npm - envpkt - Versions diffs - 0.6.10 → 0.7.0 - Mend

envpkt 0.6.10 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/cli.js CHANGED Viewed

@@ -3,8 +3,8 @@ import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync,
 import { dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { Command } from "commander";
+import { Cond, Either, Left, List, Option, Right, Try } from "functype";
 import { TypeCompiler } from "@sinclair/typebox/compiler";
-import { Cond, Left, List, Option, Right, Try } from "functype";
 import { Env, Fs, Path, Platform } from "functype-os";
 import { TomlDate, parse, stringify } from "smol-toml";
 import { FormatRegistry, Type } from "@sinclair/typebox";
@@ -15,6 +15,105 @@ import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js"
 import { CallToolRequestSchema, ListResourcesRequestSchema, ListToolsRequestSchema, ReadResourceRequestSchema } from "@modelcontextprotocol/sdk/types.js";
 import { createInterface } from "node:readline";
+//#region src/core/audit.ts
+const MS_PER_DAY = 864e5;
+const WARN_BEFORE_DAYS = 30;
+const daysBetween = (from, to) => Math.floor((to.getTime() - from.getTime()) / MS_PER_DAY);
+const parseDate = (dateStr) => {
+	const d = /* @__PURE__ */ new Date(`${dateStr}T00:00:00Z`);
+	return Number.isNaN(d.getTime()) ? Option(void 0) : Option(d);
+};
+const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration, requireService, today) => {
+	const issues = [];
+	const created = Option(meta?.created).flatMap(parseDate);
+	const expires = Option(meta?.expires).flatMap(parseDate);
+	const rotationUrl = Option(meta?.rotation_url);
+	const purpose = Option(meta?.purpose);
+	const service = Option(meta?.service);
+	const daysRemaining = expires.map((exp) => daysBetween(today, exp));
+	const daysSinceCreated = created.map((c) => daysBetween(c, today));
+	const isExpired = daysRemaining.fold(() => false, (d) => d < 0);
+	const isExpiringSoon = daysRemaining.fold(() => false, (d) => d >= 0 && d <= WARN_BEFORE_DAYS);
+	const isStale = daysSinceCreated.fold(() => false, (d) => d > staleWarningDays);
+	const hasSealed = !!meta?.encrypted_value;
+	const isMissing = fnoxKeys.size > 0 && !fnoxKeys.has(key) && !hasSealed;
+	const isMissingMetadata = requireExpiration && expires.isNone() || requireService && service.isNone();
+	if (isExpired) issues.push("Secret has expired");
+	if (isExpiringSoon) issues.push(`Expires in ${daysRemaining.fold(() => "?", (d) => String(d))} days`);
+	if (isStale) issues.push("Secret is stale (no rotation detected)");
+	if (isMissing) issues.push("Key not found in fnox");
+	if (isMissingMetadata) {
+		if (requireExpiration && expires.isNone()) issues.push("Missing required expiration date");
+		if (requireService && service.isNone()) issues.push("Missing required service");
+	}
+	return {
+		key,
+		service,
+		status: Cond.of().when(isExpired, "expired").elseWhen(isMissing, "missing").elseWhen(isMissingMetadata, "missing_metadata").elseWhen(isExpiringSoon, "expiring_soon").elseWhen(isStale, "stale").else("healthy"),
+		days_remaining: daysRemaining,
+		rotation_url: rotationUrl,
+		purpose,
+		created: Option(meta?.created),
+		expires: Option(meta?.expires),
+		issues: List(issues)
+	};
+};
+const computeAudit = (config, fnoxKeys, today) => {
+	const now = today ?? /* @__PURE__ */ new Date();
+	const lifecycle = config.lifecycle ?? {};
+	const staleWarningDays = lifecycle.stale_warning_days ?? 90;
+	const requireExpiration = lifecycle.require_expiration ?? false;
+	const requireService = lifecycle.require_service ?? false;
+	const keys = fnoxKeys ?? /* @__PURE__ */ new Set();
+	const secretEntries = config.secret ?? {};
+	const metaKeys = new Set(Object.keys(secretEntries));
+	const secrets = List(Object.entries(secretEntries).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
+	const orphaned = keys.size > 0 ? [...metaKeys].filter((k) => !keys.has(k)).length : 0;
+	const total = secrets.size;
+	const expired = secrets.count((s) => s.status === "expired");
+	const missing = secrets.count((s) => s.status === "missing");
+	const missing_metadata = secrets.count((s) => s.status === "missing_metadata");
+	const expiring_soon = secrets.count((s) => s.status === "expiring_soon");
+	const stale = secrets.count((s) => s.status === "stale");
+	const healthy = secrets.count((s) => s.status === "healthy");
+	return {
+		status: Cond.of().when(expired > 0 || missing > 0, "critical").elseWhen(expiring_soon > 0 || stale > 0 || missing_metadata > 0, "degraded").else("healthy"),
+		secrets,
+		total,
+		healthy,
+		expiring_soon,
+		expired,
+		stale,
+		missing,
+		missing_metadata,
+		orphaned,
+		identity: config.identity
+	};
+};
+const computeEnvAudit = (config, env = process.env) => {
+	const envEntries = config.env ?? {};
+	const entries = [];
+	for (const [key, entry] of Object.entries(envEntries)) {
+		const currentValue = env[key];
+		const status = Cond.of().when(currentValue === void 0, "missing").elseWhen(currentValue !== entry.value, "overridden").else("default");
+		entries.push({
+			key,
+			defaultValue: entry.value,
+			currentValue,
+			status,
+			purpose: entry.purpose
+		});
+	}
+	return {
+		entries,
+		total: entries.length,
+		defaults_applied: entries.filter((e) => e.status === "default").length,
+		overridden: entries.filter((e) => e.status === "overridden").length,
+		missing: entries.filter((e) => e.status === "missing").length
+	};
+};
+//#endregion
 //#region src/core/schema.ts
 const DATE_RE$1 = /^\d{4}-\d{2}-\d{2}$/;
 const URI_RE = /^https?:\/\/.+/;
@@ -270,6 +369,83 @@ const resolveConfigPath = (flagPath, envVar, cwd) => {
 	}));
 };
+//#endregion
+//#region src/core/catalog.ts
+/** Load and validate a catalog file, mapping ConfigError → CatalogError */
+const loadCatalog = (catalogPath) => loadConfig(catalogPath).fold((err) => {
+	if (err._tag === "FileNotFound") return Left({
+		_tag: "CatalogNotFound",
+		path: err.path
+	});
+	return Left({
+		_tag: "CatalogLoadError",
+		message: `${err._tag}: ${"message" in err ? err.message : String(err)}`
+	});
+}, (config) => Right(config));
+/** Resolve secrets by merging catalog meta with agent overrides (shallow merge) */
+const resolveSecrets = (agentMeta, catalogMeta, agentSecrets, catalogPath) => {
+	const resolved = {};
+	for (const key of agentSecrets) {
+		const catalogEntry = catalogMeta[key];
+		if (!catalogEntry) return Left({
+			_tag: "SecretNotInCatalog",
+			key,
+			catalogPath
+		});
+		const agentOverride = agentMeta[key];
+		if (agentOverride) resolved[key] = {
+			...catalogEntry,
+			...agentOverride
+		};
+		else resolved[key] = catalogEntry;
+	}
+	return Right(resolved);
+};
+/** Resolve an agent config against its catalog (if any), producing a flat self-contained config */
+const resolveConfig = (agentConfig, agentConfigDir) => {
+	if (!agentConfig.catalog) return Right({
+		config: agentConfig,
+		merged: [],
+		overridden: [],
+		warnings: []
+	});
+	if (!agentConfig.identity?.secrets || agentConfig.identity.secrets.length === 0) return Left({
+		_tag: "MissingSecretsList",
+		message: "Config has 'catalog' but identity.secrets is missing — declare which catalog secrets this agent needs"
+	});
+	const catalogPath = resolve(agentConfigDir, agentConfig.catalog);
+	const agentSecrets = agentConfig.identity.secrets;
