norn-cli 2.3.0 → 2.4.0

package/out/secrets/cliSecrets.js

@@ -0,0 +1,415 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureCliSecretsUnlocked = ensureCliSecretsUnlocked;
+exports.handleSecretsCommand = handleSecretsCommand;
+exports.printSecretResolutionErrors = printSecretResolutionErrors;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const readline = __importStar(require("readline"));
+const process_1 = require("process");
+const environmentParser_1 = require("../environmentParser");
+const crypto_1 = require("./crypto");
+const envFileSecrets_1 = require("./envFileSecrets");
+const keyStore_1 = require("./keyStore");
+function getFlagValue(args, flag, shortFlag) {
+    const longIndex = args.indexOf(flag);
+    if (longIndex >= 0 && longIndex + 1 < args.length) {
+        return args[longIndex + 1];
+    }
+    if (shortFlag) {
+        const shortIndex = args.indexOf(shortFlag);
+        if (shortIndex >= 0 && shortIndex + 1 < args.length) {
+            return args[shortIndex + 1];
+        }
+    }
+    return undefined;
+}
+function hasFlag(args, flag) {
+    return args.includes(flag);
+}
+async function promptLine(question) {
+    if (!process.stdin.isTTY) {
+        return undefined;
+    }
+    const rl = readline.createInterface({ input: process_1.stdin, output: process_1.stdout });
+    try {
+        const answer = await new Promise((resolve) => {
+            rl.question(question, resolve);
+        });
+        const trimmed = answer.trim();
+        return trimmed === '' ? undefined : trimmed;
+    }
+    finally {
+        rl.close();
+    }
+}
+function uniqueUnlockableKids(errors) {
+    const kids = new Set();
+    for (const err of errors) {
+        if ((err.code === 'missing-key' || err.code === 'decrypt-failed') && err.kid) {
+            kids.add(err.kid);
+        }
+    }
+    return Array.from(kids).sort();
+}
+function formatSecretError(err, envFilePath) {
+    if (!envFilePath) {
+        return `${err.message}`;
+    }
+    const relative = path.relative(path.dirname(envFilePath), err.filePath);
+    const fileLabel = relative && relative !== '' ? relative : path.basename(err.filePath);
+    const lineLabel = err.line >= 0 ? `${fileLabel}:${err.line + 1}` : fileLabel;
+    return `${lineLabel} - ${err.message}`;
+}
+async function ensureKeyForKid(kid, contextPath) {
+    const existing = (0, keyStore_1.resolveSecretKey)(kid, contextPath);
+    if (existing) {
+        return existing;
+    }
+    const entered = await promptLine(`Enter shared key for kid '${kid}': `);
+    if (!entered) {
+        return undefined;
+    }
+    (0, keyStore_1.saveSecretKeyToCache)(kid, entered, contextPath);
+    return entered;
+}
+async function ensureCliSecretsUnlocked(targetPath) {
+    const envFilePath = (0, environmentParser_1.findEnvFileFromPath)(targetPath);
+    if (!envFilePath) {
+        return { ok: true, errors: [] };
+    }
+    for (let attempt = 0; attempt < 5; attempt++) {
+        const result = (0, environmentParser_1.loadAndResolveEnvFile)(envFilePath);
+        const unlockableKids = uniqueUnlockableKids(result.secretErrors);
+        if (unlockableKids.length === 0) {
+            return { ok: result.secretErrors.length === 0, envFilePath, errors: result.secretErrors };
+        }
+        for (const kid of unlockableKids) {
+            const key = await ensureKeyForKid(kid, envFilePath);
+            if (!key) {
+                return { ok: false, envFilePath, errors: result.secretErrors };
+            }
+        }
+    }
+    const finalResult = (0, environmentParser_1.loadAndResolveEnvFile)(envFilePath);
+    return { ok: finalResult.secretErrors.length === 0, envFilePath, errors: finalResult.secretErrors };
+}
+function printSecretsHelp() {
+    console.log(`
+Norn Secrets Commands
+
+Usage:
+  norn secrets keygen --name <kid>
+  norn secrets import-key --kid <kid> [--key <value>]
+  norn secrets encrypt --file <.nornenv> --var <name> [--env <env>] [--kid <kid>]
+  norn secrets rotate --file <.nornenv> --var <name> [--env <env>] [--kid <kid>] [--value <plaintext>]
+  norn secrets rekey [path] [--kid <newKid>]
+  norn secrets audit [path]
+  norn secrets keys
+  norn secrets forget --kid <kid>
+
+Notes:
+  - Secrets are stored as ENC[NORN_AGE_V1:kid=<id>:<payload>] in .nornenv.
