norn-cli 2.4.0 → 2.5.0

package/out/secrets/cliSecrets.js

@@ -1,415 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ensureCliSecretsUnlocked = ensureCliSecretsUnlocked;
-exports.handleSecretsCommand = handleSecretsCommand;
-exports.printSecretResolutionErrors = printSecretResolutionErrors;
-const fs = __importStar(require("fs"));
-const path = __importStar(require("path"));
-const readline = __importStar(require("readline"));
-const process_1 = require("process");
-const environmentParser_1 = require("../environmentParser");
-const crypto_1 = require("./crypto");
-const envFileSecrets_1 = require("./envFileSecrets");
-const keyStore_1 = require("./keyStore");
-function getFlagValue(args, flag, shortFlag) {
-    const longIndex = args.indexOf(flag);
-    if (longIndex >= 0 && longIndex + 1 < args.length) {
-        return args[longIndex + 1];
-    }
-    if (shortFlag) {
-        const shortIndex = args.indexOf(shortFlag);
-        if (shortIndex >= 0 && shortIndex + 1 < args.length) {
-            return args[shortIndex + 1];
-        }
-    }
-    return undefined;
-}
-function hasFlag(args, flag) {
-    return args.includes(flag);
-}
-async function promptLine(question) {
-    if (!process.stdin.isTTY) {
-        return undefined;
-    }
-    const rl = readline.createInterface({ input: process_1.stdin, output: process_1.stdout });
-    try {
-        const answer = await new Promise((resolve) => {
-            rl.question(question, resolve);
-        });
-        const trimmed = answer.trim();
-        return trimmed === '' ? undefined : trimmed;
-    }
-    finally {
-        rl.close();
-    }
-}
-function uniqueUnlockableKids(errors) {
-    const kids = new Set();
-    for (const err of errors) {
-        if ((err.code === 'missing-key' || err.code === 'decrypt-failed') && err.kid) {
-            kids.add(err.kid);
-        }
-    }
-    return Array.from(kids).sort();
-}
-function formatSecretError(err, envFilePath) {
-    if (!envFilePath) {
-        return `${err.message}`;
-    }
-    const relative = path.relative(path.dirname(envFilePath), err.filePath);
-    const fileLabel = relative && relative !== '' ? relative : path.basename(err.filePath);
-    const lineLabel = err.line >= 0 ? `${fileLabel}:${err.line + 1}` : fileLabel;
-    return `${lineLabel} - ${err.message}`;
-}
-async function ensureKeyForKid(kid, contextPath) {
-    const existing = (0, keyStore_1.resolveSecretKey)(kid, contextPath);
-    if (existing) {
-        return existing;
-    }
-    const entered = await promptLine(`Enter shared key for kid '${kid}': `);
-    if (!entered) {
-        return undefined;
-    }
-    (0, keyStore_1.saveSecretKeyToCache)(kid, entered, contextPath);
-    return entered;
-}
-async function ensureCliSecretsUnlocked(targetPath) {
-    const envFilePath = (0, environmentParser_1.findEnvFileFromPath)(targetPath);
-    if (!envFilePath) {
-        return { ok: true, errors: [] };
-    }
-    for (let attempt = 0; attempt < 5; attempt++) {
-        const result = (0, environmentParser_1.loadAndResolveEnvFile)(envFilePath);
-        const unlockableKids = uniqueUnlockableKids(result.secretErrors);
-        if (unlockableKids.length === 0) {
-            return { ok: result.secretErrors.length === 0, envFilePath, errors: result.secretErrors };
-        }
-        for (const kid of unlockableKids) {
-            const key = await ensureKeyForKid(kid, envFilePath);
-            if (!key) {
-                return { ok: false, envFilePath, errors: result.secretErrors };
-            }
-        }
-    }
-    const finalResult = (0, environmentParser_1.loadAndResolveEnvFile)(envFilePath);
-    return { ok: finalResult.secretErrors.length === 0, envFilePath, errors: finalResult.secretErrors };
-}
-function printSecretsHelp() {
-    console.log(`
-Norn Secrets Commands
-
-Usage:
-  norn secrets keygen --name <kid>
-  norn secrets import-key --kid <kid> [--key <value>]
-  norn secrets encrypt --file <.nornenv> --var <name> [--env <env>] [--kid <kid>]
-  norn secrets rotate --file <.nornenv> --var <name> [--env <env>] [--kid <kid>] [--value <plaintext>]
-  norn secrets rekey [path] [--kid <newKid>]
-  norn secrets audit [path]
-  norn secrets keys
-  norn secrets forget --kid <kid>
-
-Notes:
-  - Secrets are stored as ENC[NORN_AGE_V1:kid=<id>:<payload>] in .nornenv.
