envpkt 0.2.0 → 0.4.1

package/dist/index.js

@@ -1,5 +1,6 @@
 import { FormatRegistry, Type } from "@sinclair/typebox";
 import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { homedir } from "node:os";
 import { dirname, join, resolve } from "node:path";
 import { TypeCompiler } from "@sinclair/typebox/compiler";
 import { Cond, Left, List, Option, Right, Try } from "functype";
@@ -46,6 +47,7 @@ const SecretMetaSchema = Type.Object({
 		description: "URL or reference for secret rotation procedure"
 	})),
 	purpose: Type.Optional(Type.String({ description: "Why this secret exists and what it enables" })),
+	comment: Type.Optional(Type.String({ description: "Free-form annotation or note" })),
 	capabilities: Type.Optional(Type.Array(Type.String(), { description: "What operations this secret grants (e.g. read, write, admin)" })),
 	created: Type.Optional(Type.String({
 		format: "date",
@@ -79,6 +81,12 @@ const CallbackConfigSchema = Type.Object({
 	on_audit_fail: Type.Optional(Type.String({ description: "Command or webhook on audit failure" }))
 }, { description: "Automation callbacks for lifecycle events" });
 const ToolsConfigSchema = Type.Record(Type.String(), Type.Unknown(), { description: "Tool integration configuration — open namespace for third-party extensions" });
+const EnvMetaSchema = Type.Object({
+	value: Type.String({ description: "Default value for this environment variable" }),
+	purpose: Type.Optional(Type.String({ description: "Why this env var exists" })),
+	comment: Type.Optional(Type.String({ description: "Free-form annotation or note" })),
+	tags: Type.Optional(Type.Record(Type.String(), Type.String(), { description: "Key-value tags for grouping and filtering" }))
+}, { description: "Metadata for a plaintext environment default (non-secret)" });
 const EnvpktConfigSchema = Type.Object({
 	version: Type.Number({
 		description: "Schema version number",
@@ -86,7 +94,8 @@ const EnvpktConfigSchema = Type.Object({
 	}),
 	catalog: Type.Optional(Type.String({ description: "Path to shared secret catalog (relative to this config file)" })),
 	agent: Type.Optional(AgentIdentitySchema),
-	meta: Type.Record(Type.String(), SecretMetaSchema, { description: "Per-secret metadata keyed by secret name" }),
+	secret: Type.Optional(Type.Record(Type.String(), SecretMetaSchema, { description: "Per-secret metadata keyed by secret name" })),
+	env: Type.Optional(Type.Record(Type.String(), EnvMetaSchema, { description: "Plaintext environment defaults keyed by variable name" })),
 	lifecycle: Type.Optional(LifecycleConfigSchema),
 	callbacks: Type.Optional(CallbackConfigSchema),
 	tools: Type.Optional(ToolsConfigSchema)
@@ -108,11 +117,75 @@ const normalizeDates = (obj) => {
 	if (obj !== null && typeof obj === "object") return Object.fromEntries(Object.entries(obj).map(([k, v]) => [k, normalizeDates(v)]));
 	return obj;
 };
+/** Expand ~ and $ENV_VAR / ${ENV_VAR} in a path string */
+const expandPath = (p) => {
+	return (p.startsWith("~/") || p === "~" ? join(homedir(), p.slice(1)) : p).replace(/\$\{(\w+)\}|\$(\w+)/g, (_, braced, bare) => {
+		const name = braced ?? bare ?? "";
+		return process.env[name] ?? "";
+	});
+};
 /** Find envpkt.toml in the given directory */
 const findConfigPath = (dir) => {
 	const candidate = join(dir, CONFIG_FILENAME$1);
 	return existsSync(candidate) ? Option(candidate) : Option(void 0);
 };
+/**
+* Expand a path template that may contain a single `*` glob segment.
+* Returns all matching paths (or empty array if parent doesn't exist).