+	const agentSecretEntries = agentConfig.secret ?? {};
+	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentSecretEntries, catalogConfig.secret ?? {}, agentSecrets, catalogPath).map((resolvedMeta) => {
+		const merged = [];
+		const overridden = [];
+		const warnings = [];
+		for (const key of agentSecrets) {
+			merged.push(key);
+			if (agentSecretEntries[key]) overridden.push(key);
+		}
+		const { catalog: _catalog, ...agentWithoutCatalog } = agentConfig;
+		const identityData = agentConfig.identity ? (() => {
+			const { secrets: _secrets, ...rest } = agentConfig.identity;
+			return rest;
+		})() : void 0;
+		return {
+			config: {
+				...agentWithoutCatalog,
+				identity: identityData ? {
+					...identityData,
+					name: identityData.name
+				} : void 0,
+				secret: resolvedMeta
+			},
+			catalogPath,
+			merged,
+			overridden,
+			warnings
+		};
+	}));
+};
 //#endregion
 //#region src/cli/output.ts
 const RESET = "\x1B[0m";
@@ -454,306 +630,27 @@ const formatCheckTable = (check) => {
 const formatCheckJson = (check) => JSON.stringify({
 	is_clean: check.is_clean,
 	tracked_and_present: check.tracked_and_present,
-	missing_from_env: check.missing_from_env,
-	untracked_credentials: check.untracked_credentials,
-	entries: check.entries.map((e) => ({
-		envVar: e.envVar,
-		service: e.service.fold(() => null, (s) => s),
-		status: e.status,
-		confidence: e.confidence.fold(() => null, (c) => c)
-	})).toArray()
-}, null, 2);
-const formatAuditMinimal = (audit) => {
-	if (audit.status === "healthy") return `${GREEN}✓${RESET} ${audit.total} secrets healthy`;
-	const parts = [];
-	if (audit.expired > 0) parts.push(`${audit.expired} expired`);
-	if (audit.expiring_soon > 0) parts.push(`${audit.expiring_soon} expiring`);
-	if (audit.stale > 0) parts.push(`${audit.stale} stale`);
-	if (audit.missing > 0) parts.push(`${audit.missing} missing`);
-	return `${audit.status === "critical" ? `${RED}✗${RESET}` : `${YELLOW}⚠${RESET}`} ${parts.join(", ")}`;
-};
-const formatConfigSource = (path, source) => {
-	if (source === "cwd") return "";
-	return `${DIM}envpkt: loaded ${path}${RESET}`;
-};
-//#endregion
-//#region src/cli/commands/add.ts
-const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
-const buildSecretBlock = (name, options) => {
-	const lines = [`[secret.${name}]`];
-	const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
-	if (options.service) lines.push(`service = "${options.service}"`);
-	if (options.purpose) lines.push(`purpose = "${options.purpose}"`);
-	if (options.comment) lines.push(`comment = "${options.comment}"`);
-	lines.push(`created = "${today}"`);
-	if (options.expires) lines.push(`expires = "${options.expires}"`);
-	if (options.rotates) lines.push(`rotates = "${options.rotates}"`);
-	if (options.rateLimit) lines.push(`rate_limit = "${options.rateLimit}"`);
-	if (options.modelHint) lines.push(`model_hint = "${options.modelHint}"`);
-	if (options.source) lines.push(`source = "${options.source}"`);
-	if (options.rotationUrl) lines.push(`rotation_url = "${options.rotationUrl}"`);
-	if (options.required) lines.push(`required = true`);
-	if (options.capabilities) {
-		const caps = options.capabilities.split(",").map((c) => `"${c.trim()}"`).join(", ");
-		lines.push(`capabilities = [${caps}]`);
-	}
-	if (options.tags) {
-		const pairs = options.tags.split(",").map((pair) => {
-			const [k, v] = pair.split("=").map((s) => s.trim());
-			return `${k} = "${v}"`;
-		});
-		lines.push(`tags = { ${pairs.join(", ")} }`);
-	}
-	return `${lines.join("\n")}\n`;
-};
-const runAdd = (name, options) => {
-	if (options.expires && !DATE_RE.test(options.expires)) {
-		console.error(`${RED}Error:${RESET} Invalid date format for --expires: "${options.expires}" (expected YYYY-MM-DD)`);
-		process.exit(1);
-	}
-	resolveConfigPath(options.config).fold((err) => {
-		console.error(formatError(err));
-		process.exit(2);
-	}, ({ path: configPath, source }) => {
-		const sourceMsg = formatConfigSource(configPath, source);
-		if (sourceMsg) console.error(sourceMsg);
-		loadConfig(configPath).fold((err) => {
-			console.error(formatError(err));
-			process.exit(2);
-		}, (config) => {
-			if (config.secret?.[name]) {
-				console.error(`${RED}Error:${RESET} Secret "${name}" already exists in ${configPath}`);
-				process.exit(1);
-			}
-			const block = buildSecretBlock(name, options);
-			if (options.dryRun) {
-				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
-				console.log(block);
-				return;
-			}
-			writeFileSync(configPath, `${readFileSync(configPath, "utf-8").trimEnd()}\n\n${block}`, "utf-8");
-			console.log(`${GREEN}✓${RESET} Added ${BOLD}${name}${RESET} to ${CYAN}${configPath}${RESET}`);
-		});
-	});
-};
-//#endregion
-//#region src/cli/commands/add-env.ts
-const buildEnvBlock = (name, value, options) => {
-	const lines = [`[env.${name}]`, `value = "${value}"`];
-	if (options.purpose) lines.push(`purpose = "${options.purpose}"`);
-	if (options.comment) lines.push(`comment = "${options.comment}"`);
-	if (options.tags) {
-		const pairs = options.tags.split(",").map((pair) => {
-			const [k, v] = pair.split("=").map((s) => s.trim());
-			return `${k} = "${v}"`;
-		});
-		lines.push(`tags = { ${pairs.join(", ")} }`);
-	}
-	return `${lines.join("\n")}\n`;
-};
-const runAddEnv = (name, value, options) => {
-	resolveConfigPath(options.config).fold((err) => {
-		console.error(formatError(err));
-		process.exit(2);
-	}, ({ path: configPath, source }) => {
-		const sourceMsg = formatConfigSource(configPath, source);
-		if (sourceMsg) console.error(sourceMsg);
-		loadConfig(configPath).fold((err) => {
-			console.error(formatError(err));
-			process.exit(2);
-		}, (config) => {
-			if (config.env?.[name]) {
-				console.error(`${RED}Error:${RESET} Env entry "${name}" already exists in ${configPath}`);
-				process.exit(1);
-			}
-			const block = buildEnvBlock(name, value, options);
-			if (options.dryRun) {
-				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
-				console.log(block);
-				return;
-			}
-			writeFileSync(configPath, `${readFileSync(configPath, "utf-8").trimEnd()}\n\n${block}`, "utf-8");
-			console.log(`${GREEN}✓${RESET} Added ${BOLD}${name}${RESET} to ${CYAN}${configPath}${RESET}`);
-		});
-	});
-};
-//#endregion
-//#region src/core/audit.ts
-const MS_PER_DAY = 864e5;
-const WARN_BEFORE_DAYS = 30;
-const daysBetween = (from, to) => Math.floor((to.getTime() - from.getTime()) / MS_PER_DAY);
-const parseDate = (dateStr) => {
-	const d = /* @__PURE__ */ new Date(`${dateStr}T00:00:00Z`);
-	return Number.isNaN(d.getTime()) ? Option(void 0) : Option(d);
-};
-const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration, requireService, today) => {
-	const issues = [];
-	const created = Option(meta?.created).flatMap(parseDate);
-	const expires = Option(meta?.expires).flatMap(parseDate);
-	const rotationUrl = Option(meta?.rotation_url);
-	const purpose = Option(meta?.purpose);
-	const service = Option(meta?.service);
-	const daysRemaining = expires.map((exp) => daysBetween(today, exp));
-	const daysSinceCreated = created.map((c) => daysBetween(c, today));
-	const isExpired = daysRemaining.fold(() => false, (d) => d < 0);
-	const isExpiringSoon = daysRemaining.fold(() => false, (d) => d >= 0 && d <= WARN_BEFORE_DAYS);
