envpkt 0.1.0

package/dist/index.js

@@ -0,0 +1,1769 @@
+import { FormatRegistry, Type } from "@sinclair/typebox";
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { dirname, join, resolve } from "node:path";
+import { TypeCompiler } from "@sinclair/typebox/compiler";
+import { Cond, Left, List, Option, Right, Try } from "functype";
+import { TomlDate, parse } from "smol-toml";
+import { execFileSync } from "node:child_process";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListResourcesRequestSchema, ListToolsRequestSchema, ReadResourceRequestSchema } from "@modelcontextprotocol/sdk/types.js";
+
+//#region src/core/schema.ts
+const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
+const URI_RE = /^https?:\/\/.+/;
+if (!FormatRegistry.Has("date")) FormatRegistry.Set("date", (v) => DATE_RE.test(v));
+if (!FormatRegistry.Has("uri")) FormatRegistry.Set("uri", (v) => URI_RE.test(v));
+const ConsumerType = Type.Union([
+	Type.Literal("agent"),
+	Type.Literal("service"),
+	Type.Literal("developer"),
+	Type.Literal("ci")
+], { description: "Classification of the agent's consumer type" });
+const AgentIdentitySchema = Type.Object({
+	name: Type.String({ description: "Agent display name" }),
+	consumer: Type.Optional(ConsumerType),
+	description: Type.Optional(Type.String({ description: "Agent description or role" })),
+	capabilities: Type.Optional(Type.Array(Type.String(), { description: "List of capabilities this agent provides" })),
+	expires: Type.Optional(Type.String({
+		format: "date",
+		description: "Agent credential expiration date (YYYY-MM-DD)"
+	})),
+	services: Type.Optional(Type.Array(Type.String(), { description: "Service dependencies for this agent" })),
+	identity: Type.Optional(Type.String({ description: "Path to encrypted agent key file (relative to config directory)" })),
+	recipient: Type.Optional(Type.String({ description: "Agent's age public key for encryption" })),
+	secrets: Type.Optional(Type.Array(Type.String(), { description: "Secret keys this agent needs from the catalog" }))
+}, { description: "Identity and capabilities of the AI agent using this envpkt" });
+const SecretMetaSchema = Type.Object({
+	service: Type.Optional(Type.String({ description: "Service or system this secret authenticates to" })),
+	expires: Type.Optional(Type.String({
+		format: "date",
+		description: "Date the secret expires (YYYY-MM-DD)"
+	})),
+	rotation_url: Type.Optional(Type.String({
+		format: "uri",
+		description: "URL or reference for secret rotation procedure"
+	})),
+	purpose: Type.Optional(Type.String({ description: "Why this secret exists and what it enables" })),
+	capabilities: Type.Optional(Type.Array(Type.String(), { description: "What operations this secret grants (e.g. read, write, admin)" })),
+	created: Type.Optional(Type.String({
+		format: "date",
+		description: "Date the secret was provisioned (YYYY-MM-DD)"
+	})),
+	rotates: Type.Optional(Type.String({ description: "Rotation schedule (e.g. '90d', 'quarterly')" })),
+	rate_limit: Type.Optional(Type.String({ description: "Rate limit or quota info (e.g. '1000/min')" })),
+	model_hint: Type.Optional(Type.String({ description: "Suggested model or tier for this credential" })),
+	source: Type.Optional(Type.String({ description: "Where the secret value originates (e.g. 'vault', 'ci')" })),
+	required: Type.Optional(Type.Boolean({ description: "Whether this secret is required for operation" })),
+	tags: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "Key-value tags for grouping and filtering" }))
+}, { description: "Metadata about a single secret" });
+const LifecycleConfigSchema = Type.Object({
+	stale_warning_days: Type.Optional(Type.Number({
+		default: 90,
+		description: "Days since creation to consider a secret stale"
+	})),
+	require_expiration: Type.Optional(Type.Boolean({
+		default: false,
+		description: "Require expires on all secrets"
+	})),
+	require_service: Type.Optional(Type.Boolean({
+		default: false,
+		description: "Require service on all secrets"
+	}))
+}, { description: "Policy configuration for credential lifecycle management" });
+const CallbackConfigSchema = Type.Object({
+	on_expiring: Type.Optional(Type.String({ description: "Command or webhook to invoke when secrets are expiring" })),
+	on_expired: Type.Optional(Type.String({ description: "Command or webhook to invoke when secrets have expired" })),
+	on_audit_fail: Type.Optional(Type.String({ description: "Command or webhook on audit failure" }))
+}, { description: "Automation callbacks for lifecycle events" });
+const ToolsConfigSchema = Type.Record(Type.String(), Type.Unknown(), { description: "Tool integration configuration — open namespace for third-party extensions" });
+const EnvpktConfigSchema = Type.Object({
+	version: Type.Number({
+		description: "Schema version number",
+		default: 1
+	}),
+	catalog: Type.Optional(Type.String({ description: "Path to shared secret catalog (relative to this config file)" })),
+	agent: Type.Optional(AgentIdentitySchema),
+	meta: Type.Record(Type.String(), SecretMetaSchema, { description: "Per-secret metadata keyed by secret name" }),
+	lifecycle: Type.Optional(LifecycleConfigSchema),
+	callbacks: Type.Optional(CallbackConfigSchema),
+	tools: Type.Optional(ToolsConfigSchema)
+}, {
+	$id: "envpkt",
+	title: "envpkt configuration",
+	description: "Credential lifecycle and fleet management configuration for AI agents"
+});
+
+//#endregion
+//#region src/core/config.ts
+const CONFIG_FILENAME$1 = "envpkt.toml";
+const ENV_VAR_CONFIG = "ENVPKT_CONFIG";
+const compiledSchema = TypeCompiler.Compile(EnvpktConfigSchema);
+/** Recursively convert TomlDate instances to ISO date strings */
+const normalizeDates = (obj) => {
+	if (obj instanceof TomlDate) return obj.toISOString().split("T")[0];
+	if (Array.isArray(obj)) return obj.map(normalizeDates);
+	if (obj !== null && typeof obj === "object") return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k, normalizeDates(v)]));
+	return obj;
+};
+/** Find envpkt.toml in the given directory */
+const findConfigPath = (dir) => {
+	const candidate = join(dir, CONFIG_FILENAME$1);
+	return existsSync(candidate) ? Option(candidate) : Option(void 0);
+};
+/** Read a config file, returning Either<ConfigError, string> */
+const readConfigFile = (path) => {
+	if (!existsSync(path)) return Left({
+		_tag: "FileNotFound",
+		path
+	});
+	return Try(() => readFileSync(path, "utf-8")).fold((err) => Left({
+		_tag: "ReadError",
+		message: String(err)
+	}), (content) => Right(content));
+};
+/** Ensure required fields have defaults for valid configs (e.g. agent configs with catalog may omit meta) */
+const applyDefaults = (data) => {
+	if (data !== null && typeof data === "object" && !Array.isArray(data)) {
+		const obj = data;