+* Non-glob paths return a single-element array if they exist.
+*/
+const expandGlobPath = (expanded) => {
+	if (!expanded.includes("*")) return existsSync(expanded) ? [expanded] : [];
+	const segments = expanded.split("/");
+	const globIdx = segments.findIndex((s) => s.includes("*"));
+	if (globIdx < 0) return [];
+	const parentDir = segments.slice(0, globIdx).join("/");
+	const globSegment = segments[globIdx];
+	const suffix = segments.slice(globIdx + 1).join("/");
+	if (!existsSync(parentDir)) return [];
+	const prefix = globSegment.replace(/\*.*$/, "");
+	return readdirSync(parentDir).filter((entry) => entry.startsWith(prefix)).map((entry) => join(parentDir, entry, suffix)).filter((p) => existsSync(p));
+};
+/** Ordered candidate paths for config discovery beyond CWD */
+const CONFIG_SEARCH_PATHS = [
+	"~/.envpkt/envpkt.toml",
+	"~/OneDrive/.envpkt/envpkt.toml",
+	"~/Library/CloudStorage/OneDrive-Personal/.envpkt/envpkt.toml",
+	"~/Library/CloudStorage/OneDrive-SharedLibraries-*/.envpkt/envpkt.toml",
+	"$WINHOME/OneDrive/.envpkt/envpkt.toml",
+	"$USERPROFILE/OneDrive/.envpkt/envpkt.toml",
+	"$OneDrive/.envpkt/envpkt.toml",
+	"$OneDriveConsumer/.envpkt/envpkt.toml",
+	"$OneDriveCommercial/.envpkt/envpkt.toml",
+	"/mnt/c/Users/$USER/OneDrive/.envpkt/envpkt.toml",
+	"~/Library/Mobile Documents/com~apple~CloudDocs/.envpkt/envpkt.toml",
+	"~/Dropbox/.envpkt/envpkt.toml",
+	"$DROPBOX_PATH/.envpkt/envpkt.toml",
+	"~/Google Drive/My Drive/.envpkt/envpkt.toml",
+	"~/Library/CloudStorage/GoogleDrive-*/.envpkt/envpkt.toml",
+	"$GOOGLE_DRIVE/.envpkt/envpkt.toml",
+	"$WINHOME/.envpkt/envpkt.toml",
+	"$USERPROFILE/.envpkt/envpkt.toml"
+];
+/** Discover config by checking CWD, then ENVPKT_SEARCH_PATH, then built-in candidate paths */
+const discoverConfig = (cwd) => {
+	const cwdCandidate = join(cwd ?? process.cwd(), CONFIG_FILENAME$1);
+	if (existsSync(cwdCandidate)) return Option({
+		path: cwdCandidate,
+		source: "cwd"
+	});
+	const customPaths = process.env.ENVPKT_SEARCH_PATH?.split(":").filter(Boolean) ?? [];
+	for (const template of [...customPaths, ...CONFIG_SEARCH_PATHS]) {
+		const expanded = expandPath(template);
+		if (!expanded || expanded.startsWith("/.envpkt")) continue;
+		const matches = expandGlobPath(expanded);
+		if (matches.length > 0) return Option({
+			path: matches[0],
+			source: "search"
+		});
+	}
+	return Option(void 0);
+};
 /** Read a config file, returning Either<ConfigError, string> */
 const readConfigFile = (path) => {
 	if (!existsSync(path)) return Left({
@@ -124,14 +197,13 @@ const readConfigFile = (path) => {
 		message: String(err)
 	}), (content) => Right(content));
 };
-/** Ensure required fields have defaults for valid configs (e.g. agent configs with catalog may omit meta) */
+/** Ensure required fields have defaults for valid configs (e.g. agent configs with catalog may omit secret) */
 const applyDefaults = (data) => {
 	if (data !== null && typeof data === "object" && !Array.isArray(data)) {
-		const obj = data;
-		if (!("meta" in obj)) return {
-			...obj,
-			meta: {}
-		};
+		const result = { ...data };
+		if (!("secret" in result)) result.secret = {};
+		if (!("env" in result)) result.env = {};
+		return result;
 	}
 	return data;
 };
@@ -150,27 +222,29 @@ const validateConfig = (data) => {
 };
 /** Load and validate an envpkt.toml from a file path */
