metaharness 0.1.0

package/dist/score.js

@@ -0,0 +1,381 @@
+// SPDX-License-Identifier: MIT
+//
+// `harness score <path>` — 19th subcommand (iter 111). Priority 2 from the
+// user's roadmap. Aggregates 5 dimensions into a single 0–100 score plus a
+// per-dimension breakdown.
+//
+// Dimensions + weights (from the user's spec):
+//   - Repo understanding   (25%) — meta.surface + meta.kernel_version + diag verdict
+//   - Agent usefulness     (25%) — count of agents + skills + commands
+//   - MCP safety           (20%) — mcp-policy.json default-deny + audit + no risky perms
+//   - Test coverage        (15%) — presence of __tests__/ or tests/ + ci wiring
+//   - Publish readiness    (15%) — witness present + sbom emit-able + npm pack ready
+//
+// Modes: text (default) · --json · --bundle (ADR-031 schema-1 envelope) · --out <file>.
+//
+// Verdict + exit code:
+//   - score ≥ 85  → 'A' (exit 0, the target the user named)
+//   - score ≥ 70  → 'B' (exit 0)
+//   - score ≥ 50  → 'C' (exit 1, needs work)
+//   - score <  50 → 'F' (exit 2, blocked)
+import { existsSync, statSync, writeFileSync, readFileSync, readdirSync } from 'node:fs';
+import { resolve, join } from 'node:path';
+// --- helpers ---------------------------------------------------------------
+function safeReadJson(path) {
+    try {
+        if (!existsSync(path))
+            return null;
+        return JSON.parse(readFileSync(path, 'utf-8'));
+    }
+    catch {
+        return null;
+    }
+}
+function dirExists(dir, sub) {
+    try {
+        return existsSync(join(dir, sub)) && statSync(join(dir, sub)).isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
+function fileExists(dir, sub) {
+    try {
+        return existsSync(join(dir, sub)) && statSync(join(dir, sub)).isFile();
+    }
+    catch {
+        return false;
+    }
+}
+function countDir(dir, sub) {
+    try {
+        const target = join(dir, sub);
+        if (!existsSync(target))
+            return 0;
+        return readdirSync(target).filter((n) => !n.startsWith('.')).length;
+    }
+    catch {
+        return 0;
+    }
+}
+// --- dimension scorers (pure-ish — they read disk but no exec) -------------
+function scoreRepoUnderstanding(dir, manifest) {
+    const signals = [];
+    let s = 0;
+    if (manifest) {
+        s += 35;
+        signals.push('manifest.json present');
+        if (manifest.meta?.surface) {
+            s += 20;
+            signals.push(`surface=${manifest.meta.surface}`);
+        }
+        if (manifest.meta?.kernel_version) {
+            s += 25;
+            signals.push(`kernel=${manifest.meta.kernel_version}`);
+        }
+        if (manifest.host || manifest.hosts) {
+            s += 20;
+            signals.push(`host(s)=${manifest.hosts ?? manifest.host}`);
+        }
+    }
+    else {
+        signals.push('no manifest — cannot identify what this harness is');
+    }
+    return { name: 'Repo understanding', weight: 0.25, score: Math.min(100, s), signals };
+}
+function scoreAgentUsefulness(dir) {
+    const signals = [];
+    let s = 0;
+    const agents = countDir(dir, 'src/agents');
+    const skills = countDir(dir, '.claude/skills');
+    const commands = countDir(dir, '.claude/commands');
+    if (agents > 0) {
+        s += Math.min(40, agents * 10);
+        signals.push(`${agents} agent(s) in src/agents/`);
+    }
+    if (skills > 0) {
+        s += Math.min(30, skills * 15);
+        signals.push(`${skills} skill(s) in .claude/skills/`);
+    }
+    if (commands > 0) {
+        s += Math.min(30, commands * 15);
+        signals.push(`${commands} command(s) in .claude/commands/`);
+    }
+    if (s === 0)
+        signals.push('no agents / skills / commands found');
+    return { name: 'Agent usefulness', weight: 0.25, score: Math.min(100, s), signals };
+}
+function scoreMcpSafety(dir) {
+    const signals = [];
+    const policy = safeReadJson(join(dir, '.harness', 'mcp-policy.json'));
+    // No policy + no .mcp.json at all = MCP not in use, which is the safest possible.
