envpkt 0.7.2 → 0.7.3

package/dist/cli.js

@@ -14,7 +14,6 @@ import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, ListResourcesRequestSchema, ListToolsRequestSchema, ReadResourceRequestSchema } from "@modelcontextprotocol/sdk/types.js";
 import { createInterface } from "node:readline";
-
 //#region src/core/audit.ts
 const MS_PER_DAY = 864e5;
 const WARN_BEFORE_DAYS = 30;
@@ -112,7 +111,6 @@ const computeEnvAudit = (config, env = process.env) => {
 		missing: entries.filter((e) => e.status === "missing").length
 	};
 };
-
 //#endregion
 //#region src/core/schema.ts
 const DATE_RE$1 = /^\d{4}-\d{2}-\d{2}$/;
@@ -207,7 +205,6 @@ const EnvpktConfigSchema = Type.Object({
 	title: "envpkt configuration",
 	description: "Credential lifecycle and fleet management configuration for AI agents"
 });
-
 //#endregion
 //#region src/core/config.ts
 const CONFIG_FILENAME$2 = "envpkt.toml";
@@ -368,7 +365,6 @@ const resolveConfigPath = (flagPath, envVar, cwd) => {
 		source
 	}));
 };
-
 //#endregion
 //#region src/core/catalog.ts
 /** Load and validate a catalog file, mapping ConfigError → CatalogError */
@@ -445,7 +441,6 @@ const resolveConfig = (agentConfig, agentConfigDir) => {
 		};
 	}));
 };
-
 //#endregion
 //#region src/cli/output.ts
 const RESET = "\x1B[0m";
@@ -652,7 +647,6 @@ const formatConfigSource = (path, source) => {
 	if (source === "cwd") return "";
 	return `${DIM}envpkt: loaded ${path}${RESET}`;
 };
-
 //#endregion
 //#region src/cli/commands/audit.ts
 const runAudit = (options) => {
@@ -731,7 +725,6 @@ const runAuditOnConfig = (config, options) => {
 	const code = options.strict ? exitCodeForAudit(audit) : audit.status === "critical" ? 2 : 0;
 	process.exit(code);
 };
-
 //#endregion
 //#region src/fnox/cli.ts
 /** Export all secrets from fnox as key=value pairs for a given profile */
@@ -764,7 +757,6 @@ const fnoxExport = (profile, agentKey) => {
 		return Right(entries);
 	});
 };
-
 //#endregion
 //#region src/fnox/detect.ts
 const FNOX_CONFIG = "fnox.toml";
@@ -778,7 +770,6 @@ const fnoxAvailable = () => Try(() => {
 	execFileSync("fnox", ["--version"], { stdio: "pipe" });
 	return true;
 }).fold(() => false, (v) => v);
-
 //#endregion
 //#region src/fnox/identity.ts
 /** Check if the age CLI is available on PATH */
@@ -808,7 +799,6 @@ const unwrapAgentKey = (identityPath) => {
 		message: `age decrypt failed: ${err}`
 	}), (output) => Right(output.trim()));
 };
-
 //#endregion
 //#region src/fnox/parse.ts
 /** Read and parse fnox.toml, extracting secret keys and profiles */
@@ -829,7 +819,6 @@ const readFnoxConfig = (path) => Try(() => readFileSync(path, "utf-8")).fold((er
 }));
 /** Extract the set of secret key names from a parsed fnox config */
 const extractFnoxKeys = (config) => new Set(Object.keys(config.secrets));
-
 //#endregion
 //#region src/core/keygen.ts
 /** Resolve the age identity file path: ENVPKT_AGE_KEY_FILE env var > ~/.envpkt/age-key.txt */
@@ -929,7 +918,6 @@ const updateConfigRecipient = (configPath, recipient) => {
 		}), () => Right(true));
 	});
 };
-
 //#endregion
 //#region src/core/seal.ts
 /** Encrypt a plaintext string using age with the given recipient public key (armored output) */
@@ -1029,7 +1017,6 @@ const unsealSecrets = (meta, identityPath) => {
 	}
 	return Right(result);
 };
-
 //#endregion
 //#region src/core/boot.ts
 const resolveAndLoad = (opts) => resolveConfigPath(opts.configPath).fold((err) => Left(err), ({ path: configPath, source: configSource }) => loadConfig(configPath).fold((err) => Left(err), (config) => {
@@ -1153,7 +1140,6 @@ const bootSafe = (options) => {
 		});
 	});
 };
-
 //#endregion
 //#region src/core/patterns.ts
 const EXCLUDED_VARS = new Set([
@@ -1852,7 +1838,6 @@ const scanEnv = (env) => {
 	});
 	return results;
 };
-
 //#endregion
 //#region src/core/env.ts
 /** Scan env for credentials, returning structured results */
@@ -1935,7 +1920,6 @@ created = "${todayIso$1()}"
 	}
 	return blocks.join("\n");
 };
-
 //#endregion
 //#region src/core/toml-edit.ts
 const SECTION_RE = /^\[.+\]\s*$/;
@@ -2085,7 +2069,6 @@ const updateSectionFields = (raw, sectionHeader, updates) => {
 * Ensures proper spacing (double newline before the block).
