envpkt 0.2.0 → 0.4.1

package/dist/cli.js

@@ -1,8 +1,10 @@
 #!/usr/bin/env node
+import { createRequire } from "node:module";
 import { Command } from "commander";
 import { dirname, join, resolve } from "node:path";
 import { Cond, Left, List, Option, Right, Try } from "functype";
 import { existsSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
 import { TypeCompiler } from "@sinclair/typebox/compiler";
 import { TomlDate, parse, stringify } from "smol-toml";
 import { FormatRegistry, Type } from "@sinclair/typebox";
@@ -17,7 +19,7 @@ const MS_PER_DAY = 864e5;
 const WARN_BEFORE_DAYS = 30;
 const daysBetween = (from, to) => Math.floor((to.getTime() - from.getTime()) / MS_PER_DAY);
 const parseDate = (dateStr) => {
-	const d = /* @__PURE__ */ new Date(dateStr + "T00:00:00Z");
+	const d = /* @__PURE__ */ new Date(`${dateStr}T00:00:00Z`);
 	return Number.isNaN(d.getTime()) ? Option(void 0) : Option(d);
 };
 const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration, requireService, today) => {
@@ -62,8 +64,9 @@ const computeAudit = (config, fnoxKeys, today) => {
 	const requireExpiration = lifecycle.require_expiration ?? false;
 	const requireService = lifecycle.require_service ?? false;
 	const keys = fnoxKeys ?? /* @__PURE__ */ new Set();
-	const metaKeys = new Set(Object.keys(config.meta));
-	const secrets = List(Object.entries(config.meta).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
+	const secretEntries = config.secret ?? {};
+	const metaKeys = new Set(Object.keys(secretEntries));
+	const secrets = List(Object.entries(secretEntries).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
 	const orphaned = keys.size > 0 ? [...metaKeys].filter((k) => !keys.has(k)).length : 0;
 	const total = secrets.size;
 	const expired = secrets.count((s) => s.status === "expired");
@@ -86,6 +89,28 @@ const computeAudit = (config, fnoxKeys, today) => {
 		agent: config.agent
 	};
 };
+const computeEnvAudit = (config, env = process.env) => {
+	const envEntries = config.env ?? {};
+	const entries = [];
+	for (const [key, entry] of Object.entries(envEntries)) {
+		const currentValue = env[key];
+		const status = Cond.of().when(currentValue === void 0, "missing").elseWhen(currentValue !== entry.value, "overridden").else("default");
+		entries.push({
+			key,
+			defaultValue: entry.value,
+			currentValue,
+			status,
+			purpose: entry.purpose
+		});
+	}
+	return {
+		entries,
+		total: entries.length,
+		defaults_applied: entries.filter((e) => e.status === "default").length,
+		overridden: entries.filter((e) => e.status === "overridden").length,
+		missing: entries.filter((e) => e.status === "missing").length
+	};
+};
 
 //#endregion
 //#region src/core/schema.ts
@@ -124,6 +149,7 @@ const SecretMetaSchema = Type.Object({
 		description: "URL or reference for secret rotation procedure"
 	})),
 	purpose: Type.Optional(Type.String({ description: "Why this secret exists and what it enables" })),
+	comment: Type.Optional(Type.String({ description: "Free-form annotation or note" })),
 	capabilities: Type.Optional(Type.Array(Type.String(), { description: "What operations this secret grants (e.g. read, write, admin)" })),
 	created: Type.Optional(Type.String({
 		format: "date",
@@ -157,6 +183,12 @@ const CallbackConfigSchema = Type.Object({
 	on_audit_fail: Type.Optional(Type.String({ description: "Command or webhook on audit failure" }))
 }, { description: "Automation callbacks for lifecycle events" });
 const ToolsConfigSchema = Type.Record(Type.String(), Type.Unknown(), { description: "Tool integration configuration — open namespace for third-party extensions" });
+const EnvMetaSchema = Type.Object({
+	value: Type.String({ description: "Default value for this environment variable" }),
+	purpose: Type.Optional(Type.String({ description: "Why this env var exists" })),
+	comment: Type.Optional(Type.String({ description: "Free-form annotation or note" })),
+	tags: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "Key-value tags for grouping and filtering" }))
+}, { description: "Metadata for a plaintext environment default (non-secret)" });
 const EnvpktConfigSchema = Type.Object({
 	version: Type.Number({
 		description: "Schema version number",
@@ -164,7 +196,8 @@ const EnvpktConfigSchema = Type.Object({
 	}),
 	catalog: Type.Optional(Type.String({ description: "Path to shared secret catalog (relative to this config file)" })),
 	agent: Type.Optional(AgentIdentitySchema),
-	meta: Type.Record(Type.String(), SecretMetaSchema, { description: "Per-secret metadata keyed by secret name" }),
+	secret: Type.Optional(Type.Record(Type.String(), SecretMetaSchema, { description: "Per-secret metadata keyed by secret name" })),
+	env: Type.Optional(Type.Record(Type.String(), EnvMetaSchema, { description: "Plaintext environment defaults keyed by variable name" })),
 	lifecycle: Type.Optional(LifecycleConfigSchema),
 	callbacks: Type.Optional(CallbackConfigSchema),
 	tools: Type.Optional(ToolsConfigSchema)
@@ -186,10 +219,69 @@ const normalizeDates = (obj) => {
 	if (obj !== null && typeof obj === "object") return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k, normalizeDates(v)]));
 	return obj;
 };
-/** Find envpkt.toml in the given directory */
-const findConfigPath = (dir) => {
-	const candidate = join(dir, CONFIG_FILENAME$2);
-	return existsSync(candidate) ? Option(candidate) : Option(void 0);
+/** Expand ~ and $ENV_VAR / ${ENV_VAR} in a path string */
+const expandPath = (p) => {
+	return (p.startsWith("~/") || p === "~" ? join(homedir(), p.slice(1)) : p).replace(/\$\{(\w+)\}|\$(\w+)/g, (_, braced, bare) => {
+		const name = braced ?? bare ?? "";
+		return process.env[name] ?? "";
+	});
+};
+/**
+* Expand a path template that may contain a single `*` glob segment.
+* Returns all matching paths (or empty array if parent doesn't exist).
+* Non-glob paths return a single-element array if they exist.
+*/
+const expandGlobPath = (expanded) => {
+	if (!expanded.includes("*")) return existsSync(expanded) ? [expanded] : [];
+	const segments = expanded.split("/");
+	const globIdx = segments.findIndex((s) => s.includes("*"));
+	if (globIdx < 0) return [];
+	const parentDir = segments.slice(0, globIdx).join("/");
+	const globSegment = segments[globIdx];
+	const suffix = segments.slice(globIdx + 1).join("/");
+	if (!existsSync(parentDir)) return [];
+	const prefix = globSegment.replace(/\*.*$/, "");
+	return readdirSync(parentDir).filter((entry) => entry.startsWith(prefix)).map((entry) => join(parentDir, entry, suffix)).filter((p) => existsSync(p));
+};
+/** Ordered candidate paths for config discovery beyond CWD */
+const CONFIG_SEARCH_PATHS = [
+	"~/.envpkt/envpkt.toml",
+	"~/OneDrive/.envpkt/envpkt.toml",
+	"~/Library/CloudStorage/OneDrive-Personal/.envpkt/envpkt.toml",
+	"~/Library/CloudStorage/OneDrive-SharedLibraries-*/.envpkt/envpkt.toml",
+	"$WINHOME/OneDrive/.envpkt/envpkt.toml",
+	"$USERPROFILE/OneDrive/.envpkt/envpkt.toml",
+	"$OneDrive/.envpkt/envpkt.toml",
+	"$OneDriveConsumer/.envpkt/envpkt.toml",
+	"$OneDriveCommercial/.envpkt/envpkt.toml",
+	"/mnt/c/Users/$USER/OneDrive/.envpkt/envpkt.toml",
+	"~/Library/Mobile Documents/com~apple~CloudDocs/.envpkt/envpkt.toml",
+	"~/Dropbox/.envpkt/envpkt.toml",
+	"$DROPBOX_PATH/.envpkt/envpkt.toml",
+	"~/Google Drive/My Drive/.envpkt/envpkt.toml",
+	"~/Library/CloudStorage/GoogleDrive-*/.envpkt/envpkt.toml",
+	"$GOOGLE_DRIVE/.envpkt/envpkt.toml",
+	"$WINHOME/.envpkt/envpkt.toml",
+	"$USERPROFILE/.envpkt/envpkt.toml"
+];
+/** Discover config by checking CWD, then ENVPKT_SEARCH_PATH, then built-in candidate paths */
+const discoverConfig = (cwd) => {
+	const cwdCandidate = join(cwd ?? process.cwd(), CONFIG_FILENAME$2);
+	if (existsSync(cwdCandidate)) return Option({
+		path: cwdCandidate,
+		source: "cwd"
+	});
+	const customPaths = process.env.ENVPKT_SEARCH_PATH?.split(":").filter(Boolean) ?? [];
+	for (const template of [...customPaths, ...CONFIG_SEARCH_PATHS]) {
+		const expanded = expandPath(template);