+    const hasMcp = policy != null || fileExists(dir, '.mcp.json');
+    if (!hasMcp) {
+        signals.push('MCP not in use (mode=off — safest)');
+        return { name: 'MCP safety', weight: 0.2, score: 100, signals, mcpRisk: 'None' };
+    }
+    let s = 0;
+    let risk = 'Low';
+    if (policy?.defaultDeny === true) {
+        s += 40;
+        signals.push('default-deny ON');
+    }
+    else {
+        risk = 'High';
+        signals.push('default-deny OFF — dangerous');
+    }
+    if (policy?.auditLog === true) {
+        s += 15;
+        signals.push('audit-log ON');
+    }
+    if (policy?.allowShell === false || policy?.allowShell == null) {
+        s += 15;
+        signals.push('shell gated');
+    }
+    else {
+        risk = 'High';
+        signals.push('shell ALLOWED — risky');
+    }
+    if (policy?.allowNetwork === false || policy?.allowNetwork == null) {
+        s += 15;
+        signals.push('network gated');
+    }
+    else {
+        if (risk !== 'High')
+            risk = 'Medium';
+        signals.push('network ALLOWED');
+    }
+    if (policy?.allowFileWrite === false || policy?.allowFileWrite == null) {
+        s += 15;
+        signals.push('file-write gated');
+    }
+    else {
+        if (risk !== 'High')
+            risk = 'Medium';
+        signals.push('file-write ALLOWED');
+    }
+    return { name: 'MCP safety', weight: 0.2, score: Math.min(100, s), signals, mcpRisk: risk };
+}
+function scoreTestCoverage(dir) {
+    const signals = [];
+    let s = 0;
+    const hasTests = dirExists(dir, '__tests__') || dirExists(dir, 'tests') || dirExists(dir, 'test');
+    if (hasTests) {
+        s += 50;
+        signals.push('test directory present');
+    }
+    const pkg = safeReadJson(join(dir, 'package.json'));
+    if (pkg?.scripts?.test) {
+        s += 25;
+        signals.push(`npm test → ${pkg.scripts.test}`);
+    }
+    if (dirExists(dir, '.github/workflows')) {
+        s += 25;
+        signals.push('CI workflow present');
+    }
+    if (s === 0)
+        signals.push('no test signals detected');
+    return { name: 'Test coverage', weight: 0.15, score: Math.min(100, s), signals };
+}
+function scorePublishReadiness(dir, manifest) {
+    const signals = [];
+    let s = 0;
+    const witnessSigned = fileExists(dir, '.harness/witness.json');
+    if (witnessSigned) {
+        s += 40;
+        signals.push('witness.json present');
+    }
+    // sbom.json is emitted by `harness sbom`; presence indicates the operator
+    // has at least run it once. Even if it's not committed, presence is the
+    // strong publish-readiness signal.
+    const sbom = fileExists(dir, 'sbom.json') || fileExists(dir, '.harness/sbom.json');
+    if (sbom) {
+        s += 20;
+        signals.push('SBOM present');
+    }
+    const pkg = safeReadJson(join(dir, 'package.json'));
+    if (pkg?.name && pkg?.version) {
+        s += 20;
+        signals.push(`pkg=${pkg.name}@${pkg.version}`);
+    }
+    if (manifest?.host && pkg?.bin) {
+        s += 20;
+        signals.push('bin entry present (npx-runnable)');
+    }
+    else if (pkg?.bin) {
+        s += 10;
+        signals.push('bin entry present');
+    }
+    if (s === 0)
+        signals.push('no publish signals — run harness validate first');
+    const releaseReady = s >= 70;
+    return { name: 'Publish readiness', weight: 0.15, score: Math.min(100, s), signals, witnessSigned, sbom, releaseReady };
+}
+// --- overall ---------------------------------------------------------------
+export function buildScorecard(dir, generatedAt = new Date().toISOString()) {
+    const manifest = safeReadJson(join(dir, '.harness', 'manifest.json'));
+    const repoUnderstanding = scoreRepoUnderstanding(dir, manifest);
+    const agentUsefulness = scoreAgentUsefulness(dir);
+    const mcpSafety = scoreMcpSafety(dir);
+    const testCoverage = scoreTestCoverage(dir);
+    const publishReadiness = scorePublishReadiness(dir, manifest);
+    const dims = [repoUnderstanding, agentUsefulness, mcpSafety, testCoverage, publishReadiness];
+    const overall = Math.round(dims.reduce((sum, d) => sum + d.weight * d.score, 0));
+    let grade;
+    let exitCode;
+    if (overall >= 85) {
+        grade = 'A';
+        exitCode = 0;
+    }
+    else if (overall >= 70) {
+        grade = 'B';
+        exitCode = 0;
+    }
+    else if (overall >= 50) {
+        grade = 'C';
+        exitCode = 1;
+    }
+    else {
+        grade = 'F';
+        exitCode = 2;
+    }
+    // Detect tests: any of __tests__/ tests/ test/.
