envpkt 0.1.0

package/dist/cli.js

@@ -0,0 +1,2254 @@
+#!/usr/bin/env node
+import { Command } from "commander";
+import { dirname, join, resolve } from "node:path";
+import { Cond, Left, List, Option, Right, Try } from "functype";
+import { existsSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
+import { TypeCompiler } from "@sinclair/typebox/compiler";
+import { TomlDate, parse, stringify } from "smol-toml";
+import { FormatRegistry, Type } from "@sinclair/typebox";
+import { execFileSync } from "node:child_process";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListResourcesRequestSchema, ListToolsRequestSchema, ReadResourceRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+
+//#region src/core/audit.ts
+const MS_PER_DAY = 864e5;
+const WARN_BEFORE_DAYS = 30;
+const daysBetween = (from, to) => Math.floor((to.getTime() - from.getTime()) / MS_PER_DAY);
+const parseDate = (dateStr) => {
+	const d = /* @__PURE__ */ new Date(dateStr + "T00:00:00Z");
+	return Number.isNaN(d.getTime()) ? Option(void 0) : Option(d);
+};
+const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration, requireService, today) => {
+	const issues = [];
+	const created = Option(meta?.created).flatMap(parseDate);
+	const expires = Option(meta?.expires).flatMap(parseDate);
+	const rotationUrl = Option(meta?.rotation_url);
+	const purpose = Option(meta?.purpose);
+	const service = Option(meta?.service);
+	const daysRemaining = expires.map((exp) => daysBetween(today, exp));
+	const daysSinceCreated = created.map((c) => daysBetween(c, today));
+	const isExpired = daysRemaining.fold(() => false, (d) => d < 0);
+	const isExpiringSoon = daysRemaining.fold(() => false, (d) => d >= 0 && d <= WARN_BEFORE_DAYS);
+	const isStale = daysSinceCreated.fold(() => false, (d) => d > staleWarningDays);
+	const isMissing = fnoxKeys.size > 0 && !fnoxKeys.has(key);
+	const isMissingMetadata = requireExpiration && expires.isNone() || requireService && service.isNone();
+	if (isExpired) issues.push("Secret has expired");
+	if (isExpiringSoon) issues.push(`Expires in ${daysRemaining.fold(() => "?", (d) => String(d))} days`);
+	if (isStale) issues.push("Secret is stale (no rotation detected)");
+	if (isMissing) issues.push("Key not found in fnox");
+	if (isMissingMetadata) {
+		if (requireExpiration && expires.isNone()) issues.push("Missing required expiration date");
+		if (requireService && service.isNone()) issues.push("Missing required service");
+	}
+	return {
+		key,
+		service,
+		status: Cond.of().when(isExpired, "expired").elseWhen(isMissing, "missing").elseWhen(isMissingMetadata, "missing_metadata").elseWhen(isExpiringSoon, "expiring_soon").elseWhen(isStale, "stale").else("healthy"),
+		days_remaining: daysRemaining,
+		rotation_url: rotationUrl,
+		purpose,
+		created: Option(meta?.created),
+		expires: Option(meta?.expires),
+		issues: List(issues)
+	};
+};
+const computeAudit = (config, fnoxKeys, today) => {
+	const now = today ?? /* @__PURE__ */ new Date();
+	const lifecycle = config.lifecycle ?? {};
+	const staleWarningDays = lifecycle.stale_warning_days ?? 90;
+	const requireExpiration = lifecycle.require_expiration ?? false;
+	const requireService = lifecycle.require_service ?? false;
+	const keys = fnoxKeys ?? /* @__PURE__ */ new Set();
+	const metaKeys = new Set(Object.keys(config.meta));
+	const secrets = List(Object.entries(config.meta).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
+	const orphaned = keys.size > 0 ? [...metaKeys].filter((k) => !keys.has(k)).length : 0;
+	const total = secrets.size;
+	const expired = secrets.count((s) => s.status === "expired");
+	const missing = secrets.count((s) => s.status === "missing");
+	const missing_metadata = secrets.count((s) => s.status === "missing_metadata");
+	const expiring_soon = secrets.count((s) => s.status === "expiring_soon");
+	const stale = secrets.count((s) => s.status === "stale");
+	const healthy = secrets.count((s) => s.status === "healthy");
+	return {
+		status: Cond.of().when(expired > 0 || missing > 0, "critical").elseWhen(expiring_soon > 0 || stale > 0 || missing_metadata > 0, "degraded").else("healthy"),
+		secrets,
+		total,
+		healthy,
+		expiring_soon,
+		expired,
+		stale,
+		missing,
+		missing_metadata,
+		orphaned,
+		agent: config.agent
+	};
+};
+
+//#endregion
+//#region src/core/schema.ts
+const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
+const URI_RE = /^https?:\/\/.+/;
+if (!FormatRegistry.Has("date")) FormatRegistry.Set("date", (v) => DATE_RE.test(v));
+if (!FormatRegistry.Has("uri")) FormatRegistry.Set("uri", (v) => URI_RE.test(v));
+const ConsumerType = Type.Union([
+	Type.Literal("agent"),
+	Type.Literal("service"),
+	Type.Literal("developer"),
+	Type.Literal("ci")
+], { description: "Classification of the agent's consumer type" });
+const AgentIdentitySchema = Type.Object({
+	name: Type.String({ description: "Agent display name" }),
+	consumer: Type.Optional(ConsumerType),
+	description: Type.Optional(Type.String({ description: "Agent description or role" })),
+	capabilities: Type.Optional(Type.Array(Type.String(), { description: "List of capabilities this agent provides" })),
+	expires: Type.Optional(Type.String({
+		format: "date",
+		description: "Agent credential expiration date (YYYY-MM-DD)"
+	})),
+	services: Type.Optional(Type.Array(Type.String(), { description: "Service dependencies for this agent" })),
+	identity: Type.Optional(Type.String({ description: "Path to encrypted agent key file (relative to config directory)" })),
+	recipient: Type.Optional(Type.String({ description: "Agent's age public key for encryption" })),
+	secrets: Type.Optional(Type.Array(Type.String(), { description: "Secret keys this agent needs from the catalog" }))
+}, { description: "Identity and capabilities of the AI agent using this envpkt" });
+const SecretMetaSchema = Type.Object({
+	service: Type.Optional(Type.String({ description: "Service or system this secret authenticates to" })),
+	expires: Type.Optional(Type.String({
+		format: "date",
+		description: "Date the secret expires (YYYY-MM-DD)"
+	})),
+	rotation_url: Type.Optional(Type.String({
+		format: "uri",
+		description: "URL or reference for secret rotation procedure"
+	})),
+	purpose: Type.Optional(Type.String({ description: "Why this secret exists and what it enables" })),
+	capabilities: Type.Optional(Type.Array(Type.String(), { description: "What operations this secret grants (e.g. read, write, admin)" })),
+	created: Type.Optional(Type.String({
+		format: "date",
+		description: "Date the secret was provisioned (YYYY-MM-DD)"
+	})),
+	rotates: Type.Optional(Type.String({ description: "Rotation schedule (e.g. '90d', 'quarterly')" })),
+	rate_limit: Type.Optional(Type.String({ description: "Rate limit or quota info (e.g. '1000/min')" })),
+	model_hint: Type.Optional(Type.String({ description: "Suggested model or tier for this credential" })),
+	source: Type.Optional(Type.String({ description: "Where the secret value originates (e.g. 'vault', 'ci')" })),
+	required: Type.Optional(Type.Boolean({ description: "Whether this secret is required for operation" })),
+	tags: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "Key-value tags for grouping and filtering" }))
+}, { description: "Metadata about a single secret" });
+const LifecycleConfigSchema = Type.Object({
+	stale_warning_days: Type.Optional(Type.Number({
+		default: 90,
+		description: "Days since creation to consider a secret stale"
+	})),
+	require_expiration: Type.Optional(Type.Boolean({
+		default: false,
+		description: "Require expires on all secrets"
+	})),
+	require_service: Type.Optional(Type.Boolean({
+		default: false,
+		description: "Require service on all secrets"
+	}))
+}, { description: "Policy configuration for credential lifecycle management" });
+const CallbackConfigSchema = Type.Object({
+	on_expiring: Type.Optional(Type.String({ description: "Command or webhook to invoke when secrets are expiring" })),
+	on_expired: Type.Optional(Type.String({ description: "Command or webhook to invoke when secrets have expired" })),
+	on_audit_fail: Type.Optional(Type.String({ description: "Command or webhook on audit failure" }))
+}, { description: "Automation callbacks for lifecycle events" });
+const ToolsConfigSchema = Type.Record(Type.String(), Type.Unknown(), { description: "Tool integration configuration — open namespace for third-party extensions" });
+const EnvpktConfigSchema = Type.Object({
+	version: Type.Number({
+		description: "Schema version number",
+		default: 1
+	}),
+	catalog: Type.Optional(Type.String({ description: "Path to shared secret catalog (relative to this config file)" })),
+	agent: Type.Optional(AgentIdentitySchema),
+	meta: Type.Record(Type.String(), SecretMetaSchema, { description: "Per-secret metadata keyed by secret name" }),
+	lifecycle: Type.Optional(LifecycleConfigSchema),
+	callbacks: Type.Optional(CallbackConfigSchema),
+	tools: Type.Optional(ToolsConfigSchema)
+}, {
+	$id: "envpkt",
+	title: "envpkt configuration",
+	description: "Credential lifecycle and fleet management configuration for AI agents"
+});
+
+//#endregion
+//#region src/core/config.ts
+const CONFIG_FILENAME$2 = "envpkt.toml";
+const ENV_VAR_CONFIG = "ENVPKT_CONFIG";
+const compiledSchema = TypeCompiler.Compile(EnvpktConfigSchema);
+/** Recursively convert TomlDate instances to ISO date strings */
+const normalizeDates = (obj) => {
+	if (obj instanceof TomlDate) return obj.toISOString().split("T")[0];
+	if (Array.isArray(obj)) return obj.map(normalizeDates);
+	if (obj !== null && typeof obj === "object") return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k, normalizeDates(v)]));
+	return obj;
+};
