envpkt 0.11.1 → 0.11.3

package/dist/index.js

@@ -1,7 +1,7 @@
 import { FormatRegistry, Type } from "@sinclair/typebox";
 import { dirname, join, resolve } from "node:path";
 import { TypeCompiler } from "@sinclair/typebox/compiler";
-import { Cond, Either, Left, List, None, Option, Right, Some, Try } from "functype";
+import { $, Cond, Do, Either, Left, List, Map as Map$1, None, Option, Right, Set as Set$1, Some, Try } from "functype";
 import { Env, Fs, Path, Platform } from "functype-os";
 import { TomlDate, parse } from "smol-toml";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
@@ -56,6 +56,10 @@ const SecretMetaSchema = Type.Object({
 		format: "date",
 		description: "Date the secret was provisioned (YYYY-MM-DD)"
 	})),
+	last_rotated_at: Type.Optional(Type.String({
+		format: "date",
+		description: "Date the secret value was most recently rotated (YYYY-MM-DD). Used by audit for staleness."
+	})),
 	rotates: Type.Optional(Type.String({ description: "Rotation schedule (e.g. '90d', 'quarterly')" })),
 	rate_limit: Type.Optional(Type.String({ description: "Rate limit or quota info (e.g. '1000/min')" })),
 	model_hint: Type.Optional(Type.String({ description: "Suggested model or tier for this credential" })),
@@ -294,18 +298,19 @@ const loadCatalog = (catalogPath) => loadConfig(catalogPath).fold((err) => {
 /** Resolve secrets by merging catalog meta with agent overrides (shallow merge) */
 const resolveSecrets = (agentMeta, catalogMeta, agentSecrets, catalogPath) => {
 	return agentSecrets.reduce((acc, key) => acc.flatMap((resolved) => {
-		if (!(key in catalogMeta)) return Left({
+		const catalogEntry = catalogMeta[key];
+		if (catalogEntry === void 0) return Left({
 			_tag: "SecretNotInCatalog",
 			key,
 			catalogPath
 		});
-		const catalogEntry = catalogMeta[key];
+		const merged = Option(agentMeta[key]).fold(() => catalogEntry, (override) => ({
+			...catalogEntry,
+			...override
+		}));
 		return Right({
 			...resolved,
-			[key]: key in agentMeta ? {
-				...catalogEntry,
-				...agentMeta[key]
-			} : catalogEntry
+			[key]: merged
 		});
 	}), Right({}));
 };
@@ -372,12 +377,12 @@ const validateOneSecret = (key, meta, secretEntries) => {
 		kind: "secret",
 		field: "encrypted_value"
 	});
-	return parseRef(ref).fold(() => Left({
+	return parseRef(ref).toEither({
 		_tag: "AliasInvalidSyntax",
 		key,
 		kind: "secret",
 		value: ref
-	}), (parsed) => {
+	}).flatMap((parsed) => {
 		if (parsed.kind !== "secret") return Left({
 			_tag: "AliasCrossType",
 			key,
@@ -388,23 +393,23 @@ const validateOneSecret = (key, meta, secretEntries) => {
 			_tag: "AliasSelfReference",
 			key: `secret.${key}`
 		});
-		return Option(secretEntries[parsed.key]).fold(() => Left({
+		return Option(secretEntries[parsed.key]).toEither({
 			_tag: "AliasTargetMissing",
 			key: `secret.${key}`,
 			target: ref
-		}), (target) => {
+		}).flatMap((target) => {
 			if (target.from_key !== void 0) return Left({
 				_tag: "AliasChained",
 				key: `secret.${key}`,
 				target: ref
 			});
-			return Right(Option({
+			return Right({
 				kind: "secret",
 				targetKind: "secret",
 				targetKey: parsed.key
-			}));
+			});
 		});
-	});
+	}).map((entry) => Option(entry));
 };
 const validateOneEnv = (key, meta, envEntries) => {
 	if (meta.from_key === void 0) return Right(Option(void 0));
@@ -415,12 +420,12 @@ const validateOneEnv = (key, meta, envEntries) => {
 		kind: "env",
 		field: "value"
 	});
-	return parseRef(ref).fold(() => Left({