-	const isStale = daysSinceCreated.fold(() => false, (d) => d > staleWarningDays);
-	const hasSealed = !!meta?.encrypted_value;
-	const isMissing = fnoxKeys.size > 0 && !fnoxKeys.has(key) && !hasSealed;
-	const isMissingMetadata = requireExpiration && expires.isNone() || requireService && service.isNone();
-	if (isExpired) issues.push("Secret has expired");
-	if (isExpiringSoon) issues.push(`Expires in ${daysRemaining.fold(() => "?", (d) => String(d))} days`);
-	if (isStale) issues.push("Secret is stale (no rotation detected)");
-	if (isMissing) issues.push("Key not found in fnox");
-	if (isMissingMetadata) {
-		if (requireExpiration && expires.isNone()) issues.push("Missing required expiration date");
-		if (requireService && service.isNone()) issues.push("Missing required service");
-	}
-	return {
-		key,
-		service,
-		status: Cond.of().when(isExpired, "expired").elseWhen(isMissing, "missing").elseWhen(isMissingMetadata, "missing_metadata").elseWhen(isExpiringSoon, "expiring_soon").elseWhen(isStale, "stale").else("healthy"),
-		days_remaining: daysRemaining,
-		rotation_url: rotationUrl,
-		purpose,
-		created: Option(meta?.created),
-		expires: Option(meta?.expires),
-		issues: List(issues)
-	};
-};
-const computeAudit = (config, fnoxKeys, today) => {
-	const now = today ?? /* @__PURE__ */ new Date();
-	const lifecycle = config.lifecycle ?? {};
-	const staleWarningDays = lifecycle.stale_warning_days ?? 90;
-	const requireExpiration = lifecycle.require_expiration ?? false;
-	const requireService = lifecycle.require_service ?? false;
-	const keys = fnoxKeys ?? /* @__PURE__ */ new Set();
-	const secretEntries = config.secret ?? {};
-	const metaKeys = new Set(Object.keys(secretEntries));
-	const secrets = List(Object.entries(secretEntries).map(([key, meta]) => classifySecret(key, meta, keys, staleWarningDays, requireExpiration, requireService, now)));
-	const orphaned = keys.size > 0 ? [...metaKeys].filter((k) => !keys.has(k)).length : 0;
-	const total = secrets.size;
-	const expired = secrets.count((s) => s.status === "expired");
-	const missing = secrets.count((s) => s.status === "missing");
-	const missing_metadata = secrets.count((s) => s.status === "missing_metadata");
-	const expiring_soon = secrets.count((s) => s.status === "expiring_soon");
-	const stale = secrets.count((s) => s.status === "stale");
-	const healthy = secrets.count((s) => s.status === "healthy");
-	return {
-		status: Cond.of().when(expired > 0 || missing > 0, "critical").elseWhen(expiring_soon > 0 || stale > 0 || missing_metadata > 0, "degraded").else("healthy"),
-		secrets,
-		total,
-		healthy,
-		expiring_soon,
-		expired,
-		stale,
-		missing,
-		missing_metadata,
-		orphaned,
-		identity: config.identity
-	};
-};
-const computeEnvAudit = (config, env = process.env) => {
-	const envEntries = config.env ?? {};
-	const entries = [];
-	for (const [key, entry] of Object.entries(envEntries)) {
-		const currentValue = env[key];
-		const status = Cond.of().when(currentValue === void 0, "missing").elseWhen(currentValue !== entry.value, "overridden").else("default");
-		entries.push({
-			key,
-			defaultValue: entry.value,
-			currentValue,
-			status,
-			purpose: entry.purpose
-		});
-	}
-	return {
-		entries,
-		total: entries.length,
-		defaults_applied: entries.filter((e) => e.status === "default").length,
-		overridden: entries.filter((e) => e.status === "overridden").length,
-		missing: entries.filter((e) => e.status === "missing").length
-	};
-};
-//#endregion
-//#region src/core/catalog.ts
-/** Load and validate a catalog file, mapping ConfigError → CatalogError */
-const loadCatalog = (catalogPath) => loadConfig(catalogPath).fold((err) => {
-	if (err._tag === "FileNotFound") return Left({
-		_tag: "CatalogNotFound",
-		path: err.path
-	});
-	return Left({
-		_tag: "CatalogLoadError",
-		message: `${err._tag}: ${"message" in err ? err.message : String(err)}`
-	});
-}, (config) => Right(config));
-/** Resolve secrets by merging catalog meta with agent overrides (shallow merge) */
-const resolveSecrets = (agentMeta, catalogMeta, agentSecrets, catalogPath) => {
-	const resolved = {};
-	for (const key of agentSecrets) {
-		const catalogEntry = catalogMeta[key];
-		if (!catalogEntry) return Left({
-			_tag: "SecretNotInCatalog",
-			key,
-			catalogPath
-		});
-		const agentOverride = agentMeta[key];
-		if (agentOverride) resolved[key] = {
-			...catalogEntry,
-			...agentOverride
-		};
-		else resolved[key] = catalogEntry;
-	}
-	return Right(resolved);
-};
-/** Resolve an agent config against its catalog (if any), producing a flat self-contained config */
-const resolveConfig = (agentConfig, agentConfigDir) => {
-	if (!agentConfig.catalog) return Right({
-		config: agentConfig,
-		merged: [],
-		overridden: [],
-		warnings: []
-	});
-	if (!agentConfig.identity?.secrets || agentConfig.identity.secrets.length === 0) return Left({
-		_tag: "MissingSecretsList",
-		message: "Config has 'catalog' but identity.secrets is missing — declare which catalog secrets this agent needs"
-	});
-	const catalogPath = resolve(agentConfigDir, agentConfig.catalog);
-	const agentSecrets = agentConfig.identity.secrets;
-	const agentSecretEntries = agentConfig.secret ?? {};
-	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentSecretEntries, catalogConfig.secret ?? {}, agentSecrets, catalogPath).map((resolvedMeta) => {
-		const merged = [];
-		const overridden = [];
-		const warnings = [];
-		for (const key of agentSecrets) {
-			merged.push(key);
-			if (agentSecretEntries[key]) overridden.push(key);
-		}
-		const { catalog: _catalog, ...agentWithoutCatalog } = agentConfig;
-		const identityData = agentConfig.identity ? (() => {
-			const { secrets: _secrets, ...rest } = agentConfig.identity;
-			return rest;
-		})() : void 0;
-		return {
-			config: {
-				...agentWithoutCatalog,
-				identity: identityData ? {
-					...identityData,
-					name: identityData.name
-				} : void 0,
-				secret: resolvedMeta
-			},
-			catalogPath,
-			merged,
-			overridden,
-			warnings
-		};
-	}));
+	missing_from_env: check.missing_from_env,
+	untracked_credentials: check.untracked_credentials,
+	entries: check.entries.map((e) => ({
+		envVar: e.envVar,
+		service: e.service.fold(() => null, (s) => s),
+		status: e.status,
+		confidence: e.confidence.fold(() => null, (c) => c)
+	})).toArray()
+}, null, 2);
+const formatAuditMinimal = (audit) => {
+	if (audit.status === "healthy") return `${GREEN}✓${RESET} ${audit.total} secrets healthy`;
+	const parts = [];
+	if (audit.expired > 0) parts.push(`${audit.expired} expired`);
+	if (audit.expiring_soon > 0) parts.push(`${audit.expiring_soon} expiring`);
+	if (audit.stale > 0) parts.push(`${audit.stale} stale`);
+	if (audit.missing > 0) parts.push(`${audit.missing} missing`);
+	return `${audit.status === "critical" ? `${RED}✗${RESET}` : `${YELLOW}⚠${RESET}`} ${parts.join(", ")}`;
+};
+const formatConfigSource = (path, source) => {
+	if (source === "cwd") return "";
+	return `${DIM}envpkt: loaded ${path}${RESET}`;
 };
 //#endregion
@@ -2039,6 +1936,156 @@ created = "${todayIso$1()}"
 	return blocks.join("\n");
 };
+//#endregion
+//#region src/core/toml-edit.ts
+const SECTION_RE = /^\[.+\]\s*$/;
+const MULTILINE_OPEN = "\"\"\"";
+/**
+* Find the line range [start, end) of a TOML section by its header string.
