envpkt 0.6.1 → 0.6.3

package/dist/cli.js

@@ -3,8 +3,8 @@ import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync,
 import { dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { Command } from "commander";
-import { Cond, Left, List, Option, Right, Try } from "functype";
 import { TypeCompiler } from "@sinclair/typebox/compiler";
+import { Cond, Left, List, Option, Right, Try } from "functype";
 import { Env, Fs, Path } from "functype-os";
 import { TomlDate, parse, stringify } from "smol-toml";
 import { FormatRegistry, Type } from "@sinclair/typebox";
@@ -15,109 +15,10 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { CallToolRequestSchema, ListResourcesRequestSchema, ListToolsRequestSchema, ReadResourceRequestSchema } from "@modelcontextprotocol/sdk/types.js";
 import { createInterface } from "node:readline";
 
-//#region src/core/audit.ts
-const MS_PER_DAY = 864e5;
-const WARN_BEFORE_DAYS = 30;
-const daysBetween = (from, to) => Math.floor((to.getTime() - from.getTime()) / MS_PER_DAY);
-const parseDate = (dateStr) => {
-	const d = /* @__PURE__ */ new Date(`${dateStr}T00:00:00Z`);
-	return Number.isNaN(d.getTime()) ? Option(void 0) : Option(d);
-};
-const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration, requireService, today) => {
-	const issues = [];
-	const created = Option(meta?.created).flatMap(parseDate);
-	const expires = Option(meta?.expires).flatMap(parseDate);
-	const rotationUrl = Option(meta?.rotation_url);
-	const purpose = Option(meta?.purpose);
-	const service = Option(meta?.service);
-	const daysRemaining = expires.map((exp) => daysBetween(today, exp));
-	const daysSinceCreated = created.map((c) => daysBetween(c, today));
-	const isExpired = daysRemaining.fold(() => false, (d) => d < 0);
-	const isExpiringSoon = daysRemaining.fold(() => false, (d) => d >= 0 && d <= WARN_BEFORE_DAYS);
-	const isStale = daysSinceCreated.fold(() => false, (d) => d > staleWarningDays);
-	const hasSealed = !!meta?.encrypted_value;
-	const isMissing = fnoxKeys.size > 0 && !fnoxKeys.has(key) && !hasSealed;
-	const isMissingMetadata = requireExpiration && expires.isNone() || requireService && service.isNone();
-	if (isExpired) issues.push("Secret has expired");
-	if (isExpiringSoon) issues.push(`Expires in ${daysRemaining.fold(() => "?", (d) => String(d))} days`);
-	if (isStale) issues.push("Secret is stale (no rotation detected)");
-	if (isMissing) issues.push("Key not found in fnox");
-	if (isMissingMetadata) {
-		if (requireExpiration && expires.isNone()) issues.push("Missing required expiration date");
-		if (requireService && service.isNone()) issues.push("Missing required service");
-	}
-	return {
-		key,
-		service,
-		status: Cond.of().when(isExpired, "expired").elseWhen(isMissing, "missing").elseWhen(isMissingMetadata, "missing_metadata").elseWhen(isExpiringSoon, "expiring_soon").elseWhen(isStale, "stale").else("healthy"),
-		days_remaining: daysRemaining,
-		rotation_url: rotationUrl,
-		purpose,
-		created: Option(meta?.created),
-		expires: Option(meta?.expires),
-		issues: List(issues)
-	};
-};
-const computeAudit = (config, fnoxKeys, today) => {
-	const now = today ?? /* @__PURE__ */ new Date();
-	const lifecycle = config.lifecycle ?? {};
-	const staleWarningDays = lifecycle.stale_warning_days ?? 90;
-	const requireExpiration = lifecycle.require_expiration ?? false;
-	const requireService = lifecycle.require_service ?? false;
-	const keys = fnoxKeys ?? /* @__PURE__ */ new Set();
-	const secretEntries = config.secret ?? {};
-	const metaKeys = new Set(Object.keys(secretEntries));
-	const secrets = List(Object.entries(secretEntries).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
-	const orphaned = keys.size > 0 ? [...metaKeys].filter((k) => !keys.has(k)).length : 0;
-	const total = secrets.size;
-	const expired = secrets.count((s) => s.status === "expired");
-	const missing = secrets.count((s) => s.status === "missing");
-	const missing_metadata = secrets.count((s) => s.status === "missing_metadata");
-	const expiring_soon = secrets.count((s) => s.status === "expiring_soon");
-	const stale = secrets.count((s) => s.status === "stale");