+	return parseRef(ref).toEither({
 		_tag: "AliasInvalidSyntax",
 		key,
 		kind: "env",
 		value: ref
-	}), (parsed) => {
+	}).flatMap((parsed) => {
 		if (parsed.kind !== "env") return Left({
 			_tag: "AliasCrossType",
 			key,
@@ -431,57 +436,32 @@ const validateOneEnv = (key, meta, envEntries) => {
 			_tag: "AliasSelfReference",
 			key: `env.${key}`
 		});
-		return Option(envEntries[parsed.key]).fold(() => Left({
+		return Option(envEntries[parsed.key]).toEither({
 			_tag: "AliasTargetMissing",
 			key: `env.${key}`,
 			target: ref
-		}), (target) => {
+		}).flatMap((target) => {
 			if (target.from_key !== void 0) return Left({
 				_tag: "AliasChained",
 				key: `env.${key}`,
 				target: ref
 			});
-			return Right(Option({
+			return Right({
 				kind: "env",
 				targetKind: "env",
 				targetKey: parsed.key
-			}));
+			});
 		});
-	});
+	}).map((entry) => Option(entry));
 };
-/**
-* Validate all `from_key` references in a resolved config. Produces an
-* AliasTable mapping each alias to its target, or an AliasError describing
-* the first failure.
-*
-* Rules:
-* - Ref must be "secret.<KEY>" or "env.<KEY>"
-* - Target must exist in the same resolved config
-* - Target must be the same type (secret→secret, env→env only)
-* - Target must not itself be a from_key entry (single hop only)
-* - Self-reference is rejected
-* - An alias entry cannot also carry a value field (encrypted_value for
-*   secrets, value for env)
-*/
+/** Fail-fast reduction: accumulates validated entries, short-circuits on first AliasError */
+const collectValidated = (items, validate, prefix) => items.reduce((acc, [key, meta]) => acc.flatMap((entries) => validate(key, meta).map((opt) => opt.fold(() => entries, (entry) => [...entries, [`${prefix}.${key}`, entry]]))), Right([]));
 const validateAliases = (config) => {
 	const secretEntries = config.secret ?? {};
 	const envEntries = config.env ?? {};
-	const entries = /* @__PURE__ */ new Map();
-	const secretResults = Object.entries(secretEntries).map(([key, meta]) => [key, validateOneSecret(key, meta, secretEntries)]);
-	for (const [key, result] of secretResults) {
-		const outcome = result.fold((err) => err, (opt) => opt.orUndefined());
-		if (outcome === void 0) continue;
-		if ("_tag" in outcome) return Left(outcome);
-		entries.set(`secret.${key}`, outcome);
-	}
-	const envResults = Object.entries(envEntries).map(([key, meta]) => [key, validateOneEnv(key, meta, envEntries)]);
-	for (const [key, result] of envResults) {
-		const outcome = result.fold((err) => err, (opt) => opt.orUndefined());
-		if (outcome === void 0) continue;
-		if ("_tag" in outcome) return Left(outcome);
-		entries.set(`env.${key}`, outcome);
-	}
-	return Right({ entries });
+	const secretPairs = collectValidated(Object.entries(secretEntries), (k, m) => validateOneSecret(k, m, secretEntries), "secret");
+	const envPairs = collectValidated(Object.entries(envEntries), (k, m) => validateOneEnv(k, m, envEntries), "env");
+	return secretPairs.flatMap((secrets) => envPairs.map((envs) => [...secrets, ...envs])).map((allEntries) => ({ entries: new Map(allEntries) }));
 };
 /** Does this secret entry point at another entry? */
 const isSecretAlias = (meta) => meta?.from_key !== void 0;
@@ -555,7 +535,7 @@ const formatPacket = (result, options) => {
 	if (envEntriesArr.length > 0) {
 		const envHeader = `env: ${envEntriesArr.length}`;
 		const envLines = envEntriesArr.map(([key, meta]) => {