+* The range includes the header line through to (but not including) the next section header or EOF.
+* Handles multiline `"""..."""` values when scanning for section boundaries.
+*/
+const findSectionRange = (lines, sectionHeader) => {
+	let start = -1;
+	for (let i = 0; i < lines.length; i++) if (lines[i].trim() === sectionHeader) {
+		start = i;
+		break;
+	}
+	if (start === -1) return void 0;
+	let end = lines.length;
+	let inMultiline = false;
+	for (let i = start + 1; i < lines.length; i++) {
+		const line = lines[i];
+		if (inMultiline) {
+			if (line.includes(MULTILINE_OPEN)) inMultiline = false;
+			continue;
+		}
+		if (line.includes(MULTILINE_OPEN)) {
+			if ((line.slice(line.indexOf("=") + 1).trim().match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1) inMultiline = true;
+			continue;
+		}
+		if (SECTION_RE.test(line)) {
+			end = i;
+			break;
+		}
+	}
+	return {
+		start,
+		end
+	};
+};
+/** Check whether a section header exists in the raw TOML */
+const sectionExists = (lines, sectionHeader) => lines.some((l) => l.trim() === sectionHeader);
+/**
+* Remove a TOML section (e.g. `[secret.X]`) and all its fields through the next section or EOF.
+* Strips trailing blank lines left behind.
+*/
+const removeSection = (raw, sectionHeader) => {
+	const lines = raw.split("\n");
+	const range = findSectionRange(lines, sectionHeader);
+	if (!range) return Either.left({
+		_tag: "SectionNotFound",
+		section: sectionHeader
+	});
+	let removeEnd = range.end;
+	while (removeEnd > range.start && removeEnd - 1 >= range.start && lines[removeEnd - 1].trim() === "") removeEnd--;
+	const before = lines.slice(0, range.start);
+	const after = lines.slice(range.end);
+	while (before.length > 0 && before[before.length - 1].trim() === "") before.pop();
+	const result = [...before, ...after].join("\n");
+	return Either.right(result);
+};
+/**
+* Rename a TOML section header (e.g. `[secret.OLD]` → `[secret.NEW]`).
+* Errors if old doesn't exist or new already exists.
+*/
+const renameSection = (raw, oldHeader, newHeader) => {
+	const lines = raw.split("\n");
+	if (!sectionExists(lines, oldHeader)) return Either.left({
+		_tag: "SectionNotFound",
+		section: oldHeader
+	});
+	if (sectionExists(lines, newHeader)) return Either.left({
+		_tag: "SectionAlreadyExists",
+		section: newHeader
+	});
+	const result = lines.map((line) => line.trim() === oldHeader ? newHeader : line).join("\n");
+	return Either.right(result);
+};
+/**
+* Update, add, or remove fields within an existing TOML section.
+* - A string value replaces or adds the field
+* - A null value removes the field
+* Does NOT re-serialize — operates on raw text lines.
+*/
+const updateSectionFields = (raw, sectionHeader, updates) => {
+	const lines = raw.split("\n");
+	const range = findSectionRange(lines, sectionHeader);
+	if (!range) return Either.left({
+		_tag: "SectionNotFound",
+		section: sectionHeader
+	});
+	const before = lines.slice(0, range.start + 1);
+	const after = lines.slice(range.end);
+	const sectionBody = lines.slice(range.start + 1, range.end);
+	const remaining = [];
+	const updatedKeys = /* @__PURE__ */ new Set();
+	let inMultiline = false;
+	let multilineKey = "";
+	for (let i = 0; i < sectionBody.length; i++) {
+		const line = sectionBody[i];
+		if (inMultiline) {
+			if (line.includes(MULTILINE_OPEN)) {
+				inMultiline = false;
+				if (updates[multilineKey] === null) continue;
+				if (multilineKey in updates) continue;
+			} else {
+				if (updates[multilineKey] === null) continue;
+				if (multilineKey in updates) continue;
+			}
+			remaining.push(line);
+			continue;
+		}
+		const eqIdx = line.indexOf("=");
+		if (eqIdx > 0 && !line.trimStart().startsWith("#") && !line.trimStart().startsWith("[")) {
+			const key = line.slice(0, eqIdx).trim();
+			if (key in updates) {
+				updatedKeys.add(key);
+				const afterEquals = line.slice(eqIdx + 1).trim();
+				if (afterEquals.includes(MULTILINE_OPEN)) {
+					if ((afterEquals.match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1) {
+						inMultiline = true;
+						multilineKey = key;
+					}
+				}
+				if (updates[key] === null) continue;
+				remaining.push(`${key} = ${updates[key]}`);
+				if (inMultiline) {
+					for (let j = i + 1; j < sectionBody.length; j++) if (sectionBody[j].includes(MULTILINE_OPEN)) {
+						i = j;
+						inMultiline = false;
+						break;
+					}
+				}
+				continue;
+			}
+		}
+		remaining.push(line);
+	}
+	for (const [key, value] of Object.entries(updates)) if (value !== null && !updatedKeys.has(key)) remaining.push(`${key} = ${value}`);
+	const result = [
+		...before,
+		...remaining,
+		...after
+	].join("\n");
+	return Either.right(result);
+};
+/**
+* Append a new TOML section block to the end of the file.
+* Ensures proper spacing (double newline before the block).