+    const testsDetected = testCoverage.score > 0;
+    return {
+        schema: 1,
+        generatedAt,
+        dir,
+        overall,
+        grade,
+        dimensions: dims,
+        badges: {
+            score: overall,
+            mcpRisk: mcpSafety.mcpRisk,
+            releaseReady: publishReadiness.releaseReady,
+            testsDetected,
+            sbom: publishReadiness.sbom,
+            witnessSigned: publishReadiness.witnessSigned,
+        },
+        exitCode,
+    };
+}
+// --- formatting ------------------------------------------------------------
+function bar(score) {
+    const width = 20;
+    const filled = Math.round((score / 100) * width);
+    return '█'.repeat(filled) + '░'.repeat(width - filled);
+}
+function yn(b) {
+    return b ? 'Yes' : 'No';
+}
+export function formatScorecard(sc) {
+    const out = [];
+    out.push(`harness score — ${sc.dir}`);
+    out.push('');
+    out.push(`Overall: ${sc.overall}/100  Grade: ${sc.grade}`);
+    out.push('');
+    for (const d of sc.dimensions) {
+        out.push(`  ${d.name.padEnd(22)} ${String(d.score).padStart(3)}  ${bar(d.score)}  (${Math.round(d.weight * 100)}%)`);
+        for (const s of d.signals)
+            out.push(`    · ${s}`);
+    }
+    out.push('');
+    out.push('Badges:');
+    out.push(`  Harness Score: ${sc.badges.score}`);
+    out.push(`  MCP Risk:      ${sc.badges.mcpRisk}`);
+    out.push(`  Release Ready: ${yn(sc.badges.releaseReady)}`);
+    out.push(`  Tests Detected:${yn(sc.badges.testsDetected)}`);
+    out.push(`  SBOM:          ${yn(sc.badges.sbom)}`);
+    out.push(`  Witness Signed:${yn(sc.badges.witnessSigned)}`);
+    out.push('');
+    out.push(`Verdict: ${sc.grade} (exit ${sc.exitCode})`);
+    return out;
+}
+// --- sanitisation (ADR-031) ------------------------------------------------
+const SECRET_RE = /(secret|token|key|password|passphrase)/i;
+function sanitise(v) {
+    if (v == null)
+        return v;
+    if (Array.isArray(v))
+        return v.map(sanitise);
+    if (typeof v === 'object') {
+        const out = {};
+        for (const [k, val] of Object.entries(v)) {
+            out[k] = SECRET_RE.test(k) ? '[REDACTED]' : sanitise(val);
+        }
+        return out;
+    }
+    return v;
+}
+// --- dispatch --------------------------------------------------------------
+function usage() {
+    return [
+        'Usage: harness score <path> [--out <file>] [--json] [--bundle]',
+        '',
+        '  5-dimension scorecard for a generated harness. 0–100, grade A/B/C/F.',
+        '  Dimensions: Repo understanding (25%) · Agent usefulness (25%) ·',
+        '             MCP safety (20%) · Test coverage (15%) · Publish readiness (15%).',
+        '',
+        '  --out <file>   Write the badges JSON to <file>.',
+        '  --json         Emit the badges JSON to stdout instead of text.',
+        '  --bundle       Emit the full scorecard as an ADR-031 schema-1 envelope.',
+    ];
+}
+export async function scoreCmd(args) {
+    const bundle = args.includes('--bundle');
+    const json = args.includes('--json');
+    let outPath = null;
+    const positional = [];
+    for (let i = 0; i < args.length; i++) {
+        const a = args[i];
+        if (a === '--out') {
+            outPath = args[++i] ?? null;
+            if (!outPath) {
+                const err = { schema: 1, error: 'missing-out-path', exitCode: 2 };
+                return { code: 2, lines: [bundle || json ? JSON.stringify(err, null, 2) : '--out requires a file path'] };
+            }
+        }
+        else if (a === '--bundle' || a === '--json') {
+            /* handled */
+        }
+        else if (a === '--help' || a === '-h') {
+            return { code: 0, lines: usage() };
+        }
+        else if (a && !a.startsWith('--')) {
+            positional.push(a);
+        }
+        else if (a) {
+            const err = { schema: 1, error: `unknown-flag-${a.replace(/^--?/, '')}`, exitCode: 2 };
+            return { code: 2, lines: [bundle || json ? JSON.stringify(err, null, 2) : `Unknown flag: ${a}`] };
+        }
+    }
+    if (positional.length === 0) {
+        return { code: 2, lines: usage() };
+    }
+    const dir = resolve(positional[0]);
+    if (!existsSync(dir) || !statSync(dir).isDirectory()) {
+        const generatedAt = new Date().toISOString();
+        const err = { schema: 1, generatedAt, error: 'not-a-directory', dir, exitCode: 2 };
+        if (bundle || json)
+            return { code: 2, lines: [JSON.stringify(err, null, 2)] };
+        return { code: 2, lines: [`harness score: not a directory: ${dir}`] };
+    }
+    const sc = buildScorecard(dir);
+    if (outPath) {
+        try {
+            writeFileSync(resolve(outPath), JSON.stringify(sc.badges, null, 2) + '\n', 'utf-8');
+        }
+        catch (e) {
+            const err = { schema: 1, error: 'out-write-failed', detail: String(e), exitCode: 2 };
