envpkt 0.13.3 → 0.13.4

package/dist/cli.js

@@ -571,7 +571,7 @@ const ageVersion = () => Try(() => execFileSync("age", ["--version"], {
 		"pipe"
 	],
 	encoding: "utf-8"
-}).trim()).fold(() => Option.none(), (v) => Option(v));
+}).trim()).toOption();
 /** Platform-aware instructions for installing the age CLI. */
 const ageInstallHint = () => {
 	return `Install age:\n    ${{
@@ -930,90 +930,6 @@ const runConfigPath = (options) => {
 	});
 };
 //#endregion
-//#region src/core/diff.ts
-/** Normalize a metadata value to a comparable/displayable string (`undefined` = absent). */
-const serialize = (value) => value === void 0 ? void 0 : typeof value === "string" ? value : JSON.stringify(value);
-/**
-* Field-level diff of two entries. `encrypted_value` is excluded from value comparison — the same
-* secret re-encrypts to different ciphertext, so diffing it is noise — but a change in *sealed
-* status* (present ↔ absent) is reported as a synthetic `sealed` field.
-*/
-const metaDiff = (a, b) => {
-	const ar = a;
-	const br = b;
-	const sealedChange = !!ar["encrypted_value"] === !!br["encrypted_value"] ? [] : [{
-		field: "sealed",
-		a: ar["encrypted_value"] ? "yes" : "no",
-		b: br["encrypted_value"] ? "yes" : "no"
-	}];
-	const fieldChanges = [...Object.keys(ar), ...Object.keys(br)].filter((k, i, arr) => k !== "encrypted_value" && arr.indexOf(k) === i).flatMap((field) => {
-		const av = serialize(ar[field]);
-		const bv = serialize(br[field]);
-		return av === bv ? [] : [{
-			field,
-			a: av,
-			b: bv
-		}];
-	});
-	return [...sealedChange, ...fieldChanges.sort((x, y) => x.field.localeCompare(y.field))];
-};
-const sectionDiff = (a, b) => {
-	const aKeys = Object.keys(a);
-	const bKeys = Object.keys(b);
-	return {
-		onlyA: aKeys.filter((k) => !(k in b)).sort(),
-		onlyB: bKeys.filter((k) => !(k in a)).sort(),
-		changed: aKeys.filter((k) => k in b).sort().flatMap((key) => {
-			const changes = metaDiff(a[key], b[key]);
-			return changes.length === 0 ? [] : [{
-				key,
-				changes
-			}];
-		})
-	};
-};
-const isEmpty = (s) => s.onlyA.length === 0 && s.onlyB.length === 0 && s.changed.length === 0;
-/** Compare two configs by their `[secret.*]` and `[env.*]` entries (metadata, not ciphertext). */
-const diffConfigs = (a, b) => {
-	const secret = sectionDiff(a.secret ?? {}, b.secret ?? {});
-	const env = sectionDiff(a.env ?? {}, b.env ?? {});
-	return {
-		secret,
-		env,
-		identical: isEmpty(secret) && isEmpty(env)
-	};
-};
-//#endregion
-//#region src/cli/commands/diff.ts
-const formatSection = (name, s) => {
-	if (s.onlyA.length === 0 && s.onlyB.length === 0 && s.changed.length === 0) return [];
-	return [
-		`${BOLD}[${name}]${RESET}`,
-		...s.onlyA.map((k) => `  ${RED}- ${k}${RESET}`),
-		...s.onlyB.map((k) => `  ${GREEN}+ ${k}${RESET}`),
-		...s.changed.flatMap((c) => [`  ${YELLOW}~ ${c.key}${RESET}`, ...c.changes.map((ch) => `      ${ch.field}: ${DIM}${ch.a ?? "∅"}${RESET} → ${DIM}${ch.b ?? "∅"}${RESET}`)])
-	];
-};
-const loadOrExit = (path, side) => loadConfig(path).fold((err) => {
-	console.error(`${RED}Error${RESET} (${side} = ${path}): ${formatError(err)}`);
-	process.exit(2);
-}, (config) => config);
-/**
-* Compare two envpkt.toml files by their `[secret.*]` and `[env.*]` entries. Reports keys only in
-* each side and field-level metadata changes for shared keys (ciphertext is ignored; sealed-status
-* changes are reported). With `--exit-code`, exits non-zero when the configs differ.
-*/
-const runDiff = (pathA, pathB, options) => {
-	const diff = diffConfigs(loadOrExit(pathA, "a"), loadOrExit(pathB, "b"));
-	if (options.format === "json") console.log(JSON.stringify(diff, null, 2));
-	else if (diff.identical) console.log(`${GREEN}✓${RESET} no differences`);
-	else {
-		const body = [...formatSection("secret", diff.secret), ...formatSection("env", diff.env)];
-		console.log(`${DIM}- ${pathA}\n+ ${pathB}${RESET}\n\n${body.join("\n")}`);
-	}
-	if (options.exitCode && !diff.identical) process.exit(1);
-};
-//#endregion
 //#region src/fnox/cli.ts
 /** Export all secrets from fnox as key=value pairs for a given profile */
 const fnoxExport = (profile, agentKey) => {
@@ -1695,112 +1611,696 @@ const bootSafe = (options) => {
 	}));
 };
 //#endregion
-//#region src/cli/commands/doctor.ts
-const ok = (label, detail) => console.log(`  ${GREEN}✓${RESET} ${label}  ${DIM}${detail}${RESET}`);
-const warn = (label, detail) => console.log(`  ${YELLOW}—${RESET} ${label}  ${detail}`);
-const bad = (label, detail) => console.log(`  ${RED}✗${RESET} ${label}  ${detail}`);
-/** Print the resolution/key check, returning whether it passed. */
-const reportResolution = (configPath) => bootSafe({
-	configPath,
-	inject: false,
-	warnOnly: true
-}).fold((err) => {
-	if (err._tag === "SealKeyUnavailable") {
-		bad("key   ", `${err.sealedKeys.length} sealed secret(s) but no decryption key`);
-		err.searched.forEach((line) => console.log(`${DIM}        ${line}${RESET}`));
-	} else bad("config", `${err._tag}`);
-	return false;
-}, (boot) => {
-	const resolved = Object.keys(boot.secrets).length;
-	ok("secrets", `${resolved} resolved, ${boot.skipped.length} skipped`);
-	const auditColor = boot.audit.status === "healthy" ? GREEN : YELLOW;
-	console.log(`  ${auditColor}•${RESET} audit   ${DIM}${boot.audit.status}${RESET}`);
-	return true;
-});
+//#region src/core/copy.ts
+/** Escape a string for a TOML basic (double-quoted) string. */
+const tomlString = (s) => `"${s.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\n/g, "\\n")}"`;
+const tomlStringArray = (arr) => `[${arr.map(tomlString).join(", ")}]`;
+const tomlInlineTable = (rec) => {
+	const entries = Object.entries(rec);
+	return entries.length === 0 ? "{}" : `{ ${entries.map(([k, v]) => `${k} = ${tomlString(v)}`).join(", ")} }`;
+};
 /**
-* One-shot environment check: is age installed, is a config resolvable, and do its sealed
-* secrets decrypt with an available key? Read-only; exits non-zero if any check fails.
+* The SecretMeta to write into the destination on copy.
+* - `created` is reset to today: the entry is new *here*, regardless of the source's age.
+* - `last_rotated_at` is dropped — it's the source's rotation history, not the copy's.
+* - `encryptedValue` re-derives the ciphertext: `Some(cipher)` sets the resealed value,
+*   `None` strips it entirely (a metadata-only copy of a secret with no sealed value).