+/** Find envpkt.toml in the given directory */
+const findConfigPath = (dir) => {
+	const candidate = join(dir, CONFIG_FILENAME$2);
+	return existsSync(candidate) ? Option(candidate) : Option(void 0);
+};
+/** Read a config file, returning Either<ConfigError, string> */
+const readConfigFile = (path) => {
+	if (!existsSync(path)) return Left({
+		_tag: "FileNotFound",
+		path
+	});
+	return Try(() => readFileSync(path, "utf-8")).fold((err) => Left({
+		_tag: "ReadError",
+		message: String(err)
+	}), (content) => Right(content));
+};
+/** Ensure required fields have defaults for valid configs (e.g. agent configs with catalog may omit meta) */
+const applyDefaults = (data) => {
+	if (data !== null && typeof data === "object" && !Array.isArray(data)) {
+		const obj = data;
+		if (!("meta" in obj)) return {
+			...obj,
+			meta: {}
+		};
+	}
+	return data;
+};
+/** Parse a TOML string, returning Either<ConfigError, unknown> */
+const parseToml = (raw) => Try(() => parse(raw)).fold((err) => Left({
+	_tag: "ParseError",
+	message: String(err)
+}), (data) => Right(applyDefaults(normalizeDates(data))));
+/** Validate parsed data against the TypeBox schema */
+const validateConfig = (data) => {
+	if (compiledSchema.Check(data)) return Right(data);
+	return Left({
+		_tag: "ValidationError",
+		errors: List([...compiledSchema.Errors(data)].map((e) => `${e.path}: ${e.message}`))
+	});
+};
+/** Load and validate an envpkt.toml from a file path */
+const loadConfig = (path) => readConfigFile(path).flatMap(parseToml).flatMap(validateConfig);
+/**
+* Resolve config path via priority chain:
+* 1. Explicit flag path
+* 2. ENVPKT_CONFIG env var
+* 3. CWD discovery
+*/
+const resolveConfigPath = (flagPath, envVar, cwd) => {
+	if (flagPath) {
+		const resolved = resolve(flagPath);
+		return existsSync(resolved) ? Right(resolved) : Left({
+			_tag: "FileNotFound",
+			path: resolved
+		});
+	}
+	const envPath = envVar ?? process.env[ENV_VAR_CONFIG];
+	if (envPath) {
+		const resolved = resolve(envPath);
+		return existsSync(resolved) ? Right(resolved) : Left({
+			_tag: "FileNotFound",
+			path: resolved
+		});
+	}
+	const dir = cwd ?? process.cwd();
+	return findConfigPath(dir).fold(() => Left({
+		_tag: "FileNotFound",
+		path: join(dir, CONFIG_FILENAME$2)
+	}), (path) => Right(path));
+};
+
+//#endregion
+//#region src/core/catalog.ts
+/** Load and validate a catalog file, mapping ConfigError → CatalogError */
+const loadCatalog = (catalogPath) => loadConfig(catalogPath).fold((err) => {
+	if (err._tag === "FileNotFound") return Left({
+		_tag: "CatalogNotFound",
+		path: err.path
+	});
+	return Left({
+		_tag: "CatalogLoadError",
+		message: `${err._tag}: ${"message" in err ? err.message : String(err)}`
+	});
+}, (config) => Right(config));
+/** Resolve secrets by merging catalog meta with agent overrides (shallow merge) */
+const resolveSecrets = (agentMeta, catalogMeta, agentSecrets, catalogPath) => {
+	const resolved = {};
+	for (const key of agentSecrets) {
+		const catalogEntry = catalogMeta[key];
+		if (!catalogEntry) return Left({
+			_tag: "SecretNotInCatalog",
+			key,
+			catalogPath
+		});
+		const agentOverride = agentMeta[key];
+		if (agentOverride) resolved[key] = {
+			...catalogEntry,
+			...agentOverride
+		};
+		else resolved[key] = catalogEntry;
+	}
+	return Right(resolved);
+};
+/** Resolve an agent config against its catalog (if any), producing a flat self-contained config */
+const resolveConfig = (agentConfig, agentConfigDir) => {
+	if (!agentConfig.catalog) return Right({
+		config: agentConfig,
+		merged: [],
+		overridden: [],
+		warnings: []
+	});
+	if (!agentConfig.agent?.secrets || agentConfig.agent.secrets.length === 0) return Left({
+		_tag: "MissingSecretsList",
+		message: "Config has 'catalog' but agent.secrets is missing — declare which catalog secrets this agent needs"
+	});
+	const catalogPath = resolve(agentConfigDir, agentConfig.catalog);
+	const agentSecrets = agentConfig.agent.secrets;
+	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentConfig.meta, catalogConfig.meta, agentSecrets, catalogPath).map((resolvedMeta) => {
+		const merged = [];
+		const overridden = [];
+		const warnings = [];
+		for (const key of agentSecrets) {
+			merged.push(key);
+			if (agentConfig.meta[key]) overridden.push(key);
+		}
+		const { catalog: _catalog, ...agentWithoutCatalog } = agentConfig;
+		const agentIdentity = agentConfig.agent ? (() => {
+			const { secrets: _secrets, ...rest } = agentConfig.agent;
+			return rest;
+		})() : void 0;
+		return {
+			config: {
+				...agentWithoutCatalog,
+				agent: agentIdentity ? {
+					...agentIdentity,
+					name: agentIdentity.name
+				} : void 0,
+				meta: resolvedMeta
+			},
+			catalogPath,
+			merged,
+			overridden,
+			warnings
+		};
+	}));
+};
+
+//#endregion
+//#region src/cli/output.ts
+const RESET = "\x1B[0m";
+const BOLD = "\x1B[1m";
+const DIM = "\x1B[2m";
+const RED = "\x1B[31m";
+const GREEN = "\x1B[32m";
+const YELLOW = "\x1B[33m";
+const CYAN = "\x1B[36m";
+const statusColor = (status) => {
+	switch (status) {
+		case "healthy": return GREEN;
+		case "degraded": return YELLOW;
+		case "critical": return RED;
+	}
+};
+const statusIcon$1 = (status) => {
+	switch (status) {
+		case "healthy": return `${GREEN}✓${RESET}`;
+		case "degraded": return `${YELLOW}⚠${RESET}`;
+		case "critical": return `${RED}✗${RESET}`;
+	}
+};
+const secretStatusIcon = (status) => {
+	switch (status) {
+		case "healthy": return `${GREEN}✓${RESET}`;
+		case "expiring_soon": return `${YELLOW}⚠${RESET}`;
+		case "expired": return `${RED}✗${RESET}`;
+		case "stale": return `${YELLOW}○${RESET}`;
+		case "missing": return `${RED}?${RESET}`;
+		case "missing_metadata": return `${YELLOW}!${RESET}`;
+		default: return " ";
+	}
+};
+const formatSecretRow = (secret) => {
+	const icon = secretStatusIcon(secret.status);
+	const days = secret.days_remaining.fold(() => "", (d) => `${d}d`);
+	const rotation = secret.rotation_url.fold(() => "", (url) => `${DIM}${url}${RESET}`);
+	const svc = secret.service.fold(() => secret.key, (s) => s);
+	return `  ${icon} ${BOLD}${secret.key}${RESET} ${DIM}(${svc})${RESET} ${secret.status} ${days} ${rotation}`.trimEnd();
+};
+const formatAudit = (audit) => {
+	const color = statusColor(audit.status);
+	return [
+		`${statusIcon$1(audit.status)} ${BOLD}${color}${audit.status.toUpperCase()}${RESET} — ${audit.total} secrets`,
+		[
+			`  ${GREEN}${audit.healthy}${RESET} healthy`,
+			audit.expiring_soon > 0 ? `  ${YELLOW}${audit.expiring_soon}${RESET} expiring soon` : null,
+			audit.expired > 0 ? `  ${RED}${audit.expired}${RESET} expired` : null,
+			audit.stale > 0 ? `  ${YELLOW}${audit.stale}${RESET} stale` : null,
+			audit.missing > 0 ? `  ${RED}${audit.missing}${RESET} missing` : null,
+			audit.missing_metadata > 0 ? `  ${YELLOW}${audit.missing_metadata}${RESET} missing metadata` : null,
+			audit.orphaned > 0 ? `  ${YELLOW}${audit.orphaned}${RESET} orphaned` : null
+		].filter(Boolean).join("\n"),
+		audit.secrets.filter((s) => s.status !== "healthy").map(formatSecretRow).toArray().join("\n")
+	].filter((s) => s.length > 0).join("\n\n");
+};
+const formatAuditJson = (audit) => JSON.stringify({
+	status: audit.status,
+	total: audit.total,
+	healthy: audit.healthy,
+	expiring_soon: audit.expiring_soon,
+	expired: audit.expired,
+	stale: audit.stale,
+	missing: audit.missing,
+	missing_metadata: audit.missing_metadata,
+	orphaned: audit.orphaned,
+	secrets: audit.secrets.map((s) => ({
+		key: s.key,
+		service: s.service.fold(() => null, (sv) => sv),
+		status: s.status,
+		days_remaining: s.days_remaining.fold(() => null, (d) => d),
+		rotation_url: s.rotation_url.fold(() => null, (u) => u),
+		purpose: s.purpose.fold(() => null, (p) => p),
+		issues: s.issues.toArray()
+	})).toArray()
+}, null, 2);
+const formatFleetJson = (fleet) => JSON.stringify({
+	status: fleet.status,
+	total_agents: fleet.total_agents,
+	total_secrets: fleet.total_secrets,
+	expired: fleet.expired,
+	expiring_soon: fleet.expiring_soon,
+	agents: fleet.agents.map((a) => ({
+		path: a.path,
+		name: a.agent?.name ?? null,
+		consumer: a.agent?.consumer ?? null,
+		description: a.agent?.description ?? null,
+		status: a.audit.status,
+		secrets: a.audit.total
+	})).toArray()
+}, null, 2);
+const formatError = (error) => {
+	const tag = error._tag;
+	switch (tag) {
+		case "FileNotFound": return `${RED}Error:${RESET} Config file not found: ${error.path}`;
+		case "ParseError": return `${RED}Error:${RESET} Failed to parse TOML: ${error.message}`;
+		case "ValidationError": return `${RED}Error:${RESET} Config validation failed:\n${String(error.errors)}`;
+		case "ReadError": return `${RED}Error:${RESET} Could not read file: ${error.message}`;
+		case "AgeNotFound": return `${RED}Error:${RESET} age CLI not found: ${error.message}`;
+		case "DecryptFailed": return `${RED}Error:${RESET} Decrypt failed: ${error.message}`;
+		case "IdentityNotFound": return `${RED}Error:${RESET} Identity file not found: ${error.path}`;
+		case "AuditFailed": return `${RED}Error:${RESET} Audit failed: ${error.message}`;
+		case "CatalogNotFound": return `${RED}Error:${RESET} Catalog not found: ${error.path}`;
+		case "CatalogLoadError": return `${RED}Error:${RESET} Catalog load error: ${error.message}`;
+		case "SecretNotInCatalog": return `${RED}Error:${RESET} Secret "${error.key}" not found in catalog: ${error.path}`;
+		case "MissingSecretsList": return `${RED}Error:${RESET} ${error.message}`;
+		default: return `${RED}Error:${RESET} ${error.message ?? tag}`;
+	}
+};
+const exitCodeForAudit = (audit) => {
+	switch (audit.status) {
+		case "healthy": return 0;
+		case "degraded": return 1;