+            return { code: 2, lines: [bundle || json ? JSON.stringify(err, null, 2) : `harness score: failed to write --out: ${String(e)}`] };
+        }
+    }
+    if (bundle) {
+        return { code: sc.exitCode, lines: [JSON.stringify(sanitise(sc), null, 2)] };
+    }
+    if (json) {
+        return { code: sc.exitCode, lines: [JSON.stringify(sc.badges, null, 2)] };
+    }
+    return { code: sc.exitCode, lines: formatScorecard(sc) };
+}
+//# sourceMappingURL=score.js.map

package/dist/score.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"score.js","sourceRoot":"","sources":["../src/score.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,EAAE;AACF,2EAA2E;AAC3E,2EAA2E;AAC3E,2BAA2B;AAC3B,EAAE;AACF,+CAA+C;AAC/C,qFAAqF;AACrF,uEAAuE;AACvE,yFAAyF;AACzF,gFAAgF;AAChF,qFAAqF;AACrF,EAAE;AACF,wFAAwF;AACxF,EAAE;AACF,uBAAuB;AACvB,4DAA4D;AAC5D,iCAAiC;AACjC,6CAA6C;AAC7C,0CAA0C;AAE1C,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,aAAa,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,SAAS,CAAC;AACzF,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AA6B1C,8EAA8E;AAE9E,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACnC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IACjD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,SAAS,CAAC,GAAW,EAAE,GAAW;IACzC,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,GAAW,EAAE,GAAW;IAC1C,IAAI,CAAC;QACH,OAAO,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;IACzE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,GAAW,EAAE,GAAW;IACxC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,CAAC,CAAC;QAClC,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;IACtE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED,8EAA8E;AAE9E,SAAS,sBAAsB,CAAC,GAAW,EAAE,QAAa;IACxD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,IAAI,QAAQ,EAAE,CAAC;QACb,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACtC,IAAI,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;YAC3B,CAAC,IAAI,EAAE,CAAC;YACR,OAAO,CAAC,IAAI,CAAC,WAAW,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QACnD,CAAC;QACD,IAAI,QAAQ,CAAC,IAAI,EAAE,cAAc,EAAE,CAAC;YAClC,CAAC,IAAI,EAAE,CAAC;YACR,OAAO,CAAC,IAAI,CAAC,UAAU,QAAQ,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,IAAI,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACpC,CAAC,IAAI,EAAE,CAAC;YACR,OAAO,CAAC,IAAI,CAAC,WAAW,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,oBAAoB,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC;AACxF,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAW;IACvC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAC/C,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACnD,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,0BAA0B,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,EAAE,CAAC,CAAC;QAC/B,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,8BAA8B,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QACjB,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,GAAG,EAAE,CAAC,CAAC;QACjC,OAAO,CAAC,IAAI,CAAC,GAAG,QAAQ,kCAAkC,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACjE,OAAO,EAAE,IAAI,EAAE,kBAAkB,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC;AACtF,CAAC;AAMD,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;IACtE,kFAAkF;IAClF,MAAM,MAAM,GAAG,MAAM,IAAI,IAAI,IAAI,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;QACnD,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IACnF,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,IAAI,IAAI,GAAuC,KAAK,CAAC;IACrD,IAAI,MAAM,EAAE,WAAW,KAAK,IAAI,EAAE,CAAC;QACjC,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAClC,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,MAAM,CAAC;QACd,OAAO,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,MAAM,EAAE,QAAQ,KAAK,IAAI,EAAE,CAAC;QAC9B,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC/B,CAAC;IACD,IAAI,MAAM,EAAE,UAAU,KAAK,KAAK,IAAI,MAAM,EAAE,UAAU,IAAI,IAAI,EAAE,CAAC;QAC/D,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,MAAM,CAAC;QACd,OAAO,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,MAAM,EAAE,YAAY,KAAK,KAAK,IAAI,MAAM,EAAE,YAAY,IAAI,IAAI,EAAE,CAAC;QACnE,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAChC,CAAC;SAAM,CAAC;QACN,IAAI,IAAI,KAAK,MAAM;YAAE,IAAI,GAAG,QAAQ,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAClC,CAAC;IACD,IAAI,MAAM,EAAE,cAAc,KAAK,KAAK,IAAI,MAAM,EAAE,cAAc,IAAI,IAAI,EAAE,CAAC;QACvE,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnC,CAAC;SAAM,CAAC;QACN,IAAI,IAAI,KAAK,MAAM;YAAE,IAAI,GAAG,QAAQ,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAC9F,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,EAAE,WAAW,CAAC,IAAI,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAClG,IAAI,QAAQ,EAAE,CAAC;QACb,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACzC,CAAC;IACD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,CAAC;IACpD,IAAI,