-  - Keys are cached locally in the project .norn-cache/secret-keys.json (gitignored).
-  - norn run auto-prompts once for missing kids when interactive.
-`);
-}
-async function handleKeygen(args) {
-    const kid = getFlagValue(args, '--name', '-n');
-    if (!kid) {
-        console.error(`Error: Missing --name for keygen.`);
-        return 1;
-    }
-    const key = (0, crypto_1.generateSharedSecretKey)();
-    (0, keyStore_1.saveSecretKeyToCache)(kid, key, process.cwd());
-    console.log(`Generated shared key for kid '${kid}'.`);
-    console.log(`Store this key in your team vault now:`);
-    console.log(key);
-    console.log(`Saved to local cache for current workspace.`);
-    return 0;
-}
-async function handleImportKey(args) {
-    const kid = getFlagValue(args, '--kid', '-k');
-    if (!kid) {
-        console.error(`Error: Missing --kid for import-key.`);
-        return 1;
-    }
-    const directKey = getFlagValue(args, '--key');
-    const key = directKey ?? await promptLine(`Enter shared key for kid '${kid}': `);
-    if (!key) {
-        console.error(`Error: No key provided.`);
-        return 1;
-    }
-    (0, keyStore_1.saveSecretKeyToCache)(kid, key, process.cwd());
-    console.log(`Saved key for kid '${kid}' to local cache.`);
-    return 0;
-}
-async function handleEncrypt(args) {
-    const filePath = getFlagValue(args, '--file', '-f');
-    const variableName = getFlagValue(args, '--var');
-    const envName = getFlagValue(args, '--env');
-    const explicitKid = getFlagValue(args, '--kid');
-    if (!filePath || !variableName) {
-        console.error(`Error: encrypt requires --file and --var.`);
-        return 1;
-    }
-    const absoluteFilePath = path.resolve(filePath);
-    const { content, secret } = (0, envFileSecrets_1.loadSecretLine)(absoluteFilePath, variableName, envName);
-    if (secret.encrypted) {
-        console.error(`Error: Secret '${variableName}' is already encrypted. Use rotate instead.`);
-        return 1;
-    }
-    const kid = explicitKid;
-    if (!kid) {
-        console.error(`Error: --kid is required when encrypting plaintext secret '${variableName}'.`);
-        return 1;
-    }
-    const key = await ensureKeyForKid(kid, absoluteFilePath);
-    if (!key) {
-        console.error(`Error: Missing key for kid '${kid}'.`);
-        return 1;
-    }
-    const encryptedValue = (0, crypto_1.encryptSecretValue)(secret.value, key, kid);
-    const updatedContent = (0, envFileSecrets_1.updateSecretLineValue)(content, secret.lineNumber, encryptedValue);
-    (0, envFileSecrets_1.writeSecretLine)(absoluteFilePath, updatedContent);
-    console.log(`Encrypted secret '${variableName}' in ${absoluteFilePath}:${secret.lineNumber + 1}`);
-    return 0;
-}
-async function handleRotate(args) {
-    const filePath = getFlagValue(args, '--file', '-f');
-    const variableName = getFlagValue(args, '--var');
-    const envName = getFlagValue(args, '--env');
-    const explicitKid = getFlagValue(args, '--kid');
-    const explicitValue = getFlagValue(args, '--value');
-    if (!filePath || !variableName) {
-        console.error(`Error: rotate requires --file and --var.`);
-        return 1;
-    }
-    const absoluteFilePath = path.resolve(filePath);
-    const { content, secret } = (0, envFileSecrets_1.loadSecretLine)(absoluteFilePath, variableName, envName);
-    let kid = explicitKid;
-    if (!kid && secret.encrypted) {
-        const parsed = (0, crypto_1.parseEncryptedSecretValue)(secret.value);
-        if (parsed.ok) {
-            kid = parsed.parsed.kid;
-        }
-    }
-    if (!kid) {
-        console.error(`Error: Could not determine kid for '${variableName}'. Pass --kid.`);
-        return 1;
-    }
-    const nextPlaintext = explicitValue ?? await promptLine(`Enter new plaintext value for '${variableName}': `);
-    if (nextPlaintext === undefined) {
-        console.error(`Error: No replacement value provided.`);
-        return 1;
-    }