+  - Keys are cached locally in the project .norn-cache/secret-keys.json (gitignored).
+  - norn run auto-prompts once for missing kids when interactive.
+`);
+}
+async function handleKeygen(args) {
+    const kid = getFlagValue(args, '--name', '-n');
+    if (!kid) {
+        console.error(`Error: Missing --name for keygen.`);
+        return 1;
+    }
+    const key = (0, crypto_1.generateSharedSecretKey)();
+    (0, keyStore_1.saveSecretKeyToCache)(kid, key, process.cwd());
+    console.log(`Generated shared key for kid '${kid}'.`);
+    console.log(`Store this key in your team vault now:`);
+    console.log(key);
+    console.log(`Saved to local cache for current workspace.`);
+    return 0;
+}
+async function handleImportKey(args) {
+    const kid = getFlagValue(args, '--kid', '-k');
+    if (!kid) {
+        console.error(`Error: Missing --kid for import-key.`);
+        return 1;
+    }
+    const directKey = getFlagValue(args, '--key');
+    const key = directKey ?? await promptLine(`Enter shared key for kid '${kid}': `);
+    if (!key) {
+        console.error(`Error: No key provided.`);
+        return 1;
+    }
+    (0, keyStore_1.saveSecretKeyToCache)(kid, key, process.cwd());
+    console.log(`Saved key for kid '${kid}' to local cache.`);
+    return 0;
+}
+async function handleEncrypt(args) {
+    const filePath = getFlagValue(args, '--file', '-f');
+    const variableName = getFlagValue(args, '--var');
+    const envName = getFlagValue(args, '--env');
+    const explicitKid = getFlagValue(args, '--kid');
+    if (!filePath || !variableName) {
+        console.error(`Error: encrypt requires --file and --var.`);
+        return 1;
+    }
+    const absoluteFilePath = path.resolve(filePath);
+    const { content, secret } = (0, envFileSecrets_1.loadSecretLine)(absoluteFilePath, variableName, envName);
+    if (secret.encrypted) {
+        console.error(`Error: Secret '${variableName}' is already encrypted. Use rotate instead.`);
+        return 1;
+    }
+    const kid = explicitKid;
+    if (!kid) {
+        console.error(`Error: --kid is required when encrypting plaintext secret '${variableName}'.`);
+        return 1;
+    }
+    const key = await ensureKeyForKid(kid, absoluteFilePath);
+    if (!key) {
+        console.error(`Error: Missing key for kid '${kid}'.`);
+        return 1;
+    }
+    const encryptedValue = (0, crypto_1.encryptSecretValue)(secret.value, key, kid);
+    const updatedContent = (0, envFileSecrets_1.updateSecretLineValue)(content, secret.lineNumber, encryptedValue);
+    (0, envFileSecrets_1.writeSecretLine)(absoluteFilePath, updatedContent);
+    console.log(`Encrypted secret '${variableName}' in ${absoluteFilePath}:${secret.lineNumber + 1}`);
+    return 0;
+}
+async function handleRotate(args) {
+    const filePath = getFlagValue(args, '--file', '-f');
+    const variableName = getFlagValue(args, '--var');
+    const envName = getFlagValue(args, '--env');
+    const explicitKid = getFlagValue(args, '--kid');
+    const explicitValue = getFlagValue(args, '--value');
+    if (!filePath || !variableName) {
+        console.error(`Error: rotate requires --file and --var.`);
+        return 1;
+    }
+    const absoluteFilePath = path.resolve(filePath);
+    const { content, secret } = (0, envFileSecrets_1.loadSecretLine)(absoluteFilePath, variableName, envName);
+    let kid = explicitKid;
+    if (!kid && secret.encrypted) {
+        const parsed = (0, crypto_1.parseEncryptedSecretValue)(secret.value);
+        if (parsed.ok) {
+            kid = parsed.parsed.kid;
+        }
+    }
+    if (!kid) {
+        console.error(`Error: Could not determine kid for '${variableName}'. Pass --kid.`);
+        return 1;
+    }
+    const nextPlaintext = explicitValue ?? await promptLine(`Enter new plaintext value for '${variableName}': `);
+    if (nextPlaintext === undefined) {