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QACvB,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,SAAS,CAAC,GAAG,EAAE,mBAAmB,CAAC,EAAE,CAAC;QACxC,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IACtD,OAAO,EAAE,IAAI,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC;AACnF,CAAC;AAQD,SAAS,qBAAqB,CAAC,GAAW,EAAE,QAAa;IACvD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,MAAM,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAC;IAC/D,IAAI,aAAa,EAAE,CAAC;QAClB,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IACvC,CAAC;IACD,0EAA0E;IAC1E,wEAAwE;IACxE,mCAAmC;IACnC,MAAM,IAAI,GAAG,UAAU,CAAC,GAAG,EAAE,WAAW,CAAC,IAAI,UAAU,CAAC,GAAG,EAAE,oBAAoB,CAAC,CAAC;IACnF,IAAI,IAAI,EAAE,CAAC;QACT,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC/B,CAAC;IACD,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,CAAC;IACpD,IAAI,GAAG,EAAE,IAAI,IAAI,GAAG,EAAE,OAAO,EAAE,CAAC;QAC9B,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,OAAO,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IACjD,CAAC;IACD,IAAI,QAAQ,EAAE,IAAI,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC;QAC/B,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IACnD,CAAC;SAAM,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC;QACpB,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACpC,CAAC;IACD,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;IAC7E,MAAM,YAAY,GAAG,CAAC,IAAI,EAAE,CAAC;IAC7B,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;AAC1H,CAAC;AAED,8EAA8E;AAE9E,MAAM,UAAU,cAAc,CAAC,GAAW,EAAE,cAAsB,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;IACxF,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC,CAAC;IACtE,MAAM,iBAAiB,GAAG,sBAAsB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAChE,MAAM,eAAe,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,YAAY,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,gBAAgB,GAAG,qBAAqB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAE9D,MAAM,IAAI,GAAqB,CAAC,iBAAiB,EAAE,eAAe,EAAE,SAAS,EAAE,YAAY,EAAE,gBAAgB,CAAC,CAAC;IAC/G,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;IAEjF,IAAI,KAA4B,CAAC;IACjC,IAAI,QAAmB,CAAC;IACxB,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;QAClB,KAAK,GAAG,GAAG,CAAC;QACZ,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;SAAM,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;QACzB,KAAK,GAAG,GAAG,CAAC;QACZ,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;SAAM,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;QACzB,KAAK,GAAG,GAAG,CAAC;QACZ,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;SAAM,CAAC;QACN,KAAK,GAAG,GAAG,CAAC;QACZ,QAAQ,GAAG,CAAC,CAAC;IACf,CAAC;IAED,gDAAgD;IAChD,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,GAAG,CAAC,CAAC;IAE7C,OAAO;QACL,MAAM,EAAE,CAAC;QACT,WAAW;QACX,GAAG;QACH,OAAO;QACP,KAAK;QACL,UAAU,EAAE,IAAI;QAChB,MAAM,EAAE;YACN,KAAK,EAAE,OAAO;YACd,OAAO,EAAE,SAAS,CAAC,OAAO;YAC1B,YAAY,EAAE,gBAAgB,CAAC,YAAY;YAC3C,aAAa;YACb,IAAI,EAAE,gBAAgB,CAAC,IAAI;YAC3B,aAAa,EAAE,gBAAgB,CAAC,aAAa;SAC9C;QACD,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,8EAA8E;AAE9E,SAAS,GAAG,CAAC,KAAa;IACxB,MAAM,KAAK,GAAG,EAAE,CAAC;IACjB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IACjD,OAAO,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,EAAE,CAAC,CAAU;IACpB,OAAO,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,EAAa;IAC3C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,GAAG,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;IACtC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,OAAO,gBAAgB,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC;IAC3D,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,UAAU,EAAE,CAAC;QAC9B,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;QACrH,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO;YAAE,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACpD,CAAC;IACD,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACpB,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAChD,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IAClD,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;IAC3D,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;IAC5D,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnD,GAAG,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;IAC5D,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC,KAAK,UAAU,EAAE,CAAC,QAAQ,GAAG,CAAC,CAAC;IACvD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,8EAA8E;AAE9E,MAAM,SAAS,GAAG,yCAAyC,CAAC;AAE5D,SAAS,QAAQ,CAAC,CAAU;IAC1B,IAAI,CAAC,IAAI,IAAI;QAAE,OAAO,CAAC,CAAC;IACxB,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC1B,MAAM,GAAG,GAA4B,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAA4B,CAAC,EAAE,CAAC;YACpE,GAAG,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC5D,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,8EAA8E;AAE9E,SAAS,KAAK;IACZ,OAAO;QACL,gEAAgE;QAChE,EAAE;QACF,wEAAwE;QACxE,mEAAmE;QACnE,gFAAgF;QAChF,EAAE;QACF,mDAAmD;QACnD