 */
 const appendSection = (raw, block) => `${raw.trimEnd()}\n\n${block}`;
-
 //#endregion
 //#region src/cli/commands/env.ts
 const printPostWriteGuidance = () => {
@@ -2324,7 +2307,6 @@ const registerEnvCommands = (program) => {
 		runEnvRename(oldName, newName, options);
 	});
 };
-
 //#endregion
 //#region src/cli/commands/exec.ts
 const runExec = (args, options) => {
@@ -2378,7 +2360,6 @@ const runExec = (args, options) => {
 		process.exit(exitCode);
 	}
 };
-
 //#endregion
 //#region src/core/fleet.ts
 const CONFIG_FILENAME$1 = "envpkt.toml";
@@ -2443,7 +2424,6 @@ const scanFleet = (rootDir, options) => {
 		expiring_soon
 	};
 };
-
 //#endregion
 //#region src/cli/commands/fleet.ts
 const statusIcon = (status) => {
@@ -2473,7 +2453,6 @@ const runFleet = (options) => {
 	}
 	process.exit(fleet.status === "critical" ? 2 : 0);
 };
-
 //#endregion
 //#region src/cli/commands/init.ts
 const CONFIG_FILENAME = "envpkt.toml";
@@ -2584,14 +2563,12 @@ const runInit = (dir, options) => {
 		console.log(`  ${BOLD}Next:${RESET} Fill in metadata for each secret`);
 	});
 };
-
 //#endregion
 //#region src/core/format.ts
 const maskValue = (value) => {
 	if (value.length > 8) return `${value.slice(0, 3)}${"•".repeat(5)}${value.slice(-4)}`;
 	return "•".repeat(5);
 };
-
 //#endregion
 //#region src/cli/commands/inspect.ts
 const printSecretMeta = (meta, indent) => {
@@ -2711,7 +2688,6 @@ const runInspect = (options) => {
 		});
 	});
 };
-
 //#endregion
 //#region src/cli/commands/keygen.ts
 const runKeygen = (options) => {
@@ -2748,7 +2724,6 @@ const runKeygen = (options) => {
 		}
 	});
 };
-
 //#endregion
 //#region src/mcp/resources.ts
 const loadConfigSafe = () => {
@@ -2826,7 +2801,6 @@ const readResource = (uri) => {
 	const handler = resourceHandlers[uri];
 	return handler?.();
 };
-
 //#endregion
 //#region src/mcp/tools.ts
 const textResult = (text) => ({ content: [{
@@ -3017,7 +2991,6 @@ const callTool = (name, args) => {
 	if (!handler) return errorResult(`Unknown tool: ${name}`);
 	return handler(args);
 };
-
 //#endregion
 //#region src/mcp/server.ts
 const createServer = () => {
@@ -3058,7 +3031,6 @@ const startServer = async () => {
 	const transport = new StdioServerTransport();
 	await server.connect(transport);
 };
-
 //#endregion
 //#region src/cli/commands/mcp.ts
 const runMcp = (_options) => {
@@ -3067,7 +3039,6 @@ const runMcp = (_options) => {
 		process.exit(1);
 	});
 };
-
 //#endregion
 //#region src/cli/commands/resolve.ts
 const runResolve = (options) => {
@@ -3102,7 +3073,6 @@ const runResolve = (options) => {
 		});
 	});
 };
-
 //#endregion
 //#region src/core/resolve-values.ts
 /** Resolve plaintext values for the given keys via cascade: fnox → env → interactive prompt */
@@ -3138,7 +3108,6 @@ const resolveValues = async (keys, profile, agentKey) => {
 	}
 	return result;
 };
-
 //#endregion
 //#region src/cli/commands/seal.ts
 /** Write sealed values back into the TOML file, preserving structure */
@@ -3363,7 +3332,6 @@ const runSeal = async (options) => {
 		console.log(`${GREEN}Sealed${RESET} ${sealedCount} secret(s) into ${DIM}${configPath}${RESET}${summary}`);
 	});
 };
-
 //#endregion
 //#region src/cli/commands/secret.ts
 const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
@@ -3535,7 +3503,6 @@ const registerSecretCommands = (program) => {
 		runSecretRename(oldName, newName, options);
 	});
 };
-
 //#endregion
 //#region src/cli/commands/shell-hook.ts
 const ZSH_HOOK = `# envpkt shell hook — add to your .zshrc
@@ -3577,7 +3544,6 @@ const runShellHook = (shell) => {
 			process.exit(1);
 	}
 };
-
 //#endregion
 //#region src/cli/commands/upgrade.ts
 const getCurrentVersion = () => {
@@ -3639,7 +3605,6 @@ const runUpgrade = () => {
 	if (before === after && before !== "unknown") console.log(`\n${GREEN}✓${RESET} Already on latest version ${BOLD}${after}${RESET}`);
 	else console.log(`\n${GREEN}✓${RESET} Upgraded ${YELLOW}${before}${RESET} → ${BOLD}${after}${RESET}`);
 };
-
 //#endregion
 //#region src/cli/index.ts
 const program = new Command();
@@ -3688,6 +3653,5 @@ program.command("shell-hook").description("Output shell function for ambient cre
 	runShellHook(shell);
 });
 program.parse();
-
 //#endregion
-export {  };
+export {};

package/dist/index.d.ts

@@ -1,121 +1,121 @@
-import * as _sinclair_typebox0 from "@sinclair/typebox";
+import * as _$_sinclair_typebox0 from "@sinclair/typebox";
 import { Static } from "@sinclair/typebox";
 import { Either, List, Option } from "functype";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { CallToolResult, ReadResourceResult, Resource } from "@modelcontextprotocol/sdk/types.js";
 
