dxcomplete 0.2.1 → 0.2.2

package/dist/runtime/auth.d.ts

@@ -1,162 +0,0 @@
-import type { Db } from "mongodb";
-import { type ActorContext } from "./actor.js";
-import type { RuntimeConfig } from "./config.js";
-import type { WorkspaceConfig } from "./workspace.js";
-export declare const WORKSPACE_MEMBERSHIPS_COLLECTION = "workspace_memberships";
-export declare const OAUTH_CLIENTS_COLLECTION = "oauth_clients";
-export declare const OAUTH_AUTH_REQUESTS_COLLECTION = "oauth_authorization_requests";
-export declare const OAUTH_CODES_COLLECTION = "oauth_authorization_codes";
-export declare const OAUTH_TOKENS_COLLECTION = "oauth_tokens";
-export declare const WORKSPACE_SERVICE_CLIENTS_COLLECTION = "workspace_service_clients";
-export type WorkspaceRole = "owner" | "engineer" | "tester" | "operator" | "support_agent" | "end_user";
-export type WorkspaceMembership = {
-    _id: string;
-    workspaceId: string;
-    email: string;
-    roles: WorkspaceRole[];
-    role?: "owner" | "member";
-    provider?: "google";
-    providerSubject?: string;
-    createdAt: string;
-    updatedAt: string;
-    updatedBy: string;
-};
-export type WorkspaceServiceClientRecord = {
-    _id: string;
-    workspaceId: string;
-    clientId: string;
-    secretHash: string;
-    name: string;
-    createdAt: string;
-    createdBy: string;
-    updatedAt: string;
-    updatedBy: string;
-    revokedAt?: string;
-    revokedBy?: string;
-};
-export type OAuthClientRecord = {
-    _id: string;
-    clientId: string;
-    clientName?: string;
-    redirectUris: string[];
-    grantTypes: string[];
-    responseTypes: string[];
-    createdAt: string;
-    updatedAt: string;
-};
-export type OAuthAuthorizationRequest = {
-    _id: string;
-    clientId: string;
-    redirectUri: string;
-    codeChallenge: string;
-    codeChallengeMethod: "S256";
-    state?: string;
-    scope: string;
-    resource: string;
-    workspaceId: string;
-    createdAt: string;
-    expiresAt: Date;
-};
-export type OAuthAuthorizationCode = OAuthAuthorizationRequest & {
-    actor: ActorContext;
-};
-export type OAuthTokenRecord = {
-    _id: string;
-    kind: "access" | "refresh";
-    clientId: string;
-    workspaceId: string;
-    actor: ActorContext;
-    scope: string;
-    resource: string;
-    createdAt: string;
-    expiresAt: Date;
-    revokedAt?: string;
-};
-export type GoogleProfile = {
-    email: string;
-    subject: string;
-    displayName?: string;
-};
-export declare function ensureWorkspaceBootstrap(db: Db, config: WorkspaceConfig, actorId: string): Promise<void>;
-export declare function upsertWorkspaceMembership(db: Db, input: {
-    workspaceId: string;
-    email: string;
-    role?: WorkspaceRole | "member";
-    roles?: WorkspaceRole[];
-    actorId: string;
-    provider?: "google";
-    providerSubject?: string;
-}): Promise<WorkspaceMembership>;
-export declare function assertWorkspaceMembership(db: Db, workspaceId: string, actor: ActorContext): Promise<WorkspaceMembership>;
-export declare function createWorkspaceServiceClient(db: Db, input: {
-    workspaceId: string;
-    name: string;
-    actorId: string;
-}): Promise<{
-    record: WorkspaceServiceClientRecord;
-    secret: string;
-}>;
-export declare function verifyWorkspaceServiceClient(db: Db, input: {
-    clientId?: string;
-    secret?: string;
-    workspaceId?: string;
-}): Promise<WorkspaceServiceClientRecord>;
-export declare function registerOAuthClient(db: Db, input: {
-    clientName?: string;
-    redirectUris: string[];
-    grantTypes?: string[];
-    responseTypes?: string[];
-}): Promise<OAuthClientRecord>;
-export declare function getOAuthClient(db: Db, clientId: string): Promise<OAuthClientRecord | null>;
-export declare function createOAuthAuthorizationRequest(db: Db, input: Omit<OAuthAuthorizationRequest, "_id" | "createdAt" | "expiresAt">): Promise<OAuthAuthorizationRequest>;