,kEAAkE;QAClE,2EAA2E;KAC5E,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAc;IAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,OAAO,GAAkB,IAAI,CAAC;IAClC,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;YAClB,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,CAAC;YAC5B,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,CAAU,EAAE,KAAK,EAAE,kBAAkB,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;gBAC3E,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,4BAA4B,CAAC,EAAE,CAAC;YAC5G,CAAC;QACH,CAAC;aAAM,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC9C,aAAa;QACf,CAAC;aAAM,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YACxC,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC;QACrC,CAAC;aAAM,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACpC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrB,CAAC;aAAM,IAAI,CAAC,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,CAAU,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;YAChG,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,iBAAiB,CAAC,EAAE,CAAC,EAAE,CAAC;QACpG,CAAC;IACH,CAAC;IAED,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC;IACrC,CAAC;IAED,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC,CAAE,CAAC,CAAC;IACpC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QACrD,MAAM,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAC7C,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,CAAU,EAAE,WAAW,EAAE,KAAK,EAAE,iBAAiB,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAC5F,IAAI,MAAM,IAAI,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9E,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,mCAAmC,GAAG,EAAE,CAAC,EAAE,CAAC;IACxE,CAAC;IAED,MAAM,EAAE,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IAE/B,IAAI,OAAO,EAAE,CAAC;QACZ,IAAI,CAAC;YACH,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QACtF,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,CAAU,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;YAC9F,OAAO,EAAE,IAAI,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,yCAAyC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QACpI,CAAC;IACH,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/E,CAAC;IACD,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5E,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,eAAe,CAAC,EAAE,CAAC,EAAE,CAAC;AAC3D,CAAC"}

package/dist/secrets.d.ts

@@ -0,0 +1,27 @@
+export type SubcommandResult = {
+    code: number;
+    lines: string[];
+};
+export interface GcloudRunner {
+    run(args: string[], opts?: {
+        input?: string;
+    }): Promise<{
+        code: number;
+        stdout: string;
+        stderr: string;
+    }>;
+}
+/** Default runner — wraps gcloud subprocess. */
+export declare const defaultRunner: GcloudRunner;
+/** Validate full GCP setup for publish-time secret fetch. */
+export declare function check(args: string[], runner?: GcloudRunner): Promise<SubcommandResult>;
+/** Fetch a secret's latest value and print to stdout. */
+export declare function fetch(args: string[], runner?: GcloudRunner): Promise<SubcommandResult>;
+/**
+ * Fetch NPM_TOKEN and run `npm whoami --registry=https://registry.npmjs.org/`.
+ * No publish — just confirms the token is valid + non-revoked.
+ */
+export declare function validateToken(args: string[], runner?: GcloudRunner): Promise<SubcommandResult>;
+/** Top-level dispatcher for `harness secrets <subsub> ...`. */
+export declare function secretsDispatch(args: string[], runner?: GcloudRunner): Promise<SubcommandResult>;
+//# sourceMappingURL=secrets.d.ts.map

package/dist/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../src/secrets.ts"],"names":[],"mappings":"AAsBA,MAAM,MAAM,gBAAgB,GAAG;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAEjE,MAAM,WAAW,YAAY;IAC3B,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,IAAI,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC3G;AAED,gDAAgD;AAChD,eAAO,MAAM,aAAa,EAAE,YAiB3B,CAAC;AAWF,6DAA6D;AAC7D,wBAAsB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,MAAM,GAAE,YAA4B,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAuE3G;AAED,yDAAyD;AACzD,wBAAsB,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,MAAM,GAAE,YAA4B,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAyB3G;AAED;;;GAGG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,MAAM,GAAE,YAA4B,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAwCnH;AAED,+DAA+D;AAC/D,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,MAAM,GAAE,YAA4B,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAmCrH"}

package/dist/secrets.js

@@ -0,0 +1,228 @@
+// SPDX-License-Identifier: MIT
+//
+// `harness secrets` — GCP Secret Manager integration for publish-time
+// credential validation. Uses `gcloud` shell-outs (already a documented
+// prereq) rather than the @google-cloud/secret-manager SDK to avoid
+// pulling 12 MB of GCP client deps into every install.