+		case "critical": return 2;
+	}
+};
+const confidenceIcon = (confidence) => {
+	switch (confidence) {
+		case "high": return `${GREEN}●${RESET}`;
+		case "medium": return `${YELLOW}◐${RESET}`;
+		case "low": return `${DIM}○${RESET}`;
+	}
+};
+const formatScanTable = (scan) => {
+	return [
+		`${BOLD}Scan Results${RESET} — ${scan.discovered.size} credential(s) found in ${scan.total_scanned} env vars`,
+		[
+			scan.high_confidence > 0 ? `  ${GREEN}${scan.high_confidence}${RESET} high confidence` : null,
+			scan.medium_confidence > 0 ? `  ${YELLOW}${scan.medium_confidence}${RESET} medium confidence` : null,
+			scan.low_confidence > 0 ? `  ${DIM}${scan.low_confidence}${RESET} low confidence` : null
+		].filter(Boolean).join("\n"),
+		scan.discovered.map((m) => {
+			const icon = confidenceIcon(m.confidence);
+			const svc = m.service.fold(() => `${DIM}unknown${RESET}`, (s) => s);
+			return `  ${icon} ${BOLD}${m.envVar}${RESET} → ${CYAN}${svc}${RESET} ${DIM}(${m.matchedBy})${RESET}`;
+		}).toArray().join("\n")
+	].filter((s) => s.length > 0).join("\n\n");
+};
+const formatScanJson = (scan) => JSON.stringify({
+	total_scanned: scan.total_scanned,
+	discovered: scan.discovered.size,
+	high_confidence: scan.high_confidence,
+	medium_confidence: scan.medium_confidence,
+	low_confidence: scan.low_confidence,
+	matches: scan.discovered.map((m) => ({
+		envVar: m.envVar,
+		service: m.service.fold(() => null, (s) => s),
+		confidence: m.confidence,
+		matchedBy: m.matchedBy
+	})).toArray()
+}, null, 2);
+const driftIcon = (status) => {
+	switch (status) {
+		case "tracked": return `${GREEN}✓${RESET}`;
+		case "missing_from_env": return `${RED}✗${RESET}`;
+		case "untracked": return `${YELLOW}?${RESET}`;
+		default: return " ";
+	}
+};
+const formatCheckTable = (check) => {
+	const clean = check.is_clean;
+	return [
+		`${clean ? `${GREEN}✓${RESET}` : `${YELLOW}⚠${RESET}`} ${BOLD}${clean ? `${GREEN}CLEAN${RESET}` : `${YELLOW}DRIFT DETECTED${RESET}`}${RESET}`,
+		[
+			`  ${GREEN}${check.tracked_and_present}${RESET} tracked and present`,
+			check.missing_from_env > 0 ? `  ${RED}${check.missing_from_env}${RESET} missing from env` : null,
+			check.untracked_credentials > 0 ? `  ${YELLOW}${check.untracked_credentials}${RESET} untracked credentials` : null
+		].filter(Boolean).join("\n"),
+		check.entries.filter((e) => e.status !== "tracked").map((e) => {
+			const di = driftIcon(e.status);
+			const svc = e.service.fold(() => "", (s) => ` ${DIM}(${s})${RESET}`);
+			const conf = e.confidence.fold(() => "", (c) => ` ${confidenceIcon(c)}`);
+			return `  ${di} ${BOLD}${e.envVar}${RESET}${svc} ${e.status}${conf}`;
+		}).toArray().join("\n")
+	].filter((s) => s.length > 0).join("\n\n");
+};
+const formatCheckJson = (check) => JSON.stringify({
+	is_clean: check.is_clean,
+	tracked_and_present: check.tracked_and_present,
+	missing_from_env: check.missing_from_env,
+	untracked_credentials: check.untracked_credentials,
+	entries: check.entries.map((e) => ({
+		envVar: e.envVar,
+		service: e.service.fold(() => null, (s) => s),
+		status: e.status,
+		confidence: e.confidence.fold(() => null, (c) => c)
+	})).toArray()
+}, null, 2);
+const formatAuditMinimal = (audit) => {
+	if (audit.status === "healthy") return `${GREEN}✓${RESET} ${audit.total} secrets healthy`;
+	const parts = [];
+	if (audit.expired > 0) parts.push(`${audit.expired} expired`);
+	if (audit.expiring_soon > 0) parts.push(`${audit.expiring_soon} expiring`);
+	if (audit.stale > 0) parts.push(`${audit.stale} stale`);
+	if (audit.missing > 0) parts.push(`${audit.missing} missing`);
+	return `${audit.status === "critical" ? `${RED}✗${RESET}` : `${YELLOW}⚠${RESET}`} ${parts.join(", ")}`;
+};
+
+//#endregion
+//#region src/cli/commands/audit.ts
+const runAudit = (options) => {
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, (path) => {
+		loadConfig(path).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (rawConfig) => {
+			resolveConfig(rawConfig, dirname(path)).fold((err) => {
+				console.error(formatError(err));
+				process.exit(2);
+			}, (resolveResult) => {
+				if (resolveResult.catalogPath) console.log(`${DIM}Catalog: ${CYAN}${resolveResult.catalogPath}${RESET}`);
+				runAuditOnConfig(resolveResult.config, options);
+			});
+		});
+	});
+};
+const runAuditOnConfig = (config, options) => {
+	const audit = computeAudit(config);
+	let filtered = audit;
+	if (options.status) {
+		const statusFilter = options.status;
+		const filteredSecrets = audit.secrets.filter((s) => s.status === statusFilter);
+		filtered = {
+			...audit,
+			secrets: filteredSecrets
+		};
+	}
+	if (options.expiring !== void 0) {
+		const days = options.expiring;
+		const filteredSecrets = filtered.secrets.filter((s) => s.days_remaining.fold(() => false, (d) => d >= 0 && d <= days));
+		filtered = {
+			...filtered,
+			secrets: filteredSecrets
+		};
+	}
+	if (options.format === "json") console.log(formatAuditJson(filtered));
+	else if (options.format === "minimal") console.log(formatAuditMinimal(filtered));
+	else console.log(formatAudit(filtered));
+	const code = options.strict ? exitCodeForAudit(audit) : audit.status === "critical" ? 2 : 0;
+	process.exit(code);
+};
+
+//#endregion
+//#region src/core/patterns.ts
+const EXCLUDED_VARS = new Set([
+	"PATH",
+	"HOME",
+	"USER",
+	"SHELL",
+	"TERM",
+	"LANG",
+	"LC_ALL",
+	"LC_CTYPE",
+	"DISPLAY",
+	"EDITOR",
+	"VISUAL",
+	"PAGER",
+	"HOSTNAME",
+	"LOGNAME",
+	"MAIL",
+	"OLDPWD",
+	"PWD",
+	"SHLVL",
+	"TMPDIR",
+	"TZ",
+	"XDG_CACHE_HOME",
+	"XDG_CONFIG_HOME",
+	"XDG_DATA_HOME",
+	"XDG_RUNTIME_DIR",
+	"XDG_SESSION_TYPE",
+	"NODE_ENV",
+	"NODE_PATH",
+	"NODE_OPTIONS",
+	"NVM_DIR",
+	"NVM_BIN",
+	"NVM_INC",
+	"NVM_CD_FLAGS",
+	"NPM_CONFIG_PREFIX",
+	"GOPATH",
+	"GOROOT",
+	"CARGO_HOME",
+	"RUSTUP_HOME",
+	"JAVA_HOME",
+	"ANDROID_HOME",
+	"PYENV_ROOT",
+	"VIRTUAL_ENV",
+	"CONDA_PREFIX",
+	"CONDA_DEFAULT_ENV",
+	"MANPATH",
+	"INFOPATH",
+	"LESS",
+	"LSCOLORS",
+	"LS_COLORS",
+	"COLORTERM",
+	"TERM_PROGRAM",
+	"TERM_PROGRAM_VERSION",
+	"TERM_SESSION_ID",
+	"ITERM_SESSION_ID",
+	"ITERM_PROFILE",
+	"SSH_AUTH_SOCK",
+	"SSH_AGENT_PID",
+	"GPG_TTY",
+	"GNUPGHOME",
+	"DBUS_SESSION_BUS_ADDRESS",
+	"WAYLAND_DISPLAY",
+	"ZDOTDIR",
+	"ZSH",
+	"HISTFILE",
+	"HISTSIZE",
+	"SAVEHIST",
+	"_",
+	"__CF_USER_TEXT_ENCODING",
+	"Apple_PubSub_Socket_Render",
+	"COMMAND_MODE",
+	"SECURITYSESSIONID",
+	"LaunchInstanceID",
+	"PNPM_HOME",
+	"BUN_INSTALL",
+	"FNM_DIR",
+	"FNM_MULTISHELL_PATH",
+	"FNM_VERSION_FILE_STRATEGY",
+	"FNM_LOGLEVEL",
+	"FNM_NODE_DIST_MIRROR",
+	"FNM_ARCH",
+	"VOLTA_HOME"
+]);
+const EXACT_NAME_PATTERNS = [
+	{
+		kind: "name",
+		pattern: "OPENAI_API_KEY",
+		service: "openai",
+		confidence: "high",
+		description: "OpenAI API key"
+	},
+	{
+		kind: "name",
+		pattern: "OPENAI_ORG_ID",
+		service: "openai",
+		confidence: "high",
+		description: "OpenAI org ID"
+	},
+	{
+		kind: "name",
+		pattern: "ANTHROPIC_API_KEY",
+		service: "anthropic",
+		confidence: "high",
+		description: "Anthropic API key"
+	},
+	{
+		kind: "name",
+		pattern: "AWS_ACCESS_KEY_ID",
+		service: "aws",
+		confidence: "high",
+		description: "AWS access key ID"
+	},
+	{
+		kind: "name",
+		pattern: "AWS_SECRET_ACCESS_KEY",
+		service: "aws",
+		confidence: "high",
+		description: "AWS secret access key"
+	},
+	{
+		kind: "name",
+		pattern: "AWS_SESSION_TOKEN",
+		service: "aws",
+		confidence: "high",
+		description: "AWS session token"
+	},
+	{
+		kind: "name",
+		pattern: "GOOGLE_APPLICATION_CREDENTIALS",
+		service: "gcp",
+		confidence: "high",
+		description: "Google Cloud service account path"
+	},
+	{
+		kind: "name",
+		pattern: "GOOGLE_API_KEY",
+		service: "google",
+		confidence: "high",
+		description: "Google API key"
+	},
+	{
+		kind: "name",
+		pattern: "GCP_PROJECT_ID",
+		service: "gcp",
+		confidence: "medium",
+		description: "GCP project ID"
+	},
+	{
+		kind: "name",
+		pattern: "AZURE_CLIENT_ID",
+		service: "azure",
+		confidence: "high",
+		description: "Azure client ID"
+	},
+	{
+		kind: "name",
+		pattern: "AZURE_CLIENT_SECRET",
+		service: "azure",
+		confidence: "high",
+		description: "Azure client secret"
+	},
+	{
+		kind: "name",
+		pattern: "AZURE_TENANT_ID",
+		service: "azure",
+		confidence: "high",
+		description: "Azure tenant ID"
+	},
+	{
+		kind: "name",
+		pattern: "STRIPE_SECRET_KEY",
+		service: "stripe",
+		confidence: "high",
+		description: "Stripe secret key"
+	},
+	{
+		kind: "name",
+		pattern: "STRIPE_PUBLISHABLE_KEY",
+		service: "stripe",
+		confidence: "high",
+		description: "Stripe publishable key"
+	},
+	{
+		kind: "name",
+		pattern: "STRIPE_WEBHOOK_SECRET",
+		service: "stripe",
+		confidence: "high",
+		description: "Stripe webhook secret"
+	},
+	{
+		kind: "name",
+		pattern: "GITHUB_TOKEN",
+		service: "github",
+		confidence: "high",
+		description: "GitHub token"
+	},
+	{
+		kind: "name",
+		pattern: "GH_TOKEN",
+		service: "github",
+		confidence: "high",
+		description: "GitHub token (gh CLI)"
+	},
+	{
+		kind: "name",
+		pattern: "SLACK_BOT_TOKEN",
+		service: "slack",
+		confidence: "high",
+		description: "Slack bot token"
+	},
+	{
+		kind: "name",
+		pattern: "SLACK_SIGNING_SECRET",
+		service: "slack",
+		confidence: "high",
+		description: "Slack signing secret"
+	},
+	{
+		kind: "name",
+		pattern: "SLACK_WEBHOOK_URL",
+		service: "slack",
+		confidence: "high",
+		description: "Slack webhook URL"
+	},
+	{
+		kind: "name",
+		pattern: "TWILIO_ACCOUNT_SID",
+		service: "twilio",
+		confidence: "high",
+		description: "Twilio account SID"
+	},
+	{
+		kind: "name",
+		pattern: "TWILIO_AUTH_TOKEN",
+		service: "twilio",
+		confidence: "high",
+		description: "Twilio auth token"
+	},
+	{
