norn-cli 1.5.2 → 1.5.4

package/dist/cli.js

@@ -8881,11 +8881,11 @@ var require_mime_types = __commonJS({
       }
       return exts[0];
     }
-    function lookup(path6) {
-      if (!path6 || typeof path6 !== "string") {
+    function lookup(path10) {
+      if (!path10 || typeof path10 !== "string") {
         return false;
       }
-      var extension2 = extname2("x." + path6).toLowerCase().substr(1);
+      var extension2 = extname2("x." + path10).toLowerCase().substr(1);
       if (!extension2) {
         return false;
       }
@@ -8978,7 +8978,7 @@ var require_iterate = __commonJS({
     module2.exports = iterate;
     function iterate(list, iterator2, state, callback) {
       var key = state["keyedList"] ? state["keyedList"][state.index] : state.index;
-      state.jobs[key] = runJob(iterator2, key, list[key], function(error, output) {
+      state.jobs[key] = runJob(iterator2, key, list[key], function(error, output2) {
         if (!(key in state.jobs)) {
           return;
         }
@@ -8986,7 +8986,7 @@ var require_iterate = __commonJS({
         if (error) {
           abort(state);
         } else {
-          state.results[key] = output;
+          state.results[key] = output2;
         }
         callback(error, state.results);
       });
@@ -9990,13 +9990,13 @@ var require_form_data = __commonJS({
     "use strict";
     var CombinedStream = require_combined_stream();
     var util3 = require("util");
-    var path6 = require("path");
+    var path10 = require("path");
     var http3 = require("http");
-    var https2 = require("https");
+    var https3 = require("https");
     var parseUrl = require("url").parse;
-    var fs7 = require("fs");
+    var fs11 = require("fs");
     var Stream = require("stream").Stream;
-    var crypto2 = require("crypto");
+    var crypto3 = require("crypto");
     var mime = require_mime_types();
     var asynckit = require_asynckit();
     var setToStringTag = require_es_set_tostringtag();
@@ -10061,7 +10061,7 @@ var require_form_data = __commonJS({
         if (value.end != void 0 && value.end != Infinity && value.start != void 0) {
           callback(null, value.end + 1 - (value.start ? value.start : 0));
         } else {
-          fs7.stat(value.path, function(err, stat) {
+          fs11.stat(value.path, function(err, stat) {
             if (err) {
               callback(err);
               return;
@@ -10118,11 +10118,11 @@ var require_form_data = __commonJS({
     FormData3.prototype._getContentDisposition = function(value, options) {
       var filename;
       if (typeof options.filepath === "string") {
-        filename = path6.normalize(options.filepath).replace(/\\/g, "/");
+        filename = path10.normalize(options.filepath).replace(/\\/g, "/");
       } else if (options.filename || value && (value.name || value.path)) {
-        filename = path6.basename(options.filename || value && (value.name || value.path));
+        filename = path10.basename(options.filename || value && (value.name || value.path));
       } else if (value && value.readable && hasOwn(value, "httpVersion")) {
-        filename = path6.basename(value.client._httpMessage.path || "");
+        filename = path10.basename(value.client._httpMessage.path || "");
       }
       if (filename) {
         return 'filename="' + filename + '"';
@@ -10202,7 +10202,7 @@ var require_form_data = __commonJS({
       return Buffer.concat([dataBuffer, Buffer.from(this._lastBoundary())]);
     };
     FormData3.prototype._generateBoundary = function() {
-      this._boundary = "--------------------------" + crypto2.randomBytes(12).toString("hex");
+      this._boundary = "--------------------------" + crypto3.randomBytes(12).toString("hex");
     };
     FormData3.prototype.getLengthSync = function() {
       var knownLength = this._overheadLength + this._valueLength;
@@ -10261,7 +10261,7 @@ var require_form_data = __commonJS({
       }
       options.headers = this.getHeaders(params.headers);
       if (options.protocol === "https:") {
-        request = https2.request(options);
+        request = https3.request(options);
       } else {
         request = http3.request(options);
       }
@@ -11196,7 +11196,7 @@ var require_follow_redirects = __commonJS({
     var url2 = require("url");
     var URL2 = url2.URL;
     var http3 = require("http");
-    var https2 = require("https");
+    var https3 = require("https");
     var Writable = require("stream").Writable;
     var assert = require("assert");
     var debug = require_debug();
@@ -11547,15 +11547,15 @@ var require_follow_redirects = __commonJS({
         var protocol = scheme + ":";
         var nativeProtocol = nativeProtocols[protocol] = protocols[scheme];
         var wrappedProtocol = exports3[scheme] = Object.create(nativeProtocol);
-        function request(input, options, callback) {
-          if (isURL(input)) {
-            input = spreadUrlObject(input);
-          } else if (isString3(input)) {
-            input = spreadUrlObject(parseUrl(input));
+        function request(input2, options, callback) {
+          if (isURL(input2)) {
+            input2 = spreadUrlObject(input2);
+          } else if (isString3(input2)) {
+            input2 = spreadUrlObject(parseUrl(input2));
           } else {
             callback = options;
-            options = validateUrl(input);
-            input = { protocol };
+            options = validateUrl(input2);
+            input2 = { protocol };
           }
           if (isFunction3(options)) {
             callback = options;
@@ -11564,7 +11564,7 @@ var require_follow_redirects = __commonJS({
           options = Object.assign({
             maxRedirects: exports3.maxRedirects,
             maxBodyLength: exports3.maxBodyLength
-          }, input, options);
+          }, input2, options);
           options.nativeProtocols = nativeProtocols;
           if (!isString3(options.host) && !isString3(options.hostname)) {
             options.hostname = "::1";
@@ -11573,8 +11573,8 @@ var require_follow_redirects = __commonJS({
           debug("options", options);
           return new RedirectableRequest(options, callback);
         }
-        function get(input, options, callback) {
-          var wrappedRequest = wrappedProtocol.request(input, options, callback);
+        function get(input2, options, callback) {
+          var wrappedRequest = wrappedProtocol.request(input2, options, callback);
           wrappedRequest.end();
           return wrappedRequest;
         }
@@ -11587,29 +11587,29 @@ var require_follow_redirects = __commonJS({
     }
     function noop2() {
     }
-    function parseUrl(input) {
+    function parseUrl(input2) {
       var parsed;
       if (useNativeURL) {
-        parsed = new URL2(input);
+        parsed = new URL2(input2);
       } else {
-        parsed = validateUrl(url2.parse(input));
+        parsed = validateUrl(url2.parse(input2));
         if (!isString3(parsed.protocol)) {
-          throw new InvalidUrlError({ input });
+          throw new InvalidUrlError({ input: input2 });
         }
       }
       return parsed;
     }
-    function resolveUrl(relative3, base) {
-      return useNativeURL ? new URL2(relative3, base) : parseUrl(url2.resolve(base, relative3));
+    function resolveUrl(relative4, base) {
+      return useNativeURL ? new URL2(relative4, base) : parseUrl(url2.resolve(base, relative4));
     }
-    function validateUrl(input) {
-      if (/^\[/.test(input.hostname) && !/^\[[:0-9a-f]+\]$/i.test(input.hostname)) {
-        throw new InvalidUrlError({ input: input.href || input });
+    function validateUrl(input2) {
+      if (/^\[/.test(input2.hostname) && !/^\[[:0-9a-f]+\]$/i.test(input2.hostname)) {
+        throw new InvalidUrlError({ input: input2.href || input2 });
       }
-      if (/^\[/.test(input.host) && !/^\[[:0-9a-f]+\](:\d+)?$/i.test(input.host)) {
-        throw new InvalidUrlError({ input: input.href || input });
+      if (/^\[/.test(input2.host) && !/^\[[:0-9a-f]+\](:\d+)?$/i.test(input2.host)) {
+        throw new InvalidUrlError({ input: input2.href || input2 });
       }
-      return input;
+      return input2;
     }
     function spreadUrlObject(urlObject, target) {
       var spread3 = target || {};
@@ -11681,7 +11681,7 @@ var require_follow_redirects = __commonJS({
     function isURL(value) {
       return URL2 && value instanceof URL2;
     }
-    module2.exports = wrap({ http: http3, https: https2 });
+    module2.exports = wrap({ http: http3, https: https3 });
     module2.exports.wrap = wrap;
   }
 });
@@ -15089,7 +15089,7 @@ var require_compile = __commonJS({
       const schOrFunc = root.refs[ref];
       if (schOrFunc)
         return schOrFunc;
-      let _sch = resolve6.call(this, root, ref);
+      let _sch = resolve9.call(this, root, ref);
       if (_sch === void 0) {
         const schema = (_a = root.localRefs) === null || _a === void 0 ? void 0 : _a[ref];
         const { schemaId } = this.opts;
@@ -15116,7 +15116,7 @@ var require_compile = __commonJS({
     function sameSchemaEnv(s1, s2) {
       return s1.schema === s2.schema && s1.root === s2.root && s1.baseId === s2.baseId;
     }
-    function resolve6(root, ref) {
+    function resolve9(root, ref) {
       let sch;
       while (typeof (sch = this.refs[ref]) == "string")
         ref = sch;
@@ -15214,27 +15214,27 @@ var require_utils = __commonJS({
     "use strict";
     var isUUID = RegExp.prototype.test.bind(/^[\da-f]{8}-[\da-f]{4}-[\da-f]{4}-[\da-f]{4}-[\da-f]{12}$/iu);
     var isIPv4 = RegExp.prototype.test.bind(/^(?:(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]\d|\d)$/u);
-    function stringArrayToHexStripped(input) {
+    function stringArrayToHexStripped(input2) {
       let acc = "";
       let code = 0;
       let i = 0;
-      for (i = 0; i < input.length; i++) {
-        code = input[i].charCodeAt(0);
+      for (i = 0; i < input2.length; i++) {
+        code = input2[i].charCodeAt(0);
         if (code === 48) {
           continue;
         }
         if (!(code >= 48 && code <= 57 || code >= 65 && code <= 70 || code >= 97 && code <= 102)) {
           return "";
         }
-        acc += input[i];
+        acc += input2[i];
         break;
       }
-      for (i += 1; i < input.length; i++) {
-        code = input[i].charCodeAt(0);
+      for (i += 1; i < input2.length; i++) {
+        code = input2[i].charCodeAt(0);
         if (!(code >= 48 && code <= 57 || code >= 65 && code <= 70 || code >= 97 && code <= 102)) {
           return "";
         }
-        acc += input[i];
+        acc += input2[i];
       }
       return acc;
     }
@@ -15243,29 +15243,29 @@ var require_utils = __commonJS({
       buffer.length = 0;
       return true;
     }
-    function consumeHextets(buffer, address, output) {
+    function consumeHextets(buffer, address, output2) {
       if (buffer.length) {
         const hex = stringArrayToHexStripped(buffer);
         if (hex !== "") {
           address.push(hex);
         } else {
-          output.error = true;
+          output2.error = true;
           return false;
         }
         buffer.length = 0;
       }
       return true;
     }
-    function getIPV6(input) {
+    function getIPV6(input2) {
       let tokenCount = 0;
-      const output = { error: false, address: "", zone: "" };
+      const output2 = { error: false, address: "", zone: "" };
       const address = [];
       const buffer = [];
       let endipv6Encountered = false;
       let endIpv6 = false;
       let consume = consumeHextets;
-      for (let i = 0; i < input.length; i++) {
-        const cursor = input[i];
+      for (let i = 0; i < input2.length; i++) {
+        const cursor = input2[i];
         if (cursor === "[" || cursor === "]") {
           continue;
         }
@@ -15273,20 +15273,20 @@ var require_utils = __commonJS({
           if (endipv6Encountered === true) {
             endIpv6 = true;
           }
-          if (!consume(buffer, address, output)) {
+          if (!consume(buffer, address, output2)) {
             break;
           }
           if (++tokenCount > 7) {
-            output.error = true;
+            output2.error = true;
             break;
           }
-          if (i > 0 && input[i - 1] === ":") {
+          if (i > 0 && input2[i - 1] === ":") {
             endipv6Encountered = true;
           }
           address.push(":");
           continue;
         } else if (cursor === "%") {
-          if (!consume(buffer, address, output)) {
+          if (!consume(buffer, address, output2)) {
             break;
           }
           consume = consumeIsZone;
@@ -15297,15 +15297,15 @@ var require_utils = __commonJS({
       }
       if (buffer.length) {
         if (consume === consumeIsZone) {
-          output.zone = buffer.join("");
+          output2.zone = buffer.join("");
         } else if (endIpv6) {
           address.push(buffer.join(""));
         } else {
           address.push(stringArrayToHexStripped(buffer));
         }
       }
-      output.address = address.join("");
-      return output;
+      output2.address = address.join("");
+      return output2;
     }
     function normalizeIPv6(host) {
       if (findToken(host, ":") < 2) {
@@ -15331,80 +15331,80 @@ var require_utils = __commonJS({
       }
       return ind;
     }
-    function removeDotSegments(path6) {
-      let input = path6;
-      const output = [];
+    function removeDotSegments(path10) {
+      let input2 = path10;
+      const output2 = [];
       let nextSlash = -1;
       let len = 0;
-      while (len = input.length) {
