rest-safe-env 0.1.0

package/dist/cli.js

@@ -0,0 +1,1984 @@
+import { access, mkdir, readFile, rm, stat, writeFile } from "node:fs/promises";
+import path from "node:path";
+import { spawn } from "node:child_process";
+import { homedir } from "node:os";
+import { createCipheriv, createDecipheriv, createHash, createPublicKey, hkdfSync, randomBytes, timingSafeEqual, verify } from "node:crypto";
+import { createServer } from "node:http";
+import { fileURLToPath } from "node:url";
+const DEFAULT_UI_PORT = 47653;
+var MIN_PORT = 1024;
+var MAX_PORT = 65535;
+function getConfigDirPath() {
+	const overrideDir = process.env.RSE_CONFIG_DIR;
+	if (overrideDir) return path.resolve(overrideDir);
+	const home = homedir();
+	if (process.platform === "darwin") return path.join(home, "Library", "Application Support", "rest-safe-env");
+	if (process.platform === "win32") {
+		const appData = process.env.APPDATA;
+		if (appData) return path.join(appData, "rest-safe-env");
+		return path.join(home, "AppData", "Roaming", "rest-safe-env");
+	}
+	const xdgConfigHome = process.env.XDG_CONFIG_HOME;
+	if (xdgConfigHome) return path.join(xdgConfigHome, "rest-safe-env");
+	return path.join(home, ".config", "rest-safe-env");
+}
+function getConfigFilePath() {
+	return path.join(getConfigDirPath(), "config.json");
+}
+async function loadCliConfig() {
+	const configPath = getConfigFilePath();
+	try {
+		const raw = await readFile(configPath, "utf8");
+		const persistedPort = JSON.parse(raw).uiPort;
+		if (isValidPort(persistedPort)) return { uiPort: persistedPort };
+		return { uiPort: DEFAULT_UI_PORT };
+	} catch (error) {
+		if (isMissingFileError$1(error)) return { uiPort: DEFAULT_UI_PORT };
+		throw error;
+	}
+}
+async function setUiPort(uiPort) {
+	validatePort(uiPort);
+	const dirPath = getConfigDirPath();
+	const configPath = getConfigFilePath();
+	await mkdir(dirPath, { recursive: true });
+	await writeFile(configPath, JSON.stringify({ uiPort }, null, 2) + "\n", "utf8");
+	return { uiPort };
+}
+async function clearCliState() {
+	const configDir = getConfigDirPath();
+	await rm(configDir, {
+		recursive: true,
+		force: true
+	});
+	return configDir;
+}
+function parseAndValidatePort(value) {
+	const parsed = Number(value);
+	if (!Number.isInteger(parsed)) throw new Error(`Port must be an integer between ${MIN_PORT} and ${MAX_PORT}.`);
+	validatePort(parsed);
+	return parsed;
+}
+function validatePort(uiPort) {
+	if (!isValidPort(uiPort)) throw new Error(`Port must be between ${MIN_PORT} and ${MAX_PORT}.`);
+}
+function isValidPort(uiPort) {
+	return typeof uiPort === "number" && Number.isInteger(uiPort) && uiPort >= MIN_PORT && uiPort <= MAX_PORT;
+}
+function isMissingFileError$1(error) {
+	if (!(error instanceof Error)) return false;
+	return "code" in error && error.code === "ENOENT";
+}
+const ENCRYPTED_PREFIX = "enc:v1:";
+var PAIR_LINE_PATTERN = /^(\s*)([A-Za-z_][A-Za-z0-9_]*)(\s*)=(\s*)(.*)$/;
+var COMMENT_LINE_PATTERN = /^\s*#/;
+var BLANK_LINE_PATTERN = /^\s*$/;
+function parseEnvFile(content) {
+	const newline = content.includes("\r\n") ? "\r\n" : "\n";
+	const endsWithNewline = content.endsWith("\n");
+	const lines = content.split(/\r?\n/);
+	if (endsWithNewline) lines.pop();
+	return {
+		entries: lines.map(parseEnvLine),
+		newline,
+		endsWithNewline
+	};
+}
+function serializeEnvDocument(document) {
+	const body = document.entries.map(serializeEnvLine).join(document.newline);
+	if (document.endsWithNewline) return `${body}${document.newline}`;
+	return body;
+}
+function formatParsedEntriesForDebug(entries) {
+	const preview = entries.map((entry, index) => {
+		if (entry.type === "pair") return {
+			index,
+			type: entry.type,
+			key: entry.key,
+			rawValue: entry.rawValue,
+			encrypted: entry.encrypted