 */
-const runDoctor = (options) => {
-	console.log(`${BOLD}envpkt doctor${RESET}\n`);
-	const ageOk = ageVersion().fold(() => {
-		bad("age   ", "not found on PATH");
-		console.log(`${DIM}        ${ageInstallHint().split("\n").join("\n        ")}${RESET}`);
-		return false;
-	}, (version) => {
-		ok("age   ", version);
-		return true;
-	});
-	const resolveOk = resolveConfigPath(options.config).fold(() => {
-		warn("config", "no envpkt.toml found for this directory");
-		return true;
-	}, ({ path }) => {
-		ok("config", path);
-		return reportResolution(path);
-	});
-	console.log("");
-	if (ageOk && resolveOk) console.log(`${GREEN}✓ no issues${RESET}`);
-	else {
-		console.log(`${RED}✗ ${[!ageOk, !resolveOk].filter(Boolean).length} issue(s) found${RESET} ${CYAN}(see above)${RESET}`);
-		process.exit(1);
-	}
+const copyableSecretMeta = (meta, opts) => {
+	const { last_rotated_at: _lra, encrypted_value: _ev, ...rest } = meta;
+	return opts.encryptedValue.fold(() => ({
+		...rest,
+		created: opts.today
+	}), (cipher) => ({
+		...rest,
+		created: opts.today,
+		encrypted_value: cipher
+	}));
+};
+/** Serialize a `[secret.<name>]` block from its metadata, round-trippable by the TOML parser. */
+const serializeSecretBlock = (name, meta) => {
+	const lines = [`[secret.${name}]`];
+	if (meta.service !== void 0) lines.push(`service = ${tomlString(meta.service)}`);
+	if (meta.purpose !== void 0) lines.push(`purpose = ${tomlString(meta.purpose)}`);
+	if (meta.comment !== void 0) lines.push(`comment = ${tomlString(meta.comment)}`);
+	if (meta.created !== void 0) lines.push(`created = ${tomlString(meta.created)}`);
+	if (meta.expires !== void 0) lines.push(`expires = ${tomlString(meta.expires)}`);
+	if (meta.rotates !== void 0) lines.push(`rotates = ${tomlString(meta.rotates)}`);
+	if (meta.rate_limit !== void 0) lines.push(`rate_limit = ${tomlString(meta.rate_limit)}`);
+	if (meta.model_hint !== void 0) lines.push(`model_hint = ${tomlString(meta.model_hint)}`);
+	if (meta.source !== void 0) lines.push(`source = ${tomlString(meta.source)}`);
+	if (meta.rotation_url !== void 0) lines.push(`rotation_url = ${tomlString(meta.rotation_url)}`);
+	if (meta.last_rotated_at !== void 0) lines.push(`last_rotated_at = ${tomlString(meta.last_rotated_at)}`);
+	if (meta.required !== void 0) lines.push(`required = ${meta.required ? "true" : "false"}`);
+	if (meta.capabilities !== void 0) lines.push(`capabilities = ${tomlStringArray(meta.capabilities)}`);
+	if (meta.tags !== void 0) lines.push(`tags = ${tomlInlineTable(meta.tags)}`);
+	if (meta.namespace !== void 0) lines.push(`namespace = ${tomlString(meta.namespace)}`);
+	if (meta.from_key !== void 0) lines.push(`from_key = ${tomlString(meta.from_key)}`);
+	if (meta.encrypted_value !== void 0 && meta.encrypted_value !== "") lines.push(`encrypted_value = """`, meta.encrypted_value, `"""`);
+	return `${lines.join("\n")}\n`;
+};
+/** Serialize an `[env.<name>]` block from its metadata. */
+const serializeEnvBlock = (name, meta) => {
+	const lines = [`[env.${name}]`];
+	if (meta.value !== void 0) lines.push(`value = ${tomlString(meta.value)}`);
+	if (meta.from_key !== void 0) lines.push(`from_key = ${tomlString(meta.from_key)}`);
+	if (meta.purpose !== void 0) lines.push(`purpose = ${tomlString(meta.purpose)}`);
+	if (meta.comment !== void 0) lines.push(`comment = ${tomlString(meta.comment)}`);
+	if (meta.tags !== void 0) lines.push(`tags = ${tomlInlineTable(meta.tags)}`);
+	if (meta.namespace !== void 0) lines.push(`namespace = ${tomlString(meta.namespace)}`);
+	return `${lines.join("\n")}\n`;
 };
 //#endregion
-//#region src/core/dotenv.ts
-const BARE_SAFE = /^[A-Za-z0-9_@%+=:,./-]+$/;
+//#region src/core/toml-edit.ts
+const SECTION_RE = /^\[.+\]\s*$/;
+const MULTILINE_OPEN = "\"\"\"";
+const scanSectionBoundary = (state, line, i) => {
+	if (state.done) return state;
+	if (state.inMultiline) return line.includes(MULTILINE_OPEN) ? {
+		...state,
+		inMultiline: false
+	} : state;
+	if (line.includes(MULTILINE_OPEN)) return (line.slice(line.indexOf("=") + 1).trim().match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1 ? {
+		...state,
+		inMultiline: true
+	} : state;
+	return SECTION_RE.test(line) ? {
+		...state,
+		end: i,
+		done: true
+	} : state;
+};
 /**
-* Quote a single value for dotenv output. Returns the value bare when safe,
-* otherwise double-quoted with POSIX-shell-quote escaping (`\`, `"`, `$`) and
-* whitespace collapsed to single-line escapes (`\n`, `\r`, `\t`) for portability.
+* Find the line range [start, end) of a TOML section by its header string.
+* The range includes the header line through to (but not including) the next section header or EOF.
+* Handles multiline `"""..."""` values when scanning for section boundaries.
 */
-const quoteDotenvValue = (value) => {
-	if (value === "") return "";
-	if (BARE_SAFE.test(value)) return value;
-	return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\$/g, "\\$").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t")}"`;
+const findSectionRange = (lines, sectionHeader) => {
+	const start = lines.findIndex((l) => l.trim() === sectionHeader);
+	if (start === -1) return void 0;
+	const initial = {
+		end: lines.length,
+		inMultiline: false,
+		done: false
+	};
+	return {
+		start,
+		end: List(lines.slice(start + 1)).zipWithIndex().foldLeft(initial)((state, entry) => scanSectionBoundary(state, entry[0], start + 1 + entry[1])).end
+	};
 };
-const formatEntry = (entry, includeSecrets) => {
-	if (entry.secret && !includeSecrets) return `# (secret value omitted — re-run without --no-secrets to include)\n${entry.name}=`;
-	return `${entry.name}=${quoteDotenvValue(entry.value)}`;
+/** Check whether a section header exists in the raw TOML */
+const sectionExists = (lines, sectionHeader) => lines.some((l) => l.trim() === sectionHeader);
+/**
+* Remove a TOML section (e.g. `[secret.X]`) and all its fields through the next section or EOF.
+* Strips trailing blank lines left behind.
+*/
+const removeSection = (raw, sectionHeader) => {
+	const lines = raw.split("\n");
+	const range = findSectionRange(lines, sectionHeader);
+	if (!range) return Either.left({
+		_tag: "SectionNotFound",
+		section: sectionHeader
+	});
+	const after = lines.slice(range.end);
+	const beforeAll = lines.slice(0, range.start);
+	const lastNonBlank = beforeAll.findLastIndex((l) => l.trim() !== "");
+	const result = [...lastNonBlank === -1 ? [] : beforeAll.slice(0, lastNonBlank + 1), ...after].join("\n");
+	return Either.right(result);
 };
-/** Serialize entries to dotenv text (no trailing newline). */
-const formatDotenv = (entries, options) => {
-	const includeSecrets = options?.includeSecrets ?? true;
-	const body = entries.map((e) => formatEntry(e, includeSecrets)).join("\n");
-	const header = options?.header;
-	return header ? `${header}\n\n${body}` : body;
+/**
+* Rename a TOML section header (e.g. `[secret.OLD]` → `[secret.NEW]`).
+* Errors if old doesn't exist or new already exists.
+*/
+const renameSection = (raw, oldHeader, newHeader) => {
+	const lines = raw.split("\n");
+	if (!sectionExists(lines, oldHeader)) return Either.left({
+		_tag: "SectionNotFound",
+		section: oldHeader
+	});
+	if (sectionExists(lines, newHeader)) return Either.left({
+		_tag: "SectionAlreadyExists",
+		section: newHeader
+	});
+	const result = lines.map((line) => line.trim() === oldHeader ? newHeader : line).join("\n");
+	return Either.right(result);
 };
-//#endregion
-//#region src/core/patterns.ts
-const EXCLUDED_VARS = Set$1([
-	"PATH",
-	"HOME",
-	"USER",
-	"SHELL",
-	"TERM",
-	"LANG",
-	"LC_ALL",
-	"LC_CTYPE",
-	"DISPLAY",
-	"EDITOR",
-	"VISUAL",
-	"PAGER",
-	"HOSTNAME",
-	"LOGNAME",
-	"MAIL",
-	"OLDPWD",
-	"PWD",
-	"SHLVL",
-	"TMPDIR",
-	"TZ",
-	"XDG_CACHE_HOME",
-	"XDG_CONFIG_HOME",
-	"XDG_DATA_HOME",
-	"XDG_RUNTIME_DIR",
-	"XDG_SESSION_TYPE",
-	"NODE_ENV",
-	"NODE_PATH",
-	"NODE_OPTIONS",
-	"NVM_DIR",
+/**
+* Update, add, or remove fields within an existing TOML section.
+* - A string value replaces or adds the field
+* - A null value removes the field
+* Does NOT re-serialize — operates on raw text lines.
+*/
+const updateSectionFields = (raw, sectionHeader, updates) => {
+	const lines = raw.split("\n");
+	const range = findSectionRange(lines, sectionHeader);
+	if (!range) return Either.left({
+		_tag: "SectionNotFound",
+		section: sectionHeader
+	});
+	const before = lines.slice(0, range.start + 1);
+	const after = lines.slice(range.end);
+	const sectionBody = lines.slice(range.start + 1, range.end);
+	const findClosingMultiline = (fromIdx) => {
+		const idx = sectionBody.findIndex((l, j) => j > fromIdx && l.includes(MULTILINE_OPEN));
+		return idx === -1 ? sectionBody.length : idx;
+	};
+	const initial = {
+		remaining: [],
+		updatedKeys: Set$1.empty(),
+		skipUntil: -1
+	};
+	const step = (state, line, i) => {
+		if (i <= state.skipUntil) return state;
+		const eqIdx = line.indexOf("=");
+		const isFieldLine = eqIdx > 0 && !line.trimStart().startsWith("#") && !line.trimStart().startsWith("[");
+		const key = isFieldLine ? line.slice(0, eqIdx).trim() : "";
+		if (isFieldLine && key in updates) {
+			const afterEquals = line.slice(eqIdx + 1).trim();
+			const skipUntil = afterEquals.includes(MULTILINE_OPEN) && (afterEquals.match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1 ? findClosingMultiline(i) : state.skipUntil;
+			const updatedKeys = state.updatedKeys.add(key);
+			const value = updates[key];
+			if (value === null) return {
+				...state,
+				updatedKeys,
+				skipUntil
+			};
+			return {
+				remaining: [...state.remaining, `${key} = ${value}`],
+				updatedKeys,
+				skipUntil
+			};
+		}
+		return {
+			...state,
+			remaining: [...state.remaining, line]
+		};
+	};
+	const final = List(sectionBody).zipWithIndex().foldLeft(initial)((state, entry) => step(state, entry[0], entry[1]));
+	const newFields = Object.entries(updates).filter(([key, value]) => value !== null && !final.updatedKeys.has(key)).map(([key, value]) => `${key} = ${value}`);
+	const result = [
+		...before,
+		...final.remaining,
+		...newFields,
+		...after
+	].join("\n");
+	return Either.right(result);
+};
+/**
+* Append a new TOML section block to the end of the file.
+* Ensures proper spacing (double newline before the block).