-	const healthy = secrets.count((s) => s.status === "healthy");
-	return {
-		status: Cond.of().when(expired > 0 || missing > 0, "critical").elseWhen(expiring_soon > 0 || stale > 0 || missing_metadata > 0, "degraded").else("healthy"),
-		secrets,
-		total,
-		healthy,
-		expiring_soon,
-		expired,
-		stale,
-		missing,
-		missing_metadata,
-		orphaned,
-		identity: config.identity
-	};
-};
-const computeEnvAudit = (config, env = process.env) => {
-	const envEntries = config.env ?? {};
-	const entries = [];
-	for (const [key, entry] of Object.entries(envEntries)) {
-		const currentValue = env[key];
-		const status = Cond.of().when(currentValue === void 0, "missing").elseWhen(currentValue !== entry.value, "overridden").else("default");
-		entries.push({
-			key,
-			defaultValue: entry.value,
-			currentValue,
-			status,
-			purpose: entry.purpose
-		});
-	}
-	return {
-		entries,
-		total: entries.length,
-		defaults_applied: entries.filter((e) => e.status === "default").length,
-		overridden: entries.filter((e) => e.status === "overridden").length,
-		missing: entries.filter((e) => e.status === "missing").length
-	};
-};
-
-//#endregion
 //#region src/core/schema.ts
-const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
+const DATE_RE$1 = /^\d{4}-\d{2}-\d{2}$/;
 const URI_RE = /^https?:\/\/.+/;
-if (!FormatRegistry.Has("date")) FormatRegistry.Set("date", (v) => DATE_RE.test(v));
+if (!FormatRegistry.Has("date")) FormatRegistry.Set("date", (v) => DATE_RE$1.test(v));
 if (!FormatRegistry.Has("uri")) FormatRegistry.Set("uri", (v) => URI_RE.test(v));
 const ConsumerType = Type.Union([
 	Type.Literal("agent"),
@@ -359,83 +260,6 @@ const resolveConfigPath = (flagPath, envVar, cwd) => {
 	}));
 };
 
-//#endregion
-//#region src/core/catalog.ts
-/** Load and validate a catalog file, mapping ConfigError → CatalogError */
-const loadCatalog = (catalogPath) => loadConfig(catalogPath).fold((err) => {
-	if (err._tag === "FileNotFound") return Left({
-		_tag: "CatalogNotFound",
-		path: err.path
-	});
-	return Left({
-		_tag: "CatalogLoadError",
-		message: `${err._tag}: ${"message" in err ? err.message : String(err)}`
-	});
-}, (config) => Right(config));
-/** Resolve secrets by merging catalog meta with agent overrides (shallow merge) */
-const resolveSecrets = (agentMeta, catalogMeta, agentSecrets, catalogPath) => {
-	const resolved = {};
-	for (const key of agentSecrets) {
-		const catalogEntry = catalogMeta[key];
-		if (!catalogEntry) return Left({
-			_tag: "SecretNotInCatalog",
-			key,
-			catalogPath
-		});
-		const agentOverride = agentMeta[key];
-		if (agentOverride) resolved[key] = {
-			...catalogEntry,
-			...agentOverride
-		};
-		else resolved[key] = catalogEntry;
-	}
-	return Right(resolved);
-};
-/** Resolve an agent config against its catalog (if any), producing a flat self-contained config */
-const resolveConfig = (agentConfig, agentConfigDir) => {
-	if (!agentConfig.catalog) return Right({
-		config: agentConfig,
-		merged: [],
-		overridden: [],
-		warnings: []
-	});
-	if (!agentConfig.identity?.secrets || agentConfig.identity.secrets.length === 0) return Left({
-		_tag: "MissingSecretsList",
-		message: "Config has 'catalog' but identity.secrets is missing — declare which catalog secrets this agent needs"
-	});
-	const catalogPath = resolve(agentConfigDir, agentConfig.catalog);
-	const agentSecrets = agentConfig.identity.secrets;
-	const agentSecretEntries = agentConfig.secret ?? {};
-	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentSecretEntries, catalogConfig.secret ?? {}, agentSecrets, catalogPath).map((resolvedMeta) => {
-		const merged = [];
-		const overridden = [];
-		const warnings = [];
-		for (const key of agentSecrets) {
-			merged.push(key);
-			if (agentSecretEntries[key]) overridden.push(key);
-		}
-		const { catalog: _catalog, ...agentWithoutCatalog } = agentConfig;
-		const identityData = agentConfig.identity ? (() => {
-			const { secrets: _secrets, ...rest } = agentConfig.identity;
-			return rest;
-		})() : void 0;
-		return {
-			config: {
-				...agentWithoutCatalog,
-				identity: identityData ? {