+		};
+		if (entry.type === "blank") return {
+			index,
+			type: entry.type
+		};
+		return {
+			index,
+			type: entry.type,
+			text: entry.text
+		};
+	});
+	return JSON.stringify(preview, null, 2);
+}
+function decodeEnvValue(rawValue) {
+	if (rawValue.length >= 2 && rawValue.startsWith("\"") && rawValue.endsWith("\"")) return decodeDoubleQuotedValue(rawValue.slice(1, -1));
+	if (rawValue.length >= 2 && rawValue.startsWith("'") && rawValue.endsWith("'")) return rawValue.slice(1, -1);
+	return rawValue;
+}
+function parseEnvLine(line) {
+	if (BLANK_LINE_PATTERN.test(line)) return {
+		type: "blank",
+		whitespace: line
+	};
+	if (COMMENT_LINE_PATTERN.test(line)) return {
+		type: "comment",
+		text: line
+	};
+	const pairMatch = line.match(PAIR_LINE_PATTERN);
+	if (!pairMatch) return {
+		type: "comment",
+		text: line
+	};
+	const [, leadingWhitespace, key, spacingBeforeEquals, spacingAfterEquals, rawValue] = pairMatch;
+	return {
+		type: "pair",
+		key,
+		rawValue,
+		leadingWhitespace,
+		spacingBeforeEquals,
+		spacingAfterEquals,
+		encrypted: rawValue.startsWith(ENCRYPTED_PREFIX)
+	};
+}
+function serializeEnvLine(entry) {
+	if (entry.type === "pair") return `${entry.leadingWhitespace}${entry.key}${entry.spacingBeforeEquals}=${entry.spacingAfterEquals}${entry.rawValue}`;
+	if (entry.type === "blank") return entry.whitespace;
+	return entry.text;
+}
+function decodeDoubleQuotedValue(value) {
+	let output = "";
+	for (let index = 0; index < value.length; index += 1) {
+		const current = value[index];
+		if (current !== "\\") {
+			output += current;
+			continue;
+		}
+		const next = value[index + 1];
+		if (next === void 0) {
+			output += "\\";
+			continue;
+		}
+		if (next === "n") {
+			output += "\n";
+			index += 1;
+			continue;
+		}
+		if (next === "r") {
+			output += "\r";
+			index += 1;
+			continue;
+		}
+		if (next === "t") {
+			output += "	";
+			index += 1;
+			continue;
+		}
+		if (next === "\"") {
+			output += "\"";
+			index += 1;
+			continue;
+		}
+		if (next === "\\") {
+			output += "\\";
+			index += 1;
+			continue;
+		}
+		output += `\\${next}`;
+		index += 1;
+	}
+	return output;
+}
+var ENCRYPTION_PAYLOAD_VERSION = 1;
+var ENCRYPTION_NONCE_LENGTH = 12;
+var ENCRYPTION_TAG_LENGTH = 16;
+function encryptEnvValue(value, keyName, masterKey) {
+	assertMasterKey(masterKey);
+	const nonce = randomBytes(ENCRYPTION_NONCE_LENGTH);
+	const aad = Buffer.from(`rse:v1:${keyName}`, "utf8");
+	const cipher = createCipheriv("aes-256-gcm", masterKey, nonce);
+	cipher.setAAD(aad);
+	const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+	const tag = cipher.getAuthTag();
+	if (tag.length !== ENCRYPTION_TAG_LENGTH) throw new Error("Invalid encryption tag length.");
+	return `${ENCRYPTED_PREFIX}${Buffer.concat([
+		Buffer.from([ENCRYPTION_PAYLOAD_VERSION]),
+		nonce,
+		ciphertext,
+		tag
+	]).toString("base64")}`;
+}
+function decryptEnvValue(rawValue, keyName, masterKey) {
+	assertMasterKey(masterKey);
+	if (!rawValue.startsWith("enc:v1:")) return rawValue;
+	const encodedPayload = rawValue.slice(7);
+	const payload = Buffer.from(encodedPayload, "base64");
+	if (payload.length < 1 + ENCRYPTION_NONCE_LENGTH + ENCRYPTION_TAG_LENGTH) throw new Error(`Invalid encrypted payload for key ${keyName}.`);
+	if (payload[0] !== ENCRYPTION_PAYLOAD_VERSION) throw new Error(`Unsupported encrypted payload version for key ${keyName}.`);
+	const nonceStart = 1;
+	const nonceEnd = nonceStart + ENCRYPTION_NONCE_LENGTH;
+	const tagStart = payload.length - ENCRYPTION_TAG_LENGTH;
+	const nonce = payload.subarray(nonceStart, nonceEnd);
+	const ciphertext = payload.subarray(nonceEnd, tagStart);
+	const tag = payload.subarray(tagStart);
+	const aad = Buffer.from(`rse:v1:${keyName}`, "utf8");