 //#region src/core/schema.d.ts
-declare const ConsumerType: _sinclair_typebox0.TUnion<[_sinclair_typebox0.TLiteral<"agent">, _sinclair_typebox0.TLiteral<"service">, _sinclair_typebox0.TLiteral<"developer">, _sinclair_typebox0.TLiteral<"ci">]>;
+declare const ConsumerType: _$_sinclair_typebox0.TUnion<[_$_sinclair_typebox0.TLiteral<"agent">, _$_sinclair_typebox0.TLiteral<"service">, _$_sinclair_typebox0.TLiteral<"developer">, _$_sinclair_typebox0.TLiteral<"ci">]>;
 type ConsumerType = Static<typeof ConsumerType>;
-declare const IdentitySchema: _sinclair_typebox0.TObject<{
-  name: _sinclair_typebox0.TString;
-  consumer: _sinclair_typebox0.TOptional<_sinclair_typebox0.TUnion<[_sinclair_typebox0.TLiteral<"agent">, _sinclair_typebox0.TLiteral<"service">, _sinclair_typebox0.TLiteral<"developer">, _sinclair_typebox0.TLiteral<"ci">]>>;
-  description: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
-  expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  services: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
-  key_file: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  recipient: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  secrets: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+declare const IdentitySchema: _$_sinclair_typebox0.TObject<{
+  name: _$_sinclair_typebox0.TString;
+  consumer: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TUnion<[_$_sinclair_typebox0.TLiteral<"agent">, _$_sinclair_typebox0.TLiteral<"service">, _$_sinclair_typebox0.TLiteral<"developer">, _$_sinclair_typebox0.TLiteral<"ci">]>>;
+  description: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  capabilities: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
+  expires: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  services: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
+  key_file: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  recipient: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  secrets: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
 }>;
 type Identity = Static<typeof IdentitySchema>;
 /** @deprecated Use `IdentitySchema` instead */
-declare const AgentIdentitySchema: _sinclair_typebox0.TObject<{
-  name: _sinclair_typebox0.TString;
-  consumer: _sinclair_typebox0.TOptional<_sinclair_typebox0.TUnion<[_sinclair_typebox0.TLiteral<"agent">, _sinclair_typebox0.TLiteral<"service">, _sinclair_typebox0.TLiteral<"developer">, _sinclair_typebox0.TLiteral<"ci">]>>;
-  description: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
-  expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  services: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
-  key_file: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  recipient: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  secrets: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+declare const AgentIdentitySchema: _$_sinclair_typebox0.TObject<{
+  name: _$_sinclair_typebox0.TString;
+  consumer: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TUnion<[_$_sinclair_typebox0.TLiteral<"agent">, _$_sinclair_typebox0.TLiteral<"service">, _$_sinclair_typebox0.TLiteral<"developer">, _$_sinclair_typebox0.TLiteral<"ci">]>>;
+  description: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  capabilities: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
+  expires: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  services: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
+  key_file: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  recipient: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  secrets: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
 }>;
-declare const SecretMetaSchema: _sinclair_typebox0.TObject<{
-  service: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  rotation_url: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  comment: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
-  created: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  rotates: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  rate_limit: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  model_hint: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  source: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  encrypted_value: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  required: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
-  tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
+declare const SecretMetaSchema: _$_sinclair_typebox0.TObject<{