+        console.error(`Error: No replacement value provided.`);
+        return 1;
+    }
+    const key = await ensureKeyForKid(kid, absoluteFilePath);
+    if (!key) {
+        console.error(`Error: Missing key for kid '${kid}'.`);
+        return 1;
+    }
+    const encryptedValue = (0, crypto_1.encryptSecretValue)(nextPlaintext, key, kid);
+    const updatedContent = (0, envFileSecrets_1.updateSecretLineValue)(content, secret.lineNumber, encryptedValue);
+    (0, envFileSecrets_1.writeSecretLine)(absoluteFilePath, updatedContent);
+    console.log(`Rotated secret '${variableName}' in ${absoluteFilePath}:${secret.lineNumber + 1}`);
+    return 0;
+}
+async function handleRekey(args) {
+    const positional = args.filter(arg => !arg.startsWith('-'));
+    const targetPath = positional[0] ? path.resolve(positional[0]) : process.cwd();
+    const targetKid = getFlagValue(args, '--kid');
+    const files = (0, envFileSecrets_1.discoverNornenvFiles)(targetPath);
+    if (files.length === 0) {
+        console.log(`No .nornenv files found under ${targetPath}`);
+        return 0;
+    }
+    let updatedFiles = 0;
+    let updatedSecrets = 0;
+    for (const filePath of files) {
+        const original = fs.readFileSync(filePath, 'utf8');
+        const secretLines = (0, envFileSecrets_1.extractSecretLines)(original, filePath);
+        if (secretLines.length === 0) {
+            continue;
+        }
+        const replacements = new Map();
+        for (const secret of secretLines) {
+            if (!secret.encrypted) {
+                continue;
+            }
+            const parsed = (0, crypto_1.parseEncryptedSecretValue)(secret.value);
+            if (!parsed.ok) {
+                console.error(`Skipping malformed secret at ${filePath}:${secret.lineNumber + 1}: ${parsed.error}`);
+                continue;
+            }
+            const sourceKid = parsed.parsed.kid;
+            const decryptKey = await ensureKeyForKid(sourceKid, filePath);
+            if (!decryptKey) {
+                console.error(`Missing key for source kid '${sourceKid}' (${filePath}:${secret.lineNumber + 1})`);
+                return 1;
+            }
+            let plaintext;
+            try {
+                plaintext = (0, crypto_1.decryptSecretValue)(secret.value, decryptKey);
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                console.error(`Failed to decrypt ${filePath}:${secret.lineNumber + 1} (${sourceKid}): ${message}`);
+                return 1;
+            }
+            const destinationKid = targetKid ?? sourceKid;
+            const encryptKey = destinationKid === sourceKid ? decryptKey : await ensureKeyForKid(destinationKid, filePath);
+            if (!encryptKey) {
+                console.error(`Missing key for destination kid '${destinationKid}'`);
+                return 1;
+            }
+            replacements.set(secret.lineNumber, (0, crypto_1.encryptSecretValue)(plaintext, encryptKey, destinationKid));
+        }
+        if (replacements.size === 0) {
+            continue;
+        }
+        let updated = original;
+        const orderedLines = Array.from(replacements.keys()).sort((a, b) => a - b);
+        for (const lineNumber of orderedLines) {
+            const value = replacements.get(lineNumber);
+            if (!value) {
+                continue;
+            }
+            updated = (0, envFileSecrets_1.updateSecretLineValue)(updated, lineNumber, value);
+            updatedSecrets += 1;
+        }
+        if (updated !== original) {
+            fs.writeFileSync(filePath, updated, 'utf8');
+            updatedFiles += 1;
+        }
+    }
+    console.log(`Rekey complete. Updated ${updatedSecrets} secrets across ${updatedFiles} file(s).`);
+    return 0;
+}
+async function handleAudit(args) {
+    const positional = args.filter(arg => !arg.startsWith('-'));