+	const decipher = createDecipheriv("aes-256-gcm", masterKey, nonce);
+	decipher.setAAD(aad);
+	decipher.setAuthTag(tag);
+	return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
+}
+function assertMasterKey(masterKey) {
+	if (masterKey.length !== 32) throw new Error("Invalid master key length.");
+}
+var CREDENTIAL_FILE_NAME = "credential.json";
+var WRAPPED_MASTER_KEY_FILE_NAME = "wrapped-master-key.json";
+var MASTER_KEY_LENGTH = 32;
+var WRAP_NONCE_LENGTH = 12;
+var WRAP_AAD = Buffer.from("rse:master-key-wrap:v1");
+var KEK_INFO = Buffer.from("rse:kek:v1");
+var PRF_SALT_TEXT = "rest-safe-env:master-key:v1";
+async function hasRegisteredCredentialMaterial() {
+	const [credentialExists, wrappedMasterKeyExists] = await Promise.all([fileExists(getCredentialFilePath()), fileExists(getWrappedMasterKeyFilePath())]);
+	return credentialExists && wrappedMasterKeyExists;
+}
+async function registerCredentialAndMasterKey(input) {
+	await ensureConfigDirectory();
+	const prfSalt = getPrfSaltBuffer();
+	const prfOutput = decodeBase64$1(input.prfOutput);
+	if (prfOutput.length === 0) throw new Error("Invalid prfOutput: empty value.");
+	const kek = deriveKek(prfOutput);
+	const masterKey = randomBytes(MASTER_KEY_LENGTH);
+	const wrapResult = wrapMasterKey(masterKey, kek);
+	const credentialRecord = {
+		version: 1,
+		credentialId: input.credentialId,
+		rpId: input.rpId,
+		publicKeySpki: input.publicKeySpki,
+		signCount: 0,
+		createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+		clientDataJSON: input.clientDataJSON,
+		attestationObject: input.attestationObject
+	};
+	const wrappedMasterKeyRecord = {
+		version: 1,
+		createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+		prfSalt: encodeBase64(prfSalt),
+		nonce: encodeBase64(wrapResult.nonce),
+		ciphertext: encodeBase64(wrapResult.ciphertext),
+		tag: encodeBase64(wrapResult.tag)
+	};
+	await Promise.all([writeFile(getCredentialFilePath(), JSON.stringify(credentialRecord, null, 2) + "\n", "utf8"), writeFile(getWrappedMasterKeyFilePath(), JSON.stringify(wrappedMasterKeyRecord, null, 2) + "\n", "utf8")]);
+	const masterKeyForCaller = Buffer.from(masterKey);
+	masterKey.fill(0);
+	return {
+		prfSalt: encodeBase64(prfSalt),
+		masterKey: masterKeyForCaller
+	};
+}
+function getPrfSaltBase64() {
+	return encodeBase64(getPrfSaltBuffer());
+}
+async function readCredentialSummary() {
+	const record = await readCredentialRecord();
+	if (!record) return null;
+	if (!record.publicKeySpki || typeof record.publicKeySpki !== "string") return null;
+	const signCount = Number.isInteger(record.signCount) ? record.signCount : 0;
+	return {
+		credentialId: record.credentialId,
+		rpId: record.rpId,
+		publicKeySpki: record.publicKeySpki,
+		signCount
+	};
+}
+async function updateCredentialSignCount(nextSignCount) {
+	const record = await readCredentialRecord();
+	if (!record) throw new Error("Credential record not found.");
+	record.signCount = nextSignCount;
+	await writeFile(getCredentialFilePath(), JSON.stringify(record, null, 2) + "\n", "utf8");
+}
+async function unwrapMasterKeyFromPrfOutput(prfOutputBase64) {
+	const wrappedRecord = await readWrappedMasterKeyRecord();
+	const prfOutput = decodeBase64$1(prfOutputBase64);
+	if (prfOutput.length === 0) throw new Error("Invalid prfOutput: empty value.");
+	const kek = deriveKek(prfOutput);
+	const nonce = decodeBase64$1(wrappedRecord.nonce);
+	const ciphertext = decodeBase64$1(wrappedRecord.ciphertext);
+	const tag = decodeBase64$1(wrappedRecord.tag);
+	const decipher = createDecipheriv("aes-256-gcm", kek, nonce);
+	decipher.setAAD(WRAP_AAD);
+	decipher.setAuthTag(tag);
+	const masterKey = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+	if (masterKey.length !== MASTER_KEY_LENGTH) throw new Error("Invalid unwrapped master key length.");