+		if (!expanded || expanded.startsWith("/.envpkt")) continue;
+		const matches = expandGlobPath(expanded);
+		if (matches.length > 0) return Option({
+			path: matches[0],
+			source: "search"
+		});
+	}
+	return Option(void 0);
 };
 /** Read a config file, returning Either<ConfigError, string> */
 const readConfigFile = (path) => {
@@ -202,14 +294,13 @@ const readConfigFile = (path) => {
 		message: String(err)
 	}), (content) => Right(content));
 };
-/** Ensure required fields have defaults for valid configs (e.g. agent configs with catalog may omit meta) */
+/** Ensure required fields have defaults for valid configs (e.g. agent configs with catalog may omit secret) */
 const applyDefaults = (data) => {
 	if (data !== null && typeof data === "object" && !Array.isArray(data)) {
-		const obj = data;
-		if (!("meta" in obj)) return {
-			...obj,
-			meta: {}
-		};
+		const result = { ...data };
+		if (!("secret" in result)) result.secret = {};
+		if (!("env" in result)) result.env = {};
+		return result;
 	}
 	return data;
 };
@@ -232,12 +323,16 @@ const loadConfig = (path) => readConfigFile(path).flatMap(parseToml).flatMap(val
 * Resolve config path via priority chain:
 * 1. Explicit flag path
 * 2. ENVPKT_CONFIG env var
-* 3. CWD discovery
+* 3. CWD + discovery chain (home dir, cloud storage, custom search paths)
 */
 const resolveConfigPath = (flagPath, envVar, cwd) => {
 	if (flagPath) {
 		const resolved = resolve(flagPath);
-		return existsSync(resolved) ? Right(resolved) : Left({
+		const result = {
+			path: resolved,
+			source: "flag"
+		};
+		return existsSync(resolved) ? Right(result) : Left({
 			_tag: "FileNotFound",
 			path: resolved
 		});
@@ -245,16 +340,22 @@ const resolveConfigPath = (flagPath, envVar, cwd) => {
 	const envPath = envVar ?? process.env[ENV_VAR_CONFIG];
 	if (envPath) {
 		const resolved = resolve(envPath);
-		return existsSync(resolved) ? Right(resolved) : Left({
+		const result = {
+			path: resolved,
+			source: "env"
+		};
+		return existsSync(resolved) ? Right(result) : Left({
 			_tag: "FileNotFound",
 			path: resolved
 		});
 	}
-	const dir = cwd ?? process.cwd();
-	return findConfigPath(dir).fold(() => Left({
+	return discoverConfig(cwd).fold(() => Left({
 		_tag: "FileNotFound",
-		path: join(dir, CONFIG_FILENAME$2)
-	}), (path) => Right(path));
+		path: join(cwd ?? process.cwd(), CONFIG_FILENAME$2)
+	}), ({ path, source }) => Right({
+		path,
+		source
+	}));
 };
 
 //#endregion
@@ -303,13 +404,14 @@ const resolveConfig = (agentConfig, agentConfigDir) => {
 	});
 	const catalogPath = resolve(agentConfigDir, agentConfig.catalog);
 	const agentSecrets = agentConfig.agent.secrets;
-	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentConfig.meta, catalogConfig.meta, agentSecrets, catalogPath).map((resolvedMeta) => {
+	const agentSecretEntries = agentConfig.secret ?? {};
+	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentSecretEntries, catalogConfig.secret ?? {}, agentSecrets, catalogPath).map((resolvedMeta) => {
 		const merged = [];
 		const overridden = [];
 		const warnings = [];
 		for (const key of agentSecrets) {
 			merged.push(key);
-			if (agentConfig.meta[key]) overridden.push(key);
+			if (agentSecretEntries[key]) overridden.push(key);
 		}
 		const { catalog: _catalog, ...agentWithoutCatalog } = agentConfig;
 		const agentIdentity = agentConfig.agent ? (() => {
@@ -323,7 +425,7 @@ const resolveConfig = (agentConfig, agentConfigDir) => {
 					...agentIdentity,
 					name: agentIdentity.name
 				} : void 0,
-				meta: resolvedMeta
+				secret: resolvedMeta
 			},
 			catalogPath,
 			merged,
@@ -531,6 +633,10 @@ const formatAuditMinimal = (audit) => {
 	if (audit.missing > 0) parts.push(`${audit.missing} missing`);
 	return `${audit.status === "critical" ? `${RED}✗${RESET}` : `${YELLOW}⚠${RESET}`} ${parts.join(", ")}`;
 };
+const formatConfigSource = (path, source) => {
+	if (source === "cwd") return "";
+	return `${DIM}envpkt: loaded ${path}${RESET}`;
+};
 
 //#endregion
 //#region src/cli/commands/audit.ts
@@ -538,7 +644,9 @@ const runAudit = (options) => {
 	resolveConfigPath(options.config).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
-	}, (path) => {
+	}, ({ path, source }) => {
+		const sourceMsg = formatConfigSource(path, source);
+		if (sourceMsg) console.error(sourceMsg);
 		loadConfig(path).fold((err) => {
 			console.error(formatError(err));
 			process.exit(2);
@@ -553,32 +661,373 @@ const runAudit = (options) => {
 		});
 	});
 };
+const formatEnvAuditTable = (config) => {
+	const envAudit = computeEnvAudit(config);
+	if (envAudit.total === 0) {
+		console.log(`${DIM}No [env.*] entries configured.${RESET}`);
+		return;
+	}
+	console.log(`\n${BOLD}Environment Defaults${RESET} (${envAudit.total} entries)`);
+	for (const entry of envAudit.entries) {
+		const statusIcon = entry.status === "default" ? `${GREEN}=${RESET}` : entry.status === "overridden" ? `${YELLOW}~${RESET}` : `${RED}!${RESET}`;
+		const statusLabel = entry.status === "default" ? `${DIM}using default${RESET}` : entry.status === "overridden" ? `${YELLOW}overridden${RESET} (${entry.currentValue})` : `${RED}not set${RESET}`;
+		console.log(`  ${statusIcon} ${BOLD}${entry.key}${RESET} = "${entry.defaultValue}" ${statusLabel}`);
+	}
+};
+const formatEnvAuditJson = (config) => {
+	const envAudit = computeEnvAudit(config);
+	return JSON.stringify(envAudit, null, 2);
+};
 const runAuditOnConfig = (config, options) => {
+	if (options.envOnly) {
+		if (options.format === "json") console.log(formatEnvAuditJson(config));
+		else formatEnvAuditTable(config);
+		process.exit(0);
+		return;
+	}
 	const audit = computeAudit(config);
-	let filtered = audit;
-	if (options.status) {
-		const statusFilter = options.status;
-		const filteredSecrets = audit.secrets.filter((s) => s.status === statusFilter);
-		filtered = {
+	const afterSealed = options.sealed ? (() => {
+		const secretEntries = config.secret ?? {};
+		return {
 			...audit,
-			secrets: filteredSecrets
+			secrets: audit.secrets.filter((s) => !!secretEntries[s.key]?.encrypted_value)
 		};
-	}
-	if (options.expiring !== void 0) {
-		const days = options.expiring;
-		const filteredSecrets = filtered.secrets.filter((s) => s.days_remaining.fold(() => false, (d) => d >= 0 && d <= days));
-		filtered = {
-			...filtered,
-			secrets: filteredSecrets
+	})() : audit;
+	const afterExternal = options.external ? (() => {
+		const secretEntries = config.secret ?? {};
+		return {
+			...afterSealed,
+			secrets: afterSealed.secrets.filter((s) => !secretEntries[s.key]?.encrypted_value)
 		};
-	}
+	})() : afterSealed;
+	const afterStatus = options.status ? {
+		...afterExternal,
+		secrets: afterExternal.secrets.filter((s) => s.status === options.status)
+	} : afterExternal;
+	const filtered = options.expiring !== void 0 ? {
+		...afterStatus,
+		secrets: afterStatus.secrets.filter((s) => s.days_remaining.fold(() => false, (d) => d >= 0 && d <= options.expiring))
+	} : afterStatus;
 	if (options.format === "json") console.log(formatAuditJson(filtered));
 	else if (options.format === "minimal") console.log(formatAuditMinimal(filtered));
 	else console.log(formatAudit(filtered));
+	if (options.all) if (options.format === "json") console.log(formatEnvAuditJson(config));
+	else formatEnvAuditTable(config);
 	const code = options.strict ? exitCodeForAudit(audit) : audit.status === "critical" ? 2 : 0;
 	process.exit(code);
 };
 
+//#endregion
+//#region src/fnox/cli.ts
+/** Export all secrets from fnox as key=value pairs for a given profile */
+const fnoxExport = (profile, agentKey) => {
+	const args = profile ? [
+		"export",
+		"--profile",
+		profile
+	] : ["export"];
+	const env = agentKey ? {
+		...process.env,
+		FNOX_AGE_KEY: agentKey
+	} : void 0;
+	return Try(() => execFileSync("fnox", args, {
+		stdio: "pipe",
+		encoding: "utf-8",
+		env
+	})).fold((err) => Left({
+		_tag: "FnoxCliError",
+		message: `fnox export failed: ${err}`