-export declare function consumeOAuthAuthorizationRequest(db: Db, state: string): Promise<OAuthAuthorizationRequest>;
-export declare function createOAuthAuthorizationCode(db: Db, request: OAuthAuthorizationRequest, actor: ActorContext): Promise<string>;
-export declare function exchangeOAuthAuthorizationCode(db: Db, input: {
-    code: string;
-    clientId: string;
-    redirectUri: string;
-    codeVerifier: string;
-    resource: string;
-}): Promise<{
-    accessToken: string;
-    refreshToken: string;
-    expiresIn: number;
-    scope: string;
-}>;
-export declare function exchangeOAuthRefreshToken(db: Db, input: {
-    refreshToken: string;
-    clientId: string;
-    resource: string;
-}): Promise<{
-    accessToken: string;
-    refreshToken: string;
-    expiresIn: number;
-    scope: string;
-}>;
-export declare function issueMcpTokenPair(db: Db, input: {
-    clientId: string;
-    scope: string;
-    resource: string;
-    workspaceId: string;
-    actor: ActorContext;
-}): Promise<{
-    accessToken: string;
-    refreshToken: string;
-    expiresIn: number;
-    scope: string;
-}>;
-export declare function verifyMcpAccessToken(db: Db, input: {
-    token: string;
-    workspaceId: string;
-    resource: string;
-}): Promise<OAuthTokenRecord>;
-export declare function exchangeGoogleCodeForProfile(config: RuntimeConfig, input: {
-    code: string;
-    redirectUri: string;
-}): Promise<GoogleProfile>;
-export declare function googleAuthorizationUrl(config: RuntimeConfig, input: {
-    redirectUri: string;
-    state: string;
-}): string;
-export declare function createGoogleActor(profile: GoogleProfile): ActorContext;
-export declare function membershipRoles(membership: WorkspaceMembership): WorkspaceRole[];

package/dist/runtime/auth.js

@@ -1,394 +0,0 @@
-import { createHash, randomBytes, randomUUID } from "node:crypto";
-import { createGoogleActorContext, normalizeEmail } from "./actor.js";
-export const WORKSPACE_MEMBERSHIPS_COLLECTION = "workspace_memberships";
-export const OAUTH_CLIENTS_COLLECTION = "oauth_clients";
-export const OAUTH_AUTH_REQUESTS_COLLECTION = "oauth_authorization_requests";
-export const OAUTH_CODES_COLLECTION = "oauth_authorization_codes";
-export const OAUTH_TOKENS_COLLECTION = "oauth_tokens";
-export const WORKSPACE_SERVICE_CLIENTS_COLLECTION = "workspace_service_clients";
-const MCP_SCOPE = "mcp:tools";
-const ACCESS_TOKEN_TTL_SECONDS = 60 * 60;
-const REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
-const AUTH_REQUEST_TTL_SECONDS = 10 * 60;
-const SERVICE_CLIENT_SECRET_PREFIX = "dxc_service_secret_";
-const SERVICE_CLIENT_HASH_PREFIX = "sha256:";
-export async function ensureWorkspaceBootstrap(db, config, actorId) {
-    const now = new Date().toISOString();
-    await db.collection("workspaces").updateOne({ _id: config.workspaceId }, {
-        $set: {
-            recordType: "workspaces",
-            title: config.name,
-            fields: {
-                name: config.name,
-                ...(config.mode ? { mode: config.mode } : {})
-            },
-            updatedAt: now,
-            updatedBy: actorId
-        },
-        $setOnInsert: {
-            _id: config.workspaceId,
-            links: [],
-            createdAt: now,
-            createdBy: actorId
-        }
-    }, { upsert: true });
-    await Promise.all(config.bootstrapMembers.map((member) => upsertWorkspaceMembership(db, {
-        workspaceId: config.workspaceId,
-        email: member.email,
-        roles: member.roles,
-        actorId
-    })));
-}
-export async function upsertWorkspaceMembership(db, input) {
-    const email = normalizeEmail(input.email);
-    const now = new Date().toISOString();
-    const id = membershipId(input.workspaceId, email);