+  service: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  expires: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  rotation_url: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  purpose: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  comment: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  capabilities: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
+  created: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  rotates: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  rate_limit: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  model_hint: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  source: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  encrypted_value: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  required: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TBoolean>;
+  tags: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TString>>;
 }>;
 type SecretMeta = Static<typeof SecretMetaSchema>;
-declare const LifecycleConfigSchema: _sinclair_typebox0.TObject<{
-  stale_warning_days: _sinclair_typebox0.TOptional<_sinclair_typebox0.TNumber>;
-  require_expiration: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
-  require_service: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
+declare const LifecycleConfigSchema: _$_sinclair_typebox0.TObject<{
+  stale_warning_days: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TNumber>;
+  require_expiration: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TBoolean>;
+  require_service: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TBoolean>;
 }>;
 type LifecycleConfig = Static<typeof LifecycleConfigSchema>;
-declare const CallbackConfigSchema: _sinclair_typebox0.TObject<{
-  on_expiring: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  on_expired: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  on_audit_fail: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+declare const CallbackConfigSchema: _$_sinclair_typebox0.TObject<{
+  on_expiring: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  on_expired: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  on_audit_fail: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
 }>;
 type CallbackConfig = Static<typeof CallbackConfigSchema>;
-declare const ToolsConfigSchema: _sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TUnknown>;
+declare const ToolsConfigSchema: _$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TUnknown>;
 type ToolsConfig = Static<typeof ToolsConfigSchema>;
-declare const EnvMetaSchema: _sinclair_typebox0.TObject<{
-  value: _sinclair_typebox0.TString;
-  purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  comment: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
+declare const EnvMetaSchema: _$_sinclair_typebox0.TObject<{
+  value: _$_sinclair_typebox0.TString;
+  purpose: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  comment: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  tags: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TString>>;
 }>;
 type EnvMeta = Static<typeof EnvMetaSchema>;
-declare const EnvpktConfigSchema: _sinclair_typebox0.TObject<{
-  version: _sinclair_typebox0.TNumber;
-  catalog: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-  identity: _sinclair_typebox0.TOptional<_sinclair_typebox0.TObject<{
-    name: _sinclair_typebox0.TString;
-    consumer: _sinclair_typebox0.TOptional<_sinclair_typebox0.TUnion<[_sinclair_typebox0.TLiteral<"agent">, _sinclair_typebox0.TLiteral<"service">, _sinclair_typebox0.TLiteral<"developer">, _sinclair_typebox0.TLiteral<"ci">]>>;
-    description: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
-    expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    services: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
-    key_file: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    recipient: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    secrets: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
+declare const EnvpktConfigSchema: _$_sinclair_typebox0.TObject<{
+  version: _$_sinclair_typebox0.TNumber;
+  catalog: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+  identity: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TObject<{
+    name: _$_sinclair_typebox0.TString;
+    consumer: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TUnion<[_$_sinclair_typebox0.TLiteral<"agent">, _$_sinclair_typebox0.TLiteral<"service">, _$_sinclair_typebox0.TLiteral<"developer">, _$_sinclair_typebox0.TLiteral<"ci">]>>;