-			return `  ${key}${meta.from_key ? ` [alias → ${meta.from_key}]` : ""}${meta.value !== void 0 ? ` = ${meta.value}` : ""}${meta.purpose ? `\n    purpose: ${meta.purpose}` : ""}`;
+			return `  ${key}${meta.from_key ? ` [alias → ${meta.from_key}]` : ""}${Option(meta.value).fold(() => "", (v) => ` = ${v}`)}${meta.purpose ? `\n    purpose: ${meta.purpose}` : ""}`;
 		});
 		sections.push([envHeader, ...envLines].join("\n"));
 	}
@@ -589,20 +569,26 @@ const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration
 	const issues = [];
 	const created = Option(meta.created).flatMap(parseDate);
 	const expires = Option(meta.expires).flatMap(parseDate);
+	const lastRotated = Option(meta.last_rotated_at).flatMap(parseDate);
 	const rotationUrl = Option(meta.rotation_url);
 	const purpose = Option(meta.purpose);
 	const service = Option(meta.service);
 	const daysRemaining = expires.map((exp) => daysBetween(today, exp));
-	const daysSinceCreated = created.map((c) => daysBetween(c, today));
+	const staleFromRotation = lastRotated.isSome();
+	const daysSinceRotation = (staleFromRotation ? lastRotated : created).map((d) => daysBetween(d, today));
 	const isExpired = daysRemaining.fold(() => false, (d) => d < 0);
 	const isExpiringSoon = daysRemaining.fold(() => false, (d) => d >= 0 && d <= WARN_BEFORE_DAYS);
-	const isStale = daysSinceCreated.fold(() => false, (d) => d > staleWarningDays);
+	const isStale = daysSinceRotation.fold(() => false, (d) => d > staleWarningDays);
 	const hasSealed = !!meta.encrypted_value;
 	const isMissing = fnoxKeys.size > 0 && !fnoxKeys.has(key) && !hasSealed;
 	const isMissingMetadata = requireExpiration && expires.isNone() || requireService && service.isNone();
 	if (isExpired) issues.push("Secret has expired");
 	if (isExpiringSoon) issues.push(`Expires in ${daysRemaining.fold(() => "?", (d) => String(d))} days`);
-	if (isStale) issues.push("Secret is stale (no rotation detected)");
+	if (isStale) {
+		const since = daysSinceRotation.fold(() => "?", (d) => String(d));
+		const label = staleFromRotation ? "last rotated" : "created";
+		issues.push(`Secret is stale (${label} ${since} days ago)`);
+	}
 	if (isMissing) issues.push("Key not found in fnox");
 	if (isMissingMetadata) {
 		if (requireExpiration && expires.isNone()) issues.push("Missing required expiration date");
@@ -617,6 +603,7 @@ const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration
 		purpose,
 		created: Option(meta.created),
 		expires: Option(meta.expires),
+		last_rotated_at: Option(meta.last_rotated_at),
 		issues: List(issues),
 		alias_of: Option(void 0)
 	};
@@ -632,9 +619,10 @@ const classifyAlias = (key, meta, targetHealth, targetRef) => ({
 	status: targetHealth.status,
 	days_remaining: targetHealth.days_remaining,
 	rotation_url: targetHealth.rotation_url,
-	purpose: meta.purpose !== void 0 ? Option(meta.purpose) : targetHealth.purpose,
+	purpose: Option(meta.purpose).fold(() => targetHealth.purpose, (v) => Option(v)),
 	created: targetHealth.created,
 	expires: targetHealth.expires,
+	last_rotated_at: targetHealth.last_rotated_at,
 	issues: List([]),
 	alias_of: Option(targetRef)
 });
@@ -648,17 +636,18 @@ const computeAudit = (config, fnoxKeys, today, aliasTable) => {
 	const secretEntries = config.secret ?? {};
 	const nonAliasEntries = Object.entries(secretEntries).filter(([, meta]) => meta.from_key === void 0);
 	const aliasEntries = Object.entries(secretEntries).filter(([, meta]) => meta.from_key !== void 0);
-	const nonAliasMetaKeys = new Set(nonAliasEntries.map(([k]) => k));
+	const nonAliasMetaKeys = Set$1(nonAliasEntries.map(([k]) => k));