-    const roles = normalizeWorkspaceRoles(input.roles ?? (input.role ? [input.role] : []));
-    await db.collection(WORKSPACE_MEMBERSHIPS_COLLECTION).updateOne({ _id: id }, {
-        $set: {
-            workspaceId: input.workspaceId,
-            email,
-            roles,
-            ...(input.provider ? { provider: input.provider } : {}),
-            ...(input.providerSubject ? { providerSubject: input.providerSubject } : {}),
-            updatedAt: now,
-            updatedBy: input.actorId
-        },
-        $unset: {
-            role: ""
-        },
-        $setOnInsert: {
-            _id: id,
-            createdAt: now
-        }
-    }, { upsert: true });
-    const record = await db.collection(WORKSPACE_MEMBERSHIPS_COLLECTION).findOne({ _id: id });
-    if (!record) {
-        throw new Error("Workspace membership was not written.");
-    }
-    return record;
-}
-export async function assertWorkspaceMembership(db, workspaceId, actor) {
-    if (!actor.email) {
-        throw new Error("Authenticated actor email is required for workspace authorization.");
-    }
-    const email = normalizeEmail(actor.email);
-    const membership = await db
-        .collection(WORKSPACE_MEMBERSHIPS_COLLECTION)
-        .findOne({ _id: membershipId(workspaceId, email) });
-    if (!membership) {
-        throw new Error(`Workspace access denied for ${email}.`);
-    }
-    if (membership.providerSubject && actor.providerSubject && membership.providerSubject !== actor.providerSubject) {
-        throw new Error(`Workspace access denied for ${email}.`);
-    }
-    if (actor.provider === "google" && actor.providerSubject && !membership.providerSubject) {
-        await upsertWorkspaceMembership(db, {
-            workspaceId,
-            email,
-            roles: membershipRoles(membership),
-            actorId: actor.actorId,
-            provider: "google",
-            providerSubject: actor.providerSubject
-        });
-    }
-    if (!Array.isArray(membership.roles) || membership.roles.length === 0 || membership.role) {
-        return upsertWorkspaceMembership(db, {
-            workspaceId,
-            email,
-            roles: membershipRoles(membership),
-            actorId: actor.actorId,
-            ...(membership.provider ? { provider: membership.provider } : {}),
-            ...(membership.providerSubject ? { providerSubject: membership.providerSubject } : {})
-        });
-    }
-    return membership;
-}
-export async function createWorkspaceServiceClient(db, input) {
-    const now = new Date().toISOString();
-    const clientId = `dxc_service_client_${randomUUID()}`;
-    const secret = `${SERVICE_CLIENT_SECRET_PREFIX}${randomBytes(32).toString("base64url")}`;
-    const record = {
-        _id: clientId,
-        workspaceId: input.workspaceId,
-        clientId,
-        secretHash: hashServiceClientSecret(secret),
-        name: input.name,
-        createdAt: now,
-        createdBy: input.actorId,
-        updatedAt: now,
-        updatedBy: input.actorId
-    };
-    await db.collection(WORKSPACE_SERVICE_CLIENTS_COLLECTION).insertOne(record);
-    return { record, secret };
-}
-export async function verifyWorkspaceServiceClient(db, input) {
-    if (!input.clientId || !input.secret) {
-        throw new Error("DX Complete workspace service credentials are required.");
-    }
-    const record = await db
-        .collection(WORKSPACE_SERVICE_CLIENTS_COLLECTION)
-        .findOne({ _id: input.clientId });
-    if (!record || record.revokedAt) {
-        throw new Error("DX Complete workspace service client was not found or is revoked.");
-    }
-    if (input.workspaceId && record.workspaceId !== input.workspaceId) {
-        throw new Error("DX Complete workspace service client is not bound to this workspace.");
-    }