+      while (len = input2.length) {
         if (len === 1) {
-          if (input === ".") {
+          if (input2 === ".") {
             break;
-          } else if (input === "/") {
-            output.push("/");
+          } else if (input2 === "/") {
+            output2.push("/");
             break;
           } else {
-            output.push(input);
+            output2.push(input2);
             break;
           }
         } else if (len === 2) {
-          if (input[0] === ".") {
-            if (input[1] === ".") {
+          if (input2[0] === ".") {
+            if (input2[1] === ".") {
               break;
-            } else if (input[1] === "/") {
-              input = input.slice(2);
+            } else if (input2[1] === "/") {
+              input2 = input2.slice(2);
               continue;
             }
-          } else if (input[0] === "/") {
-            if (input[1] === "." || input[1] === "/") {
-              output.push("/");
+          } else if (input2[0] === "/") {
+            if (input2[1] === "." || input2[1] === "/") {
+              output2.push("/");
               break;
             }
           }
         } else if (len === 3) {
-          if (input === "/..") {
-            if (output.length !== 0) {
-              output.pop();
+          if (input2 === "/..") {
+            if (output2.length !== 0) {
+              output2.pop();
             }
-            output.push("/");
+            output2.push("/");
             break;
           }
         }
-        if (input[0] === ".") {
-          if (input[1] === ".") {
-            if (input[2] === "/") {
-              input = input.slice(3);
+        if (input2[0] === ".") {
+          if (input2[1] === ".") {
+            if (input2[2] === "/") {
+              input2 = input2.slice(3);
               continue;
             }
-          } else if (input[1] === "/") {
-            input = input.slice(2);
+          } else if (input2[1] === "/") {
+            input2 = input2.slice(2);
             continue;
           }
-        } else if (input[0] === "/") {
-          if (input[1] === ".") {
-            if (input[2] === "/") {
-              input = input.slice(2);
+        } else if (input2[0] === "/") {
+          if (input2[1] === ".") {
+            if (input2[2] === "/") {
+              input2 = input2.slice(2);
               continue;
-            } else if (input[2] === ".") {
-              if (input[3] === "/") {
-                input = input.slice(3);
-                if (output.length !== 0) {
-                  output.pop();
+            } else if (input2[2] === ".") {
+              if (input2[3] === "/") {
+                input2 = input2.slice(3);
+                if (output2.length !== 0) {
+                  output2.pop();
                 }
                 continue;
               }
             }
           }
         }
-        if ((nextSlash = input.indexOf("/", 1)) === -1) {
-          output.push(input);
+        if ((nextSlash = input2.indexOf("/", 1)) === -1) {
+          output2.push(input2);
           break;
         } else {
-          output.push(input.slice(0, nextSlash));
-          input = input.slice(nextSlash);
+          output2.push(input2.slice(0, nextSlash));
+          input2 = input2.slice(nextSlash);
         }
       }
-      return output.join("");
+      return output2.join("");
     }
     function normalizeComponentEncoding(component, esc) {
       const func = esc !== true ? escape : unescape;
@@ -15531,8 +15531,8 @@ var require_schemes = __commonJS({
         wsComponent.secure = void 0;
       }
       if (wsComponent.resourceName) {
-        const [path6, query] = wsComponent.resourceName.split("?");
-        wsComponent.path = path6 && path6 !== "/" ? path6 : void 0;
+        const [path10, query] = wsComponent.resourceName.split("?");
+        wsComponent.path = path10 && path10 !== "/" ? path10 : void 0;
         wsComponent.query = query;
         wsComponent.resourceName = void 0;
       }
@@ -15600,7 +15600,7 @@ var require_schemes = __commonJS({
         serialize: httpSerialize
       }
     );
-    var https2 = (
+    var https3 = (
       /** @type {SchemeHandler} */
       {
         scheme: "https",
@@ -15649,7 +15649,7 @@ var require_schemes = __commonJS({
       /** @type {Record<SchemeName, SchemeHandler>} */
       {
         http: http3,
-        https: https2,
+        https: https3,
         ws,
         wss,
         urn,
@@ -15691,55 +15691,55 @@ var require_fast_uri = __commonJS({
       }
       return uri;
     }
-    function resolve6(baseURI, relativeURI, options) {
+    function resolve9(baseURI, relativeURI, options) {
       const schemelessOptions = options ? Object.assign({ scheme: "null" }, options) : { scheme: "null" };
       const resolved = resolveComponent(parse2(baseURI, schemelessOptions), parse2(relativeURI, schemelessOptions), schemelessOptions, true);
       schemelessOptions.skipEscape = true;
       return serialize(resolved, schemelessOptions);
     }
-    function resolveComponent(base, relative3, options, skipNormalization) {
+    function resolveComponent(base, relative4, options, skipNormalization) {
       const target = {};
       if (!skipNormalization) {
         base = parse2(serialize(base, options), options);
-        relative3 = parse2(serialize(relative3, options), options);
+        relative4 = parse2(serialize(relative4, options), options);
       }
       options = options || {};
-      if (!options.tolerant && relative3.scheme) {
-        target.scheme = relative3.scheme;
-        target.userinfo = relative3.userinfo;
-        target.host = relative3.host;
-        target.port = relative3.port;
-        target.path = removeDotSegments(relative3.path || "");
-        target.query = relative3.query;
+      if (!options.tolerant && relative4.scheme) {
+        target.scheme = relative4.scheme;
+        target.userinfo = relative4.userinfo;
+        target.host = relative4.host;
+        target.port = relative4.port;
+        target.path = removeDotSegments(relative4.path || "");
+        target.query = relative4.query;
       } else {
-        if (relative3.userinfo !== void 0 || relative3.host !== void 0 || relative3.port !== void 0) {
-          target.userinfo = relative3.userinfo;
-          target.host = relative3.host;
-          target.port = relative3.port;
-          target.path = removeDotSegments(relative3.path || "");
-          target.query = relative3.query;
+        if (relative4.userinfo !== void 0 || relative4.host !== void 0 || relative4.port !== void 0) {
+          target.userinfo = relative4.userinfo;
+          target.host = relative4.host;
+          target.port = relative4.port;
+          target.path = removeDotSegments(relative4.path || "");
+          target.query = relative4.query;
         } else {
-          if (!relative3.path) {
+          if (!relative4.path) {
             target.path = base.path;
-            if (relative3.query !== void 0) {
-              target.query = relative3.query;
+            if (relative4.query !== void 0) {
+              target.query = relative4.query;
             } else {
               target.query = base.query;
             }
           } else {
-            if (relative3.path[0] === "/") {
-              target.path = removeDotSegments(relative3.path);
+            if (relative4.path[0] === "/") {
+              target.path = removeDotSegments(relative4.path);
             } else {
               if ((base.userinfo !== void 0 || base.host !== void 0 || base.port !== void 0) && !base.path) {
-                target.path = "/" + relative3.path;
+                target.path = "/" + relative4.path;
               } else if (!base.path) {
-                target.path = relative3.path;
+                target.path = relative4.path;
               } else {
-                target.path = base.path.slice(0, base.path.lastIndexOf("/") + 1) + relative3.path;
+                target.path = base.path.slice(0, base.path.lastIndexOf("/") + 1) + relative4.path;
               }
               target.path = removeDotSegments(target.path);
             }
-            target.query = relative3.query;
+            target.query = relative4.query;
           }
           target.userinfo = base.userinfo;
           target.host = base.host;
@@ -15747,7 +15747,7 @@ var require_fast_uri = __commonJS({
         }
         target.scheme = base.scheme;
       }
-      target.fragment = relative3.fragment;
+      target.fragment = relative4.fragment;
       return target;
     }
     function equal(uriA, uriB, options) {
@@ -15918,7 +15918,7 @@ var require_fast_uri = __commonJS({
     var fastUri = {
       SCHEMES,
       normalize,
-      resolve: resolve6,
+      resolve: resolve9,
       resolveComponent,
       equal,
       serialize,
@@ -18738,8 +18738,8 @@ function validateAgainstSchemaDetailed(value, schemaPath, basePath, workspaceRoo
     if (!valid && validate2.errors) {
       const errors = validate2.errors.map((err) => convertAjvError(err, value));
       const errorStrings = validate2.errors.map((err) => {
-        const path6 = err.instancePath || "(root)";
-        return `${path6}: ${err.message}`;
+        const path10 = err.instancePath || "(root)";
+        return `${path10}: ${err.message}`;
       });
       return {
         valid: false,
@@ -18868,7 +18868,7 @@ function resolveValue(expr, responses, variables, getValueByPath2, responseIndex
   if (refMatch) {
     const responseIdx = parseInt(refMatch[1], 10);
     const responseIndex = responseIdx - 1;
-    const path6 = refMatch[2];
+    const path10 = refMatch[2];
     if (responseIndex < 0 || responseIndex >= responses.length) {
       return {
         value: void 0,
@@ -18876,12 +18876,12 @@ function resolveValue(expr, responses, variables, getValueByPath2, responseIndex
       };
     }
     const response = responses[responseIndex];
-    const value = getValueByPath2(response, path6);
+    const value = getValueByPath2(response, path10);
     return {
       value,
       responseIndex: responseIdx,
       response,
-      jsonPath: path6,
+      jsonPath: path10,
       variableName: responseIndexToVariable?.get(responseIdx)
     };
   }
@@ -18898,22 +18898,22 @@ function resolveValue(expr, responses, variables, getValueByPath2, responseIndex
     if (varName in variables) {
       const varValue = variables[varName];
       if (typeof varValue === "object" && varValue !== null) {
-        const path6 = pathPart.replace(/^\./, "");
-        const value = getNestedValue2(varValue, path6);
+        const path10 = pathPart.replace(/^\./, "");
+        const value = getNestedValue2(varValue, path10);
         const isHttpResponse = "status" in varValue && "body" in varValue;
         return {
           value,
           variableName: varName,
-          jsonPath: path6,
+          jsonPath: path10,
           response: isHttpResponse ? varValue : void 0
         };
       }
       if (typeof varValue === "string") {
         try {
           const parsed = JSON.parse(varValue);
-          const path6 = pathPart.replace(/^\./, "");
-          const value = getNestedValue2(parsed, path6);
-          return { value, variableName: varName, jsonPath: path6 };
+          const path10 = pathPart.replace(/^\./, "");
+          const value = getNestedValue2(parsed, path10);
+          return { value, variableName: varName, jsonPath: path10 };
         } catch {
           return { value: void 0, error: `Cannot access path on non-object variable: ${varName}` };
         }
@@ -18969,11 +18969,11 @@ function resolveValue(expr, responses, variables, getValueByPath2, responseIndex
   }
   return { value: void 0, error: `Cannot resolve expression: ${trimmed}` };
 }
-function getNestedValue2(obj, path6) {
-  if (!path6 || obj === null || obj === void 0) {
+function getNestedValue2(obj, path10) {
+  if (!path10 || obj === null || obj === void 0) {
     return obj;
   }
-  const parts = path6.replace(/\[(\d+)\]/g, ".$1").split(".").filter((p) => p !== "");
+  const parts = path10.replace(/\[(\d+)\]/g, ".$1").split(".").filter((p) => p !== "");
   let current = obj;
   for (const part of parts) {
     if (current === null || current === void 0) {
@@ -19769,16 +19769,16 @@ var init_source = __esm({
 });
 
 // src/cli.ts
-var fs6 = __toESM(require("fs"));
+var fs10 = __toESM(require("fs"));
 var fsPromises = __toESM(require("fs/promises"));
-var path5 = __toESM(require("path"));
+var path9 = __toESM(require("path"));
 
 // src/nornapiParser.ts
-function extractPathParameters(path6) {
+function extractPathParameters(path10) {
   const params = [];
   const regex = /(?<!\{)\{([a-zA-Z_][a-zA-Z0-9_]*)\}(?!\})/g;
   let match;
-  while ((match = regex.exec(path6)) !== null) {
+  while ((match = regex.exec(path10)) !== null) {
     params.push(match[1]);
   }
   return params;
@@ -19828,12 +19828,12 @@ function parseNornApiFile(content) {
     if (inEndpointsBlock) {
       const endpointMatch = trimmed.match(/^([a-zA-Z_][a-zA-Z0-9_]*)\s*:\s*(GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS)\s+(.+)$/i);
       if (endpointMatch) {
-        const path6 = endpointMatch[3].trim();
+        const path10 = endpointMatch[3].trim();
         endpoints.push({
           name: endpointMatch[1],
           method: endpointMatch[2].toUpperCase(),
-          path: path6,
-          parameters: extractPathParameters(path6)
+          path: path10,
+          parameters: extractPathParameters(path10)
         });
       }
       continue;