+	return masterKey;
+}
+async function ensureConfigDirectory() {
+	await mkdir(getConfigDirPath(), { recursive: true });
+}
+function getCredentialFilePath() {
+	return path.join(getConfigDirPath(), CREDENTIAL_FILE_NAME);
+}
+function getWrappedMasterKeyFilePath() {
+	return path.join(getConfigDirPath(), WRAPPED_MASTER_KEY_FILE_NAME);
+}
+function deriveKek(prfOutput) {
+	const derived = hkdfSync("sha256", prfOutput, Buffer.alloc(0), KEK_INFO, MASTER_KEY_LENGTH);
+	return Buffer.from(derived);
+}
+function wrapMasterKey(masterKey, kek) {
+	const nonce = randomBytes(WRAP_NONCE_LENGTH);
+	const cipher = createCipheriv("aes-256-gcm", kek, nonce);
+	cipher.setAAD(WRAP_AAD);
+	return {
+		nonce,
+		ciphertext: Buffer.concat([cipher.update(masterKey), cipher.final()]),
+		tag: cipher.getAuthTag()
+	};
+}
+function getPrfSaltBuffer() {
+	return createHash("sha256").update(PRF_SALT_TEXT, "utf8").digest();
+}
+function encodeBase64(value) {
+	return value.toString("base64");
+}
+function decodeBase64$1(value) {
+	return Buffer.from(value, "base64");
+}
+async function fileExists(filePath) {
+	try {
+		await access(filePath);
+		return true;
+	} catch {
+		return false;
+	}
+}
+async function readCredentialRecord() {
+	try {
+		const raw = await readFile(getCredentialFilePath(), "utf8");
+		return JSON.parse(raw);
+	} catch (error) {
+		if (isMissingFileError(error)) return null;
+		throw error;
+	}
+}
+async function readWrappedMasterKeyRecord() {
+	const raw = await readFile(getWrappedMasterKeyFilePath(), "utf8");
+	return JSON.parse(raw);
+}
+function isMissingFileError(error) {
+	return error instanceof Error && "code" in error && error.code === "ENOENT";
+}
+var SessionApiError = class extends Error {
+	constructor(statusCode, errorCode, message) {
+		super(message);
+		this.statusCode = statusCode;
+		this.errorCode = errorCode;
+	}
+};
+var DEFAULT_CONNECT_TIMEOUT_MS = 6e4;
+var LOOPBACK_BIND_HOST = "127.0.0.1";
+var WEBAUTHN_RP_HOST = "localhost";
+var SESSION_HEARTBEAT_TIMEOUT_MS = 3e3;
+var SESSION_HEARTBEAT_CHECK_INTERVAL_MS = 1500;
+var SESSION_STREAM_DISCONNECT_GRACE_MS = 750;
+var SESSION_STREAM_KEEPALIVE_MS = 1e3;
+async function startUiSession(options) {
+	const timeoutMs = options.timeoutMs ?? DEFAULT_CONNECT_TIMEOUT_MS;
+	const sessionId = randomBytes(16).toString("hex");
+	const token = randomBytes(16).toString("hex");
+	const pageHtml = await loadSessionHtml(options.mode);
+	const hasCredentialMaterial = await hasRegisteredCredentialMaterial();
+	const viewState = options.mode === "view" || options.mode === "import" ? {
+		envFilePath: options.envFilePath,
+		document: createInitialDocument(options.envFileContent)
+	} : null;
+	const runState = options.mode === "run" ? {
+		commandDisplay: options.commandDisplay,
+		envFilePath: options.envFilePath,
+		encryptedEntryCount: options.encryptedEntryCount,
+		requiresUnlock: options.encryptedEntryCount > 0,
+		decided: false
+	} : null;
+	let markConnected = () => {};
+	const connectedPromise = new Promise((resolve) => {
+		markConnected = resolve;
+	});
+	let markSessionDone = () => {};
+	const sessionDonePromise = new Promise((resolve) => {
+		markSessionDone = resolve;
+	});
+	let resolveRunDecision = null;
+	const runDecisionPromise = options.mode === "run" ? new Promise((resolve) => {
+		resolveRunDecision = resolve;
+	}) : null;
+	let sessionCompleted = false;
+	const context = {
+		mode: options.mode,
+		port: options.port,
+		token,
+		sessionId,
+		pageHtml,
+		onConnected: markConnected,
+		onSessionComplete: () => {
+			if (sessionCompleted) return;
+			sessionCompleted = true;
+			context.sessionCompleted = true;
+			markSessionDone();
+		},
+		onRunDecision: resolveRunDecision,
+		viewState,
+		runState,