+		if (!("meta" in obj)) return {
+			...obj,
+			meta: {}
+		};
+	}
+	return data;
+};
+/** Parse a TOML string, returning Either<ConfigError, unknown> */
+const parseToml = (raw) => Try(() => parse(raw)).fold((err) => Left({
+	_tag: "ParseError",
+	message: String(err)
+}), (data) => Right(applyDefaults(normalizeDates(data))));
+/** Validate parsed data against the TypeBox schema */
+const validateConfig = (data) => {
+	if (compiledSchema.Check(data)) return Right(data);
+	return Left({
+		_tag: "ValidationError",
+		errors: List([...compiledSchema.Errors(data)].map((e) => `${e.path}: ${e.message}`))
+	});
+};
+/** Load and validate an envpkt.toml from a file path */
+const loadConfig = (path) => readConfigFile(path).flatMap(parseToml).flatMap(validateConfig);
+/** Load config from CWD, returning both path and parsed config */
+const loadConfigFromCwd = (cwd) => {
+	const dir = cwd ?? process.cwd();
+	return findConfigPath(dir).fold(() => Left({
+		_tag: "FileNotFound",
+		path: join(dir, CONFIG_FILENAME$1)
+	}), (path) => loadConfig(path).map((config) => ({
+		path,
+		config
+	})));
+};
+/**
+* Resolve config path via priority chain:
+* 1. Explicit flag path
+* 2. ENVPKT_CONFIG env var
+* 3. CWD discovery
+*/
+const resolveConfigPath = (flagPath, envVar, cwd) => {
+	if (flagPath) {
+		const resolved = resolve(flagPath);
+		return existsSync(resolved) ? Right(resolved) : Left({
+			_tag: "FileNotFound",
+			path: resolved
+		});
+	}
+	const envPath = envVar ?? process.env[ENV_VAR_CONFIG];
+	if (envPath) {
+		const resolved = resolve(envPath);
+		return existsSync(resolved) ? Right(resolved) : Left({
+			_tag: "FileNotFound",
+			path: resolved
+		});
+	}
+	const dir = cwd ?? process.cwd();
+	return findConfigPath(dir).fold(() => Left({
+		_tag: "FileNotFound",
+		path: join(dir, CONFIG_FILENAME$1)
+	}), (path) => Right(path));
+};
+
+//#endregion
+//#region src/core/catalog.ts
+/** Load and validate a catalog file, mapping ConfigError → CatalogError */
+const loadCatalog = (catalogPath) => loadConfig(catalogPath).fold((err) => {
+	if (err._tag === "FileNotFound") return Left({
+		_tag: "CatalogNotFound",
+		path: err.path
+	});
+	return Left({
+		_tag: "CatalogLoadError",
+		message: `${err._tag}: ${"message" in err ? err.message : String(err)}`
+	});
+}, (config) => Right(config));
+/** Resolve secrets by merging catalog meta with agent overrides (shallow merge) */
+const resolveSecrets = (agentMeta, catalogMeta, agentSecrets, catalogPath) => {
+	const resolved = {};
+	for (const key of agentSecrets) {
+		const catalogEntry = catalogMeta[key];
+		if (!catalogEntry) return Left({
+			_tag: "SecretNotInCatalog",
+			key,
+			catalogPath
+		});
+		const agentOverride = agentMeta[key];
+		if (agentOverride) resolved[key] = {
+			...catalogEntry,
+			...agentOverride
+		};
+		else resolved[key] = catalogEntry;
+	}
+	return Right(resolved);
+};
+/** Resolve an agent config against its catalog (if any), producing a flat self-contained config */
+const resolveConfig = (agentConfig, agentConfigDir) => {
+	if (!agentConfig.catalog) return Right({
+		config: agentConfig,
+		merged: [],
+		overridden: [],
+		warnings: []
+	});
+	if (!agentConfig.agent?.secrets || agentConfig.agent.secrets.length === 0) return Left({
+		_tag: "MissingSecretsList",
+		message: "Config has 'catalog' but agent.secrets is missing — declare which catalog secrets this agent needs"
+	});
+	const catalogPath = resolve(agentConfigDir, agentConfig.catalog);
+	const agentSecrets = agentConfig.agent.secrets;
+	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentConfig.meta, catalogConfig.meta, agentSecrets, catalogPath).map((resolvedMeta) => {
+		const merged = [];
+		const overridden = [];
+		const warnings = [];
+		for (const key of agentSecrets) {
+			merged.push(key);
+			if (agentConfig.meta[key]) overridden.push(key);
+		}
+		const { catalog: _catalog, ...agentWithoutCatalog } = agentConfig;
+		const agentIdentity = agentConfig.agent ? (() => {
+			const { secrets: _secrets, ...rest } = agentConfig.agent;
+			return rest;
+		})() : void 0;
+		return {
+			config: {
+				...agentWithoutCatalog,
+				agent: agentIdentity ? {
+					...agentIdentity,
+					name: agentIdentity.name
+				} : void 0,
+				meta: resolvedMeta
+			},
+			catalogPath,
+			merged,
+			overridden,
+			warnings
+		};
+	}));
+};
+
+//#endregion
+//#region src/core/format.ts
+const maskValue = (value) => {
+	if (value.length > 8) return `${value.slice(0, 3)}${"•".repeat(5)}${value.slice(-4)}`;
+	return "•".repeat(5);
+};
+const formatSecretFields = (meta, indent) => {
+	const lines = [];
+	if (meta.purpose) lines.push(`${indent}purpose: ${meta.purpose}`);
+	if (meta.capabilities) lines.push(`${indent}capabilities: ${meta.capabilities.join(", ")}`);
+	const dateLine = [];
+	if (meta.created) dateLine.push(`created: ${meta.created}`);
+	if (meta.expires) dateLine.push(`expires: ${meta.expires}`);
+	if (dateLine.length > 0) lines.push(`${indent}${dateLine.join("  ")}`);
+	const opsLine = [];
+	if (meta.rotates) opsLine.push(`rotates: ${meta.rotates}`);
+	if (meta.rate_limit) opsLine.push(`rate_limit: ${meta.rate_limit}`);
+	if (opsLine.length > 0) lines.push(`${indent}${opsLine.join("  ")}`);
+	if (meta.source) lines.push(`${indent}source: ${meta.source}`);
+	if (meta.model_hint) lines.push(`${indent}model_hint: ${meta.model_hint}`);
+	if (meta.rotation_url) lines.push(`${indent}rotation_url: ${meta.rotation_url}`);
+	if (meta.required !== void 0) lines.push(`${indent}required: ${meta.required}`);
+	if (meta.tags) {
+		const tagStr = Object.entries(meta.tags).map(([k, v]) => `${k}=${v}`).join(", ");
+		lines.push(`${indent}tags: ${tagStr}`);
+	}
+	return lines.join("\n");
+};
+const formatPacket = (result, options) => {
+	const { config } = result;
+	const sections = [];
+	if (config.agent) {
+		const consumer = config.agent.consumer ? ` (${config.agent.consumer})` : "";
+		sections.push(`envpkt packet: ${config.agent.name}${consumer}`);
+	} else sections.push("envpkt packet");
+	if (config.agent) {
+		const agentLines = [];
+		if (config.agent.description) agentLines.push(`  ${config.agent.description}`);
+		if (config.agent.capabilities) agentLines.push(`  capabilities: ${config.agent.capabilities.join(", ")}`);
+		if (config.agent.services) agentLines.push(`  services: ${config.agent.services.join(", ")}`);
+		if (config.agent.expires) agentLines.push(`  expires: ${config.agent.expires}`);
+		if (agentLines.length > 0) sections.push(agentLines.join("\n"));
+	}
+	const metaEntries = Object.entries(config.meta);
+	const secretHeader = `secrets: ${metaEntries.length}`;
+	const secretLines = metaEntries.map(([key, meta]) => {
+		const service = meta.service ?? key;
+		const secretValue = options?.secrets?.[key];