 const loadConfig = (path) => readConfigFile(path).flatMap(parseToml).flatMap(validateConfig);
-/** Load config from CWD, returning both path and parsed config */
-const loadConfigFromCwd = (cwd) => {
-	const dir = cwd ?? process.cwd();
-	return findConfigPath(dir).fold(() => Left({
-		_tag: "FileNotFound",
-		path: join(dir, CONFIG_FILENAME$1)
-	}), (path) => loadConfig(path).map((config) => ({
-		path,
-		config
-	})));
-};
+/** Load config from CWD or discovery chain, returning path, source, and parsed config */
+const loadConfigFromCwd = (cwd) => discoverConfig(cwd).fold(() => Left({
+	_tag: "FileNotFound",
+	path: join(cwd ?? process.cwd(), CONFIG_FILENAME$1)
+}), ({ path, source }) => loadConfig(path).map((config) => ({
+	path,
+	source,
+	config
+})));
 /**
 * Resolve config path via priority chain:
 * 1. Explicit flag path
 * 2. ENVPKT_CONFIG env var
-* 3. CWD discovery
+* 3. CWD + discovery chain (home dir, cloud storage, custom search paths)
 */
 const resolveConfigPath = (flagPath, envVar, cwd) => {
 	if (flagPath) {
 		const resolved = resolve(flagPath);
-		return existsSync(resolved) ? Right(resolved) : Left({
+		const result = {
+			path: resolved,
+			source: "flag"
+		};
+		return existsSync(resolved) ? Right(result) : Left({
 			_tag: "FileNotFound",
 			path: resolved
 		});
@@ -178,16 +252,22 @@ const resolveConfigPath = (flagPath, envVar, cwd) => {
 	const envPath = envVar ?? process.env[ENV_VAR_CONFIG];
 	if (envPath) {
 		const resolved = resolve(envPath);
-		return existsSync(resolved) ? Right(resolved) : Left({
+		const result = {
+			path: resolved,
+			source: "env"
+		};
+		return existsSync(resolved) ? Right(result) : Left({
 			_tag: "FileNotFound",
 			path: resolved
 		});
 	}
-	const dir = cwd ?? process.cwd();
-	return findConfigPath(dir).fold(() => Left({
+	return discoverConfig(cwd).fold(() => Left({
 		_tag: "FileNotFound",
-		path: join(dir, CONFIG_FILENAME$1)
-	}), (path) => Right(path));
+		path: join(cwd ?? process.cwd(), CONFIG_FILENAME$1)
+	}), ({ path, source }) => Right({
+		path,
+		source
+	}));
 };
 
 //#endregion
@@ -236,13 +316,14 @@ const resolveConfig = (agentConfig, agentConfigDir) => {
 	});
 	const catalogPath = resolve(agentConfigDir, agentConfig.catalog);
 	const agentSecrets = agentConfig.agent.secrets;
-	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentConfig.meta, catalogConfig.meta, agentSecrets, catalogPath).map((resolvedMeta) => {
+	const agentSecretEntries = agentConfig.secret ?? {};
+	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentSecretEntries, catalogConfig.secret ?? {}, agentSecrets, catalogPath).map((resolvedMeta) => {
 		const merged = [];
 		const overridden = [];
 		const warnings = [];
 		for (const key of agentSecrets) {
 			merged.push(key);
-			if (agentConfig.meta[key]) overridden.push(key);
+			if (agentSecretEntries[key]) overridden.push(key);
 		}
 		const { catalog: _catalog, ...agentWithoutCatalog } = agentConfig;
 		const agentIdentity = agentConfig.agent ? (() => {
@@ -256,7 +337,7 @@ const resolveConfig = (agentConfig, agentConfigDir) => {
 					...agentIdentity,
 					name: agentIdentity.name
 				} : void 0,
-				meta: resolvedMeta
+				secret: resolvedMeta
 			},
 			catalogPath,
 			merged,
@@ -309,7 +390,8 @@ const formatPacket = (result, options) => {
 		if (config.agent.expires) agentLines.push(`  expires: ${config.agent.expires}`);