+		kind: "name",
+		pattern: "SENDGRID_API_KEY",
+		service: "sendgrid",
+		confidence: "high",
+		description: "SendGrid API key"
+	},
+	{
+		kind: "name",
+		pattern: "SUPABASE_URL",
+		service: "supabase",
+		confidence: "high",
+		description: "Supabase project URL"
+	},
+	{
+		kind: "name",
+		pattern: "SUPABASE_ANON_KEY",
+		service: "supabase",
+		confidence: "high",
+		description: "Supabase anon key"
+	},
+	{
+		kind: "name",
+		pattern: "SUPABASE_SERVICE_ROLE_KEY",
+		service: "supabase",
+		confidence: "high",
+		description: "Supabase service role key"
+	},
+	{
+		kind: "name",
+		pattern: "DATABASE_URL",
+		service: "database",
+		confidence: "high",
+		description: "Database URL"
+	},
+	{
+		kind: "name",
+		pattern: "DATABASE_PASSWORD",
+		service: "database",
+		confidence: "high",
+		description: "Database password"
+	},
+	{
+		kind: "name",
+		pattern: "REDIS_URL",
+		service: "redis",
+		confidence: "high",
+		description: "Redis URL"
+	},
+	{
+		kind: "name",
+		pattern: "MONGODB_URI",
+		service: "mongodb",
+		confidence: "high",
+		description: "MongoDB URI"
+	},
+	{
+		kind: "name",
+		pattern: "DD_API_KEY",
+		service: "datadog",
+		confidence: "high",
+		description: "Datadog API key"
+	},
+	{
+		kind: "name",
+		pattern: "DD_APP_KEY",
+		service: "datadog",
+		confidence: "high",
+		description: "Datadog app key"
+	},
+	{
+		kind: "name",
+		pattern: "SENTRY_DSN",
+		service: "sentry",
+		confidence: "high",
+		description: "Sentry DSN"
+	},
+	{
+		kind: "name",
+		pattern: "SENTRY_AUTH_TOKEN",
+		service: "sentry",
+		confidence: "high",
+		description: "Sentry auth token"
+	},
+	{
+		kind: "name",
+		pattern: "VERCEL_TOKEN",
+		service: "vercel",
+		confidence: "high",
+		description: "Vercel token"
+	},
+	{
+		kind: "name",
+		pattern: "NETLIFY_AUTH_TOKEN",
+		service: "netlify",
+		confidence: "high",
+		description: "Netlify auth token"
+	},
+	{
+		kind: "name",
+		pattern: "CLOUDFLARE_API_TOKEN",
+		service: "cloudflare",
+		confidence: "high",
+		description: "Cloudflare API token"
+	},
+	{
+		kind: "name",
+		pattern: "CF_API_TOKEN",
+		service: "cloudflare",
+		confidence: "high",
+		description: "Cloudflare API token"
+	},
+	{
+		kind: "name",
+		pattern: "DOCKER_PASSWORD",
+		service: "docker",
+		confidence: "high",
+		description: "Docker password"
+	},
+	{
+		kind: "name",
+		pattern: "DOCKER_TOKEN",
+		service: "docker",
+		confidence: "high",
+		description: "Docker token"
+	},
+	{
+		kind: "name",
+		pattern: "NPM_TOKEN",
+		service: "npm",
+		confidence: "high",
+		description: "npm token"
+	},
+	{
+		kind: "name",
+		pattern: "HF_TOKEN",
+		service: "huggingface",
+		confidence: "high",
+		description: "Hugging Face token"
+	},
+	{
+		kind: "name",
+		pattern: "HUGGING_FACE_HUB_TOKEN",
+		service: "huggingface",
+		confidence: "high",
+		description: "Hugging Face Hub token"
+	},
+	{
+		kind: "name",
+		pattern: "COHERE_API_KEY",
+		service: "cohere",
+		confidence: "high",
+		description: "Cohere API key"
+	},
+	{
+		kind: "name",
+		pattern: "REPLICATE_API_TOKEN",
+		service: "replicate",
+		confidence: "high",
+		description: "Replicate API token"
+	},
+	{
+		kind: "name",
+		pattern: "PINECONE_API_KEY",
+		service: "pinecone",
+		confidence: "high",
+		description: "Pinecone API key"
+	},
+	{
+		kind: "name",
+		pattern: "LINEAR_API_KEY",
+		service: "linear",
+		confidence: "high",
+		description: "Linear API key"
+	}
+];
+const SUFFIX_PATTERNS = [
+	{
+		suffix: "_API_KEY",
+		description: "API key"
+	},
+	{
+		suffix: "_SECRET_KEY",
+		description: "Secret key"
+	},
+	{
+		suffix: "_SECRET",
+		description: "Secret"
+	},
+	{
+		suffix: "_TOKEN",
+		description: "Token"
+	},
+	{
+		suffix: "_PASSWORD",
+		description: "Password"
+	},
+	{
+		suffix: "_PASS",
+		description: "Password"
+	},
+	{
+		suffix: "_AUTH_TOKEN",
+		description: "Auth token"
+	},
+	{
+		suffix: "_ACCESS_TOKEN",
+		description: "Access token"
+	},
+	{
+		suffix: "_PRIVATE_KEY",
+		description: "Private key"
+	},
+	{
+		suffix: "_SIGNING_KEY",
+		description: "Signing key"
+	},
+	{
+		suffix: "_WEBHOOK_SECRET",
+		description: "Webhook secret"
+	},
+	{
+		suffix: "_DSN",
+		description: "DSN"
+	},
+	{
+		suffix: "_CONNECTION_STRING",
+		description: "Connection string"
+	}
+];
+const VALUE_SHAPE_PATTERNS = [
+	{
+		prefix: "sk-ant-",
+		service: "anthropic",
+		description: "Anthropic API key"
+	},
+	{
+		prefix: "sk-",
+		service: "openai",
+		description: "OpenAI API key"
+	},
+	{
+		prefix: "sk_live_",
+		service: "stripe",
+		description: "Stripe live secret key"
+	},
+	{
+		prefix: "sk_test_",
+		service: "stripe",
+		description: "Stripe test secret key"
+	},
+	{
+		prefix: "pk_live_",
+		service: "stripe",
+		description: "Stripe live publishable key"
+	},
+	{
+		prefix: "pk_test_",
+		service: "stripe",
+		description: "Stripe test publishable key"
+	},
+	{
+		prefix: "whsec_",
+		service: "stripe",
+		description: "Stripe webhook secret"
+	},
+	{
+		prefix: "AKIA",
+		service: "aws",
+		description: "AWS access key ID"
+	},
+	{
+		prefix: "ghp_",
+		service: "github",
+		description: "GitHub personal access token"
+	},
+	{
+		prefix: "gho_",
+		service: "github",
+		description: "GitHub OAuth token"
+	},
+	{
+		prefix: "ghs_",
+		service: "github",
+		description: "GitHub server-to-server token"
+	},
+	{
+		prefix: "ghu_",
+		service: "github",
+		description: "GitHub user-to-server token"
+	},
+	{
+		prefix: "github_pat_",
+		service: "github",
+		description: "GitHub fine-grained PAT"
+	},
+	{
+		prefix: "xoxb-",
+		service: "slack",
+		description: "Slack bot token"
+	},
+	{
+		prefix: "xoxp-",
+		service: "slack",
+		description: "Slack user token"
+	},
+	{
+		prefix: "xoxa-",
+		service: "slack",
+		description: "Slack app token"
+	},
+	{
+		prefix: "xoxs-",
+		service: "slack",
+		description: "Slack legacy token"
+	},
+	{
+		prefix: "SG.",
+		service: "sendgrid",
+		description: "SendGrid API key"
+	},
+	{
+		prefix: "hf_",
+		service: "huggingface",
+		description: "Hugging Face token"
+	},
+	{
+		prefix: "r8_",
+		service: "replicate",
+		description: "Replicate API token"
+	},
+	{
+		prefix: "eyJ",
+		service: "jwt",
+		description: "JWT token"
+	},
+	{
+		prefix: "postgres://",
+		service: "postgresql",
+		description: "PostgreSQL connection string"
+	},
+	{
+		prefix: "postgresql://",
+		service: "postgresql",
+		description: "PostgreSQL connection string"
+	},
+	{
+		prefix: "mysql://",
+		service: "mysql",
+		description: "MySQL connection string"
+	},
+	{
+		prefix: "mongodb://",
+		service: "mongodb",
+		description: "MongoDB connection string"
+	},
+	{
+		prefix: "mongodb+srv://",
+		service: "mongodb",
+		description: "MongoDB SRV connection string"
+	},
+	{
+		prefix: "redis://",
+		service: "redis",
+		description: "Redis connection string"
+	},
+	{
+		prefix: "rediss://",
+		service: "redis",
+		description: "Redis TLS connection string"
+	},
+	{
+		prefix: "amqp://",
+		service: "rabbitmq",
+		description: "RabbitMQ connection string"
+	},
+	{
+		prefix: "amqps://",
+		service: "rabbitmq",
+		description: "RabbitMQ TLS connection string"
+	}
+];
+/** Detect service from value prefix/shape */
+const matchValueShape = (value) => {
+	for (const vp of VALUE_SHAPE_PATTERNS) if (value.startsWith(vp.prefix)) return Option({
+		service: vp.service,
+		description: vp.description
+	});
+	return Option(void 0);
+};
+/** Strip common suffixes and derive a service name from an env var name */
+const deriveServiceFromName = (name) => {
+	const suffixes = [
+		"_API_KEY",
+		"_SECRET_KEY",
+		"_ACCESS_KEY",
+		"_PRIVATE_KEY",
+		"_SIGNING_KEY",
+		"_AUTH_TOKEN",
+		"_ACCESS_TOKEN",
+		"_WEBHOOK_SECRET",
+		"_CONNECTION_STRING",
+		"_SECRET",
+		"_TOKEN",
+		"_PASSWORD",
+		"_PASS",
+		"_KEY",
+		"_DSN",
+		"_URL",
+		"_URI"
+	];
+	let stripped = name;
+	for (const suffix of suffixes) if (stripped.endsWith(suffix)) {
+		stripped = stripped.slice(0, -suffix.length);
+		break;
+	}
+	return stripped.toLowerCase().replace(/_/g, "-");
+};
+/** Match a single env var against all patterns */
+const matchEnvVar = (name, value) => {
+	if (EXCLUDED_VARS.has(name)) return Option(void 0);
+	for (const p of EXACT_NAME_PATTERNS) if (name === p.pattern) return Option({
+		envVar: name,
+		value,
+		service: Option(p.service),
+		confidence: p.confidence,
+		matchedBy: `exact:${p.pattern}`
+	});
+	return matchValueShape(value).fold(() => {
+		for (const sp of SUFFIX_PATTERNS) if (name.endsWith(sp.suffix)) return Option({
+			envVar: name,
+			value,
+			service: Option(deriveServiceFromName(name)),
+			confidence: "medium",
+			matchedBy: `suffix:${sp.suffix}`
+		});
+		return Option(void 0);
+	}, (vm) => Option({
+		envVar: name,
+		value,
+		service: Option(vm.service),
+		confidence: "high",
+		matchedBy: `value:${vm.description}`
+	}));
+};
+/** Scan full env, sorted by confidence (high first) then alphabetically */
+const scanEnv = (env) => {
+	const results = [];
+	for (const [name, value] of Object.entries(env)) {
+		if (value === void 0 || value === "") continue;
+		matchEnvVar(name, value).fold(() => {}, (m) => results.push(m));
+	}
+	const confidenceOrder = {
+		high: 0,
+		medium: 1,
+		low: 2
+	};
+	results.sort((a, b) => {
+		const conf = confidenceOrder[a.confidence] - confidenceOrder[b.confidence];
+		if (conf !== 0) return conf;
+		return a.envVar.localeCompare(b.envVar);
+	});
+	return results;
+};
+
+//#endregion
+//#region src/core/env.ts
+/** Scan env for credentials, returning structured results */
+const envScan = (env, options) => {
+	const allMatches = scanEnv(env);
+	const discovered = options?.includeUnknown ? allMatches : allMatches.filter((m) => m.service.isSome());