+	}), (output) => {
+		const entries = {};
+		for (const line of output.split("\n")) {
+			const eq = line.indexOf("=");
+			if (eq > 0) {
+				const key = line.slice(0, eq).trim();
+				entries[key] = line.slice(eq + 1).trim();
+			}
+		}
+		return Right(entries);
+	});
+};
+
+//#endregion
+//#region src/fnox/detect.ts
+const FNOX_CONFIG = "fnox.toml";
+/** Detect fnox.toml in the given directory */
+const detectFnox = (dir) => {
+	const candidate = join(dir, FNOX_CONFIG);
+	return existsSync(candidate) ? Option(candidate) : Option(void 0);
+};
+/** Check if fnox CLI is available on PATH */
+const fnoxAvailable = () => Try(() => {
+	execFileSync("fnox", ["--version"], { stdio: "pipe" });
+	return true;
+}).fold(() => false, (v) => v);
+
+//#endregion
+//#region src/fnox/identity.ts
+/** Check if the age CLI is available on PATH */
+const ageAvailable = () => Try(() => {
+	execFileSync("age", ["--version"], { stdio: "pipe" });
+	return true;
+}).fold(() => false, (v) => v);
+/** Unwrap an encrypted agent key using age --decrypt */
+const unwrapAgentKey = (identityPath) => {
+	if (!existsSync(identityPath)) return Left({
+		_tag: "IdentityNotFound",
+		path: identityPath
+	});
+	if (!ageAvailable()) return Left({
+		_tag: "AgeNotFound",
+		message: "age CLI not found on PATH"
+	});
+	return Try(() => execFileSync("age", ["--decrypt", identityPath], {
+		stdio: [
+			"pipe",
+			"pipe",
+			"pipe"
+		],
+		encoding: "utf-8"
+	})).fold((err) => Left({
+		_tag: "DecryptFailed",
+		message: `age decrypt failed: ${err}`
+	}), (output) => Right(output.trim()));
+};
+
+//#endregion
+//#region src/fnox/parse.ts
+/** Read and parse fnox.toml, extracting secret keys and profiles */
+const readFnoxConfig = (path) => Try(() => readFileSync(path, "utf-8")).fold((err) => Left({
+	_tag: "FnoxParseError",
+	message: `Failed to read ${path}: ${err}`
+}), (content) => Try(() => parse(content)).fold((err) => Left({
+	_tag: "FnoxParseError",
+	message: `Failed to parse fnox.toml: ${err}`
+}), (data) => {
+	const profiles = data["profiles"] && typeof data["profiles"] === "object" ? Option(data["profiles"]) : Option(void 0);
+	const secrets = { ...data };
+	delete secrets["profiles"];
+	return Right({
+		secrets,
+		profiles
+	});
+}));
+/** Extract the set of secret key names from a parsed fnox config */
+const extractFnoxKeys = (config) => new Set(Object.keys(config.secrets));
+
+//#endregion
+//#region src/core/seal.ts
+/** Encrypt a plaintext string using age with the given recipient public key (armored output) */
+const ageEncrypt = (plaintext, recipient) => {
+	if (!ageAvailable()) return Left({
+		_tag: "AgeNotFound",
+		message: "age CLI not found on PATH"
+	});
+	return Try(() => execFileSync("age", [
+		"--encrypt",
+		"--recipient",
+		recipient,
+		"--armor"
+	], {
+		input: plaintext,
+		stdio: [
+			"pipe",
+			"pipe",
+			"pipe"
+		],
+		encoding: "utf-8"
+	})).fold((err) => Left({
+		_tag: "EncryptFailed",
+		key: "",
+		message: `age encrypt failed: ${err}`
+	}), (output) => Right(output.trim()));
+};
+/** Decrypt an age-armored ciphertext using the given identity file */
+const ageDecrypt = (ciphertext, identityPath) => {
+	if (!ageAvailable()) return Left({
+		_tag: "AgeNotFound",
+		message: "age CLI not found on PATH"
+	});
+	return Try(() => execFileSync("age", [
+		"--decrypt",
+		"--identity",
+		identityPath
+	], {
+		input: ciphertext,
+		stdio: [
+			"pipe",
+			"pipe",
+			"pipe"
+		],
+		encoding: "utf-8"
+	})).fold((err) => Left({
+		_tag: "DecryptFailed",
+		key: "",
+		message: `age decrypt failed: ${err}`
+	}), (output) => Right(output.trim()));
+};
+/** Seal multiple secrets: encrypt each value with the recipient key and set encrypted_value on meta */
+const sealSecrets = (meta, values, recipient) => {
+	if (!ageAvailable()) return Left({
+		_tag: "AgeNotFound",
+		message: "age CLI not found on PATH"
+	});
+	const result = {};
+	for (const [key, secretMeta] of Object.entries(meta)) {
+		const plaintext = values[key];
+		if (plaintext === void 0) {
+			result[key] = secretMeta;
+			continue;
+		}
+		const outcome = ageEncrypt(plaintext, recipient).fold((err) => Left({
+			_tag: "EncryptFailed",
+			key,
+			message: err.message
+		}), (ciphertext) => Right(ciphertext));
+		const failed = outcome.fold((err) => err, () => void 0);
+		if (failed) return Left(failed);
+		const ciphertext = outcome.fold(() => "", (v) => v);
+		result[key] = {
+			...secretMeta,
+			encrypted_value: ciphertext
+		};
+	}
+	return Right(result);
+};
+/** Unseal secrets: decrypt encrypted_value for each meta entry that has one */
+const unsealSecrets = (meta, identityPath) => {
+	if (!ageAvailable()) return Left({
+		_tag: "AgeNotFound",
+		message: "age CLI not found on PATH"
+	});
+	const result = {};
+	for (const [key, secretMeta] of Object.entries(meta)) {
+		if (!secretMeta.encrypted_value) continue;
+		const outcome = ageDecrypt(secretMeta.encrypted_value, identityPath).fold((err) => Left({
+			_tag: "DecryptFailed",
+			key,
+			message: err.message
+		}), (plaintext) => Right(plaintext));
+		const failed = outcome.fold((err) => err, () => void 0);
+		if (failed) return Left(failed);
+		result[key] = outcome.fold(() => "", (v) => v);
+	}
+	return Right(result);
+};
+
+//#endregion
+//#region src/core/boot.ts
+const resolveAndLoad = (opts) => resolveConfigPath(opts.configPath).fold((err) => Left(err), ({ path: configPath, source: configSource }) => loadConfig(configPath).fold((err) => Left(err), (config) => {
+	const configDir = dirname(configPath);
+	return resolveConfig(config, configDir).fold((err) => Left(err), (result) => Right({
+		config: result.config,
+		configPath,
+		configDir,
+		configSource
+	}));
+}));
+const resolveAgentKey = (config, configDir) => {
+	if (!config.agent?.identity) return Right(void 0);
+	return unwrapAgentKey(resolve(configDir, expandPath(config.agent.identity))).fold((err) => Left(err), (key) => Right(key));
+};
+const detectFnoxKeys = (configDir) => detectFnox(configDir).fold(() => /* @__PURE__ */ new Set(), (fnoxPath) => readFnoxConfig(fnoxPath).fold(() => /* @__PURE__ */ new Set(), (fnoxConfig) => extractFnoxKeys(fnoxConfig)));
+const checkExpiration = (audit, failOnExpired, warnOnly) => {
+	const warnings = [];
+	if (audit.expired > 0 && failOnExpired && !warnOnly) return Left({
+		_tag: "AuditFailed",
+		audit,
+		message: `${audit.expired} secret(s) have expired`
+	});
+	if (audit.expired > 0 && warnOnly) warnings.push(`${audit.expired} secret(s) have expired (warn-only mode)`);
+	return Right(warnings);
+};
+const SECRET_PATTERNS = [
+	/^sk-/,
+	/^ghp_/,
+	/^ghu_/,
+	/^AKIA[0-9A-Z]{16}/,
+	/^xox[bpras]-/,
+	/:\/\/[^:]+:[^@]+@/,
+	/^ey[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}/
+];
+const looksLikeSecret = (value) => {
+	if (SECRET_PATTERNS.some((p) => p.test(value))) return true;
+	if (value.length > 40 && /^[A-Za-z0-9+/=]+$/.test(value)) return true;
+	return false;
+};
+const checkEnvMisclassification = (config) => {
+	const warnings = [];
+	const envEntries = config.env ?? {};
+	for (const [key, entry] of Object.entries(envEntries)) if (looksLikeSecret(entry.value)) warnings.push(`[env.${key}] value looks like a secret — consider moving to [secret.${key}]`);
+	return warnings;
+};
+/** Programmatic boot — returns Either<BootError, BootResult> */
+const bootSafe = (options) => {
+	const opts = options ?? {};
+	const inject = opts.inject !== false;
+	const failOnExpired = opts.failOnExpired !== false;
+	const warnOnly = opts.warnOnly ?? false;
+	return resolveAndLoad(opts).flatMap(({ config, configPath, configDir, configSource }) => {
+		const secretEntries = config.secret ?? {};
+		const metaKeys = Object.keys(secretEntries);
+		const hasSealedValues = metaKeys.some((k) => !!secretEntries[k]?.encrypted_value);
+		const agentKeyResult = resolveAgentKey(config, configDir);
+		const agentKey = agentKeyResult.fold(() => void 0, (k) => k);
+		const agentKeyError = agentKeyResult.fold((err) => err, () => void 0);