@@ -20123,11 +20123,11 @@ function extractFileLevelVariables(text) {
   }
   return variables;
 }
-function getNestedValue(obj, path6) {
-  if (!path6 || obj === null || obj === void 0) {
+function getNestedValue(obj, path10) {
+  if (!path10 || obj === null || obj === void 0) {
     return obj;
   }
-  const parts = path6.replace(/\[(\d+)\]/g, ".$1").split(".").filter((p) => p !== "");
+  const parts = path10.replace(/\[(\d+)\]/g, ".$1").split(".").filter((p) => p !== "");
   let current = obj;
   for (const part of parts) {
     if (current === null || current === void 0) {
@@ -20159,8 +20159,8 @@ function substituteVariables(text, variables) {
       const value = variables[varName];
       if (typeof value === "object" && value !== null) {
         if (pathPart) {
-          const path6 = pathPart.replace(/^\./, "");
-          const nestedValue = getNestedValue(value, path6);
+          const path10 = pathPart.replace(/^\./, "");
+          const nestedValue = getNestedValue(value, path10);
           return valueToString(nestedValue);
         }
         return valueToString(value);
@@ -20168,8 +20168,8 @@ function substituteVariables(text, variables) {
       if (pathPart && typeof value === "string") {
         try {
           const parsed = JSON.parse(value);
-          const path6 = pathPart.replace(/^\./, "");
-          const nestedValue = getNestedValue(parsed, path6);
+          const path10 = pathPart.replace(/^\./, "");
+          const nestedValue = getNestedValue(parsed, path10);
           return valueToString(nestedValue);
         } catch {
           return value;
@@ -20285,8 +20285,8 @@ async function resolveImports(text, baseDir, readFile2, alreadyImported = /* @__
   const namedRequestSources = /* @__PURE__ */ new Map();
   const sequenceSources = /* @__PURE__ */ new Map();
   for (const imp of imports) {
-    const path6 = await import("path");
-    const absolutePath = path6.resolve(baseDir, imp.path);
+    const path10 = await import("path");
+    const absolutePath = path10.resolve(baseDir, imp.path);
     if (importStack.has(absolutePath)) {
       errors.push({
         path: imp.path,
@@ -20333,7 +20333,7 @@ async function resolveImports(text, baseDir, readFile2, alreadyImported = /* @__
         }
         continue;
       }
-      const importDir = path6.dirname(absolutePath);
+      const importDir = path10.dirname(absolutePath);
       const nestedResult = await resolveImports(content, importDir, readFile2, alreadyImported, importStack);
       errors.push(...nestedResult.errors);
       resolvedPaths.push(...nestedResult.resolvedPaths);
@@ -20932,9 +20932,9 @@ function isVisitable(thing) {
 function removeBrackets(key) {
   return utils_default.endsWith(key, "[]") ? key.slice(0, -2) : key;
 }
-function renderKey(path6, key, dots) {
-  if (!path6) return key;
-  return path6.concat(key).map(function each(token, i) {
+function renderKey(path10, key, dots) {
+  if (!path10) return key;
+  return path10.concat(key).map(function each(token, i) {
     token = removeBrackets(token);
     return !dots && i ? "[" + token + "]" : token;
   }).join(dots ? "." : "");
@@ -20982,9 +20982,9 @@ function toFormData(obj, formData, options) {
     }
     return value;
   }
-  function defaultVisitor(value, key, path6) {
+  function defaultVisitor(value, key, path10) {
     let arr = value;
-    if (value && !path6 && typeof value === "object") {
+    if (value && !path10 && typeof value === "object") {
       if (utils_default.endsWith(key, "{}")) {
         key = metaTokens ? key : key.slice(0, -2);
         value = JSON.stringify(value);
@@ -21003,7 +21003,7 @@ function toFormData(obj, formData, options) {
     if (isVisitable(value)) {
       return true;
     }
-    formData.append(renderKey(path6, key, dots), convertValue(value));
+    formData.append(renderKey(path10, key, dots), convertValue(value));
     return false;
   }
   const stack = [];
@@ -21012,10 +21012,10 @@ function toFormData(obj, formData, options) {
     convertValue,
     isVisitable
   });
-  function build(value, path6) {
+  function build(value, path10) {
     if (utils_default.isUndefined(value)) return;
     if (stack.indexOf(value) !== -1) {
-      throw Error("Circular reference detected in " + path6.join("."));
+      throw Error("Circular reference detected in " + path10.join("."));
     }
     stack.push(value);
     utils_default.forEach(value, function each(el, key) {
@@ -21023,11 +21023,11 @@ function toFormData(obj, formData, options) {
         formData,
         el,
         utils_default.isString(key) ? key.trim() : key,
-        path6,
+        path10,
         exposedHelpers
       );
       if (result === true) {
-        build(el, path6 ? path6.concat(key) : [key]);
+        build(el, path10 ? path10.concat(key) : [key]);
       }
     });
     stack.pop();
@@ -21239,7 +21239,7 @@ var platform_default = {
 // node_modules/axios/lib/helpers/toURLEncodedForm.js
 function toURLEncodedForm(data, options) {
   return toFormData_default(data, new platform_default.classes.URLSearchParams(), {
-    visitor: function(value, key, path6, helpers) {
+    visitor: function(value, key, path10, helpers) {
       if (platform_default.isNode && utils_default.isBuffer(value)) {
         this.append(key, value.toString("base64"));
         return false;
@@ -21269,11 +21269,11 @@ function arrayToObject(arr) {
   return obj;
 }
 function formDataToJSON(formData) {
-  function buildPath(path6, value, target, index) {
-    let name = path6[index++];
+  function buildPath(path10, value, target, index) {
+    let name = path10[index++];
     if (name === "__proto__") return true;
     const isNumericKey = Number.isFinite(+name);
-    const isLast = index >= path6.length;
+    const isLast = index >= path10.length;
     name = !name && utils_default.isArray(target) ? target.length : name;
     if (isLast) {
       if (utils_default.hasOwnProp(target, name)) {
@@ -21286,7 +21286,7 @@ function formDataToJSON(formData) {
     if (!target[name] || !utils_default.isObject(target[name])) {
       target[name] = [];
     }
-    const result = buildPath(path6, value, target[name], index);
+    const result = buildPath(path10, value, target[name], index);
     if (result && utils_default.isArray(target[name])) {
       target[name] = arrayToObject(target[name]);
     }
@@ -21715,10 +21715,10 @@ utils_default.inherits(CanceledError, AxiosError_default, {
 var CanceledError_default = CanceledError;
 
 // node_modules/axios/lib/core/settle.js
-function settle(resolve6, reject, response) {
+function settle(resolve9, reject, response) {
   const validateStatus2 = response.config.validateStatus;
   if (!response.status || !validateStatus2 || validateStatus2(response.status)) {
-    resolve6(response);
+    resolve9(response);
   } else {
     reject(new AxiosError_default(
       "Request failed with status code " + response.status,
@@ -22341,7 +22341,7 @@ function setProxy(options, configProxy, location) {
 }
 var isHttpAdapterSupported = typeof process !== "undefined" && utils_default.kindOf(process) === "process";
 var wrapAsync = (asyncExecutor) => {
-  return new Promise((resolve6, reject) => {
+  return new Promise((resolve9, reject) => {
     let onDone;
     let isDone;
     const done = (value, isRejected) => {
@@ -22351,7 +22351,7 @@ var wrapAsync = (asyncExecutor) => {
     };
     const _resolve = (value) => {
       done(value);
-      resolve6(value);
+      resolve9(value);
     };
     const _reject = (reason) => {
       done(reason, true);
@@ -22403,7 +22403,7 @@ var http2Transport = {
   }
 };
 var http_default = isHttpAdapterSupported && function httpAdapter(config) {
-  return wrapAsync(async function dispatchHttpRequest(resolve6, reject, onDone) {
+  return wrapAsync(async function dispatchHttpRequest(resolve9, reject, onDone) {
     let { data, lookup, family, httpVersion = 1, http2Options } = config;
     const { responseType, responseEncoding } = config;
     const method = config.method.toUpperCase();
@@ -22488,7 +22488,7 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config) {
       }
       let convertedData;
       if (method !== "GET") {
-        return settle(resolve6, reject, {
+        return settle(resolve9, reject, {
           status: 405,
           statusText: "method not allowed",
           headers: {},
@@ -22510,7 +22510,7 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config) {
       } else if (responseType === "stream") {
         convertedData = import_stream4.default.Readable.from(convertedData);
       }
-      return settle(resolve6, reject, {
+      return settle(resolve9, reject, {
         data: convertedData,
         status: 200,
         statusText: "OK",
@@ -22608,9 +22608,9 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config) {
       auth = urlUsername + ":" + urlPassword;
     }
     auth && headers.delete("authorization");
-    let path6;
+    let path10;
     try {
-      path6 = buildURL(
+      path10 = buildURL(
         parsed.pathname + parsed.search,
         config.params,
         config.paramsSerializer
@@ -22628,7 +22628,7 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config) {
       false
     );
     const options = {
-      path: path6,
+      path: path10,
       method,
       headers: headers.toJSON(),
       agents: { http: config.httpAgent, https: config.httpsAgent },
@@ -22729,7 +22729,7 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config) {
       };
       if (responseType === "stream") {
         response.data = responseStream;
-        settle(resolve6, reject, response);
+        settle(resolve9, reject, response);
       } else {
         const responseBuffer = [];
         let totalResponseBytes = 0;
@@ -22777,7 +22777,7 @@ var http_default = isHttpAdapterSupported && function httpAdapter(config) {
           } catch (err) {
             return reject(AxiosError_default.from(err, null, config, response.request, response));
           }
-          settle(resolve6, reject, response);
+          settle(resolve9, reject, response);
         });
       }
       abortEmitter.once("abort", (err) => {
@@ -22864,14 +22864,14 @@ var isURLSameOrigin_default = platform_default.hasStandardBrowserEnv ? /* @__PUR
 var cookies_default = platform_default.hasStandardBrowserEnv ? (
   // Standard browser envs support document.cookie
   {
-    write(name, value, expires, path6, domain, secure, sameSite) {
+    write(name, value, expires, path10, domain, secure, sameSite) {
       if (typeof document === "undefined") return;
       const cookie = [`${name}=${encodeURIComponent(value)}`];
       if (utils_default.isNumber(expires)) {
         cookie.push(`expires=${new Date(expires).toUTCString()}`);
       }
-      if (utils_default.isString(path6)) {
-        cookie.push(`path=${path6}`);
+      if (utils_default.isString(path10)) {
+        cookie.push(`path=${path10}`);
       }
       if (utils_default.isString(domain)) {
         cookie.push(`domain=${domain}`);
@@ -23026,7 +23026,7 @@ var resolveConfig_default = (config) => {
 // node_modules/axios/lib/adapters/xhr.js
 var isXHRAdapterSupported = typeof XMLHttpRequest !== "undefined";
 var xhr_default = isXHRAdapterSupported && function(config) {
-  return new Promise(function dispatchXhrRequest(resolve6, reject) {
+  return new Promise(function dispatchXhrRequest(resolve9, reject) {
     const _config = resolveConfig_default(config);
     let requestData = _config.data;
     const requestHeaders = AxiosHeaders_default.from(_config.headers).normalize();
@@ -23060,7 +23060,7 @@ var xhr_default = isXHRAdapterSupported && function(config) {
         request
       };
       settle(function _resolve(value) {
-        resolve6(value);
+        resolve9(value);
         done();
       }, function _reject(err) {
         reject(err);
@@ -23431,8 +23431,8 @@ var factory = (env3) => {
       responseType = responseType || "text";
       let responseData = await resolvers[utils_default.findKey(resolvers, responseType) || "text"](response, config);
       !isStreamResponse && unsubscribe && unsubscribe();
-      return await new Promise((resolve6, reject) => {
-        settle(resolve6, reject, {
+      return await new Promise((resolve9, reject) => {
+        settle(resolve9, reject, {
           data: responseData,
           headers: AxiosHeaders_default.from(response.headers),
           status: response.status,
@@ -23828,8 +23828,8 @@ var CancelToken = class _CancelToken {
       throw new TypeError("executor must be a function.");
     }
     let resolvePromise;
-    this.promise = new Promise(function promiseExecutor(resolve6) {
-      resolvePromise = resolve6;
+    this.promise = new Promise(function promiseExecutor(resolve9) {
+      resolvePromise = resolve9;
     });
     const token = this;
     this.promise.then((cancel) => {
@@ -23842,9 +23842,9 @@ var CancelToken = class _CancelToken {
     });
     this.promise.then = (onfulfilled) => {
       let _resolve;
-      const promise = new Promise((resolve6) => {
-        token.subscribe(resolve6);
-        _resolve = resolve6;
+      const promise = new Promise((resolve9) => {
+        token.subscribe(resolve9);
+        _resolve = resolve9;
       }).then(onfulfilled);
       promise.cancel = function reject() {
         token.unsubscribe(_resolve);
@@ -24061,6 +24061,9 @@ var {
   mergeConfig: mergeConfig2
 } = axios_default;
 
+// src/httpClient.ts
+var https2 = __toESM(require("https"));
+
 // node_modules/tough-cookie/dist/index.js
 var import_tldts = __toESM(require_cjs(), 1);