+	const total_scanned = Object.keys(env).length;
+	const high_confidence = discovered.filter((m) => m.confidence === "high").length;
+	const medium_confidence = discovered.filter((m) => m.confidence === "medium").length;
+	const low_confidence = discovered.filter((m) => m.confidence === "low").length;
+	return {
+		discovered: List(discovered),
+		total_scanned,
+		high_confidence,
+		medium_confidence,
+		low_confidence
+	};
+};
+/** Bidirectional drift detection between config and live environment */
+const envCheck = (config, env) => {
+	const entries = [];
+	const metaKeys = Object.keys(config.meta);
+	const trackedSet = new Set(metaKeys);
+	for (const key of metaKeys) {
+		const meta = config.meta[key];
+		const present = env[key] !== void 0 && env[key] !== "";
+		entries.push({
+			envVar: key,
+			service: Option(meta?.service),
+			status: present ? "tracked" : "missing_from_env",
+			confidence: Option(void 0)
+		});
+	}
+	const envMatches = scanEnv(env);
+	for (const match of envMatches) if (!trackedSet.has(match.envVar)) entries.push({
+		envVar: match.envVar,
+		service: match.service,
+		status: "untracked",
+		confidence: Option(match.confidence)
+	});
+	const tracked_and_present = entries.filter((e) => e.status === "tracked").length;
+	const missing_from_env = entries.filter((e) => e.status === "missing_from_env").length;
+	const untracked_credentials = entries.filter((e) => e.status === "untracked").length;
+	return {
+		entries: List(entries),
+		tracked_and_present,
+		missing_from_env,
+		untracked_credentials,
+		is_clean: missing_from_env === 0 && untracked_credentials === 0
+	};
+};
+const todayIso$1 = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+/** Generate TOML [meta.*] blocks from scan results, mirroring init.ts pattern */
+const generateTomlFromScan = (matches) => {
+	const blocks = [];
+	for (const match of matches) {
+		const svc = match.service.fold(() => match.envVar.toLowerCase().replace(/_/g, "-"), (s) => s);
+		blocks.push(`[meta.${match.envVar}]
+service = "${svc}"
+# purpose = ""               # Why: what this secret enables
+# capabilities = []          # What operations this grants
+created = "${todayIso$1()}"
+# expires = ""               # When: YYYY-MM-DD expiration date
+# rotation_url = ""          # URL for rotation procedure
+# source = ""                # Where the value originates (e.g. vault, ci)
+# tags = {}
+`);
+	}
+	return blocks.join("\n");
+};
+
+//#endregion
+//#region src/cli/commands/env.ts
+const runEnvScan = (options) => {
+	const scan = envScan(process.env, { includeUnknown: options.includeUnknown });
+	if (scan.discovered.size === 0) {
+		console.log(`${DIM}No credentials detected in environment.${RESET}`);
+		process.exit(0);
+	}
+	if (options.format === "json") console.log(formatScanJson(scan));
+	else console.log(formatScanTable(scan));
+	if (options.write || options.dryRun) {
+		const toml = generateTomlFromScan(scan.discovered.toArray());
+		if (options.dryRun) {
+			console.log(`\n${BOLD}Preview (--dry-run):${RESET}\n`);
+			console.log(toml);
+			return;
+		}
+		const configPath = join(process.cwd(), "envpkt.toml");
+		if (existsSync(configPath)) {
+			const existing = Try(() => readFileSync(configPath, "utf-8")).fold(() => "", (c) => c);
+			const newEntries = scan.discovered.toArray().filter((m) => !existing.includes(`[meta.${m.envVar}]`));
+			if (newEntries.length === 0) {
+				console.log(`\n${GREEN}✓${RESET} All discovered credentials already tracked in envpkt.toml`);
+				return;
+			}
+			const newToml = generateTomlFromScan(newEntries);
+			Try(() => writeFileSync(configPath, existing.trimEnd() + "\n\n" + newToml, "utf-8")).fold((err) => {
+				console.error(`\n${RED}Error:${RESET} Failed to write: ${err}`);
+				process.exit(1);
+			}, () => {
+				console.log(`\n${GREEN}✓${RESET} Appended ${BOLD}${newEntries.length}${RESET} new entry/entries to ${CYAN}${configPath}${RESET}`);
+			});
+		} else {
+			const header = `#:schema https://raw.githubusercontent.com/jordanburke/envpkt/main/schemas/envpkt.schema.json\n\nversion = 1\n\n[lifecycle]\nstale_warning_days = 90\n\n`;
+			Try(() => writeFileSync(configPath, header + toml, "utf-8")).fold((err) => {
+				console.error(`\n${RED}Error:${RESET} Failed to write: ${err}`);
+				process.exit(1);
+			}, () => {
+				console.log(`\n${GREEN}✓${RESET} Created ${BOLD}envpkt.toml${RESET} with ${CYAN}${scan.discovered.size}${RESET} credential(s)`);
+			});
+		}
+	}
+};
+const runEnvCheck = (options) => {
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, (path) => {
+		loadConfig(path).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (rawConfig) => {
+			resolveConfig(rawConfig, dirname(path)).fold((err) => {
+				console.error(formatError(err));
+				process.exit(2);
+			}, (resolveResult) => {
+				const check = envCheck(resolveResult.config, process.env);
+				if (options.format === "json") console.log(formatCheckJson(check));
+				else console.log(formatCheckTable(check));
+				if (options.strict && !check.is_clean) process.exit(1);
+			});
+		});
+	});
+};
+
+//#endregion
+//#region src/fnox/detect.ts
+/** Check if fnox CLI is available on PATH */
+const fnoxAvailable = () => Try(() => {
+	execFileSync("fnox", ["--version"], { stdio: "pipe" });
+	return true;
+}).fold(() => false, (v) => v);
+
+//#endregion
+//#region src/fnox/identity.ts
+/** Check if the age CLI is available on PATH */
+const ageAvailable = () => Try(() => {
+	execFileSync("age", ["--version"], { stdio: "pipe" });
+	return true;
+}).fold(() => false, (v) => v);
+/** Unwrap an encrypted agent key using age --decrypt */
+const unwrapAgentKey = (identityPath) => {
+	if (!existsSync(identityPath)) return Left({
+		_tag: "IdentityNotFound",
+		path: identityPath
+	});
+	if (!ageAvailable()) return Left({
+		_tag: "AgeNotFound",
+		message: "age CLI not found on PATH"
+	});
+	return Try(() => execFileSync("age", ["--decrypt", identityPath], {
+		stdio: [
+			"pipe",
+			"pipe",
+			"pipe"
+		],
+		encoding: "utf-8"
+	})).fold((err) => Left({
+		_tag: "DecryptFailed",
+		message: `age decrypt failed: ${err}`
+	}), (output) => Right(output.trim()));
+};
+
+//#endregion
+//#region src/cli/commands/exec.ts
+const runExec = (args, options) => {
+	if (args.length === 0) {
+		console.error(`${RED}Error:${RESET} No command specified`);
+		process.exit(2);
+		return;
+	}
+	const skipAudit = options.skipAudit || options.check === false;
+	const configData = resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, (path) => loadConfig(path).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, (config) => ({
+		config,
+		path
+	})));
+	if (!configData) return;
+	const { config, path } = configData;
+	const configDir = dirname(path);
+	if (!skipAudit) {
+		const audit = computeAudit(config);
+		console.error(`${BOLD}envpkt${RESET} pre-flight audit ${path}`);
+		console.error(formatAudit(audit));
+		console.error("");
+		if (options.strict && audit.status !== "healthy") {
+			console.error(`${RED}Aborting:${RESET} --strict mode and audit status is ${audit.status}`);
+			process.exit(exitCodeForAudit(audit));
+			return;
+		}
+		if (audit.status === "critical" && !options.warnOnly) {
+			console.error(`${RED}Aborting:${RESET} audit status is critical (use --warn-only to proceed)`);
+			process.exit(exitCodeForAudit(audit));
+			return;
+		}
+		if (audit.status === "critical" && options.warnOnly) console.error(`${YELLOW}Warning:${RESET} Proceeding despite critical audit status (--warn-only)`);
+	}
+	let agentKey;
+	if (config.agent?.identity) unwrapAgentKey(resolve(configDir, config.agent.identity)).fold((err) => {
+		console.error(`${YELLOW}Warning:${RESET} Agent key unwrap failed: ${err._tag}`);
+	}, (key) => {
+		agentKey = key;
+	});
+	if (!fnoxAvailable()) console.error(`${YELLOW}Warning:${RESET} fnox not available — running command without secret injection`);
+	const env = { ...process.env };
+	if (fnoxAvailable()) {
+		const fnoxArgs = options.profile ? [
+			"export",
+			"--profile",
+			options.profile
+		] : ["export"];
+		const fnoxEnv = agentKey ? {
+			...process.env,
+			FNOX_AGE_KEY: agentKey
+		} : void 0;
+		Try(() => execFileSync("fnox", fnoxArgs, {
+			stdio: "pipe",
+			encoding: "utf-8",
+			env: fnoxEnv
+		})).fold((err) => {
+			console.error(`${YELLOW}Warning:${RESET} fnox export failed: ${err}`);
+		}, (output) => {
+			for (const line of output.split("\n")) {
+				const eq = line.indexOf("=");
+				if (eq > 0) {
+					const key = line.slice(0, eq).trim();
+					env[key] = line.slice(eq + 1).trim();
+				}
+			}
+		});
+	}
+	const [cmd, ...cmdArgs] = args;
+	try {
+		execFileSync(cmd, cmdArgs, {
+			env,
+			stdio: "inherit"
+		});
+	} catch (err) {
+		const exitCode = err.status ?? 1;
+		process.exit(exitCode);
+	}
+};
+
+//#endregion
+//#region src/core/fleet.ts
+const CONFIG_FILENAME$1 = "envpkt.toml";
+const SKIP_DIRS = new Set([
+	"node_modules",
+	".git",
+	".hg",
+	".svn",
+	"dist",
+	"build",
+	"lib",
+	".claude",
+	"__pycache__",
+	"target",
+	"out",
+	"tmp",
+	".terraform",
+	".gradle",
+	".cargo",
+	".venv",
+	".next",
+	".cache",
+	".tox",
+	"vendor",
+	"coverage",
+	".nyc_output",
+	".turbo"
+]);
+function* findEnvpktFiles(dir, maxDepth, currentDepth = 0) {
+	if (currentDepth > maxDepth) return;
+	const configPath = join(dir, CONFIG_FILENAME$1);
+	if (Try(() => statSync(configPath).isFile()).fold(() => false, (v) => v)) yield configPath;
+	if (currentDepth >= maxDepth) return;
+	let entries = [];
+	Try(() => readdirSync(dir, { withFileTypes: true })).fold(() => {}, (e) => {
+		entries = e;
+	});
