envpkt 0.7.3 → 0.8.1

package/dist/cli.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
-import { dirname, join, resolve } from "node:path";
+import { basename, dirname, join, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { Command } from "commander";
 import { Cond, Either, Left, List, Option, Right, Try } from "functype";
@@ -24,17 +24,17 @@ const parseDate = (dateStr) => {
 };
 const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration, requireService, today) => {
 	const issues = [];
-	const created = Option(meta?.created).flatMap(parseDate);
-	const expires = Option(meta?.expires).flatMap(parseDate);
-	const rotationUrl = Option(meta?.rotation_url);
-	const purpose = Option(meta?.purpose);
-	const service = Option(meta?.service);
+	const created = Option(meta.created).flatMap(parseDate);
+	const expires = Option(meta.expires).flatMap(parseDate);
+	const rotationUrl = Option(meta.rotation_url);
+	const purpose = Option(meta.purpose);
+	const service = Option(meta.service);
 	const daysRemaining = expires.map((exp) => daysBetween(today, exp));
 	const daysSinceCreated = created.map((c) => daysBetween(c, today));
 	const isExpired = daysRemaining.fold(() => false, (d) => d < 0);
 	const isExpiringSoon = daysRemaining.fold(() => false, (d) => d >= 0 && d <= WARN_BEFORE_DAYS);
 	const isStale = daysSinceCreated.fold(() => false, (d) => d > staleWarningDays);
-	const hasSealed = !!meta?.encrypted_value;
+	const hasSealed = !!meta.encrypted_value;
 	const isMissing = fnoxKeys.size > 0 && !fnoxKeys.has(key) && !hasSealed;
 	const isMissingMetadata = requireExpiration && expires.isNone() || requireService && service.isNone();
 	if (isExpired) issues.push("Secret has expired");
@@ -52,8 +52,8 @@ const classifySecret = (key, meta, fnoxKeys, staleWarningDays, requireExpiration
 		days_remaining: daysRemaining,
 		rotation_url: rotationUrl,
 		purpose,
-		created: Option(meta?.created),
-		expires: Option(meta?.expires),
+		created: Option(meta.created),
+		expires: Option(meta.expires),
 		issues: List(issues)
 	};
 };
@@ -91,18 +91,17 @@ const computeAudit = (config, fnoxKeys, today) => {
 };
 const computeEnvAudit = (config, env = process.env) => {
 	const envEntries = config.env ?? {};
-	const entries = [];
-	for (const [key, entry] of Object.entries(envEntries)) {
+	const entries = Object.entries(envEntries).map(([key, entry]) => {
 		const currentValue = env[key];
 		const status = Cond.of().when(currentValue === void 0, "missing").elseWhen(currentValue !== entry.value, "overridden").else("default");
-		entries.push({
+		return {
 			key,
 			defaultValue: entry.value,
 			currentValue,
 			status,
 			purpose: entry.purpose
-		});
-	}
+		};
+	});
 	return {
 		entries,
 		total: entries.length,
@@ -220,7 +219,7 @@ const normalizeDates = (obj) => {
 /** Expand ~ and $ENV_VAR / ${ENV_VAR} in a path string (silent — unresolved vars become "") */
 const expandPath = (p) => {
 	return Path.expandTilde(p).replace(/\$\{(\w+)\}|\$(\w+)/g, (_, braced, bare) => {
-		const name = braced ?? bare ?? "";
+		const name = Option(braced).fold(() => Option(bare).fold(() => "", (b) => b), (b) => b);
 		return Env.getOrDefault(name, "");
 	});
 };
@@ -255,10 +254,9 @@ const ENV_FALLBACK_PATHS = [
 ];
 /** Build discovery paths dynamically from Platform home and cloud storage detection */
 const buildSearchPaths = () => {
-	const paths = [];
-	for (const home of Platform.homeDirs().toArray()) paths.push(join(home, ".envpkt", CONFIG_FILENAME$2));
-	for (const cloud of Platform.cloudStorageDirs().toArray()) paths.push(join(cloud.path, ".envpkt", CONFIG_FILENAME$2));
-	return paths;
+	const homePaths = Platform.homeDirs().toArray().map((home) => join(home, ".envpkt", CONFIG_FILENAME$2));
+	const cloudPaths = Platform.cloudStorageDirs().toArray().map((cloud) => join(cloud.path, ".envpkt", CONFIG_FILENAME$2));
+	return [...homePaths, ...cloudPaths];
 };
 /** Discover config by checking CWD, then ENVPKT_SEARCH_PATH, then dynamic Platform paths */
 const discoverConfig = (cwd) => {
@@ -267,28 +265,24 @@ const discoverConfig = (cwd) => {
 		path: cwdCandidate,
 		source: "cwd"
 	});
-	const customPaths = Env.get("ENVPKT_SEARCH_PATH").fold(() => [], (v) => v.split(":").filter(Boolean));
-	for (const template of customPaths) {
-		const expanded = expandPath(template);
-		if (!expanded || expanded.startsWith("/.envpkt")) continue;
-		const matches = expandGlobPath(expanded);
-		if (matches.length > 0) return Option({
-			path: matches[0],
-			source: "search"
-		});
-	}
-	for (const p of buildSearchPaths()) if (Fs.existsSync(p)) return Option({
-		path: p,
+	const customMatch = Env.get("ENVPKT_SEARCH_PATH").fold(() => [], (v) => v.split(":").filter(Boolean)).map((template) => ({
+		template,
+		expanded: expandPath(template)
+	})).filter(({ expanded }) => expanded !== "" && !expanded.startsWith("/.envpkt")).map(({ expanded }) => expandGlobPath(expanded)).find((matches) => matches.length > 0);
+	if (customMatch) return Option({
+		path: customMatch[0],
+		source: "search"
+	});
+	const platformMatch = buildSearchPaths().find((p) => Fs.existsSync(p));
+	if (platformMatch) return Option({
+		path: platformMatch,
+		source: "search"
+	});
+	const fallbackMatch = ENV_FALLBACK_PATHS.map((template) => expandPath(template)).filter((expanded) => expanded !== "" && !expanded.startsWith("/.envpkt")).find((expanded) => Fs.existsSync(expanded));
+	if (fallbackMatch) return Option({
+		path: fallbackMatch,
 		source: "search"
 	});
-	for (const template of ENV_FALLBACK_PATHS) {
-		const expanded = expandPath(template);
-		if (!expanded || expanded.startsWith("/.envpkt")) continue;
-		if (Fs.existsSync(expanded)) return Option({
-			path: expanded,
-			source: "search"
-		});
-	}
 	return Option(void 0);
 };
 /** Read a config file, returning Either<ConfigError, string> */
@@ -380,22 +374,21 @@ const loadCatalog = (catalogPath) => loadConfig(catalogPath).fold((err) => {
 }, (config) => Right(config));
 /** Resolve secrets by merging catalog meta with agent overrides (shallow merge) */
 const resolveSecrets = (agentMeta, catalogMeta, agentSecrets, catalogPath) => {
-	const resolved = {};
-	for (const key of agentSecrets) {
-		const catalogEntry = catalogMeta[key];
-		if (!catalogEntry) return Left({
+	return agentSecrets.reduce((acc, key) => acc.flatMap((resolved) => {
+		if (!(key in catalogMeta)) return Left({
 			_tag: "SecretNotInCatalog",
 			key,
 			catalogPath
 		});
-		const agentOverride = agentMeta[key];
-		if (agentOverride) resolved[key] = {
-			...catalogEntry,
-			...agentOverride
-		};
-		else resolved[key] = catalogEntry;
-	}
-	return Right(resolved);
+		const catalogEntry = catalogMeta[key];
+		return Right({
+			...resolved,
+			[key]: key in agentMeta ? {
+				...catalogEntry,
+				...agentMeta[key]
+			} : catalogEntry
+		});
+	}), Right({}));
 };
 /** Resolve an agent config against its catalog (if any), producing a flat self-contained config */
 const resolveConfig = (agentConfig, agentConfigDir) => {
@@ -413,13 +406,9 @@ const resolveConfig = (agentConfig, agentConfigDir) => {
 	const agentSecrets = agentConfig.identity.secrets;
 	const agentSecretEntries = agentConfig.secret ?? {};
 	return loadCatalog(catalogPath).flatMap((catalogConfig) => resolveSecrets(agentSecretEntries, catalogConfig.secret ?? {}, agentSecrets, catalogPath).map((resolvedMeta) => {
-		const merged = [];
-		const overridden = [];
+		const merged = [...agentSecrets];
+		const overridden = agentSecrets.filter((key) => key in agentSecretEntries);
 		const warnings = [];
-		for (const key of agentSecrets) {
-			merged.push(key);
-			if (agentSecretEntries[key]) overridden.push(key);
-		}
 		const { catalog: _catalog, ...agentWithoutCatalog } = agentConfig;
 		const identityData = agentConfig.identity ? (() => {
 			const { secrets: _secrets, ...rest } = agentConfig.identity;
@@ -449,6 +438,8 @@ const DIM = "\x1B[2m";
 const RED = "\x1B[31m";
 const GREEN = "\x1B[32m";
 const YELLOW = "\x1B[33m";
+const BLUE = "\x1B[34m";
+const MAGENTA = "\x1B[35m";
 const CYAN = "\x1B[36m";
 const statusColor = (status) => {
 	switch (status) {
@@ -677,11 +668,11 @@ const formatEnvAuditTable = (config) => {
 		return;
 	}
 	console.log(`\n${BOLD}Environment Defaults${RESET} (${envAudit.total} entries)`);
-	for (const entry of envAudit.entries) {
+	envAudit.entries.forEach((entry) => {
 		const statusIcon = entry.status === "default" ? `${GREEN}=${RESET}` : entry.status === "overridden" ? `${YELLOW}~${RESET}` : `${RED}!${RESET}`;
 		const statusLabel = entry.status === "default" ? `${DIM}using default${RESET}` : entry.status === "overridden" ? `${YELLOW}overridden${RESET} (${entry.currentValue})` : `${RED}not set${RESET}`;
 		console.log(`  ${statusIcon} ${BOLD}${entry.key}${RESET} = "${entry.defaultValue}" ${statusLabel}`);
-	}
+	});
 };
 const formatEnvAuditJson = (config) => {
 	const envAudit = computeEnvAudit(config);
@@ -699,24 +690,24 @@ const runAuditOnConfig = (config, options) => {
 		const secretEntries = config.secret ?? {};
 		return {
 			...audit,
-			secrets: audit.secrets.filter((s) => !!secretEntries[s.key]?.encrypted_value)
+			secrets: audit.secrets.filter((s) => !!secretEntries[s.key].encrypted_value)
 		};
 	})() : audit;
 	const afterExternal = options.external ? (() => {
 		const secretEntries = config.secret ?? {};
 		return {
 			...afterSealed,
-			secrets: afterSealed.secrets.filter((s) => !secretEntries[s.key]?.encrypted_value)
+			secrets: afterSealed.secrets.filter((s) => !secretEntries[s.key].encrypted_value)
 		};
 	})() : afterSealed;
 	const afterStatus = options.status ? {
 		...afterExternal,
 		secrets: afterExternal.secrets.filter((s) => s.status === options.status)
 	} : afterExternal;
-	const filtered = options.expiring !== void 0 ? {
+	const filtered = Option(options.expiring).fold(() => afterStatus, (expiring) => ({
 		...afterStatus,
-		secrets: afterStatus.secrets.filter((s) => s.days_remaining.fold(() => false, (d) => d >= 0 && d <= options.expiring))
-	} : afterStatus;
+		secrets: afterStatus.secrets.filter((s) => s.days_remaining.fold(() => false, (d) => d >= 0 && d <= expiring))
+	}));
 	if (options.format === "json") console.log(formatAuditJson(filtered));
 	else if (options.format === "minimal") console.log(formatAuditMinimal(filtered));
 	else console.log(formatAudit(filtered));
@@ -747,13 +738,13 @@ const fnoxExport = (profile, agentKey) => {
 		message: `fnox export failed: ${err}`
 	}), (output) => {
 		const entries = {};
-		for (const line of output.split("\n")) {
+		output.split("\n").forEach((line) => {
 			const eq = line.indexOf("=");
 			if (eq > 0) {
 				const key = line.slice(0, eq).trim();
 				entries[key] = line.slice(eq + 1).trim();
 			}
-		}
+		});
 		return Right(entries);
 	});
 };
@@ -777,27 +768,38 @@ const ageAvailable = () => Try(() => {
 	execFileSync("age", ["--version"], { stdio: "pipe" });
 	return true;
 }).fold(() => false, (v) => v);
-/** Unwrap an encrypted agent key using age --decrypt */
+/**
+* Extract the secret key from an age identity file (plain or encrypted).