+		if (agentKeyError && !hasSealedValues) return Left(agentKeyError);
+		const audit = computeAudit(config, detectFnoxKeys(configDir));
+		return checkExpiration(audit, failOnExpired, warnOnly).map((warnings) => {
+			const secrets = {};
+			const injected = [];
+			const skipped = [];
+			warnings.push(...checkEnvMisclassification(config));
+			const envEntries = config.env ?? {};
+			const envDefaults = {};
+			const overridden = [];
+			for (const [key, entry] of Object.entries(envEntries)) if (process.env[key] === void 0) {
+				envDefaults[key] = entry.value;
+				if (inject) process.env[key] = entry.value;
+			} else overridden.push(key);
+			const sealedKeys = /* @__PURE__ */ new Set();
+			if (hasSealedValues && config.agent?.identity) unsealSecrets(secretEntries, resolve(configDir, expandPath(config.agent.identity))).fold((err) => {
+				warnings.push(`Sealed value decryption failed: ${err.message}`);
+			}, (unsealed) => {
+				for (const [key, value] of Object.entries(unsealed)) {
+					secrets[key] = value;
+					injected.push(key);
+					sealedKeys.add(key);
+				}
+			});
+			const remainingKeys = metaKeys.filter((k) => !sealedKeys.has(k));
+			if (remainingKeys.length > 0) if (fnoxAvailable()) fnoxExport(opts.profile, agentKey).fold((err) => {
+				warnings.push(`fnox export failed: ${err.message}`);
+				for (const key of remainingKeys) skipped.push(key);
+			}, (exported) => {
+				for (const key of remainingKeys) if (key in exported) {
+					secrets[key] = exported[key];
+					injected.push(key);
+				} else skipped.push(key);
+			});
+			else {
+				if (!hasSealedValues) warnings.push("fnox not available — no secrets injected");
+				for (const key of remainingKeys) skipped.push(key);
+			}
+			if (inject) for (const [key, value] of Object.entries(secrets)) process.env[key] = value;
+			return {
+				audit,
+				injected,
+				skipped,
+				secrets,
+				warnings,
+				envDefaults,
+				overridden,
+				configPath,
+				configSource
+			};
+		});
+	});
+};
+
 //#endregion
 //#region src/core/patterns.ts
 const EXCLUDED_VARS = new Set([
@@ -1210,7 +1659,7 @@ const matchValueShape = (value) => {
 };
 /** Strip common suffixes and derive a service name from an env var name */
 const deriveServiceFromName = (name) => {
-	const suffixes = [
+	const matchedSuffix = [
 		"_API_KEY",
 		"_SECRET_KEY",
 		"_ACCESS_KEY",
@@ -1228,13 +1677,8 @@ const deriveServiceFromName = (name) => {
 		"_DSN",
 		"_URL",
 		"_URI"
-	];
-	let stripped = name;
-	for (const suffix of suffixes) if (stripped.endsWith(suffix)) {
-		stripped = stripped.slice(0, -suffix.length);
-		break;
-	}
-	return stripped.toLowerCase().replace(/_/g, "-");
+	].find((s) => name.endsWith(s));
+	return (matchedSuffix ? name.slice(0, -matchedSuffix.length) : name).toLowerCase().replace(/_/g, "-");
 };
 /** Match a single env var against all patterns */
 const matchEnvVar = (name, value) => {
@@ -1304,10 +1748,11 @@ const envScan = (env, options) => {
 /** Bidirectional drift detection between config and live environment */
 const envCheck = (config, env) => {
 	const entries = [];
-	const metaKeys = Object.keys(config.meta);
+	const secretEntries = config.secret ?? {};
+	const metaKeys = Object.keys(secretEntries);
 	const trackedSet = new Set(metaKeys);
 	for (const key of metaKeys) {
-		const meta = config.meta[key];
+		const meta = secretEntries[key];
 		const present = env[key] !== void 0 && env[key] !== "";
 		entries.push({
 			envVar: key,
@@ -1316,6 +1761,17 @@ const envCheck = (config, env) => {
 			confidence: Option(void 0)
 		});
 	}
+	const envDefaults = config.env ?? {};
+	for (const key of Object.keys(envDefaults)) if (!trackedSet.has(key)) {
+		trackedSet.add(key);
+		const present = env[key] !== void 0 && env[key] !== "";
+		entries.push({
+			envVar: key,
+			service: Option(void 0),
+			status: present ? "tracked" : "missing_from_env",
+			confidence: Option(void 0)
+		});
+	}
 	const envMatches = scanEnv(env);
 	for (const match of envMatches) if (!trackedSet.has(match.envVar)) entries.push({
 		envVar: match.envVar,
@@ -1335,12 +1791,12 @@ const envCheck = (config, env) => {
 	};
 };
 const todayIso$1 = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-/** Generate TOML [meta.*] blocks from scan results, mirroring init.ts pattern */
+/** Generate TOML [secret.*] blocks from scan results, mirroring init.ts pattern */
 const generateTomlFromScan = (matches) => {
 	const blocks = [];
 	for (const match of matches) {
 		const svc = match.service.fold(() => match.envVar.toLowerCase().replace(/_/g, "-"), (s) => s);
-		blocks.push(`[meta.${match.envVar}]
+		blocks.push(`[secret.${match.envVar}]
 service = "${svc}"
 # purpose = ""               # Why: what this secret enables
 # capabilities = []          # What operations this grants
@@ -1371,16 +1827,16 @@ const runEnvScan = (options) => {
 			console.log(toml);
 			return;
 		}
-		const configPath = join(process.cwd(), "envpkt.toml");
+		const configPath = resolve(options.config ?? join(process.cwd(), "envpkt.toml"));
 		if (existsSync(configPath)) {
 			const existing = Try(() => readFileSync(configPath, "utf-8")).fold(() => "", (c) => c);
-			const newEntries = scan.discovered.toArray().filter((m) => !existing.includes(`[meta.${m.envVar}]`));
+			const newEntries = scan.discovered.toArray().filter((m) => !existing.includes(`[secret.${m.envVar}]`));
 			if (newEntries.length === 0) {
-				console.log(`\n${GREEN}✓${RESET} All discovered credentials already tracked in envpkt.toml`);
+				console.log(`\n${GREEN}✓${RESET} All discovered credentials already tracked in ${CYAN}${configPath}${RESET}`);
 				return;
 			}
 			const newToml = generateTomlFromScan(newEntries);
-			Try(() => writeFileSync(configPath, existing.trimEnd() + "\n\n" + newToml, "utf-8")).fold((err) => {
+			Try(() => writeFileSync(configPath, `${existing.trimEnd()}\n\n${newToml}`, "utf-8")).fold((err) => {
 				console.error(`\n${RED}Error:${RESET} Failed to write: ${err}`);
 				process.exit(1);
 			}, () => {
@@ -1392,7 +1848,7 @@ const runEnvScan = (options) => {
 				console.error(`\n${RED}Error:${RESET} Failed to write: ${err}`);
 				process.exit(1);
 			}, () => {
-				console.log(`\n${GREEN}✓${RESET} Created ${BOLD}envpkt.toml${RESET} with ${CYAN}${scan.discovered.size}${RESET} credential(s)`);
+				console.log(`\n${GREEN}✓${RESET} Created ${CYAN}${configPath}${RESET} with ${BOLD}${scan.discovered.size}${RESET} credential(s)`);
 			});
 		}
 	}
@@ -1401,7 +1857,9 @@ const runEnvCheck = (options) => {
 	resolveConfigPath(options.config).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
-	}, (path) => {
+	}, ({ path, source }) => {
+		const sourceMsg = formatConfigSource(path, source);
+		if (sourceMsg) console.error(sourceMsg);
 		loadConfig(path).fold((err) => {
 			console.error(formatError(err));
 			process.exit(2);
@@ -1418,43 +1876,23 @@ const runEnvCheck = (options) => {
 		});
 	});
 };
-
-//#endregion
-//#region src/fnox/detect.ts
-/** Check if fnox CLI is available on PATH */
-const fnoxAvailable = () => Try(() => {
-	execFileSync("fnox", ["--version"], { stdio: "pipe" });
-	return true;
-}).fold(() => false, (v) => v);
-
-//#endregion
-//#region src/fnox/identity.ts
-/** Check if the age CLI is available on PATH */
-const ageAvailable = () => Try(() => {
-	execFileSync("age", ["--version"], { stdio: "pipe" });
-	return true;
-}).fold(() => false, (v) => v);
-/** Unwrap an encrypted agent key using age --decrypt */
-const unwrapAgentKey = (identityPath) => {
-	if (!existsSync(identityPath)) return Left({
-		_tag: "IdentityNotFound",
-		path: identityPath
-	});
-	if (!ageAvailable()) return Left({
-		_tag: "AgeNotFound",
-		message: "age CLI not found on PATH"
+const shellEscape = (value) => value.replace(/'/g, "'\\''");
+const runEnvExport = (options) => {
+	bootSafe({
+		inject: false,
+		configPath: options.config,
+		profile: options.profile,
+		warnOnly: true