 	const nonAliasHealth = nonAliasEntries.map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now));
-	const healthByKey = new Map(nonAliasHealth.map((h) => [h.key, h]));
+	const healthByKey = Map$1(nonAliasHealth.map((h) => [h.key, h]));
 	const parseTargetKey = (from_key) => {
-		return /^secret\.(.+)$/.exec(from_key)?.[1];
+		return Option(from_key.match(/^secret\.(.+)$/)?.[1]);
 	};
 	const aliasHealth = aliasEntries.map(([key, meta]) => {
-		const targetKey = (aliasTable?.entries.get(`secret.${key}`))?.targetKey ?? (meta.from_key !== void 0 ? parseTargetKey(meta.from_key) : void 0);
-		const targetHealth = targetKey !== void 0 ? healthByKey.get(targetKey) : void 0;
-		const targetRef = meta.from_key ?? (targetKey !== void 0 ? `secret.${targetKey}` : "");
-		if (!targetHealth) return {
+		const tableEntry = aliasTable?.entries.get(`secret.${key}`);
+		const targetKey = Option(tableEntry?.targetKey).fold(() => Option(meta.from_key).flatMap(parseTargetKey), (k) => Option(k));
+		const targetHealth = targetKey.flatMap((k) => healthByKey.get(k));
+		const targetRef = Option(meta.from_key).fold(() => targetKey.map((k) => `secret.${k}`), (v) => Option(v)).orElse("");
+		return targetHealth.fold(() => ({
 			key,
 			service: Option(meta.service),
 			status: "missing",
@@ -667,13 +656,13 @@ const computeAudit = (config, fnoxKeys, today, aliasTable) => {
 			purpose: Option(meta.purpose),
 			created: Option(meta.created),
 			expires: Option(meta.expires),
+			last_rotated_at: Option(meta.last_rotated_at),
 			issues: List(["Alias target not resolvable"]),
 			alias_of: Option(targetRef)
-		};
-		return classifyAlias(key, meta, targetHealth, targetRef);
+		}), (health) => classifyAlias(key, meta, health, targetRef));
 	});
 	const secrets = List([...nonAliasHealth, ...aliasHealth]);
-	const orphaned = keys.size > 0 ? [...nonAliasMetaKeys].filter((k) => !keys.has(k)).length : 0;
+	const orphaned = keys.size > 0 ? nonAliasMetaKeys.toArray().filter((k) => !keys.has(k)).length : 0;
 	const total = secrets.size;
 	const expired = secrets.count((s) => s.status === "expired");
 	const missing = secrets.count((s) => s.status === "missing");
@@ -699,12 +688,14 @@ const computeAudit = (config, fnoxKeys, today, aliasTable) => {
 };
 const computeEnvAudit = (config, env = process.env) => {
 	const envEntries = config.env ?? {};
+	const resolveEffectiveDefault = (entry) => {
+		return Do(function* () {
+			return yield* $(Option((yield* $(Option(envEntries[yield* $(Option((yield* $(Option(entry.from_key))).match(/^env\.(.+)$/)?.[1]))]))).value));
+		}).orElse(entry.value ?? "");
+	};
 	const entries = Object.entries(envEntries).map(([key, entry]) => {
 		const currentValue = env[key];
-		const effectiveDefault = entry.from_key !== void 0 ? (() => {
-			const targetKey = /^env\.(.+)$/.exec(entry.from_key)?.[1];
-			return (targetKey !== void 0 ? envEntries[targetKey] : void 0)?.value ?? "";
-		})() : entry.value ?? "";
+		const effectiveDefault = resolveEffectiveDefault(entry);
 		return {
 			key,
 			defaultValue: effectiveDefault,
@@ -724,7 +715,7 @@ const computeEnvAudit = (config, env = process.env) => {
 };
 //#endregion
 //#region src/core/patterns.ts
-const EXCLUDED_VARS = new Set([
+const EXCLUDED_VARS = Set$1([
 	"PATH",
 	"HOME",
 	"USER",
@@ -1437,25 +1428,22 @@ const envScan = (env, options) => {
 	};
 };
 const parseAliasRef = (raw, expectedKind) => {
-	const match = /^(secret|env)\.(.+)$/.exec(raw);
-	if (!match) return void 0;