+* - Plain identity files (from `age-keygen`) contain `AGE-SECRET-KEY-*` lines directly
+* - Encrypted identity files need `age --decrypt` to unwrap
+*/
 const unwrapAgentKey = (identityPath) => {
 	if (!existsSync(identityPath)) return Left({
 		_tag: "IdentityNotFound",
 		path: identityPath
 	});
-	if (!ageAvailable()) return Left({
-		_tag: "AgeNotFound",
-		message: "age CLI not found on PATH"
-	});
-	return Try(() => execFileSync("age", ["--decrypt", identityPath], {
-		stdio: [
-			"pipe",
-			"pipe",
-			"pipe"
-		],
-		encoding: "utf-8"
-	})).fold((err) => Left({
+	return Try(() => readFileSync(identityPath, "utf-8")).fold((err) => Left({
 		_tag: "DecryptFailed",
-		message: `age decrypt failed: ${err}`
-	}), (output) => Right(output.trim()));
+		message: `Failed to read identity file: ${err}`
+	}), (content) => {
+		const secretKeyLine = content.split("\n").find((l) => l.startsWith("AGE-SECRET-KEY-"));
+		if (secretKeyLine) return Right(secretKeyLine.trim());
+		if (!ageAvailable()) return Left({
+			_tag: "AgeNotFound",
+			message: "age CLI not found on PATH"
+		});
+		return Try(() => execFileSync("age", ["--decrypt", identityPath], {
+			stdio: [
+				"pipe",
+				"pipe",
+				"pipe"
+			],
+			encoding: "utf-8"
+		})).fold((err) => Left({
+			_tag: "DecryptFailed",
+			message: `age decrypt failed: ${err}`
+		}), (output) => Right(output.trim()));
+	});
 };
 //#endregion
 //#region src/fnox/parse.ts
@@ -823,14 +825,14 @@ const extractFnoxKeys = (config) => new Set(Object.keys(config.secrets));
 //#region src/core/keygen.ts
 /** Resolve the age identity file path: ENVPKT_AGE_KEY_FILE env var > ~/.envpkt/age-key.txt */
 const resolveKeyPath = () => process.env["ENVPKT_AGE_KEY_FILE"] ?? join(homedir(), ".envpkt", "age-key.txt");
-/** Generate an age keypair and write to disk */
+/** Generate an age keypair and write to disk. Refuses to overwrite if the file already exists. */
 const generateKeypair = (options) => {
 	if (!ageAvailable()) return Left({
 		_tag: "AgeNotFound",
 		message: "age-keygen CLI not found on PATH. Install age: https://github.com/FiloSottile/age"
 	});
 	const outputPath = options?.outputPath ?? resolveKeyPath();
-	if (existsSync(outputPath) && !options?.force) return Left({
+	if (existsSync(outputPath)) return Left({
 		_tag: "KeyExists",
 		path: outputPath
 	});
@@ -872,46 +874,77 @@ const generateKeypair = (options) => {
 		}));
 	});
 };
-/** Update identity.recipient in an envpkt.toml file, preserving structure */
-const updateConfigRecipient = (configPath, recipient) => {
-	return Try(() => readFileSync(configPath, "utf-8")).fold((err) => Left({
+/** Update identity fields (recipient, key_file, name) in an envpkt.toml file, preserving structure */
+const updateConfigIdentity = (configPath, options) => {
+	const readResult = Try(() => readFileSync(configPath, "utf-8"));
+	const fieldUpdaters = [
+		{
+			re: /^recipient\s*=/,
+			line: `recipient = "${options.recipient}"`
+		},
+		...options.name ? [{
+			re: /^name\s*=/,
+			line: `name = "${options.name}"`
+		}] : [],
+		...options.keyFile ? [{
+			re: /^key_file\s*=/,
+			line: `key_file = "${options.keyFile}"`
+		}] : []
+	];
+	return readResult.fold((err) => Left({
 		_tag: "ConfigUpdateError",
 		message: `Failed to read config: ${err}`
 	}), (raw) => {
 		const lines = raw.split("\n");
-		const output = [];
-		let inIdentitySection = false;
-		let recipientUpdated = false;
-		let hasIdentitySection = false;
-		for (const line of lines) {
-			if (/^\[identity\]\s*$/.test(line)) {
-				inIdentitySection = true;
-				hasIdentitySection = true;
-				output.push(line);
-				continue;
-			}
+		const updatedFields = /* @__PURE__ */ new Set();
+		const acc = lines.reduce((state, line) => {
+			if (/^\[identity\]\s*$/.test(line)) return {
+				...state,
+				output: [...state.output, line],
+				inIdentitySection: true,
+				hasIdentitySection: true
+			};
 			if (/^\[/.test(line) && !/^\[identity\]\s*$/.test(line)) {
-				if (inIdentitySection && !recipientUpdated) {
-					output.push(`recipient = "${recipient}"`);
-					recipientUpdated = true;
-				}
-				inIdentitySection = false;
-				output.push(line);
-				continue;
+				const missing = state.inIdentitySection ? fieldUpdaters.filter((f) => !updatedFields.has(f.re.source)).map((f) => f.line) : [];
+				missing.forEach((l) => updatedFields.add(l));
+				return {
+					...state,
+					output: [
+						...state.output,
+						...missing,
+						line
+					],
+					inIdentitySection: false
+				};
 			}
-			if (inIdentitySection && /^recipient\s*=/.test(line)) {
-				output.push(`recipient = "${recipient}"`);
-				recipientUpdated = true;
-				continue;
+			if (state.inIdentitySection) {
+				const match = fieldUpdaters.find((f) => f.re.test(line));
+				if (match) {
+					updatedFields.add(match.re.source);
+					return {
+						...state,
+						output: [...state.output, match.line]
+					};
+				}
 			}
-			output.push(line);
-		}
-		if (inIdentitySection && !recipientUpdated) output.push(`recipient = "${recipient}"`);
-		if (!hasIdentitySection) {
-			output.push("");
-			output.push("[identity]");
-			output.push(`recipient = "${recipient}"`);
-		}
+			return {
+				...state,
+				output: [...state.output, line]
+			};
+		}, {
+			output: [],
+			inIdentitySection: false,
+			hasIdentitySection: false
+		});
+		const missingAtEof = acc.inIdentitySection ? fieldUpdaters.filter((f) => !updatedFields.has(f.re.source)).map((f) => f.line) : [];
+		const afterEof = [...acc.output, ...missingAtEof];
+		const identityLines = fieldUpdaters.map((f) => f.line);
+		const output = !acc.hasIdentitySection ? [
+			...afterEof,
+			"",
+			"[identity]",
+			...identityLines
+		] : afterEof;
 		return Try(() => writeFileSync(configPath, output.join("\n"))).fold((err) => Left({
 			_tag: "ConfigUpdateError",
 			message: `Failed to write config: ${err}`
@@ -975,27 +1008,23 @@ const sealSecrets = (meta, values, recipient) => {
 		_tag: "AgeNotFound",
 		message: "age CLI not found on PATH"
 	});
-	const result = {};
-	for (const [key, secretMeta] of Object.entries(meta)) {
-		const plaintext = values[key];
-		if (plaintext === void 0) {
-			result[key] = secretMeta;
-			continue;
-		}
-		const outcome = ageEncrypt(plaintext, recipient).fold((err) => Left({
+	return Object.entries(meta).reduce((acc, [key, secretMeta]) => acc.flatMap((result) => {
+		if (!(key in values)) return Right({
+			...result,
+			[key]: secretMeta
+		});
+		return ageEncrypt(values[key], recipient).mapLeft((err) => ({
 			_tag: "EncryptFailed",
 			key,
 			message: err.message
-		}), (ciphertext) => Right(ciphertext));
-		const failed = outcome.fold((err) => err, () => void 0);
-		if (failed) return Left(failed);
-		const ciphertext = outcome.fold(() => "", (v) => v);
-		result[key] = {
-			...secretMeta,
-			encrypted_value: ciphertext
-		};
-	}
-	return Right(result);
+		})).map((ciphertext) => ({
+			...result,
+			[key]: {
+				...secretMeta,
+				encrypted_value: ciphertext
+			}
+		}));
+	}), Right({}));
 };
 /** Unseal secrets: decrypt encrypted_value for each meta entry that has one */
 const unsealSecrets = (meta, identityPath) => {
@@ -1003,19 +1032,14 @@ const unsealSecrets = (meta, identityPath) => {
 		_tag: "AgeNotFound",
 		message: "age CLI not found on PATH"
 	});
-	const result = {};
-	for (const [key, secretMeta] of Object.entries(meta)) {
-		if (!secretMeta.encrypted_value) continue;
-		const outcome = ageDecrypt(secretMeta.encrypted_value, identityPath).fold((err) => Left({
-			_tag: "DecryptFailed",
-			key,
-			message: err.message
-		}), (plaintext) => Right(plaintext));
-		const failed = outcome.fold((err) => err, () => void 0);
-		if (failed) return Left(failed);
-		result[key] = outcome.fold(() => "", (v) => v);
-	}
-	return Right(result);
+	return Object.entries(meta).filter(([, secretMeta]) => secretMeta.encrypted_value !== void 0 && secretMeta.encrypted_value !== "").reduce((acc, [key, secretMeta]) => acc.flatMap((result) => ageDecrypt(secretMeta.encrypted_value, identityPath).mapLeft((err) => ({
+		_tag: "DecryptFailed",
+		key,
+		message: err.message
+	})).map((plaintext) => ({
+		...result,
+		[key]: plaintext
+	}))), Right({}));
 };
 //#endregion
 //#region src/core/boot.ts
@@ -1030,15 +1054,13 @@ const resolveAndLoad = (opts) => resolveConfigPath(opts.configPath).fold((err) =
 }));
 /** Resolve identity file path with explicit fallback control */
 const resolveIdentityFilePath = (config, configDir, useDefaultFallback) => {
-	if (config.identity?.key_file) return resolve(configDir, expandPath(config.identity.key_file));
-	if (!useDefaultFallback) return void 0;
+	if (config.identity?.key_file) return Option(resolve(configDir, expandPath(config.identity.key_file)));
+	if (!useDefaultFallback) return Option(void 0);
 	const defaultPath = resolveKeyPath();
-	return existsSync(defaultPath) ? defaultPath : void 0;