-					...identityData,
-					name: identityData.name
-				} : void 0,
-				secret: resolvedMeta
-			},
-			catalogPath,
-			merged,
-			overridden,
-			warnings
-		};
-	}));
-};
-
 //#endregion
 //#region src/cli/output.ts
 const RESET = "\x1B[0m";
@@ -643,6 +467,285 @@ const formatConfigSource = (path, source) => {
 	return `${DIM}envpkt: loaded ${path}${RESET}`;
 };
 
+//#endregion
+//#region src/cli/commands/add.ts
+const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
+const buildSecretBlock = (name, options) => {
+	const lines = [`[secret.${name}]`];
+	const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+	if (options.service) lines.push(`service = "${options.service}"`);
+	if (options.purpose) lines.push(`purpose = "${options.purpose}"`);
+	if (options.comment) lines.push(`comment = "${options.comment}"`);
+	lines.push(`created = "${today}"`);
+	if (options.expires) lines.push(`expires = "${options.expires}"`);
+	if (options.rotates) lines.push(`rotates = "${options.rotates}"`);
+	if (options.rateLimit) lines.push(`rate_limit = "${options.rateLimit}"`);
+	if (options.modelHint) lines.push(`model_hint = "${options.modelHint}"`);
+	if (options.source) lines.push(`source = "${options.source}"`);
+	if (options.rotationUrl) lines.push(`rotation_url = "${options.rotationUrl}"`);
+	if (options.required) lines.push(`required = true`);
+	if (options.capabilities) {
+		const caps = options.capabilities.split(",").map((c) => `"${c.trim()}"`).join(", ");
+		lines.push(`capabilities = [${caps}]`);
+	}
+	if (options.tags) {
+		const pairs = options.tags.split(",").map((pair) => {
+			const [k, v] = pair.split("=").map((s) => s.trim());
+			return `${k} = "${v}"`;
+		});
+		lines.push(`tags = { ${pairs.join(", ")} }`);
+	}
+	return `${lines.join("\n")}\n`;
+};
+const runAdd = (name, options) => {
+	if (options.expires && !DATE_RE.test(options.expires)) {
+		console.error(`${RED}Error:${RESET} Invalid date format for --expires: "${options.expires}" (expected YYYY-MM-DD)`);
+		process.exit(1);
+	}
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, ({ path: configPath, source }) => {
+		const sourceMsg = formatConfigSource(configPath, source);
+		if (sourceMsg) console.error(sourceMsg);
+		loadConfig(configPath).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			if (config.secret?.[name]) {
+				console.error(`${RED}Error:${RESET} Secret "${name}" already exists in ${configPath}`);
+				process.exit(1);
+			}
+			const block = buildSecretBlock(name, options);
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				console.log(block);
+				return;
+			}
+			writeFileSync(configPath, `${readFileSync(configPath, "utf-8").trimEnd()}\n\n${block}`, "utf-8");
+			console.log(`${GREEN}✓${RESET} Added ${BOLD}${name}${RESET} to ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
+
+//#endregion
+//#region src/cli/commands/add-env.ts
+const buildEnvBlock = (name, value, options) => {
+	const lines = [`[env.${name}]`, `value = "${value}"`];
+	if (options.purpose) lines.push(`purpose = "${options.purpose}"`);
+	if (options.comment) lines.push(`comment = "${options.comment}"`);
+	if (options.tags) {
+		const pairs = options.tags.split(",").map((pair) => {
+			const [k, v] = pair.split("=").map((s) => s.trim());
+			return `${k} = "${v}"`;
+		});
+		lines.push(`tags = { ${pairs.join(", ")} }`);
+	}
+	return `${lines.join("\n")}\n`;
+};
+const runAddEnv = (name, value, options) => {
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, ({ path: configPath, source }) => {
+		const sourceMsg = formatConfigSource(configPath, source);
+		if (sourceMsg) console.error(sourceMsg);
+		loadConfig(configPath).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			if (config.env?.[name]) {
+				console.error(`${RED}Error:${RESET} Env entry "${name}" already exists in ${configPath}`);
+				process.exit(1);
+			}
+			const block = buildEnvBlock(name, value, options);
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				console.log(block);
+				return;
+			}
+			writeFileSync(configPath, `${readFileSync(configPath, "utf-8").trimEnd()}\n\n${block}`, "utf-8");