+		const header = `  ${key} → ${service}${secretValue !== void 0 ? ` = ${(options?.secretDisplay ?? "encrypted") === "plaintext" ? secretValue : maskValue(secretValue)}` : ""}`;
+		const fields = formatSecretFields(meta, "    ");
+		return fields ? `${header}\n${fields}` : header;
+	});
+	sections.push([secretHeader, ...secretLines].join("\n"));
+	if (config.lifecycle) {
+		const lcLines = ["lifecycle:"];
+		if (config.lifecycle.stale_warning_days !== void 0) lcLines.push(`  stale_warning_days: ${config.lifecycle.stale_warning_days}`);
+		if (config.lifecycle.require_expiration !== void 0) lcLines.push(`  require_expiration: ${config.lifecycle.require_expiration}`);
+		if (config.lifecycle.require_service !== void 0) lcLines.push(`  require_service: ${config.lifecycle.require_service}`);
+		if (lcLines.length > 1) sections.push(lcLines.join("\n"));
+	}
+	if (result.catalogPath) {
+		const catLines = [`catalog: ${result.catalogPath}`];
+		catLines.push(`  merged: ${result.merged.length} keys`);
+		if (result.overridden.length > 0) catLines.push(`  overridden: ${result.overridden.join(", ")}`);
+		else catLines.push("  overridden: (none)");
+		if (result.warnings.length > 0) for (const w of result.warnings) catLines.push(`  warning: ${w}`);
+		sections.push(catLines.join("\n"));
+	}
+	return sections.join("\n\n");
+};
+
+//#endregion
+//#region src/core/audit.ts
+const MS_PER_DAY = 864e5;
+const WARN_BEFORE_DAYS = 30;
+const daysBetween = (from, to) => Math.floor((to.getTime() - from.getTime()) / MS_PER_DAY);
+const parseDate = (dateStr) => {
+	const d = /* @__PURE__ */ new Date(dateStr + "T00:00:00Z");
+	return Number.isNaN(d.getTime()) ? Option(void 0) : Option(d);
+};
+const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration, requireService, today) => {
+	const issues = [];
+	const created = Option(meta?.created).flatMap(parseDate);
+	const expires = Option(meta?.expires).flatMap(parseDate);
+	const rotationUrl = Option(meta?.rotation_url);
+	const purpose = Option(meta?.purpose);
+	const service = Option(meta?.service);
+	const daysRemaining = expires.map((exp) => daysBetween(today, exp));
+	const daysSinceCreated = created.map((c) => daysBetween(c, today));
+	const isExpired = daysRemaining.fold(() => false, (d) => d < 0);
+	const isExpiringSoon = daysRemaining.fold(() => false, (d) => d >= 0 && d <= WARN_BEFORE_DAYS);
+	const isStale = daysSinceCreated.fold(() => false, (d) => d > staleWarningDays);
+	const isMissing = fnoxKeys.size > 0 && !fnoxKeys.has(key);
+	const isMissingMetadata = requireExpiration && expires.isNone() || requireService && service.isNone();
+	if (isExpired) issues.push("Secret has expired");
+	if (isExpiringSoon) issues.push(`Expires in ${daysRemaining.fold(() => "?", (d) => String(d))} days`);
+	if (isStale) issues.push("Secret is stale (no rotation detected)");
+	if (isMissing) issues.push("Key not found in fnox");
+	if (isMissingMetadata) {
+		if (requireExpiration && expires.isNone()) issues.push("Missing required expiration date");
+		if (requireService && service.isNone()) issues.push("Missing required service");
+	}
+	return {
+		key,
+		service,
+		status: Cond.of().when(isExpired, "expired").elseWhen(isMissing, "missing").elseWhen(isMissingMetadata, "missing_metadata").elseWhen(isExpiringSoon, "expiring_soon").elseWhen(isStale, "stale").else("healthy"),
+		days_remaining: daysRemaining,
+		rotation_url: rotationUrl,
+		purpose,
+		created: Option(meta?.created),
+		expires: Option(meta?.expires),
+		issues: List(issues)
+	};
+};
+const computeAudit = (config, fnoxKeys, today) => {
+	const now = today ?? /* @__PURE__ */ new Date();
+	const lifecycle = config.lifecycle ?? {};
+	const staleWarningDays = lifecycle.stale_warning_days ?? 90;
+	const requireExpiration = lifecycle.require_expiration ?? false;
+	const requireService = lifecycle.require_service ?? false;
+	const keys = fnoxKeys ?? /* @__PURE__ */ new Set();
+	const metaKeys = new Set(Object.keys(config.meta));
+	const secrets = List(Object.entries(config.meta).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
+	const orphaned = keys.size > 0 ? [...metaKeys].filter((k) => !keys.has(k)).length : 0;
+	const total = secrets.size;
+	const expired = secrets.count((s) => s.status === "expired");
+	const missing = secrets.count((s) => s.status === "missing");
+	const missing_metadata = secrets.count((s) => s.status === "missing_metadata");
+	const expiring_soon = secrets.count((s) => s.status === "expiring_soon");
+	const stale = secrets.count((s) => s.status === "stale");
+	const healthy = secrets.count((s) => s.status === "healthy");
+	return {
+		status: Cond.of().when(expired > 0 || missing > 0, "critical").elseWhen(expiring_soon > 0 || stale > 0 || missing_metadata > 0, "degraded").else("healthy"),
+		secrets,
+		total,
+		healthy,
+		expiring_soon,
+		expired,
+		stale,
+		missing,
+		missing_metadata,
+		orphaned,
+		agent: config.agent
+	};
+};
+
+//#endregion
+//#region src/core/patterns.ts
+const EXCLUDED_VARS = new Set([
+	"PATH",
+	"HOME",
+	"USER",
+	"SHELL",
+	"TERM",
+	"LANG",
+	"LC_ALL",
+	"LC_CTYPE",
+	"DISPLAY",
+	"EDITOR",
+	"VISUAL",
+	"PAGER",
+	"HOSTNAME",
+	"LOGNAME",
+	"MAIL",
+	"OLDPWD",
+	"PWD",
+	"SHLVL",
+	"TMPDIR",
+	"TZ",
+	"XDG_CACHE_HOME",
+	"XDG_CONFIG_HOME",
+	"XDG_DATA_HOME",
+	"XDG_RUNTIME_DIR",
+	"XDG_SESSION_TYPE",
+	"NODE_ENV",
+	"NODE_PATH",
+	"NODE_OPTIONS",
+	"NVM_DIR",
+	"NVM_BIN",
+	"NVM_INC",
+	"NVM_CD_FLAGS",
+	"NPM_CONFIG_PREFIX",
+	"GOPATH",
+	"GOROOT",
+	"CARGO_HOME",
+	"RUSTUP_HOME",
+	"JAVA_HOME",
+	"ANDROID_HOME",
+	"PYENV_ROOT",
+	"VIRTUAL_ENV",
+	"CONDA_PREFIX",
+	"CONDA_DEFAULT_ENV",
+	"MANPATH",
+	"INFOPATH",
+	"LESS",
+	"LSCOLORS",
+	"LS_COLORS",
+	"COLORTERM",
+	"TERM_PROGRAM",
+	"TERM_PROGRAM_VERSION",
+	"TERM_SESSION_ID",
+	"ITERM_SESSION_ID",
+	"ITERM_PROFILE",
+	"SSH_AUTH_SOCK",
+	"SSH_AGENT_PID",
+	"GPG_TTY",
+	"GNUPGHOME",
+	"DBUS_SESSION_BUS_ADDRESS",
+	"WAYLAND_DISPLAY",
+	"ZDOTDIR",
+	"ZSH",
+	"HISTFILE",
+	"HISTSIZE",
+	"SAVEHIST",
+	"_",
+	"__CF_USER_TEXT_ENCODING",
+	"Apple_PubSub_Socket_Render",
+	"COMMAND_MODE",
+	"SECURITYSESSIONID",
+	"LaunchInstanceID",
+	"PNPM_HOME",
+	"BUN_INSTALL",
+	"FNM_DIR",
+	"FNM_MULTISHELL_PATH",
+	"FNM_VERSION_FILE_STRATEGY",
+	"FNM_LOGLEVEL",
+	"FNM_NODE_DIST_MIRROR",
+	"FNM_ARCH",
+	"VOLTA_HOME"
+]);
+const EXACT_NAME_PATTERNS = [
+	{
+		kind: "name",
+		pattern: "OPENAI_API_KEY",
+		service: "openai",
+		confidence: "high",
+		description: "OpenAI API key"
+	},
+	{
+		kind: "name",
+		pattern: "OPENAI_ORG_ID",
+		service: "openai",
+		confidence: "high",
+		description: "OpenAI org ID"
+	},
+	{
+		kind: "name",
+		pattern: "ANTHROPIC_API_KEY",
+		service: "anthropic",
+		confidence: "high",
+		description: "Anthropic API key"
+	},
+	{
+		kind: "name",
+		pattern: "AWS_ACCESS_KEY_ID",
+		service: "aws",