+	return existsSync(defaultPath) ? Option(defaultPath) : Option(void 0);
 };
 const resolveIdentityKey = (config, configDir) => {
-	const identityPath = resolveIdentityFilePath(config, configDir, false);
-	if (!identityPath) return Right(void 0);
-	return unwrapAgentKey(identityPath).fold((err) => Left(err), (key) => Right(key));
+	return resolveIdentityFilePath(config, configDir, false).fold(() => Right(Option(void 0)), (path) => unwrapAgentKey(path).fold((err) => Left(err), (key) => Right(Option(key))));
 };
 const detectFnoxKeys = (configDir) => detectFnox(configDir).fold(() => /* @__PURE__ */ new Set(), (fnoxPath) => readFnoxConfig(fnoxPath).fold(() => /* @__PURE__ */ new Set(), (fnoxConfig) => extractFnoxKeys(fnoxConfig)));
 const checkExpiration = (audit, failOnExpired, warnOnly) => {
@@ -1066,10 +1088,8 @@ const looksLikeSecret = (value) => {
 	return false;
 };
 const checkEnvMisclassification = (config) => {
-	const warnings = [];
 	const envEntries = config.env ?? {};
-	for (const [key, entry] of Object.entries(envEntries)) if (looksLikeSecret(entry.value)) warnings.push(`[env.${key}] value looks like a secret — consider moving to [secret.${key}]`);
-	return warnings;
+	return Object.entries(envEntries).filter(([, entry]) => looksLikeSecret(entry.value)).map(([key]) => `[env.${key}] value looks like a secret — consider moving to [secret.${key}]`);
 };
 /** Programmatic boot — returns Either<BootError, BootResult> */
 const bootSafe = (options) => {
@@ -1080,11 +1100,13 @@ const bootSafe = (options) => {
 	return resolveAndLoad(opts).flatMap(({ config, configPath, configDir, configSource }) => {
 		const secretEntries = config.secret ?? {};
 		const metaKeys = Object.keys(secretEntries);
-		const hasSealedValues = metaKeys.some((k) => !!secretEntries[k]?.encrypted_value);
+		const hasSealedValues = metaKeys.some((k) => !!secretEntries[k].encrypted_value);
 		const identityKeyResult = resolveIdentityKey(config, configDir);
-		const identityKey = identityKeyResult.fold(() => void 0, (k) => k);
-		const identityKeyError = identityKeyResult.fold((err) => err, () => void 0);
-		if (identityKeyError && !hasSealedValues) return Left(identityKeyError);
+		const identityKey = identityKeyResult.fold(() => Option(void 0), (k) => k);
+		if (identityKeyResult.isLeft() && !hasSealedValues) return identityKeyResult.fold((err) => Left(err), () => Left({
+			_tag: "ReadError",
+			message: "unexpected"
+		}));
 		const audit = computeAudit(config, detectFnoxKeys(configDir));
 		return checkExpiration(audit, failOnExpired, warnOnly).map((warnings) => {
 			const secrets = {};
@@ -1092,40 +1114,47 @@ const bootSafe = (options) => {
 			const skipped = [];
 			warnings.push(...checkEnvMisclassification(config));
 			const envEntries = config.env ?? {};
-			const envDefaults = {};
-			const overridden = [];
-			for (const [key, entry] of Object.entries(envEntries)) if (process.env[key] === void 0) {
-				envDefaults[key] = entry.value;
-				if (inject) process.env[key] = entry.value;
-			} else overridden.push(key);
+			const envEntriesArr = Object.entries(envEntries);
+			const envDefaults = Object.fromEntries(envEntriesArr.flatMap(([key, entry]) => Option(process.env[key]).fold(() => [[key, entry.value]], () => [])));
+			const overridden = envEntriesArr.flatMap(([key]) => Option(process.env[key]).fold(() => [], () => [key]));
+			if (inject) Object.entries(envDefaults).forEach(([key, value]) => {
+				process.env[key] = value;
+			});
 			const sealedKeys = /* @__PURE__ */ new Set();
 			const identityFilePath = resolveIdentityFilePath(config, configDir, true);
-			if (hasSealedValues && identityFilePath) unsealSecrets(secretEntries, identityFilePath).fold((err) => {
-				warnings.push(`Sealed value decryption failed: ${err.message}`);
-			}, (unsealed) => {
-				for (const [key, value] of Object.entries(unsealed)) {
-					secrets[key] = value;
-					injected.push(key);
-					sealedKeys.add(key);
-				}
+			if (hasSealedValues) identityFilePath.fold(() => {
+				warnings.push("Sealed values found but no identity file available for decryption");
+			}, (idPath) => {
+				unsealSecrets(secretEntries, idPath).fold((err) => {
+					warnings.push(`Sealed value decryption failed: ${err.message}`);
+				}, (unsealed) => {
+					const unsealedEntries = Object.entries(unsealed);
+					Object.assign(secrets, unsealed);
+					injected.push(...unsealedEntries.map(([key]) => key));
+					unsealedEntries.map(([key]) => key).forEach((key) => sealedKeys.add(key));
+				});
 			});
-			else if (hasSealedValues && !identityFilePath) warnings.push("Sealed values found but no identity file available for decryption");
 			const remainingKeys = metaKeys.filter((k) => !sealedKeys.has(k));
-			if (remainingKeys.length > 0) if (fnoxAvailable()) fnoxExport(opts.profile, identityKey).fold((err) => {
+			if (remainingKeys.length > 0) if (fnoxAvailable()) fnoxExport(opts.profile, identityKey.orUndefined()).fold((err) => {
 				warnings.push(`fnox export failed: ${err.message}`);
-				for (const key of remainingKeys) skipped.push(key);
+				skipped.push(...remainingKeys);
 			}, (exported) => {
-				for (const key of remainingKeys) if (key in exported) {
+				const found = remainingKeys.filter((key) => key in exported);
+				const notFound = remainingKeys.filter((key) => !(key in exported));
+				found.forEach((key) => {
 					secrets[key] = exported[key];
-					injected.push(key);
-				} else skipped.push(key);
+				});
+				injected.push(...found);
+				skipped.push(...notFound);
 			});
 			else {
 				if (!hasSealedValues) warnings.push("fnox not available — no secrets injected");
 				else warnings.push("fnox not available — unsealed secrets could not be resolved");
-				for (const key of remainingKeys) skipped.push(key);
+				skipped.push(...remainingKeys);
 			}
-			if (inject) for (const [key, value] of Object.entries(secrets)) process.env[key] = value;
+			if (inject) Object.entries(secrets).forEach(([key, value]) => {
+				process.env[key] = value;
+			});
 			return {
 				audit,
 				injected,
@@ -1763,11 +1792,10 @@ const VALUE_SHAPE_PATTERNS = [
 ];
 /** Detect service from value prefix/shape */
 const matchValueShape = (value) => {
-	for (const vp of VALUE_SHAPE_PATTERNS) if (value.startsWith(vp.prefix)) return Option({
+	return Option(VALUE_SHAPE_PATTERNS.find((vp) => value.startsWith(vp.prefix))).map((vp) => ({
 		service: vp.service,
 		description: vp.description
-	});
-	return Option(void 0);
+	}));
 };
 /** Strip common suffixes and derive a service name from an env var name */
 const deriveServiceFromName = (name) => {
@@ -1795,22 +1823,22 @@ const deriveServiceFromName = (name) => {
 /** Match a single env var against all patterns */
 const matchEnvVar = (name, value) => {
 	if (EXCLUDED_VARS.has(name)) return Option(void 0);
-	for (const p of EXACT_NAME_PATTERNS) if (name === p.pattern) return Option({
+	const exactMatch = EXACT_NAME_PATTERNS.find((p) => name === p.pattern);
+	if (exactMatch) return Option({
 		envVar: name,
 		value,
-		service: Option(p.service),
-		confidence: p.confidence,
-		matchedBy: `exact:${p.pattern}`
+		service: Option(exactMatch.service),
+		confidence: exactMatch.confidence,
+		matchedBy: `exact:${exactMatch.pattern}`
 	});
 	return matchValueShape(value).fold(() => {
-		for (const sp of SUFFIX_PATTERNS) if (name.endsWith(sp.suffix)) return Option({
+		return Option(SUFFIX_PATTERNS.find((sp) => name.endsWith(sp.suffix))).map((sp) => ({
 			envVar: name,
 			value,
 			service: Option(deriveServiceFromName(name)),
 			confidence: "medium",
 			matchedBy: `suffix:${sp.suffix}`
-		});
-		return Option(void 0);
+		}));
 	}, (vm) => Option({
 		envVar: name,
 		value,
@@ -1821,11 +1849,10 @@ const matchEnvVar = (name, value) => {
 };
 /** Scan full env, sorted by confidence (high first) then alphabetically */
 const scanEnv = (env) => {
-	const results = [];
-	for (const [name, value] of Object.entries(env)) {
-		if (value === void 0 || value === "") continue;
-		matchEnvVar(name, value).fold(() => {}, (m) => results.push(m));
-	}
+	const results = Object.entries(env).flatMap(([name, value]) => {
+		if (value === void 0 || value === "") return [];
+		return matchEnvVar(name, value).fold(() => [], (m) => [m]);
+	});
 	const confidenceOrder = {
 		high: 0,
 		medium: 1,
@@ -1858,38 +1885,44 @@ const envScan = (env, options) => {
 };
 /** Bidirectional drift detection between config and live environment */
 const envCheck = (config, env) => {
-	const entries = [];
 	const secretEntries = config.secret ?? {};
 	const metaKeys = Object.keys(secretEntries);
 	const trackedSet = new Set(metaKeys);
-	for (const key of metaKeys) {
+	const secretDriftEntries = metaKeys.map((key) => {
 		const meta = secretEntries[key];
 		const present = env[key] !== void 0 && env[key] !== "";
-		entries.push({
+		return {
 			envVar: key,
-			service: Option(meta?.service),
+			service: Option(meta.service),