-    if (record.secretHash !== hashServiceClientSecret(input.secret)) {
-        throw new Error("DX Complete workspace service client secret is invalid.");
-    }
-    return record;
-}
-export async function registerOAuthClient(db, input) {
-    if (input.redirectUris.length === 0) {
-        throw new Error("redirect_uris must contain at least one URI.");
-    }
-    const now = new Date().toISOString();
-    const clientId = `dxc_client_${randomUUID()}`;
-    const record = {
-        _id: clientId,
-        clientId,
-        clientName: input.clientName,
-        redirectUris: input.redirectUris,
-        grantTypes: input.grantTypes?.length ? input.grantTypes : ["authorization_code", "refresh_token"],
-        responseTypes: input.responseTypes?.length ? input.responseTypes : ["code"],
-        createdAt: now,
-        updatedAt: now
-    };
-    await db.collection(OAUTH_CLIENTS_COLLECTION).insertOne(record);
-    return record;
-}
-export async function getOAuthClient(db, clientId) {
-    return db.collection(OAUTH_CLIENTS_COLLECTION).findOne({ _id: clientId });
-}
-export async function createOAuthAuthorizationRequest(db, input) {
-    const now = new Date();
-    const record = {
-        _id: `dxc_state_${randomBytes(24).toString("base64url")}`,
-        ...input,
-        createdAt: now.toISOString(),
-        expiresAt: new Date(now.getTime() + AUTH_REQUEST_TTL_SECONDS * 1000)
-    };
-    await db.collection(OAUTH_AUTH_REQUESTS_COLLECTION).insertOne(record);
-    return record;
-}
-export async function consumeOAuthAuthorizationRequest(db, state) {
-    const collection = db.collection(OAUTH_AUTH_REQUESTS_COLLECTION);
-    const record = await collection.findOne({ _id: state });
-    if (!record || isExpired(record.expiresAt)) {
-        throw new Error("OAuth authorization request expired or was not found.");
-    }
-    await collection.deleteOne({ _id: state });
-    return record;
-}
-export async function createOAuthAuthorizationCode(db, request, actor) {
-    const code = `dxc_code_${randomBytes(32).toString("base64url")}`;
-    const record = {
-        ...request,
-        _id: code,
-        actor
-    };
-    await db.collection(OAUTH_CODES_COLLECTION).insertOne(record);
-    return code;
-}
-export async function exchangeOAuthAuthorizationCode(db, input) {
-    const collection = db.collection(OAUTH_CODES_COLLECTION);
-    const record = await collection.findOne({ _id: input.code });
-    if (!record || isExpired(record.expiresAt)) {
-        throw new Error("Authorization code expired or was not found.");
-    }
-    if (record.clientId !== input.clientId ||
-        record.redirectUri !== input.redirectUri ||
-        record.resource !== input.resource) {
-        throw new Error("Authorization code request does not match the original authorization.");
-    }
-    if (!verifyPkce(input.codeVerifier, record.codeChallenge)) {
-        throw new Error("Invalid PKCE verifier.");
-    }
-    await collection.deleteOne({ _id: input.code });
-    return issueMcpTokenPair(db, record);
-}
-export async function exchangeOAuthRefreshToken(db, input) {
-    const existing = await findUsableToken(db, input.refreshToken, "refresh");
-    if (existing.clientId !== input.clientId || existing.resource !== input.resource) {
-        throw new Error("Refresh token does not match this client or resource.");
-    }
-    await db.collection(OAUTH_TOKENS_COLLECTION).updateOne({ _id: existing._id }, {
-        $set: {
-            revokedAt: new Date().toISOString()
-        }
-    });
-    return issueMcpTokenPair(db, {
-        clientId: existing.clientId,
-        scope: existing.scope,
-        resource: existing.resource,
-        workspaceId: existing.workspaceId,
-        actor: existing.actor
-    });
-}
-export async function issueMcpTokenPair(db, input) {