+//
+// Commands:
+//   harness secrets check               validate full GCP setup
+//   harness secrets fetch <name>        fetch a secret value (stdout)
+//   harness secrets validate-token      fetch NPM_TOKEN + npm whoami
+//
+// Auth path:
+//   - Local dev: ADC via `gcloud auth application-default login`
+//   - CI:       Workload Identity Federation (no long-lived keys)
+import { spawn } from 'node:child_process';
+import { promisify } from 'node:util';
+import { execFile as execFileCb } from 'node:child_process';
+const execFile = promisify(execFileCb);
+/** Default runner — wraps gcloud subprocess. */
+export const defaultRunner = {
+    async run(args, _opts) {
+        try {
+            const { stdout, stderr } = await execFile('gcloud', args, {
+                maxBuffer: 1024 * 1024,
+                windowsHide: true,
+            });
+            return { code: 0, stdout, stderr };
+        }
+        catch (err) {
+            const e = err;
+            return {
+                code: typeof e.code === 'number' ? e.code : 1,
+                stdout: e.stdout ?? '',
+                stderr: e.stderr ?? (e.message ?? ''),
+            };
+        }
+    },
+};
+function isGcloudOnPath() {
+    return new Promise(resolve => {
+        const cmd = process.platform === 'win32' ? 'where' : 'which';
+        const p = spawn(cmd, ['gcloud'], { stdio: 'ignore', windowsHide: true });
+        p.on('error', () => resolve(false));
+        p.on('exit', code => resolve(code === 0));
+    });
+}
+/** Validate full GCP setup for publish-time secret fetch. */
+export async function check(args, runner = defaultRunner) {
+    const lines = ['harness secrets check'];
+    let problems = 0;
+    const projectFromFlag = args.find(a => a.startsWith('--project='))?.slice('--project='.length);
+    const secretName = args.find(a => a.startsWith('--secret='))?.slice('--secret='.length) ?? 'NPM_TOKEN';
+    if (!(await isGcloudOnPath())) {
+        lines.push('  FAIL gcloud CLI not on PATH');
+        lines.push('       install: https://cloud.google.com/sdk/docs/install');
+        return { code: 1, lines };
+    }
+    lines.push('  PASS gcloud is on PATH');
+    // 1. Project
+    let project = projectFromFlag;
+    if (!project) {
+        const r = await runner.run(['config', 'get-value', 'project']);
+        project = r.stdout.trim();
+        if (!project || project === '(unset)') {
+            lines.push('  FAIL no active gcloud project (try --project=<id> or gcloud config set project)');
+            problems++;
+        }
+        else {
+            lines.push(`  PASS active project: ${project}`);
+        }
+    }
+    else {
+        lines.push(`  PASS project flag: ${project}`);
+    }
+    if (!project || problems > 0)
+        return { code: 1, lines };
+    // 2. Auth
+    const auth = await runner.run(['auth', 'list', '--filter=status:ACTIVE', '--format=value(account)']);
+    if (auth.code !== 0 || !auth.stdout.trim()) {
+        lines.push('  FAIL no active gcloud auth (run: gcloud auth application-default login)');
+        problems++;
+    }
+    else {
+        lines.push(`  PASS active account: ${auth.stdout.trim()}`);
+    }
+    // 3. Secret exists
+    const sec = await runner.run([
+        'secrets', 'describe', secretName,
+        `--project=${project}`,
+        '--format=value(name)',
+    ]);
+    if (sec.code !== 0) {
+        lines.push(`  FAIL secret '${secretName}' not found in project ${project}`);
+        lines.push('       create with: gcloud secrets create ' + secretName + ' --replication-policy=automatic');
+        problems++;
+    }
+    else {
+        lines.push(`  PASS secret '${secretName}' exists`);
+    }
+    // 4. WIF pool (best-effort — skip if list errors)
+    const pool = await runner.run([
+        'iam', 'workload-identity-pools', 'list',
+        '--location=global', `--project=${project}`,
+        '--format=value(displayName)', '--filter=state:ACTIVE',
+    ]);
+    if (pool.code === 0 && pool.stdout.trim()) {
+        lines.push(`  PASS workload-identity-pool present (${pool.stdout.trim().split('\n')[0]})`);
+    }
+    else {
+        lines.push('  WARN no active workload-identity-pool found');
+        lines.push('       CI cannot fetch this secret without WIF — see docs/setup/gcp-secrets.md');
+    }
+    if (problems === 0) {
+        lines.push('', `Result: HEALTHY (project=${project}, secret=${secretName})`);
+        return { code: 0, lines };
+    }
+    lines.push('', `Result: ${problems} issue${problems === 1 ? '' : 's'}`);
+    return { code: 1, lines };
+}
+/** Fetch a secret's latest value and print to stdout. */
+export async function fetch(args, runner = defaultRunner) {
+    const lines = [];
+    const name = args.find(a => !a.startsWith('--'));
+    if (!name) {
+        return { code: 2, lines: ['Usage: harness secrets fetch <secret-name> [--project=<id>] [--version=latest]'] };
+    }
+    const project = args.find(a => a.startsWith('--project='))?.slice('--project='.length);
+    const version = args.find(a => a.startsWith('--version='))?.slice('--version='.length) ?? 'latest';
+    const cmd = ['secrets', 'versions', 'access', version, `--secret=${name}`];
+    if (project)
+        cmd.push(`--project=${project}`);
+    const r = await runner.run(cmd);
+    if (r.code !== 0) {
+        return {
+            code: 1,
+            lines: [
+                `Fetch failed for secret '${name}': ${r.stderr.trim() || 'unknown error'}`,
+                'Try: harness secrets check --secret=' + name,
+            ],
+        };
+    }
+    // Print raw value to stdout for piping (no trailing newline added).