 function pathMatch(reqPath, cookiePath) {
@@ -24215,10 +24218,10 @@ var safeToStringImpl = (val, seenArrays = /* @__PURE__ */ new WeakSet()) => {
 var safeToString = (val) => safeToStringImpl(val);
 function createPromiseCallback(cb) {
   let callback;
-  let resolve6;
+  let resolve9;
   let reject;
   const promise = new Promise((_resolve, _reject) => {
-    resolve6 = _resolve;
+    resolve9 = _resolve;
     reject = _reject;
   });
   if (typeof cb === "function") {
@@ -24234,7 +24237,7 @@ function createPromiseCallback(cb) {
     callback = (err, result) => {
       try {
         if (err) reject(err);
-        else resolve6(result);
+        else resolve9(result);
       } catch (e) {
         reject(e instanceof Error ? e : new Error());
       }
@@ -24268,18 +24271,18 @@ var MemoryCookieStore = class extends Store {
   /**
    * @internal No doc because this is an overload that supports the implementation
    */
-  findCookie(domain, path6, key, callback) {
+  findCookie(domain, path10, key, callback) {
     const promiseCallback = createPromiseCallback(callback);
-    if (domain == null || path6 == null || key == null) {
+    if (domain == null || path10 == null || key == null) {
       return promiseCallback.resolve(void 0);
     }
-    const result = this.idx[domain]?.[path6]?.[key];
+    const result = this.idx[domain]?.[path10]?.[key];
     return promiseCallback.resolve(result);
   }
   /**
    * @internal No doc because this is an overload that supports the implementation
    */
-  findCookies(domain, path6, allowSpecialUseDomain = false, callback) {
+  findCookies(domain, path10, allowSpecialUseDomain = false, callback) {
     if (typeof allowSpecialUseDomain === "function") {
       callback = allowSpecialUseDomain;
       allowSpecialUseDomain = true;
@@ -24290,7 +24293,7 @@ var MemoryCookieStore = class extends Store {
       return promiseCallback.resolve([]);
     }
     let pathMatcher;
-    if (!path6) {
+    if (!path10) {
       pathMatcher = function matchAll2(domainIndex) {
         for (const curPath in domainIndex) {
           const pathIndex = domainIndex[curPath];
@@ -24305,7 +24308,7 @@ var MemoryCookieStore = class extends Store {
     } else {
       pathMatcher = function matchRFC(domainIndex) {
         for (const cookiePath in domainIndex) {
-          if (pathMatch(path6, cookiePath)) {
+          if (pathMatch(path10, cookiePath)) {
             const pathIndex = domainIndex[cookiePath];
             for (const key in pathIndex) {
               const value = pathIndex[key];
@@ -24333,14 +24336,14 @@ var MemoryCookieStore = class extends Store {
    */
   putCookie(cookie, callback) {
     const promiseCallback = createPromiseCallback(callback);
-    const { domain, path: path6, key } = cookie;
-    if (domain == null || path6 == null || key == null) {
+    const { domain, path: path10, key } = cookie;
+    if (domain == null || path10 == null || key == null) {
       return promiseCallback.resolve(void 0);
     }
     const domainEntry = this.idx[domain] ?? /* @__PURE__ */ Object.create(null);
     this.idx[domain] = domainEntry;
-    const pathEntry = domainEntry[path6] ?? /* @__PURE__ */ Object.create(null);
-    domainEntry[path6] = pathEntry;
+    const pathEntry = domainEntry[path10] ?? /* @__PURE__ */ Object.create(null);
+    domainEntry[path10] = pathEntry;
     pathEntry[key] = cookie;
     return promiseCallback.resolve(void 0);
   }
@@ -24354,20 +24357,20 @@ var MemoryCookieStore = class extends Store {
   /**
    * @internal No doc because this is an overload that supports the implementation
    */
-  removeCookie(domain, path6, key, callback) {
+  removeCookie(domain, path10, key, callback) {
     const promiseCallback = createPromiseCallback(callback);
-    delete this.idx[domain]?.[path6]?.[key];
+    delete this.idx[domain]?.[path10]?.[key];
     return promiseCallback.resolve(void 0);
   }
   /**
    * @internal No doc because this is an overload that supports the implementation
    */
-  removeCookies(domain, path6, callback) {
+  removeCookies(domain, path10, callback) {
     const promiseCallback = createPromiseCallback(callback);
     const domainEntry = this.idx[domain];
     if (domainEntry) {
-      if (path6) {
-        delete domainEntry[path6];
+      if (path10) {
+        delete domainEntry[path10];
       } else {
         delete this.idx[domain];
       }
@@ -24393,8 +24396,8 @@ var MemoryCookieStore = class extends Store {
     domains.forEach((domain) => {
       const domainEntry = idx[domain] ?? {};
       const paths = Object.keys(domainEntry);
-      paths.forEach((path6) => {
-        const pathEntry = domainEntry[path6] ?? {};
+      paths.forEach((path10) => {
+        const pathEntry = domainEntry[path10] ?? {};
         const keys = Object.keys(pathEntry);
         keys.forEach((key) => {
           const keyEntry = pathEntry[key];
@@ -25278,18 +25281,18 @@ function cookieCompare(a, b) {
   cmp = (a.creationIndex || 0) - (b.creationIndex || 0);
   return cmp;
 }
-function defaultPath(path6) {
-  if (!path6 || path6.slice(0, 1) !== "/") {
+function defaultPath(path10) {
+  if (!path10 || path10.slice(0, 1) !== "/") {
     return "/";
   }
-  if (path6 === "/") {
-    return path6;
+  if (path10 === "/") {
+    return path10;
   }
-  const rightSlash = path6.lastIndexOf("/");
+  const rightSlash = path10.lastIndexOf("/");
   if (rightSlash === 0) {
     return "/";
   }
-  return path6.slice(0, rightSlash);
+  return path10.slice(0, rightSlash);
 }
 var IP_REGEX_LOWERCASE = /(?:^(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}$)|(?:^(?:(?:[a-f\d]{1,4}:){7}(?:[a-f\d]{1,4}|:)|(?:[a-f\d]{1,4}:){6}(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|:[a-f\d]{1,4}|:)|(?:[a-f\d]{1,4}:){5}(?::(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,2}|:)|(?:[a-f\d]{1,4}:){4}(?:(?::[a-f\d]{1,4}){0,1}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,3}|:)|(?:[a-f\d]{1,4}:){3}(?:(?::[a-f\d]{1,4}){0,2}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,4}|:)|(?:[a-f\d]{1,4}:){2}(?:(?::[a-f\d]{1,4}){0,3}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,5}|:)|(?:[a-f\d]{1,4}:){1}(?:(?::[a-f\d]{1,4}){0,4}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,6}|:)|(?::(?:(?::[a-f\d]{1,4}){0,5}:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)){3}|(?::[a-f\d]{1,4}){1,7}|:)))$)/;
 function domainMatch(domain, cookieDomain, canonicalize) {
@@ -25691,7 +25694,7 @@ var CookieJar = class _CookieJar {
       return promiseCallback.reject(parameterError);
     }
     const host = canonicalDomain(context.hostname);
-    const path6 = context.pathname || "/";
+    const path10 = context.pathname || "/";
     const potentiallyTrustworthy = isPotentiallyTrustworthy(
       url2,
       this.allowSecureOnLocal
@@ -25722,7 +25725,7 @@ var CookieJar = class _CookieJar {
           return false;
         }
       }
-      if (!allPaths && typeof c.path === "string" && !pathMatch(path6, c.path)) {
+      if (!allPaths && typeof c.path === "string" && !pathMatch(path10, c.path)) {
         return false;
       }
       if (c.secure && !potentiallyTrustworthy) {
@@ -25754,7 +25757,7 @@ var CookieJar = class _CookieJar {
     }
     store.findCookies(
       host,
-      allPaths ? null : path6,
+      allPaths ? null : path10,
       this.allowSpecialUseDomain,
       (err, cookies) => {
         if (err) {
@@ -26231,8 +26234,21 @@ function isNornError(error) {
   return error instanceof NornError;
 }
 
+// src/httpRuntimeOptions.ts
+var verifyTlsCertificates = true;
+function setVerifyTlsCertificates(enabled) {
+  verifyTlsCertificates = enabled;
+}
+function getVerifyTlsCertificates() {
+  return verifyTlsCertificates;
+}
+
 // src/httpClient.ts
 var sharedCookieJar = new CookieJar();
+var insecureHttpsAgent = new https2.Agent({ rejectUnauthorized: false });
+function getHttpsAgent() {
+  return getVerifyTlsCertificates() ? void 0 : insecureHttpsAgent;
+}
 function createCookieJar() {
   return new CookieJar();
 }
@@ -26253,7 +26269,7 @@ async function sendRequest(request, retryOptions) {
   return sendRequestWithJar(request, sharedCookieJar, retryOptions);
 }
 function sleep(ms) {
-  return new Promise((resolve6) => setTimeout(resolve6, ms));
+  return new Promise((resolve9) => setTimeout(resolve9, ms));
 }
 function shouldRetry(response, error) {
   if (error) return true;
@@ -26328,11 +26344,13 @@ async function sendRequestWithJar(request, jar, retryOptions) {
         const response = await axios_default({
           method: currentMethod,
           url: currentUrl,
+          adapter: "http",
           headers,
           data,
           timeout: 3e4,
           maxRedirects: 0,
-          validateStatus: () => true
+          validateStatus: () => true,
+          httpsAgent: getHttpsAgent()
         });
         const setCookieHeader = response.headers["set-cookie"];
         if (setCookieHeader) {
@@ -26448,8 +26466,8 @@ var pwshAvailable = null;
 function stripAnsiCodes(str) {
   return str.replace(/\x1B(?:\[[0-9;]*[a-zA-Z]|\][^\x07]*(?:\x07|\x1B\\)|[a-zA-Z])/g, "");
 }
-function tryParsePowerShellOutput(output) {
-  const lines = output.split("\n").map((l) => l.trimEnd());
+function tryParsePowerShellOutput(output2) {
+  const lines = output2.split("\n").map((l) => l.trimEnd());
   const nonEmptyLines = lines.filter((l) => l.trim() !== "");
   if (nonEmptyLines.length === 0) {
     return null;
@@ -26543,8 +26561,8 @@ function parseValue(str) {
   }
   return str;
 }
-function cleanScriptOutput(output) {
-  let cleaned = stripAnsiCodes(output).trim();
+function cleanScriptOutput(output2) {
+  let cleaned = stripAnsiCodes(output2).trim();
   if (cleaned.startsWith("{") && cleaned.endsWith("}") || cleaned.startsWith("[") && cleaned.endsWith("]")) {
     try {
       const parsed = JSON.parse(cleaned);
@@ -26664,7 +26682,7 @@ async function runScript(type, scriptPath, args, workingDir, variables = {}, cap
         captureVar
       };
   }
-  return new Promise((resolve6) => {
+  return new Promise((resolve9) => {
     const env3 = {
       ...process.env,
       // Pass variables as environment variables with NORN_ prefix
@@ -26688,7 +26706,7 @@ async function runScript(type, scriptPath, args, workingDir, variables = {}, cap
       stderr += data.toString();
     });
     child.on("error", (err) => {
-      resolve6({
+      resolve9({
         success: false,
         output: cleanScriptOutput(stdout),
         error: `Failed to execute script: ${err.message}`,
@@ -26702,7 +26720,7 @@ async function runScript(type, scriptPath, args, workingDir, variables = {}, cap
     child.on("close", (code) => {
       const exitCode = code ?? 0;
       const cleanedOutput = cleanScriptOutput(stdout);
-      resolve6({
+      resolve9({
         success: exitCode === 0,
         output: cleanedOutput,
         error: stderr.trim(),
@@ -26767,11 +26785,11 @@ function readJsonFile(filePath, workingDir) {
     };
   }
 }
-function setNestedValue(obj, path6, value) {
-  if (!path6 || obj === null || obj === void 0 || typeof obj !== "object") {
+function setNestedValue(obj, path10, value) {
+  if (!path10 || obj === null || obj === void 0 || typeof obj !== "object") {
     return false;
   }
-  const parts = path6.replace(/\[(\d+)\]/g, ".$1").split(".").filter((p) => p !== "");
+  const parts = path10.replace(/\[(\d+)\]/g, ".$1").split(".").filter((p) => p !== "");
   if (parts.length === 0) {
     return false;
   }
@@ -27273,8 +27291,8 @@ function bindSequenceArguments(params, args, runtimeVariables) {
   }
   return { variables: result };
 }
-function getVariableValueByPath(path6, variables) {
-  const parts = path6.split(".");
+function getVariableValueByPath(path10, variables) {
+  const parts = path10.split(".");
   let current = variables;
   for (const part of parts) {
     if (current === null || current === void 0) {
@@ -27639,8 +27657,8 @@ function evaluateValueExpression(expr, runtimeVariables) {
     } else {
       return { value: String(varValue), error: `Cannot access path on non-object value` };
     }
-    const path6 = pathPart.replace(/^\./, "").replace(/\[(\d+)\]/g, ".$1");
-    const parts = path6.split(".").filter((p) => p !== "");
+    const path10 = pathPart.replace(/^\./, "").replace(/\[(\d+)\]/g, ".$1");
+    const parts = path10.split(".").filter((p) => p !== "");
     let current = dataToNavigate;
     for (const part of parts) {
       if (current === null || current === void 0) {
@@ -27719,8 +27737,8 @@ function resolveBareVariables(text, variables) {
     if (varName in variables) {
       const value = variables[varName];
       if (pathPart) {
-        const path6 = pathPart.replace(/^\./, "");
-        const nestedValue = getNestedValueFromObject(value, path6);
+        const path10 = pathPart.replace(/^\./, "");
+        const nestedValue = getNestedValueFromObject(value, path10);
         return valueToString2(nestedValue);
       }
       return valueToString2(value);
@@ -27740,8 +27758,8 @@ function resolveBareVariables(text, variables) {
         if (varName in variables) {
           const value = variables[varName];
           if (pathPart) {
-            const path6 = pathPart.replace(/^\./, "");
-            return valueToString2(getNestedValueFromObject(value, path6));
+            const path10 = pathPart.replace(/^\./, "");
+            return valueToString2(getNestedValueFromObject(value, path10));
           }
           return valueToString2(value);
         }
@@ -27778,11 +27796,11 @@ function splitExpressionParts(expr) {
   }
   return parts;