+*/
+const appendSection = (raw, block) => `${raw.trimEnd()}\n\n${block}`;
 //#endregion
 //#region src/cli/commands/env.ts
 const printPostWriteGuidance = () => {
@@ -2131,6 +2178,148 @@ const runEnvExport = (options) => {
 		for (const [key, value] of Object.entries(boot.secrets)) console.log(`export ${key}='${shellEscape(value)}'`);
 	});
 };
+const buildEnvBlock = (name, value, options) => {
+	const lines = [`[env.${name}]`, `value = "${value}"`];
+	if (options.purpose) lines.push(`purpose = "${options.purpose}"`);
+	if (options.comment) lines.push(`comment = "${options.comment}"`);
+	if (options.tags) {
+		const pairs = options.tags.split(",").map((pair) => {
+			const [k, v] = pair.split("=").map((s) => s.trim());
+			return `${k} = "${v}"`;
+		});
+		lines.push(`tags = { ${pairs.join(", ")} }`);
+	}
+	return `${lines.join("\n")}\n`;
+};
+const withConfig$1 = (configFlag, fn) => {
+	resolveConfigPath(configFlag).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, ({ path: configPath, source }) => {
+		const sourceMsg = formatConfigSource(configPath, source);
+		if (sourceMsg) console.error(sourceMsg);
+		fn(configPath, readFileSync(configPath, "utf-8"));
+	});
+};
+const runEnvAdd = (name, value, options) => {
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, ({ path: configPath, source }) => {
+		const sourceMsg = formatConfigSource(configPath, source);
+		if (sourceMsg) console.error(sourceMsg);
+		loadConfig(configPath).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			if (config.env?.[name]) {
+				console.error(`${RED}Error:${RESET} Env entry "${name}" already exists in ${configPath}`);
+				process.exit(1);
+			}
+			const block = buildEnvBlock(name, value, options);
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				console.log(block);
+				return;
+			}
+			writeFileSync(configPath, appendSection(readFileSync(configPath, "utf-8"), block), "utf-8");
+			console.log(`${GREEN}✓${RESET} Added ${BOLD}${name}${RESET} to ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
+const runEnvEdit = (name, options) => {
+	withConfig$1(options.config, (configPath, raw) => {
+		loadConfig(configPath).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			if (!config.env?.[name]) {
+				console.error(`${RED}Error:${RESET} Env entry "${name}" not found in ${configPath}`);
+				process.exit(1);
+			}
+			const updates = {};
+			if (options.value !== void 0) updates["value"] = `"${options.value}"`;
+			if (options.purpose !== void 0) updates["purpose"] = `"${options.purpose}"`;
+			if (options.comment !== void 0) updates["comment"] = `"${options.comment}"`;
+			if (options.tags !== void 0) updates["tags"] = `{ ${options.tags.split(",").map((pair) => {
+				const [k, v] = pair.split("=").map((s) => s.trim());
+				return `${k} = "${v}"`;
+			}).join(", ")} }`;
+			if (Object.keys(updates).length === 0) {
+				console.error(`${RED}Error:${RESET} No fields to update. Provide at least one --flag.`);
+				process.exit(1);
+			}
+			updateSectionFields(raw, `[env.${name}]`, updates).fold((err) => {
+				console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
+				process.exit(2);
+			}, (updated) => {
+				if (options.dryRun) {
+					console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+					console.log(updated);
+					return;
+				}
+				writeFileSync(configPath, updated, "utf-8");
+				console.log(`${GREEN}✓${RESET} Updated ${BOLD}${name}${RESET} in ${CYAN}${configPath}${RESET}`);
+			});
+		});
+	});
+};
+const runEnvRm = (name, options) => {
+	withConfig$1(options.config, (configPath, raw) => {
+		removeSection(raw, `[env.${name}]`).fold((err) => {
+			console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
+			process.exit(1);
+		}, (updated) => {
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				console.log(updated);
+				return;
+			}
+			writeFileSync(configPath, updated, "utf-8");
+			console.log(`${GREEN}✓${RESET} Removed ${BOLD}${name}${RESET} from ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
+const runEnvRename = (oldName, newName, options) => {
+	withConfig$1(options.config, (configPath, raw) => {
+		renameSection(raw, `[env.${oldName}]`, `[env.${newName}]`).fold((err) => {
+			console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
+			process.exit(1);
+		}, (updated) => {
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				console.log(updated);
+				return;
+			}
+			writeFileSync(configPath, updated, "utf-8");
+			console.log(`${GREEN}✓${RESET} Renamed ${BOLD}${oldName}${RESET} → ${BOLD}${newName}${RESET} in ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
+const registerEnvCommands = (program) => {
+	const env = program.command("env").description("Manage environment defaults and discover credentials");
+	env.command("scan").description("Auto-discover credentials from process.env and scaffold TOML entries — first step in the developer workflow").option("-c, --config <path>", "Path to envpkt.toml (write target for --write)").option("--format <format>", "Output format: table | json", "table").option("--write", "Write discovered credentials to envpkt.toml").option("--dry-run", "Preview TOML that would be written (implies --write)").option("--include-unknown", "Include vars where service could not be inferred").action((options) => {
+		runEnvScan(options);
+	});
+	env.command("check").description("Bidirectional drift detection between envpkt.toml and live environment").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json", "table").option("--strict", "Exit non-zero on any drift").action((options) => {
+		runEnvCheck(options);
+	});
+	env.command("export").description("Output export statements for eval-ing secrets into the current shell. Usage: eval \"$(envpkt env export)\"").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use").option("--skip-audit", "Skip the pre-flight audit").action((options) => {
+		runEnvExport(options);
+	});
+	env.command("add").description("Add a new environment default entry to envpkt.toml").argument("<name>", "Environment variable name").argument("<value>", "Default value").option("-c, --config <path>", "Path to envpkt.toml").option("--purpose <purpose>", "Why this env var exists").option("--comment <comment>", "Free-form annotation").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)").option("--dry-run", "Preview the TOML block without writing").action((name, value, options) => {
+		runEnvAdd(name, value, options);
+	});
+	env.command("edit").description("Update fields on an existing env entry").argument("<name>", "Environment variable name to edit").option("-c, --config <path>", "Path to envpkt.toml").option("--value <value>", "New default value").option("--purpose <purpose>", "Why this env var exists").option("--comment <comment>", "Free-form annotation").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)").option("--dry-run", "Preview the changes without writing").action((name, options) => {
+		runEnvEdit(name, options);
+	});
+	env.command("rm").description("Remove an env entry from envpkt.toml").argument("<name>", "Environment variable name to remove").option("-c, --config <path>", "Path to envpkt.toml").option("--dry-run", "Preview the result without writing").action((name, options) => {
+		runEnvRm(name, options);
+	});
+	env.command("rename").description("Rename an env entry, preserving all fields").argument("<old>", "Current env variable name").argument("<new>", "New env variable name").option("-c, --config <path>", "Path to envpkt.toml").option("--dry-run", "Preview the result without writing").action((oldName, newName, options) => {
+		runEnvRename(oldName, newName, options);
+	});
+};
 //#endregion
 //#region src/cli/commands/exec.ts