+	for (const entry of entries) if (entry.isDirectory() && !SKIP_DIRS.has(entry.name) && !entry.name.startsWith(".")) yield* findEnvpktFiles(join(dir, entry.name), maxDepth, currentDepth + 1);
+}
+const scanFleet = (rootDir, options) => {
+	const maxDepth = options?.maxDepth ?? 3;
+	const agents = [];
+	for (const configPath of findEnvpktFiles(rootDir, maxDepth)) loadConfig(configPath).fold(() => {}, (config) => {
+		const audit = computeAudit(config);
+		agents.push({
+			path: configPath,
+			agent: config.agent,
+			min_expiry_days: audit.secrets.toArray().reduce((min, s) => s.days_remaining.fold(() => min, (d) => min === void 0 ? d : Math.min(min, d)), void 0),
+			audit
+		});
+	});
+	const agentList = List(agents);
+	const total_agents = agentList.size;
+	const total_secrets = agentList.toArray().reduce((acc, a) => acc + a.audit.total, 0);
+	const expired = agentList.toArray().reduce((acc, a) => acc + a.audit.expired, 0);
+	const expiring_soon = agentList.toArray().reduce((acc, a) => acc + a.audit.expiring_soon, 0);
+	const criticalCount = agentList.count((a) => a.audit.status === "critical");
+	const degradedCount = agentList.count((a) => a.audit.status === "degraded");
+	return {
+		status: Cond.of().when(criticalCount > 0, "critical").elseWhen(degradedCount > 0, "degraded").else("healthy"),
+		agents: agentList,
+		total_agents,
+		total_secrets,
+		expired,
+		expiring_soon
+	};
+};
+
+//#endregion
+//#region src/cli/commands/fleet.ts
+const statusIcon = (status) => {
+	switch (status) {
+		case "healthy": return `${GREEN}✓${RESET}`;
+		case "degraded": return `${YELLOW}⚠${RESET}`;
+		case "critical": return `${RED}✗${RESET}`;
+	}
+};
+const runFleet = (options) => {
+	const fleet = scanFleet(resolve(options.dir ?? "."), { maxDepth: options.depth });
+	if (options.format === "json") {
+		console.log(formatFleetJson(fleet));
+		process.exit(fleet.status === "critical" ? 2 : 0);
+		return;
+	}
+	const statusFilter = options.status;
+	const agents = statusFilter ? fleet.agents.filter((a) => a.audit.status === statusFilter) : fleet.agents;
+	console.log(`${statusIcon(fleet.status)} ${BOLD}Fleet: ${fleet.status.toUpperCase()}${RESET} — ${fleet.total_agents} agents, ${fleet.total_secrets} secrets`);
+	if (fleet.expired > 0) console.log(`  ${RED}${fleet.expired}${RESET} expired`);
+	if (fleet.expiring_soon > 0) console.log(`  ${YELLOW}${fleet.expiring_soon}${RESET} expiring soon`);
+	console.log("");
+	for (const agent of agents) {
+		const name = agent.agent?.name ? BOLD + agent.agent.name + RESET : DIM + agent.path + RESET;
+		const icon = statusIcon(agent.audit.status);
+		console.log(`  ${icon} ${name} ${DIM}(${agent.audit.total} secrets)${RESET}`);
+	}
+	process.exit(fleet.status === "critical" ? 2 : 0);
+};
+
+//#endregion
+//#region src/cli/commands/init.ts
+const CONFIG_FILENAME = "envpkt.toml";
+const todayIso = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+const generateSecretBlock = (key, service) => {
+	return `[meta.${key}]
+service = "${service ?? key}"
+# purpose = ""               # Why: what this secret enables
+# capabilities = []          # What operations this grants
+created = "${todayIso()}"
+# expires = ""               # When: YYYY-MM-DD expiration date
+# rotation_url = ""          # URL for rotation procedure
+# source = ""                # Where the value originates (e.g. vault, ci)
+# tags = {}
+`;
+};
+const generateAgentSection = (name, capabilities, expires) => {
+	return `[agent]
+name = "${name}"
+# consumer = "agent"         # agent | service | developer | ci${capabilities ? `\ncapabilities = [${capabilities.split(",").map((c) => `"${c.trim()}"`).join(", ")}]` : ""}${expires ? `\nexpires = "${expires}"` : ""}
+`;
+};
+const generateTemplate = (options, fnoxKeys) => {
+	const lines = [];
+	lines.push(`#:schema https://raw.githubusercontent.com/jordanburke/envpkt/main/schemas/envpkt.schema.json`);
+	lines.push(``);
+	lines.push(`version = 1`);
+	lines.push(``);
+	if (options.catalog) {
+		lines.push(`catalog = "${options.catalog}"`);
+		lines.push(``);
+	}
+	if (options.agent && options.name) {
+		lines.push(generateAgentSection(options.name, options.capabilities, options.expires));
+		if (options.catalog) lines.push(`secrets = []  # Add catalog secret keys this agent needs`);
+		lines.push(``);
+	}
+	if (!options.catalog) {
+		lines.push(`# Lifecycle policy`);
+		lines.push(`[lifecycle]`);
+		lines.push(`stale_warning_days = 90`);
+		lines.push(`# require_expiration = false`);
+		lines.push(`# require_service = false`);
+		lines.push(``);
+		if (fnoxKeys && fnoxKeys.length > 0) {
+			lines.push(`# Secrets detected from fnox.toml`);
+			for (const key of fnoxKeys) lines.push(generateSecretBlock(key));
+		} else {
+			lines.push(`# Add your secret metadata below.`);
+			lines.push(`# Each [meta.<key>] describes a secret your agent needs.`);
+			lines.push(``);
+			lines.push(generateSecretBlock("EXAMPLE_API_KEY", "example-service"));
+		}
+	} else {
+		lines.push(`# Optional: override catalog metadata for specific secrets`);
+		lines.push(`# [meta.KEY_NAME]`);
+		lines.push(`# capabilities = ["read"]  # narrows catalog's broader definition`);
+	}
+	return lines.join("\n");
+};
+const readFnoxKeys = (fnoxPath) => Try(() => readFileSync(fnoxPath, "utf-8")).fold((err) => Left({
+	_tag: "ReadError",
+	message: String(err)
+}), (content) => Try(() => parse(content)).fold((err) => Left({
+	_tag: "ParseError",
+	message: String(err)
+}), (data) => Right(Object.keys(data))));
+const formatConfigError = (err) => {
+	switch (err._tag) {
+		case "FileNotFound": return err.path;
+		case "ParseError": return err.message;
+		case "ReadError": return err.message;
+		case "ValidationError": return err.errors.toArray().join(", ");
+	}
+};
+const runInit = (dir, options) => {
+	const outPath = join(dir, CONFIG_FILENAME);
+	if (existsSync(outPath) && !options.force) {
+		console.error(`${RED}Error:${RESET} ${CONFIG_FILENAME} already exists. Use --force to overwrite.`);
+		process.exit(1);
+	}
+	let fnoxKeys;
+	if (options.fromFnox) {
+		const fnoxPath = options.fromFnox === "true" || options.fromFnox === "" ? join(dir, "fnox.toml") : options.fromFnox;
+		if (!existsSync(fnoxPath)) {
+			console.error(`${RED}Error:${RESET} fnox.toml not found at ${fnoxPath}`);
+			process.exit(1);
+		}
+		readFnoxKeys(fnoxPath).fold((err) => {
+			console.error(`${RED}Error:${RESET} Failed to read fnox.toml: ${formatConfigError(err)}`);
+			process.exit(1);
+		}, (keys) => {
+			fnoxKeys = keys;
+		});
+	}
+	const content = generateTemplate(options, fnoxKeys);
+	Try(() => writeFileSync(outPath, content, "utf-8")).fold((err) => {
+		console.error(`${RED}Error:${RESET} Failed to write ${CONFIG_FILENAME}: ${err}`);
+		process.exit(1);
+	}, () => {
+		console.log(`${GREEN}✓${RESET} Created ${BOLD}${CONFIG_FILENAME}${RESET} in ${CYAN}${dir}${RESET}`);
+		if (fnoxKeys) console.log(`  Scaffolded ${fnoxKeys.length} secret(s) from fnox.toml`);
+		console.log(`  ${BOLD}Next:${RESET} Fill in metadata for each secret`);
+	});
+};
+
+//#endregion
+//#region src/core/format.ts
+const maskValue = (value) => {
+	if (value.length > 8) return `${value.slice(0, 3)}${"•".repeat(5)}${value.slice(-4)}`;
+	return "•".repeat(5);
+};
+
+//#endregion
+//#region src/cli/commands/inspect.ts
+const printSecretMeta = (meta, indent) => {
+	if (meta.purpose) console.log(`${indent}purpose: ${meta.purpose}`);
+	if (meta.capabilities) console.log(`${indent}capabilities: ${DIM}${meta.capabilities.join(", ")}${RESET}`);
+	const dateParts = [];
+	if (meta.created) dateParts.push(`created: ${meta.created}`);
+	if (meta.expires) dateParts.push(`expires: ${meta.expires}`);
+	if (dateParts.length > 0) console.log(`${indent}${dateParts.join("  ")}`);
+	const opsParts = [];
+	if (meta.rotates) opsParts.push(`rotates: ${meta.rotates}`);
+	if (meta.rate_limit) opsParts.push(`rate_limit: ${meta.rate_limit}`);
+	if (opsParts.length > 0) console.log(`${indent}${opsParts.join("  ")}`);
+	if (meta.source) console.log(`${indent}source: ${meta.source}`);
+	if (meta.model_hint) console.log(`${indent}model_hint: ${meta.model_hint}`);
+	if (meta.rotation_url) console.log(`${indent}rotation_url: ${DIM}${meta.rotation_url}${RESET}`);
+	if (meta.required !== void 0) console.log(`${indent}required: ${meta.required}`);
+	if (meta.tags) {
+		const tagStr = Object.entries(meta.tags).map(([k, v]) => `${k}=${v}`).join(", ");
+		console.log(`${indent}tags: ${tagStr}`);
+	}
+};
+const printConfig = (config, path, resolveResult, opts) => {
+	console.log(`${BOLD}envpkt.toml${RESET} ${DIM}(${path})${RESET}`);
+	if (resolveResult?.catalogPath) console.log(`${DIM}Catalog: ${CYAN}${resolveResult.catalogPath}${RESET}`);
+	console.log(`version: ${config.version}`);
+	console.log("");
+	if (config.agent) {
+		console.log(`${BOLD}Agent:${RESET} ${config.agent.name}`);
+		if (config.agent.consumer) console.log(`  consumer: ${config.agent.consumer}`);
+		if (config.agent.description) console.log(`  description: ${config.agent.description}`);
+		if (config.agent.capabilities) console.log(`  capabilities: ${config.agent.capabilities.join(", ")}`);
+		if (config.agent.expires) console.log(`  expires: ${config.agent.expires}`);
+		if (config.agent.services) console.log(`  services: ${config.agent.services.join(", ")}`);
+		if (config.agent.secrets) console.log(`  secrets: ${config.agent.secrets.join(", ")}`);
+		console.log("");
+	}
+	console.log(`${BOLD}Secrets:${RESET} ${Object.keys(config.meta).length}`);
+	for (const [key, meta] of Object.entries(config.meta)) {
+		const secretValue = opts?.secrets?.[key];
+		const valueSuffix = secretValue !== void 0 ? ` = ${YELLOW}${(opts?.secretDisplay ?? "encrypted") === "plaintext" ? secretValue : maskValue(secretValue)}${RESET}` : "";