 }
-function getNestedValueFromObject(obj, path6) {
-  if (!path6) {
+function getNestedValueFromObject(obj, path10) {
+  if (!path10) {
     return obj;
   }
-  const parts = path6.split(/\.|\[(\d+)\]/).filter((p) => p !== "" && p !== void 0);
+  const parts = path10.split(/\.|\[(\d+)\]/).filter((p) => p !== "" && p !== void 0);
   let current = obj;
   for (const part of parts) {
     if (current === null || current === void 0) {
@@ -27805,7 +27823,7 @@ function valueToString2(value) {
   return String(value);
 }
 function sleep2(ms) {
-  return new Promise((resolve6) => setTimeout(resolve6, ms));
+  return new Promise((resolve9) => setTimeout(resolve9, ms));
 }
 function isIfCommand(line2) {
   return /^if\s+.+$/i.test(line2.trim());
@@ -28127,24 +28145,24 @@ function extractCaptureDirectives(content) {
   for (const line2 of content.split("\n")) {
     const match = line2.trim().match(captureRegex);
     if (match) {
-      let path6 = match[3] || "";
-      if (path6.startsWith(".")) {
-        path6 = path6.substring(1);
+      let path10 = match[3] || "";
+      if (path10.startsWith(".")) {
+        path10 = path10.substring(1);
       }
       captures.push({
         varName: match[1],
         afterRequest: parseInt(match[2], 10),
-        path: path6
+        path: path10
       });
     }
   }
   return captures;
 }
-function getValueByPath(response, path6) {
-  if (!path6) {
+function getValueByPath(response, path10) {
+  if (!path10) {
     return void 0;
   }
-  const parts = path6.replace(/\[(\d+)\]/g, ".$1").split(".").filter((p) => p !== "");
+  const parts = path10.replace(/\[(\d+)\]/g, ".$1").split(".").filter((p) => p !== "");
   if (parts.length === 0) {
     return void 0;
   }
@@ -28448,8 +28466,8 @@ async function runSequenceWithJar(sequenceContent, fileVariables, cookieJar, wor
           }
         }
         if (pathPart) {
-          const path6 = pathPart.replace(/^\./, "");
-          newValue = getNestedValueFromObject(value, path6);
+          const path10 = pathPart.replace(/^\./, "");
+          newValue = getNestedValueFromObject(value, path10);
         } else {
           newValue = value;
         }
@@ -28811,8 +28829,8 @@ ${indentMultiline(userMessage)}`;
         if (sequenceSources) {
           const sourceFile = sequenceSources.get(targetName.toLowerCase());
           if (sourceFile) {
-            const path6 = await import("path");
-            subWorkingDir = path6.dirname(sourceFile);
+            const path10 = await import("path");
+            subWorkingDir = path10.dirname(sourceFile);
           }
         }
         const subResult = await runSequenceWithJar(
@@ -29073,12 +29091,14 @@ ${indentMultiline(userMessage)}`;
           } : void 0;
           const response = cookieJar ? await sendRequestWithJar(requestParsed, cookieJar, retryOpts) : await sendRequest(requestParsed, retryOpts);
           addResponse(response);
+          responseIndexToVariable.set(responses.length, varName);
           const stepResult = {
             type: "request",
             stepIndex: stepIdx,
             response,
             requestMethod: requestParsed.method,
-            requestUrl: requestParsed.url
+            requestUrl: requestParsed.url,
+            variableName: varName
           };
           orderedSteps.push(stepResult);
           reportProgress(stepIdx, "namedRequest", `var ${varName} = run ${sequenceName} \u2192 ${requestParsed.method} ${requestParsed.url}`, stepResult);
@@ -29165,8 +29185,8 @@ ${indentMultiline(userMessage)}`;
       if (sequenceSources) {
         const sourceFile = sequenceSources.get(sequenceName.toLowerCase());
         if (sourceFile) {
-          const path6 = await import("path");
-          subWorkingDir = path6.dirname(sourceFile);
+          const path10 = await import("path");
+          subWorkingDir = path10.dirname(sourceFile);
         }
       }
       const subResult = await runSequenceWithJar(
@@ -30571,14 +30591,238 @@ function generateHtmlReportFromResponse(response, testName, options) {
 }
 
 // src/environmentParser.ts
+var fs7 = __toESM(require("fs"));
+var path6 = __toESM(require("path"));
+
+// src/secrets/crypto.ts
+var crypto2 = __toESM(require("crypto"));
+var ENCRYPTED_SECRET_PREFIX = "ENC[";
+var ENCRYPTED_SECRET_SUFFIX = "]";
+var ENCRYPTED_SECRET_VERSION = "NORN_AGE_V1";
+var encryptedSecretRegex = /^ENC\[([A-Z0-9_]+):kid=([a-zA-Z0-9._-]+):([A-Za-z0-9_-]+)\]$/;
+function deriveEncryptionKey(sharedKey) {
+  return crypto2.createHash("sha256").update(sharedKey, "utf8").digest();
+}
+function generateSharedSecretKey() {
+  return crypto2.randomBytes(32).toString("base64url");
+}
+function isEncryptedSecretValue(value) {
+  return value.trim().startsWith(ENCRYPTED_SECRET_PREFIX) && value.trim().endsWith(ENCRYPTED_SECRET_SUFFIX);
+}
+function parseEncryptedSecretValue(value) {
+  const trimmed = value.trim();
+  const match = trimmed.match(encryptedSecretRegex);
+  if (!match) {
+    return {
+      ok: false,
+      error: `Invalid encrypted secret format. Expected: ENC[${ENCRYPTED_SECRET_VERSION}:kid=<id>:<payload>]`
+    };
+  }
+  return {
+    ok: true,
+    parsed: {
+      version: match[1],
+      kid: match[2],
+      payload: match[3]
+    }
+  };
+}
+function encryptSecretValue(plaintext, sharedKey, kid) {
+  const key = deriveEncryptionKey(sharedKey);
+  const iv = crypto2.randomBytes(12);
+  const cipher = crypto2.createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const payload = Buffer.concat([iv, authTag, ciphertext]).toString("base64url");
+  return `ENC[${ENCRYPTED_SECRET_VERSION}:kid=${kid}:${payload}]`;
+}
+function decryptSecretValue(encryptedValue, sharedKey) {
+  const parsedResult = parseEncryptedSecretValue(encryptedValue);
+  if (!parsedResult.ok) {
+    throw new Error(parsedResult.error);
+  }
+  const { version: version2, payload } = parsedResult.parsed;
+  if (version2 !== ENCRYPTED_SECRET_VERSION) {
+    throw new Error(`Unsupported encrypted secret version '${version2}'. Expected '${ENCRYPTED_SECRET_VERSION}'.`);
+  }
+  const raw = Buffer.from(payload, "base64url");
+  if (raw.length < 28) {
+    throw new Error("Encrypted payload is too short.");
+  }
+  const iv = raw.subarray(0, 12);
+  const authTag = raw.subarray(12, 28);
+  const ciphertext = raw.subarray(28);
+  const key = deriveEncryptionKey(sharedKey);
+  const decipher = crypto2.createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(authTag);
+  const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  return decrypted.toString("utf8");
+}
+
+// src/secrets/keyStore.ts
+var fs6 = __toESM(require("fs"));
+var path5 = __toESM(require("path"));
+
+// src/cacheDir.ts
 var fs5 = __toESM(require("fs"));
 var path4 = __toESM(require("path"));
+var NORN_CACHE_DIR = ".norn-cache";
+var CACHE_GITIGNORE_FILE = ".gitignore";
+var CACHE_GITIGNORE_CONTENT = "*\n";
+function ensureNornCacheGitignore(cacheDir) {
+  const gitignorePath = path4.join(cacheDir, CACHE_GITIGNORE_FILE);
+  try {
+    const hasDesiredContent = fs5.existsSync(gitignorePath) && fs5.readFileSync(gitignorePath, "utf8") === CACHE_GITIGNORE_CONTENT;
+    if (hasDesiredContent) {
+      return;
+    }
+    fs5.writeFileSync(gitignorePath, CACHE_GITIGNORE_CONTENT, "utf8");
+  } catch {
+  }
+}
+
+// src/secrets/keyStore.ts
+var CACHE_FILE = "secret-keys.json";
+var CACHE_VERSION = 1;
+var sessionKeys = /* @__PURE__ */ new Map();
+function getSearchStartDirectory(targetPath) {
+  const resolvedPath = path5.resolve(targetPath);
+  try {
+    const stats = fs6.statSync(resolvedPath);
+    return stats.isDirectory() ? resolvedPath : path5.dirname(resolvedPath);
+  } catch {
+    return path5.dirname(resolvedPath);
+  }
+}
+function findExistingCacheDir(targetPath) {
+  let dir = getSearchStartDirectory(targetPath);
+  while (true) {
+    const cacheDir = path5.join(dir, NORN_CACHE_DIR);
+    if (fs6.existsSync(cacheDir) && fs6.statSync(cacheDir).isDirectory()) {
+      return cacheDir;
+    }
+    const parent = path5.dirname(dir);
+    if (parent === dir) {
+      return void 0;
+    }
+    dir = parent;
+  }
+}
+function ensureCacheDir(targetPath) {
+  const existing = findExistingCacheDir(targetPath);
+  const cacheDir = existing ?? path5.join(getSearchStartDirectory(targetPath), NORN_CACHE_DIR);
+  if (!fs6.existsSync(cacheDir)) {
+    fs6.mkdirSync(cacheDir, { recursive: true });
+  }
+  ensureNornCacheGitignore(cacheDir);
+  return cacheDir;
+}
+function getCachePath(targetPath) {
+  const cacheDir = ensureCacheDir(targetPath);
+  return path5.join(cacheDir, CACHE_FILE);
+}
+function readCache(targetPath) {
+  const cachePath = getCachePath(targetPath);
+  if (!fs6.existsSync(cachePath)) {
+    return { version: CACHE_VERSION, keys: {} };
+  }
+  try {
+    const parsed = JSON.parse(fs6.readFileSync(cachePath, "utf8"));
+    if (parsed.version !== CACHE_VERSION || typeof parsed.keys !== "object" || parsed.keys === null) {
+      return { version: CACHE_VERSION, keys: {} };
+    }
+    return parsed;
+  } catch {
+    return { version: CACHE_VERSION, keys: {} };
+  }
+}
+function writeCache(targetPath, cache) {
+  const cachePath = getCachePath(targetPath);
+  fs6.writeFileSync(cachePath, JSON.stringify(cache, null, 2), { encoding: "utf8", mode: 384 });
+  try {
+    fs6.chmodSync(cachePath, 384);
+  } catch {
+  }
+}
+function kidToEnvVarSuffix(kid) {
+  return kid.replace(/[^a-zA-Z0-9]/g, "_").toUpperCase();
+}
+function getEnvMappedKeys() {
+  const raw = process.env.NORN_SECRET_KEYS;
+  if (!raw) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    const mapped = {};
+    for (const [key, value] of Object.entries(parsed)) {
+      if (typeof value === "string" && value.trim() !== "") {
+        mapped[key] = value;
+      }
+    }
+    return mapped;
+  } catch {
+    return {};
+  }
+}
+function resolveSecretKey(kid, targetPath) {
+  const sessionValue = sessionKeys.get(kid);
+  if (sessionValue) {
+    return sessionValue;
+  }
+  const mapped = getEnvMappedKeys();
+  if (mapped[kid]) {
+    return mapped[kid];
+  }
+  const specific = process.env[`NORN_SECRET_KEY_${kidToEnvVarSuffix(kid)}`];
+  if (specific && specific.trim() !== "") {
+    return specific;
+  }
+  const cache = readCache(targetPath);
+  const cached = cache.keys[kid]?.value;
+  if (cached && cached.trim() !== "") {
+    return cached;
+  }
+  const fallback = process.env.NORN_SECRET_KEY;
+  if (fallback && fallback.trim() !== "") {
+    return fallback;
+  }
+  return void 0;
+}
+function setSessionSecretKey(kid, key) {
+  sessionKeys.set(kid, key);
+}
+function saveSecretKeyToCache(kid, key, targetPath) {
+  const cache = readCache(targetPath);
+  cache.keys[kid] = {
+    value: key,
+    updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  writeCache(targetPath, cache);
+  setSessionSecretKey(kid, key);
+}
+function removeSecretKeyFromCache(kid, targetPath) {
+  const cache = readCache(targetPath);
+  if (!cache.keys[kid]) {
+    return false;
+  }
+  delete cache.keys[kid];
+  writeCache(targetPath, cache);
+  sessionKeys.delete(kid);
+  return true;
+}
+function listCachedSecretKeyIds(targetPath) {
+  const cache = readCache(targetPath);
+  return Object.keys(cache.keys).sort();
+}
+
+// src/environmentParser.ts
 var ENV_FILENAME = ".nornenv";
 var importRegex = /^import\s+["']?(.+?)["']?\s*$/;
 var envRegex = /^\[env:([a-zA-Z_][a-zA-Z0-9_-]*)\]$/;
 var varRegex = /^var\s+([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.+)$/;
 var secretRegex = /^secret\s+([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.+)$/;
-function parseEnvFile(content) {
+function parseEnvFile(content, sourceFilePath) {
   const lines = content.split("\n");
   const config = {
     common: {},
@@ -30586,7 +30830,8 @@ function parseEnvFile(content) {
     secretNames: /* @__PURE__ */ new Set(),
     secretValues: /* @__PURE__ */ new Map(),
     imports: [],
-    misplacedImports: []
+    misplacedImports: [],
+    secretDeclarations: []
   };
   let currentEnv = null;
   let seenContent = false;
@@ -30621,6 +30866,13 @@ function parseEnvFile(content) {
     if (secretMatch) {
       const varName = secretMatch[1];
       const varValue = secretMatch[2].trim();
+      config.secretDeclarations.push({
+        name: varName,
+        value: varValue,
+        envName: currentEnv?.name,
+        lineNumber: i,
+        filePath: sourceFilePath
+      });
       config.secretNames.add(varName);
       config.secretValues.set(varName, varValue);
       if (currentEnv) {
@@ -30644,22 +30896,22 @@ function parseEnvFile(content) {
   return config;
 }
 function getEnvSearchStartDirectory(targetPath) {
-  const resolvedPath = path4.resolve(targetPath);
+  const resolvedPath = path6.resolve(targetPath);
   try {
-    const stats = fs5.statSync(resolvedPath);
-    return stats.isDirectory() ? resolvedPath : path4.dirname(resolvedPath);
+    const stats = fs7.statSync(resolvedPath);
+    return stats.isDirectory() ? resolvedPath : path6.dirname(resolvedPath);
   } catch {
-    return path4.dirname(resolvedPath);
+    return path6.dirname(resolvedPath);
   }
 }
 function findEnvFileFromPath(filePath) {
   let dir = getEnvSearchStartDirectory(filePath);
   while (true) {
-    const envPath = path4.join(dir, ENV_FILENAME);
-    if (fs5.existsSync(envPath)) {
+    const envPath = path6.join(dir, ENV_FILENAME);
+    if (fs7.existsSync(envPath)) {
       return envPath;
     }
-    const parentDir = path4.dirname(dir);
+    const parentDir = path6.dirname(dir);
     if (parentDir === dir) {
       break;
     }