-	if (match[1] !== expectedKind) return void 0;
-	return match[2];
+	const match = raw.match(/^(secret|env)\.(.+)$/);
+	if (match?.[1] !== expectedKind) return Option(void 0);
+	return Option(match[2]);
 };
 /** Bidirectional drift detection between config and live environment */
 const envCheck = (config, env) => {
 	const secretEntries = config.secret ?? {};
 	const metaKeys = Object.keys(secretEntries);
-	const trackedSet = new Set(metaKeys);
+	const metaKeysSet = Set$1(metaKeys);
 	const isSecretPresent = (key) => {
 		if (env[key] !== void 0 && env[key] !== "") return true;
 		const meta = secretEntries[key];
 		if (meta?.from_key === void 0) return false;
-		const targetKey = parseAliasRef(meta.from_key, "secret");
-		return targetKey !== void 0 && env[targetKey] !== void 0 && env[targetKey] !== "";
+		return parseAliasRef(meta.from_key, "secret").fold(() => false, (targetKey) => env[targetKey] !== void 0 && env[targetKey] !== "");
 	};
-	const secretDriftEntries = metaKeys.map((key) => {
-		const meta = secretEntries[key];
+	const secretDriftEntries = Object.entries(secretEntries).map(([key, meta]) => {
 		const present = isSecretPresent(key);
 		return {
 			envVar: key,
@@ -1469,14 +1457,9 @@ const envCheck = (config, env) => {
 		if (env[key] !== void 0 && env[key] !== "") return true;
 		const meta = envDefaults[key];
 		if (meta?.from_key === void 0) return false;
-		const targetKey = parseAliasRef(meta.from_key, "env");
-		return targetKey !== void 0 && env[targetKey] !== void 0 && env[targetKey] !== "";
+		return parseAliasRef(meta.from_key, "env").fold(() => false, (targetKey) => env[targetKey] !== void 0 && env[targetKey] !== "");
 	};
-	const envDefaultEntries = Object.keys(envDefaults).filter((key) => {
-		if (trackedSet.has(key)) return false;
-		trackedSet.add(key);
-		return true;
-	}).map((key) => {
+	const envDefaultEntries = Object.keys(envDefaults).filter((key) => !metaKeysSet.has(key)).map((key) => {
 		const present = isEnvPresent(key);
 		return {
 			envVar: key,
@@ -1485,7 +1468,8 @@ const envCheck = (config, env) => {
 			confidence: Option(void 0)
 		};
 	});
-	const untrackedEntries = scanEnv(env).filter((match) => !trackedSet.has(match.envVar)).map((match) => ({
+	const trackedKeys = Set$1([...metaKeys, ...envDefaultEntries.map((e) => e.envVar)]);
+	const untrackedEntries = scanEnv(env).filter((match) => !trackedKeys.has(match.envVar)).map((match) => ({
 		envVar: match.envVar,
 		service: match.service,
 		status: "untracked",
@@ -1843,11 +1827,12 @@ const sealSecrets = (meta, values, recipient) => {
 		message: "age CLI not found on PATH"
 	});
 	return Object.entries(meta).reduce((acc, [key, secretMeta]) => acc.flatMap((result) => {
-		if (!(key in values)) return Right({
+		const value = values[key];
+		if (value === void 0) return Right({
 			...result,
 			[key]: secretMeta
 		});
-		return ageEncrypt(values[key], recipient).mapLeft((err) => ({
+		return ageEncrypt(value, recipient).mapLeft((err) => ({
 			_tag: "EncryptFailed",
 			key,
 			message: err.message
@@ -1943,11 +1928,11 @@ const bootSafe = (options) => {
 		const secretEntries = config.secret ?? {};
 		const envEntries = config.env ?? {};
 		const nonAliasSecretEntries = Object.fromEntries(Object.entries(secretEntries).filter(([, meta]) => meta.from_key === void 0));
-		const aliasSecretKeys = Object.keys(secretEntries).filter((k) => secretEntries[k].from_key !== void 0);
+		const aliasSecretKeys = Object.entries(secretEntries).filter(([, meta]) => meta.from_key !== void 0).map(([k]) => k);