 			status: present ? "tracked" : "missing_from_env",
 			confidence: Option(void 0)
-		});
-	}
+		};
+	});
 	const envDefaults = config.env ?? {};
-	for (const key of Object.keys(envDefaults)) if (!trackedSet.has(key)) {
+	const envDefaultEntries = Object.keys(envDefaults).filter((key) => {
+		if (trackedSet.has(key)) return false;
 		trackedSet.add(key);
+		return true;
+	}).map((key) => {
 		const present = env[key] !== void 0 && env[key] !== "";
-		entries.push({
+		return {
 			envVar: key,
 			service: Option(void 0),
 			status: present ? "tracked" : "missing_from_env",
 			confidence: Option(void 0)
-		});
-	}
-	const envMatches = scanEnv(env);
-	for (const match of envMatches) if (!trackedSet.has(match.envVar)) entries.push({
+		};
+	});
+	const untrackedEntries = scanEnv(env).filter((match) => !trackedSet.has(match.envVar)).map((match) => ({
 		envVar: match.envVar,
 		service: match.service,
 		status: "untracked",
 		confidence: Option(match.confidence)
-	});
+	}));
+	const entries = [
+		...secretDriftEntries,
+		...envDefaultEntries,
+		...untrackedEntries
+	];
 	const tracked_and_present = entries.filter((e) => e.status === "tracked").length;
 	const missing_from_env = entries.filter((e) => e.status === "missing_from_env").length;
 	const untracked_credentials = entries.filter((e) => e.status === "untracked").length;
@@ -1904,10 +1937,9 @@ const envCheck = (config, env) => {
 const todayIso$1 = () => (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
 /** Generate TOML [secret.*] blocks from scan results, mirroring init.ts pattern */
 const generateTomlFromScan = (matches) => {
-	const blocks = [];
-	for (const match of matches) {
+	return matches.map((match) => {
 		const svc = match.service.fold(() => match.envVar.toLowerCase().replace(/_/g, "-"), (s) => s);
-		blocks.push(`[secret.${match.envVar}]
+		return `[secret.${match.envVar}]
 service = "${svc}"
 # purpose = ""               # Why: what this secret enables
 # capabilities = []          # What operations this grants
@@ -1916,9 +1948,8 @@ created = "${todayIso$1()}"
 # rotation_url = ""          # URL for rotation procedure
 # source = ""                # Where the value originates (e.g. vault, ci)
 # tags = {}
-`);
-	}
-	return blocks.join("\n");
+`;
+	}).join("\n");
 };
 //#endregion
 //#region src/core/toml-edit.ts
@@ -1930,11 +1961,7 @@ const MULTILINE_OPEN = "\"\"\"";
 * Handles multiline `"""..."""` values when scanning for section boundaries.
 */
 const findSectionRange = (lines, sectionHeader) => {
-	let start = -1;
-	for (let i = 0; i < lines.length; i++) if (lines[i].trim() === sectionHeader) {
-		start = i;
-		break;
-	}
+	const start = lines.findIndex((l) => l.trim() === sectionHeader);
 	if (start === -1) return void 0;
 	let end = lines.length;
 	let inMultiline = false;
@@ -2056,7 +2083,8 @@ const updateSectionFields = (raw, sectionHeader, updates) => {
 		}
 		remaining.push(line);
 	}
-	for (const [key, value] of Object.entries(updates)) if (value !== null && !updatedKeys.has(key)) remaining.push(`${key} = ${value}`);
+	const newFields = Object.entries(updates).filter(([key, value]) => value !== null && !updatedKeys.has(key)).map(([key, value]) => `${key} = ${value}`);
+	remaining.push(...newFields);
 	const result = [
 		...before,
 		...remaining,
@@ -2156,13 +2184,21 @@ const runEnvExport = (options) => {
 	}, (boot) => {
 		const sourceMsg = formatConfigSource(boot.configPath, boot.configSource);
 		if (sourceMsg) console.error(sourceMsg);
-		for (const warning of boot.warnings) console.error(`${YELLOW}Warning:${RESET} ${warning}`);
-		for (const [key, value] of Object.entries(boot.envDefaults)) console.log(`export ${key}='${shellEscape(value)}'`);
+		boot.warnings.forEach((warning) => {
+			console.error(`${YELLOW}Warning:${RESET} ${warning}`);
+		});
+		Object.entries(boot.envDefaults).forEach(([key, value]) => {
+			console.log(`export ${key}='${shellEscape(value)}'`);
+		});
 		if (boot.overridden.length > 0) loadConfig(boot.configPath).fold(() => {}, (config) => {
 			const envEntries = config.env ?? {};
-			for (const key of boot.overridden) if (key in envEntries) console.log(`export ${key}='${shellEscape(envEntries[key].value)}'`);
+			boot.overridden.forEach((key) => {
+				if (key in envEntries) console.log(`export ${key}='${shellEscape(envEntries[key].value)}'`);
+			});
+		});
+		Object.entries(boot.secrets).forEach(([key, value]) => {
+			console.log(`export ${key}='${shellEscape(value)}'`);
 		});
-		for (const [key, value] of Object.entries(boot.secrets)) console.log(`export ${key}='${shellEscape(value)}'`);
 	});
 };
 const buildEnvBlock = (name, value, options) => {
@@ -2179,7 +2215,7 @@ const buildEnvBlock = (name, value, options) => {
 	return `${lines.join("\n")}\n`;
 };
 const withConfig$1 = (configFlag, fn) => {
-	resolveConfigPath(configFlag).fold((err) => {
+	resolveConfigPath(configFlag.orUndefined()).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
 	}, ({ path: configPath, source }) => {
@@ -2215,7 +2251,7 @@ const runEnvAdd = (name, value, options) => {
 	});
 };
 const runEnvEdit = (name, options) => {
-	withConfig$1(options.config, (configPath, raw) => {
+	withConfig$1(Option(options.config), (configPath, raw) => {
 		loadConfig(configPath).fold((err) => {
 			console.error(formatError(err));
 			process.exit(2);
@@ -2252,7 +2288,7 @@ const runEnvEdit = (name, options) => {
 	});
 };
 const runEnvRm = (name, options) => {
-	withConfig$1(options.config, (configPath, raw) => {
+	withConfig$1(Option(options.config), (configPath, raw) => {
 		removeSection(raw, `[env.${name}]`).fold((err) => {
 			console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
 			process.exit(1);
@@ -2268,7 +2304,7 @@ const runEnvRm = (name, options) => {
 	});
 };
 const runEnvRename = (oldName, newName, options) => {
-	withConfig$1(options.config, (configPath, raw) => {
+	withConfig$1(Option(options.config), (configPath, raw) => {
 		renameSection(raw, `[env.${oldName}]`, `[env.${newName}]`).fold((err) => {
 			console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
 			process.exit(1);
@@ -2345,20 +2381,24 @@ const runExec = (args, options) => {
 		}
 		if (boot.audit.status === "critical" && options.warnOnly) console.error(`${YELLOW}Warning:${RESET} Proceeding despite critical audit status (--warn-only)`);
 	}
-	for (const warning of boot.warnings) console.error(`${YELLOW}Warning:${RESET} ${warning}`);
+	boot.warnings.forEach((warning) => {
+		console.error(`${YELLOW}Warning:${RESET} ${warning}`);
+	});
 	const env = { ...process.env };
-	for (const [key, value] of Object.entries(boot.envDefaults)) if (!(key in env)) env[key] = value;
-	for (const [key, value] of Object.entries(boot.secrets)) env[key] = value;
+	Object.entries(boot.envDefaults).forEach(([key, value]) => {
+		if (!(key in env)) env[key] = value;
+	});
+	Object.entries(boot.secrets).forEach(([key, value]) => {
+		env[key] = value;
+	});
 	const [cmd, ...cmdArgs] = args;
-	try {
-		execFileSync(cmd, cmdArgs, {
-			env,
-			stdio: "inherit"
-		});
-	} catch (err) {
+	Try(() => execFileSync(cmd, cmdArgs, {
+		env,
+		stdio: "inherit"
+	})).fold((err) => {
 		const exitCode = err.status ?? 1;
 		process.exit(exitCode);
-	}
+	}, () => {});
 };
 //#endregion
 //#region src/core/fleet.ts
@@ -2398,17 +2438,15 @@ function* findEnvpktFiles(dir, maxDepth, currentDepth = 0) {
 }
 const scanFleet = (rootDir, options) => {
 	const maxDepth = options?.maxDepth ?? 3;
-	const agents = [];
-	for (const configPath of findEnvpktFiles(rootDir, maxDepth)) loadConfig(configPath).fold(() => {}, (config) => {
+	const agentList = List(Array.from(findEnvpktFiles(rootDir, maxDepth)).flatMap((configPath) => loadConfig(configPath).fold(() => [], (config) => {
 		const audit = computeAudit(config);
-		agents.push({
+		return [{
 			path: configPath,
 			identity: config.identity,
-			min_expiry_days: audit.secrets.toArray().reduce((min, s) => s.days_remaining.fold(() => min, (d) => min === void 0 ? d : Math.min(min, d)), void 0),
+			min_expiry_days: audit.secrets.toArray().reduce((min, s) => s.days_remaining.fold(() => min, (d) => min.fold(() => Option(d), (m) => Option(Math.min(m, d)))), Option(void 0)).orUndefined(),
 			audit
-		});
-	});
-	const agentList = List(agents);
+		}];
+	})));
 	const total_agents = agentList.size;
 	const total_secrets = agentList.toArray().reduce((acc, a) => acc + a.audit.total, 0);
 	const expired = agentList.toArray().reduce((acc, a) => acc + a.audit.expired, 0);
@@ -2440,17 +2478,16 @@ const runFleet = (options) => {
 		process.exit(fleet.status === "critical" ? 2 : 0);
 		return;
 	}
-	const statusFilter = options.status;
-	const agents = statusFilter ? fleet.agents.filter((a) => a.audit.status === statusFilter) : fleet.agents;
+	const agents = Option(options.status).fold(() => fleet.agents, (s) => fleet.agents.filter((a) => a.audit.status === s));