+		confidence: "high",
+		description: "AWS access key ID"
+	},
+	{
+		kind: "name",
+		pattern: "AWS_SECRET_ACCESS_KEY",
+		service: "aws",
+		confidence: "high",
+		description: "AWS secret access key"
+	},
+	{
+		kind: "name",
+		pattern: "AWS_SESSION_TOKEN",
+		service: "aws",
+		confidence: "high",
+		description: "AWS session token"
+	},
+	{
+		kind: "name",
+		pattern: "GOOGLE_APPLICATION_CREDENTIALS",
+		service: "gcp",
+		confidence: "high",
+		description: "Google Cloud service account path"
+	},
+	{
+		kind: "name",
+		pattern: "GOOGLE_API_KEY",
+		service: "google",
+		confidence: "high",
+		description: "Google API key"
+	},
+	{
+		kind: "name",
+		pattern: "GCP_PROJECT_ID",
+		service: "gcp",
+		confidence: "medium",
+		description: "GCP project ID"
+	},
+	{
+		kind: "name",
+		pattern: "AZURE_CLIENT_ID",
+		service: "azure",
+		confidence: "high",
+		description: "Azure client ID"
+	},
+	{
+		kind: "name",
+		pattern: "AZURE_CLIENT_SECRET",
+		service: "azure",
+		confidence: "high",
+		description: "Azure client secret"
+	},
+	{
+		kind: "name",
+		pattern: "AZURE_TENANT_ID",
+		service: "azure",
+		confidence: "high",
+		description: "Azure tenant ID"
+	},
+	{
+		kind: "name",
+		pattern: "STRIPE_SECRET_KEY",
+		service: "stripe",
+		confidence: "high",
+		description: "Stripe secret key"
+	},
+	{
+		kind: "name",
+		pattern: "STRIPE_PUBLISHABLE_KEY",
+		service: "stripe",
+		confidence: "high",
+		description: "Stripe publishable key"
+	},
+	{
+		kind: "name",
+		pattern: "STRIPE_WEBHOOK_SECRET",
+		service: "stripe",
+		confidence: "high",
+		description: "Stripe webhook secret"
+	},
+	{
+		kind: "name",
+		pattern: "GITHUB_TOKEN",
+		service: "github",
+		confidence: "high",
+		description: "GitHub token"
+	},
+	{
+		kind: "name",
+		pattern: "GH_TOKEN",
+		service: "github",
+		confidence: "high",
+		description: "GitHub token (gh CLI)"
+	},
+	{
+		kind: "name",
+		pattern: "SLACK_BOT_TOKEN",
+		service: "slack",
+		confidence: "high",
+		description: "Slack bot token"
+	},
+	{
+		kind: "name",
+		pattern: "SLACK_SIGNING_SECRET",
+		service: "slack",
+		confidence: "high",
+		description: "Slack signing secret"
+	},
+	{
+		kind: "name",
+		pattern: "SLACK_WEBHOOK_URL",
+		service: "slack",
+		confidence: "high",
+		description: "Slack webhook URL"
+	},
+	{
+		kind: "name",
+		pattern: "TWILIO_ACCOUNT_SID",
+		service: "twilio",
+		confidence: "high",
+		description: "Twilio account SID"
+	},
+	{
+		kind: "name",
+		pattern: "TWILIO_AUTH_TOKEN",
+		service: "twilio",
+		confidence: "high",
+		description: "Twilio auth token"
+	},
+	{
+		kind: "name",
+		pattern: "SENDGRID_API_KEY",
+		service: "sendgrid",
+		confidence: "high",
+		description: "SendGrid API key"
+	},
+	{
+		kind: "name",
+		pattern: "SUPABASE_URL",
+		service: "supabase",
+		confidence: "high",
+		description: "Supabase project URL"
+	},
+	{
+		kind: "name",
+		pattern: "SUPABASE_ANON_KEY",
+		service: "supabase",
+		confidence: "high",
+		description: "Supabase anon key"
+	},
+	{
+		kind: "name",
+		pattern: "SUPABASE_SERVICE_ROLE_KEY",
+		service: "supabase",
+		confidence: "high",
+		description: "Supabase service role key"
+	},
+	{
+		kind: "name",
+		pattern: "DATABASE_URL",
+		service: "database",
+		confidence: "high",
+		description: "Database URL"
+	},
+	{
+		kind: "name",
+		pattern: "DATABASE_PASSWORD",
+		service: "database",
+		confidence: "high",
+		description: "Database password"
+	},
+	{
+		kind: "name",
+		pattern: "REDIS_URL",
+		service: "redis",
+		confidence: "high",
+		description: "Redis URL"
+	},
+	{
+		kind: "name",
+		pattern: "MONGODB_URI",
+		service: "mongodb",
+		confidence: "high",
+		description: "MongoDB URI"
+	},
+	{
+		kind: "name",
+		pattern: "DD_API_KEY",
+		service: "datadog",
+		confidence: "high",
+		description: "Datadog API key"
+	},
+	{
+		kind: "name",
+		pattern: "DD_APP_KEY",
+		service: "datadog",
+		confidence: "high",
+		description: "Datadog app key"
+	},
+	{
+		kind: "name",
+		pattern: "SENTRY_DSN",
+		service: "sentry",
+		confidence: "high",
+		description: "Sentry DSN"
+	},
+	{
+		kind: "name",
+		pattern: "SENTRY_AUTH_TOKEN",
+		service: "sentry",
+		confidence: "high",
+		description: "Sentry auth token"
+	},
+	{
+		kind: "name",
+		pattern: "VERCEL_TOKEN",
+		service: "vercel",
+		confidence: "high",
+		description: "Vercel token"
+	},
+	{
+		kind: "name",
+		pattern: "NETLIFY_AUTH_TOKEN",
+		service: "netlify",
+		confidence: "high",
+		description: "Netlify auth token"
+	},
+	{
+		kind: "name",
+		pattern: "CLOUDFLARE_API_TOKEN",
+		service: "cloudflare",
+		confidence: "high",
+		description: "Cloudflare API token"
+	},
+	{
+		kind: "name",
+		pattern: "CF_API_TOKEN",
+		service: "cloudflare",
+		confidence: "high",
+		description: "Cloudflare API token"
+	},
+	{
+		kind: "name",
+		pattern: "DOCKER_PASSWORD",
+		service: "docker",
+		confidence: "high",
+		description: "Docker password"
+	},
+	{
+		kind: "name",
+		pattern: "DOCKER_TOKEN",
+		service: "docker",
+		confidence: "high",
+		description: "Docker token"
+	},
+	{
+		kind: "name",
+		pattern: "NPM_TOKEN",
+		service: "npm",
+		confidence: "high",
+		description: "npm token"
+	},
+	{
+		kind: "name",
+		pattern: "HF_TOKEN",
+		service: "huggingface",
+		confidence: "high",
+		description: "Hugging Face token"
+	},
+	{
+		kind: "name",
+		pattern: "HUGGING_FACE_HUB_TOKEN",
+		service: "huggingface",
+		confidence: "high",
+		description: "Hugging Face Hub token"
+	},
+	{
+		kind: "name",
+		pattern: "COHERE_API_KEY",
+		service: "cohere",
+		confidence: "high",
+		description: "Cohere API key"
+	},
+	{
+		kind: "name",
+		pattern: "REPLICATE_API_TOKEN",
+		service: "replicate",
+		confidence: "high",
+		description: "Replicate API token"
+	},
+	{
+		kind: "name",
+		pattern: "PINECONE_API_KEY",
+		service: "pinecone",
+		confidence: "high",
+		description: "Pinecone API key"
+	},
+	{
+		kind: "name",
+		pattern: "LINEAR_API_KEY",
+		service: "linear",
+		confidence: "high",
+		description: "Linear API key"
+	}
+];
+const SUFFIX_PATTERNS = [
+	{
+		suffix: "_API_KEY",
+		description: "API key"
+	},
+	{
+		suffix: "_SECRET_KEY",
+		description: "Secret key"
+	},
+	{
+		suffix: "_SECRET",
+		description: "Secret"
+	},
+	{
+		suffix: "_TOKEN",
+		description: "Token"
+	},
+	{
+		suffix: "_PASSWORD",
+		description: "Password"
+	},
+	{
+		suffix: "_PASS",
+		description: "Password"
+	},
+	{
+		suffix: "_AUTH_TOKEN",
+		description: "Auth token"
+	},
+	{
+		suffix: "_ACCESS_TOKEN",
+		description: "Access token"
+	},
+	{
+		suffix: "_PRIVATE_KEY",
+		description: "Private key"
+	},
+	{
+		suffix: "_SIGNING_KEY",
+		description: "Signing key"
+	},
+	{
+		suffix: "_WEBHOOK_SECRET",
+		description: "Webhook secret"
+	},
+	{
+		suffix: "_DSN",
+		description: "DSN"