+	}).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, (boot) => {
+		const sourceMsg = formatConfigSource(boot.configPath, boot.configSource);
+		if (sourceMsg) console.error(sourceMsg);
+		for (const warning of boot.warnings) console.error(`${YELLOW}Warning:${RESET} ${warning}`);
+		for (const [key, value] of Object.entries(boot.envDefaults)) console.log(`export ${key}='${shellEscape(value)}'`);
+		for (const [key, value] of Object.entries(boot.secrets)) console.log(`export ${key}='${shellEscape(value)}'`);
 	});
-	return Try(() => execFileSync("age", ["--decrypt", identityPath], {
-		stdio: [
-			"pipe",
-			"pipe",
-			"pipe"
-		],
-		encoding: "utf-8"
-	})).fold((err) => Left({
-		_tag: "DecryptFailed",
-		message: `age decrypt failed: ${err}`
-	}), (output) => Right(output.trim()));
 };
 
 //#endregion
@@ -1465,71 +1903,40 @@ const runExec = (args, options) => {
 		process.exit(2);
 		return;
 	}
-	const skipAudit = options.skipAudit || options.check === false;
-	const configData = resolveConfigPath(options.config).fold((err) => {
+	const skipAudit = options.skipAudit ?? options.check === false;
+	const boot = bootSafe({
+		inject: false,
+		configPath: options.config,
+		profile: options.profile,
+		failOnExpired: false,
+		warnOnly: true
+	}).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
-	}, (path) => loadConfig(path).fold((err) => {
-		console.error(formatError(err));
-		process.exit(2);
-	}, (config) => ({
-		config,
-		path
-	})));
-	if (!configData) return;
-	const { config, path } = configData;
-	const configDir = dirname(path);
+	}, (b) => b);
+	if (!boot) return;
+	const sourceMsg = formatConfigSource(boot.configPath, boot.configSource);
+	if (sourceMsg) console.error(sourceMsg);
 	if (!skipAudit) {
-		const audit = computeAudit(config);
-		console.error(`${BOLD}envpkt${RESET} pre-flight audit ${path}`);
-		console.error(formatAudit(audit));
+		console.error(`${BOLD}envpkt${RESET} pre-flight audit`);
+		console.error(formatAudit(boot.audit));
 		console.error("");
-		if (options.strict && audit.status !== "healthy") {
-			console.error(`${RED}Aborting:${RESET} --strict mode and audit status is ${audit.status}`);
-			process.exit(exitCodeForAudit(audit));
+		if (options.strict && boot.audit.status !== "healthy") {
+			console.error(`${RED}Aborting:${RESET} --strict mode and audit status is ${boot.audit.status}`);
+			process.exit(exitCodeForAudit(boot.audit));
 			return;
 		}
-		if (audit.status === "critical" && !options.warnOnly) {
+		if (boot.audit.status === "critical" && !options.warnOnly) {
 			console.error(`${RED}Aborting:${RESET} audit status is critical (use --warn-only to proceed)`);
-			process.exit(exitCodeForAudit(audit));
+			process.exit(exitCodeForAudit(boot.audit));
 			return;
 		}
-		if (audit.status === "critical" && options.warnOnly) console.error(`${YELLOW}Warning:${RESET} Proceeding despite critical audit status (--warn-only)`);
+		if (boot.audit.status === "critical" && options.warnOnly) console.error(`${YELLOW}Warning:${RESET} Proceeding despite critical audit status (--warn-only)`);
 	}
-	let agentKey;
-	if (config.agent?.identity) unwrapAgentKey(resolve(configDir, config.agent.identity)).fold((err) => {
-		console.error(`${YELLOW}Warning:${RESET} Agent key unwrap failed: ${err._tag}`);
-	}, (key) => {
-		agentKey = key;
-	});
-	if (!fnoxAvailable()) console.error(`${YELLOW}Warning:${RESET} fnox not available — running command without secret injection`);
+	for (const warning of boot.warnings) console.error(`${YELLOW}Warning:${RESET} ${warning}`);
 	const env = { ...process.env };
-	if (fnoxAvailable()) {
-		const fnoxArgs = options.profile ? [
-			"export",
-			"--profile",
-			options.profile
-		] : ["export"];
-		const fnoxEnv = agentKey ? {
-			...process.env,
-			FNOX_AGE_KEY: agentKey
-		} : void 0;
-		Try(() => execFileSync("fnox", fnoxArgs, {
-			stdio: "pipe",
-			encoding: "utf-8",
-			env: fnoxEnv
-		})).fold((err) => {
-			console.error(`${YELLOW}Warning:${RESET} fnox export failed: ${err}`);
-		}, (output) => {
-			for (const line of output.split("\n")) {
-				const eq = line.indexOf("=");
-				if (eq > 0) {
-					const key = line.slice(0, eq).trim();
-					env[key] = line.slice(eq + 1).trim();
-				}
-			}
-		});
-	}
+	for (const [key, value] of Object.entries(boot.envDefaults)) if (!(key in env)) env[key] = value;
+	for (const [key, value] of Object.entries(boot.secrets)) env[key] = value;
 	const [cmd, ...cmdArgs] = args;
 	try {
 		execFileSync(cmd, cmdArgs, {
@@ -1575,10 +1982,7 @@ function* findEnvpktFiles(dir, maxDepth, currentDepth = 0) {
 	const configPath = join(dir, CONFIG_FILENAME$1);
 	if (Try(() => statSync(configPath).isFile()).fold(() => false, (v) => v)) yield configPath;
 	if (currentDepth >= maxDepth) return;
-	let entries = [];
-	Try(() => readdirSync(dir, { withFileTypes: true })).fold(() => {}, (e) => {
-		entries = e;
-	});
+	const entries = Try(() => readdirSync(dir, { withFileTypes: true })).fold(() => [], (e) => e);
 	for (const entry of entries) if (entry.isDirectory() && !SKIP_DIRS.has(entry.name) && !entry.name.startsWith(".")) yield* findEnvpktFiles(join(dir, entry.name), maxDepth, currentDepth + 1);
 }
 const scanFleet = (rootDir, options) => {
@@ -1645,7 +2049,7 @@ const runFleet = (options) => {
 const CONFIG_FILENAME = "envpkt.toml";
 const todayIso = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
 const generateSecretBlock = (key, service) => {
-	return `[meta.${key}]
+	return `[secret.${key}]
 service = "${service ?? key}"
 # purpose = ""               # Why: what this secret enables
 # capabilities = []          # What operations this grants
@@ -1684,18 +2088,26 @@ const generateTemplate = (options, fnoxKeys) => {
 		lines.push(`# require_expiration = false`);
 		lines.push(`# require_service = false`);
 		lines.push(``);
+		lines.push(`# Plaintext environment defaults (non-secret, safe to commit)`);
+		lines.push(`# [env.PORT]`);
+		lines.push(`# value = "3000"`);
+		lines.push(`# purpose = "Application port"`);
+		lines.push(`# [env.NODE_ENV]`);
+		lines.push(`# value = "production"`);
+		lines.push(`# purpose = "Runtime environment"`);
+		lines.push(``);
 		if (fnoxKeys && fnoxKeys.length > 0) {
 			lines.push(`# Secrets detected from fnox.toml`);
 			for (const key of fnoxKeys) lines.push(generateSecretBlock(key));
 		} else {
 			lines.push(`# Add your secret metadata below.`);
-			lines.push(`# Each [meta.<key>] describes a secret your agent needs.`);
+			lines.push(`# Each [secret.<key>] describes a secret your agent needs.`);
 			lines.push(``);
 			lines.push(generateSecretBlock("EXAMPLE_API_KEY", "example-service"));
 		}
 	} else {
 		lines.push(`# Optional: override catalog metadata for specific secrets`);
-		lines.push(`# [meta.KEY_NAME]`);
+		lines.push(`# [secret.KEY_NAME]`);
 		lines.push(`# capabilities = ["read"]  # narrows catalog's broader definition`);
 	}
 	return lines.join("\n");
@@ -1721,20 +2133,17 @@ const runInit = (dir, options) => {
 		console.error(`${RED}Error:${RESET} ${CONFIG_FILENAME} already exists. Use --force to overwrite.`);
 		process.exit(1);
 	}
-	let fnoxKeys;
-	if (options.fromFnox) {
+	const fnoxKeys = options.fromFnox ? (() => {
 		const fnoxPath = options.fromFnox === "true" || options.fromFnox === "" ? join(dir, "fnox.toml") : options.fromFnox;
 		if (!existsSync(fnoxPath)) {
 			console.error(`${RED}Error:${RESET} fnox.toml not found at ${fnoxPath}`);
 			process.exit(1);
 		}
-		readFnoxKeys(fnoxPath).fold((err) => {
+		return readFnoxKeys(fnoxPath).fold((err) => {
 			console.error(`${RED}Error:${RESET} Failed to read fnox.toml: ${formatConfigError(err)}`);
 			process.exit(1);
-		}, (keys) => {
-			fnoxKeys = keys;
-		});
-	}
+		}, (keys) => keys);
+	})() : void 0;
 	const content = generateTemplate(options, fnoxKeys);
 	Try(() => writeFileSync(outPath, content, "utf-8")).fold((err) => {
 		console.error(`${RED}Error:${RESET} Failed to write ${CONFIG_FILENAME}: ${err}`);