 	console.log(`${statusIcon(fleet.status)} ${BOLD}Fleet: ${fleet.status.toUpperCase()}${RESET} — ${fleet.total_agents} agents, ${fleet.total_secrets} secrets`);
 	if (fleet.expired > 0) console.log(`  ${RED}${fleet.expired}${RESET} expired`);
 	if (fleet.expiring_soon > 0) console.log(`  ${YELLOW}${fleet.expiring_soon}${RESET} expiring soon`);
 	console.log("");
-	for (const agent of agents) {
+	agents.forEach((agent) => {
 		const name = agent.identity?.name ? BOLD + agent.identity.name + RESET : DIM + agent.path + RESET;
 		const icon = statusIcon(agent.audit.status);
 		console.log(`  ${icon} ${name} ${DIM}(${agent.audit.total} secrets)${RESET}`);
-	}
+	});
 	process.exit(fleet.status === "critical" ? 2 : 0);
 };
 //#endregion
@@ -2507,7 +2544,7 @@ const generateTemplate = (options, fnoxKeys) => {
 		lines.push(``);
 		if (fnoxKeys && fnoxKeys.length > 0) {
 			lines.push(`# Secrets detected from fnox.toml`);
-			for (const key of fnoxKeys) lines.push(generateSecretBlock(key));
+			lines.push(...fnoxKeys.map((key) => generateSecretBlock(key)));
 		} else {
 			lines.push(`# Add your secret metadata below.`);
 			lines.push(`# Each [secret.<key>] describes a secret your agent needs.`);
@@ -2542,8 +2579,8 @@ const runInit = (dir, options) => {
 		console.error(`${RED}Error:${RESET} ${CONFIG_FILENAME} already exists. Use --force to overwrite.`);
 		process.exit(1);
 	}
-	const fnoxKeys = options.fromFnox ? (() => {
-		const fnoxPath = options.fromFnox === "true" || options.fromFnox === "" ? join(dir, "fnox.toml") : options.fromFnox;
+	const fnoxKeys = Option(options.fromFnox).map((fromFnox) => {
+		const fnoxPath = fromFnox === "true" || fromFnox === "" ? join(dir, "fnox.toml") : fromFnox;
 		if (!existsSync(fnoxPath)) {
 			console.error(`${RED}Error:${RESET} fnox.toml not found at ${fnoxPath}`);
 			process.exit(1);
@@ -2551,15 +2588,18 @@ const runInit = (dir, options) => {
 		return readFnoxKeys(fnoxPath).fold((err) => {
 			console.error(`${RED}Error:${RESET} Failed to read fnox.toml: ${formatConfigError(err)}`);
 			process.exit(1);
+			return [];
 		}, (keys) => keys);
-	})() : void 0;
-	const content = generateTemplate(options, fnoxKeys);
+	});
+	const content = generateTemplate(options, fnoxKeys.orUndefined());
 	Try(() => writeFileSync(outPath, content, "utf-8")).fold((err) => {
 		console.error(`${RED}Error:${RESET} Failed to write ${CONFIG_FILENAME}: ${err}`);
 		process.exit(1);
 	}, () => {
 		console.log(`${GREEN}✓${RESET} Created ${BOLD}${CONFIG_FILENAME}${RESET} in ${CYAN}${dir}${RESET}`);
-		if (fnoxKeys) console.log(`  Scaffolded ${fnoxKeys.length} secret(s) from fnox.toml`);
+		fnoxKeys.forEach((keys) => {
+			console.log(`  Scaffolded ${keys.length} secret(s) from fnox.toml`);
+		});
 		console.log(`  ${BOLD}Next:${RESET} Fill in metadata for each secret`);
 	});
 };
@@ -2572,75 +2612,76 @@ const maskValue = (value) => {
 //#endregion
 //#region src/cli/commands/inspect.ts
 const printSecretMeta = (meta, indent) => {
-	if (meta.purpose) console.log(`${indent}purpose: ${meta.purpose}`);
-	if (meta.comment) console.log(`${indent}comment: ${DIM}${meta.comment}${RESET}`);
-	if (meta.capabilities) console.log(`${indent}capabilities: ${DIM}${meta.capabilities.join(", ")}${RESET}`);
+	if (meta.purpose) console.log(`${indent}${DIM}purpose:${RESET} ${meta.purpose}`);
+	if (meta.comment) console.log(`${indent}${DIM}comment:${RESET} ${DIM}${meta.comment}${RESET}`);
+	if (meta.capabilities) console.log(`${indent}${DIM}capabilities:${RESET} ${meta.capabilities.map((c) => `${MAGENTA}${c}${RESET}`).join(", ")}`);
 	const dateParts = [];
-	if (meta.created) dateParts.push(`created: ${meta.created}`);
-	if (meta.expires) dateParts.push(`expires: ${meta.expires}`);
+	if (meta.created) dateParts.push(`${DIM}created:${RESET} ${BLUE}${meta.created}${RESET}`);
+	if (meta.expires) dateParts.push(`${DIM}expires:${RESET} ${YELLOW}${meta.expires}${RESET}`);
 	if (dateParts.length > 0) console.log(`${indent}${dateParts.join("  ")}`);
 	const opsParts = [];
-	if (meta.rotates) opsParts.push(`rotates: ${meta.rotates}`);
-	if (meta.rate_limit) opsParts.push(`rate_limit: ${meta.rate_limit}`);
+	if (meta.rotates) opsParts.push(`${DIM}rotates:${RESET} ${CYAN}${meta.rotates}${RESET}`);
+	if (meta.rate_limit) opsParts.push(`${DIM}rate_limit:${RESET} ${CYAN}${meta.rate_limit}${RESET}`);
 	if (opsParts.length > 0) console.log(`${indent}${opsParts.join("  ")}`);
-	if (meta.source) console.log(`${indent}source: ${meta.source}`);
-	if (meta.model_hint) console.log(`${indent}model_hint: ${meta.model_hint}`);
-	if (meta.rotation_url) console.log(`${indent}rotation_url: ${DIM}${meta.rotation_url}${RESET}`);
-	if (meta.required !== void 0) console.log(`${indent}required: ${meta.required}`);
+	if (meta.source) console.log(`${indent}${DIM}source:${RESET} ${BLUE}${meta.source}${RESET}`);
+	if (meta.model_hint) console.log(`${indent}${DIM}model_hint:${RESET} ${MAGENTA}${meta.model_hint}${RESET}`);
+	if (meta.rotation_url) console.log(`${indent}${DIM}rotation_url:${RESET} ${DIM}${meta.rotation_url}${RESET}`);
+	if (meta.required !== void 0) console.log(`${indent}${DIM}required:${RESET} ${meta.required ? `${GREEN}true${RESET}` : `${DIM}false${RESET}`}`);
 	if (meta.tags) {
-		const tagStr = Object.entries(meta.tags).map(([k, v]) => `${k}=${v}`).join(", ");
-		console.log(`${indent}tags: ${tagStr}`);
+		const tagStr = Object.entries(meta.tags).map(([k, v]) => `${CYAN}${k}${RESET}=${DIM}${v}${RESET}`).join(", ");
+		console.log(`${indent}${DIM}tags:${RESET} ${tagStr}`);
 	}
 };
 const printConfig = (config, path, resolveResult, opts) => {
 	console.log(`${BOLD}envpkt.toml${RESET} ${DIM}(${path})${RESET}`);
 	if (resolveResult?.catalogPath) console.log(`${DIM}Catalog: ${CYAN}${resolveResult.catalogPath}${RESET}`);
-	console.log(`version: ${config.version}`);
+	console.log(`${DIM}version:${RESET} ${config.version}`);
 	console.log("");
 	if (config.identity) {
-		console.log(`${BOLD}Identity:${RESET} ${config.identity.name}`);
-		if (config.identity.consumer) console.log(`  consumer: ${config.identity.consumer}`);
-		if (config.identity.description) console.log(`  description: ${config.identity.description}`);
-		if (config.identity.capabilities) console.log(`  capabilities: ${config.identity.capabilities.join(", ")}`);
-		if (config.identity.expires) console.log(`  expires: ${config.identity.expires}`);
-		if (config.identity.services) console.log(`  services: ${config.identity.services.join(", ")}`);
-		if (config.identity.secrets) console.log(`  secrets: ${config.identity.secrets.join(", ")}`);
+		console.log(`${BOLD}Identity:${RESET} ${GREEN}${config.identity.name}${RESET}`);
+		if (config.identity.consumer) console.log(`  ${DIM}consumer:${RESET} ${MAGENTA}${config.identity.consumer}${RESET}`);
+		if (config.identity.description) console.log(`  ${DIM}description:${RESET} ${config.identity.description}`);
+		if (config.identity.capabilities) console.log(`  ${DIM}capabilities:${RESET} ${config.identity.capabilities.map((c) => `${MAGENTA}${c}${RESET}`).join(", ")}`);
+		if (config.identity.expires) console.log(`  ${DIM}expires:${RESET} ${YELLOW}${config.identity.expires}${RESET}`);
+		if (config.identity.services) console.log(`  ${DIM}services:${RESET} ${config.identity.services.map((s) => `${CYAN}${s}${RESET}`).join(", ")}`);
+		if (config.identity.secrets) console.log(`  ${DIM}secrets:${RESET} ${config.identity.secrets.map((s) => `${BOLD}${s}${RESET}`).join(", ")}`);
 		console.log("");
 	}
 	const secretEntries = config.secret ?? {};
 	console.log(`${BOLD}Secrets:${RESET} ${Object.keys(secretEntries).length}`);
-	for (const [key, meta] of Object.entries(secretEntries)) {
-		const secretValue = opts?.secrets?.[key];
-		const valueSuffix = secretValue !== void 0 ? ` = ${YELLOW}${(opts?.secretDisplay ?? "encrypted") === "plaintext" ? secretValue : maskValue(secretValue)}${RESET}` : "";
+	Object.entries(secretEntries).forEach(([key, meta]) => {
+		const valueSuffix = Option(opts?.secrets?.[key]).fold(() => "", (secretValue) => ` = ${YELLOW}${(opts?.secretDisplay ?? "encrypted") === "plaintext" ? secretValue : maskValue(secretValue)}${RESET}`);
 		const sealedTag = meta.encrypted_value ? ` ${CYAN}[sealed]${RESET}` : "";
 		console.log(`  ${BOLD}${key}${RESET} → ${meta.service ?? key}${sealedTag}${valueSuffix}`);
 		printSecretMeta(meta, "    ");
-	}
+	});
 	const envEntries = config.env ?? {};
 	const envKeys = Object.keys(envEntries);
 	if (envKeys.length > 0) {
 		console.log("");
 		console.log(`${BOLD}Environment Defaults:${RESET} ${envKeys.length}`);
-		for (const [key, entry] of Object.entries(envEntries)) {
-			console.log(`  ${BOLD}${key}${RESET} = "${entry.value}"`);
-			if (entry.purpose) console.log(`    purpose: ${entry.purpose}`);
-			if (entry.comment) console.log(`    comment: ${DIM}${entry.comment}${RESET}`);
-		}
+		Object.entries(envEntries).forEach(([key, entry]) => {
+			console.log(`  ${BOLD}${key}${RESET} = ${GREEN}"${entry.value}"${RESET}`);