+	},
+	{
+		suffix: "_CONNECTION_STRING",
+		description: "Connection string"
+	}
+];
+const VALUE_SHAPE_PATTERNS = [
+	{
+		prefix: "sk-ant-",
+		service: "anthropic",
+		description: "Anthropic API key"
+	},
+	{
+		prefix: "sk-",
+		service: "openai",
+		description: "OpenAI API key"
+	},
+	{
+		prefix: "sk_live_",
+		service: "stripe",
+		description: "Stripe live secret key"
+	},
+	{
+		prefix: "sk_test_",
+		service: "stripe",
+		description: "Stripe test secret key"
+	},
+	{
+		prefix: "pk_live_",
+		service: "stripe",
+		description: "Stripe live publishable key"
+	},
+	{
+		prefix: "pk_test_",
+		service: "stripe",
+		description: "Stripe test publishable key"
+	},
+	{
+		prefix: "whsec_",
+		service: "stripe",
+		description: "Stripe webhook secret"
+	},
+	{
+		prefix: "AKIA",
+		service: "aws",
+		description: "AWS access key ID"
+	},
+	{
+		prefix: "ghp_",
+		service: "github",
+		description: "GitHub personal access token"
+	},
+	{
+		prefix: "gho_",
+		service: "github",
+		description: "GitHub OAuth token"
+	},
+	{
+		prefix: "ghs_",
+		service: "github",
+		description: "GitHub server-to-server token"
+	},
+	{
+		prefix: "ghu_",
+		service: "github",
+		description: "GitHub user-to-server token"
+	},
+	{
+		prefix: "github_pat_",
+		service: "github",
+		description: "GitHub fine-grained PAT"
+	},
+	{
+		prefix: "xoxb-",
+		service: "slack",
+		description: "Slack bot token"
+	},
+	{
+		prefix: "xoxp-",
+		service: "slack",
+		description: "Slack user token"
+	},
+	{
+		prefix: "xoxa-",
+		service: "slack",
+		description: "Slack app token"
+	},
+	{
+		prefix: "xoxs-",
+		service: "slack",
+		description: "Slack legacy token"
+	},
+	{
+		prefix: "SG.",
+		service: "sendgrid",
+		description: "SendGrid API key"
+	},
+	{
+		prefix: "hf_",
+		service: "huggingface",
+		description: "Hugging Face token"
+	},
+	{
+		prefix: "r8_",
+		service: "replicate",
+		description: "Replicate API token"
+	},
+	{
+		prefix: "eyJ",
+		service: "jwt",
+		description: "JWT token"
+	},
+	{
+		prefix: "postgres://",
+		service: "postgresql",
+		description: "PostgreSQL connection string"
+	},
+	{
+		prefix: "postgresql://",
+		service: "postgresql",
+		description: "PostgreSQL connection string"
+	},
+	{
+		prefix: "mysql://",
+		service: "mysql",
+		description: "MySQL connection string"
+	},
+	{
+		prefix: "mongodb://",
+		service: "mongodb",
+		description: "MongoDB connection string"
+	},
+	{
+		prefix: "mongodb+srv://",
+		service: "mongodb",
+		description: "MongoDB SRV connection string"
+	},
+	{
+		prefix: "redis://",
+		service: "redis",
+		description: "Redis connection string"
+	},
+	{
+		prefix: "rediss://",
+		service: "redis",
+		description: "Redis TLS connection string"
+	},
+	{
+		prefix: "amqp://",
+		service: "rabbitmq",
+		description: "RabbitMQ connection string"
+	},
+	{
+		prefix: "amqps://",
+		service: "rabbitmq",
+		description: "RabbitMQ TLS connection string"
+	}
+];
+/** Detect service from value prefix/shape */
+const matchValueShape = (value) => {
+	for (const vp of VALUE_SHAPE_PATTERNS) if (value.startsWith(vp.prefix)) return Option({
+		service: vp.service,
+		description: vp.description
+	});
+	return Option(void 0);
+};
+/** Strip common suffixes and derive a service name from an env var name */
+const deriveServiceFromName = (name) => {
+	const suffixes = [
+		"_API_KEY",
+		"_SECRET_KEY",
+		"_ACCESS_KEY",
+		"_PRIVATE_KEY",
+		"_SIGNING_KEY",
+		"_AUTH_TOKEN",
+		"_ACCESS_TOKEN",
+		"_WEBHOOK_SECRET",
+		"_CONNECTION_STRING",
+		"_SECRET",
+		"_TOKEN",
+		"_PASSWORD",
+		"_PASS",
+		"_KEY",
+		"_DSN",
+		"_URL",
+		"_URI"
+	];
+	let stripped = name;
+	for (const suffix of suffixes) if (stripped.endsWith(suffix)) {
+		stripped = stripped.slice(0, -suffix.length);
+		break;
+	}
+	return stripped.toLowerCase().replace(/_/g, "-");
+};
+/** Match a single env var against all patterns */
+const matchEnvVar = (name, value) => {
+	if (EXCLUDED_VARS.has(name)) return Option(void 0);
+	for (const p of EXACT_NAME_PATTERNS) if (name === p.pattern) return Option({
+		envVar: name,
+		value,
+		service: Option(p.service),
+		confidence: p.confidence,
+		matchedBy: `exact:${p.pattern}`
+	});
+	return matchValueShape(value).fold(() => {
+		for (const sp of SUFFIX_PATTERNS) if (name.endsWith(sp.suffix)) return Option({
+			envVar: name,
+			value,
+			service: Option(deriveServiceFromName(name)),
+			confidence: "medium",
+			matchedBy: `suffix:${sp.suffix}`
+		});
+		return Option(void 0);
+	}, (vm) => Option({
+		envVar: name,
+		value,
+		service: Option(vm.service),
+		confidence: "high",
+		matchedBy: `value:${vm.description}`
+	}));
+};
+/** Scan full env, sorted by confidence (high first) then alphabetically */
+const scanEnv = (env) => {
+	const results = [];
+	for (const [name, value] of Object.entries(env)) {
+		if (value === void 0 || value === "") continue;
+		matchEnvVar(name, value).fold(() => {}, (m) => results.push(m));
+	}
+	const confidenceOrder = {
+		high: 0,
+		medium: 1,
+		low: 2
+	};
+	results.sort((a, b) => {
+		const conf = confidenceOrder[a.confidence] - confidenceOrder[b.confidence];
+		if (conf !== 0) return conf;
+		return a.envVar.localeCompare(b.envVar);
+	});
+	return results;
+};
+
+//#endregion
+//#region src/core/env.ts
+/** Scan env for credentials, returning structured results */
+const envScan = (env, options) => {
+	const allMatches = scanEnv(env);
+	const discovered = options?.includeUnknown ? allMatches : allMatches.filter((m) => m.service.isSome());
+	const total_scanned = Object.keys(env).length;
+	const high_confidence = discovered.filter((m) => m.confidence === "high").length;
+	const medium_confidence = discovered.filter((m) => m.confidence === "medium").length;
+	const low_confidence = discovered.filter((m) => m.confidence === "low").length;
+	return {
+		discovered: List(discovered),
+		total_scanned,
+		high_confidence,
+		medium_confidence,
+		low_confidence
+	};
+};
+/** Bidirectional drift detection between config and live environment */
+const envCheck = (config, env) => {
+	const entries = [];
+	const metaKeys = Object.keys(config.meta);
+	const trackedSet = new Set(metaKeys);
+	for (const key of metaKeys) {
+		const meta = config.meta[key];
+		const present = env[key] !== void 0 && env[key] !== "";
+		entries.push({
+			envVar: key,
+			service: Option(meta?.service),
+			status: present ? "tracked" : "missing_from_env",
+			confidence: Option(void 0)
+		});
+	}
+	const envMatches = scanEnv(env);
+	for (const match of envMatches) if (!trackedSet.has(match.envVar)) entries.push({
+		envVar: match.envVar,
+		service: match.service,
+		status: "untracked",
+		confidence: Option(match.confidence)
+	});
+	const tracked_and_present = entries.filter((e) => e.status === "tracked").length;