+    description: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    capabilities: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
+    expires: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    services: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
+    key_file: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    recipient: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    secrets: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
   }>>;
-  secret: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TObject<{
-    service: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    expires: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    rotation_url: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    comment: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    capabilities: _sinclair_typebox0.TOptional<_sinclair_typebox0.TArray<_sinclair_typebox0.TString>>;
-    created: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    rotates: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    rate_limit: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    model_hint: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    source: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    encrypted_value: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    required: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
-    tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
+  secret: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TObject<{
+    service: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    expires: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    rotation_url: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    purpose: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    comment: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    capabilities: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TArray<_$_sinclair_typebox0.TString>>;
+    created: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    rotates: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    rate_limit: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    model_hint: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    source: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    encrypted_value: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    required: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TBoolean>;
+    tags: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TString>>;
   }>>>;
-  env: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TObject<{
-    value: _sinclair_typebox0.TString;
-    purpose: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    comment: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    tags: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TString>>;
+  env: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TObject<{
+    value: _$_sinclair_typebox0.TString;
+    purpose: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    comment: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    tags: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TString>>;
   }>>>;
-  lifecycle: _sinclair_typebox0.TOptional<_sinclair_typebox0.TObject<{
-    stale_warning_days: _sinclair_typebox0.TOptional<_sinclair_typebox0.TNumber>;
-    require_expiration: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
-    require_service: _sinclair_typebox0.TOptional<_sinclair_typebox0.TBoolean>;
+  lifecycle: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TObject<{
+    stale_warning_days: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TNumber>;
+    require_expiration: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TBoolean>;
+    require_service: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TBoolean>;
   }>>;
-  callbacks: _sinclair_typebox0.TOptional<_sinclair_typebox0.TObject<{
-    on_expiring: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    on_expired: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
-    on_audit_fail: _sinclair_typebox0.TOptional<_sinclair_typebox0.TString>;
+  callbacks: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TObject<{
+    on_expiring: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    on_expired: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
+    on_audit_fail: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TString>;
   }>>;
-  tools: _sinclair_typebox0.TOptional<_sinclair_typebox0.TRecord<_sinclair_typebox0.TString, _sinclair_typebox0.TUnknown>>;
+  tools: _$_sinclair_typebox0.TOptional<_$_sinclair_typebox0.TRecord<_$_sinclair_typebox0.TString, _$_sinclair_typebox0.TUnknown>>;