-    const accessToken = `dxc_access_${randomBytes(32).toString("base64url")}`;
-    const refreshToken = `dxc_refresh_${randomBytes(32).toString("base64url")}`;
-    const now = new Date();
-    await db.collection(OAUTH_TOKENS_COLLECTION).insertMany([
-        {
-            _id: hashToken(accessToken),
-            kind: "access",
-            clientId: input.clientId,
-            workspaceId: input.workspaceId,
-            actor: input.actor,
-            scope: input.scope || MCP_SCOPE,
-            resource: input.resource,
-            createdAt: now.toISOString(),
-            expiresAt: new Date(now.getTime() + ACCESS_TOKEN_TTL_SECONDS * 1000)
-        },
-        {
-            _id: hashToken(refreshToken),
-            kind: "refresh",
-            clientId: input.clientId,
-            workspaceId: input.workspaceId,
-            actor: input.actor,
-            scope: input.scope || MCP_SCOPE,
-            resource: input.resource,
-            createdAt: now.toISOString(),
-            expiresAt: new Date(now.getTime() + REFRESH_TOKEN_TTL_SECONDS * 1000)
-        }
-    ]);
-    return {
-        accessToken,
-        refreshToken,
-        expiresIn: ACCESS_TOKEN_TTL_SECONDS,
-        scope: input.scope || MCP_SCOPE
-    };
-}
-export async function verifyMcpAccessToken(db, input) {
-    const record = await findUsableToken(db, input.token, "access");
-    if (record.workspaceId !== input.workspaceId || record.resource !== input.resource) {
-        throw new Error("Access token is not valid for this workspace resource.");
-    }
-    await assertWorkspaceMembership(db, input.workspaceId, record.actor);
-    return record;
-}
-export async function exchangeGoogleCodeForProfile(config, input) {
-    if (!config.googleClientId || !config.googleClientSecret) {
-        throw new Error("Google OAuth is not configured.");
-    }
-    const response = await fetch("https://oauth2.googleapis.com/token", {
-        method: "POST",
-        headers: {
-            "content-type": "application/x-www-form-urlencoded"
-        },
-        body: new URLSearchParams({
-            code: input.code,
-            client_id: config.googleClientId,
-            client_secret: config.googleClientSecret,
-            redirect_uri: input.redirectUri,
-            grant_type: "authorization_code"
-        })
-    });
-    if (!response.ok) {
-        throw new Error(`Google token exchange failed: ${await response.text()}`);
-    }
-    const tokens = (await response.json());
-    if (!tokens.id_token) {
-        throw new Error("Google token exchange did not return an id_token.");
-    }
-    const profileResponse = await fetch(`https://oauth2.googleapis.com/tokeninfo?id_token=${encodeURIComponent(tokens.id_token)}`);
-    if (!profileResponse.ok) {
-        throw new Error(`Google token verification failed: ${await profileResponse.text()}`);
-    }
-    const profile = (await profileResponse.json());
-    if (profile.aud !== config.googleClientId) {
-        throw new Error("Google token audience did not match this DX Complete deployment.");
-    }
-    if (profile.email_verified !== true && profile.email_verified !== "true") {
-        throw new Error("Google email is not verified.");
-    }
-    if (!profile.email || !profile.sub) {
-        throw new Error("Google profile did not include email and subject.");
-    }
-    return {
-        email: normalizeEmail(profile.email),
-        subject: profile.sub,
-        displayName: profile.name
-    };
-}
-export function googleAuthorizationUrl(config, input) {
-    if (!config.googleClientId) {
-        throw new Error("Google OAuth is not configured.");
-    }
-    const url = new URL("https://accounts.google.com/o/oauth2/v2/auth");
-    url.searchParams.set("client_id", config.googleClientId);
-    url.searchParams.set("redirect_uri", input.redirectUri);