+    const targetPath = positional[0] ? path.resolve(positional[0]) : process.cwd();
+    const files = (0, envFileSecrets_1.discoverNornenvFiles)(targetPath);
+    if (files.length === 0) {
+        console.log(`No .nornenv files found under ${targetPath}`);
+        return 0;
+    }
+    const issues = [];
+    for (const filePath of files) {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const secrets = (0, envFileSecrets_1.extractSecretLines)(content, filePath);
+        for (const secret of secrets) {
+            if (!secret.encrypted) {
+                issues.push(`${filePath}:${secret.lineNumber + 1} secret '${secret.name}' is plaintext.`);
+                continue;
+            }
+            const parsed = (0, crypto_1.parseEncryptedSecretValue)(secret.value);
+            if (!parsed.ok) {
+                issues.push(`${filePath}:${secret.lineNumber + 1} malformed encrypted value (${parsed.error}).`);
+            }
+        }
+    }
+    if (issues.length === 0) {
+        console.log(`Audit passed. All secret declarations are encrypted.`);
+        return 0;
+    }
+    console.error(`Audit failed with ${issues.length} issue(s):`);
+    for (const issue of issues) {
+        console.error(`  - ${issue}`);
+    }
+    return 1;
+}
+async function handleKeys() {
+    const keys = (0, keyStore_1.listCachedSecretKeyIds)(process.cwd());
+    if (keys.length === 0) {
+        console.log('No cached keys found for this workspace.');
+        return 0;
+    }
+    console.log('Cached key ids:');
+    for (const kid of keys) {
+        console.log(`  - ${kid}`);
+    }
+    return 0;
+}
+async function handleForget(args) {
+    const kid = getFlagValue(args, '--kid', '-k');
+    if (!kid) {
+        console.error(`Error: forget requires --kid.`);
+        return 1;
+    }
+    const removed = (0, keyStore_1.removeSecretKeyFromCache)(kid, process.cwd());
+    if (!removed) {
+        console.log(`No cached key found for '${kid}'.`);
+        return 0;
+    }
+    console.log(`Removed cached key '${kid}'.`);
+    return 0;
+}
+async function handleSecretsCommand(args) {
+    const [subcommand, ...rest] = args;
+    switch (subcommand) {
+        case 'keygen':
+            return handleKeygen(rest);
+        case 'import-key':
+            return handleImportKey(rest);
+        case 'encrypt':
+            return handleEncrypt(rest);
+        case 'rotate':
+            return handleRotate(rest);
+        case 'rekey':
+            return handleRekey(rest);
+        case 'audit':
+            return handleAudit(rest);
+        case 'keys':
+            return handleKeys();
+        case 'forget':
+            return handleForget(rest);
+        case '--help':
+        case '-h':
+        case undefined:
+            printSecretsHelp();
+            return 0;
+        default:
+            console.error(`Unknown secrets command: ${subcommand}`);
+            printSecretsHelp();
+            return 1;
+    }
+}
+function printSecretResolutionErrors(errors, envFilePath) {
+    for (const err of errors) {
+        console.error(`Error: ${formatSecretError(err, envFilePath)}`);
+    }
+}
+//# sourceMappingURL=cliSecrets.js.map

package/out/secrets/crypto.js

@@ -0,0 +1,105 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ENCRYPTED_SECRET_VERSION = exports.ENCRYPTED_SECRET_SUFFIX = exports.ENCRYPTED_SECRET_PREFIX = void 0;
+exports.generateSharedSecretKey = generateSharedSecretKey;
+exports.isEncryptedSecretValue = isEncryptedSecretValue;
+exports.parseEncryptedSecretValue = parseEncryptedSecretValue;
+exports.encryptSecretValue = encryptSecretValue;
+exports.decryptSecretValue = decryptSecretValue;
+const crypto = __importStar(require("crypto"));
+exports.ENCRYPTED_SECRET_PREFIX = 'ENC[';
+exports.ENCRYPTED_SECRET_SUFFIX = ']';
+exports.ENCRYPTED_SECRET_VERSION = 'NORN_AGE_V1';
