
-  } catch {
-    // handle malformed json gracefully
-    return null;
-  }
-};