 		if (agentLines.length > 0) sections.push(agentLines.join("\n"));
 	}
-	const metaEntries = Object.entries(config.meta);
+	const secretConfig = config.secret ?? {};
+	const metaEntries = Object.entries(secretConfig);
 	const secretHeader = `secrets: ${metaEntries.length}`;
 	const secretLines = metaEntries.map(([key, meta]) => {
 		const service = meta.service ?? key;
@@ -344,7 +426,7 @@ const MS_PER_DAY = 864e5;
 const WARN_BEFORE_DAYS = 30;
 const daysBetween = (from, to) => Math.floor((to.getTime() - from.getTime()) / MS_PER_DAY);
 const parseDate = (dateStr) => {
-	const d = /* @__PURE__ */ new Date(dateStr + "T00:00:00Z");
+	const d = /* @__PURE__ */ new Date(`${dateStr}T00:00:00Z`);
 	return Number.isNaN(d.getTime()) ? Option(void 0) : Option(d);
 };
 const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration, requireService, today) => {
@@ -389,8 +471,9 @@ const computeAudit = (config, fnoxKeys, today) => {
 	const requireExpiration = lifecycle.require_expiration ?? false;
 	const requireService = lifecycle.require_service ?? false;
 	const keys = fnoxKeys ?? /* @__PURE__ */ new Set();
-	const metaKeys = new Set(Object.keys(config.meta));
-	const secrets = List(Object.entries(config.meta).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
+	const secretEntries = config.secret ?? {};
+	const metaKeys = new Set(Object.keys(secretEntries));
+	const secrets = List(Object.entries(secretEntries).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
 	const orphaned = keys.size > 0 ? [...metaKeys].filter((k) => !keys.has(k)).length : 0;
 	const total = secrets.size;
 	const expired = secrets.count((s) => s.status === "expired");
@@ -413,6 +496,28 @@ const computeAudit = (config, fnoxKeys, today) => {
 		agent: config.agent
 	};
 };
+const computeEnvAudit = (config, env = process.env) => {
+	const envEntries = config.env ?? {};
+	const entries = [];
+	for (const [key, entry] of Object.entries(envEntries)) {
+		const currentValue = env[key];
+		const status = Cond.of().when(currentValue === void 0, "missing").elseWhen(currentValue !== entry.value, "overridden").else("default");
+		entries.push({
+			key,
+			defaultValue: entry.value,
+			currentValue,
+			status,
+			purpose: entry.purpose
+		});
+	}
+	return {
+		entries,
+		total: entries.length,
+		defaults_applied: entries.filter((e) => e.status === "default").length,
+		overridden: entries.filter((e) => e.status === "overridden").length,
+		missing: entries.filter((e) => e.status === "missing").length
+	};
+};
 
 //#endregion
 //#region src/core/patterns.ts
@@ -1045,7 +1150,7 @@ const matchValueShape = (value) => {
 };
 /** Strip common suffixes and derive a service name from an env var name */
 const deriveServiceFromName = (name) => {
-	const suffixes = [
+	const matchedSuffix = [
 		"_API_KEY",
 		"_SECRET_KEY",
 		"_ACCESS_KEY",
@@ -1063,13 +1168,8 @@ const deriveServiceFromName = (name) => {
 		"_DSN",
 		"_URL",
 		"_URI"
-	];
-	let stripped = name;
-	for (const suffix of suffixes) if (stripped.endsWith(suffix)) {
-		stripped = stripped.slice(0, -suffix.length);
-		break;
-	}
-	return stripped.toLowerCase().replace(/_/g, "-");
+	].find((s) => name.endsWith(s));
+	return (matchedSuffix ? name.slice(0, -matchedSuffix.length) : name).toLowerCase().replace(/_/g, "-");
 };
 /** Match a single env var against all patterns */
 const matchEnvVar = (name, value) => {
@@ -1139,10 +1239,11 @@ const envScan = (env, options) => {