-    url.searchParams.set("response_type", "code");
-    url.searchParams.set("scope", "openid email profile");
-    url.searchParams.set("state", input.state);
-    url.searchParams.set("prompt", "select_account");
-    return url.href;
-}
-export function createGoogleActor(profile) {
-    return createGoogleActorContext({
-        email: profile.email,
-        subject: profile.subject,
-        displayName: profile.displayName
-    });
-}
-export function membershipRoles(membership) {
-    return normalizeWorkspaceRoles(Array.isArray(membership.roles) && membership.roles.length > 0
-        ? membership.roles
-        : membership.role
-            ? [membership.role]
-            : []);
-}
-async function findUsableToken(db, token, kind) {
-    const record = await db.collection(OAUTH_TOKENS_COLLECTION).findOne({
-        _id: hashToken(token),
-        kind,
-        revokedAt: { $exists: false }
-    });
-    if (!record || isExpired(record.expiresAt)) {
-        throw new Error("Token expired or was not found.");
-    }
-    return record;
-}
-function verifyPkce(verifier, challenge) {
-    const actual = createHash("sha256").update(verifier).digest("base64url");
-    return actual === challenge;
-}
-function hashToken(token) {
-    return createHash("sha256").update(token).digest("hex");
-}
-function hashServiceClientSecret(secret) {
-    return `${SERVICE_CLIENT_HASH_PREFIX}${createHash("sha256").update(secret).digest("hex")}`;
-}
-function isExpired(value) {
-    return new Date(value).getTime() <= Date.now();
-}
-function membershipId(workspaceId, email) {
-    return `${workspaceId}:${normalizeEmail(email)}`;
-}
-function normalizeWorkspaceRoles(values) {
-    const roles = new Set();
-    for (const value of values) {
-        if (value === "member") {
-            roles.add("end_user");
-            continue;
-        }
-        if (isWorkspaceRole(value)) {
-            roles.add(value);
-        }
-    }
-    if (roles.size === 0) {
-        roles.add("end_user");
-    }
-    return [...roles].sort();
-}
-function isWorkspaceRole(value) {
-    return (value === "owner" ||
-        value === "engineer" ||
-        value === "tester" ||
-        value === "operator" ||
-        value === "support_agent" ||
-        value === "end_user");
-}

package/dist/runtime/check.d.ts

@@ -1,7 +0,0 @@
-import type { RuntimeOptions } from "./config.js";
-export declare function checkRuntime(options?: RuntimeOptions): Promise<{
-    ok: boolean;
-    databaseName: string;
-    envFilePath: string | undefined;
-    collections: readonly ["workspaces", "statements", "journal_entries", "environments", "components", "estimates", "benefits", "expectations", "requirements", "tasks", "commitments", "deferrals", "changes", "incidents", "problems", "maintenance_schedules", "support_requests", "value_realizations", "decisions", "risks"];
-}>;

package/dist/runtime/check.js

@@ -1,16 +0,0 @@
-import { connectRuntime } from "./mongo.js";
-import { COLLECTION_NAMES } from "./records.js";
-export async function checkRuntime(options = {}) {
-    const runtime = await connectRuntime(options);
-    try {
-        return {
-            ok: true,
-            databaseName: runtime.config.databaseName,
-            envFilePath: runtime.config.envFilePath,
-            collections: COLLECTION_NAMES
-        };
-    }
-    finally {
-        await runtime.close();
-    }
-}

package/dist/runtime/config.d.ts

@@ -1,17 +0,0 @@
-export type RuntimeOptions = {
-    cwd?: string;
-    env?: NodeJS.ProcessEnv;
-    envFile?: string;
-};
-export type RuntimeConfig = {
-    mongodbUri: string;
-    databaseName: string;
-    googleClientId?: string;
-    googleClientSecret?: string;
-    serviceProvisioningSecret?: string;
-    envFilePath?: string;
-};
-export declare class RuntimeConfigError extends Error {