+			console.log(`${GREEN}✓${RESET} Added ${BOLD}${name}${RESET} to ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
+
+//#endregion
+//#region src/core/audit.ts
+const MS_PER_DAY = 864e5;
+const WARN_BEFORE_DAYS = 30;
+const daysBetween = (from, to) => Math.floor((to.getTime() - from.getTime()) / MS_PER_DAY);
+const parseDate = (dateStr) => {
+	const d = /* @__PURE__ */ new Date(`${dateStr}T00:00:00Z`);
+	return Number.isNaN(d.getTime()) ? Option(void 0) : Option(d);
+};
+const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration, requireService, today) => {
+	const issues = [];
+	const created = Option(meta?.created).flatMap(parseDate);
+	const expires = Option(meta?.expires).flatMap(parseDate);
+	const rotationUrl = Option(meta?.rotation_url);
+	const purpose = Option(meta?.purpose);
+	const service = Option(meta?.service);
+	const daysRemaining = expires.map((exp) => daysBetween(today, exp));
+	const daysSinceCreated = created.map((c) => daysBetween(c, today));
+	const isExpired = daysRemaining.fold(() => false, (d) => d < 0);
+	const isExpiringSoon = daysRemaining.fold(() => false, (d) => d >= 0 && d <= WARN_BEFORE_DAYS);
+	const isStale = daysSinceCreated.fold(() => false, (d) => d > staleWarningDays);
+	const hasSealed = !!meta?.encrypted_value;
+	const isMissing = fnoxKeys.size > 0 && !fnoxKeys.has(key) && !hasSealed;
+	const isMissingMetadata = requireExpiration && expires.isNone() || requireService && service.isNone();
+	if (isExpired) issues.push("Secret has expired");
+	if (isExpiringSoon) issues.push(`Expires in ${daysRemaining.fold(() => "?", (d) => String(d))} days`);
+	if (isStale) issues.push("Secret is stale (no rotation detected)");
+	if (isMissing) issues.push("Key not found in fnox");
+	if (isMissingMetadata) {
+		if (requireExpiration && expires.isNone()) issues.push("Missing required expiration date");
+		if (requireService && service.isNone()) issues.push("Missing required service");
+	}
+	return {
+		key,
+		service,
+		status: Cond.of().when(isExpired, "expired").elseWhen(isMissing, "missing").elseWhen(isMissingMetadata, "missing_metadata").elseWhen(isExpiringSoon, "expiring_soon").elseWhen(isStale, "stale").else("healthy"),
+		days_remaining: daysRemaining,
+		rotation_url: rotationUrl,
+		purpose,
+		created: Option(meta?.created),
+		expires: Option(meta?.expires),
+		issues: List(issues)
+	};
+};
+const computeAudit = (config, fnoxKeys, today) => {
+	const now = today ?? /* @__PURE__ */ new Date();
+	const lifecycle = config.lifecycle ?? {};
+	const staleWarningDays = lifecycle.stale_warning_days ?? 90;
+	const requireExpiration = lifecycle.require_expiration ?? false;
+	const requireService = lifecycle.require_service ?? false;
+	const keys = fnoxKeys ?? /* @__PURE__ */ new Set();
+	const secretEntries = config.secret ?? {};
+	const metaKeys = new Set(Object.keys(secretEntries));
+	const secrets = List(Object.entries(secretEntries).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
+	const orphaned = keys.size > 0 ? [...metaKeys].filter((k) => !keys.has(k)).length : 0;
+	const total = secrets.size;
+	const expired = secrets.count((s) => s.status === "expired");
+	const missing = secrets.count((s) => s.status === "missing");
+	const missing_metadata = secrets.count((s) => s.status === "missing_metadata");
+	const expiring_soon = secrets.count((s) => s.status === "expiring_soon");
+	const stale = secrets.count((s) => s.status === "stale");
+	const healthy = secrets.count((s) => s.status === "healthy");
+	return {
+		status: Cond.of().when(expired > 0 || missing > 0, "critical").elseWhen(expiring_soon > 0 || stale > 0 || missing_metadata > 0, "degraded").else("healthy"),
+		secrets,
+		total,
+		healthy,
+		expiring_soon,
+		expired,
+		stale,
+		missing,
+		missing_metadata,
+		orphaned,
+		identity: config.identity
+	};
+};
+const computeEnvAudit = (config, env = process.env) => {
+	const envEntries = config.env ?? {};
+	const entries = [];
+	for (const [key, entry] of Object.entries(envEntries)) {
+		const currentValue = env[key];
+		const status = Cond.of().when(currentValue === void 0, "missing").elseWhen(currentValue !== entry.value, "overridden").else("default");