 /** Bidirectional drift detection between config and live environment */
 const envCheck = (config, env) => {
 	const entries = [];
-	const metaKeys = Object.keys(config.meta);
+	const secretEntries = config.secret ?? {};
+	const metaKeys = Object.keys(secretEntries);
 	const trackedSet = new Set(metaKeys);
 	for (const key of metaKeys) {
-		const meta = config.meta[key];
+		const meta = secretEntries[key];
 		const present = env[key] !== void 0 && env[key] !== "";
 		entries.push({
 			envVar: key,
@@ -1151,6 +1252,17 @@ const envCheck = (config, env) => {
 			confidence: Option(void 0)
 		});
 	}
+	const envDefaults = config.env ?? {};
+	for (const key of Object.keys(envDefaults)) if (!trackedSet.has(key)) {
+		trackedSet.add(key);
+		const present = env[key] !== void 0 && env[key] !== "";
+		entries.push({
+			envVar: key,
+			service: Option(void 0),
+			status: present ? "tracked" : "missing_from_env",
+			confidence: Option(void 0)
+		});
+	}
 	const envMatches = scanEnv(env);
 	for (const match of envMatches) if (!trackedSet.has(match.envVar)) entries.push({
 		envVar: match.envVar,
@@ -1170,12 +1282,12 @@ const envCheck = (config, env) => {
 	};
 };
 const todayIso = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-/** Generate TOML [meta.*] blocks from scan results, mirroring init.ts pattern */
+/** Generate TOML [secret.*] blocks from scan results, mirroring init.ts pattern */
 const generateTomlFromScan = (matches) => {
 	const blocks = [];
 	for (const match of matches) {
 		const svc = match.service.fold(() => match.envVar.toLowerCase().replace(/_/g, "-"), (s) => s);
-		blocks.push(`[meta.${match.envVar}]
+		blocks.push(`[secret.${match.envVar}]
 service = "${svc}"
 # purpose = ""               # Why: what this secret enables
 # capabilities = []          # What operations this grants
@@ -1410,17 +1522,18 @@ const unsealSecrets = (meta, identityPath) => {
 
 //#endregion
 //#region src/core/boot.ts
-const resolveAndLoad = (opts) => resolveConfigPath(opts.configPath).fold((err) => Left(err), (configPath) => loadConfig(configPath).fold((err) => Left(err), (config) => {
+const resolveAndLoad = (opts) => resolveConfigPath(opts.configPath).fold((err) => Left(err), ({ path: configPath, source: configSource }) => loadConfig(configPath).fold((err) => Left(err), (config) => {
 	const configDir = dirname(configPath);
 	return resolveConfig(config, configDir).fold((err) => Left(err), (result) => Right({
 		config: result.config,
 		configPath,
-		configDir
+		configDir,
+		configSource
 	}));
 }));
 const resolveAgentKey = (config, configDir) => {
 	if (!config.agent?.identity) return Right(void 0);
-	return unwrapAgentKey(resolve(configDir, config.agent.identity)).fold((err) => Left(err), (key) => Right(key));
+	return unwrapAgentKey(resolve(configDir, expandPath(config.agent.identity))).fold((err) => Left(err), (key) => Right(key));
 };
 const detectFnoxKeys = (configDir) => detectFnox(configDir).fold(() => /* @__PURE__ */ new Set(), (fnoxPath) => readFnoxConfig(fnoxPath).fold(() => /* @__PURE__ */ new Set(), (fnoxConfig) => extractFnoxKeys(fnoxConfig)));
 const checkExpiration = (audit, failOnExpired, warnOnly) => {
@@ -1433,15 +1546,36 @@ const checkExpiration = (audit, failOnExpired, warnOnly) => {
 	if (audit.expired > 0 && warnOnly) warnings.push(`${audit.expired} secret(s) have expired (warn-only mode)`);