@@ -30669,6 +30921,7 @@ function findEnvFileFromPath(filePath) {
 }
 function resolveNornenvImports(config, baseDir, entryFilePath, readFile2, importStack, alreadyImported) {
   const errors = [];
+  const secretErrors = [];
   const resolvedPaths = [];
   const stack = importStack ?? [entryFilePath];
   const visited = alreadyImported ?? /* @__PURE__ */ new Set([entryFilePath]);
@@ -30683,7 +30936,7 @@ function resolveNornenvImports(config, baseDir, entryFilePath, readFile2, import
   }
   for (const imp of config.imports) {
     const resolvedImportPath = resolveImportPath(imp.path, baseDir);
-    if (!resolvedImportPath || !fs5.existsSync(resolvedImportPath)) {
+    if (!resolvedImportPath || !fs7.existsSync(resolvedImportPath)) {
       errors.push({
         message: `Imported file not found: '${imp.path}'`,
         filePath: entryFilePath,
@@ -30699,10 +30952,10 @@ function resolveNornenvImports(config, baseDir, entryFilePath, readFile2, import
       });
       continue;
     }
-    const normalizedPath = path4.resolve(resolvedImportPath);
+    const normalizedPath = path6.resolve(resolvedImportPath);
     if (stack.includes(normalizedPath)) {
-      const entryDir = path4.dirname(stack[0]);
-      const cycle = [...stack, normalizedPath].map((p) => path4.relative(entryDir, p) || path4.basename(p)).join(" \u2192 ");
+      const entryDir = path6.dirname(stack[0]);
+      const cycle = [...stack, normalizedPath].map((p) => path6.relative(entryDir, p) || path6.basename(p)).join(" \u2192 ");
       errors.push({
         message: `Circular import detected: ${cycle}`,
         filePath: entryFilePath,
@@ -30726,29 +30979,30 @@ function resolveNornenvImports(config, baseDir, entryFilePath, readFile2, import
       });
       continue;
     }
-    const importedConfig = parseEnvFile(importedContent);
+    const importedConfig = parseEnvFile(importedContent, normalizedPath);
     resolvedPaths.push(normalizedPath);
     if (importedConfig.imports.length > 0) {
       const childResult = resolveNornenvImports(
         importedConfig,
-        path4.dirname(normalizedPath),
+        path6.dirname(normalizedPath),
         normalizedPath,
         readFile2,
         [...stack, normalizedPath],
         visited
       );
       errors.push(...childResult.errors);
+      secretErrors.push(...childResult.secretErrors);
       resolvedPaths.push(...childResult.resolvedPaths);
       mergeConfigs(config, childResult.config, entryFilePath, normalizedPath, variableOrigins, errors);
     } else {
       mergeConfigs(config, importedConfig, entryFilePath, normalizedPath, variableOrigins, errors);
     }
   }
-  return { config, errors, resolvedPaths };
+  return { config, errors, secretErrors, resolvedPaths };
 }
 function resolveImportPath(importPath, baseDir) {
   const cleaned = importPath.replace(/^["']|["']$/g, "");
-  return path4.resolve(baseDir, cleaned);
+  return path6.resolve(baseDir, cleaned);
 }
 function registerVariableOrigins(config, filePath, origins) {
   for (const varName of Object.keys(config.common)) {
@@ -30807,31 +31061,578 @@ function mergeConfigs(target, source, targetFilePath, sourceFilePath, variableOr
   for (const [name, value] of source.secretValues) {
     target.secretValues.set(name, value);
   }
+  for (const declaration of source.secretDeclarations) {
+    target.secretDeclarations.push({ ...declaration, filePath: declaration.filePath ?? sourceFilePath });
+  }
 }
 function toDisplayPath(filePath, entryFilePath) {
-  const entryDir = path4.dirname(entryFilePath);
-  const relative3 = path4.relative(entryDir, filePath);
-  return relative3 && relative3 !== "" ? relative3 : path4.basename(filePath);
+  const entryDir = path6.dirname(entryFilePath);
+  const relative4 = path6.relative(entryDir, filePath);
+  return relative4 && relative4 !== "" ? relative4 : path6.basename(filePath);
 }
 function loadAndResolveEnvFile(filePath) {
-  const content = fs5.readFileSync(filePath, "utf-8");
-  const config = parseEnvFile(content);
+  const content = fs7.readFileSync(filePath, "utf-8");
+  const config = parseEnvFile(content, filePath);
   if (config.imports.length === 0) {
-    return { config, errors: [], resolvedPaths: [] };
+    const secretErrors = resolveEncryptedSecretValues(config, filePath);
+    return { config, errors: [], secretErrors, resolvedPaths: [] };
   }
-  return resolveNornenvImports(
+  const result = resolveNornenvImports(
     config,
-    path4.dirname(filePath),
+    path6.dirname(filePath),
     filePath,
-    (p) => fs5.readFileSync(p, "utf-8")
+    (p) => fs7.readFileSync(p, "utf-8")
   );
+  result.secretErrors.push(...resolveEncryptedSecretValues(result.config, filePath));
+  return result;
+}
+function resolveEncryptedSecretValues(config, entryFilePath) {
+  const errors = [];
+  for (const declaration of config.secretDeclarations) {
+    if (!isEncryptedSecretValue(declaration.value)) {
+      continue;
+    }
+    const parsed = parseEncryptedSecretValue(declaration.value);
+    const filePath = declaration.filePath ?? entryFilePath;
+    if (!parsed.ok) {
+      errors.push({
+        code: "invalid-format",
+        message: parsed.error,
+        filePath,
+        line: declaration.lineNumber,
+        variableName: declaration.name
+      });
+      continue;
+    }
+    const { kid } = parsed.parsed;
+    const key = resolveSecretKey(kid, filePath);
+    if (!key) {
+      errors.push({
+        code: "missing-key",
+        message: `Missing secret key for kid '${kid}'.`,
+        filePath,
+        line: declaration.lineNumber,
+        variableName: declaration.name,
+        kid
+      });
+      continue;
+    }
+    let plaintext;
+    try {
+      plaintext = decryptSecretValue(declaration.value, key);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      errors.push({
+        code: "decrypt-failed",
+        message: `Failed to decrypt secret '${declaration.name}' with kid '${kid}': ${message}`,
+        filePath,
+        line: declaration.lineNumber,
+        variableName: declaration.name,
+        kid
+      });
+      continue;
+    }
+    declaration.value = plaintext;
+    if (declaration.envName) {
+      const env3 = config.environments.find((e) => e.name === declaration.envName);
+      if (env3) {
+        env3.variables[declaration.name] = plaintext;
+      }
+    } else {
+      config.common[declaration.name] = plaintext;
+    }
+    config.secretValues.set(declaration.name, plaintext);
+  }
+  return errors;
+}
+
+// src/secrets/cliSecrets.ts
+var fs9 = __toESM(require("fs"));
+var path8 = __toESM(require("path"));
+var readline = __toESM(require("readline"));
+var import_process = require("process");
+
+// src/secrets/envFileSecrets.ts
+var fs8 = __toESM(require("fs"));
+var path7 = __toESM(require("path"));
+var envRegex2 = /^\s*\[env:([a-zA-Z_][a-zA-Z0-9_-]*)\]\s*$/;
+var secretRegex2 = /^(\s*secret\s+)([a-zA-Z_][a-zA-Z0-9_]*)(\s*=\s*)(.+)$/;
+function extractSecretLines(content, filePath) {
+  const lines = content.split("\n");
+  const secrets = [];
+  let currentEnv;
+  for (let i = 0; i < lines.length; i++) {
+    const line2 = lines[i];
+    const trimmed = line2.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      continue;
+    }
+    const envMatch = trimmed.match(envRegex2);
+    if (envMatch) {
+      currentEnv = envMatch[1];
+      continue;
+    }
+    const secretMatch = line2.match(secretRegex2);
+    if (!secretMatch) {
+      continue;
+    }
+    const value = secretMatch[4].trim();
+    const encrypted = isEncryptedSecretValue(value);
+    let kid;
+    if (encrypted) {
+      const parsed = parseEncryptedSecretValue(value);
+      if (parsed.ok) {
+        kid = parsed.parsed.kid;
+      }
+    }
+    secrets.push({
+      filePath,
+      lineNumber: i,
+      envName: currentEnv,
+      name: secretMatch[2],
+      value,
+      encrypted,
+      kid
+    });
+  }
+  return secrets;
+}
+function updateSecretLineValue(content, lineNumber, newValue) {
+  const lines = content.split("\n");
+  if (lineNumber < 0 || lineNumber >= lines.length) {
+    throw new Error(`Line ${lineNumber + 1} is out of range.`);
+  }
+  const line2 = lines[lineNumber];
+  const secretMatch = line2.match(secretRegex2);
+  if (!secretMatch) {
+    throw new Error(`Line ${lineNumber + 1} is not a secret declaration.`);
+  }
+  lines[lineNumber] = `${secretMatch[1]}${secretMatch[2]}${secretMatch[3]}${newValue}`;
+  return lines.join("\n");
+}
+function findSecretLine(content, variableName, envName) {
+  const secretLines = extractSecretLines(content);
+  if (envName !== void 0) {
+    return secretLines.find((secret) => secret.name === variableName && secret.envName === envName);
+  }
+  const commonMatch = secretLines.find((secret) => secret.name === variableName && secret.envName === void 0);
+  if (commonMatch) {
+    return commonMatch;
+  }
+  return secretLines.find((secret) => secret.name === variableName);
+}
+function loadSecretLine(filePath, variableName, envName) {
+  const content = fs8.readFileSync(filePath, "utf8");
+  const secret = findSecretLine(content, variableName, envName);
+  if (!secret) {
+    const envLabel = envName ? ` in [env:${envName}]` : "";
+    throw new Error(`Secret '${variableName}' not found${envLabel} in ${filePath}`);
+  }
+  return { content, secret };
+}
+function writeSecretLine(filePath, content) {
+  fs8.writeFileSync(filePath, content, "utf8");
+}
+function discoverNornenvFiles(targetPath) {
+  const resolved = path7.resolve(targetPath);
+  if (!fs8.existsSync(resolved)) {
+    return [];
+  }
+  const stats = fs8.statSync(resolved);
+  if (stats.isFile()) {
+    return path7.basename(resolved) === ".nornenv" ? [resolved] : [];
+  }
+  const results = [];
+  const walk = (dir) => {
+    const entries = fs8.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path7.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        if (entry.name === "node_modules" || entry.name === ".git" || entry.name === "dist" || entry.name === "out") {
+          continue;
+        }
+        walk(fullPath);
+        continue;
+      }
+      if (entry.isFile() && entry.name === ".nornenv") {
+        results.push(fullPath);
+      }
+    }
+  };
+  walk(resolved);
+  return results.sort();
+}
+
+// src/secrets/cliSecrets.ts
+function getFlagValue(args, flag, shortFlag) {
+  const longIndex = args.indexOf(flag);
+  if (longIndex >= 0 && longIndex + 1 < args.length) {
+    return args[longIndex + 1];
+  }
+  if (shortFlag) {
+    const shortIndex = args.indexOf(shortFlag);
+    if (shortIndex >= 0 && shortIndex + 1 < args.length) {
+      return args[shortIndex + 1];
+    }
+  }
+  return void 0;
+}
+async function promptLine(question) {
+  if (!process.stdin.isTTY) {
+    return void 0;
+  }
+  const rl = readline.createInterface({ input: import_process.stdin, output: import_process.stdout });
+  try {
+    const answer = await new Promise((resolve9) => {
+      rl.question(question, resolve9);
+    });
+    const trimmed = answer.trim();
+    return trimmed === "" ? void 0 : trimmed;
+  } finally {
+    rl.close();
+  }
+}
+function uniqueUnlockableKids(errors) {
+  const kids = /* @__PURE__ */ new Set();
+  for (const err of errors) {
+    if ((err.code === "missing-key" || err.code === "decrypt-failed") && err.kid) {
+      kids.add(err.kid);
+    }
+  }
+  return Array.from(kids).sort();
+}
+function formatSecretError(err, envFilePath) {
+  if (!envFilePath) {
+    return `${err.message}`;
+  }
+  const relative4 = path8.relative(path8.dirname(envFilePath), err.filePath);
+  const fileLabel = relative4 && relative4 !== "" ? relative4 : path8.basename(err.filePath);
+  const lineLabel = err.line >= 0 ? `${fileLabel}:${err.line + 1}` : fileLabel;
+  return `${lineLabel} - ${err.message}`;
+}
+async function ensureKeyForKid(kid, contextPath) {
+  const existing = resolveSecretKey(kid, contextPath);
+  if (existing) {
+    return existing;
+  }
+  const entered = await promptLine(`Enter shared key for kid '${kid}': `);
+  if (!entered) {
+    return void 0;
+  }
+  saveSecretKeyToCache(kid, entered, contextPath);
+  return entered;
+}
+async function ensureCliSecretsUnlocked(targetPath) {
+  const envFilePath = findEnvFileFromPath(targetPath);
+  if (!envFilePath) {
+    return { ok: true, errors: [] };
+  }
+  for (let attempt = 0; attempt < 5; attempt++) {
+    const result = loadAndResolveEnvFile(envFilePath);
+    const unlockableKids = uniqueUnlockableKids(result.secretErrors);
+    if (unlockableKids.length === 0) {
+      return { ok: result.secretErrors.length === 0, envFilePath, errors: result.secretErrors };
+    }
+    for (const kid of unlockableKids) {
+      const key = await ensureKeyForKid(kid, envFilePath);
+      if (!key) {
+        return { ok: false, envFilePath, errors: result.secretErrors };
+      }
+    }
+  }
+  const finalResult = loadAndResolveEnvFile(envFilePath);
+  return { ok: finalResult.secretErrors.length === 0, envFilePath, errors: finalResult.secretErrors };
+}
+function printSecretsHelp() {
+  console.log(`
+Norn Secrets Commands
+
+Usage:
+  norn secrets keygen --name <kid>
+  norn secrets import-key --kid <kid> [--key <value>]
+  norn secrets encrypt --file <.nornenv> --var <name> [--env <env>] [--kid <kid>]
+  norn secrets rotate --file <.nornenv> --var <name> [--env <env>] [--kid <kid>] [--value <plaintext>]
+  norn secrets rekey [path] [--kid <newKid>]
+  norn secrets audit [path]
+  norn secrets keys
+  norn secrets forget --kid <kid>
+
+Notes:
+  - Secrets are stored as ENC[NORN_AGE_V1:kid=<id>:<payload>] in .nornenv.