+		pendingRegistration: null,
+		pendingUnlock: null,
+		hasRegisteredCredentialMaterial: hasCredentialMaterial,
+		unlockedMasterKey: null,
+		connected: false,
+		lastHeartbeatAt: null,
+		activeStreamCount: 0,
+		disconnectTimer: null,
+		sessionCompleted: false
+	};
+	const server = createServer((request, response) => {
+		handleRequest(request, response, context);
+	});
+	const heartbeatMonitor = setInterval(() => {
+		if (!context.connected || context.sessionCompleted || context.lastHeartbeatAt === null || context.activeStreamCount > 0) return;
+		if (Date.now() - context.lastHeartbeatAt > SESSION_HEARTBEAT_TIMEOUT_MS) completeSessionFromWindowClose(context);
+	}, SESSION_HEARTBEAT_CHECK_INTERVAL_MS);
+	try {
+		await listenOnFixedPort(server, options.port);
+		const url = `http://${WEBAUTHN_RP_HOST}:${options.port}/?session=${sessionId}&token=${token}&mode=${options.mode}`;
+		console.log(`[rse] open this URL if browser did not launch automatically: ${url}`);
+		await openBrowser(url);
+		await waitForConnection(connectedPromise, timeoutMs);
+		if (options.mode !== "run") {
+			await sessionDonePromise;
+			return { mode: options.mode };
+		}
+		const approved = await (runDecisionPromise ?? Promise.resolve(false));
+		await sessionDonePromise;
+		const masterKeyForCaller = context.unlockedMasterKey ? Buffer.from(context.unlockedMasterKey) : null;
+		wipeMasterKey$1(context.unlockedMasterKey);
+		context.unlockedMasterKey = null;
+		return {
+			mode: "run",
+			approved,
+			unlockedMasterKey: masterKeyForCaller
+		};
+	} finally {
+		clearInterval(heartbeatMonitor);
+		if (context.disconnectTimer) {
+			clearTimeout(context.disconnectTimer);
+			context.disconnectTimer = null;
+		}
+		wipeMasterKey$1(context.unlockedMasterKey);
+		context.unlockedMasterKey = null;
+		await closeServer(server);
+	}
+}
+async function loadSessionHtml(mode) {
+	const distHtmlPath = path.resolve(getCliDistDirPath(), "session.html");
+	try {
+		return await readFile(distHtmlPath, "utf8");
+	} catch (error) {
+		if (isFileNotFoundError$1(error)) return renderFallbackPage(mode);
+		throw error;
+	}
+}
+function getCliDistDirPath() {
+	const cliFilePath = fileURLToPath(import.meta.url);
+	return path.dirname(cliFilePath);
+}
+async function tryServeStaticDistAsset(pathname, response) {
+	const decodedPath = decodeURIComponent(pathname);
+	if (!decodedPath.startsWith("/")) return false;
+	const relativePath = decodedPath.slice(1);
+	if (!relativePath || relativePath.includes("\0")) return false;
+	const distDirPath = getCliDistDirPath();
+	const candidatePath = path.resolve(distDirPath, relativePath);
+	const normalizedDistPrefix = `${distDirPath}${path.sep}`;
+	if (!candidatePath.startsWith(normalizedDistPrefix)) return false;
+	try {
+		const content = await readFile(candidatePath);
+		response.writeHead(200, { "Content-Type": getContentTypeForPath(candidatePath) });
+		response.end(content);
+		return true;
+	} catch (error) {
+		if (isFileNotFoundError$1(error)) return false;
+		throw error;
+	}
+}
+function getContentTypeForPath(filePath) {
+	const extension = path.extname(filePath).toLowerCase();
+	if (extension === ".js" || extension === ".mjs") return "text/javascript; charset=utf-8";
+	if (extension === ".css") return "text/css; charset=utf-8";
+	if (extension === ".svg") return "image/svg+xml";
+	if (extension === ".json") return "application/json; charset=utf-8";
+	if (extension === ".html") return "text/html; charset=utf-8";
+	return "application/octet-stream";
+}
+function renderFallbackPage(mode) {
+	return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>rest-safe-env</title>
+</head>
+<body>
+  <main style="font-family: ui-sans-serif, system-ui, sans-serif; padding: 2rem;">
+    <h1>rest-safe-env</h1>