 	return Right(warnings);
 };
+const SECRET_PATTERNS = [
+	/^sk-/,
+	/^ghp_/,
+	/^ghu_/,
+	/^AKIA[0-9A-Z]{16}/,
+	/^xox[bpras]-/,
+	/:\/\/[^:]+:[^@]+@/,
+	/^ey[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}/
+];
+const looksLikeSecret = (value) => {
+	if (SECRET_PATTERNS.some((p) => p.test(value))) return true;
+	if (value.length > 40 && /^[A-Za-z0-9+/=]+$/.test(value)) return true;
+	return false;
+};
+const checkEnvMisclassification = (config) => {
+	const warnings = [];
+	const envEntries = config.env ?? {};
+	for (const [key, entry] of Object.entries(envEntries)) if (looksLikeSecret(entry.value)) warnings.push(`[env.${key}] value looks like a secret — consider moving to [secret.${key}]`);
+	return warnings;
+};
 /** Programmatic boot — returns Either<BootError, BootResult> */
 const bootSafe = (options) => {
 	const opts = options ?? {};
 	const inject = opts.inject !== false;
 	const failOnExpired = opts.failOnExpired !== false;
 	const warnOnly = opts.warnOnly ?? false;
-	return resolveAndLoad(opts).flatMap(({ config, configDir }) => {
-		const metaKeys = Object.keys(config.meta);
-		const hasSealedValues = metaKeys.some((k) => !!config.meta[k]?.encrypted_value);
+	return resolveAndLoad(opts).flatMap(({ config, configPath, configDir, configSource }) => {
+		const secretEntries = config.secret ?? {};
+		const metaKeys = Object.keys(secretEntries);
+		const hasSealedValues = metaKeys.some((k) => !!secretEntries[k]?.encrypted_value);
 		const agentKeyResult = resolveAgentKey(config, configDir);
 		const agentKey = agentKeyResult.fold(() => void 0, (k) => k);
 		const agentKeyError = agentKeyResult.fold((err) => err, () => void 0);
@@ -1451,19 +1585,24 @@ const bootSafe = (options) => {
 			const secrets = {};
 			const injected = [];
 			const skipped = [];
+			warnings.push(...checkEnvMisclassification(config));
+			const envEntries = config.env ?? {};
+			const envDefaults = {};
+			const overridden = [];
+			for (const [key, entry] of Object.entries(envEntries)) if (process.env[key] === void 0) {
+				envDefaults[key] = entry.value;
+				if (inject) process.env[key] = entry.value;
+			} else overridden.push(key);
 			const sealedKeys = /* @__PURE__ */ new Set();
-			if (hasSealedValues && config.agent?.identity) {
-				const identityPath = resolve(configDir, config.agent.identity);
-				unsealSecrets(config.meta, identityPath).fold((err) => {
-					warnings.push(`Sealed value decryption failed: ${err.message}`);
-				}, (unsealed) => {
-					for (const [key, value] of Object.entries(unsealed)) {
-						secrets[key] = value;
-						injected.push(key);
-						sealedKeys.add(key);
-					}
-				});
-			}
+			if (hasSealedValues && config.agent?.identity) unsealSecrets(secretEntries, resolve(configDir, expandPath(config.agent.identity))).fold((err) => {
+				warnings.push(`Sealed value decryption failed: ${err.message}`);
+			}, (unsealed) => {
+				for (const [key, value] of Object.entries(unsealed)) {
+					secrets[key] = value;
+					injected.push(key);
+					sealedKeys.add(key);
+				}
+			});
 			const remainingKeys = metaKeys.filter((k) => !sealedKeys.has(k));
 			if (remainingKeys.length > 0) if (fnoxAvailable()) fnoxExport(opts.profile, agentKey).fold((err) => {
 				warnings.push(`fnox export failed: ${err.message}`);
@@ -1484,7 +1623,11 @@ const bootSafe = (options) => {
 				injected,
 				skipped,