+*/
+const appendSection = (raw, block) => `${raw.trimEnd()}\n\n${block}`;
+const ENV_HEADER_RE = /^\[env\.(.+)\]\s*$/;
+const SECRET_HEADER_RE = /^\[secret\.(.+)\]\s*$/;
+const ANY_HEADER_RE = /^\[.+\]\s*$/;
+/**
+* Find the end (exclusive) of a section starting at `start`, respecting
+* multiline `"""..."""` values so the scanner does not mistake content inside
+* a multiline string for a section header.
+*/
+const findSectionEnd = (lines, start) => {
+	const initial = {
+		end: lines.length,
+		inMultiline: false,
+		done: false
+	};
+	return List(lines.slice(start + 1)).zipWithIndex().foldLeft(initial)((state, entry) => scanSectionBoundary(state, entry[0], start + 1 + entry[1])).end;
+};
+/**
+* Walking backwards from `headerIdx`, return the index of the first line of the
+* "doc block" that should travel with this section. A doc block is a contiguous
+* run of `#`-comment lines *immediately* above the header (no blank line
+* between). A blank line acts as a paragraph break and stops the walk — so
+* `# Some heading\n\n[secret.X]` does NOT attach the heading to `[secret.X]`.
+*/
+const findPreambleStart = (lines, headerIdx) => {
+	const stopOffset = [...lines.slice(0, headerIdx)].reverse().findIndex((l) => !l.trim().startsWith("#"));
+	return stopOffset === -1 ? 0 : headerIdx - stopOffset;
+};
+const classifyHeader = (line, idx) => {
+	if (!ANY_HEADER_RE.test(line)) return Option.none();
+	const envMatch = line.match(ENV_HEADER_RE);
+	if (envMatch) return Option({
+		idx,
+		kind: "env",
+		key: envMatch[1]
+	});
+	const secretMatch = line.match(SECRET_HEADER_RE);
+	if (secretMatch) return Option({
+		idx,
+		kind: "secret",
+		key: secretMatch[1]
+	});
+	return Option({
+		idx,
+		kind: "other",
+		key: ""
+	});
+};
+const scanHeader = (state, line, idx) => {
+	if (state.inMultiline) return line.includes(MULTILINE_OPEN) ? {
+		...state,
+		inMultiline: false
+	} : state;
+	if (line.includes(MULTILINE_OPEN)) return (line.slice(line.indexOf("=") + 1).trim().match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1 ? {
+		...state,
+		inMultiline: true
+	} : state;
+	return classifyHeader(line, idx).fold(() => state, (header) => ({
+		...state,
+		headers: [...state.headers, header]
+	}));
+};
+const partitionSections = (raw) => {
+	const lines = raw.split("\n");
+	const { headers } = List(lines).zipWithIndex().foldLeft({
+		headers: [],
+		inMultiline: false
+	})((state, entry) => scanHeader(state, entry[0], entry[1]));
+	const envSecretHeaders = headers.filter((h) => h.kind === "env" || h.kind === "secret");
+	const trueBodyRange = (headerIdx) => {
+		const naiveEnd = findSectionEnd(lines, headerIdx);
+		const lastContent = lines.slice(headerIdx, naiveEnd).findLastIndex((l) => {
+			const t = l.trim();
+			return t !== "" && !t.startsWith("#");
+		});
+		return {
+			start: headerIdx,
+			end: lastContent === -1 ? headerIdx + 1 : headerIdx + lastContent + 1
+		};
+	};
+	const sections = envSecretHeaders.map((h) => {
+		const headerIdx = h.idx;
+		const preambleStart = findPreambleStart(lines, headerIdx);
+		const body = lines.slice(headerIdx, trueBodyRange(headerIdx).end);
+		const preamble = lines.slice(preambleStart, headerIdx);
+		return {
+			kind: h.kind,
+			key: h.key,
+			body,
+			preamble
+		};
+	});
+	const claimedRanges = envSecretHeaders.map((h) => {
+		const headerIdx = h.idx;
+		return {
+			start: findPreambleStart(lines, headerIdx),
+			end: trueBodyRange(headerIdx).end
+		};
+	});
+	const isClaimed = (idx) => claimedRanges.some((r) => idx >= r.start && idx < r.end);
+	return {
+		preambleLines: lines.map((l, idx) => isClaimed(idx) ? null : l).filter((l) => l !== null),
+		envSections: sections.filter((s) => s.kind === "env"),
+		secretSections: sections.filter((s) => s.kind === "secret")
+	};
+};
+const emitSection = (s) => {
+	return `${s.preamble.length > 0 ? `${s.preamble.join("\n")}\n` : ""}${s.body.join("\n")}`;
+};
+/**
+* Reformat a TOML config with `[env.*]` and `[secret.*]` sections grouped and
+* alphabetized. Top-level content (version key, `[identity]`, `[lifecycle]`,
+* `[callbacks]`, `[tools]`, etc.) stays in its original position. Comment
+* doc-blocks immediately above a section header travel with that section.
+*
+* Pure — no I/O. Returns the raw input unchanged when there is no env or
+* secret content to reorder.
+*/
+const sortConfigToml = (raw) => {
+	const { preambleLines, envSections, secretSections } = partitionSections(raw);
+	if (envSections.length === 0 && secretSections.length === 0) return raw;
+	const sortedEnv = [...envSections].sort((a, b) => a.key.localeCompare(b.key));
+	const sortedSecret = [...secretSections].sort((a, b) => a.key.localeCompare(b.key));
+	const trimTrailing = (xs) => {
+		const lastNonBlank = xs.findLastIndex((l) => l.trim() !== "");
+		return lastNonBlank === -1 ? [] : xs.slice(0, lastNonBlank + 1);
+	};
+	const collapseBlanks = (xs) => xs.reduce((acc, line) => {
+		const isBlank = line.trim() === "";
+		const prevBlank = acc.length > 0 && acc[acc.length - 1].trim() === "";
+		if (isBlank && prevBlank) return acc;
+		return [...acc, line];
+	}, []);
+	const preambleTrimmed = collapseBlanks(trimTrailing(preambleLines));
+	const parts = [];
+	if (preambleTrimmed.length > 0) parts.push(preambleTrimmed.join("\n"));
+	if (sortedEnv.length > 0) parts.push(sortedEnv.map(emitSection).join("\n\n"));
+	if (sortedSecret.length > 0) parts.push(sortedSecret.map(emitSection).join("\n\n"));
+	return `${parts.join("\n\n")}\n`;
+};
+//#endregion
+//#region src/core/validate.ts
+/**
+* Validate a raw TOML string as a complete envpkt config: parse → schema → aliases.
+*
+* Used by write-path CLI commands to verify the post-edit file would still be
+* structurally valid before persisting. Catalog resolution is intentionally
+* excluded — catalog issues depend on external files, not on the local edit,
+* and `envpkt validate` covers them as a separate explicit check.
+*/
+const validateRawConfig = (raw) => parseToml(raw).flatMap(validateConfig).flatMap((config) => validateAliases(config).map(() => config));
+/** Human-readable one-liner for any ValidationError tag. */
+const formatValidationError = (err) => {
+	switch (err._tag) {
+		case "FileNotFound": return `Config file not found: ${err.path}`;
+		case "ParseError": return `TOML parse error: ${err.message}`;
+		case "ValidationError": return `Schema validation failed: ${err.errors.toArray().join("; ")}`;
+		case "ReadError": return `Read error: ${err.message}`;
+		case "AliasInvalidSyntax":
+		case "AliasTargetMissing":
+		case "AliasSelfReference":
+		case "AliasChained":
+		case "AliasCrossType":
+		case "AliasValueConflict": return formatAliasError(err);
+	}
+};
+//#endregion
+//#region src/cli/write-gate.ts
+/**
+* Run structural validation against an in-memory TOML string.
+* On failure, prints the error, leaves the file untouched, and exits with code 1.
+* On success, returns — caller is responsible for writing.
+*
+* Use this when the write step has bespoke logic (e.g. wraps writeFileSync in Try,
+* has multi-line post-write output). Otherwise prefer `writeIfValid`.
+*/
+const validateOrExit = (updated) => {
+	validateRawConfig(updated).fold((err) => {
+		console.error(`${RED}Error:${RESET} Aborted — change would produce an invalid config:`);
+		console.error(`  ${formatValidationError(err)}`);
+		console.error(`${DIM}File unchanged.${RESET}`);
+		process.exit(1);
+	}, () => {});
+};
+/**
+* Validate then persist. Most mutating CLI commands use this — it bundles the
+* validate-or-exit gate with the writeFileSync + success log so each call site
+* stays two lines instead of five.
+*/
+const writeIfValid = (configPath, updated, successMsg) => {
+	validateOrExit(updated);
+	writeFileSync(configPath, updated, "utf-8");
+	console.log(successMsg);
+};
+/**
+* Validate then preview (no write) — the `--dry-run` counterpart of `writeIfValid`.
+* Runs the same structural validation the real write would, so a dry-run can never
+* show a result that the actual write would reject. On invalid output it prints the
+* same error and exits 1, exactly as the write path does.
+*
+* `display` lets callers preview a focused slice (e.g. just the new block for `add`)
+* while still validating the full resulting config.
+*/
+const previewIfValid = (updated, display) => {
+	validateOrExit(updated);
+	console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+	console.log(display ?? updated);
+};
+//#endregion
+//#region src/cli/commands/copy.ts
+/** Unwrap an Either, or print the formatted error and exit with `code`. */
+const orExit = (e, onErr, code) => e.fold((err) => {
+	console.error(onErr(err));
+	return process.exit(code);
+}, (a) => a);
+const todayIso$2 = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+/**
+* Build the `[secret.<destName>]` block for a copy: unseal the source value with the
+* source identity and reseal it for the destination recipient. Secrets with no sealed
+* value are copied as metadata only (with a warning) — there's nothing to reseal.