-    const key = await ensureKeyForKid(kid, absoluteFilePath);
-    if (!key) {
-        console.error(`Error: Missing key for kid '${kid}'.`);
-        return 1;
-    }
-    const encryptedValue = (0, crypto_1.encryptSecretValue)(nextPlaintext, key, kid);
-    const updatedContent = (0, envFileSecrets_1.updateSecretLineValue)(content, secret.lineNumber, encryptedValue);
-    (0, envFileSecrets_1.writeSecretLine)(absoluteFilePath, updatedContent);
-    console.log(`Rotated secret '${variableName}' in ${absoluteFilePath}:${secret.lineNumber + 1}`);
-    return 0;
-}
-async function handleRekey(args) {
-    const positional = args.filter(arg => !arg.startsWith('-'));
-    const targetPath = positional[0] ? path.resolve(positional[0]) : process.cwd();
-    const targetKid = getFlagValue(args, '--kid');
-    const files = (0, envFileSecrets_1.discoverNornenvFiles)(targetPath);
-    if (files.length === 0) {
-        console.log(`No .nornenv files found under ${targetPath}`);
-        return 0;
-    }
-    let updatedFiles = 0;
-    let updatedSecrets = 0;
-    for (const filePath of files) {
-        const original = fs.readFileSync(filePath, 'utf8');
-        const secretLines = (0, envFileSecrets_1.extractSecretLines)(original, filePath);
-        if (secretLines.length === 0) {
-            continue;
-        }
-        const replacements = new Map();
-        for (const secret of secretLines) {
-            if (!secret.encrypted) {
-                continue;
-            }
-            const parsed = (0, crypto_1.parseEncryptedSecretValue)(secret.value);
-            if (!parsed.ok) {
-                console.error(`Skipping malformed secret at ${filePath}:${secret.lineNumber + 1}: ${parsed.error}`);
-                continue;
-            }
-            const sourceKid = parsed.parsed.kid;
-            const decryptKey = await ensureKeyForKid(sourceKid, filePath);
-            if (!decryptKey) {
-                console.error(`Missing key for source kid '${sourceKid}' (${filePath}:${secret.lineNumber + 1})`);
-                return 1;
-            }
-            let plaintext;
-            try {
-                plaintext = (0, crypto_1.decryptSecretValue)(secret.value, decryptKey);
-            }
-            catch (error) {
-                const message = error instanceof Error ? error.message : String(error);
-                console.error(`Failed to decrypt ${filePath}:${secret.lineNumber + 1} (${sourceKid}): ${message}`);
-                return 1;
-            }
-            const destinationKid = targetKid ?? sourceKid;
-            const encryptKey = destinationKid === sourceKid ? decryptKey : await ensureKeyForKid(destinationKid, filePath);
-            if (!encryptKey) {
-                console.error(`Missing key for destination kid '${destinationKid}'`);
-                return 1;
-            }
-            replacements.set(secret.lineNumber, (0, crypto_1.encryptSecretValue)(plaintext, encryptKey, destinationKid));
-        }
-        if (replacements.size === 0) {
-            continue;
-        }
-        let updated = original;
-        const orderedLines = Array.from(replacements.keys()).sort((a, b) => a - b);
-        for (const lineNumber of orderedLines) {
-            const value = replacements.get(lineNumber);
-            if (!value) {
-                continue;
-            }
-            updated = (0, envFileSecrets_1.updateSecretLineValue)(updated, lineNumber, value);
-            updatedSecrets += 1;
-        }
-        if (updated !== original) {
-            fs.writeFileSync(filePath, updated, 'utf8');
-            updatedFiles += 1;
-        }
-    }
-    console.log(`Rekey complete. Updated ${updatedSecrets} secrets across ${updatedFiles} file(s).`);
-    return 0;
-}
-async function handleAudit(args) {
-    const positional = args.filter(arg => !arg.startsWith('-'));
-    const targetPath = positional[0] ? path.resolve(positional[0]) : process.cwd();