+	const missing_from_env = entries.filter((e) => e.status === "missing_from_env").length;
+	const untracked_credentials = entries.filter((e) => e.status === "untracked").length;
+	return {
+		entries: List(entries),
+		tracked_and_present,
+		missing_from_env,
+		untracked_credentials,
+		is_clean: missing_from_env === 0 && untracked_credentials === 0
+	};
+};
+const todayIso = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+/** Generate TOML [meta.*] blocks from scan results, mirroring init.ts pattern */
+const generateTomlFromScan = (matches) => {
+	const blocks = [];
+	for (const match of matches) {
+		const svc = match.service.fold(() => match.envVar.toLowerCase().replace(/_/g, "-"), (s) => s);
+		blocks.push(`[meta.${match.envVar}]
+service = "${svc}"
+# purpose = ""               # Why: what this secret enables
+# capabilities = []          # What operations this grants
+created = "${todayIso()}"
+# expires = ""               # When: YYYY-MM-DD expiration date
+# rotation_url = ""          # URL for rotation procedure
+# source = ""                # Where the value originates (e.g. vault, ci)
+# tags = {}
+`);
+	}
+	return blocks.join("\n");
+};
+
+//#endregion
+//#region src/fnox/cli.ts
+/** Export all secrets from fnox as key=value pairs for a given profile */
+const fnoxExport = (profile, agentKey) => {
+	const args = profile ? [
+		"export",
+		"--profile",
+		profile
+	] : ["export"];
+	const env = agentKey ? {
+		...process.env,
+		FNOX_AGE_KEY: agentKey
+	} : void 0;
+	return Try(() => execFileSync("fnox", args, {
+		stdio: "pipe",
+		encoding: "utf-8",
+		env
+	})).fold((err) => Left({
+		_tag: "FnoxCliError",
+		message: `fnox export failed: ${err}`
+	}), (output) => {
+		const entries = {};
+		for (const line of output.split("\n")) {
+			const eq = line.indexOf("=");
+			if (eq > 0) {
+				const key = line.slice(0, eq).trim();
+				entries[key] = line.slice(eq + 1).trim();
+			}
+		}
+		return Right(entries);
+	});
+};
+/** Get a single secret value from fnox */
+const fnoxGet = (key, profile, agentKey) => {
+	const args = profile ? [
+		"get",
+		key,
+		"--profile",
+		profile
+	] : ["get", key];
+	const env = agentKey ? {
+		...process.env,
+		FNOX_AGE_KEY: agentKey
+	} : void 0;
+	return Try(() => execFileSync("fnox", args, {
+		stdio: "pipe",
+		encoding: "utf-8",
+		env
+	})).fold((err) => Left({
+		_tag: "FnoxCliError",
+		message: `fnox get ${key} failed: ${err}`
+	}), (output) => Right(output.trim()));
+};
+
+//#endregion
+//#region src/fnox/detect.ts
+const FNOX_CONFIG = "fnox.toml";
+/** Detect fnox.toml in the given directory */
+const detectFnox = (dir) => {
+	const candidate = join(dir, FNOX_CONFIG);
+	return existsSync(candidate) ? Option(candidate) : Option(void 0);
+};
+/** Check if fnox CLI is available on PATH */
+const fnoxAvailable = () => Try(() => {
+	execFileSync("fnox", ["--version"], { stdio: "pipe" });
+	return true;
+}).fold(() => false, (v) => v);
+
+//#endregion
+//#region src/fnox/identity.ts
+/** Check if the age CLI is available on PATH */
+const ageAvailable = () => Try(() => {
+	execFileSync("age", ["--version"], { stdio: "pipe" });
+	return true;
+}).fold(() => false, (v) => v);
+/** Unwrap an encrypted agent key using age --decrypt */
+const unwrapAgentKey = (identityPath) => {
+	if (!existsSync(identityPath)) return Left({
+		_tag: "IdentityNotFound",
+		path: identityPath
+	});
+	if (!ageAvailable()) return Left({
+		_tag: "AgeNotFound",
+		message: "age CLI not found on PATH"
+	});
+	return Try(() => execFileSync("age", ["--decrypt", identityPath], {
+		stdio: [
+			"pipe",
+			"pipe",
+			"pipe"
+		],
+		encoding: "utf-8"
+	})).fold((err) => Left({
+		_tag: "DecryptFailed",
+		message: `age decrypt failed: ${err}`
+	}), (output) => Right(output.trim()));
+};
+
+//#endregion
+//#region src/fnox/parse.ts
+/** Read and parse fnox.toml, extracting secret keys and profiles */
+const readFnoxConfig = (path) => Try(() => readFileSync(path, "utf-8")).fold((err) => Left({
+	_tag: "FnoxParseError",
+	message: `Failed to read ${path}: ${err}`
+}), (content) => Try(() => parse(content)).fold((err) => Left({
+	_tag: "FnoxParseError",
+	message: `Failed to parse fnox.toml: ${err}`
+}), (data) => {
+	const profiles = data["profiles"] && typeof data["profiles"] === "object" ? Option(data["profiles"]) : Option(void 0);
+	const secrets = { ...data };
+	delete secrets["profiles"];
+	return Right({
+		secrets,
+		profiles
+	});
+}));
+/** Extract the set of secret key names from a parsed fnox config */
+const extractFnoxKeys = (config) => new Set(Object.keys(config.secrets));
+
+//#endregion
+//#region src/core/boot.ts
+const resolveAndLoad = (opts) => resolveConfigPath(opts.configPath).fold((err) => Left(err), (configPath) => loadConfig(configPath).fold((err) => Left(err), (config) => {
+	const configDir = dirname(configPath);
+	return resolveConfig(config, configDir).fold((err) => Left(err), (result) => Right({
+		config: result.config,
+		configPath,
+		configDir
+	}));
+}));
+const resolveAgentKey = (config, configDir) => {
+	if (!config.agent?.identity) return Right(void 0);
+	return unwrapAgentKey(resolve(configDir, config.agent.identity)).fold((err) => Left(err), (key) => Right(key));
+};
+const detectFnoxKeys = (configDir) => detectFnox(configDir).fold(() => /* @__PURE__ */ new Set(), (fnoxPath) => readFnoxConfig(fnoxPath).fold(() => /* @__PURE__ */ new Set(), (fnoxConfig) => extractFnoxKeys(fnoxConfig)));
+const checkExpiration = (audit, failOnExpired, warnOnly) => {
+	const warnings = [];
+	if (audit.expired > 0 && failOnExpired && !warnOnly) return Left({
+		_tag: "AuditFailed",
+		audit,
+		message: `${audit.expired} secret(s) have expired`
+	});
+	if (audit.expired > 0 && warnOnly) warnings.push(`${audit.expired} secret(s) have expired (warn-only mode)`);
+	return Right(warnings);
+};
+/** Programmatic boot — returns Either<BootError, BootResult> */
+const bootSafe = (options) => {
+	const opts = options ?? {};
+	const inject = opts.inject !== false;
+	const failOnExpired = opts.failOnExpired !== false;
+	const warnOnly = opts.warnOnly ?? false;
+	return resolveAndLoad(opts).flatMap(({ config, configDir }) => resolveAgentKey(config, configDir).flatMap((agentKey) => {
+		const audit = computeAudit(config, detectFnoxKeys(configDir));
+		return checkExpiration(audit, failOnExpired, warnOnly).map((warnings) => {
+			const secrets = {};
+			const injected = [];
+			const skipped = [];
+			const metaKeys = Object.keys(config.meta);
+			if (fnoxAvailable()) fnoxExport(opts.profile, agentKey).fold((err) => {
+				warnings.push(`fnox export failed: ${err.message}`);
+				for (const key of metaKeys) skipped.push(key);
+			}, (exported) => {
+				for (const key of metaKeys) if (key in exported) {
+					secrets[key] = exported[key];