+*/
+const sealedSecretBlock = (key, destName, srcConfig, srcPath, destConfig) => {
+	const meta = srcConfig.secret[key];
+	const today = todayIso$2();
+	if (meta.encrypted_value === void 0 || meta.encrypted_value === "") {
+		console.error(`${YELLOW}Warning:${RESET} secret "${key}" has no sealed value — copying metadata only.`);
+		return serializeSecretBlock(destName, copyableSecretMeta(meta, {
+			today,
+			encryptedValue: Option.none()
+		}));
+	}
+	const identity = resolveSealIdentity(srcConfig, dirname(srcPath)).fold(() => {
+		console.error(`${RED}Error:${RESET} cannot unseal "${key}" from source — no age key found.`);
+		describeSealKeySearch(srcConfig, dirname(srcPath)).forEach((line) => console.error(`${DIM}  ${line}${RESET}`));
+		return process.exit(2);
+	}, (id) => id);
+	const recipient = destConfig.identity?.recipient;
+	if (recipient === void 0) {
+		identity.dispose();
+		console.error(`${RED}Error:${RESET} destination needs identity.recipient to reseal "${destName}".`);
+		console.error(`${DIM}  Run ${CYAN}envpkt keygen${DIM} in the destination, or add an [identity] recipient.${RESET}`);
+		return process.exit(1);
+	}
+	const unsealed = unsealSecrets({ [key]: meta }, identity.path);
+	identity.dispose();
+	const plaintext = orExit(unsealed, (err) => `${RED}Error:${RESET} decrypt failed for "${key}": ${err.message}`, 2)[key];
+	if (plaintext === void 0) {
+		console.error(`${RED}Error:${RESET} "${key}" produced no plaintext on unseal.`);
+		return process.exit(2);
+	}
+	return serializeSecretBlock(destName, copyableSecretMeta(meta, {
+		today,
+		encryptedValue: Option(orExit(ageEncrypt(plaintext, recipient), (err) => `${RED}Error:${RESET} reseal failed for "${destName}": ${err.message}`, 2))
+	}));
+};
+const writeBlock = (destPath, header, block, overwrite, dryRun, successMsg) => {
+	const raw = readFileSync(destPath, "utf-8");
+	const updated = appendSection(overwrite ? orExit(removeSection(raw, header), (err) => `${RED}Error:${RESET} ${err._tag}: ${err.section}`, 2) : raw, block);
+	if (dryRun) {
+		previewIfValid(updated, block);
+		return;
+	}
+	writeIfValid(destPath, updated, successMsg);
+};
+/**
+* Copy a secret or env entry from one config to another. Secrets are unsealed with the
+* source's age key and resealed for the destination's recipient automatically. The kind
+* (secret vs env) is detected from where the key lives in the source. `--from`/`--to`
+* default to the resolved config for the current directory.
+*/
+const runCopy = (key, options) => {
+	const src = orExit(resolveConfigPath(options.from), formatError, 2);
+	const dest = orExit(resolveConfigPath(options.to), formatError, 2);
+	const srcConfig = orExit(loadConfig(src.path), formatError, 2);
+	const destConfig = orExit(loadConfig(dest.path), formatError, 2);
+	console.error(`${DIM}copy: ${src.path} → ${dest.path}${RESET}`);
+	const inSecret = srcConfig.secret?.[key] !== void 0;
+	const inEnv = srcConfig.env?.[key] !== void 0;
+	if (inSecret && inEnv) {
+		console.error(`${RED}Error:${RESET} "${key}" exists as both a secret and an env entry in ${src.path}; copy them separately.`);
+		process.exit(1);
+	}
+	if (!inSecret && !inEnv) {
+		console.error(`${RED}Error:${RESET} "${key}" not found in ${src.path}`);
+		process.exit(1);
+	}
+	const destName = options.as ?? key;
+	const kindWord = inSecret ? "secret" : "env";
+	if (src.path === dest.path && destName === key) {
+		console.error(`${RED}Error:${RESET} source and destination are the same entry — use --as to copy under a new name.`);
+		process.exit(1);
+	}
+	const existsInDest = inSecret ? destConfig.secret?.[destName] !== void 0 : destConfig.env?.[destName] !== void 0;
+	if (existsInDest && options.force !== true) {
+		console.error(`${RED}Error:${RESET} ${kindWord} "${destName}" already exists in ${dest.path}. Use --force to overwrite.`);
+		process.exit(1);
+	}
+	const block = inSecret ? sealedSecretBlock(key, destName, srcConfig, src.path, destConfig) : serializeEnvBlock(destName, srcConfig.env[key]);
+	const successMsg = `${GREEN}✓${RESET} Copied ${kindWord} ${BOLD}${key}${RESET}${destName !== key ? ` → ${BOLD}${destName}${RESET}` : ""} to ${CYAN}${dest.path}${RESET}`;
+	writeBlock(dest.path, `[${kindWord}.${destName}]`, block, existsInDest, options.dryRun === true, successMsg);
+};
+//#endregion
+//#region src/core/diff.ts
+/** Normalize a metadata value to a comparable/displayable string (`undefined` = absent). */
+const serialize = (value) => value === void 0 ? void 0 : typeof value === "string" ? value : JSON.stringify(value);
+/**
+* Field-level diff of two entries. `encrypted_value` is excluded from value comparison — the same
+* secret re-encrypts to different ciphertext, so diffing it is noise — but a change in *sealed
+* status* (present ↔ absent) is reported as a synthetic `sealed` field.
+*/
+const metaDiff = (a, b) => {
+	const ar = a;
+	const br = b;
+	const sealedChange = !!ar["encrypted_value"] === !!br["encrypted_value"] ? [] : [{
+		field: "sealed",
+		a: ar["encrypted_value"] ? "yes" : "no",
+		b: br["encrypted_value"] ? "yes" : "no"
+	}];
+	const fieldChanges = [...Object.keys(ar), ...Object.keys(br)].filter((k, i, arr) => k !== "encrypted_value" && arr.indexOf(k) === i).flatMap((field) => {
+		const av = serialize(ar[field]);
+		const bv = serialize(br[field]);
+		return av === bv ? [] : [{
+			field,
+			a: av,
+			b: bv
+		}];
+	});
+	return [...sealedChange, ...fieldChanges.sort((x, y) => x.field.localeCompare(y.field))];
+};
+const sectionDiff = (a, b) => {
+	const aKeys = Object.keys(a);
+	const bKeys = Object.keys(b);
+	return {
+		onlyA: aKeys.filter((k) => !(k in b)).sort(),
+		onlyB: bKeys.filter((k) => !(k in a)).sort(),
+		changed: aKeys.filter((k) => k in b).sort().flatMap((key) => {
+			const changes = metaDiff(a[key], b[key]);
+			return changes.length === 0 ? [] : [{
+				key,
+				changes
+			}];
+		})
+	};
+};
+const isEmpty = (s) => s.onlyA.length === 0 && s.onlyB.length === 0 && s.changed.length === 0;
+/** Compare two configs by their `[secret.*]` and `[env.*]` entries (metadata, not ciphertext). */
+const diffConfigs = (a, b) => {
+	const secret = sectionDiff(a.secret ?? {}, b.secret ?? {});
+	const env = sectionDiff(a.env ?? {}, b.env ?? {});
+	return {
+		secret,
+		env,
+		identical: isEmpty(secret) && isEmpty(env)
+	};
+};
+//#endregion
+//#region src/cli/commands/diff.ts
+const formatSection = (name, s) => {
+	if (s.onlyA.length === 0 && s.onlyB.length === 0 && s.changed.length === 0) return [];
+	return [
+		`${BOLD}[${name}]${RESET}`,
+		...s.onlyA.map((k) => `  ${RED}- ${k}${RESET}`),
+		...s.onlyB.map((k) => `  ${GREEN}+ ${k}${RESET}`),
+		...s.changed.flatMap((c) => [`  ${YELLOW}~ ${c.key}${RESET}`, ...c.changes.map((ch) => `      ${ch.field}: ${DIM}${ch.a ?? "∅"}${RESET} → ${DIM}${ch.b ?? "∅"}${RESET}`)])
+	];
+};
+const loadOrExit = (path, side) => loadConfig(path).fold((err) => {
+	console.error(`${RED}Error${RESET} (${side} = ${path}): ${formatError(err)}`);
+	process.exit(2);
+}, (config) => config);
+/**
+* Compare two envpkt.toml files by their `[secret.*]` and `[env.*]` entries. Reports keys only in
+* each side and field-level metadata changes for shared keys (ciphertext is ignored; sealed-status
+* changes are reported). With `--exit-code`, exits non-zero when the configs differ.
+*/
+const runDiff = (pathA, pathB, options) => {
+	const diff = diffConfigs(loadOrExit(pathA, "a"), loadOrExit(pathB, "b"));
+	if (options.format === "json") console.log(JSON.stringify(diff, null, 2));
+	else if (diff.identical) console.log(`${GREEN}✓${RESET} no differences`);
+	else {
+		const body = [...formatSection("secret", diff.secret), ...formatSection("env", diff.env)];
+		console.log(`${DIM}- ${pathA}\n+ ${pathB}${RESET}\n\n${body.join("\n")}`);
+	}
+	if (options.exitCode && !diff.identical) process.exit(1);
+};
+//#endregion
+//#region src/cli/commands/doctor.ts
+const ok = (label, detail) => console.log(`  ${GREEN}✓${RESET} ${label}  ${DIM}${detail}${RESET}`);
+const warn = (label, detail) => console.log(`  ${YELLOW}—${RESET} ${label}  ${detail}`);
+const bad = (label, detail) => console.log(`  ${RED}✗${RESET} ${label}  ${detail}`);
+/** Print the resolution/key check, returning whether it passed. */
+const reportResolution = (configPath) => bootSafe({
+	configPath,
+	inject: false,
+	warnOnly: true
+}).fold((err) => {
+	if (err._tag === "SealKeyUnavailable") {
+		bad("key   ", `${err.sealedKeys.length} sealed secret(s) but no decryption key`);
+		err.searched.forEach((line) => console.log(`${DIM}        ${line}${RESET}`));
+	} else bad("config", `${err._tag}`);
+	return false;
+}, (boot) => {
+	const resolved = Object.keys(boot.secrets).length;
+	ok("secrets", `${resolved} resolved, ${boot.skipped.length} skipped`);
+	const auditColor = boot.audit.status === "healthy" ? GREEN : YELLOW;
+	console.log(`  ${auditColor}•${RESET} audit   ${DIM}${boot.audit.status}${RESET}`);
+	return true;
+});
+/**
+* One-shot environment check: is age installed, is a config resolvable, and do its sealed
+* secrets decrypt with an available key? Read-only; exits non-zero if any check fails.