+		entries.push({
+			key,
+			defaultValue: entry.value,
+			currentValue,
+			status,
+			purpose: entry.purpose
+		});
+	}
+	return {
+		entries,
+		total: entries.length,
+		defaults_applied: entries.filter((e) => e.status === "default").length,
+		overridden: entries.filter((e) => e.status === "overridden").length,
+		missing: entries.filter((e) => e.status === "missing").length
+	};
+};
+
+//#endregion
+//#region src/core/catalog.ts
+/** Load and validate a catalog file, mapping ConfigError → CatalogError */
+const loadCatalog = (catalogPath) => loadConfig(catalogPath).fold((err) => {
+	if (err._tag === "FileNotFound") return Left({
+		_tag: "CatalogNotFound",
+		path: err.path
+	});
+	return Left({
+		_tag: "CatalogLoadError",
+		message: `${err._tag}: ${"message" in err ? err.message : String(err)}`
+	});
+}, (config) => Right(config));
+/** Resolve secrets by merging catalog meta with agent overrides (shallow merge) */
+const resolveSecrets = (agentMeta, catalogMeta, agentSecrets, catalogPath) => {
+	const resolved = {};
+	for (const key of agentSecrets) {
+		const catalogEntry = catalogMeta[key];
+		if (!catalogEntry) return Left({
+			_tag: "SecretNotInCatalog",
+			key,
+			catalogPath
+		});
+		const agentOverride = agentMeta[key];
+		if (agentOverride) resolved[key] = {
+			...catalogEntry,
+			...agentOverride
+		};
+		else resolved[key] = catalogEntry;
+	}
+	return Right(resolved);
+};
+/** Resolve an agent config against its catalog (if any), producing a flat self-contained config */
+const resolveConfig = (agentConfig, agentConfigDir) => {
+	if (!agentConfig.catalog) return Right({
+		config: agentConfig,
+		merged: [],
+		overridden: [],
+		warnings: []
+	});
+	if (!agentConfig.identity?.secrets || agentConfig.identity.secrets.length === 0) return Left({
+		_tag: "MissingSecretsList",
+		message: "Config has 'catalog' but identity.secrets is missing — declare which catalog secrets this agent needs"
+	});
+	const catalogPath = resolve(agentConfigDir, agentConfig.catalog);
+	const agentSecrets = agentConfig.identity.secrets;
+	const agentSecretEntries = agentConfig.secret ?? {};
+	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentSecretEntries, catalogConfig.secret ?? {}, agentSecrets, catalogPath).map((resolvedMeta) => {
+		const merged = [];
+		const overridden = [];
+		const warnings = [];
+		for (const key of agentSecrets) {
+			merged.push(key);
+			if (agentSecretEntries[key]) overridden.push(key);
+		}
+		const { catalog: _catalog, ...agentWithoutCatalog } = agentConfig;
+		const identityData = agentConfig.identity ? (() => {
+			const { secrets: _secrets, ...rest } = agentConfig.identity;
+			return rest;
+		})() : void 0;
+		return {
+			config: {
+				...agentWithoutCatalog,
+				identity: identityData ? {
+					...identityData,
+					name: identityData.name
+				} : void 0,
+				secret: resolvedMeta
+			},
+			catalogPath,
+			merged,
+			overridden,
+			warnings
+		};
+	}));
+};
+
 //#endregion
 //#region src/cli/commands/audit.ts
 const runAudit = (options) => {
@@ -2842,6 +2945,7 @@ const writeSealedToml = (configPath, sealedMeta) => {
 				output.push(`encrypted_value = """`);
 				output.push(pendingSeals.get(currentMetaKey));
 				output.push(`"""`);
+				output.push("");
 				pendingSeals.delete(currentMetaKey);
 			}
 			currentMetaKey = metaMatch[1];
@@ -2855,6 +2959,7 @@ const writeSealedToml = (configPath, sealedMeta) => {
 				output.push(`encrypted_value = """`);
 				output.push(pendingSeals.get(currentMetaKey));
 				output.push(`"""`);
+				output.push("");
 				pendingSeals.delete(currentMetaKey);
 			}
 			insideMetaBlock = false;
@@ -2869,6 +2974,7 @@ const writeSealedToml = (configPath, sealedMeta) => {
 				output.push(`encrypted_value = """`);
 				output.push(pendingSeals.get(currentMetaKey));
 				output.push(`"""`);
+				output.push("");
 				pendingSeals.delete(currentMetaKey);
 			} else output.push(line);
 			if (line.slice(line.indexOf("=") + 1).trim().includes("\"\"\"")) {
@@ -2947,7 +3053,30 @@ const runSeal = async (options) => {
 	const metaKeys = targetKeys;