+					injected.push(key);
+				} else skipped.push(key);
+			});
+			else {
+				warnings.push("fnox not available — no secrets injected");
+				for (const key of metaKeys) skipped.push(key);
+			}
+			if (inject) for (const [key, value] of Object.entries(secrets)) process.env[key] = value;
+			return {
+				audit,
+				injected,
+				skipped,
+				secrets,
+				warnings
+			};
+		});
+	}));
+};
+/** Programmatic boot — throws EnvpktBootError on failure */
+const boot = (options) => bootSafe(options).fold((err) => {
+	throw new EnvpktBootError(err);
+}, (r) => r);
+/** Error class for boot() failures */
+var EnvpktBootError = class extends Error {
+	error;
+	constructor(error) {
+		super(formatBootError(error));
+		this.name = "EnvpktBootError";
+		this.error = error;
+	}
+};
+const formatBootError = (error) => {
+	switch (error._tag) {
+		case "FileNotFound": return `Config not found: ${error.path}`;
+		case "ParseError": return `Config parse error: ${error.message}`;
+		case "ValidationError": return `Config validation failed: ${error.errors.toArray().join(", ")}`;
+		case "ReadError": return `Config read error: ${error.message}`;
+		case "FnoxNotFound": return `fnox not found: ${error.message}`;
+		case "FnoxCliError": return `fnox CLI error: ${error.message}`;
+		case "FnoxParseError": return `fnox parse error: ${error.message}`;
+		case "AuditFailed": return `Audit failed: ${error.message}`;
+		case "CatalogNotFound": return `Catalog not found: ${error.path}`;
+		case "CatalogLoadError": return `Catalog load error: ${error.message}`;
+		case "SecretNotInCatalog": return `Secret "${error.key}" not found in catalog: ${error.catalogPath}`;
+		case "MissingSecretsList": return `Missing secrets list: ${error.message}`;
+		case "AgeNotFound": return `age not found: ${error.message}`;
+		case "DecryptFailed": return `Decrypt failed: ${error.message}`;
+		case "IdentityNotFound": return `Identity file not found: ${error.path}`;
+		default: return `Boot error: ${JSON.stringify(error)}`;
+	}
+};
+
+//#endregion
+//#region src/core/fleet.ts
+const CONFIG_FILENAME = "envpkt.toml";
+const SKIP_DIRS = new Set([
+	"node_modules",
+	".git",
+	".hg",
+	".svn",
+	"dist",
+	"build",
+	"lib",
+	".claude",
+	"__pycache__",
+	"target",
+	"out",
+	"tmp",
+	".terraform",
+	".gradle",
+	".cargo",
+	".venv",
+	".next",
+	".cache",
+	".tox",
+	"vendor",
+	"coverage",
+	".nyc_output",
+	".turbo"
+]);
+function* findEnvpktFiles(dir, maxDepth, currentDepth = 0) {
+	if (currentDepth > maxDepth) return;
+	const configPath = join(dir, CONFIG_FILENAME);
+	if (Try(() => statSync(configPath).isFile()).fold(() => false, (v) => v)) yield configPath;
+	if (currentDepth >= maxDepth) return;
+	let entries = [];
+	Try(() => readdirSync(dir, { withFileTypes: true })).fold(() => {}, (e) => {
+		entries = e;
+	});
+	for (const entry of entries) if (entry.isDirectory() && !SKIP_DIRS.has(entry.name) && !entry.name.startsWith(".")) yield* findEnvpktFiles(join(dir, entry.name), maxDepth, currentDepth + 1);
+}
+const scanFleet = (rootDir, options) => {
+	const maxDepth = options?.maxDepth ?? 3;
+	const agents = [];
+	for (const configPath of findEnvpktFiles(rootDir, maxDepth)) loadConfig(configPath).fold(() => {}, (config) => {
+		const audit = computeAudit(config);
+		agents.push({
+			path: configPath,
+			agent: config.agent,
+			min_expiry_days: audit.secrets.toArray().reduce((min, s) => s.days_remaining.fold(() => min, (d) => min === void 0 ? d : Math.min(min, d)), void 0),
+			audit
+		});
+	});
+	const agentList = List(agents);
+	const total_agents = agentList.size;
+	const total_secrets = agentList.toArray().reduce((acc, a) => acc + a.audit.total, 0);
+	const expired = agentList.toArray().reduce((acc, a) => acc + a.audit.expired, 0);
+	const expiring_soon = agentList.toArray().reduce((acc, a) => acc + a.audit.expiring_soon, 0);
+	const criticalCount = agentList.count((a) => a.audit.status === "critical");
+	const degradedCount = agentList.count((a) => a.audit.status === "degraded");
+	return {
+		status: Cond.of().when(criticalCount > 0, "critical").elseWhen(degradedCount > 0, "degraded").else("healthy"),
+		agents: agentList,
+		total_agents,
+		total_secrets,
+		expired,
+		expiring_soon
+	};
+};
+
+//#endregion
+//#region src/fnox/sync.ts
+/** Compare fnox keys and envpkt meta keys to find mismatches */
+const compareFnoxAndEnvpkt = (fnoxKeys, envpktKeys) => {
+	return {
+		missing: List([...fnoxKeys].filter((k) => !envpktKeys.has(k))),
+		orphaned: List([...envpktKeys].filter((k) => !fnoxKeys.has(k)))
+	};
+};
+
+//#endregion
+//#region src/mcp/resources.ts
+const loadConfigSafe = () => {
+	return resolveConfigPath().fold(() => void 0, (path) => loadConfig(path).fold(() => void 0, (config) => ({
+		config,
+		path
+	})));
+};
+const resourceDefinitions = [{
+	uri: "envpkt://health",
+	name: "Credential Health",
+	description: "Current health status of the envpkt credential packet",
+	mimeType: "application/json"
+}, {
+	uri: "envpkt://capabilities",
+	name: "Agent Capabilities",
+	description: "Capabilities declared by the agent and per-secret capability grants",
+	mimeType: "application/json"
+}];
+const readHealth = () => {
+	const loaded = loadConfigSafe();
+	if (!loaded) return { contents: [{
+		uri: "envpkt://health",
+		mimeType: "application/json",
+		text: JSON.stringify({ error: "No envpkt.toml found" })
+	}] };
+	const { config, path } = loaded;
+	const audit = computeAudit(config);
+	return { contents: [{
+		uri: "envpkt://health",
+		mimeType: "application/json",
+		text: JSON.stringify({
+			path,
+			status: audit.status,
+			total: audit.total,
+			healthy: audit.healthy,
+			expiring_soon: audit.expiring_soon,
+			expired: audit.expired,
+			stale: audit.stale,
+			missing: audit.missing
+		}, null, 2)
+	}] };
+};
+const readCapabilities = () => {
+	const loaded = loadConfigSafe();
+	if (!loaded) return { contents: [{
+		uri: "envpkt://capabilities",
+		mimeType: "application/json",
+		text: JSON.stringify({ error: "No envpkt.toml found" })
+	}] };
+	const { config } = loaded;
+	const agentCapabilities = config.agent?.capabilities ?? [];
+	const secretCapabilities = {};
+	for (const [key, meta] of Object.entries(config.meta)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	return { contents: [{
+		uri: "envpkt://capabilities",
+		mimeType: "application/json",
+		text: JSON.stringify({
+			agent: config.agent ? {
+				name: config.agent.name,
+				consumer: config.agent.consumer,
+				description: config.agent.description,
+				capabilities: agentCapabilities
+			} : null,
+			secrets: secretCapabilities
+		}, null, 2)
+	}] };
+};
+const resourceHandlers = {
+	"envpkt://health": readHealth,
+	"envpkt://capabilities": readCapabilities
+};
+const readResource = (uri) => {