+*/
+const runDoctor = (options) => {
+	console.log(`${BOLD}envpkt doctor${RESET}\n`);
+	const ageOk = ageVersion().fold(() => {
+		bad("age   ", "not found on PATH");
+		console.log(`${DIM}        ${ageInstallHint().split("\n").join("\n        ")}${RESET}`);
+		return false;
+	}, (version) => {
+		ok("age   ", version);
+		return true;
+	});
+	const resolveOk = resolveConfigPath(options.config).fold(() => {
+		warn("config", "no envpkt.toml found for this directory");
+		return true;
+	}, ({ path }) => {
+		ok("config", path);
+		return reportResolution(path);
+	});
+	console.log("");
+	if (ageOk && resolveOk) console.log(`${GREEN}✓ no issues${RESET}`);
+	else {
+		console.log(`${RED}✗ ${[!ageOk, !resolveOk].filter(Boolean).length} issue(s) found${RESET} ${CYAN}(see above)${RESET}`);
+		process.exit(1);
+	}
+};
+//#endregion
+//#region src/core/dotenv.ts
+const BARE_SAFE = /^[A-Za-z0-9_@%+=:,./-]+$/;
+/**
+* Quote a single value for dotenv output. Returns the value bare when safe,
+* otherwise double-quoted with POSIX-shell-quote escaping (`\`, `"`, `$`) and
+* whitespace collapsed to single-line escapes (`\n`, `\r`, `\t`) for portability.
+*/
+const quoteDotenvValue = (value) => {
+	if (value === "") return "";
+	if (BARE_SAFE.test(value)) return value;
+	return `"${value.replace(/\\/g, "\\\\").replace(/"/g, "\\\"").replace(/\$/g, "\\$").replace(/\n/g, "\\n").replace(/\r/g, "\\r").replace(/\t/g, "\\t")}"`;
+};
+const formatEntry = (entry, includeSecrets) => {
+	if (entry.secret && !includeSecrets) return `# (secret value omitted — re-run without --no-secrets to include)\n${entry.name}=`;
+	return `${entry.name}=${quoteDotenvValue(entry.value)}`;
+};
+/** Serialize entries to dotenv text (no trailing newline). */
+const formatDotenv = (entries, options) => {
+	const includeSecrets = options?.includeSecrets ?? true;
+	const body = entries.map((e) => formatEntry(e, includeSecrets)).join("\n");
+	const header = options?.header;
+	return header ? `${header}\n\n${body}` : body;
+};
+//#endregion
+//#region src/core/patterns.ts
+const EXCLUDED_VARS = Set$1([
+	"PATH",
+	"HOME",
+	"USER",
+	"SHELL",
+	"TERM",
+	"LANG",
+	"LC_ALL",
+	"LC_CTYPE",
+	"DISPLAY",
+	"EDITOR",
+	"VISUAL",
+	"PAGER",
+	"HOSTNAME",
+	"LOGNAME",
+	"MAIL",
+	"OLDPWD",
+	"PWD",
+	"SHLVL",
+	"TMPDIR",
+	"TZ",
+	"XDG_CACHE_HOME",
+	"XDG_CONFIG_HOME",
+	"XDG_DATA_HOME",
+	"XDG_RUNTIME_DIR",
+	"XDG_SESSION_TYPE",
+	"NODE_ENV",
+	"NODE_PATH",
+	"NODE_OPTIONS",
+	"NVM_DIR",
 	"NVM_BIN",
 	"NVM_INC",
 	"NVM_CD_FLAGS",
@@ -2295,626 +2795,279 @@ const VALUE_SHAPE_PATTERNS = [
 		description: "GitHub server-to-server token"
 	},
 	{
-		prefix: "ghu_",
-		service: "github",
-		description: "GitHub user-to-server token"
-	},
-	{
-		prefix: "github_pat_",
-		service: "github",
-		description: "GitHub fine-grained PAT"
-	},
-	{
-		prefix: "xoxb-",
-		service: "slack",
-		description: "Slack bot token"
-	},
-	{
-		prefix: "xoxp-",
-		service: "slack",
-		description: "Slack user token"
-	},
-	{
-		prefix: "xoxa-",
-		service: "slack",
-		description: "Slack app token"
-	},
-	{
-		prefix: "xoxs-",
-		service: "slack",
-		description: "Slack legacy token"
-	},
-	{
-		prefix: "SG.",
-		service: "sendgrid",
-		description: "SendGrid API key"
-	},
-	{
-		prefix: "hf_",
-		service: "huggingface",
-		description: "Hugging Face token"
-	},
-	{
-		prefix: "r8_",
-		service: "replicate",
-		description: "Replicate API token"
-	},
-	{
-		prefix: "eyJ",
-		service: "jwt",
-		description: "JWT token"
-	},
-	{
-		prefix: "postgres://",
-		service: "postgresql",
-		description: "PostgreSQL connection string"
-	},
-	{
-		prefix: "postgresql://",
-		service: "postgresql",
-		description: "PostgreSQL connection string"
-	},
-	{
-		prefix: "mysql://",
-		service: "mysql",
-		description: "MySQL connection string"
-	},
-	{
-		prefix: "mongodb://",
-		service: "mongodb",
-		description: "MongoDB connection string"
-	},
-	{
-		prefix: "mongodb+srv://",
-		service: "mongodb",
-		description: "MongoDB SRV connection string"
-	},
-	{
-		prefix: "redis://",
-		service: "redis",
-		description: "Redis connection string"
+		prefix: "ghu_",
+		service: "github",
+		description: "GitHub user-to-server token"
 	},
 	{
-		prefix: "rediss://",
-		service: "redis",
-		description: "Redis TLS connection string"
+		prefix: "github_pat_",
+		service: "github",
+		description: "GitHub fine-grained PAT"
 	},
 	{
-		prefix: "amqp://",
-		service: "rabbitmq",
-		description: "RabbitMQ connection string"
+		prefix: "xoxb-",
+		service: "slack",
+		description: "Slack bot token"
 	},
 	{
-		prefix: "amqps://",
-		service: "rabbitmq",
-		description: "RabbitMQ TLS connection string"
-	}
-];
-/** Detect service from value prefix/shape */
-const matchValueShape = (value) => {
-	return Option(VALUE_SHAPE_PATTERNS.find((vp) => value.startsWith(vp.prefix))).map((vp) => ({
-		service: vp.service,
-		description: vp.description
-	}));
-};
-/** Strip common suffixes and derive a service name from an env var name */
-const deriveServiceFromName = (name) => {
-	const matchedSuffix = [
-		"_API_KEY",
-		"_SECRET_KEY",
-		"_ACCESS_KEY",
-		"_PRIVATE_KEY",
-		"_SIGNING_KEY",
-		"_AUTH_TOKEN",
-		"_ACCESS_TOKEN",
-		"_WEBHOOK_SECRET",
-		"_CONNECTION_STRING",
-		"_SECRET",
-		"_TOKEN",
-		"_PASSWORD",
-		"_PASS",
-		"_KEY",
-		"_DSN",
-		"_URL",
-		"_URI"
-	].find((s) => name.endsWith(s));
-	return (matchedSuffix ? name.slice(0, -matchedSuffix.length) : name).toLowerCase().replace(/_/g, "-");
-};
-/** Match a single env var against all patterns */
-const matchEnvVar = (name, value) => {
-	if (EXCLUDED_VARS.has(name)) return Option(void 0);
-	const exactMatch = EXACT_NAME_PATTERNS.find((p) => name === p.pattern);
-	if (exactMatch) return Option({
-		envVar: name,
-		value,
-		service: Option(exactMatch.service),
-		confidence: exactMatch.confidence,
-		matchedBy: `exact:${exactMatch.pattern}`
-	});
-	return matchValueShape(value).fold(() => {
-		return Option(SUFFIX_PATTERNS.find((sp) => name.endsWith(sp.suffix))).map((sp) => ({
-			envVar: name,
-			value,
-			service: Option(deriveServiceFromName(name)),
-			confidence: "medium",
-			matchedBy: `suffix:${sp.suffix}`
-		}));
-	}, (vm) => Option({
-		envVar: name,
-		value,
-		service: Option(vm.service),
-		confidence: "high",
-		matchedBy: `value:${vm.description}`
-	}));
-};
-/** Scan full env, sorted by confidence (high first) then alphabetically */
-const scanEnv = (env) => {
-	const results = Object.entries(env).flatMap(([name, value]) => {
-		if (value === void 0 || value === "") return [];
-		return matchEnvVar(name, value).fold(() => [], (m) => [m]);
-	});
-	const confidenceOrder = {
-		high: 0,
-		medium: 1,
-		low: 2
-	};
-	results.sort((a, b) => {
-		const conf = confidenceOrder[a.confidence] - confidenceOrder[b.confidence];
-		if (conf !== 0) return conf;
-		return a.envVar.localeCompare(b.envVar);
-	});
-	return results;
-};
-//#endregion
-//#region src/core/env.ts
-/** Scan env for credentials, returning structured results */
-const envScan = (env, options) => {
-	const allMatches = scanEnv(env);
-	const discovered = options?.includeUnknown ? allMatches : allMatches.filter((m) => m.service.isSome());
-	const total_scanned = Object.keys(env).length;
-	const high_confidence = discovered.filter((m) => m.confidence === "high").length;
-	const medium_confidence = discovered.filter((m) => m.confidence === "medium").length;
-	const low_confidence = discovered.filter((m) => m.confidence === "low").length;
-	return {
-		discovered: List(discovered),
-		total_scanned,
-		high_confidence,
-		medium_confidence,
-		low_confidence
-	};
-};
-const parseAliasRef = (raw, expectedKind) => {
-	const match = raw.match(/^(secret|env)\.(.+)$/);
-	if (match?.[1] !== expectedKind) return Option(void 0);
-	return Option(match[2]);
-};
-/** Bidirectional drift detection between config and live environment */
-const envCheck = (config, env) => {
-	const secretEntries = config.secret ?? {};
-	const metaKeys = Object.keys(secretEntries);
-	const metaKeysSet = Set$1(metaKeys);
-	const namer = makeEnvNamer(config);
-	const envDefaultsForWire = config.env ?? {};