+const encryptedSecretRegex = /^ENC\[([A-Z0-9_]+):kid=([a-zA-Z0-9._-]+):([A-Za-z0-9_-]+)\]$/;
+function deriveEncryptionKey(sharedKey) {
+    return crypto.createHash('sha256').update(sharedKey, 'utf8').digest();
+}
+function generateSharedSecretKey() {
+    return crypto.randomBytes(32).toString('base64url');
+}
+function isEncryptedSecretValue(value) {
+    return value.trim().startsWith(exports.ENCRYPTED_SECRET_PREFIX) && value.trim().endsWith(exports.ENCRYPTED_SECRET_SUFFIX);
+}
+function parseEncryptedSecretValue(value) {
+    const trimmed = value.trim();
+    const match = trimmed.match(encryptedSecretRegex);
+    if (!match) {
+        return {
+            ok: false,
+            error: `Invalid encrypted secret format. Expected: ENC[${exports.ENCRYPTED_SECRET_VERSION}:kid=<id>:<payload>]`
+        };
+    }
+    return {
+        ok: true,
+        parsed: {
+            version: match[1],
+            kid: match[2],
+            payload: match[3]
+        }
+    };
+}
+function encryptSecretValue(plaintext, sharedKey, kid) {
+    const key = deriveEncryptionKey(sharedKey);
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    const payload = Buffer.concat([iv, authTag, ciphertext]).toString('base64url');
+    return `ENC[${exports.ENCRYPTED_SECRET_VERSION}:kid=${kid}:${payload}]`;
+}
+function decryptSecretValue(encryptedValue, sharedKey) {
+    const parsedResult = parseEncryptedSecretValue(encryptedValue);
+    if (!parsedResult.ok) {
+        throw new Error(parsedResult.error);
+    }
+    const { version, payload } = parsedResult.parsed;
+    if (version !== exports.ENCRYPTED_SECRET_VERSION) {
+        throw new Error(`Unsupported encrypted secret version '${version}'. Expected '${exports.ENCRYPTED_SECRET_VERSION}'.`);
+    }
+    const raw = Buffer.from(payload, 'base64url');
+    if (raw.length < 28) {
+        throw new Error('Encrypted payload is too short.');
+    }
+    const iv = raw.subarray(0, 12);
+    const authTag = raw.subarray(12, 28);
+    const ciphertext = raw.subarray(28);
+    const key = deriveEncryptionKey(sharedKey);
+    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return decrypted.toString('utf8');
+}
+//# sourceMappingURL=crypto.js.map

package/out/secrets/envFileSecrets.js

@@ -0,0 +1,177 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isNornenvFilePath = isNornenvFilePath;
+exports.isNornenvDocumentLike = isNornenvDocumentLike;
+exports.extractSecretLines = extractSecretLines;
+exports.updateSecretLineValue = updateSecretLineValue;
+exports.findSecretLine = findSecretLine;
+exports.loadSecretLine = loadSecretLine;
+exports.writeSecretLine = writeSecretLine;
+exports.discoverNornenvFiles = discoverNornenvFiles;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const crypto_1 = require("./crypto");
+const envRegex = /^\s*\[env:([a-zA-Z_][a-zA-Z0-9_-]*)\]\s*$/;
+const secretConnectionStringRegex = /^(\s*secret\s+connectionString\s+)([a-zA-Z_][a-zA-Z0-9_]*)(\s*=\s*)(.+)$/;
+const secretRegex = /^(\s*secret\s+)([a-zA-Z_][a-zA-Z0-9_]*)(\s*=\s*)(.+)$/;
+function splitContentLines(content) {
+    return content.split(/\r?\n/);
+}
+function detectEol(content) {
+    return content.includes('\r\n') ? '\r\n' : '\n';
+}
+function isNornenvFilePath(filePath) {
+    return path.basename(filePath).toLowerCase() === '.nornenv';
+}
+function isNornenvDocumentLike(languageId, filePath) {
+    return languageId === 'nornenv' || (!!filePath && isNornenvFilePath(filePath));
+}
+function extractSecretLines(content, filePath) {
+    const lines = splitContentLines(content);
+    const secrets = [];
+    let currentEnv;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#')) {
+            continue;
+        }
+        const envMatch = trimmed.match(envRegex);
+        if (envMatch) {
+            currentEnv = envMatch[1];
+            continue;
+        }
+        const secretConnectionStringMatch = line.match(secretConnectionStringRegex);