 		const nonAliasEnvEntries = Object.entries(envEntries).filter(([, meta]) => meta.from_key === void 0);
-		const aliasEnvKeys = Object.keys(envEntries).filter((k) => envEntries[k].from_key !== void 0);
+		const aliasEnvKeys = Object.entries(envEntries).filter(([, meta]) => meta.from_key !== void 0).map(([k]) => k);
 		const nonAliasMetaKeys = Object.keys(nonAliasSecretEntries);
-		const hasSealedValues = nonAliasMetaKeys.some((k) => !!nonAliasSecretEntries[k].encrypted_value);
+		const hasSealedValues = Object.values(nonAliasSecretEntries).some((meta) => !!meta.encrypted_value);
 		const identityKeyResult = resolveIdentityKey(config, configDir);
 		const identityKey = identityKeyResult.fold(() => Option(void 0), (k) => k);
 		if (identityKeyResult.isLeft() && !hasSealedValues) return identityKeyResult.fold((err) => Left(err), () => Left({
@@ -1960,7 +1945,7 @@ const bootSafe = (options) => {
 			const injected = [];
 			const skipped = [];
 			warnings.push(...checkEnvMisclassification(config));
-			const envDefaults = Object.fromEntries(nonAliasEnvEntries.flatMap(([key, entry]) => Option(process.env[key]).fold(() => entry.value !== void 0 ? [[key, entry.value]] : [], () => [])));
+			const envDefaults = Object.fromEntries(nonAliasEnvEntries.flatMap(([key, entry]) => Option(process.env[key]).fold(() => Option(entry.value).fold(() => [], (v) => [[key, v]]), () => [])));
 			const overridden = nonAliasEnvEntries.flatMap(([key]) => Option(process.env[key]).fold(() => [], () => [key]));
 			if (inject) Object.entries(envDefaults).forEach(([key, value]) => {
 				process.env[key] = value;
@@ -2020,21 +2005,20 @@ const bootSafe = (options) => {
 			aliasSecretKeys.forEach((aliasKey) => {
 				const entry = aliasTable.entries.get(`secret.${aliasKey}`);
 				if (!entry) return;
-				const targetValue = secrets[entry.targetKey];
-				if (targetValue !== void 0) {
-					secrets[aliasKey] = targetValue;
-					injected.push(aliasKey);
-					log.debug("phase.alias.copied", {
+				Option(secrets[entry.targetKey]).fold(() => {
+					skipped.push(aliasKey);
+					log.debug("phase.alias.target_unresolved", {
 						alias: aliasKey,
 						target: entry.targetKey
 					});
-				} else {
-					skipped.push(aliasKey);
-					log.debug("phase.alias.target_unresolved", {
+				}, (targetValue) => {
+					secrets[aliasKey] = targetValue;
+					injected.push(aliasKey);
+					log.debug("phase.alias.copied", {
 						alias: aliasKey,
 						target: entry.targetKey
 					});
-				}
+				});
 			});
 			aliasEnvKeys.forEach((aliasKey) => {
 				const entry = aliasTable.entries.get(`env.${aliasKey}`);
@@ -2149,6 +2133,22 @@ const resolveValues = async (keys, profile, agentKey) => {
 //#region src/core/toml-edit.ts
 const SECTION_RE = /^\[.+\]\s*$/;
 const MULTILINE_OPEN = "\"\"\"";
+const scanSectionBoundary = (state, line, i) => {
+	if (state.done) return state;
+	if (state.inMultiline) return line.includes(MULTILINE_OPEN) ? {
+		...state,
+		inMultiline: false
+	} : state;
+	if (line.includes(MULTILINE_OPEN)) return (line.slice(line.indexOf("=") + 1).trim().match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1 ? {
+		...state,
+		inMultiline: true
+	} : state;
+	return SECTION_RE.test(line) ? {
+		...state,
+		end: i,
+		done: true
+	} : state;
+};
 /**
 * Find the line range [start, end) of a TOML section by its header string.
 * The range includes the header line through to (but not including) the next section header or EOF.