 				secrets,
-				warnings
+				warnings,
+				envDefaults,
+				overridden,
+				configPath,
+				configSource
 			};
 		});
 	});
@@ -1592,10 +1735,7 @@ function* findEnvpktFiles(dir, maxDepth, currentDepth = 0) {
 	const configPath = join(dir, CONFIG_FILENAME);
 	if (Try(() => statSync(configPath).isFile()).fold(() => false, (v) => v)) yield configPath;
 	if (currentDepth >= maxDepth) return;
-	let entries = [];
-	Try(() => readdirSync(dir, { withFileTypes: true })).fold(() => {}, (e) => {
-		entries = e;
-	});
+	const entries = Try(() => readdirSync(dir, { withFileTypes: true })).fold(() => [], (e) => e);
 	for (const entry of entries) if (entry.isDirectory() && !SKIP_DIRS.has(entry.name) && !entry.name.startsWith(".")) yield* findEnvpktFiles(join(dir, entry.name), maxDepth, currentDepth + 1);
 }
 const scanFleet = (rootDir, options) => {
@@ -1640,7 +1780,7 @@ const compareFnoxAndEnvpkt = (fnoxKeys, envpktKeys) => {
 //#endregion
 //#region src/mcp/resources.ts
 const loadConfigSafe = () => {
-	return resolveConfigPath().fold(() => void 0, (path) => loadConfig(path).fold(() => void 0, (config) => ({
+	return resolveConfigPath().fold(() => void 0, ({ path }) => loadConfig(path).fold(() => void 0, (config) => ({
 		config,
 		path
 	})));
@@ -1690,7 +1830,8 @@ const readCapabilities = () => {
 	const { config } = loaded;
 	const agentCapabilities = config.agent?.capabilities ?? [];
 	const secretCapabilities = {};
-	for (const [key, meta] of Object.entries(config.meta)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	const secretEntries = config.secret ?? {};
+	for (const [key, meta] of Object.entries(secretEntries)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
 	return { contents: [{
 		uri: "envpkt://capabilities",
 		mimeType: "application/json",
@@ -1731,7 +1872,7 @@ const loadConfigForTool = (configPath) => {
 	return resolveConfigPath(configPath).fold((err) => ({
 		ok: false,
 		result: errorResult(`Config error: ${err._tag} — ${err._tag === "FileNotFound" ? err.path : ""}`)
-	}), (path) => loadConfig(path).fold((err) => ({
+	}), ({ path }) => loadConfig(path).fold((err) => ({
 		ok: false,
 		result: errorResult(`Config error: ${err._tag} — ${err._tag === "ValidationError" ? err.errors.toArray().join(", ") : ""}`)
 	}), (config) => ({
@@ -1798,6 +1939,17 @@ const toolDefinitions = [
 			},
 			required: ["key"]
 		}
+	},
+	{
+		name: "getEnvMeta",
+		description: "Get metadata for environment defaults — returns configured default values, purposes, and current drift status",
+		inputSchema: {
+			type: "object",
+			properties: { configPath: {
+				type: "string",
+				description: "Optional path to envpkt.toml"
+			} }
+		}
 	}
 ];
 const handleGetPacketHealth = (args) => {
@@ -1831,7 +1983,8 @@ const handleListCapabilities = (args) => {
 	const { config } = loaded;
 	const agentCapabilities = config.agent?.capabilities ?? [];
 	const secretCapabilities = {};
-	for (const [key, meta] of Object.entries(config.meta)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	const secretEntries = config.secret ?? {};
+	for (const [key, meta] of Object.entries(secretEntries)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
 	return textResult(JSON.stringify({
 		agent: config.agent ? {
 			name: config.agent.name,
@@ -1839,7 +1992,8 @@ const handleListCapabilities = (args) => {
 			description: config.agent.description,