+  - Keys are cached locally in .norn-cache/secret-keys.json (gitignored).
+  - norn run auto-prompts once for missing kids when interactive.
+`);
+}
+async function handleKeygen(args) {
+  const kid = getFlagValue(args, "--name", "-n");
+  if (!kid) {
+    console.error(`Error: Missing --name for keygen.`);
+    return 1;
+  }
+  const key = generateSharedSecretKey();
+  saveSecretKeyToCache(kid, key, process.cwd());
+  console.log(`Generated shared key for kid '${kid}'.`);
+  console.log(`Store this key in your team vault now:`);
+  console.log(key);
+  console.log(`Saved to local cache for current workspace.`);
+  return 0;
+}
+async function handleImportKey(args) {
+  const kid = getFlagValue(args, "--kid", "-k");
+  if (!kid) {
+    console.error(`Error: Missing --kid for import-key.`);
+    return 1;
+  }
+  const directKey = getFlagValue(args, "--key");
+  const key = directKey ?? await promptLine(`Enter shared key for kid '${kid}': `);
+  if (!key) {
+    console.error(`Error: No key provided.`);
+    return 1;
+  }
+  saveSecretKeyToCache(kid, key, process.cwd());
+  console.log(`Saved key for kid '${kid}' to local cache.`);
+  return 0;
+}
+async function handleEncrypt(args) {
+  const filePath = getFlagValue(args, "--file", "-f");
+  const variableName = getFlagValue(args, "--var");
+  const envName = getFlagValue(args, "--env");
+  const explicitKid = getFlagValue(args, "--kid");
+  if (!filePath || !variableName) {
+    console.error(`Error: encrypt requires --file and --var.`);
+    return 1;
+  }
+  const absoluteFilePath = path8.resolve(filePath);
+  const { content, secret } = loadSecretLine(absoluteFilePath, variableName, envName);
+  if (secret.encrypted) {
+    console.error(`Error: Secret '${variableName}' is already encrypted. Use rotate instead.`);
+    return 1;
+  }
+  const kid = explicitKid;
+  if (!kid) {
+    console.error(`Error: --kid is required when encrypting plaintext secret '${variableName}'.`);
+    return 1;
+  }
+  const key = await ensureKeyForKid(kid, absoluteFilePath);
+  if (!key) {
+    console.error(`Error: Missing key for kid '${kid}'.`);
+    return 1;
+  }
+  const encryptedValue = encryptSecretValue(secret.value, key, kid);
+  const updatedContent = updateSecretLineValue(content, secret.lineNumber, encryptedValue);
+  writeSecretLine(absoluteFilePath, updatedContent);
+  console.log(`Encrypted secret '${variableName}' in ${absoluteFilePath}:${secret.lineNumber + 1}`);
+  return 0;
+}
+async function handleRotate(args) {
+  const filePath = getFlagValue(args, "--file", "-f");
+  const variableName = getFlagValue(args, "--var");
+  const envName = getFlagValue(args, "--env");
+  const explicitKid = getFlagValue(args, "--kid");
+  const explicitValue = getFlagValue(args, "--value");
+  if (!filePath || !variableName) {
+    console.error(`Error: rotate requires --file and --var.`);
+    return 1;
+  }
+  const absoluteFilePath = path8.resolve(filePath);
+  const { content, secret } = loadSecretLine(absoluteFilePath, variableName, envName);
+  let kid = explicitKid;
+  if (!kid && secret.encrypted) {
+    const parsed = parseEncryptedSecretValue(secret.value);
+    if (parsed.ok) {
+      kid = parsed.parsed.kid;
+    }
+  }
+  if (!kid) {
+    console.error(`Error: Could not determine kid for '${variableName}'. Pass --kid.`);
+    return 1;
+  }
+  const nextPlaintext = explicitValue ?? await promptLine(`Enter new plaintext value for '${variableName}': `);
+  if (nextPlaintext === void 0) {
+    console.error(`Error: No replacement value provided.`);
+    return 1;
+  }
+  const key = await ensureKeyForKid(kid, absoluteFilePath);
+  if (!key) {
+    console.error(`Error: Missing key for kid '${kid}'.`);
+    return 1;
+  }
+  const encryptedValue = encryptSecretValue(nextPlaintext, key, kid);
+  const updatedContent = updateSecretLineValue(content, secret.lineNumber, encryptedValue);
+  writeSecretLine(absoluteFilePath, updatedContent);
+  console.log(`Rotated secret '${variableName}' in ${absoluteFilePath}:${secret.lineNumber + 1}`);
+  return 0;
+}
+async function handleRekey(args) {
+  const positional = args.filter((arg) => !arg.startsWith("-"));
+  const targetPath = positional[0] ? path8.resolve(positional[0]) : process.cwd();
+  const targetKid = getFlagValue(args, "--kid");
+  const files = discoverNornenvFiles(targetPath);
+  if (files.length === 0) {
+    console.log(`No .nornenv files found under ${targetPath}`);
+    return 0;
+  }
+  let updatedFiles = 0;
+  let updatedSecrets = 0;
+  for (const filePath of files) {
+    const original = fs9.readFileSync(filePath, "utf8");
+    const secretLines = extractSecretLines(original, filePath);
+    if (secretLines.length === 0) {
+      continue;
+    }
+    const replacements = /* @__PURE__ */ new Map();
+    for (const secret of secretLines) {
+      if (!secret.encrypted) {
+        continue;
+      }
+      const parsed = parseEncryptedSecretValue(secret.value);
+      if (!parsed.ok) {
+        console.error(`Skipping malformed secret at ${filePath}:${secret.lineNumber + 1}: ${parsed.error}`);
+        continue;
+      }
+      const sourceKid = parsed.parsed.kid;
+      const decryptKey = await ensureKeyForKid(sourceKid, filePath);
+      if (!decryptKey) {
+        console.error(`Missing key for source kid '${sourceKid}' (${filePath}:${secret.lineNumber + 1})`);
+        return 1;
+      }
+      let plaintext;
+      try {
+        plaintext = decryptSecretValue(secret.value, decryptKey);
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Failed to decrypt ${filePath}:${secret.lineNumber + 1} (${sourceKid}): ${message}`);
+        return 1;
+      }
+      const destinationKid = targetKid ?? sourceKid;
+      const encryptKey = destinationKid === sourceKid ? decryptKey : await ensureKeyForKid(destinationKid, filePath);
+      if (!encryptKey) {
+        console.error(`Missing key for destination kid '${destinationKid}'`);
+        return 1;
+      }
+      replacements.set(secret.lineNumber, encryptSecretValue(plaintext, encryptKey, destinationKid));
+    }
+    if (replacements.size === 0) {
+      continue;
+    }
+    let updated = original;
+    const orderedLines = Array.from(replacements.keys()).sort((a, b) => a - b);
+    for (const lineNumber of orderedLines) {
+      const value = replacements.get(lineNumber);
+      if (!value) {
+        continue;
+      }
+      updated = updateSecretLineValue(updated, lineNumber, value);
+      updatedSecrets += 1;
+    }
+    if (updated !== original) {
+      fs9.writeFileSync(filePath, updated, "utf8");
+      updatedFiles += 1;
+    }
+  }
+  console.log(`Rekey complete. Updated ${updatedSecrets} secrets across ${updatedFiles} file(s).`);
+  return 0;
+}
+async function handleAudit(args) {
+  const positional = args.filter((arg) => !arg.startsWith("-"));
+  const targetPath = positional[0] ? path8.resolve(positional[0]) : process.cwd();
+  const files = discoverNornenvFiles(targetPath);
+  if (files.length === 0) {
+    console.log(`No .nornenv files found under ${targetPath}`);
+    return 0;
+  }
+  const issues = [];
+  for (const filePath of files) {
+    const content = fs9.readFileSync(filePath, "utf8");
+    const secrets = extractSecretLines(content, filePath);
+    for (const secret of secrets) {
+      if (!secret.encrypted) {
+        issues.push(`${filePath}:${secret.lineNumber + 1} secret '${secret.name}' is plaintext.`);
+        continue;
+      }
+      const parsed = parseEncryptedSecretValue(secret.value);
+      if (!parsed.ok) {
+        issues.push(`${filePath}:${secret.lineNumber + 1} malformed encrypted value (${parsed.error}).`);
+      }
+    }
+  }
+  if (issues.length === 0) {
+    console.log(`Audit passed. All secret declarations are encrypted.`);
+    return 0;
+  }
+  console.error(`Audit failed with ${issues.length} issue(s):`);
+  for (const issue of issues) {
+    console.error(`  - ${issue}`);
+  }
+  return 1;
+}
+async function handleKeys() {
+  const keys = listCachedSecretKeyIds(process.cwd());
+  if (keys.length === 0) {
+    console.log("No cached keys found for this workspace.");
+    return 0;
+  }
+  console.log("Cached key ids:");
+  for (const kid of keys) {
+    console.log(`  - ${kid}`);
+  }
+  return 0;
+}
+async function handleForget(args) {
+  const kid = getFlagValue(args, "--kid", "-k");
+  if (!kid) {
+    console.error(`Error: forget requires --kid.`);
+    return 1;
+  }
+  const removed = removeSecretKeyFromCache(kid, process.cwd());
+  if (!removed) {
+    console.log(`No cached key found for '${kid}'.`);
+    return 0;
+  }
+  console.log(`Removed cached key '${kid}'.`);
+  return 0;
+}
+async function handleSecretsCommand(args) {
+  const [subcommand, ...rest] = args;
+  switch (subcommand) {
+    case "keygen":
+      return handleKeygen(rest);
+    case "import-key":
+      return handleImportKey(rest);
+    case "encrypt":
+      return handleEncrypt(rest);
+    case "rotate":
+      return handleRotate(rest);
+    case "rekey":
+      return handleRekey(rest);
+    case "audit":
+      return handleAudit(rest);
+    case "keys":
+      return handleKeys();
+    case "forget":
+      return handleForget(rest);
+    case "--help":
+    case "-h":
+    case void 0:
+      printSecretsHelp();
+      return 0;
+    default:
+      console.error(`Unknown secrets command: ${subcommand}`);
+      printSecretsHelp();
+      return 1;
+  }
+}
+function printSecretResolutionErrors(errors, envFilePath) {
+  for (const err of errors) {
+    console.error(`Error: ${formatSecretError(err, envFilePath)}`);
+  }
 }
 
 // src/cli.ts
 function formatNornenvErrorLocation(rootEnvFilePath, errorFilePath, line2) {
-  const baseDir = path5.dirname(rootEnvFilePath);
-  const relativePath = path5.relative(baseDir, errorFilePath);
-  const fileLabel = relativePath && relativePath !== "" ? relativePath : path5.basename(errorFilePath);
+  const baseDir = path9.dirname(rootEnvFilePath);
+  const relativePath = path9.relative(baseDir, errorFilePath);
+  const fileLabel = relativePath && relativePath !== "" ? relativePath : path9.basename(errorFilePath);
   return line2 >= 0 ? `${fileLabel}:${line2 + 1}` : fileLabel;
 }
 function resolveEnvironmentForPath(targetPath, selectedEnv) {
@@ -30841,10 +31642,11 @@ function resolveEnvironmentForPath(targetPath, selectedEnv) {
       variables: {},
       secretNames: /* @__PURE__ */ new Set(),
       secretValues: /* @__PURE__ */ new Map(),
+      secretErrors: [],
       availableEnvironments: []
     };
   }
-  const { config: envConfig, errors: importErrors } = loadAndResolveEnvFile(envFilePath);
+  const { config: envConfig, errors: importErrors, secretErrors } = loadAndResolveEnvFile(envFilePath);
   for (const err of importErrors) {
     const location = formatNornenvErrorLocation(envFilePath, err.filePath, err.line);
     console.error(`Error in ${location}: ${err.message}`);
@@ -30865,6 +31667,7 @@ function resolveEnvironmentForPath(targetPath, selectedEnv) {
         variables,
         secretNames,
         secretValues,
+        secretErrors: secretErrors.map((e) => e.message),
         availableEnvironments,
         envNotFound: selectedEnv
       };
@@ -30881,6 +31684,7 @@ function resolveEnvironmentForPath(targetPath, selectedEnv) {
     variables,
     secretNames,
     secretValues,
+    secretErrors: secretErrors.map((e) => e.message),
     availableEnvironments
   };
 }
@@ -30910,10 +31714,10 @@ function generateTimestamp() {
   return `${year}-${month}-${day}-${hours}${minutes}${seconds}`;
 }
 function generateReportPaths(outputDir, inputFile, timestamp) {
-  const baseName = path5.basename(inputFile, path5.extname(inputFile));
+  const baseName = path9.basename(inputFile, path9.extname(inputFile));
   return {
-    junitPath: path5.join(outputDir, `${baseName}-${timestamp}-results.xml`),
-    htmlPath: path5.join(outputDir, `${baseName}-${timestamp}-report.html`)
+    junitPath: path9.join(outputDir, `${baseName}-${timestamp}-results.xml`),
+    htmlPath: path9.join(outputDir, `${baseName}-${timestamp}-report.html`)
   };
 }
 function parseArgs(args) {
@@ -30924,7 +31728,8 @@ function parseArgs(args) {
     failOnError: true,
     noRedact: false,
     tagFilters: [],
-    tagsFilter: []
+    tagsFilter: [],
+    insecure: false
   };
   for (let i = 0; i < args.length; i++) {
     const arg = args[i];
@@ -30940,6 +31745,8 @@ function parseArgs(args) {
       options.env = args[++i];
     } else if (arg === "--timeout" || arg === "-t") {
       options.timeout = parseInt(args[++i], 10) * 1e3;
+    } else if (arg === "--insecure") {
+      options.insecure = true;
     } else if (arg === "--no-fail") {
       options.failOnError = false;
     } else if (arg === "--no-redact") {
@@ -30975,6 +31782,7 @@ function printHelp() {
 Norn CLI - Run HTTP requests and test sequences from .norn files
 
 Usage: norn <file.norn|directory> [options]
+       norn secrets <command> [options]
 
   When given a directory, recursively discovers and runs all test sequences
   from .norn files within that directory and subdirectories.