+			if (entry.purpose) console.log(`    ${DIM}purpose:${RESET} ${entry.purpose}`);
+			if (entry.comment) console.log(`    ${DIM}comment:${RESET} ${DIM}${entry.comment}${RESET}`);
+		});
 	}
 	if (config.lifecycle) {
 		console.log("");
 		console.log(`${BOLD}Lifecycle:${RESET}`);
-		if (config.lifecycle.stale_warning_days !== void 0) console.log(`  stale_warning_days: ${config.lifecycle.stale_warning_days}`);
-		if (config.lifecycle.require_expiration !== void 0) console.log(`  require_expiration: ${config.lifecycle.require_expiration}`);
-		if (config.lifecycle.require_service !== void 0) console.log(`  require_service: ${config.lifecycle.require_service}`);
+		if (config.lifecycle.stale_warning_days !== void 0) console.log(`  ${DIM}stale_warning_days:${RESET} ${YELLOW}${config.lifecycle.stale_warning_days}${RESET}`);
+		if (config.lifecycle.require_expiration !== void 0) console.log(`  ${DIM}require_expiration:${RESET} ${config.lifecycle.require_expiration ? `${GREEN}true${RESET}` : `${DIM}false${RESET}`}`);
+		if (config.lifecycle.require_service !== void 0) console.log(`  ${DIM}require_service:${RESET} ${config.lifecycle.require_service ? `${GREEN}true${RESET}` : `${DIM}false${RESET}`}`);
 	}
 	if (resolveResult?.catalogPath) {
 		console.log("");
 		console.log(`${BOLD}Catalog Resolution:${RESET}`);
-		console.log(`  merged: ${resolveResult.merged.length} keys`);
-		if (resolveResult.overridden.length > 0) console.log(`  overridden: ${resolveResult.overridden.join(", ")}`);
-		else console.log(`  overridden: ${DIM}(none)${RESET}`);
-		for (const w of resolveResult.warnings) console.log(`  ${YELLOW}warning:${RESET} ${w}`);
+		console.log(`  ${DIM}merged:${RESET} ${GREEN}${resolveResult.merged.length}${RESET} keys`);
+		if (resolveResult.overridden.length > 0) console.log(`  ${DIM}overridden:${RESET} ${resolveResult.overridden.map((k) => `${YELLOW}${k}${RESET}`).join(", ")}`);
+		else console.log(`  ${DIM}overridden: (none)${RESET}`);
+		resolveResult.warnings.forEach((w) => {
+			console.log(`  ${YELLOW}warning:${RESET} ${w}`);
+		});
 	}
 };
 const runInspect = (options) => {
@@ -2690,15 +2731,33 @@ const runInspect = (options) => {
 };
 //#endregion
 //#region src/cli/commands/keygen.ts
+/** Shorten a path under $HOME to use ~ prefix */
+const tildeShorten = (p) => {
+	const home = homedir();
+	return p.startsWith(home) ? `~${p.slice(home.length)}` : p;
+};
+/** Derive a default identity name from the config path's parent directory */
+const deriveIdentityName = (configPath) => basename(dirname(resolve(configPath)));
+/**
+* Derive a project-specific key path from the config path.
+* - `envpkt.toml` → `~/.envpkt/<dir>-key.txt`
+* - `prod.envpkt.toml` → `~/.envpkt/<dir>-prod-key.txt`
+* - `foo.envpkt.toml` → `~/.envpkt/<dir>-foo-key.txt`
+*/
+const deriveKeyPath = (configPath) => {
+	const abs = resolve(configPath);
+	const dir = basename(dirname(abs));
+	const stem = basename(abs).replace(/\.envpkt\.toml$/, "").replace(/\.toml$/, "");
+	const name = stem === "envpkt" || stem === "" ? dir : `${dir}-${stem}`;
+	return join(homedir(), ".envpkt", `${name}-key.txt`);
+};
 const runKeygen = (options) => {
-	const outputPath = options.output ?? resolveKeyPath();
-	generateKeypair({
-		force: options.force,
-		outputPath
-	}).fold((err) => {
+	const configPath = resolve(options.config ?? join(process.cwd(), "envpkt.toml"));
+	generateKeypair({ outputPath: options.output ?? (options.global ? resolveKeyPath() : deriveKeyPath(configPath)) }).fold((err) => {
 		if (err._tag === "KeyExists") {
 			console.error(`${YELLOW}Warning:${RESET} Identity file already exists: ${CYAN}${err.path}${RESET}`);
-			console.error(`${DIM}Use --force to overwrite.${RESET}`);
+			console.error(`${DIM}To replace it: remove the file first, then re-run keygen.${RESET}`);
+			console.error(`${DIM}To use a different path: pass -o <path>.${RESET}`);
 			process.exit(1);
 		}
 		console.error(formatError(err));
@@ -2707,16 +2766,24 @@ const runKeygen = (options) => {
 		console.log(`${GREEN}Generated${RESET} age identity: ${CYAN}${identityPath}${RESET}`);
 		console.log(`${BOLD}Recipient:${RESET} ${recipient}`);
 		console.log("");
-		const configPath = resolve(options.config ?? join(process.cwd(), "envpkt.toml"));
-		if (existsSync(configPath)) updateConfigRecipient(configPath, recipient).fold((err) => {
-			console.error(`${YELLOW}Warning:${RESET} Could not update config: ${"message" in err ? err.message : err._tag}`);
-			console.log(`${DIM}Manually add to your envpkt.toml:${RESET}`);
-			console.log(`  [identity]`);
-			console.log(`  recipient = "${recipient}"`);
-		}, () => {
-			console.log(`${GREEN}Updated${RESET} ${CYAN}${configPath}${RESET} with identity.recipient`);
-		});
-		else {
+		if (existsSync(configPath)) {
+			const name = deriveIdentityName(configPath);
+			const keyFile = tildeShorten(identityPath);
+			updateConfigIdentity(configPath, {
+				recipient,
+				name,
+				keyFile
+			}).fold((err) => {
+				console.error(`${YELLOW}Warning:${RESET} Could not update config: ${"message" in err ? err.message : err._tag}`);
+				console.log(`${DIM}Manually add to your envpkt.toml:${RESET}`);
+				console.log(`  [identity]`);
+				console.log(`  name = "${name}"`);
+				console.log(`  recipient = "${recipient}"`);
+				console.log(`  key_file = "${keyFile}"`);
+			}, () => {
+				console.log(`${GREEN}Updated${RESET} ${CYAN}${configPath}${RESET} with identity (name, recipient, key_file)`);
+			});
+		} else {
 			console.log(`${BOLD}Next steps:${RESET}`);
 			console.log(`  ${DIM}1.${RESET} envpkt init          ${DIM}# create envpkt.toml${RESET}`);
 			console.log(`  ${DIM}2.${RESET} envpkt env scan --write  ${DIM}# discover credentials${RESET}`);
@@ -2727,7 +2794,7 @@ const runKeygen = (options) => {
 //#endregion
 //#region src/mcp/resources.ts
 const loadConfigSafe = () => {
-	return resolveConfigPath().fold(() => void 0, ({ path }) => loadConfig(path).fold(() => void 0, (config) => ({
+	return resolveConfigPath().fold(() => Option.none(), ({ path }) => loadConfig(path).fold(() => Option.none(), (config) => Option({
 		config,
 		path
 	})));
@@ -2743,14 +2810,11 @@ const resourceDefinitions = [{
 	description: "Capabilities declared by the agent and per-secret capability grants",
 	mimeType: "application/json"
 }];
-const readHealth = () => {
-	const loaded = loadConfigSafe();
-	if (!loaded) return { contents: [{
-		uri: "envpkt://health",
-		mimeType: "application/json",
-		text: JSON.stringify({ error: "No envpkt.toml found" })
-	}] };
-	const { config, path } = loaded;
+const readHealth = () => loadConfigSafe().fold(() => ({ contents: [{
+	uri: "envpkt://health",
+	mimeType: "application/json",
+	text: JSON.stringify({ error: "No envpkt.toml found" })
+}] }), ({ config, path }) => {
 	const audit = computeAudit(config);
 	return { contents: [{
 		uri: "envpkt://health",
@@ -2766,19 +2830,17 @@ const readHealth = () => {
 			missing: audit.missing
 		}, null, 2)
 	}] };
-};
-const readCapabilities = () => {
-	const loaded = loadConfigSafe();
-	if (!loaded) return { contents: [{
-		uri: "envpkt://capabilities",
-		mimeType: "application/json",
-		text: JSON.stringify({ error: "No envpkt.toml found" })
-	}] };
-	const { config } = loaded;
+});
+const readCapabilities = () => loadConfigSafe().fold(() => ({ contents: [{
+	uri: "envpkt://capabilities",
+	mimeType: "application/json",
+	text: JSON.stringify({ error: "No envpkt.toml found" })
+}] }), ({ config }) => {
 	const agentCapabilities = config.identity?.capabilities ?? [];
 	const secretCapabilities = {};
-	const secretEntries = config.secret ?? {};
-	for (const [key, meta] of Object.entries(secretEntries)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	Object.entries(config.secret ?? {}).forEach(([key, meta]) => {
+		if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	});
 	return { contents: [{
 		uri: "envpkt://capabilities",
 		mimeType: "application/json",
@@ -2792,15 +2854,12 @@ const readCapabilities = () => {
 			secrets: secretCapabilities
 		}, null, 2)
 	}] };
-};
+});
 const resourceHandlers = {
 	"envpkt://health": readHealth,
 	"envpkt://capabilities": readCapabilities
 };
-const readResource = (uri) => {
-	const handler = resourceHandlers[uri];
-	return handler?.();
-};
+const readResource = (uri) => Option(resourceHandlers[uri]).map((handler) => handler());
 //#endregion
 //#region src/mcp/tools.ts
 const textResult = (text) => ({ content: [{
@@ -2815,7 +2874,7 @@ const errorResult = (message) => ({
 	isError: true
 });
 const loadConfigForTool = (configPath) => {
-	return resolveConfigPath(configPath).fold((err) => ({
+	return resolveConfigPath(configPath.fold(() => void 0, (v) => v)).fold((err) => ({
 		ok: false,
 		result: errorResult(`Config error: ${err._tag} — ${err._tag === "FileNotFound" ? err.path : ""}`)
 	}), ({ path }) => loadConfig(path).fold((err) => ({