@@ -3171,6 +3360,178 @@ const runSeal = async (options) => {
 	});
 };
+//#endregion
+//#region src/cli/commands/secret.ts
+const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
+const buildSecretBlock = (name, options) => {
+	const lines = [`[secret.${name}]`];
+	const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
+	if (options.service) lines.push(`service = "${options.service}"`);
+	if (options.purpose) lines.push(`purpose = "${options.purpose}"`);
+	if (options.comment) lines.push(`comment = "${options.comment}"`);
+	lines.push(`created = "${today}"`);
+	if (options.expires) lines.push(`expires = "${options.expires}"`);
+	if (options.rotates) lines.push(`rotates = "${options.rotates}"`);
+	if (options.rateLimit) lines.push(`rate_limit = "${options.rateLimit}"`);
+	if (options.modelHint) lines.push(`model_hint = "${options.modelHint}"`);
+	if (options.source) lines.push(`source = "${options.source}"`);
+	if (options.rotationUrl) lines.push(`rotation_url = "${options.rotationUrl}"`);
+	if (options.required) lines.push(`required = true`);
+	if (options.capabilities) {
+		const caps = options.capabilities.split(",").map((c) => `"${c.trim()}"`).join(", ");
+		lines.push(`capabilities = [${caps}]`);
+	}
+	if (options.tags) {
+		const pairs = options.tags.split(",").map((pair) => {
+			const [k, v] = pair.split("=").map((s) => s.trim());
+			return `${k} = "${v}"`;
+		});
+		lines.push(`tags = { ${pairs.join(", ")} }`);
+	}
+	return `${lines.join("\n")}\n`;
+};
+const buildFieldUpdates = (options) => {
+	const updates = {};
+	if (options.service !== void 0) updates["service"] = `"${options.service}"`;
+	if (options.purpose !== void 0) updates["purpose"] = `"${options.purpose}"`;
+	if (options.comment !== void 0) updates["comment"] = `"${options.comment}"`;
+	if (options.expires !== void 0) updates["expires"] = `"${options.expires}"`;
+	if (options.rotates !== void 0) updates["rotates"] = `"${options.rotates}"`;
+	if (options.rateLimit !== void 0) updates["rate_limit"] = `"${options.rateLimit}"`;
+	if (options.modelHint !== void 0) updates["model_hint"] = `"${options.modelHint}"`;
+	if (options.source !== void 0) updates["source"] = `"${options.source}"`;
+	if (options.rotationUrl !== void 0) updates["rotation_url"] = `"${options.rotationUrl}"`;
+	if (options.required !== void 0) updates["required"] = options.required ? "true" : "false";
+	if (options.capabilities !== void 0) updates["capabilities"] = `[${options.capabilities.split(",").map((c) => `"${c.trim()}"`).join(", ")}]`;
+	if (options.tags !== void 0) updates["tags"] = `{ ${options.tags.split(",").map((pair) => {
+		const [k, v] = pair.split("=").map((s) => s.trim());
+		return `${k} = "${v}"`;
+	}).join(", ")} }`;
+	return updates;
+};
+const withConfig = (configFlag, fn) => {
+	resolveConfigPath(configFlag).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, ({ path: configPath, source }) => {
+		const sourceMsg = formatConfigSource(configPath, source);
+		if (sourceMsg) console.error(sourceMsg);
+		fn(configPath, readFileSync(configPath, "utf-8"));
+	});
+};
+const runSecretAdd = (name, options) => {
+	if (options.expires && !DATE_RE.test(options.expires)) {
+		console.error(`${RED}Error:${RESET} Invalid date format for --expires: "${options.expires}" (expected YYYY-MM-DD)`);
+		process.exit(1);
+	}
+	resolveConfigPath(options.config).fold((err) => {
+		console.error(formatError(err));
+		process.exit(2);
+	}, ({ path: configPath, source }) => {
+		const sourceMsg = formatConfigSource(configPath, source);
+		if (sourceMsg) console.error(sourceMsg);
+		loadConfig(configPath).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			if (config.secret?.[name]) {
+				console.error(`${RED}Error:${RESET} Secret "${name}" already exists in ${configPath}`);
+				process.exit(1);
+			}
+			const block = buildSecretBlock(name, options);
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				console.log(block);
+				return;
+			}
+			writeFileSync(configPath, appendSection(readFileSync(configPath, "utf-8"), block), "utf-8");
+			console.log(`${GREEN}✓${RESET} Added ${BOLD}${name}${RESET} to ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
+const runSecretEdit = (name, options) => {
+	if (options.expires && !DATE_RE.test(options.expires)) {
+		console.error(`${RED}Error:${RESET} Invalid date format for --expires: "${options.expires}" (expected YYYY-MM-DD)`);
+		process.exit(1);
+	}
+	withConfig(options.config, (configPath, raw) => {
+		loadConfig(configPath).fold((err) => {
+			console.error(formatError(err));
+			process.exit(2);
+		}, (config) => {
+			if (!config.secret?.[name]) {
+				console.error(`${RED}Error:${RESET} Secret "${name}" not found in ${configPath}`);
+				process.exit(1);
+			}
+			const updates = buildFieldUpdates(options);
+			if (Object.keys(updates).length === 0) {
+				console.error(`${RED}Error:${RESET} No fields to update. Provide at least one --flag.`);
+				process.exit(1);
+			}
+			updateSectionFields(raw, `[secret.${name}]`, updates).fold((err) => {
+				console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
+				process.exit(2);
+			}, (updated) => {
+				if (options.dryRun) {
+					console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+					console.log(updated);
+					return;
+				}
+				writeFileSync(configPath, updated, "utf-8");
+				console.log(`${GREEN}✓${RESET} Updated ${BOLD}${name}${RESET} in ${CYAN}${configPath}${RESET}`);
+			});
+		});
+	});
+};
+const runSecretRm = (name, options) => {
+	withConfig(options.config, (configPath, raw) => {
+		removeSection(raw, `[secret.${name}]`).fold((err) => {
+			console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
+			process.exit(1);
+		}, (updated) => {
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				console.log(updated);
+				return;
+			}
+			writeFileSync(configPath, updated, "utf-8");
+			console.log(`${GREEN}✓${RESET} Removed ${BOLD}${name}${RESET} from ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
+const runSecretRename = (oldName, newName, options) => {
+	withConfig(options.config, (configPath, raw) => {
+		renameSection(raw, `[secret.${oldName}]`, `[secret.${newName}]`).fold((err) => {
+			console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
+			process.exit(1);
+		}, (updated) => {
+			if (options.dryRun) {
+				console.log(`${DIM}# Preview (--dry-run):${RESET}\n`);
+				console.log(updated);
+				return;
+			}
+			writeFileSync(configPath, updated, "utf-8");
+			console.log(`${GREEN}✓${RESET} Renamed ${BOLD}${oldName}${RESET} → ${BOLD}${newName}${RESET} in ${CYAN}${configPath}${RESET}`);
+		});
+	});
+};
+const addSecretFlags = (cmd) => cmd.option("--service <service>", "Service this secret authenticates to").option("--purpose <purpose>", "Why this secret exists").option("--comment <comment>", "Free-form annotation").option("--expires <date>", "Expiration date (YYYY-MM-DD)").option("--capabilities <caps>", "Comma-separated capabilities (e.g. read,write)").option("--rotates <schedule>", "Rotation schedule (e.g. 90d, quarterly)").option("--rate-limit <limit>", "Rate limit info (e.g. 1000/min)").option("--model-hint <hint>", "Suggested model or tier").option("--source <source>", "Where the value originates (e.g. vault, ci)").option("--rotation-url <url>", "URL for secret rotation procedure").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)");
+const registerSecretCommands = (program) => {
+	const secret = program.command("secret").description("Manage secret entries in envpkt.toml");