-	const secretWire = (key) => namer(key, secretEntries[key]?.namespace);
-	const envWire = (key) => namer(key, envDefaultsForWire[key]?.namespace);
-	const isPresentAt = (wire) => env[wire] !== void 0 && env[wire] !== "";
-	const isSecretPresent = (key) => {
-		if (isPresentAt(secretWire(key))) return true;
-		const meta = secretEntries[key];
-		if (meta?.from_key === void 0) return false;
-		return parseAliasRef(meta.from_key, "secret").fold(() => false, (targetKey) => isPresentAt(secretWire(targetKey)));
-	};
-	const secretDriftEntries = Object.entries(secretEntries).map(([key, meta]) => {
-		const present = isSecretPresent(key);
-		return {
-			envVar: key,
-			service: Option(meta.service),
-			status: present ? "tracked" : "missing_from_env",
-			confidence: Option(void 0)
-		};
-	});
-	const envDefaults = config.env ?? {};
-	const isEnvPresent = (key) => {
-		if (isPresentAt(envWire(key))) return true;
-		const meta = envDefaults[key];
-		if (meta?.from_key === void 0) return false;
-		return parseAliasRef(meta.from_key, "env").fold(() => false, (targetKey) => isPresentAt(envWire(targetKey)));
-	};
-	const envDefaultEntries = Object.keys(envDefaults).filter((key) => !metaKeysSet.has(key)).map((key) => {
-		const present = isEnvPresent(key);
-		return {
-			envVar: key,
-			service: Option(void 0),
-			status: present ? "tracked" : "missing_from_env",
-			confidence: Option(void 0)
-		};
-	});
-	const trackedKeys = Set$1([...metaKeys.map(secretWire), ...envDefaultEntries.map((e) => envWire(e.envVar))]);
-	const untrackedEntries = scanEnv(env).filter((match) => !trackedKeys.has(match.envVar)).map((match) => ({
-		envVar: match.envVar,
-		service: match.service,
-		status: "untracked",
-		confidence: Option(match.confidence)
-	}));
-	const entries = [
-		...secretDriftEntries,
-		...envDefaultEntries,
-		...untrackedEntries
-	];
-	const tracked_and_present = entries.filter((e) => e.status === "tracked").length;
-	const missing_from_env = entries.filter((e) => e.status === "missing_from_env").length;
-	const untracked_credentials = entries.filter((e) => e.status === "untracked").length;
-	return {
-		entries: List(entries),
-		tracked_and_present,
-		missing_from_env,
-		untracked_credentials,
-		is_clean: missing_from_env === 0 && untracked_credentials === 0
-	};
-};
-const todayIso$1 = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-/** Generate TOML [secret.*] blocks from scan results, mirroring init.ts pattern */
-const generateTomlFromScan = (matches) => {
-	return matches.map((match) => {
-		const svc = match.service.fold(() => match.envVar.toLowerCase().replace(/_/g, "-"), (s) => s);
-		return `[secret.${match.envVar}]
-service = "${svc}"
-# purpose = ""               # Why: what this secret enables
-# capabilities = []          # What operations this grants
-created = "${todayIso$1()}"
-# expires = ""               # When: YYYY-MM-DD expiration date
-# rotation_url = ""          # URL for rotation procedure
-# source = ""                # Where the value originates (e.g. vault, ci)
-# tags = {}
-`;
-	}).join("\n");
-};
-//#endregion
-//#region src/core/toml-edit.ts
-const SECTION_RE = /^\[.+\]\s*$/;
-const MULTILINE_OPEN = "\"\"\"";
-const scanSectionBoundary = (state, line, i) => {
-	if (state.done) return state;
-	if (state.inMultiline) return line.includes(MULTILINE_OPEN) ? {
-		...state,
-		inMultiline: false
-	} : state;
-	if (line.includes(MULTILINE_OPEN)) return (line.slice(line.indexOf("=") + 1).trim().match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1 ? {
-		...state,
-		inMultiline: true
-	} : state;
-	return SECTION_RE.test(line) ? {
-		...state,
-		end: i,
-		done: true
-	} : state;
-};
-/**
-* Find the line range [start, end) of a TOML section by its header string.
-* The range includes the header line through to (but not including) the next section header or EOF.
-* Handles multiline `"""..."""` values when scanning for section boundaries.
-*/
-const findSectionRange = (lines, sectionHeader) => {
-	const start = lines.findIndex((l) => l.trim() === sectionHeader);
-	if (start === -1) return void 0;
-	const initial = {
-		end: lines.length,
-		inMultiline: false,
-		done: false
-	};
-	return {
-		start,
-		end: List(lines.slice(start + 1)).zipWithIndex().foldLeft(initial)((state, entry) => scanSectionBoundary(state, entry[0], start + 1 + entry[1])).end
-	};
-};
-/** Check whether a section header exists in the raw TOML */
-const sectionExists = (lines, sectionHeader) => lines.some((l) => l.trim() === sectionHeader);
-/**
-* Remove a TOML section (e.g. `[secret.X]`) and all its fields through the next section or EOF.
-* Strips trailing blank lines left behind.
-*/
-const removeSection = (raw, sectionHeader) => {
-	const lines = raw.split("\n");
-	const range = findSectionRange(lines, sectionHeader);
-	if (!range) return Either.left({
-		_tag: "SectionNotFound",
-		section: sectionHeader
-	});
-	const after = lines.slice(range.end);
-	const beforeAll = lines.slice(0, range.start);
-	const lastNonBlank = beforeAll.findLastIndex((l) => l.trim() !== "");
-	const result = [...lastNonBlank === -1 ? [] : beforeAll.slice(0, lastNonBlank + 1), ...after].join("\n");
-	return Either.right(result);
+		prefix: "xoxp-",
+		service: "slack",
+		description: "Slack user token"
+	},
+	{
+		prefix: "xoxa-",
+		service: "slack",
+		description: "Slack app token"
+	},
+	{
+		prefix: "xoxs-",
+		service: "slack",
+		description: "Slack legacy token"
+	},
+	{
+		prefix: "SG.",
+		service: "sendgrid",
+		description: "SendGrid API key"
+	},
+	{
+		prefix: "hf_",
+		service: "huggingface",
+		description: "Hugging Face token"
+	},
+	{
+		prefix: "r8_",
+		service: "replicate",
+		description: "Replicate API token"
+	},
+	{
+		prefix: "eyJ",
+		service: "jwt",
+		description: "JWT token"
+	},
+	{
+		prefix: "postgres://",
+		service: "postgresql",
+		description: "PostgreSQL connection string"
+	},
+	{
+		prefix: "postgresql://",
+		service: "postgresql",
+		description: "PostgreSQL connection string"
+	},
+	{
+		prefix: "mysql://",
+		service: "mysql",
+		description: "MySQL connection string"
+	},
+	{
+		prefix: "mongodb://",
+		service: "mongodb",
+		description: "MongoDB connection string"
+	},
+	{
+		prefix: "mongodb+srv://",
+		service: "mongodb",
+		description: "MongoDB SRV connection string"
+	},
+	{
+		prefix: "redis://",
+		service: "redis",
+		description: "Redis connection string"
+	},
+	{
+		prefix: "rediss://",
+		service: "redis",
+		description: "Redis TLS connection string"
+	},
+	{
+		prefix: "amqp://",
+		service: "rabbitmq",
+		description: "RabbitMQ connection string"
+	},
+	{
+		prefix: "amqps://",
+		service: "rabbitmq",
+		description: "RabbitMQ TLS connection string"
+	}
+];
+/** Detect service from value prefix/shape */
+const matchValueShape = (value) => {
+	return Option(VALUE_SHAPE_PATTERNS.find((vp) => value.startsWith(vp.prefix))).map((vp) => ({
+		service: vp.service,
+		description: vp.description
+	}));
 };
-/**
-* Rename a TOML section header (e.g. `[secret.OLD]` → `[secret.NEW]`).
-* Errors if old doesn't exist or new already exists.
-*/
-const renameSection = (raw, oldHeader, newHeader) => {
-	const lines = raw.split("\n");
-	if (!sectionExists(lines, oldHeader)) return Either.left({
-		_tag: "SectionNotFound",
-		section: oldHeader
-	});
-	if (sectionExists(lines, newHeader)) return Either.left({
-		_tag: "SectionAlreadyExists",
-		section: newHeader
-	});
-	const result = lines.map((line) => line.trim() === oldHeader ? newHeader : line).join("\n");
-	return Either.right(result);
+/** Strip common suffixes and derive a service name from an env var name */
+const deriveServiceFromName = (name) => {
+	const matchedSuffix = [
+		"_API_KEY",
+		"_SECRET_KEY",
+		"_ACCESS_KEY",
+		"_PRIVATE_KEY",
+		"_SIGNING_KEY",
+		"_AUTH_TOKEN",
+		"_ACCESS_TOKEN",
+		"_WEBHOOK_SECRET",
+		"_CONNECTION_STRING",
+		"_SECRET",
+		"_TOKEN",
+		"_PASSWORD",
+		"_PASS",
+		"_KEY",
+		"_DSN",
+		"_URL",
+		"_URI"
+	].find((s) => name.endsWith(s));
+	return (matchedSuffix ? name.slice(0, -matchedSuffix.length) : name).toLowerCase().replace(/_/g, "-");
 };
-/**
-* Update, add, or remove fields within an existing TOML section.