@@ -2157,26 +2157,14 @@ const MULTILINE_OPEN = "\"\"\"";
 const findSectionRange = (lines, sectionHeader) => {
 	const start = lines.findIndex((l) => l.trim() === sectionHeader);
 	if (start === -1) return void 0;
-	let end = lines.length;
-	let inMultiline = false;
-	for (let i = start + 1; i < lines.length; i++) {
-		const line = lines[i];
-		if (inMultiline) {
-			if (line.includes(MULTILINE_OPEN)) inMultiline = false;
-			continue;
-		}
-		if (line.includes(MULTILINE_OPEN)) {
-			if ((line.slice(line.indexOf("=") + 1).trim().match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1) inMultiline = true;
-			continue;
-		}
-		if (SECTION_RE.test(line)) {
-			end = i;
-			break;
-		}
-	}
+	const initial = {
+		end: lines.length,
+		inMultiline: false,
+		done: false
+	};
 	return {
 		start,
-		end
+		end: List(lines.slice(start + 1)).zipWithIndex().foldLeft(initial)((state, entry) => scanSectionBoundary(state, entry[0], start + 1 + entry[1])).end
 	};
 };
 /** Check whether a section header exists in the raw TOML */
@@ -2192,12 +2180,10 @@ const removeSection = (raw, sectionHeader) => {
 		_tag: "SectionNotFound",
 		section: sectionHeader
 	});
-	let removeEnd = range.end;
-	while (removeEnd > range.start && removeEnd - 1 >= range.start && lines[removeEnd - 1].trim() === "") removeEnd--;
-	const before = lines.slice(0, range.start);
 	const after = lines.slice(range.end);
-	while (before.length > 0 && before[before.length - 1].trim() === "") before.pop();
-	const result = [...before, ...after].join("\n");
+	const beforeAll = lines.slice(0, range.start);
+	const lastNonBlank = beforeAll.findLastIndex((l) => l.trim() !== "");
+	const result = [...lastNonBlank === -1 ? [] : beforeAll.slice(0, lastNonBlank + 1), ...after].join("\n");
 	return Either.right(result);
 };
 /**
@@ -2233,55 +2219,47 @@ const updateSectionFields = (raw, sectionHeader, updates) => {
 	const before = lines.slice(0, range.start + 1);
 	const after = lines.slice(range.end);
 	const sectionBody = lines.slice(range.start + 1, range.end);
-	const remaining = [];
-	const updatedKeys = /* @__PURE__ */ new Set();
-	let inMultiline = false;
-	let multilineKey = "";
-	for (let i = 0; i < sectionBody.length; i++) {
-		const line = sectionBody[i];
-		if (inMultiline) {
-			if (line.includes(MULTILINE_OPEN)) {
-				inMultiline = false;
-				if (updates[multilineKey] === null) continue;
-				if (multilineKey in updates) continue;
-			} else {
-				if (updates[multilineKey] === null) continue;
-				if (multilineKey in updates) continue;
-			}
-			remaining.push(line);
-			continue;
-		}
+	const findClosingMultiline = (fromIdx) => {
+		const idx = sectionBody.findIndex((l, j) => j > fromIdx && l.includes(MULTILINE_OPEN));
+		return idx === -1 ? sectionBody.length : idx;
+	};
+	const initial = {
+		remaining: [],
+		updatedKeys: Set$1.empty(),
+		skipUntil: -1
+	};
+	const step = (state, line, i) => {
+		if (i <= state.skipUntil) return state;
 		const eqIdx = line.indexOf("=");
-		if (eqIdx > 0 && !line.trimStart().startsWith("#") && !line.trimStart().startsWith("[")) {
-			const key = line.slice(0, eqIdx).trim();
-			if (key in updates) {
-				updatedKeys.add(key);
-				const afterEquals = line.slice(eqIdx + 1).trim();
-				if (afterEquals.includes(MULTILINE_OPEN)) {
-					if ((afterEquals.match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1) {
-						inMultiline = true;
-						multilineKey = key;
-					}
-				}
-				if (updates[key] === null) continue;
-				remaining.push(`${key} = ${updates[key]}`);
-				if (inMultiline) {
-					for (let j = i + 1; j < sectionBody.length; j++) if (sectionBody[j].includes(MULTILINE_OPEN)) {