+		console.log(`  ${BOLD}${key}${RESET} → ${meta.service ?? key}${valueSuffix}`);
+		printSecretMeta(meta, "    ");
+	}
+	if (config.lifecycle) {
+		console.log("");
+		console.log(`${BOLD}Lifecycle:${RESET}`);
+		if (config.lifecycle.stale_warning_days !== void 0) console.log(`  stale_warning_days: ${config.lifecycle.stale_warning_days}`);
+		if (config.lifecycle.require_expiration !== void 0) console.log(`  require_expiration: ${config.lifecycle.require_expiration}`);
+		if (config.lifecycle.require_service !== void 0) console.log(`  require_service: ${config.lifecycle.require_service}`);
+	}
+	if (resolveResult?.catalogPath) {
+		console.log("");
+		console.log(`${BOLD}Catalog Resolution:${RESET}`);
+		console.log(`  merged: ${resolveResult.merged.length} keys`);
+		if (resolveResult.overridden.length > 0) console.log(`  overridden: ${resolveResult.overridden.join(", ")}`);
+		else console.log(`  overridden: ${DIM}(none)${RESET}`);
+		for (const w of resolveResult.warnings) console.log(`  ${YELLOW}warning:${RESET} ${w}`);
+	}
+};
+const runInspect = (options) => {
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, (path) => {
+		loadConfig(path).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			resolveConfig(config, dirname(path)).fold((err) => {
+				console.error(formatError(err));
+				process.exit(2);
+			}, (resolveResult) => {
+				const showResolved = options.resolved || !!resolveResult.catalogPath;
+				const showConfig = showResolved ? resolveResult.config : config;
+				if (options.format === "json") {
+					console.log(JSON.stringify(showConfig, null, 2));
+					return;
+				}
+				const printOpts = options.secrets ? {
+					secrets: Object.fromEntries(Object.keys(showConfig.meta).filter((key) => process.env[key] !== void 0).map((key) => [key, process.env[key]])),
+					secretDisplay: options.plaintext ? "plaintext" : "encrypted"
+				} : void 0;
+				printConfig(showConfig, path, showResolved ? resolveResult : void 0, printOpts);
+			});
+		});
+	});
+};
+
+//#endregion
+//#region src/mcp/resources.ts
+const loadConfigSafe = () => {
+	return resolveConfigPath().fold(() => void 0, (path) => loadConfig(path).fold(() => void 0, (config) => ({
+		config,
+		path
+	})));
+};
+const resourceDefinitions = [{
+	uri: "envpkt://health",
+	name: "Credential Health",
+	description: "Current health status of the envpkt credential packet",
+	mimeType: "application/json"
+}, {
+	uri: "envpkt://capabilities",
+	name: "Agent Capabilities",
+	description: "Capabilities declared by the agent and per-secret capability grants",
+	mimeType: "application/json"
+}];
+const readHealth = () => {
+	const loaded = loadConfigSafe();
+	if (!loaded) return { contents: [{
+		uri: "envpkt://health",
+		mimeType: "application/json",
+		text: JSON.stringify({ error: "No envpkt.toml found" })
+	}] };
+	const { config, path } = loaded;
+	const audit = computeAudit(config);
+	return { contents: [{
+		uri: "envpkt://health",
+		mimeType: "application/json",
+		text: JSON.stringify({
+			path,
+			status: audit.status,
+			total: audit.total,
+			healthy: audit.healthy,
+			expiring_soon: audit.expiring_soon,
+			expired: audit.expired,
+			stale: audit.stale,
+			missing: audit.missing
+		}, null, 2)
+	}] };
+};
+const readCapabilities = () => {
+	const loaded = loadConfigSafe();
+	if (!loaded) return { contents: [{
+		uri: "envpkt://capabilities",
+		mimeType: "application/json",
+		text: JSON.stringify({ error: "No envpkt.toml found" })
+	}] };
+	const { config } = loaded;
+	const agentCapabilities = config.agent?.capabilities ?? [];
+	const secretCapabilities = {};
+	for (const [key, meta] of Object.entries(config.meta)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	return { contents: [{
+		uri: "envpkt://capabilities",
+		mimeType: "application/json",
+		text: JSON.stringify({
+			agent: config.agent ? {
+				name: config.agent.name,
+				consumer: config.agent.consumer,
+				description: config.agent.description,
+				capabilities: agentCapabilities
+			} : null,
+			secrets: secretCapabilities
+		}, null, 2)
+	}] };
+};
+const resourceHandlers = {
+	"envpkt://health": readHealth,
+	"envpkt://capabilities": readCapabilities
+};
+const readResource = (uri) => {
+	const handler = resourceHandlers[uri];
+	return handler?.();
+};
+
+//#endregion
+//#region src/mcp/tools.ts
+const textResult = (text) => ({ content: [{
+	type: "text",
+	text
+}] });
+const errorResult = (message) => ({
+	content: [{
+		type: "text",
+		text: message
+	}],
+	isError: true
+});
+const loadConfigForTool = (configPath) => {
+	return resolveConfigPath(configPath).fold((err) => ({
+		ok: false,
+		result: errorResult(`Config error: ${err._tag} — ${err._tag === "FileNotFound" ? err.path : ""}`)
+	}), (path) => loadConfig(path).fold((err) => ({
+		ok: false,
+		result: errorResult(`Config error: ${err._tag} — ${err._tag === "ValidationError" ? err.errors.toArray().join(", ") : ""}`)
+	}), (config) => ({
+		ok: true,
+		config,
+		path
+	})));
+};
+const toolDefinitions = [
+	{
+		name: "getPacketHealth",
+		description: "Get overall health status of the envpkt credential packet — returns audit results including secret statuses, expiration info, and issues",
+		inputSchema: {
+			type: "object",
+			properties: { configPath: {
+				type: "string",
+				description: "Optional path to envpkt.toml"
+			} }
+		}
+	},
+	{
+		name: "listCapabilities",
+		description: "List capabilities declared by the agent and per-secret capabilities",
+		inputSchema: {
+			type: "object",
+			properties: { configPath: {
+				type: "string",
+				description: "Optional path to envpkt.toml"
+			} }
+		}
+	},
+	{
+		name: "getSecretMeta",
+		description: "Get metadata for a specific secret by key name — returns service, purpose, expiration, provisioner, and other five-W details",
+		inputSchema: {
+			type: "object",
+			properties: {
+				key: {
+					type: "string",
+					description: "Secret key name to look up"
+				},
+				configPath: {
+					type: "string",
+					description: "Optional path to envpkt.toml"
+				}
+			},
+			required: ["key"]
+		}
+	},
+	{
+		name: "checkExpiration",
+		description: "Check expiration status of a specific secret — returns days remaining and whether it needs rotation",
+		inputSchema: {
+			type: "object",
+			properties: {
+				key: {
+					type: "string",
+					description: "Secret key name to check"
+				},
+				configPath: {
+					type: "string",
+					description: "Optional path to envpkt.toml"
+				}
+			},
+			required: ["key"]
+		}
+	}
+];
+const handleGetPacketHealth = (args) => {
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config, path } = loaded;
+	const audit = computeAudit(config);
+	const secretDetails = audit.secrets.toArray().map((s) => ({
+		key: s.key,
+		service: s.service.fold(() => null, (sv) => sv),
+		status: s.status,
+		days_remaining: s.days_remaining.fold(() => null, (d) => d),
+		rotation_url: s.rotation_url.fold(() => null, (u) => u),
+		issues: s.issues.toArray()
+	}));
+	return textResult(JSON.stringify({
+		path,
+		status: audit.status,
+		total: audit.total,
+		healthy: audit.healthy,
+		expiring_soon: audit.expiring_soon,
+		expired: audit.expired,
+		stale: audit.stale,
+		missing: audit.missing,
+		secrets: secretDetails
+	}, null, 2));
+};
+const handleListCapabilities = (args) => {
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config } = loaded;
+	const agentCapabilities = config.agent?.capabilities ?? [];
+	const secretCapabilities = {};
+	for (const [key, meta] of Object.entries(config.meta)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	return textResult(JSON.stringify({
+		agent: config.agent ? {
+			name: config.agent.name,
+			consumer: config.agent.consumer,
+			description: config.agent.description,
+			capabilities: agentCapabilities
+		} : null,
+		secrets: secretCapabilities
+	}, null, 2));
+};
+const handleGetSecretMeta = (args) => {
+	const key = args.key;
+	if (!key) return errorResult("Missing required argument: key");
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config } = loaded;
+	const meta = config.meta[key];
+	if (!meta) return errorResult(`Secret not found: ${key}`);
+	return textResult(JSON.stringify({
+		key,
+		...meta
+	}, null, 2));
+};
+const handleCheckExpiration = (args) => {
+	const key = args.key;
+	if (!key) return errorResult("Missing required argument: key");
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config } = loaded;
+	return computeAudit(config).secrets.find((s) => s.key === key).fold(() => errorResult(`Secret not found: ${key}`), (s) => textResult(JSON.stringify({
+		key: s.key,
+		status: s.status,
+		days_remaining: s.days_remaining.fold(() => null, (d) => d),
+		expires: s.expires.fold(() => null, (e) => e),
+		rotation_url: s.rotation_url.fold(() => null, (u) => u),
+		needs_rotation: s.status === "expired" || s.status === "expiring_soon",
+		issues: s.issues.toArray()
+	}, null, 2)));
+};
+const handlers = {
+	getPacketHealth: handleGetPacketHealth,
+	listCapabilities: handleListCapabilities,
+	getSecretMeta: handleGetSecretMeta,
+	checkExpiration: handleCheckExpiration
+};
+const callTool = (name, args) => {
+	const handler = handlers[name];
+	if (!handler) return errorResult(`Unknown tool: ${name}`);
+	return handler(args);
+};
+
+//#endregion
+//#region src/mcp/server.ts
+const createServer = () => {
+	const server = new Server({
+		name: "envpkt",
+		version: "0.1.0"
+	}, {
+		capabilities: {
+			tools: {},
+			resources: {}
+		},
+		instructions: "envpkt provides credential lifecycle awareness for AI agents. Use tools to check health, capabilities, and secret metadata. No secret values are ever exposed."