-    const files = (0, envFileSecrets_1.discoverNornenvFiles)(targetPath);
-    if (files.length === 0) {
-        console.log(`No .nornenv files found under ${targetPath}`);
-        return 0;
-    }
-    const issues = [];
-    for (const filePath of files) {
-        const content = fs.readFileSync(filePath, 'utf8');
-        const secrets = (0, envFileSecrets_1.extractSecretLines)(content, filePath);
-        for (const secret of secrets) {
-            if (!secret.encrypted) {
-                issues.push(`${filePath}:${secret.lineNumber + 1} secret '${secret.name}' is plaintext.`);
-                continue;
-            }
-            const parsed = (0, crypto_1.parseEncryptedSecretValue)(secret.value);
-            if (!parsed.ok) {
-                issues.push(`${filePath}:${secret.lineNumber + 1} malformed encrypted value (${parsed.error}).`);
-            }
-        }
-    }
-    if (issues.length === 0) {
-        console.log(`Audit passed. All secret declarations are encrypted.`);
-        return 0;
-    }
-    console.error(`Audit failed with ${issues.length} issue(s):`);
-    for (const issue of issues) {
-        console.error(`  - ${issue}`);
-    }
-    return 1;
-}
-async function handleKeys() {
-    const keys = (0, keyStore_1.listCachedSecretKeyIds)(process.cwd());
-    if (keys.length === 0) {
-        console.log('No cached keys found for this workspace.');
-        return 0;
-    }
-    console.log('Cached key ids:');
-    for (const kid of keys) {
-        console.log(`  - ${kid}`);
-    }
-    return 0;
-}
-async function handleForget(args) {
-    const kid = getFlagValue(args, '--kid', '-k');
-    if (!kid) {
-        console.error(`Error: forget requires --kid.`);
-        return 1;
-    }
-    const removed = (0, keyStore_1.removeSecretKeyFromCache)(kid, process.cwd());
-    if (!removed) {
-        console.log(`No cached key found for '${kid}'.`);
-        return 0;
-    }
-    console.log(`Removed cached key '${kid}'.`);
-    return 0;
-}
-async function handleSecretsCommand(args) {
-    const [subcommand, ...rest] = args;
-    switch (subcommand) {
-        case 'keygen':
-            return handleKeygen(rest);
-        case 'import-key':
-            return handleImportKey(rest);
-        case 'encrypt':
-            return handleEncrypt(rest);
-        case 'rotate':
-            return handleRotate(rest);
-        case 'rekey':
-            return handleRekey(rest);
-        case 'audit':
-            return handleAudit(rest);
-        case 'keys':
-            return handleKeys();
-        case 'forget':
-            return handleForget(rest);
-        case '--help':
-        case '-h':
-        case undefined:
-            printSecretsHelp();
-            return 0;
-        default:
-            console.error(`Unknown secrets command: ${subcommand}`);
-            printSecretsHelp();
-            return 1;
-    }
-}
-function printSecretResolutionErrors(errors, envFilePath) {
-    for (const err of errors) {
-        console.error(`Error: ${formatSecretError(err, envFilePath)}`);
-    }
-}
-//# sourceMappingURL=cliSecrets.js.map

package/out/secrets/crypto.js

@@ -1,105 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.ENCRYPTED_SECRET_VERSION = exports.ENCRYPTED_SECRET_SUFFIX = exports.ENCRYPTED_SECRET_PREFIX = void 0;
-exports.generateSharedSecretKey = generateSharedSecretKey;
-exports.isEncryptedSecretValue = isEncryptedSecretValue;
-exports.parseEncryptedSecretValue = parseEncryptedSecretValue;
-exports.encryptSecretValue = encryptSecretValue;
-exports.decryptSecretValue = decryptSecretValue;
-const crypto = __importStar(require("crypto"));
-exports.ENCRYPTED_SECRET_PREFIX = 'ENC[';
-exports.ENCRYPTED_SECRET_SUFFIX = ']';
-exports.ENCRYPTED_SECRET_VERSION = 'NORN_AGE_V1';
-const encryptedSecretRegex = /^ENC\[([A-Z0-9_]+):kid=([a-zA-Z0-9._-]+):([A-Za-z0-9_-]+)\]$/;
-function deriveEncryptionKey(sharedKey) {
-    return crypto.createHash('sha256').update(sharedKey, 'utf8').digest();