+	addSecretFlags(secret.command("add").description("Add a new secret entry to envpkt.toml").argument("<name>", "Secret name (becomes the env var key)").option("-c, --config <path>", "Path to envpkt.toml").option("--required", "Mark this secret as required").option("--dry-run", "Preview the TOML block without writing")).action((name, options) => {
+		runSecretAdd(name, options);
+	});
+	addSecretFlags(secret.command("edit").description("Update metadata fields on an existing secret").argument("<name>", "Secret name to edit").option("-c, --config <path>", "Path to envpkt.toml").option("--required", "Mark this secret as required").option("--no-required", "Mark this secret as not required").option("--dry-run", "Preview the changes without writing")).action((name, options) => {
+		runSecretEdit(name, options);
+	});
+	secret.command("rm").description("Remove a secret entry from envpkt.toml").argument("<name>", "Secret name to remove").option("-c, --config <path>", "Path to envpkt.toml").option("--dry-run", "Preview the result without writing").action((name, options) => {
+		runSecretRm(name, options);
+	});
+	secret.command("rename").description("Rename a secret entry, preserving all metadata").argument("<old>", "Current secret name").argument("<new>", "New secret name").option("-c, --config <path>", "Path to envpkt.toml").option("--dry-run", "Preview the result without writing").action((oldName, newName, options) => {
+		runSecretRename(oldName, newName, options);
+	});
+};
 //#endregion
 //#region src/cli/commands/shell-hook.ts
 const ZSH_HOOK = `# envpkt shell hook — add to your .zshrc
@@ -3225,12 +3586,6 @@ program.name("envpkt").description("Credential lifecycle and fleet management fo
 	const pkgPath = findPkgJson(dirname(fileURLToPath(import.meta.url)));
 	return pkgPath ? JSON.parse(readFileSync(pkgPath, "utf-8")).version : "0.0.0";
 })());
-program.command("add").description("Add a new secret entry to envpkt.toml").argument("<name>", "Secret name (becomes the env var key)").option("-c, --config <path>", "Path to envpkt.toml").option("--service <service>", "Service this secret authenticates to").option("--purpose <purpose>", "Why this secret exists").option("--comment <comment>", "Free-form annotation").option("--expires <date>", "Expiration date (YYYY-MM-DD)").option("--capabilities <caps>", "Comma-separated capabilities (e.g. read,write)").option("--rotates <schedule>", "Rotation schedule (e.g. 90d, quarterly)").option("--rate-limit <limit>", "Rate limit info (e.g. 1000/min)").option("--model-hint <hint>", "Suggested model or tier").option("--source <source>", "Where the value originates (e.g. vault, ci)").option("--required", "Mark this secret as required").option("--rotation-url <url>", "URL for secret rotation procedure").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)").option("--dry-run", "Preview the TOML block without writing").action((name, options) => {
-	runAdd(name, options);
-});
-program.command("add-env").description("Add a new environment default entry to envpkt.toml").argument("<name>", "Environment variable name").argument("<value>", "Default value").option("-c, --config <path>", "Path to envpkt.toml").option("--purpose <purpose>", "Why this env var exists").option("--comment <comment>", "Free-form annotation").option("--tags <tags>", "Comma-separated key=value tags (e.g. env=prod,team=payments)").option("--dry-run", "Preview the TOML block without writing").action((name, value, options) => {
-	runAddEnv(name, value, options);
-});
 program.command("init").description("Initialize a new envpkt.toml in the current directory").option("--from-fnox [path]", "Scaffold from fnox.toml (optionally specify path)").option("--catalog <path>", "Path to shared secret catalog").option("--identity", "Include [identity] section").option("--name <name>", "Identity name (requires --identity)").option("--capabilities <caps>", "Comma-separated capabilities (requires --identity)").option("--expires <date>", "Credential expiration YYYY-MM-DD (requires --identity)").option("--force", "Overwrite existing envpkt.toml").action((options) => {
 	runInit(process.cwd(), options);
 });
@@ -3258,16 +3613,8 @@ program.command("seal").description("Encrypt secret values into envpkt.toml usin
 program.command("mcp").description("Start the envpkt MCP server (stdio transport)").option("-c, --config <path>", "Path to envpkt.toml").action((options) => {
 	runMcp(options);
 });
-const env = program.command("env").description("Discover and check credentials in your shell environment");
-env.command("scan").description("Auto-discover credentials from process.env and scaffold TOML entries — first step in the developer workflow").option("-c, --config <path>", "Path to envpkt.toml (write target for --write)").option("--format <format>", "Output format: table | json", "table").option("--write", "Write discovered credentials to envpkt.toml").option("--dry-run", "Preview TOML that would be written (implies --write)").option("--include-unknown", "Include vars where service could not be inferred").action((options) => {
-	runEnvScan(options);
-});
-env.command("check").description("Bidirectional drift detection between envpkt.toml and live environment").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json", "table").option("--strict", "Exit non-zero on any drift").action((options) => {
-	runEnvCheck(options);
-});
-env.command("export").description("Output export statements for eval-ing secrets into the current shell. Usage: eval \"$(envpkt env export)\"").option("-c, --config <path>", "Path to envpkt.toml").option("--profile <profile>", "fnox profile to use").option("--skip-audit", "Skip the pre-flight audit").action((options) => {
-	runEnvExport(options);
-});
+registerSecretCommands(program);
+registerEnvCommands(program);
 program.command("shell-hook").description("Output shell function for ambient credential warnings on cd — combine with env export for full setup").argument("<shell>", "Shell type: zsh | bash").action((shell) => {
 	runShellHook(shell);
 });

package/dist/index.d.ts CHANGED Viewed

@@ -307,6 +307,13 @@ type KeygenResult = {
   readonly identityPath: string;
   readonly configUpdated: boolean;
 };
+type TomlEditError = {
+  readonly _tag: "SectionNotFound";
+  readonly section: string;
+} | {
+  readonly _tag: "SectionAlreadyExists";
+  readonly section: string;
+};
 //#endregion
 //#region src/core/config.d.ts
 /** Find envpkt.toml in the given directory */
@@ -458,6 +465,30 @@ declare const updateConfigRecipient: (configPath: string, recipient: string) =>
 /** Resolve plaintext values for the given keys via cascade: fnox → env → interactive prompt */
 declare const resolveValues: (keys: ReadonlyArray<string>, profile?: string, agentKey?: string) => Promise<Record<string, string>>;
 //#endregion
+//#region src/core/toml-edit.d.ts
+/**
+ * Remove a TOML section (e.g. `[secret.X]`) and all its fields through the next section or EOF.
+ * Strips trailing blank lines left behind.
+ */
+declare const removeSection: (raw: string, sectionHeader: string) => Either<TomlEditError, string>;
+/**
+ * Rename a TOML section header (e.g. `[secret.OLD]` → `[secret.NEW]`).
+ * Errors if old doesn't exist or new already exists.
+ */
+declare const renameSection: (raw: string, oldHeader: string, newHeader: string) => Either<TomlEditError, string>;
+/**
+ * Update, add, or remove fields within an existing TOML section.
+ * - A string value replaces or adds the field
+ * - A null value removes the field
+ * Does NOT re-serialize — operates on raw text lines.
+ */
+declare const updateSectionFields: (raw: string, sectionHeader: string, updates: Readonly<Record<string, string | null>>) => Either<TomlEditError, string>;
+/**
+ * Append a new TOML section block to the end of the file.
+ * Ensures proper spacing (double newline before the block).