@@ -2898,8 +2957,9 @@ const toolDefinitions = [
 		}
 	}
 ];
+const configPathArg = (args) => Option(typeof args.configPath === "string" ? args.configPath : null);
 const handleGetPacketHealth = (args) => {
-	const loaded = loadConfigForTool(args.configPath);
+	const loaded = loadConfigForTool(configPathArg(args));
 	if (!loaded.ok) return loaded.result;
 	const { config, path } = loaded;
 	const audit = computeAudit(config);
@@ -2924,13 +2984,14 @@ const handleGetPacketHealth = (args) => {
 	}, null, 2));
 };
 const handleListCapabilities = (args) => {
-	const loaded = loadConfigForTool(args.configPath);
+	const loaded = loadConfigForTool(configPathArg(args));
 	if (!loaded.ok) return loaded.result;
 	const { config } = loaded;
 	const agentCapabilities = config.identity?.capabilities ?? [];
 	const secretCapabilities = {};
-	const secretEntries = config.secret ?? {};
-	for (const [key, meta] of Object.entries(secretEntries)) if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	Object.entries(config.secret ?? {}).forEach(([key, meta]) => {
+		if (meta.capabilities && meta.capabilities.length > 0) secretCapabilities[key] = meta.capabilities;
+	});
 	return textResult(JSON.stringify({
 		identity: config.identity ? {
 			name: config.identity.name,
@@ -2945,21 +3006,21 @@ const handleListCapabilities = (args) => {
 const handleGetSecretMeta = (args) => {
 	const key = args.key;
 	if (!key) return errorResult("Missing required argument: key");
-	const loaded = loadConfigForTool(args.configPath);
+	const loaded = loadConfigForTool(configPathArg(args));
 	if (!loaded.ok) return loaded.result;
 	const { config } = loaded;
-	const meta = (config.secret ?? {})[key];
-	if (!meta) return errorResult(`Secret not found: ${key}`);
-	const { encrypted_value: _, ...safeMeta } = meta;
-	return textResult(JSON.stringify({
-		key,
-		...safeMeta
-	}, null, 2));
+	return Option((config.secret ?? {})[key]).fold(() => errorResult(`Secret not found: ${key}`), (meta) => {
+		const { encrypted_value: _, ...safeMeta } = meta;
+		return textResult(JSON.stringify({
+			key,
+			...safeMeta
+		}, null, 2));
+	});
 };
 const handleCheckExpiration = (args) => {
 	const key = args.key;
 	if (!key) return errorResult("Missing required argument: key");
-	const loaded = loadConfigForTool(args.configPath);
+	const loaded = loadConfigForTool(configPathArg(args));
 	if (!loaded.ok) return loaded.result;
 	const { config } = loaded;
 	return computeAudit(config).secrets.find((s) => s.key === key).fold(() => errorResult(`Secret not found: ${key}`), (s) => textResult(JSON.stringify({
@@ -2973,7 +3034,7 @@ const handleCheckExpiration = (args) => {
 	}, null, 2)));
 };
 const handleGetEnvMeta = (args) => {
-	const loaded = loadConfigForTool(args.configPath);
+	const loaded = loadConfigForTool(configPathArg(args));
 	if (!loaded.ok) return loaded.result;
 	const { config } = loaded;
 	const envAudit = computeEnvAudit(config);
@@ -2986,11 +3047,7 @@ const handlers = {
 	checkExpiration: handleCheckExpiration,
 	getEnvMeta: handleGetEnvMeta
 };
-const callTool = (name, args) => {
-	const handler = handlers[name];
-	if (!handler) return errorResult(`Unknown tool: ${name}`);
-	return handler(args);
-};
+const callTool = (name, args) => Option(handlers[name]).fold(() => errorResult(`Unknown tool: ${name}`), (handler) => handler(args));
 //#endregion
 //#region src/mcp/server.ts
 const createServer = () => {
@@ -3016,13 +3073,11 @@ const createServer = () => {
 	server.setRequestHandler(ListResourcesRequestSchema, () => ({ resources: [...resourceDefinitions] }));
 	server.setRequestHandler(ReadResourceRequestSchema, (request) => {
 		const { uri } = request.params;
-		const result = readResource(uri);
-		if (!result) return { contents: [{
+		return readResource(uri).fold(() => ({ contents: [{
 			uri,
 			mimeType: "text/plain",
 			text: `Resource not found: ${uri}`
-		}] };
-		return result;
+		}] }), (result) => result);
 	});
 	return server;
 };
@@ -3066,8 +3121,10 @@ const runResolve = (options) => {
 				} else process.stdout.write(content);
 				if (result.catalogPath) {
 					const summaryTarget = options.output ? process.stdout : process.stderr;
-					summaryTarget.write(`\n${CYAN}Catalog:${RESET} ${result.catalogPath}\n${GREEN}Merged:${RESET} ${result.merged.length} key(s)${result.overridden.length > 0 ? ` ${YELLOW}(${result.overridden.length} overridden: ${result.overridden.join(", ")})${RESET}` : ""}\n`);
-					for (const w of result.warnings) summaryTarget.write(`${RED}Warning:${RESET} ${w}\n`);
+					summaryTarget.write(`\n${BOLD}${CYAN}Catalog:${RESET} ${BLUE}${result.catalogPath}${RESET}\n${GREEN}Merged:${RESET} ${BOLD}${result.merged.length}${RESET} key(s)${result.overridden.length > 0 ? ` ${YELLOW}(${result.overridden.length} overridden: ${BOLD}${result.overridden.join(`${RESET}${YELLOW}, ${BOLD}`)}${RESET}${YELLOW})${RESET}` : ""}\n`);
+					result.warnings.forEach((w) => {
+						summaryTarget.write(`${RED}Warning:${RESET} ${w}\n`);
+					});
 				}
 			});
 		});
@@ -3080,18 +3137,20 @@ const resolveValues = async (keys, profile, agentKey) => {
 	const result = {};
 	const remaining = new Set(keys);
 	if (fnoxAvailable()) fnoxExport(profile, agentKey).fold(() => {}, (exported) => {
-		for (const key of [...remaining]) if (key in exported) {
-			result[key] = exported[key];
-			remaining.delete(key);
-		}
+		[...remaining].forEach((key) => {
+			if (key in exported) {
+				result[key] = exported[key];
+				remaining.delete(key);
+			}
+		});
 	});
-	for (const key of [...remaining]) {
+	[...remaining].forEach((key) => {
 		const envValue = process.env[key];
 		if (envValue !== void 0 && envValue !== "") {
 			result[key] = envValue;
 			remaining.delete(key);
 		}
-	}
+	});
 	if (remaining.size > 0 && process.stdin.isTTY) {
 		const rl = createInterface({
 			input: process.stdin,
@@ -3114,53 +3173,55 @@ const resolveValues = async (keys, profile, agentKey) => {
 const writeSealedToml = (configPath, sealedMeta) => {
 	const lines = readFileSync(configPath, "utf-8").split("\n");
 	const output = [];
-	let currentMetaKey;
+	let currentMetaKey = Option.none();
 	let insideMetaBlock = false;
 	let hasEncryptedValue = false;
 	const pendingSeals = /* @__PURE__ */ new Map();
-	for (const [key, meta] of Object.entries(sealedMeta)) if (meta.encrypted_value) pendingSeals.set(key, meta.encrypted_value);
+	Object.entries(sealedMeta).forEach(([key, meta]) => {
+		if (meta.encrypted_value) pendingSeals.set(key, meta.encrypted_value);
+	});
 	const metaSectionRe = /^\[secret\.(.+)\]\s*$/;
 	const encryptedValueRe = /^encrypted_value\s*=/;
 	const newSectionRe = /^\[/;
-	for (let i = 0; i < lines.length; i++) {
-		const line = lines[i];
-		const metaMatch = metaSectionRe.exec(line);
-		if (metaMatch) {
-			if (currentMetaKey && !hasEncryptedValue && pendingSeals.has(currentMetaKey)) {
+	const flushPending = () => {
+		currentMetaKey.forEach((key) => {
+			if (!hasEncryptedValue && pendingSeals.has(key)) {
 				output.push(`encrypted_value = """`);
-				output.push(pendingSeals.get(currentMetaKey));
+				output.push(pendingSeals.get(key));
 				output.push(`"""`);
 				output.push("");
-				pendingSeals.delete(currentMetaKey);
+				pendingSeals.delete(key);
 			}
-			currentMetaKey = metaMatch[1];
+		});
+	};
+	for (let i = 0; i < lines.length; i++) {
+		const line = lines[i];
+		const metaMatch = metaSectionRe.exec(line);
+		if (metaMatch) {
+			flushPending();
+			currentMetaKey = Option(metaMatch[1]);
 			insideMetaBlock = true;
 			hasEncryptedValue = false;
 			output.push(line);
 			continue;
 		}
 		if (insideMetaBlock && newSectionRe.test(line) && !metaSectionRe.test(line)) {
-			if (currentMetaKey && !hasEncryptedValue && pendingSeals.has(currentMetaKey)) {
-				output.push(`encrypted_value = """`);
-				output.push(pendingSeals.get(currentMetaKey));
-				output.push(`"""`);
-				output.push("");
-				pendingSeals.delete(currentMetaKey);
-			}
+			flushPending();
 			insideMetaBlock = false;
-			currentMetaKey = void 0;
+			currentMetaKey = Option.none();
 			output.push(line);
 			continue;
 		}
 		if (insideMetaBlock && encryptedValueRe.test(line)) {
 			hasEncryptedValue = true;
-			const replacing = !!(currentMetaKey && pendingSeals.has(currentMetaKey));
-			if (replacing) {
+			const replacing = currentMetaKey.fold(() => false, (key) => pendingSeals.has(key));
+			if (replacing) currentMetaKey.forEach((key) => {
 				output.push(`encrypted_value = """`);
-				output.push(pendingSeals.get(currentMetaKey));
+				output.push(pendingSeals.get(key));
 				output.push(`"""`);
-				pendingSeals.delete(currentMetaKey);
-			} else output.push(line);
+				pendingSeals.delete(key);
+			});
+			else output.push(line);
 			if (line.slice(line.indexOf("=") + 1).trim().includes("\"\"\"")) {
 				while (i + 1 < lines.length && !lines[i + 1].includes("\"\"\"")) {
 					if (!replacing) output.push(lines[i + 1]);