+	const handler = resourceHandlers[uri];
+	return handler?.();
+};
+
+//#endregion
+//#region src/mcp/tools.ts
+const textResult = (text) => ({ content: [{
+	type: "text",
+	text
+}] });
+const errorResult = (message) => ({
+	content: [{
+		type: "text",
+		text: message
+	}],
+	isError: true
+});
+const loadConfigForTool = (configPath) => {
+	return resolveConfigPath(configPath).fold((err) => ({
+		ok: false,
+		result: errorResult(`Config error: ${err._tag} — ${err._tag === "FileNotFound" ? err.path : ""}`)
+	}), (path) => loadConfig(path).fold((err) => ({
+		ok: false,
+		result: errorResult(`Config error: ${err._tag} — ${err._tag === "ValidationError" ? err.errors.toArray().join(", ") : ""}`)
+	}), (config) => ({
+		ok: true,
+		config,
+		path
+	})));
+};
+const toolDefinitions = [
+	{
+		name: "getPacketHealth",
+		description: "Get overall health status of the envpkt credential packet — returns audit results including secret statuses, expiration info, and issues",
+		inputSchema: {
+			type: "object",
+			properties: { configPath: {
+				type: "string",
+				description: "Optional path to envpkt.toml"
+			} }
+		}
+	},
+	{
+		name: "listCapabilities",
+		description: "List capabilities declared by the agent and per-secret capabilities",
+		inputSchema: {
+			type: "object",
+			properties: { configPath: {
+				type: "string",
+				description: "Optional path to envpkt.toml"
+			} }
+		}
+	},
+	{
+		name: "getSecretMeta",
+		description: "Get metadata for a specific secret by key name — returns service, purpose, expiration, provisioner, and other five-W details",
+		inputSchema: {
+			type: "object",
+			properties: {
+				key: {
+					type: "string",
+					description: "Secret key name to look up"
+				},
+				configPath: {
+					type: "string",
+					description: "Optional path to envpkt.toml"
+				}
+			},
+			required: ["key"]
+		}
+	},
+	{
+		name: "checkExpiration",
+		description: "Check expiration status of a specific secret — returns days remaining and whether it needs rotation",
+		inputSchema: {
+			type: "object",
+			properties: {
+				key: {
+					type: "string",
+					description: "Secret key name to check"
+				},
+				configPath: {
+					type: "string",
+					description: "Optional path to envpkt.toml"
+				}
+			},
+			required: ["key"]
+		}
+	}
+];
+const handleGetPacketHealth = (args) => {
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config, path } = loaded;
+	const audit = computeAudit(config);
+	const secretDetails = audit.secrets.toArray().map((s) => ({
+		key: s.key,
+		service: s.service.fold(() => null, (sv) => sv),
+		status: s.status,
+		days_remaining: s.days_remaining.fold(() => null, (d) => d),
+		rotation_url: s.rotation_url.fold(() => null, (u) => u),
+		issues: s.issues.toArray()
+	}));
+	return textResult(JSON.stringify({
+		path,
+		status: audit.status,
+		total: audit.total,
+		healthy: audit.healthy,
+		expiring_soon: audit.expiring_soon,
+		expired: audit.expired,
+		stale: audit.stale,
+		missing: audit.missing,
+		secrets: secretDetails
+	}, null, 2));
+};
+const handleListCapabilities = (args) => {
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config } = loaded;
+	const agentCapabilities = config.agent?.capabilities ?? [];
+	const secretCapabilities = {};
+	for (const [key, meta] of Object.entries(config.meta)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	return textResult(JSON.stringify({
+		agent: config.agent ? {
+			name: config.agent.name,
+			consumer: config.agent.consumer,
+			description: config.agent.description,
+			capabilities: agentCapabilities
+		} : null,
+		secrets: secretCapabilities
+	}, null, 2));
+};
+const handleGetSecretMeta = (args) => {
+	const key = args.key;
+	if (!key) return errorResult("Missing required argument: key");
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config } = loaded;
+	const meta = config.meta[key];
+	if (!meta) return errorResult(`Secret not found: ${key}`);
+	return textResult(JSON.stringify({
+		key,
+		...meta
+	}, null, 2));
+};
+const handleCheckExpiration = (args) => {
+	const key = args.key;
+	if (!key) return errorResult("Missing required argument: key");
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config } = loaded;
+	return computeAudit(config).secrets.find((s) => s.key === key).fold(() => errorResult(`Secret not found: ${key}`), (s) => textResult(JSON.stringify({
+		key: s.key,
+		status: s.status,
+		days_remaining: s.days_remaining.fold(() => null, (d) => d),
+		expires: s.expires.fold(() => null, (e) => e),
+		rotation_url: s.rotation_url.fold(() => null, (u) => u),
+		needs_rotation: s.status === "expired" || s.status === "expiring_soon",
+		issues: s.issues.toArray()
+	}, null, 2)));
+};
+const handlers = {
+	getPacketHealth: handleGetPacketHealth,
+	listCapabilities: handleListCapabilities,
+	getSecretMeta: handleGetSecretMeta,
+	checkExpiration: handleCheckExpiration
+};
+const callTool = (name, args) => {
+	const handler = handlers[name];
+	if (!handler) return errorResult(`Unknown tool: ${name}`);
+	return handler(args);
+};
+
+//#endregion
+//#region src/mcp/server.ts
+const createServer = () => {
+	const server = new Server({
+		name: "envpkt",
+		version: "0.1.0"
+	}, {
+		capabilities: {
+			tools: {},
+			resources: {}
+		},
+		instructions: "envpkt provides credential lifecycle awareness for AI agents. Use tools to check health, capabilities, and secret metadata. No secret values are ever exposed."
+	});
+	server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: toolDefinitions.map((t) => ({
+		name: t.name,
+		description: t.description,
+		inputSchema: t.inputSchema
+	})) }));
+	server.setRequestHandler(CallToolRequestSchema, async (request) => {
+		const { name, arguments: args } = request.params;
+		return callTool(name, args ?? {});
+	});
+	server.setRequestHandler(ListResourcesRequestSchema, async () => ({ resources: [...resourceDefinitions] }));
+	server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+		const { uri } = request.params;
+		const result = readResource(uri);
+		if (!result) return { contents: [{
+			uri,
+			mimeType: "text/plain",
+			text: `Resource not found: ${uri}`
+		}] };
+		return result;
+	});
+	return server;
+};
+const startServer = async () => {
+	const server = createServer();
+	const transport = new StdioServerTransport();
+	await server.connect(transport);
+};
+
+//#endregion
+export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvpktBootError, EnvpktConfigSchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, createServer, deriveServiceFromName, detectFnox, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, resolveConfig, resolveConfigPath, resolveSecrets, resourceDefinitions, scanEnv, scanFleet, startServer, toolDefinitions, unwrapAgentKey, validateConfig };