@@ -1757,6 +2166,7 @@ const maskValue = (value) => {
 //#region src/cli/commands/inspect.ts
 const printSecretMeta = (meta, indent) => {
 	if (meta.purpose) console.log(`${indent}purpose: ${meta.purpose}`);
+	if (meta.comment) console.log(`${indent}comment: ${DIM}${meta.comment}${RESET}`);
 	if (meta.capabilities) console.log(`${indent}capabilities: ${DIM}${meta.capabilities.join(", ")}${RESET}`);
 	const dateParts = [];
 	if (meta.created) dateParts.push(`created: ${meta.created}`);
@@ -1790,14 +2200,29 @@ const printConfig = (config, path, resolveResult, opts) => {
 		if (config.agent.secrets) console.log(`  secrets: ${config.agent.secrets.join(", ")}`);
 		console.log("");
 	}
-	console.log(`${BOLD}Secrets:${RESET} ${Object.keys(config.meta).length}`);
-	for (const [key, meta] of Object.entries(config.meta)) {
+	const secretEntries = config.secret ?? {};
+	console.log(`${BOLD}Secrets:${RESET} ${Object.keys(secretEntries).length}`);
+	for (const [key, meta] of Object.entries(secretEntries)) {
 		const secretValue = opts?.secrets?.[key];
 		const valueSuffix = secretValue !== void 0 ? ` = ${YELLOW}${(opts?.secretDisplay ?? "encrypted") === "plaintext" ? secretValue : maskValue(secretValue)}${RESET}` : "";
 		const sealedTag = meta.encrypted_value ? ` ${CYAN}[sealed]${RESET}` : "";
 		console.log(`  ${BOLD}${key}${RESET} → ${meta.service ?? key}${sealedTag}${valueSuffix}`);
 		printSecretMeta(meta, "    ");
 	}
+	const envEntries = config.env ?? {};
+	const envKeys = Object.keys(envEntries);
+	if (envKeys.length > 0) {
+		console.log("");
+		console.log(`${BOLD}Environment Defaults:${RESET} ${envKeys.length}`);
+		for (const [key, entry] of Object.entries(envEntries)) {
+			const currentValue = process.env[key];
+			const statusIcon = currentValue === void 0 ? `${RED}!${RESET}` : currentValue === entry.value ? `${GREEN}=${RESET}` : `${YELLOW}~${RESET}`;
+			const statusLabel = currentValue === void 0 ? `${DIM}not set${RESET}` : currentValue === entry.value ? `${DIM}using default${RESET}` : `${YELLOW}overridden${RESET}`;
+			console.log(`  ${statusIcon} ${BOLD}${key}${RESET} = "${entry.value}" ${statusLabel}`);
+			if (entry.purpose) console.log(`    purpose: ${entry.purpose}`);
+			if (entry.comment) console.log(`    comment: ${DIM}${entry.comment}${RESET}`);
+		}
+	}
 	if (config.lifecycle) {
 		console.log("");
 		console.log(`${BOLD}Lifecycle:${RESET}`);
@@ -1818,7 +2243,9 @@ const runInspect = (options) => {
 	resolveConfigPath(options.config).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
-	}, (path) => {
+	}, ({ path, source }) => {
+		const sourceMsg = formatConfigSource(path, source);
+		if (sourceMsg) console.error(sourceMsg);
 		loadConfig(path).fold((err) => {
 			console.error(formatError(err));
 			process.exit(2);
@@ -1827,14 +2254,15 @@ const runInspect = (options) => {
 				console.error(formatError(err));
 				process.exit(2);
 			}, (resolveResult) => {
-				const showResolved = options.resolved || !!resolveResult.catalogPath;
+				const showResolved = options.resolved ?? !!resolveResult.catalogPath;
 				const showConfig = showResolved ? resolveResult.config : config;
 				if (options.format === "json") {
 					console.log(JSON.stringify(showConfig, null, 2));
 					return;
 				}
+				const showSecrets = showConfig.secret ?? {};
 				const printOpts = options.secrets ? {
-					secrets: Object.fromEntries(Object.keys(showConfig.meta).filter((key) => process.env[key] !== void 0).map((key) => [key, process.env[key]])),
+					secrets: Object.fromEntries(Object.keys(showSecrets).filter((key) => process.env[key] !== void 0).map((key) => [key, process.env[key]])),
 					secretDisplay: options.plaintext ? "plaintext" : "encrypted"
 				} : void 0;
 				printConfig(showConfig, path, showResolved ? resolveResult : void 0, printOpts);
@@ -1846,7 +2274,7 @@ const runInspect = (options) => {
 //#endregion
 //#region src/mcp/resources.ts
 const loadConfigSafe = () => {
-	return resolveConfigPath().fold(() => void 0, (path) => loadConfig(path).fold(() => void 0, (config) => ({
+	return resolveConfigPath().fold(() => void 0, ({ path }) => loadConfig(path).fold(() => void 0, (config) => ({
 		config,
 		path
 	})));
@@ -1896,7 +2324,8 @@ const readCapabilities = () => {
 	const { config } = loaded;
 	const agentCapabilities = config.agent?.capabilities ?? [];
 	const secretCapabilities = {};
-	for (const [key, meta] of Object.entries(config.meta)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	const secretEntries = config.secret ?? {};
+	for (const [key, meta] of Object.entries(secretEntries)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
 	return { contents: [{
 		uri: "envpkt://capabilities",
 		mimeType: "application/json",
@@ -1937,7 +2366,7 @@ const loadConfigForTool = (configPath) => {
 	return resolveConfigPath(configPath).fold((err) => ({
 		ok: false,
 		result: errorResult(`Config error: ${err._tag} — ${err._tag === "FileNotFound" ? err.path : ""}`)
-	}), (path) => loadConfig(path).fold((err) => ({
+	}), ({ path }) => loadConfig(path).fold((err) => ({
 		ok: false,
 		result: errorResult(`Config error: ${err._tag} — ${err._tag === "ValidationError" ? err.errors.toArray().join(", ") : ""}`)
 	}), (config) => ({
@@ -2004,6 +2433,17 @@ const toolDefinitions = [
 			},
 			required: ["key"]
 		}
+	},
+	{
+		name: "getEnvMeta",
+		description: "Get metadata for environment defaults — returns configured default values, purposes, and current drift status",
+		inputSchema: {
+			type: "object",
+			properties: { configPath: {
+				type: "string",
+				description: "Optional path to envpkt.toml"
+			} }
+		}
 	}
 ];
 const handleGetPacketHealth = (args) => {
@@ -2037,7 +2477,8 @@ const handleListCapabilities = (args) => {
 	const { config } = loaded;
 	const agentCapabilities = config.agent?.capabilities ?? [];
 	const secretCapabilities = {};
-	for (const [key, meta] of Object.entries(config.meta)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	const secretEntries = config.secret ?? {};
+	for (const [key, meta] of Object.entries(secretEntries)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
 	return textResult(JSON.stringify({
 		agent: config.agent ? {
 			name: config.agent.name,
@@ -2045,7 +2486,8 @@ const handleListCapabilities = (args) => {
 			description: config.agent.description,
 			capabilities: agentCapabilities
 		} : null,
-		secrets: secretCapabilities
+		secrets: secretCapabilities,
+		env_defaults: Object.keys(config.env ?? {}).length
 	}, null, 2));
 };
 const handleGetSecretMeta = (args) => {
@@ -2054,11 +2496,12 @@ const handleGetSecretMeta = (args) => {
 	const loaded = loadConfigForTool(args.configPath);
 	if (!loaded.ok) return loaded.result;
 	const { config } = loaded;
-	const meta = config.meta[key];
+	const meta = (config.secret ?? {})[key];
 	if (!meta) return errorResult(`Secret not found: ${key}`);
+	const { encrypted_value: _, ...safeMeta } = meta;
 	return textResult(JSON.stringify({
 		key,
-		...meta
+		...safeMeta
 	}, null, 2));
 };
 const handleCheckExpiration = (args) => {
@@ -2077,11 +2520,19 @@ const handleCheckExpiration = (args) => {
 		issues: s.issues.toArray()
 	}, null, 2)));
 };
+const handleGetEnvMeta = (args) => {
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config } = loaded;
+	const envAudit = computeEnvAudit(config);
+	return textResult(JSON.stringify(envAudit, null, 2));
+};
 const handlers = {
 	getPacketHealth: handleGetPacketHealth,
 	listCapabilities: handleListCapabilities,
 	getSecretMeta: handleGetSecretMeta,
-	checkExpiration: handleCheckExpiration
+	checkExpiration: handleCheckExpiration,
+	getEnvMeta: handleGetEnvMeta
 };
 const callTool = (name, args) => {
 	const handler = handlers[name];
@@ -2102,17 +2553,17 @@ const createServer = () => {
 		},
 		instructions: "envpkt provides credential lifecycle awareness for AI agents. Use tools to check health, capabilities, and secret metadata. No secret values are ever exposed."