@@ -30984,6 +31792,7 @@ Options:
   -r, --request <name>   Run a specific named request (single file only)
   -e, --env <name>       Use environment from .nornenv (e.g., dev, prod)
   -t, --timeout <sec>    Request timeout in seconds (default: no timeout)
+  --insecure             Disable TLS certificate verification (dev/self-signed only)
   -j, --json             Output results as JSON (for CI/CD)
   -v, --verbose          Show detailed output (headers, request/response bodies)
   --no-fail              Don't exit with error code on failed requests
@@ -31034,7 +31843,11 @@ Examples:
   norn tests/ -o ./reports                  # Generate reports for all tests
   norn api-tests.norn --junit results.xml   # Generate JUnit report (explicit)
   norn api-tests.norn --html report.html    # Generate HTML report (explicit)
+  norn api-tests.norn --insecure            # Allow self-signed/local TLS certs
   norn api-tests.norn --no-redact           # Show all data (no redaction)
+  norn secrets keygen --name team-main      # Generate shared key and cache locally
+  norn secrets import-key --kid team-main   # Save shared key from your vault
+  norn secrets audit .                       # Fail if plaintext secrets are committed
 `);
 }
 async function runSingleRequest(fileContent, variables, cookieJar, apiDefinitions, filePath, envContext) {
@@ -31172,9 +31985,9 @@ async function runSingleRequest(fileContent, variables, cookieJar, apiDefinition
 function discoverNornFiles(dirPath) {
   const files = [];
   function walkDir(currentPath) {
-    const entries = fs6.readdirSync(currentPath, { withFileTypes: true });
+    const entries = fs10.readdirSync(currentPath, { withFileTypes: true });
     for (const entry of entries) {
-      const fullPath = path5.join(currentPath, entry.name);
+      const fullPath = path9.join(currentPath, entry.name);
       if (entry.isDirectory()) {
         if (!entry.name.startsWith(".") && entry.name !== "node_modules") {
           walkDir(fullPath);
@@ -31194,7 +32007,7 @@ function countTestSequences(fileContent, tagFilterOptions) {
   return { total: testSequences.length, filtered };
 }
 async function loadTheoryFile(theoryPath, workingDir) {
-  const absolutePath = path5.resolve(workingDir, theoryPath);
+  const absolutePath = path9.resolve(workingDir, theoryPath);
   const content = await fsPromises.readFile(absolutePath, "utf-8");
   return JSON.parse(content);
 }
@@ -31288,23 +32101,37 @@ async function runAllSequences(fileContent, variables, cookieJar, workingDir, ap
   return results;
 }
 async function main() {
-  const args = process.argv.slice(2);
+  const rawArgs = process.argv.slice(2);
+  if (rawArgs[0] === "secrets") {
+    const exitCode = await handleSecretsCommand(rawArgs.slice(1));
+    process.exit(exitCode);
+  }
+  const args = rawArgs[0] === "run" ? rawArgs.slice(1) : rawArgs;
   if (args.length === 0) {
     printHelp();
     process.exit(1);
   }
   const options = parseArgs(args);
+  setVerifyTlsCertificates(!options.insecure);
+  if (options.insecure) {
+    process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+  } else {
+    delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+  }
   if (!options.file) {
     console.error("Error: No input file or directory specified");
     process.exit(1);
   }
   const colors = await initColors();
-  const inputPath = path5.resolve(options.file);
-  if (!fs6.existsSync(inputPath)) {
+  if (options.insecure) {
+    console.error(colors.warning("Warning: TLS certificate verification is disabled (--insecure). Use this only for local development."));
+  }
+  const inputPath = path9.resolve(options.file);
+  if (!fs10.existsSync(inputPath)) {
     console.error(`Error: Path not found: ${inputPath}`);
     process.exit(1);
   }
-  const isDirectory = fs6.statSync(inputPath).isDirectory();
+  const isDirectory = fs10.statSync(inputPath).isDirectory();
   let filesToRun;
   if (isDirectory) {
     filesToRun = discoverNornFiles(inputPath);
@@ -31342,6 +32169,15 @@ async function main() {
   }
   if (options.sequence || options.request) {
     const filePath = filesToRun[0];
+    const secretUnlockResult = await ensureCliSecretsUnlocked(filePath);
+    if (!secretUnlockResult.ok) {
+      if (secretUnlockResult.errors.length > 0) {
+        printSecretResolutionErrors(secretUnlockResult.errors, secretUnlockResult.envFilePath);
+      } else {
+        console.error("Unable to unlock encrypted secrets.");
+      }
+      process.exit(1);
+    }
     const resolvedEnv = resolveEnvironmentForPath(filePath, options.env);
     const envValidationContext = buildCliEnvironmentValidationContext(resolvedEnv, options.env);
     if (resolvedEnv.envNotFound) {
@@ -31349,6 +32185,12 @@ async function main() {
       console.error(`Available environments: ${resolvedEnv.availableEnvironments.join(", ") || "none"}`);
       process.exit(1);
     }
+    if (resolvedEnv.secretErrors.length > 0) {
+      for (const error of resolvedEnv.secretErrors) {
+        console.error(`Error: ${error}`);
+      }
+      process.exit(1);
+    }
     if (!resolvedEnv.envFilePath && options.env) {
       console.error(colors.warning(`Warning: --env specified but no .nornenv file found`));
     } else if (resolvedEnv.envFilePath && options.env && options.verbose) {
@@ -31356,11 +32198,11 @@ async function main() {
     }
     mergeSecrets(combinedSecretNames, combinedSecretValues, resolvedEnv.secretNames, resolvedEnv.secretValues);
     const redaction2 = createRedactionOptions(combinedSecretNames, combinedSecretValues, !options.noRedact);
-    const fileContent = fs6.readFileSync(filePath, "utf-8");
+    const fileContent = fs10.readFileSync(filePath, "utf-8");
     const fileVariables = extractFileLevelVariables(fileContent);
     const variables = { ...resolvedEnv.variables, ...fileVariables };
     const cookieJar = createCookieJar();
-    const workingDir = path5.dirname(filePath);
+    const workingDir = path9.dirname(filePath);
     const importResult = await resolveImports(
       fileContent,
       workingDir,
@@ -31461,7 +32303,7 @@ ${fileContent}` : fileContent;
   let totalTestCount = 0;
   let filteredTestCount = 0;
   for (const filePath of filesToRun) {
-    const fileContent = fs6.readFileSync(filePath, "utf-8");
+    const fileContent = fs10.readFileSync(filePath, "utf-8");
     const counts = countTestSequences(fileContent, tagFilterOptions);
     totalTestCount += counts.total;
     filteredTestCount += counts.filtered;
@@ -31480,6 +32322,15 @@ ${fileContent}` : fileContent;
     console.log("");
   }
   for (const filePath of filesToRun) {
+    const secretUnlockResult = await ensureCliSecretsUnlocked(filePath);
+    if (!secretUnlockResult.ok) {
+      if (secretUnlockResult.errors.length > 0) {
+        printSecretResolutionErrors(secretUnlockResult.errors, secretUnlockResult.envFilePath);
+      } else {
+        console.error("Unable to unlock encrypted secrets.");
+      }
+      process.exit(1);
+    }
     const resolvedEnv = resolveEnvironmentForPath(filePath, options.env);
     const envValidationContext = buildCliEnvironmentValidationContext(resolvedEnv, options.env);
     if (resolvedEnv.envNotFound) {
@@ -31487,17 +32338,23 @@ ${fileContent}` : fileContent;
       console.error(`Available environments: ${resolvedEnv.availableEnvironments.join(", ") || "none"}`);
       process.exit(1);
     }
+    if (resolvedEnv.secretErrors.length > 0) {
+      for (const error of resolvedEnv.secretErrors) {
+        console.error(`Error: ${error}`);
+      }
+      process.exit(1);
+    }
     if (!resolvedEnv.envFilePath && options.env) {
-      const relPath = isDirectory ? path5.relative(inputPath, filePath) : path5.basename(filePath);
+      const relPath = isDirectory ? path9.relative(inputPath, filePath) : path9.basename(filePath);
       console.error(colors.warning(`Warning: --env specified but no .nornenv file found for ${relPath}`));
     }
     mergeSecrets(combinedSecretNames, combinedSecretValues, resolvedEnv.secretNames, resolvedEnv.secretValues);
     const redaction2 = createRedactionOptions(combinedSecretNames, combinedSecretValues, !options.noRedact);
-    const fileContent = fs6.readFileSync(filePath, "utf-8");
+    const fileContent = fs10.readFileSync(filePath, "utf-8");
     const fileVariables = extractFileLevelVariables(fileContent);
     const variables = { ...resolvedEnv.variables, ...fileVariables };
     const cookieJar = createCookieJar();
-    const workingDir = path5.dirname(filePath);
+    const workingDir = path9.dirname(filePath);
     const importResult = await resolveImports(
       fileContent,
       workingDir,
@@ -31529,7 +32386,7 @@ ${fileContent}` : fileContent;
       continue;
     }
     if (isDirectory && options.output !== "json") {
-      const relPath = path5.relative(inputPath, filePath);
+      const relPath = path9.relative(inputPath, filePath);
       console.log(colors.info(`
 \u2501\u2501\u2501 ${relPath} \u2501\u2501\u2501`));
     }
@@ -31573,7 +32430,7 @@ ${fileContent}` : fileContent;
   let htmlOutputPath = options.htmlOutput;
   if (options.outputDir) {
     const timestamp = generateTimestamp();
-    const baseName = isDirectory ? path5.basename(inputPath) : path5.basename(inputPath, path5.extname(inputPath));
+    const baseName = isDirectory ? path9.basename(inputPath) : path9.basename(inputPath, path9.extname(inputPath));
     const generatedPaths = generateReportPaths(options.outputDir, baseName + ".norn", timestamp);
     if (!junitOutputPath) {
       junitOutputPath = generatedPaths.junitPath;
@@ -31581,12 +32438,12 @@ ${fileContent}` : fileContent;
     if (!htmlOutputPath) {
       htmlOutputPath = generatedPaths.htmlPath;
     }
-    if (!fs6.existsSync(options.outputDir)) {
-      fs6.mkdirSync(options.outputDir, { recursive: true });
+    if (!fs10.existsSync(options.outputDir)) {
+      fs10.mkdirSync(options.outputDir, { recursive: true });
     }
   }
   if (junitOutputPath) {
-    const suiteName = isDirectory ? path5.basename(inputPath) : path5.basename(inputPath, path5.extname(inputPath));
+    const suiteName = isDirectory ? path9.basename(inputPath) : path9.basename(inputPath, path9.extname(inputPath));
     if (result.type === "request") {
       generateJUnitReportFromResponse(
         result.results[0],
@@ -31602,11 +32459,11 @@ ${fileContent}` : fileContent;
     console.log(colors.info(`JUnit report written to: ${junitOutputPath}`));
   }
   if (htmlOutputPath) {
-    const title = `Norn Test Report - ${path5.basename(inputPath)}`;
+    const title = `Norn Test Report - ${path9.basename(inputPath)}`;
     if (result.type === "request") {
       generateHtmlReportFromResponse(
         result.results[0],
-        options.request || path5.basename(inputPath),
+        options.request || path9.basename(inputPath),
         { outputPath: htmlOutputPath, redaction, title }
       );
     } else {