+        const secretMatch = line.match(secretRegex);
+        if (!secretConnectionStringMatch && !secretMatch) {
+            continue;
+        }
+        const secretName = secretConnectionStringMatch
+            ? `${secretConnectionStringMatch[2]}_connectionString`
+            : secretMatch[2];
+        const value = (secretConnectionStringMatch?.[4] ?? secretMatch[4]).trim();
+        const encrypted = (0, crypto_1.isEncryptedSecretValue)(value);
+        let kid;
+        if (encrypted) {
+            const parsed = (0, crypto_1.parseEncryptedSecretValue)(value);
+            if (parsed.ok) {
+                kid = parsed.parsed.kid;
+            }
+        }
+        secrets.push({
+            filePath,
+            lineNumber: i,
+            envName: currentEnv,
+            name: secretName,
+            value,
+            encrypted,
+            kid
+        });
+    }
+    return secrets;
+}
+function updateSecretLineValue(content, lineNumber, newValue) {
+    const lines = splitContentLines(content);
+    if (lineNumber < 0 || lineNumber >= lines.length) {
+        throw new Error(`Line ${lineNumber + 1} is out of range.`);
+    }
+    const line = lines[lineNumber];
+    const secretConnectionStringMatch = line.match(secretConnectionStringRegex);
+    const secretMatch = line.match(secretRegex);
+    if (!secretConnectionStringMatch && !secretMatch) {
+        throw new Error(`Line ${lineNumber + 1} is not a secret declaration.`);
+    }
+    if (secretConnectionStringMatch) {
+        lines[lineNumber] = `${secretConnectionStringMatch[1]}${secretConnectionStringMatch[2]}${secretConnectionStringMatch[3]}${newValue}`;
+    }
+    else {
+        lines[lineNumber] = `${secretMatch[1]}${secretMatch[2]}${secretMatch[3]}${newValue}`;
+    }
+    return lines.join(detectEol(content));
+}
+function findSecretLine(content, variableName, envName) {
+    const secretLines = extractSecretLines(content);
+    if (envName !== undefined) {
+        return secretLines.find(secret => secret.name === variableName && secret.envName === envName);
+    }
+    const commonMatch = secretLines.find(secret => secret.name === variableName && secret.envName === undefined);
+    if (commonMatch) {
+        return commonMatch;
+    }
+    return secretLines.find(secret => secret.name === variableName);
+}
+function loadSecretLine(filePath, variableName, envName) {
+    const content = fs.readFileSync(filePath, 'utf8');
+    const secret = findSecretLine(content, variableName, envName);
+    if (!secret) {
+        const envLabel = envName ? ` in [env:${envName}]` : '';
+        throw new Error(`Secret '${variableName}' not found${envLabel} in ${filePath}`);
+    }
+    return { content, secret };
+}
+function writeSecretLine(filePath, content) {
+    fs.writeFileSync(filePath, content, 'utf8');
+}
+function discoverNornenvFiles(targetPath) {
+    const resolved = path.resolve(targetPath);
+    if (!fs.existsSync(resolved)) {
+        return [];
+    }
+    const stats = fs.statSync(resolved);
+    if (stats.isFile()) {
+        return isNornenvFilePath(resolved) ? [resolved] : [];
+    }
+    const results = [];
+    const walk = (dir) => {
+        const entries = fs.readdirSync(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            const fullPath = path.join(dir, entry.name);
+            if (entry.isDirectory()) {
+                if (entry.name === 'node_modules' || entry.name === '.git' || entry.name === 'dist' || entry.name === 'out') {
+                    continue;
+                }
+                walk(fullPath);
+                continue;
+            }
+            if (entry.isFile() && isNornenvFilePath(entry.name)) {
+                results.push(fullPath);
+            }
+        }
+    };
+    walk(resolved);
+    return results.sort();
+}
+//# sourceMappingURL=envFileSecrets.js.map