 	});
-	server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: toolDefinitions.map((t) => ({
+	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: toolDefinitions.map((t) => ({
 		name: t.name,
 		description: t.description,
 		inputSchema: t.inputSchema
 	})) }));
-	server.setRequestHandler(CallToolRequestSchema, async (request) => {
+	server.setRequestHandler(CallToolRequestSchema, (request) => {
 		const { name, arguments: args } = request.params;
 		return callTool(name, args ?? {});
 	});
-	server.setRequestHandler(ListResourcesRequestSchema, async () => ({ resources: [...resourceDefinitions] }));
-	server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+	server.setRequestHandler(ListResourcesRequestSchema, () => ({ resources: [...resourceDefinitions] }));
+	server.setRequestHandler(ReadResourceRequestSchema, (request) => {
 		const { uri } = request.params;
 		const result = readResource(uri);
 		if (!result) return { contents: [{
@@ -2145,7 +2596,9 @@ const runResolve = (options) => {
 	resolveConfigPath(options.config).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
-	}, (configPath) => {
+	}, ({ path: configPath, source }) => {
+		const sourceMsg = formatConfigSource(configPath, source);
+		if (sourceMsg) console.error(sourceMsg);
 		loadConfig(configPath).fold((err) => {
 			console.error(formatError(err));
 			process.exit(2);
@@ -2154,10 +2607,7 @@ const runResolve = (options) => {
 				console.error(formatError(err));
 				process.exit(2);
 			}, (result) => {
-				const outputFormat = options.format ?? "toml";
-				let content;
-				if (outputFormat === "json") content = JSON.stringify(result.config, null, 2) + "\n";
-				else content = `# Generated by envpkt resolve — do not edit\n${stringify(result.config)}\n`;
+				const content = (options.format ?? "toml") === "json" ? `${JSON.stringify(result.config, null, 2)}\n` : `# Generated by envpkt resolve — do not edit\n${stringify(result.config)}\n`;
 				if (options.dryRun) {
 					console.log(`${DIM}# Dry run — would write:${RESET}`);
 					console.log(content);
@@ -2167,7 +2617,7 @@ const runResolve = (options) => {
 				} else process.stdout.write(content);
 				if (result.catalogPath) {
 					const summaryTarget = options.output ? process.stdout : process.stderr;
-					summaryTarget.write(`\n${CYAN}Catalog:${RESET} ${result.catalogPath}\n${GREEN}Merged:${RESET} ${result.merged.length} key(s)` + (result.overridden.length > 0 ? ` ${YELLOW}(${result.overridden.length} overridden: ${result.overridden.join(", ")})${RESET}` : "") + "\n");
+					summaryTarget.write(`\n${CYAN}Catalog:${RESET} ${result.catalogPath}\n${GREEN}Merged:${RESET} ${result.merged.length} key(s)${result.overridden.length > 0 ? ` ${YELLOW}(${result.overridden.length} overridden: ${result.overridden.join(", ")})${RESET}` : ""}\n`);
 					for (const w of result.warnings) summaryTarget.write(`${RED}Warning:${RESET} ${w}\n`);
 				}
 			});
@@ -2175,39 +2625,6 @@ const runResolve = (options) => {
 	});
 };
 
-//#endregion
-//#region src/fnox/cli.ts
-/** Export all secrets from fnox as key=value pairs for a given profile */
-const fnoxExport = (profile, agentKey) => {
-	const args = profile ? [
-		"export",
-		"--profile",
-		profile
-	] : ["export"];
-	const env = agentKey ? {
-		...process.env,
-		FNOX_AGE_KEY: agentKey
-	} : void 0;
-	return Try(() => execFileSync("fnox", args, {
-		stdio: "pipe",
-		encoding: "utf-8",
-		env
-	})).fold((err) => Left({
-		_tag: "FnoxCliError",
-		message: `fnox export failed: ${err}`
-	}), (output) => {
-		const entries = {};
-		for (const line of output.split("\n")) {
-			const eq = line.indexOf("=");
-			if (eq > 0) {
-				const key = line.slice(0, eq).trim();
-				entries[key] = line.slice(eq + 1).trim();
-			}
-		}
-		return Right(entries);
-	});
-};
-
 //#endregion
 //#region src/core/resolve-values.ts
 /** Resolve plaintext values for the given keys via cascade: fnox → env → interactive prompt */
@@ -2244,62 +2661,6 @@ const resolveValues = async (keys, profile, agentKey) => {
 	return result;
 };
 
-//#endregion
-//#region src/core/seal.ts
-/** Encrypt a plaintext string using age with the given recipient public key (armored output) */
-const ageEncrypt = (plaintext, recipient) => {
-	if (!ageAvailable()) return Left({
-		_tag: "AgeNotFound",
-		message: "age CLI not found on PATH"
-	});
-	return Try(() => execFileSync("age", [
-		"--encrypt",
-		"--recipient",
-		recipient,
-		"--armor"
-	], {
-		input: plaintext,
-		stdio: [
-			"pipe",
-			"pipe",
-			"pipe"
-		],
-		encoding: "utf-8"
-	})).fold((err) => Left({
-		_tag: "EncryptFailed",
-		key: "",
-		message: `age encrypt failed: ${err}`
-	}), (output) => Right(output.trim()));
-};
-/** Seal multiple secrets: encrypt each value with the recipient key and set encrypted_value on meta */
-const sealSecrets = (meta, values, recipient) => {
-	if (!ageAvailable()) return Left({
-		_tag: "AgeNotFound",
-		message: "age CLI not found on PATH"
-	});
-	const result = {};
-	for (const [key, secretMeta] of Object.entries(meta)) {
-		const plaintext = values[key];
-		if (plaintext === void 0) {
-			result[key] = secretMeta;
-			continue;
-		}
-		const outcome = ageEncrypt(plaintext, recipient).fold((err) => Left({
-			_tag: "EncryptFailed",
-			key,
-			message: err.message
-		}), (ciphertext) => Right(ciphertext));
-		const failed = outcome.fold((err) => err, () => void 0);
-		if (failed) return Left(failed);
-		const ciphertext = outcome.fold(() => "", (v) => v);
-		result[key] = {
-			...secretMeta,
-			encrypted_value: ciphertext
-		};
-	}
-	return Right(result);
-};
-
 //#endregion
 //#region src/cli/commands/seal.ts
 /** Write sealed values back into the TOML file, preserving structure */
@@ -2311,7 +2672,7 @@ const writeSealedToml = (configPath, sealedMeta) => {
 	let hasEncryptedValue = false;
 	const pendingSeals = /* @__PURE__ */ new Map();
 	for (const [key, meta] of Object.entries(sealedMeta)) if (meta.encrypted_value) pendingSeals.set(key, meta.encrypted_value);
-	const metaSectionRe = /^\[meta\.(.+)\]\s*$/;
+	const metaSectionRe = /^\[secret\.(.+)\]\s*$/;
 	const encryptedValueRe = /^encrypted_value\s*=/;
 	const newSectionRe = /^\[/;
 	for (let i = 0; i < lines.length; i++) {
@@ -2370,11 +2731,16 @@ const writeSealedToml = (configPath, sealedMeta) => {
 	writeFileSync(configPath, output.join("\n"));
 };
 const runSeal = async (options) => {
-	const configPath = resolveConfigPath(options.config).fold((err) => {
+	const { path: configPath, source: configSource } = resolveConfigPath(options.config).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
-		return "";
-	}, (p) => p);
+		return {
+			path: "",
+			source: "flag"
+		};
+	}, (r) => r);
+	const sourceMsg = formatConfigSource(configPath, configSource);
+	if (sourceMsg) console.error(sourceMsg);
 	const config = loadConfig(configPath).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
@@ -2384,14 +2750,34 @@ const runSeal = async (options) => {
 		console.error(`${DIM}Add [agent] section with recipient = "age1..." to your envpkt.toml${RESET}`);
 		process.exit(2);
 	}
-	const recipient = config.agent.recipient;
+	const { recipient } = config.agent;
 	const configDir = dirname(configPath);
-	let agentKey;
-	if (config.agent.identity) agentKey = unwrapAgentKey(resolve(configDir, config.agent.identity)).fold((err) => {
+	const envEntries = config.env ?? {};
+	const secretEntries0 = config.secret ?? {};
+	const envConflicts = Object.keys(secretEntries0).filter((k) => k in envEntries);
+	if (envConflicts.length > 0) {
+		console.error(`${RED}Error:${RESET} Cannot seal keys that are also defined in [env.*]: ${envConflicts.join(", ")}`);
+		console.error(`${DIM}Move these to [secret.*] only, or remove from [env.*] before sealing.${RESET}`);
+		process.exit(2);
+	}
+	const agentKey = config.agent.identity ? unwrapAgentKey(resolve(configDir, expandPath(config.agent.identity))).fold((err) => {
 		const msg = err._tag === "IdentityNotFound" ? `not found: ${err.path}` : err.message;
 		console.error(`${YELLOW}Warning:${RESET} Could not unwrap agent key: ${msg}`);
-	}, (k) => k);
-	const metaKeys = Object.keys(config.meta);
+	}, (k) => k) : void 0;
+	const allSecretEntries = config.secret ?? {};
+	const allKeys = Object.keys(allSecretEntries);
+	const alreadySealed = allKeys.filter((k) => allSecretEntries[k]?.encrypted_value);
+	const unsealed = allKeys.filter((k) => !allSecretEntries[k]?.encrypted_value);
+	if (!options.reseal && alreadySealed.length > 0) {
+		if (unsealed.length === 0) {
+			console.log(`${GREEN}✓${RESET} All ${BOLD}${alreadySealed.length}${RESET} secret(s) already sealed. Use ${CYAN}--reseal${RESET} to re-encrypt.`);
+			process.exit(0);
+		}
+		console.log(`${DIM}Skipping ${alreadySealed.length} already-sealed secret(s). Use --reseal to re-encrypt all.${RESET}`);
+	}
+	const targetKeys = options.reseal ? allKeys : unsealed;
+	const secretEntries = Object.fromEntries(targetKeys.map((k) => [k, allSecretEntries[k]]));
+	const metaKeys = targetKeys;
 	console.log(`${BOLD}Sealing ${metaKeys.length} secret(s)${RESET} with recipient ${CYAN}${recipient.slice(0, 20)}...${RESET}`);
 	console.log("");
 	const values = await resolveValues(metaKeys, options.profile, agentKey);
@@ -2405,12 +2791,15 @@ const runSeal = async (options) => {
 		const skippedKeys = metaKeys.filter((k) => !(k in values));