-}
-function generateSharedSecretKey() {
-    return crypto.randomBytes(32).toString('base64url');
-}
-function isEncryptedSecretValue(value) {
-    return value.trim().startsWith(exports.ENCRYPTED_SECRET_PREFIX) && value.trim().endsWith(exports.ENCRYPTED_SECRET_SUFFIX);
-}
-function parseEncryptedSecretValue(value) {
-    const trimmed = value.trim();
-    const match = trimmed.match(encryptedSecretRegex);
-    if (!match) {
-        return {
-            ok: false,
-            error: `Invalid encrypted secret format. Expected: ENC[${exports.ENCRYPTED_SECRET_VERSION}:kid=<id>:<payload>]`
-        };
-    }
-    return {
-        ok: true,
-        parsed: {
-            version: match[1],
-            kid: match[2],
-            payload: match[3]
-        }
-    };
-}
-function encryptSecretValue(plaintext, sharedKey, kid) {
-    const key = deriveEncryptionKey(sharedKey);
-    const iv = crypto.randomBytes(12);
-    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
-    const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-    const authTag = cipher.getAuthTag();
-    const payload = Buffer.concat([iv, authTag, ciphertext]).toString('base64url');
-    return `ENC[${exports.ENCRYPTED_SECRET_VERSION}:kid=${kid}:${payload}]`;
-}
-function decryptSecretValue(encryptedValue, sharedKey) {
-    const parsedResult = parseEncryptedSecretValue(encryptedValue);
-    if (!parsedResult.ok) {
-        throw new Error(parsedResult.error);
-    }
-    const { version, payload } = parsedResult.parsed;
-    if (version !== exports.ENCRYPTED_SECRET_VERSION) {
-        throw new Error(`Unsupported encrypted secret version '${version}'. Expected '${exports.ENCRYPTED_SECRET_VERSION}'.`);
-    }
-    const raw = Buffer.from(payload, 'base64url');
-    if (raw.length < 28) {
-        throw new Error('Encrypted payload is too short.');
-    }
-    const iv = raw.subarray(0, 12);
-    const authTag = raw.subarray(12, 28);
-    const ciphertext = raw.subarray(28);
-    const key = deriveEncryptionKey(sharedKey);
-    const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
-    decipher.setAuthTag(authTag);
-    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-    return decrypted.toString('utf8');
-}
-//# sourceMappingURL=crypto.js.map

package/out/secrets/envFileSecrets.js

@@ -1,177 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.isNornenvFilePath = isNornenvFilePath;
-exports.isNornenvDocumentLike = isNornenvDocumentLike;
-exports.extractSecretLines = extractSecretLines;
-exports.updateSecretLineValue = updateSecretLineValue;
-exports.findSecretLine = findSecretLine;
-exports.loadSecretLine = loadSecretLine;
-exports.writeSecretLine = writeSecretLine;
-exports.discoverNornenvFiles = discoverNornenvFiles;
-const fs = __importStar(require("fs"));
-const path = __importStar(require("path"));
-const crypto_1 = require("./crypto");
-const envRegex = /^\s*\[env:([a-zA-Z_][a-zA-Z0-9_-]*)\]\s*$/;
-const secretConnectionStringRegex = /^(\s*secret\s+connectionString\s+)([a-zA-Z_][a-zA-Z0-9_]*)(\s*=\s*)(.+)$/;
-const secretRegex = /^(\s*secret\s+)([a-zA-Z_][a-zA-Z0-9_]*)(\s*=\s*)(.+)$/;
-function splitContentLines(content) {
-    return content.split(/\r?\n/);
-}
-function detectEol(content) {
-    return content.includes('\r\n') ? '\r\n' : '\n';
-}
-function isNornenvFilePath(filePath) {
-    return path.basename(filePath).toLowerCase() === '.nornenv';
-}
-function isNornenvDocumentLike(languageId, filePath) {
-    return languageId === 'nornenv' || (!!filePath && isNornenvFilePath(filePath));
-}
-function extractSecretLines(content, filePath) {
-    const lines = splitContentLines(content);
-    const secrets = [];
-    let currentEnv;
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#')) {
-            continue;
-        }
-        const envMatch = trimmed.match(envRegex);
-        if (envMatch) {
-            currentEnv = envMatch[1];
-            continue;
-        }