 			capabilities: agentCapabilities
 		} : null,
-		secrets: secretCapabilities
+		secrets: secretCapabilities,
+		env_defaults: Object.keys(config.env ?? {}).length
 	}, null, 2));
 };
 const handleGetSecretMeta = (args) => {
@@ -1848,11 +2002,12 @@ const handleGetSecretMeta = (args) => {
 	const loaded = loadConfigForTool(args.configPath);
 	if (!loaded.ok) return loaded.result;
 	const { config } = loaded;
-	const meta = config.meta[key];
+	const meta = (config.secret ?? {})[key];
 	if (!meta) return errorResult(`Secret not found: ${key}`);
+	const { encrypted_value: _, ...safeMeta } = meta;
 	return textResult(JSON.stringify({
 		key,
-		...meta
+		...safeMeta
 	}, null, 2));
 };
 const handleCheckExpiration = (args) => {
@@ -1871,11 +2026,19 @@ const handleCheckExpiration = (args) => {
 		issues: s.issues.toArray()
 	}, null, 2)));
 };
+const handleGetEnvMeta = (args) => {
+	const loaded = loadConfigForTool(args.configPath);
+	if (!loaded.ok) return loaded.result;
+	const { config } = loaded;
+	const envAudit = computeEnvAudit(config);
+	return textResult(JSON.stringify(envAudit, null, 2));
+};
 const handlers = {
 	getPacketHealth: handleGetPacketHealth,
 	listCapabilities: handleListCapabilities,
 	getSecretMeta: handleGetSecretMeta,
-	checkExpiration: handleCheckExpiration
+	checkExpiration: handleCheckExpiration,
+	getEnvMeta: handleGetEnvMeta
 };
 const callTool = (name, args) => {
 	const handler = handlers[name];
@@ -1896,17 +2059,17 @@ const createServer = () => {
 		},
 		instructions: "envpkt provides credential lifecycle awareness for AI agents. Use tools to check health, capabilities, and secret metadata. No secret values are ever exposed."
 	});
-	server.setRequestHandler(ListToolsRequestSchema, async () => ({ tools: toolDefinitions.map((t) => ({
+	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: toolDefinitions.map((t) => ({
 		name: t.name,
 		description: t.description,
 		inputSchema: t.inputSchema
 	})) }));
-	server.setRequestHandler(CallToolRequestSchema, async (request) => {
+	server.setRequestHandler(CallToolRequestSchema, (request) => {
 		const { name, arguments: args } = request.params;
 		return callTool(name, args ?? {});
 	});
-	server.setRequestHandler(ListResourcesRequestSchema, async () => ({ resources: [...resourceDefinitions] }));
-	server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+	server.setRequestHandler(ListResourcesRequestSchema, () => ({ resources: [...resourceDefinitions] }));
+	server.setRequestHandler(ReadResourceRequestSchema, (request) => {
 		const { uri } = request.params;
 		const result = readResource(uri);
 		if (!result) return { contents: [{
@@ -1925,4 +2088,4 @@ const startServer = async () => {
 };
 
 //#endregion
-export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvpktBootError, EnvpktConfigSchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, createServer, deriveServiceFromName, detectFnox, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, resolveConfig, resolveConfigPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, validateConfig };
+export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, resolveConfig, resolveConfigPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, validateConfig };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.2.0",
+  "version": "0.4.1",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",