 }>;
 type EnvpktConfig = Static<typeof EnvpktConfigSchema>;
 //#endregion

package/dist/index.js

@@ -11,7 +11,6 @@ import { createInterface } from "node:readline";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, ListResourcesRequestSchema, ListToolsRequestSchema, ReadResourceRequestSchema } from "@modelcontextprotocol/sdk/types.js";
-
 //#region src/core/schema.ts
 const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
 const URI_RE = /^https?:\/\/.+/;
@@ -107,7 +106,6 @@ const EnvpktConfigSchema = Type.Object({
 	title: "envpkt configuration",
 	description: "Credential lifecycle and fleet management configuration for AI agents"
 });
-
 //#endregion
 //#region src/core/config.ts
 const CONFIG_FILENAME$1 = "envpkt.toml";
@@ -282,7 +280,6 @@ const resolveConfigPath = (flagPath, envVar, cwd) => {
 		source
 	}));
 };
-
 //#endregion
 //#region src/core/catalog.ts
 /** Load and validate a catalog file, mapping ConfigError → CatalogError */
@@ -359,7 +356,6 @@ const resolveConfig = (agentConfig, agentConfigDir) => {
 		};
 	}));
 };
-
 //#endregion
 //#region src/core/format.ts
 const maskValue = (value) => {
@@ -432,7 +428,6 @@ const formatPacket = (result, options) => {
 	}
 	return sections.join("\n\n");
 };
-
 //#endregion
 //#region src/core/audit.ts
 const MS_PER_DAY = 864e5;
@@ -531,7 +526,6 @@ const computeEnvAudit = (config, env = process.env) => {
 		missing: entries.filter((e) => e.status === "missing").length
 	};
 };
-
 //#endregion
 //#region src/core/patterns.ts
 const EXCLUDED_VARS = new Set([
@@ -1230,7 +1224,6 @@ const scanEnv = (env) => {
 	});
 	return results;
 };
-
 //#endregion
 //#region src/core/env.ts
 /** Scan env for credentials, returning structured results */
@@ -1313,7 +1306,6 @@ created = "${todayIso()}"
 	}
 	return blocks.join("\n");
 };
-
 //#endregion
 //#region src/fnox/cli.ts
 /** Export all secrets from fnox as key=value pairs for a given profile */
@@ -1367,7 +1359,6 @@ const fnoxGet = (key, profile, agentKey) => {
 		message: `fnox get ${key} failed: ${err}`
 	}), (output) => Right(output.trim()));
 };
-
 //#endregion
 //#region src/fnox/detect.ts
 const FNOX_CONFIG = "fnox.toml";
@@ -1381,7 +1372,6 @@ const fnoxAvailable = () => Try(() => {
 	execFileSync("fnox", ["--version"], { stdio: "pipe" });
 	return true;
 }).fold(() => false, (v) => v);
-
 //#endregion
 //#region src/fnox/identity.ts
 /** Check if the age CLI is available on PATH */
@@ -1411,7 +1401,6 @@ const unwrapAgentKey = (identityPath) => {
 		message: `age decrypt failed: ${err}`
 	}), (output) => Right(output.trim()));
 };
-
 //#endregion
 //#region src/fnox/parse.ts
 /** Read and parse fnox.toml, extracting secret keys and profiles */
@@ -1432,7 +1421,6 @@ const readFnoxConfig = (path) => Try(() => readFileSync(path, "utf-8")).fold((er
 }));
 /** Extract the set of secret key names from a parsed fnox config */
 const extractFnoxKeys = (config) => new Set(Object.keys(config.secrets));
-
 //#endregion
 //#region src/core/keygen.ts
 /** Resolve the age identity file path: ENVPKT_AGE_KEY_FILE env var > ~/.envpkt/age-key.txt */
@@ -1537,7 +1525,6 @@ const updateConfigRecipient = (configPath, recipient) => {
 		}), () => Right(true));
 	});
 };
-
 //#endregion
 //#region src/core/seal.ts
 /** Encrypt a plaintext string using age with the given recipient public key (armored output) */
@@ -1637,7 +1624,6 @@ const unsealSecrets = (meta, identityPath) => {
 	}
 	return Right(result);
 };
-
 //#endregion
 //#region src/core/boot.ts
 const resolveAndLoad = (opts) => resolveConfigPath(opts.configPath).fold((err) => Left(err), ({ path: configPath, source: configSource }) => loadConfig(configPath).fold((err) => Left(err), (config) => {
@@ -1794,7 +1780,6 @@ const formatBootError = (error) => {
 		default: return `Boot error: ${JSON.stringify(error)}`;
 	}
 };
-
 //#endregion
 //#region src/core/resolve-values.ts
 /** Resolve plaintext values for the given keys via cascade: fnox → env → interactive prompt */
@@ -1830,7 +1815,6 @@ const resolveValues = async (keys, profile, agentKey) => {
 	}
 	return result;
 };
-
 //#endregion
 //#region src/core/toml-edit.ts
 const SECTION_RE = /^\[.+\]\s*$/;
@@ -1980,7 +1964,6 @@ const updateSectionFields = (raw, sectionHeader, updates) => {
 * Ensures proper spacing (double newline before the block).
 */
 const appendSection = (raw, block) => `${raw.trimEnd()}\n\n${block}`;
-
 //#endregion
 //#region src/core/fleet.ts
 const CONFIG_FILENAME = "envpkt.toml";
@@ -2045,7 +2028,6 @@ const scanFleet = (rootDir, options) => {