+	});
+	server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: toolDefinitions.map((t) => ({
+		name: t.name,
+		description: t.description,
+		inputSchema: t.inputSchema
+	})) }));
+	server.setRequestHandler(CallToolRequestSchema, async (request) => {
+		const { name, arguments: args } = request.params;
+		return callTool(name, args ?? {});
+	});
+	server.setRequestHandler(ListResourcesRequestSchema, async () => ({ resources: [...resourceDefinitions] }));
+	server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+		const { uri } = request.params;
+		const result = readResource(uri);
+		if (!result) return { contents: [{
+			uri,
+			mimeType: "text/plain",
+			text: `Resource not found: ${uri}`
+		}] };
+		return result;
+	});
+	return server;
+};
+const startServer = async () => {
+	const server = createServer();
+	const transport = new StdioServerTransport();
+	await server.connect(transport);
+};
+
+//#endregion
+//#region src/cli/commands/mcp.ts
+const runMcp = (_options) => {
+	startServer().catch((err) => {
+		console.error("MCP server error:", err);
+		process.exit(1);
+	});
+};
+
+//#endregion
+//#region src/cli/commands/resolve.ts
+const runResolve = (options) => {
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, (configPath) => {
+		loadConfig(configPath).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			resolveConfig(config, dirname(configPath)).fold((err) => {
+				console.error(formatError(err));
+				process.exit(2);
+			}, (result) => {
+				const outputFormat = options.format ?? "toml";
+				let content;
+				if (outputFormat === "json") content = JSON.stringify(result.config, null, 2) + "\n";
+				else content = `# Generated by envpkt resolve — do not edit\n${stringify(result.config)}\n`;
+				if (options.dryRun) {
+					console.log(`${DIM}# Dry run — would write:${RESET}`);
+					console.log(content);
+				} else if (options.output) {
+					writeFileSync(options.output, content, "utf-8");
+					console.log(`${GREEN}✓${RESET} Resolved config written to ${BOLD}${options.output}${RESET}`);
+				} else process.stdout.write(content);
+				if (result.catalogPath) {
+					const summaryTarget = options.output ? process.stdout : process.stderr;
+					summaryTarget.write(`\n${CYAN}Catalog:${RESET} ${result.catalogPath}\n${GREEN}Merged:${RESET} ${result.merged.length} key(s)` + (result.overridden.length > 0 ? ` ${YELLOW}(${result.overridden.length} overridden: ${result.overridden.join(", ")})${RESET}` : "") + "\n");
+					for (const w of result.warnings) summaryTarget.write(`${RED}Warning:${RESET} ${w}\n`);
+				}
+			});
+		});
+	});
+};
+
+//#endregion
+//#region src/cli/commands/shell-hook.ts
+const ZSH_HOOK = `# envpkt shell hook — add to your .zshrc
+_envpkt_chpwd() {
+  if [[ -f envpkt.toml ]]; then
+    envpkt audit --format minimal 2>/dev/null
+  fi
+}
+
+if (( $+functions[add-zsh-hook] )); then
+  autoload -Uz add-zsh-hook
+  add-zsh-hook chpwd _envpkt_chpwd
+else
+  autoload -Uz add-zsh-hook
+  add-zsh-hook chpwd _envpkt_chpwd
+fi
+`;
+const BASH_HOOK = `# envpkt shell hook — add to your .bashrc
+_envpkt_prompt() {
+  if [[ -f envpkt.toml ]]; then
+    envpkt audit --format minimal 2>/dev/null
+  fi
+}
+
+if [[ ! "$PROMPT_COMMAND" == *"_envpkt_prompt"* ]]; then
+  PROMPT_COMMAND="_envpkt_prompt;$PROMPT_COMMAND"
+fi
+`;
+const runShellHook = (shell) => {
+	switch (shell) {
+		case "zsh":
+			console.log(ZSH_HOOK);
+			break;
+		case "bash":
+			console.log(BASH_HOOK);
+			break;
+		default:
+			console.error(`${RED}Error:${RESET} Unsupported shell: ${shell}. Use "zsh" or "bash".`);
+			process.exit(1);
+	}
+};
+
+//#endregion
+//#region src/cli/index.ts
+const program = new Command();
+program.name("envpkt").description("Credential lifecycle and fleet management for AI agents").version("0.1.0");
+program.command("init").description("Initialize a new envpkt.toml in the current directory").option("--from-fnox [path]", "Scaffold from fnox.toml (optionally specify path)").option("--catalog <path>", "Path to shared secret catalog").option("--agent", "Include [agent] section").option("--name <name>", "Agent name (requires --agent)").option("--capabilities <caps>", "Comma-separated capabilities (requires --agent)").option("--expires <date>", "Agent credential expiration YYYY-MM-DD (requires --agent)").option("--force", "Overwrite existing envpkt.toml").action((options) => {
+	runInit(process.cwd(), options);
+});
+program.command("audit").description("Audit credential health from envpkt.toml").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json | minimal", "table").option("--expiring <days>", "Show secrets expiring within N days", parseInt).option("--status <status>", "Filter by status: healthy | expiring_soon | expired | stale | missing").option("--strict", "Exit non-zero on any non-healthy secret").action((options) => {
+	runAudit(options);
+});
+program.command("fleet").description("Scan directory tree for envpkt.toml files and aggregate health").option("-d, --dir <path>", "Root directory to scan", ".").option("--depth <n>", "Max directory depth", parseInt).option("--format <format>", "Output format: table | json", "table").option("--status <status>", "Filter agents by health status").action((options) => {
+	runFleet(options);
+});
+program.command("inspect").description("Display structured view of envpkt.toml").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json", "table").option("--resolved", "Show resolved view (catalog merged)").option("--secrets", "Show secret values from environment (masked by default)").option("--plaintext", "Show secret values in plaintext (requires --secrets)").action((options) => {
+	runInspect(options);
+});
+program.command("exec").description("Run pre-flight audit then execute a command with fnox-injected env").argument("<command...>", "Command to execute").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use").option("--skip-audit", "Skip the pre-flight audit (alias: --no-check)").option("--no-check", "Skip the pre-flight audit").option("--warn-only", "Warn on critical audit but do not abort").option("--strict", "Abort on any non-healthy secret").action((args, options) => {
+	runExec(args, options);
+});
+program.command("resolve").description("Resolve catalog references and output a flat, self-contained config").option("-c, --config <path>", "Path to envpkt.toml").option("-o, --output <path>", "Write resolved config to file (default: stdout)").option("--format <format>", "Output format: toml | json", "toml").option("--dry-run", "Show what would be resolved without writing").action((options) => {
+	runResolve(options);
+});
+program.command("mcp").description("Start the envpkt MCP server (stdio transport)").option("-c, --config <path>", "Path to envpkt.toml").action((options) => {
+	runMcp(options);
+});
+const env = program.command("env").description("Discover and check credentials in your shell environment");
+env.command("scan").description("Auto-discover credentials from process.env and scaffold TOML entries").option("--format <format>", "Output format: table | json", "table").option("--write", "Write discovered credentials to envpkt.toml").option("--dry-run", "Preview TOML that would be written (implies --write)").option("--include-unknown", "Include vars where service could not be inferred").action((options) => {
+	runEnvScan(options);
+});
+env.command("check").description("Bidirectional drift detection between envpkt.toml and live environment").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json", "table").option("--strict", "Exit non-zero on any drift").action((options) => {
+	runEnvCheck(options);
+});
+program.command("shell-hook").description("Output shell function for ambient credential warnings on cd").argument("<shell>", "Shell type: zsh | bash").action((shell) => {
+	runShellHook(shell);
+});
+program.parse();
+
+//#endregion
+export {  };