@@ -3175,12 +3236,7 @@ const writeSealedToml = (configPath, sealedMeta) => {
 		}
 		output.push(line);
 	}
-	if (currentMetaKey && !hasEncryptedValue && pendingSeals.has(currentMetaKey)) {
-		output.push(`encrypted_value = """`);
-		output.push(pendingSeals.get(currentMetaKey));
-		output.push(`"""`);
-		pendingSeals.delete(currentMetaKey);
-	}
+	flushPending();
 	writeFileSync(configPath, output.join("\n"));
 };
 const runSeal = async (options) => {
@@ -3217,10 +3273,13 @@ const runSeal = async (options) => {
 		console.error(`${DIM}Move these to [secret.*] only, or remove from [env.*] before sealing.${RESET}`);
 		process.exit(2);
 	}
-	const identityKey = config.identity.key_file ? unwrapAgentKey(resolve(configDir, expandPath(config.identity.key_file))).fold((err) => {
-		const msg = err._tag === "IdentityNotFound" ? `not found: ${err.path}` : err.message;
-		console.error(`${YELLOW}Warning:${RESET} Could not unwrap agent key: ${msg}`);
-	}, (k) => k) : void 0;
+	const identityKey = Option(config.identity.key_file).flatMap((keyFile) => {
+		return unwrapAgentKey(resolve(configDir, expandPath(keyFile))).fold((err) => {
+			const msg = err._tag === "IdentityNotFound" ? `not found: ${err.path}` : err.message;
+			console.error(`${YELLOW}Warning:${RESET} Could not unwrap agent key: ${msg}`);
+			return Option.none();
+		}, (k) => Option(k));
+	});
 	const editKeys = options.edit ? options.edit.split(",").map((k) => k.trim()).filter((k) => k.length > 0) : [];
 	if (editKeys.length > 0) {
 		const allSecretEntries = config.secret ?? {};
@@ -3269,8 +3328,8 @@ const runSeal = async (options) => {
 	}
 	const allSecretEntries = config.secret ?? {};
 	const allKeys = Object.keys(allSecretEntries);
-	const alreadySealed = allKeys.filter((k) => allSecretEntries[k]?.encrypted_value);
-	const unsealed = allKeys.filter((k) => !allSecretEntries[k]?.encrypted_value);
+	const alreadySealed = allKeys.filter((k) => allSecretEntries[k].encrypted_value);
+	const unsealed = allKeys.filter((k) => !allSecretEntries[k].encrypted_value);
 	if (!options.reseal && alreadySealed.length > 0) {
 		if (unsealed.length === 0) {
 			console.log(`${GREEN}✓${RESET} All ${BOLD}${alreadySealed.length}${RESET} secret(s) already sealed. Use ${CYAN}--reseal${RESET} to re-encrypt.`);
@@ -3303,13 +3362,13 @@ const runSeal = async (options) => {
 				process.exit(2);
 				return {};
 			}, (d) => d);
-			const newValues = unsealed.length > 0 ? await resolveValues(unsealed, options.profile, identityKey) : {};
+			const newValues = unsealed.length > 0 ? await resolveValues(unsealed, options.profile, identityKey.orUndefined()) : {};
 			return {
 				...decrypted,
 				...newValues
 			};
 		}
-		return resolveValues(metaKeys, options.profile, identityKey);
+		return resolveValues(metaKeys, options.profile, identityKey.orUndefined());
 	})();
 	const resolved = Object.keys(values).length;
 	const skipped = metaKeys.length - resolved;
@@ -3382,7 +3441,7 @@ const buildFieldUpdates = (options) => {
 	return updates;
 };
 const withConfig = (configFlag, fn) => {
-	resolveConfigPath(configFlag).fold((err) => {
+	resolveConfigPath(configFlag.orUndefined()).fold((err) => {
 		console.error(formatError(err));
 		process.exit(2);
 	}, ({ path: configPath, source }) => {
@@ -3426,7 +3485,7 @@ const runSecretEdit = (name, options) => {
 		console.error(`${RED}Error:${RESET} Invalid date format for --expires: "${options.expires}" (expected YYYY-MM-DD)`);
 		process.exit(1);
 	}
-	withConfig(options.config, (configPath, raw) => {
+	withConfig(Option(options.config), (configPath, raw) => {
 		loadConfig(configPath).fold((err) => {
 			console.error(formatError(err));
 			process.exit(2);
@@ -3456,7 +3515,7 @@ const runSecretEdit = (name, options) => {
 	});
 };
 const runSecretRm = (name, options) => {
-	withConfig(options.config, (configPath, raw) => {
+	withConfig(Option(options.config), (configPath, raw) => {
 		removeSection(raw, `[secret.${name}]`).fold((err) => {
 			console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
 			process.exit(1);
@@ -3472,7 +3531,7 @@ const runSecretRm = (name, options) => {
 	});
 };
 const runSecretRename = (oldName, newName, options) => {
-	withConfig(options.config, (configPath, raw) => {
+	withConfig(Option(options.config), (configPath, raw) => {
 		renameSection(raw, `[secret.${oldName}]`, `[secret.${newName}]`).fold((err) => {
 			console.error(`${RED}Error:${RESET} ${err._tag}: ${err.section}`);
 			process.exit(1);
@@ -3546,42 +3605,34 @@ const runShellHook = (shell) => {
 };
 //#endregion
 //#region src/cli/commands/upgrade.ts
-const getCurrentVersion = () => {
-	try {
-		return execFileSync("npm", [
-			"list",
-			"-g",
-			"envpkt",
-			"--json"
-		], {
-			encoding: "utf-8",
-			stdio: [
-				"pipe",
-				"pipe",
-				"pipe"
-			]
-		}).match(/"envpkt":\s*\{\s*"version":\s*"([^"]+)"/)?.[1] ?? "unknown";
-	} catch {
-		return "unknown";
-	}
-};
+const getCurrentVersion = () => Try(() => execFileSync("npm", [
+	"list",
+	"-g",
+	"envpkt",
+	"--json"
+], {
+	encoding: "utf-8",
+	stdio: [
+		"pipe",
+		"pipe",
+		"pipe"
+	]
+})).fold(() => "unknown", (output) => output.match(/"envpkt":\s*\{\s*"version":\s*"([^"]+)"/)?.[1] ?? "unknown");
 const runUpgrade = () => {
 	const before = getCurrentVersion();
 	console.log(`${DIM}Current version: ${before}${RESET}`);
 	console.log(`${CYAN}Upgrading envpkt...${RESET}\n`);
-	try {
-		execFileSync("npm", [
-			"install",
-			"-g",
-			"envpkt@latest",
-			"--prefer-online"
-		], {
-			stdio: "inherit",
-			encoding: "utf-8"
-		});
-	} catch {
+	Try(() => execFileSync("npm", [
+		"install",
+		"-g",
+		"envpkt@latest",
+		"--prefer-online"
+	], {
+		stdio: "inherit",
+		encoding: "utf-8"
+	})).fold(() => {
 		console.error(`\n${RED}Error:${RESET} npm install failed. Trying with cache clean...`);
-		try {
+		Try(() => {
 			execFileSync("npm", [
 				"cache",
 				"clean",
@@ -3595,12 +3646,12 @@ const runUpgrade = () => {
 				stdio: "inherit",
 				encoding: "utf-8"
 			});
-		} catch {
+		}).fold(() => {
 			console.error(`${RED}Error:${RESET} Upgrade failed. Try manually:`);
 			console.error(`  ${BOLD}sudo npm install -g envpkt@latest --prefer-online${RESET}`);
 			process.exit(1);
-		}
-	}
+		}, () => {});
+	}, () => {});
 	const after = getCurrentVersion();
 	if (before === after && before !== "unknown") console.log(`\n${GREEN}✓${RESET} Already on latest version ${BOLD}${after}${RESET}`);
 	else console.log(`\n${GREEN}✓${RESET} Upgraded ${YELLOW}${before}${RESET} → ${BOLD}${after}${RESET}`);
@@ -3620,7 +3671,7 @@ program.name("envpkt").description("Credential lifecycle and fleet management fo
 program.command("init").description("Initialize a new envpkt.toml in the current directory").option("--from-fnox [path]", "Scaffold from fnox.toml (optionally specify path)").option("--catalog <path>", "Path to shared secret catalog").option("--identity", "Include [identity] section").option("--name <name>", "Identity name (requires --identity)").option("--capabilities <caps>", "Comma-separated capabilities (requires --identity)").option("--expires <date>", "Credential expiration YYYY-MM-DD (requires --identity)").option("--force", "Overwrite existing envpkt.toml").action((options) => {
 	runInit(process.cwd(), options);
 });
-program.command("keygen").description("Generate an age keypair for sealing secrets — run this before `seal` if you don't have a key yet").option("-c, --config <path>", "Path to envpkt.toml (updates identity.recipient if found)").option("--force", "Overwrite existing identity file").option("-o, --output <path>", "Output path for identity file (default: ~/.envpkt/age-key.txt)").action((options) => {
+program.command("keygen").description("Generate an age keypair for sealing secrets — run this before `seal` if you don't have a key yet").option("-c, --config <path>", "Path to envpkt.toml (updates identity.recipient if found)").option("-o, --output <path>", "Output path for identity file (default: ~/.envpkt/<project>-key.txt)").option("--global", "Write key to the shared default path (~/.envpkt/age-key.txt) instead of a project-specific one").action((options) => {
 	runKeygen(options);
 });
 program.command("audit").description("Audit credential health from envpkt.toml (use --strict in CI pipelines to gate deploys)").option("-c, --config <path>", "Path to envpkt.toml").option("--format <format>", "Output format: table | json | minimal", "table").option("--expiring <days>", "Show secrets expiring within N days", parseInt).option("--status <status>", "Filter by status: healthy | expiring_soon | expired | stale | missing").option("--strict", "Exit non-zero on any non-healthy secret").option("--all", "Show both secrets and env defaults").option("--env-only", "Show only env defaults (drift detection)").option("--sealed", "Show only secrets with encrypted_value").option("--external", "Show only secrets without encrypted_value").action((options) => {