 		expiring_soon
 	};
 };
-
 //#endregion
 //#region src/fnox/sync.ts
 /** Compare fnox keys and envpkt meta keys to find mismatches */
@@ -2055,7 +2037,6 @@ const compareFnoxAndEnvpkt = (fnoxKeys, envpktKeys) => {
 		orphaned: List([...envpktKeys].filter((k) => !fnoxKeys.has(k)))
 	};
 };
-
 //#endregion
 //#region src/mcp/resources.ts
 const loadConfigSafe = () => {
@@ -2133,7 +2114,6 @@ const readResource = (uri) => {
 	const handler = resourceHandlers[uri];
 	return handler?.();
 };
-
 //#endregion
 //#region src/mcp/tools.ts
 const textResult = (text) => ({ content: [{
@@ -2324,7 +2304,6 @@ const callTool = (name, args) => {
 	if (!handler) return errorResult(`Unknown tool: ${name}`);
 	return handler(args);
 };
-
 //#endregion
 //#region src/mcp/server.ts
 const createServer = () => {
@@ -2365,6 +2344,5 @@ const startServer = async () => {
 	const transport = new StdioServerTransport();
 	await server.connect(transport);
 };
-
 //#endregion
-export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateKeypair, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigRecipient, updateSectionFields, validateConfig };
+export { AgentIdentitySchema, CallbackConfigSchema, ConsumerType, EnvMetaSchema, EnvpktBootError, EnvpktConfigSchema, IdentitySchema, LifecycleConfigSchema, SecretMetaSchema, ToolsConfigSchema, ageAvailable, ageDecrypt, ageEncrypt, appendSection, boot, bootSafe, callTool, compareFnoxAndEnvpkt, computeAudit, computeEnvAudit, createServer, deriveServiceFromName, detectFnox, discoverConfig, envCheck, envScan, extractFnoxKeys, findConfigPath, fnoxAvailable, fnoxExport, fnoxGet, formatPacket, generateKeypair, generateTomlFromScan, loadCatalog, loadConfig, loadConfigFromCwd, maskValue, matchEnvVar, matchValueShape, parseToml, readConfigFile, readFnoxConfig, readResource, removeSection, renameSection, resolveConfig, resolveConfigPath, resolveInlineKey, resolveKeyPath, resolveSecrets, resolveValues, resourceDefinitions, scanEnv, scanFleet, sealSecrets, startServer, toolDefinitions, unsealSecrets, unwrapAgentKey, updateConfigRecipient, updateSectionFields, validateConfig };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "envpkt",
-  "version": "0.7.2",
+  "version": "0.7.3",
   "description": "Credential lifecycle and fleet management for AI agents",
   "keywords": [
     "credentials",
@@ -20,36 +20,18 @@
   "bin": {
     "envpkt": "dist/cli.js"
   },
-  "scripts": {
-    "validate": "ts-builds validate",
-    "format": "ts-builds format",
-    "format:check": "ts-builds format:check",
-    "lint": "ts-builds lint",
-    "lint:check": "ts-builds lint:check",
-    "typecheck": "ts-builds typecheck",
-    "test": "ts-builds test",
-    "test:watch": "ts-builds test:watch",
-    "test:coverage": "ts-builds test:coverage",
-    "build": "ts-builds build",
-    "build:schema": "tsx scripts/build-schema.ts",
-    "demo": "tsx scripts/generate-demo-html.ts",
-    "dev": "ts-builds dev",
-    "docs:dev": "pnpm --dir site dev",
-    "docs:build": "pnpm --dir site build",
-    "prepublishOnly": "pnpm validate"
-  },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.27.1",
-    "@sinclair/typebox": "^0.34.48",
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "@sinclair/typebox": "^0.34.49",
     "commander": "^14.0.3",
-    "functype": "^0.49.0",
-    "functype-os": "^0.3.0",
-    "smol-toml": "^1.6.0"
+    "functype": "^0.56.0",
+    "functype-os": "^0.4.2",
+    "smol-toml": "^1.6.1"
   },
   "devDependencies": {
-    "@types/node": "^24.12.0",
-    "ts-builds": "^2.5.2",
-    "tsdown": "^0.20.3",
+    "@types/node": "^24.12.2",
+    "ts-builds": "^2.6.3",
+    "tsdown": "^0.21.7",
     "tsx": "^4.21.0"
   },
   "type": "module",
@@ -70,5 +52,21 @@
     "schemas"
   ],
   "prettier": "ts-builds/prettier",
-  "packageManager": "pnpm@10.32.1+sha512.a706938f0e89ac1456b6563eab4edf1d1faf3368d1191fc5c59790e96dc918e4456ab2e67d613de1043d2e8c81f87303e6b40d4ffeca9df15ef1ad567348f2be"
-}
+  "scripts": {
+    "validate": "ts-builds validate",
+    "format": "ts-builds format",
+    "format:check": "ts-builds format:check",
+    "lint": "ts-builds lint",
+    "lint:check": "ts-builds lint:check",
+    "typecheck": "ts-builds typecheck",
+    "test": "ts-builds test",
+    "test:watch": "ts-builds test:watch",
+    "test:coverage": "ts-builds test:coverage",
+    "build": "ts-builds build",
+    "build:schema": "tsx scripts/build-schema.ts",
+    "demo": "tsx scripts/generate-demo-html.ts",
+    "dev": "ts-builds dev",
+    "docs:dev": "pnpm --dir site dev",
+    "docs:build": "pnpm --dir site build"
+  }
+}