-        const secretConnectionStringMatch = line.match(secretConnectionStringRegex);
-        const secretMatch = line.match(secretRegex);
-        if (!secretConnectionStringMatch && !secretMatch) {
-            continue;
-        }
-        const secretName = secretConnectionStringMatch
-            ? `${secretConnectionStringMatch[2]}_connectionString`
-            : secretMatch[2];
-        const value = (secretConnectionStringMatch?.[4] ?? secretMatch[4]).trim();
-        const encrypted = (0, crypto_1.isEncryptedSecretValue)(value);
-        let kid;
-        if (encrypted) {
-            const parsed = (0, crypto_1.parseEncryptedSecretValue)(value);
-            if (parsed.ok) {
-                kid = parsed.parsed.kid;
-            }
-        }
-        secrets.push({
-            filePath,
-            lineNumber: i,
-            envName: currentEnv,
-            name: secretName,
-            value,
-            encrypted,
-            kid
-        });
-    }
-    return secrets;
-}
-function updateSecretLineValue(content, lineNumber, newValue) {
-    const lines = splitContentLines(content);
-    if (lineNumber < 0 || lineNumber >= lines.length) {
-        throw new Error(`Line ${lineNumber + 1} is out of range.`);
-    }
-    const line = lines[lineNumber];
-    const secretConnectionStringMatch = line.match(secretConnectionStringRegex);
-    const secretMatch = line.match(secretRegex);
-    if (!secretConnectionStringMatch && !secretMatch) {
-        throw new Error(`Line ${lineNumber + 1} is not a secret declaration.`);
-    }
-    if (secretConnectionStringMatch) {
-        lines[lineNumber] = `${secretConnectionStringMatch[1]}${secretConnectionStringMatch[2]}${secretConnectionStringMatch[3]}${newValue}`;
-    }
-    else {
-        lines[lineNumber] = `${secretMatch[1]}${secretMatch[2]}${secretMatch[3]}${newValue}`;
-    }
-    return lines.join(detectEol(content));
-}
-function findSecretLine(content, variableName, envName) {
-    const secretLines = extractSecretLines(content);
-    if (envName !== undefined) {
-        return secretLines.find(secret => secret.name === variableName && secret.envName === envName);
-    }
-    const commonMatch = secretLines.find(secret => secret.name === variableName && secret.envName === undefined);
-    if (commonMatch) {
-        return commonMatch;
-    }
-    return secretLines.find(secret => secret.name === variableName);
-}
-function loadSecretLine(filePath, variableName, envName) {
-    const content = fs.readFileSync(filePath, 'utf8');
-    const secret = findSecretLine(content, variableName, envName);
-    if (!secret) {
-        const envLabel = envName ? ` in [env:${envName}]` : '';
-        throw new Error(`Secret '${variableName}' not found${envLabel} in ${filePath}`);
-    }
-    return { content, secret };
-}
-function writeSecretLine(filePath, content) {
-    fs.writeFileSync(filePath, content, 'utf8');
-}
-function discoverNornenvFiles(targetPath) {
-    const resolved = path.resolve(targetPath);
-    if (!fs.existsSync(resolved)) {
-        return [];
-    }
-    const stats = fs.statSync(resolved);
-    if (stats.isFile()) {
-        return isNornenvFilePath(resolved) ? [resolved] : [];
-    }
-    const results = [];
-    const walk = (dir) => {
-        const entries = fs.readdirSync(dir, { withFileTypes: true });
-        for (const entry of entries) {
-            const fullPath = path.join(dir, entry.name);
-            if (entry.isDirectory()) {
-                if (entry.name === 'node_modules' || entry.name === '.git' || entry.name === 'dist' || entry.name === 'out') {
-                    continue;
-                }
-                walk(fullPath);
-                continue;
-            }
-            if (entry.isFile() && isNornenvFilePath(entry.name)) {
-                results.push(fullPath);
-            }
-        }
-    };
-    walk(resolved);
-    return results.sort();
-}
-//# sourceMappingURL=envFileSecrets.js.map