-						i = j;
-						inMultiline = false;
-						break;
-					}
-				}
-				continue;
-			}
+		const isFieldLine = eqIdx > 0 && !line.trimStart().startsWith("#") && !line.trimStart().startsWith("[");
+		const key = isFieldLine ? line.slice(0, eqIdx).trim() : "";
+		if (isFieldLine && key in updates) {
+			const afterEquals = line.slice(eqIdx + 1).trim();
+			const skipUntil = afterEquals.includes(MULTILINE_OPEN) && (afterEquals.match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1 ? findClosingMultiline(i) : state.skipUntil;
+			const updatedKeys = state.updatedKeys.add(key);
+			const value = updates[key];
+			if (value === null) return {
+				...state,
+				updatedKeys,
+				skipUntil
+			};
+			return {
+				remaining: [...state.remaining, `${key} = ${value}`],
+				updatedKeys,
+				skipUntil
+			};
 		}
-		remaining.push(line);
-	}
-	const newFields = Object.entries(updates).filter(([key, value]) => value !== null && !updatedKeys.has(key)).map(([key, value]) => `${key} = ${value}`);
-	remaining.push(...newFields);
+		return {
+			...state,
+			remaining: [...state.remaining, line]
+		};
+	};
+	const final = List(sectionBody).zipWithIndex().foldLeft(initial)((state, entry) => step(state, entry[0], entry[1]));
+	const newFields = Object.entries(updates).filter(([key, value]) => value !== null && !final.updatedKeys.has(key)).map(([key, value]) => `${key} = ${value}`);
 	const result = [
 		...before,
-		...remaining,
+		...final.remaining,
+		...newFields,
 		...after
 	].join("\n");
 	return Either.right(result);
@@ -2294,31 +2272,7 @@ const appendSection = (raw, block) => `${raw.trimEnd()}\n\n${block}`;
 //#endregion
 //#region src/core/fleet.ts
 const CONFIG_FILENAME = "envpkt.toml";
-const SKIP_DIRS = new Set([
-	"node_modules",
-	".git",
-	".hg",
-	".svn",
-	"dist",
-	"build",
-	"lib",
-	".claude",
-	"__pycache__",
-	"target",
-	"out",
-	"tmp",
-	".terraform",
-	".gradle",
-	".cargo",
-	".venv",
-	".next",
-	".cache",
-	".tox",
-	"vendor",
-	"coverage",
-	".nyc_output",
-	".turbo"
-]);
+const SKIP_DIRS = Set$1.of("node_modules", ".git", ".hg", ".svn", "dist", "build", "lib", ".claude", "__pycache__", "target", "out", "tmp", ".terraform", ".gradle", ".cargo", ".venv", ".next", ".cache", ".tox", "vendor", "coverage", ".nyc_output", ".turbo");
 function* findEnvpktFiles(dir, maxDepth, currentDepth = 0) {
 	if (currentDepth > maxDepth) return;
 	const configPath = join(dir, CONFIG_FILENAME);
@@ -2585,24 +2539,19 @@ const handleGetSecretMeta = (args) => {
 	const secretEntries = config.secret ?? {};
 	return Option(secretEntries[key]).fold(() => errorResult(`Secret not found: ${key}`), (meta) => {
 		const { encrypted_value: _, from_key: fromKey, ...rest } = meta;
-		if (fromKey !== void 0) {
-			const targetKey = /^secret\.(.+)$/.exec(fromKey)?.[1];
-			const target = targetKey !== void 0 ? secretEntries[targetKey] : void 0;
-			if (target) {
-				const { encrypted_value: __, from_key: ___, ...targetRest } = target;
-				return textResult(JSON.stringify({
-					key,
-					...targetRest,
-					...rest,
-					alias_of: fromKey
-				}, null, 2));
-			}
+		if (fromKey !== void 0) return Option(fromKey.match(/^secret\.(.+)$/)?.[1]).flatMap((k) => Option(secretEntries[k])).fold(() => textResult(JSON.stringify({
+			key,
+			...rest,
+			alias_of: fromKey
+		}, null, 2)), (t) => {
+			const { encrypted_value: __, from_key: ___, ...targetRest } = t;
 			return textResult(JSON.stringify({
 				key,
+				...targetRest,
 				...rest,
 				alias_of: fromKey
 			}, null, 2));
-		}
+		});
 		return textResult(JSON.stringify({
 			key,
 			...rest