 	console.log(`${BOLD}Sealing ${metaKeys.length} secret(s)${RESET} with recipient ${CYAN}${recipient.slice(0, 20)}...${RESET}`);
 	console.log("");
-	const values = await resolveValues(metaKeys, options.profile, identityKey);
+	const values = await (async () => {
+		if (options.reseal && alreadySealed.length > 0) {
+			const identityPath = config.identity?.key_file ? resolve(configDir, expandPath(config.identity.key_file)) : void 0;
+			if (!identityPath) {
+				console.error(`${RED}Error:${RESET} identity.key_file is required for --reseal (needed to decrypt existing secrets)`);
+				console.error("");
+				console.error(`${DIM}Add to your envpkt.toml:${RESET}`);
+				console.error(`${DIM}  [identity]${RESET}`);
+				console.error(`${DIM}  key_file = "path/to/identity.txt"${RESET}`);
+				process.exit(2);
+			}
+			const decrypted = unsealSecrets(Object.fromEntries(alreadySealed.map((k) => [k, allSecretEntries[k]])), identityPath).fold((err) => {
+				console.error(`${RED}Error:${RESET} Failed to decrypt existing secrets: ${err.message}`);
+				process.exit(2);
+				return {};
+			}, (d) => d);
+			const newValues = unsealed.length > 0 ? await resolveValues(unsealed, options.profile, identityKey) : {};
+			return {
+				...decrypted,
+				...newValues
+			};
+		}
+		return resolveValues(metaKeys, options.profile, identityKey);
+	})();
 	const resolved = Object.keys(values).length;
 	const skipped = metaKeys.length - resolved;
 	if (resolved === 0) {
@@ -3020,6 +3149,12 @@ program.name("envpkt").description("Credential lifecycle and fleet management fo
 	const pkgPath = findPkgJson(dirname(fileURLToPath(import.meta.url)));
 	return pkgPath ? JSON.parse(readFileSync(pkgPath, "utf-8")).version : "0.0.0";
 })());
+program.command("add").description("Add a new secret entry to envpkt.toml").argument("<name>", "Secret name (becomes the env var key)").option("-c, --config <path>", "Path to envpkt.toml").option("--service <service>", "Service this secret authenticates to").option("--purpose <purpose>", "Why this secret exists").option("--comment <comment>", "Free-form annotation").option("--expires <date>", "Expiration date (YYYY-MM-DD)").option("--capabilities <caps>", "Comma-separated capabilities (e.g. read,write)").option("--rotates <schedule>", "Rotation schedule (e.g. 90d, quarterly)").option("--rate-limit <limit>", "Rate limit info (e.g. 1000/min)").option("--model-hint <hint>", "Suggested model or tier").option("--source <source>", "Where the value originates (e.g. vault, ci)").option("--required", "Mark this secret as required").option("--rotation-url <url>", "URL for secret rotation procedure").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)").option("--dry-run", "Preview the TOML block without writing").action((name, options) => {
+	runAdd(name, options);
+});
+program.command("add-env").description("Add a new environment default entry to envpkt.toml").argument("<name>", "Environment variable name").argument("<value>", "Default value").option("-c, --config <path>", "Path to envpkt.toml").option("--purpose <purpose>", "Why this env var exists").option("--comment <comment>", "Free-form annotation").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)").option("--dry-run", "Preview the TOML block without writing").action((name, value, options) => {
+	runAddEnv(name, value, options);
+});
 program.command("init").description("Initialize a new envpkt.toml in the current directory").option("--from-fnox [path]", "Scaffold from fnox.toml (optionally specify path)").option("--catalog <path>", "Path to shared secret catalog").option("--identity", "Include [identity] section").option("--name <name>", "Identity name (requires --identity)").option("--capabilities <caps>", "Comma-separated capabilities (requires --identity)").option("--expires <date>", "Credential expiration YYYY-MM-DD (requires --identity)").option("--force", "Overwrite existing envpkt.toml").action((options) => {
 	runInit(process.cwd(), options);
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.6.1",
+  "version": "0.6.3",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",