+    process.stdout.write(r.stdout);
+    return { code: 0, lines };
+}
+/**
+ * Fetch NPM_TOKEN and run `npm whoami --registry=https://registry.npmjs.org/`.
+ * No publish — just confirms the token is valid + non-revoked.
+ */
+export async function validateToken(args, runner = defaultRunner) {
+    const lines = ['harness secrets validate-token'];
+    const project = args.find(a => a.startsWith('--project='))?.slice('--project='.length);
+    const secret = args.find(a => a.startsWith('--secret='))?.slice('--secret='.length) ?? 'NPM_TOKEN';
+    const cmd = ['secrets', 'versions', 'access', 'latest', `--secret=${secret}`];
+    if (project)
+        cmd.push(`--project=${project}`);
+    const r = await runner.run(cmd);
+    if (r.code !== 0) {
+        lines.push(`  FAIL could not fetch '${secret}' — ${r.stderr.trim() || 'unknown error'}`);
+        return { code: 1, lines };
+    }
+    const token = r.stdout.trim();
+    if (!token) {
+        lines.push(`  FAIL secret '${secret}' returned an empty value`);
+        return { code: 1, lines };
+    }
+    lines.push(`  PASS fetched '${secret}' (${token.length} chars)`);
+    // Run npm whoami with token injected via env. No persistent .npmrc rewrite.
+    try {
+        const { stdout, stderr } = await execFile('npm', ['whoami', '--registry=https://registry.npmjs.org/'], {
+            env: { ...process.env, npm_config__authToken: token },
+            windowsHide: true,
+        });
+        const who = stdout.trim();
+        if (!who) {
+            lines.push(`  FAIL npm whoami returned empty (stderr: ${stderr.trim()})`);
+            return { code: 1, lines };
+        }
+        lines.push(`  PASS npm whoami: ${who}`);
+        lines.push('', `Result: HEALTHY (secret=${secret}, npm_user=${who})`);
+        return { code: 0, lines };
+    }
+    catch (err) {
+        const e = err;
+        lines.push(`  FAIL npm whoami failed: ${e.stderr?.trim() || e.message || 'unknown'}`);
+        lines.push('       token is set but npm rejected it — may be expired or revoked');
+        return { code: 1, lines };
+    }
+}
+/** Top-level dispatcher for `harness secrets <subsub> ...`. */
+export async function secretsDispatch(args, runner = defaultRunner) {
+    const [subsub = 'help', ...rest] = args;
+    switch (subsub) {
+        case 'check':
+            return check(rest, runner);
+        case 'fetch':
+            return fetch(rest, runner);
+        case 'validate-token':
+            return validateToken(rest, runner);
+        case 'help':
+            return {
+                code: 0,
+                lines: [
+                    'Usage: harness secrets <subcommand> [options]',
+                    '',
+                    'Subcommands:',
+                    '  check           — validate full GCP Secret Manager setup',
+                    '  fetch <name>    — fetch a secret value (prints to stdout)',
+                    '  validate-token  — fetch NPM_TOKEN and run `npm whoami`',
+                    '',
+                    'Common options:',
+                    '  --project=<id>    override gcloud active project',
+                    '  --secret=<name>   override default secret name (NPM_TOKEN)',
+                    '  --version=latest  fetch a specific secret version',
+                    '',
+                    'CI usage (Workload Identity Federation):',
+                    '  see docs/setup/gcp-secrets.md',
+                ],
+            };
+        default:
+            return {
+                code: 2,
+                lines: [`Unknown secrets subcommand: ${subsub}`, `Run 'harness secrets help' for usage.`],
+            };
+    }
+}
+//# sourceMappingURL=secrets.js.map