-    constructor(message: string);
-}
-export declare function loadRuntimeConfig(options?: RuntimeOptions): Promise<RuntimeConfig>;

package/dist/runtime/config.js

@@ -1,93 +0,0 @@
-import { constants as fsConstants } from "node:fs";
-import { access, readFile } from "node:fs/promises";
-import path from "node:path";
-export class RuntimeConfigError extends Error {
-    constructor(message) {
-        super(message);
-        this.name = "RuntimeConfigError";
-    }
-}
-const DEFAULT_ENV_FILE = ".env.local";
-const DEFAULT_DATABASE_NAME = "dxcomplete";
-export async function loadRuntimeConfig(options = {}) {
-    const cwd = path.resolve(options.cwd ?? process.cwd());
-    const envFilePath = await resolveEnvFile(cwd, options.envFile);
-    const fileEnv = envFilePath ? await parseEnvFile(envFilePath) : {};
-    const env = {
-        ...fileEnv,
-        ...(options.env ?? process.env)
-    };
-    const mongodbUri = readRequiredEnv(env, "DXC_MONGODB_URI");
-    const databaseName = readOptionalEnv(env, "DXC_DATABASE_NAME") ?? DEFAULT_DATABASE_NAME;
-    const googleClientId = readOptionalEnv(env, "DXC_GOOGLE_CLIENT_ID");
-    const googleClientSecret = readOptionalEnv(env, "DXC_GOOGLE_CLIENT_SECRET");
-    const serviceProvisioningSecret = readOptionalEnv(env, "DXC_SERVICE_PROVISIONING_SECRET");
-    return {
-        mongodbUri,
-        databaseName,
-        ...(googleClientId ? { googleClientId } : {}),
-        ...(googleClientSecret ? { googleClientSecret } : {}),
-        ...(serviceProvisioningSecret ? { serviceProvisioningSecret } : {}),
-        envFilePath
-    };
-}
-async function resolveEnvFile(cwd, envFile) {
-    if (envFile) {
-        const explicitPath = path.resolve(cwd, envFile);
-        if (!(await fileExists(explicitPath))) {
-            throw new RuntimeConfigError(`Env file not found: ${explicitPath}`);
-        }
-        return explicitPath;
-    }
-    const defaultPath = path.join(cwd, DEFAULT_ENV_FILE);
-    return (await fileExists(defaultPath)) ? defaultPath : undefined;
-}
-async function parseEnvFile(filePath) {
-    const content = await readFile(filePath, "utf8");
-    const parsed = {};
-    for (const [index, rawLine] of content.split(/\r?\n/).entries()) {
-        const trimmed = rawLine.trim();
-        if (!trimmed || trimmed.startsWith("#")) {
-            continue;
-        }
-        const line = trimmed.startsWith("export ") ? trimmed.slice("export ".length).trim() : trimmed;
-        const equalsIndex = line.indexOf("=");
-        if (equalsIndex === -1) {
-            throw new RuntimeConfigError(`Invalid env line ${index + 1} in ${filePath}. Expected KEY=value.`);
-        }
-        const key = line.slice(0, equalsIndex).trim();
-        const value = line.slice(equalsIndex + 1).trim();
-        if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
-            throw new RuntimeConfigError(`Invalid env key "${key}" on line ${index + 1} in ${filePath}.`);
-        }
-        parsed[key] = unquote(value);
-    }
-    return parsed;
-}
-function readRequiredEnv(env, key) {
-    const value = readOptionalEnv(env, key);
-    if (!value) {
-        throw new RuntimeConfigError(`${key} is required. Create .env.local from .env.example or export ${key} before running this command.`);
-    }
-    return value;
-}
-function readOptionalEnv(env, key) {
-    const value = env[key]?.trim();
-    return value ? value : undefined;
-}
-function unquote(value) {
-    if ((value.startsWith("\"") && value.endsWith("\"")) ||
-        (value.startsWith("'") && value.endsWith("'"))) {
-        return value.slice(1, -1);
-    }
-    return value;
-}
-async function fileExists(filePath) {
-    try {
-        await access(filePath, fsConstants.F_OK);
-        return true;
-    }
-    catch {
-        return false;
-    }
-}