-* - A string value replaces or adds the field
-* - A null value removes the field
-* Does NOT re-serialize — operates on raw text lines.
-*/
-const updateSectionFields = (raw, sectionHeader, updates) => {
-	const lines = raw.split("\n");
-	const range = findSectionRange(lines, sectionHeader);
-	if (!range) return Either.left({
-		_tag: "SectionNotFound",
-		section: sectionHeader
+/** Match a single env var against all patterns */
+const matchEnvVar = (name, value) => {
+	if (EXCLUDED_VARS.has(name)) return Option(void 0);
+	const exactMatch = EXACT_NAME_PATTERNS.find((p) => name === p.pattern);
+	if (exactMatch) return Option({
+		envVar: name,
+		value,
+		service: Option(exactMatch.service),
+		confidence: exactMatch.confidence,
+		matchedBy: `exact:${exactMatch.pattern}`
 	});
-	const before = lines.slice(0, range.start + 1);
-	const after = lines.slice(range.end);
-	const sectionBody = lines.slice(range.start + 1, range.end);
-	const findClosingMultiline = (fromIdx) => {
-		const idx = sectionBody.findIndex((l, j) => j > fromIdx && l.includes(MULTILINE_OPEN));
-		return idx === -1 ? sectionBody.length : idx;
-	};
-	const initial = {
-		remaining: [],
-		updatedKeys: Set$1.empty(),
-		skipUntil: -1
-	};
-	const step = (state, line, i) => {
-		if (i <= state.skipUntil) return state;
-		const eqIdx = line.indexOf("=");
-		const isFieldLine = eqIdx > 0 && !line.trimStart().startsWith("#") && !line.trimStart().startsWith("[");
-		const key = isFieldLine ? line.slice(0, eqIdx).trim() : "";
-		if (isFieldLine && key in updates) {
-			const afterEquals = line.slice(eqIdx + 1).trim();
-			const skipUntil = afterEquals.includes(MULTILINE_OPEN) && (afterEquals.match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1 ? findClosingMultiline(i) : state.skipUntil;
-			const updatedKeys = state.updatedKeys.add(key);
-			const value = updates[key];
-			if (value === null) return {
-				...state,
-				updatedKeys,
-				skipUntil
-			};
-			return {
-				remaining: [...state.remaining, `${key} = ${value}`],
-				updatedKeys,
-				skipUntil
-			};
-		}
-		return {
-			...state,
-			remaining: [...state.remaining, line]
-		};
-	};
-	const final = List(sectionBody).zipWithIndex().foldLeft(initial)((state, entry) => step(state, entry[0], entry[1]));
-	const newFields = Object.entries(updates).filter(([key, value]) => value !== null && !final.updatedKeys.has(key)).map(([key, value]) => `${key} = ${value}`);
-	const result = [
-		...before,
-		...final.remaining,
-		...newFields,
-		...after
-	].join("\n");
-	return Either.right(result);
-};
-/**
-* Append a new TOML section block to the end of the file.
-* Ensures proper spacing (double newline before the block).
-*/
-const appendSection = (raw, block) => `${raw.trimEnd()}\n\n${block}`;
-const ENV_HEADER_RE = /^\[env\.(.+)\]\s*$/;
-const SECRET_HEADER_RE = /^\[secret\.(.+)\]\s*$/;
-const ANY_HEADER_RE = /^\[.+\]\s*$/;
-/**
-* Find the end (exclusive) of a section starting at `start`, respecting
-* multiline `"""..."""` values so the scanner does not mistake content inside
-* a multiline string for a section header.
-*/
-const findSectionEnd = (lines, start) => {
-	const initial = {
-		end: lines.length,
-		inMultiline: false,
-		done: false
-	};
-	return List(lines.slice(start + 1)).zipWithIndex().foldLeft(initial)((state, entry) => scanSectionBoundary(state, entry[0], start + 1 + entry[1])).end;
-};
-/**
-* Walking backwards from `headerIdx`, return the index of the first line of the
-* "doc block" that should travel with this section. A doc block is a contiguous
-* run of `#`-comment lines *immediately* above the header (no blank line
-* between). A blank line acts as a paragraph break and stops the walk — so
-* `# Some heading\n\n[secret.X]` does NOT attach the heading to `[secret.X]`.
-*/
-const findPreambleStart = (lines, headerIdx) => {
-	const stopOffset = [...lines.slice(0, headerIdx)].reverse().findIndex((l) => !l.trim().startsWith("#"));
-	return stopOffset === -1 ? 0 : headerIdx - stopOffset;
+	return matchValueShape(value).fold(() => {
+		return Option(SUFFIX_PATTERNS.find((sp) => name.endsWith(sp.suffix))).map((sp) => ({
+			envVar: name,
+			value,
+			service: Option(deriveServiceFromName(name)),
+			confidence: "medium",
+			matchedBy: `suffix:${sp.suffix}`
+		}));
+	}, (vm) => Option({
+		envVar: name,
+		value,
+		service: Option(vm.service),
+		confidence: "high",
+		matchedBy: `value:${vm.description}`
+	}));
 };
-const classifyHeader = (line, idx) => {
-	if (!ANY_HEADER_RE.test(line)) return Option.none();
-	const envMatch = line.match(ENV_HEADER_RE);
-	if (envMatch) return Option({
-		idx,
-		kind: "env",
-		key: envMatch[1]
-	});
-	const secretMatch = line.match(SECRET_HEADER_RE);
-	if (secretMatch) return Option({
-		idx,
-		kind: "secret",
-		key: secretMatch[1]
+/** Scan full env, sorted by confidence (high first) then alphabetically */
+const scanEnv = (env) => {
+	const results = Object.entries(env).flatMap(([name, value]) => {
+		if (value === void 0 || value === "") return [];
+		return matchEnvVar(name, value).fold(() => [], (m) => [m]);
 	});
-	return Option({
-		idx,
-		kind: "other",
-		key: ""
+	const confidenceOrder = {
+		high: 0,
+		medium: 1,
+		low: 2
+	};
+	results.sort((a, b) => {
+		const conf = confidenceOrder[a.confidence] - confidenceOrder[b.confidence];
+		if (conf !== 0) return conf;
+		return a.envVar.localeCompare(b.envVar);
 	});
+	return results;
 };
-const scanHeader = (state, line, idx) => {
-	if (state.inMultiline) return line.includes(MULTILINE_OPEN) ? {
-		...state,
-		inMultiline: false
-	} : state;
-	if (line.includes(MULTILINE_OPEN)) return (line.slice(line.indexOf("=") + 1).trim().match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1 ? {
-		...state,
-		inMultiline: true
-	} : state;
-	return classifyHeader(line, idx).fold(() => state, (header) => ({
-		...state,
-		headers: [...state.headers, header]
-	}));
+//#endregion
+//#region src/core/env.ts
+/** Scan env for credentials, returning structured results */
+const envScan = (env, options) => {
+	const allMatches = scanEnv(env);
+	const discovered = options?.includeUnknown ? allMatches : allMatches.filter((m) => m.service.isSome());
+	const total_scanned = Object.keys(env).length;
+	const high_confidence = discovered.filter((m) => m.confidence === "high").length;
+	const medium_confidence = discovered.filter((m) => m.confidence === "medium").length;
+	const low_confidence = discovered.filter((m) => m.confidence === "low").length;
+	return {
+		discovered: List(discovered),
+		total_scanned,
+		high_confidence,
+		medium_confidence,
+		low_confidence
+	};
 };
-const partitionSections = (raw) => {
-	const lines = raw.split("\n");
-	const { headers } = List(lines).zipWithIndex().foldLeft({
-		headers: [],
-		inMultiline: false
-	})((state, entry) => scanHeader(state, entry[0], entry[1]));
-	const envSecretHeaders = headers.filter((h) => h.kind === "env" || h.kind === "secret");
-	const trueBodyRange = (headerIdx) => {
-		const naiveEnd = findSectionEnd(lines, headerIdx);
-		const lastContent = lines.slice(headerIdx, naiveEnd).findLastIndex((l) => {
-			const t = l.trim();
-			return t !== "" && !t.startsWith("#");
-		});
-		return {
-			start: headerIdx,
-			end: lastContent === -1 ? headerIdx + 1 : headerIdx + lastContent + 1
-		};
+const parseAliasRef = (raw, expectedKind) => {
+	const match = raw.match(/^(secret|env)\.(.+)$/);
+	if (match?.[1] !== expectedKind) return Option(void 0);
+	return Option(match[2]);
+};
+/** Bidirectional drift detection between config and live environment */
+const envCheck = (config, env) => {
+	const secretEntries = config.secret ?? {};
+	const metaKeys = Object.keys(secretEntries);
+	const metaKeysSet = Set$1(metaKeys);
+	const namer = makeEnvNamer(config);
+	const envDefaultsForWire = config.env ?? {};
+	const secretWire = (key) => namer(key, secretEntries[key]?.namespace);
+	const envWire = (key) => namer(key, envDefaultsForWire[key]?.namespace);
+	const isPresentAt = (wire) => env[wire] !== void 0 && env[wire] !== "";
+	const isSecretPresent = (key) => {
+		if (isPresentAt(secretWire(key))) return true;
+		const meta = secretEntries[key];
+		if (meta?.from_key === void 0) return false;
+		return parseAliasRef(meta.from_key, "secret").fold(() => false, (targetKey) => isPresentAt(secretWire(targetKey)));
 	};
-	const sections = envSecretHeaders.map((h) => {
-		const headerIdx = h.idx;
-		const preambleStart = findPreambleStart(lines, headerIdx);
-		const body = lines.slice(headerIdx, trueBodyRange(headerIdx).end);
-		const preamble = lines.slice(preambleStart, headerIdx);
+	const secretDriftEntries = Object.entries(secretEntries).map(([key, meta]) => {
+		const present = isSecretPresent(key);
 		return {
-			kind: h.kind,
-			key: h.key,
-			body,
-			preamble
+			envVar: key,
+			service: Option(meta.service),