 		console.log(`${YELLOW}Skipped${RESET} ${skipped} key(s) with no value: ${skippedKeys.join(", ")}`);
 	}
-	sealSecrets(config.meta, values, recipient).fold((err) => {
+	sealSecrets(secretEntries, values, recipient).fold((err) => {
 		console.error(`${RED}Error:${RESET} Seal failed: ${err.message}`);
 		process.exit(2);
 	}, (sealedMeta) => {
 		writeSealedToml(configPath, sealedMeta);
-		console.log(`${GREEN}Sealed${RESET} ${resolved} secret(s) into ${DIM}${configPath}${RESET}`);
+		const sealedCount = resolved;
+		const prevSealed = options.reseal ? 0 : alreadySealed.length;
+		const summary = prevSealed > 0 ? ` (${prevSealed} previously sealed kept)` : "";
+		console.log(`${GREEN}Sealed${RESET} ${sealedCount} secret(s) into ${DIM}${configPath}${RESET}${summary}`);
 	});
 };
 
@@ -2418,9 +2807,7 @@ const runSeal = async (options) => {
 //#region src/cli/commands/shell-hook.ts
 const ZSH_HOOK = `# envpkt shell hook — add to your .zshrc
 _envpkt_chpwd() {
-  if [[ -f envpkt.toml ]]; then
-    envpkt audit --format minimal 2>/dev/null
-  fi
+  envpkt audit --format minimal 2>/dev/null
 }
 
 if (( $+functions[add-zsh-hook] )); then
@@ -2433,9 +2820,7 @@ fi
 `;
 const BASH_HOOK = `# envpkt shell hook — add to your .bashrc
 _envpkt_prompt() {
-  if [[ -f envpkt.toml ]]; then
-    envpkt audit --format minimal 2>/dev/null
-  fi
+  envpkt audit --format minimal 2>/dev/null
 }
 
 if [[ ! "$PROMPT_COMMAND" == *"_envpkt_prompt"* ]]; then
@@ -2459,39 +2844,42 @@ const runShellHook = (shell) => {
 //#endregion
 //#region src/cli/index.ts
 const program = new Command();
-program.name("envpkt").description("Credential lifecycle and fleet management for AI agents").version("0.1.0");
+program.name("envpkt").description("Credential lifecycle and fleet management for AI agents\n\n  Developer workflow:  env scan → catalog → cloud-synced folder → eval $(envpkt env export)\n  Agent / CI workflow: catalog → audit --strict → seal → exec --strict → fleet").version(createRequire(import.meta.url)("../../package.json").version);
 program.command("init").description("Initialize a new envpkt.toml in the current directory").option("--from-fnox [path]", "Scaffold from fnox.toml (optionally specify path)").option("--catalog <path>", "Path to shared secret catalog").option("--agent", "Include [agent] section").option("--name <name>", "Agent name (requires --agent)").option("--capabilities <caps>", "Comma-separated capabilities (requires --agent)").option("--expires <date>", "Agent credential expiration YYYY-MM-DD (requires --agent)").option("--force", "Overwrite existing envpkt.toml").action((options) => {
 	runInit(process.cwd(), options);
 });
-program.command("audit").description("Audit credential health from envpkt.toml").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json | minimal", "table").option("--expiring <days>", "Show secrets expiring within N days", parseInt).option("--status <status>", "Filter by status: healthy | expiring_soon | expired | stale | missing").option("--strict", "Exit non-zero on any non-healthy secret").action((options) => {
+program.command("audit").description("Audit credential health from envpkt.toml (use --strict in CI pipelines to gate deploys)").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json | minimal", "table").option("--expiring <days>", "Show secrets expiring within N days", parseInt).option("--status <status>", "Filter by status: healthy | expiring_soon | expired | stale | missing").option("--strict", "Exit non-zero on any non-healthy secret").option("--all", "Show both secrets and env defaults").option("--env-only", "Show only env defaults (drift detection)").option("--sealed", "Show only secrets with encrypted_value").option("--external", "Show only secrets without encrypted_value").action((options) => {
 	runAudit(options);
 });
-program.command("fleet").description("Scan directory tree for envpkt.toml files and aggregate health").option("-d, --dir <path>", "Root directory to scan", ".").option("--depth <n>", "Max directory depth", parseInt).option("--format <format>", "Output format: table | json", "table").option("--status <status>", "Filter agents by health status").action((options) => {
+program.command("fleet").description("Scan directory tree for envpkt.toml files and aggregate health (use in CI for fleet-wide monitoring)").option("-d, --dir <path>", "Root directory to scan", ".").option("--depth <n>", "Max directory depth", parseInt).option("--format <format>", "Output format: table | json", "table").option("--status <status>", "Filter agents by health status").action((options) => {
 	runFleet(options);
 });
 program.command("inspect").description("Display structured view of envpkt.toml").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json", "table").option("--resolved", "Show resolved view (catalog merged)").option("--secrets", "Show secret values from environment (masked by default)").option("--plaintext", "Show secret values in plaintext (requires --secrets)").action((options) => {
 	runInspect(options);
 });
-program.command("exec").description("Run pre-flight audit then execute a command with fnox-injected env").argument("<command...>", "Command to execute").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use").option("--skip-audit", "Skip the pre-flight audit (alias: --no-check)").option("--no-check", "Skip the pre-flight audit").option("--warn-only", "Warn on critical audit but do not abort").option("--strict", "Abort on any non-healthy secret").action((args, options) => {
+program.command("exec").description("Run pre-flight audit then execute a command with injected secrets (sealed → fnox → env cascade)").argument("<command...>", "Command to execute").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use").option("--skip-audit", "Skip the pre-flight audit (alias: --no-check)").option("--no-check", "Skip the pre-flight audit").option("--warn-only", "Warn on critical audit but do not abort").option("--strict", "Abort on any non-healthy secret").action((args, options) => {
 	runExec(args, options);
 });
 program.command("resolve").description("Resolve catalog references and output a flat, self-contained config").option("-c, --config <path>", "Path to envpkt.toml").option("-o, --output <path>", "Write resolved config to file (default: stdout)").option("--format <format>", "Output format: toml | json", "toml").option("--dry-run", "Show what would be resolved without writing").action((options) => {
 	runResolve(options);
 });
-program.command("seal").description("Encrypt secret values into envpkt.toml using age (sealed packets)").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use for value resolution").action(async (options) => {
+program.command("seal").description("Encrypt secret values into envpkt.toml using age — sealed packets are safe to commit to git").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use for value resolution").option("--reseal", "Re-encrypt all secrets, including already sealed (for key rotation)").action(async (options) => {
 	await runSeal(options);
 });
 program.command("mcp").description("Start the envpkt MCP server (stdio transport)").option("-c, --config <path>", "Path to envpkt.toml").action((options) => {
 	runMcp(options);
 });
 const env = program.command("env").description("Discover and check credentials in your shell environment");
-env.command("scan").description("Auto-discover credentials from process.env and scaffold TOML entries").option("--format <format>", "Output format: table | json", "table").option("--write", "Write discovered credentials to envpkt.toml").option("--dry-run", "Preview TOML that would be written (implies --write)").option("--include-unknown", "Include vars where service could not be inferred").action((options) => {
+env.command("scan").description("Auto-discover credentials from process.env and scaffold TOML entries — first step in the developer workflow").option("-c, --config <path>", "Path to envpkt.toml (write target for --write)").option("--format <format>", "Output format: table | json", "table").option("--write", "Write discovered credentials to envpkt.toml").option("--dry-run", "Preview TOML that would be written (implies --write)").option("--include-unknown", "Include vars where service could not be inferred").action((options) => {
 	runEnvScan(options);
 });
 env.command("check").description("Bidirectional drift detection between envpkt.toml and live environment").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json", "table").option("--strict", "Exit non-zero on any drift").action((options) => {
 	runEnvCheck(options);
 });
-program.command("shell-hook").description("Output shell function for ambient credential warnings on cd").argument("<shell>", "Shell type: zsh | bash").action((shell) => {
+env.command("export").description("Output export statements for eval-ing secrets into the current shell. Usage: eval \"$(envpkt env export)\"").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use").option("--skip-audit", "Skip the pre-flight audit").action((options) => {
+	runEnvExport(options);
+});
+program.command("shell-hook").description("Output shell function for ambient credential warnings on cd — combine with env export for full setup").argument("<shell>", "Shell type: zsh | bash").action((shell) => {
 	runShellHook(shell);
 });
 program.parse();