+ */
+declare const appendSection: (raw: string, block: string) => string;
+//#endregion
 //#region src/core/fleet.d.ts
 declare const scanFleet: (rootDir: string, options?: {
   maxDepth?: number;
@@ -515,4 +546,4 @@ type ToolDef = {
 declare const toolDefinitions: readonly ToolDef[];
 declare const callTool: (name: string, args: Record<string, unknown>) => CallToolResult;
 //#endregion
-export { type AgentIdentity, AgentIdentitySchema, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConfigSource, type ConsumerType, type CredentialPattern, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateKeypair, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigRecipient, validateConfig };
+export { type AgentIdentity, AgentIdentitySchema, type AuditResult, type BootError, type BootOptions, type BootResult, type CallbackConfig, CallbackConfigSchema, type CatalogError, type CheckResult, type ConfidenceLevel, type ConfigError, type ConfigSource, type ConsumerType, type CredentialPattern, type DriftEntry, type DriftStatus, type EnvAuditResult, type EnvDriftEntry, type EnvDriftStatus, type EnvMeta, EnvMetaSchema, EnvpktBootError, type EnvpktConfig, EnvpktConfigSchema, type FleetAgent, type FleetHealth, type FnoxConfig, type FnoxError, type FnoxSecret, type FormatPacketOptions, type HealthStatus, type Identity, type IdentityError, IdentitySchema, type KeygenError, type KeygenResult, type LifecycleConfig, LifecycleConfigSchema, type MatchResult, type ResolveOptions, type ResolveResult, type ResolvedPath, type ScanOptions, type ScanResult, type SealError, type SecretDisplay, type SecretHealth, type SecretMeta, SecretMetaSchema, type SecretStatus, type TomlEditError, type ToolsConfig, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateKeypair, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigRecipient, updateSectionFields, validateConfig };

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 import { FormatRegistry, Type } from "@sinclair/typebox";
 import { dirname, join, resolve } from "node:path";
 import { TypeCompiler } from "@sinclair/typebox/compiler";
-import { Cond, Left, List, None, Option, Right, Some, Try } from "functype";
+import { Cond, Either, Left, List, None, Option, Right, Some, Try } from "functype";
 import { Env, Fs, Path, Platform } from "functype-os";
 import { TomlDate, parse } from "smol-toml";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
@@ -1831,6 +1831,156 @@ const resolveValues = async (keys, profile, agentKey) => {
 	return result;
 };
+//#endregion
+//#region src/core/toml-edit.ts
+const SECTION_RE = /^\[.+\]\s*$/;
+const MULTILINE_OPEN = "\"\"\"";
+/**
+* Find the line range [start, end) of a TOML section by its header string.
+* The range includes the header line through to (but not including) the next section header or EOF.
+* Handles multiline `"""..."""` values when scanning for section boundaries.
+*/
+const findSectionRange = (lines, sectionHeader) => {
+	let start = -1;
+	for (let i = 0; i < lines.length; i++) if (lines[i].trim() === sectionHeader) {
+		start = i;
+		break;
+	}
+	if (start === -1) return void 0;
+	let end = lines.length;
+	let inMultiline = false;
+	for (let i = start + 1; i < lines.length; i++) {
+		const line = lines[i];
+		if (inMultiline) {
+			if (line.includes(MULTILINE_OPEN)) inMultiline = false;
+			continue;
+		}
+		if (line.includes(MULTILINE_OPEN)) {
+			if ((line.slice(line.indexOf("=") + 1).trim().match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1) inMultiline = true;
+			continue;
+		}
+		if (SECTION_RE.test(line)) {
+			end = i;
+			break;
+		}
+	}
+	return {
+		start,
+		end
+	};
+};
+/** Check whether a section header exists in the raw TOML */
+const sectionExists = (lines, sectionHeader) => lines.some((l) => l.trim() === sectionHeader);
+/**
+* Remove a TOML section (e.g. `[secret.X]`) and all its fields through the next section or EOF.
+* Strips trailing blank lines left behind.
+*/
+const removeSection = (raw, sectionHeader) => {
+	const lines = raw.split("\n");
+	const range = findSectionRange(lines, sectionHeader);
+	if (!range) return Either.left({
+		_tag: "SectionNotFound",
+		section: sectionHeader
+	});
+	let removeEnd = range.end;
+	while (removeEnd > range.start && removeEnd - 1 >= range.start && lines[removeEnd - 1].trim() === "") removeEnd--;
+	const before = lines.slice(0, range.start);
+	const after = lines.slice(range.end);
+	while (before.length > 0 && before[before.length - 1].trim() === "") before.pop();
+	const result = [...before, ...after].join("\n");
+	return Either.right(result);
+};
+/**
+* Rename a TOML section header (e.g. `[secret.OLD]` → `[secret.NEW]`).
+* Errors if old doesn't exist or new already exists.
+*/
+const renameSection = (raw, oldHeader, newHeader) => {
+	const lines = raw.split("\n");
+	if (!sectionExists(lines, oldHeader)) return Either.left({
+		_tag: "SectionNotFound",
+		section: oldHeader
+	});
+	if (sectionExists(lines, newHeader)) return Either.left({
+		_tag: "SectionAlreadyExists",
+		section: newHeader
+	});
+	const result = lines.map((line) => line.trim() === oldHeader ? newHeader : line).join("\n");
+	return Either.right(result);
+};
+/**
+* Update, add, or remove fields within an existing TOML section.
+* - A string value replaces or adds the field
+* - A null value removes the field
+* Does NOT re-serialize — operates on raw text lines.
+*/
+const updateSectionFields = (raw, sectionHeader, updates) => {
+	const lines = raw.split("\n");
+	const range = findSectionRange(lines, sectionHeader);
+	if (!range) return Either.left({
+		_tag: "SectionNotFound",
+		section: sectionHeader
+	});
+	const before = lines.slice(0, range.start + 1);
+	const after = lines.slice(range.end);
+	const sectionBody = lines.slice(range.start + 1, range.end);
+	const remaining = [];
+	const updatedKeys = /* @__PURE__ */ new Set();
+	let inMultiline = false;
+	let multilineKey = "";
+	for (let i = 0; i < sectionBody.length; i++) {
+		const line = sectionBody[i];
+		if (inMultiline) {
+			if (line.includes(MULTILINE_OPEN)) {
+				inMultiline = false;
+				if (updates[multilineKey] === null) continue;
+				if (multilineKey in updates) continue;
+			} else {
+				if (updates[multilineKey] === null) continue;
+				if (multilineKey in updates) continue;
+			}
+			remaining.push(line);
+			continue;
+		}
+		const eqIdx = line.indexOf("=");
+		if (eqIdx > 0 && !line.trimStart().startsWith("#") && !line.trimStart().startsWith("[")) {
+			const key = line.slice(0, eqIdx).trim();
+			if (key in updates) {
+				updatedKeys.add(key);
+				const afterEquals = line.slice(eqIdx + 1).trim();
+				if (afterEquals.includes(MULTILINE_OPEN)) {
+					if ((afterEquals.match(/* @__PURE__ */ new RegExp("\"\"\"", "g")) ?? []).length === 1) {
+						inMultiline = true;
+						multilineKey = key;
+					}
+				}
+				if (updates[key] === null) continue;
+				remaining.push(`${key} = ${updates[key]}`);
+				if (inMultiline) {
+					for (let j = i + 1; j < sectionBody.length; j++) if (sectionBody[j].includes(MULTILINE_OPEN)) {
+						i = j;
+						inMultiline = false;
+						break;
+					}
+				}
+				continue;
+			}
+		}
+		remaining.push(line);
+	}
+	for (const [key, value] of Object.entries(updates)) if (value !== null && !updatedKeys.has(key)) remaining.push(`${key} = ${value}`);
+	const result = [
+		...before,
+		...remaining,
+		...after
+	].join("\n");
+	return Either.right(result);
+};
+/**
+* Append a new TOML section block to the end of the file.
+* Ensures proper spacing (double newline before the block).
+*/
+const appendSection = (raw, block) => `${raw.trimEnd()}\n\n${block}`;
 //#endregion
 //#region src/core/fleet.ts
 const CONFIG_FILENAME = "envpkt.toml";
@@ -2217,4 +2367,4 @@ const startServer = async () => {
 };
 //#endregion
-export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateKeypair, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigRecipient, validateConfig };
+export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateKeypair, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigRecipient, updateSectionFields, validateConfig };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.6.10",
+  "version": "0.7.0",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",