+			status: present ? "tracked" : "missing_from_env",
+			confidence: Option(void 0)
 		};
 	});
-	const claimedRanges = envSecretHeaders.map((h) => {
-		const headerIdx = h.idx;
+	const envDefaults = config.env ?? {};
+	const isEnvPresent = (key) => {
+		if (isPresentAt(envWire(key))) return true;
+		const meta = envDefaults[key];
+		if (meta?.from_key === void 0) return false;
+		return parseAliasRef(meta.from_key, "env").fold(() => false, (targetKey) => isPresentAt(envWire(targetKey)));
+	};
+	const envDefaultEntries = Object.keys(envDefaults).filter((key) => !metaKeysSet.has(key)).map((key) => {
+		const present = isEnvPresent(key);
 		return {
-			start: findPreambleStart(lines, headerIdx),
-			end: trueBodyRange(headerIdx).end
+			envVar: key,
+			service: Option(void 0),
+			status: present ? "tracked" : "missing_from_env",
+			confidence: Option(void 0)
 		};
 	});
-	const isClaimed = (idx) => claimedRanges.some((r) => idx >= r.start && idx < r.end);
+	const trackedKeys = Set$1([...metaKeys.map(secretWire), ...envDefaultEntries.map((e) => envWire(e.envVar))]);
+	const untrackedEntries = scanEnv(env).filter((match) => !trackedKeys.has(match.envVar)).map((match) => ({
+		envVar: match.envVar,
+		service: match.service,
+		status: "untracked",
+		confidence: Option(match.confidence)
+	}));
+	const entries = [
+		...secretDriftEntries,
+		...envDefaultEntries,
+		...untrackedEntries
+	];
+	const tracked_and_present = entries.filter((e) => e.status === "tracked").length;
+	const missing_from_env = entries.filter((e) => e.status === "missing_from_env").length;
+	const untracked_credentials = entries.filter((e) => e.status === "untracked").length;
 	return {
-		preambleLines: lines.map((l, idx) => isClaimed(idx) ? null : l).filter((l) => l !== null),
-		envSections: sections.filter((s) => s.kind === "env"),
-		secretSections: sections.filter((s) => s.kind === "secret")
-	};
-};
-const emitSection = (s) => {
-	return `${s.preamble.length > 0 ? `${s.preamble.join("\n")}\n` : ""}${s.body.join("\n")}`;
-};
-/**
-* Reformat a TOML config with `[env.*]` and `[secret.*]` sections grouped and
-* alphabetized. Top-level content (version key, `[identity]`, `[lifecycle]`,
-* `[callbacks]`, `[tools]`, etc.) stays in its original position. Comment
-* doc-blocks immediately above a section header travel with that section.
-*
-* Pure — no I/O. Returns the raw input unchanged when there is no env or
-* secret content to reorder.
-*/
-const sortConfigToml = (raw) => {
-	const { preambleLines, envSections, secretSections } = partitionSections(raw);
-	if (envSections.length === 0 && secretSections.length === 0) return raw;
-	const sortedEnv = [...envSections].sort((a, b) => a.key.localeCompare(b.key));
-	const sortedSecret = [...secretSections].sort((a, b) => a.key.localeCompare(b.key));
-	const trimTrailing = (xs) => {
-		const lastNonBlank = xs.findLastIndex((l) => l.trim() !== "");
-		return lastNonBlank === -1 ? [] : xs.slice(0, lastNonBlank + 1);
+		entries: List(entries),
+		tracked_and_present,
+		missing_from_env,
+		untracked_credentials,
+		is_clean: missing_from_env === 0 && untracked_credentials === 0
 	};
-	const collapseBlanks = (xs) => xs.reduce((acc, line) => {
-		const isBlank = line.trim() === "";
-		const prevBlank = acc.length > 0 && acc[acc.length - 1].trim() === "";
-		if (isBlank && prevBlank) return acc;
-		return [...acc, line];
-	}, []);
-	const preambleTrimmed = collapseBlanks(trimTrailing(preambleLines));
-	const parts = [];
-	if (preambleTrimmed.length > 0) parts.push(preambleTrimmed.join("\n"));
-	if (sortedEnv.length > 0) parts.push(sortedEnv.map(emitSection).join("\n\n"));
-	if (sortedSecret.length > 0) parts.push(sortedSecret.map(emitSection).join("\n\n"));
-	return `${parts.join("\n\n")}\n`;
-};
-//#endregion
-//#region src/core/validate.ts
-/**
-* Validate a raw TOML string as a complete envpkt config: parse → schema → aliases.
-*
-* Used by write-path CLI commands to verify the post-edit file would still be
-* structurally valid before persisting. Catalog resolution is intentionally
-* excluded — catalog issues depend on external files, not on the local edit,
-* and `envpkt validate` covers them as a separate explicit check.
-*/
-const validateRawConfig = (raw) => parseToml(raw).flatMap(validateConfig).flatMap((config) => validateAliases(config).map(() => config));
-/** Human-readable one-liner for any ValidationError tag. */
-const formatValidationError = (err) => {
-	switch (err._tag) {
-		case "FileNotFound": return `Config file not found: ${err.path}`;
-		case "ParseError": return `TOML parse error: ${err.message}`;
-		case "ValidationError": return `Schema validation failed: ${err.errors.toArray().join("; ")}`;
-		case "ReadError": return `Read error: ${err.message}`;
-		case "AliasInvalidSyntax":
-		case "AliasTargetMissing":
-		case "AliasSelfReference":
-		case "AliasChained":
-		case "AliasCrossType":
-		case "AliasValueConflict": return formatAliasError(err);
-	}
-};
-//#endregion
-//#region src/cli/write-gate.ts
-/**
-* Run structural validation against an in-memory TOML string.
-* On failure, prints the error, leaves the file untouched, and exits with code 1.
-* On success, returns — caller is responsible for writing.
-*
-* Use this when the write step has bespoke logic (e.g. wraps writeFileSync in Try,
-* has multi-line post-write output). Otherwise prefer `writeIfValid`.
-*/
-const validateOrExit = (updated) => {
-	validateRawConfig(updated).fold((err) => {
-		console.error(`${RED}Error:${RESET} Aborted — change would produce an invalid config:`);
-		console.error(`  ${formatValidationError(err)}`);
-		console.error(`${DIM}File unchanged.${RESET}`);
-		process.exit(1);
-	}, () => {});
-};
-/**
-* Validate then persist. Most mutating CLI commands use this — it bundles the
-* validate-or-exit gate with the writeFileSync + success log so each call site
-* stays two lines instead of five.
-*/
-const writeIfValid = (configPath, updated, successMsg) => {
-	validateOrExit(updated);
-	writeFileSync(configPath, updated, "utf-8");
-	console.log(successMsg);
 };
-/**
-* Validate then preview (no write) — the `--dry-run` counterpart of `writeIfValid`.
-* Runs the same structural validation the real write would, so a dry-run can never
-* show a result that the actual write would reject. On invalid output it prints the
-* same error and exits 1, exactly as the write path does.
-*
-* `display` lets callers preview a focused slice (e.g. just the new block for `add`)
-* while still validating the full resulting config.
-*/
-const previewIfValid = (updated, display) => {
-	validateOrExit(updated);
-	console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
-	console.log(display ?? updated);
+const todayIso$1 = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+/** Generate TOML [secret.*] blocks from scan results, mirroring init.ts pattern */
+const generateTomlFromScan = (matches) => {
+	return matches.map((match) => {
+		const svc = match.service.fold(() => match.envVar.toLowerCase().replace(/_/g, "-"), (s) => s);
+		return `[secret.${match.envVar}]
+service = "${svc}"
+# purpose = ""               # Why: what this secret enables
+# capabilities = []          # What operations this grants
+created = "${todayIso$1()}"
+# expires = ""               # When: YYYY-MM-DD expiration date
+# rotation_url = ""          # URL for rotation procedure
+# source = ""                # Where the value originates (e.g. vault, ci)
+# tags = {}
+`;
+	}).join("\n");
 };
 //#endregion
 //#region src/cli/commands/env.ts
@@ -5230,6 +5383,9 @@ program.command("sort").description("Group [env.*] and [secret.*] sections and a
 program.command("upgrade").description("Upgrade envpkt to the latest version (npm install -g envpkt@latest)").action(() => {
 	runUpgrade();
 });
+program.command("copy").description("Copy a secret or env entry from one config to another (auto unseal → reseal for secrets)").argument("<key>", "The secret or env key to copy").option("--from <path>", "Source config path (default: resolved config for this directory)").option("--to <path>", "Destination config path (default: resolved config for this directory)").option("--as <newKey>", "Copy under a different key name in the destination").option("--force", "Overwrite the entry if it already exists in the destination").option("--dry-run", "Preview the change without writing").action((key, options) => {
+	runCopy(key, options);
+});
 program.command("diff").description("Compare two envpkt.toml configs by their secret/env entries (keys + metadata)").argument("<a>", "First config path").argument("<b>", "Second config path").option("--format <format>", "Output format: text | json", "text").option("--exit-code", "Exit non-zero when the configs differ (for CI drift gates)").action((a, b, options) => {
 	runDiff(a, b, options);
 });