+    <p>mode: ${escapeHtml(mode)}</p>
+    <p>Built UI not found. Run <code>yarn build</code> and retry.</p>
+  </main>
+</body>
+</html>`;
+}
+async function listenOnFixedPort(server, port) {
+	await new Promise((resolve, reject) => {
+		const onError = (error) => {
+			server.off("listening", onListening);
+			reject(error);
+		};
+		const onListening = () => {
+			server.off("error", onError);
+			resolve();
+		};
+		server.once("error", onError);
+		server.once("listening", onListening);
+		server.listen(port, LOOPBACK_BIND_HOST);
+	}).catch((error) => {
+		if (isAddressInUseError(error)) throw new Error(`Configured UI port ${port} is already in use. Set a new one with: rse config port <newPort>.`);
+		throw error;
+	});
+}
+async function handleRequest(request, response, context) {
+	const host = request.headers.host ?? WEBAUTHN_RP_HOST;
+	const url = new URL(request.url ?? "/", `http://${host}`);
+	if (url.pathname === "/api/health") {
+		handleHealthRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/session/ping") {
+		handleSessionPingRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/session/closed") {
+		handleSessionClosedRequest(request, response, context, url);
+		return;
+	}
+	if (url.pathname === "/api/session/stream") {
+		handleSessionStreamRequest(request, response, context, url);
+		return;
+	}
+	if (url.pathname === "/api/env") {
+		await handleEnvRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/env/decrypt") {
+		await handleDecryptEnvRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/share/snapshot") {
+		await handleShareSnapshotRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/register/request") {
+		handleRegisterRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/register/response") {
+		await handleRegisterResponse(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/unlock/request") {
+		await handleUnlockRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/unlock/response") {
+		await handleUnlockResponse(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/run/context") {
+		handleRunContextRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/run/approve") {
+		handleRunApproveRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/api/run/deny") {
+		handleRunDenyRequest(request, response, context);
+		return;
+	}
+	if (url.pathname === "/") {
+		const session = url.searchParams.get("session");
+		const token = url.searchParams.get("token");
+		const mode = url.searchParams.get("mode");
+		if (session !== context.sessionId || token !== context.token || mode !== context.mode) {
+			respondJson(response, 403, {
+				ok: false,
+				error: "forbidden"
+			});
+			return;
+		}
+		response.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+		response.end(context.pageHtml);
+		return;
+	}
+	if (url.pathname === "/favicon.ico") {
+		response.writeHead(204);
+		response.end();
+		return;
+	}
+	if (request.method === "GET") {
+		if (await tryServeStaticDistAsset(url.pathname, response)) return;
+	}
+	respondJson(response, 404, {
+		ok: false,
+		error: "not_found"
+	});
+}
+function handleHealthRequest(request, response, context) {
+	if (request.method !== "GET") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	markSessionConnected(context);
+	respondJson(response, 200, { ok: true });
+}
+function handleSessionPingRequest(request, response, context) {
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	markSessionConnected(context);
+	respondJson(response, 200, { ok: true });
+}
+function handleSessionStreamRequest(request, response, context, url) {
+	if (request.method !== "GET") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (url.searchParams.get("token") !== context.token) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	response.writeHead(200, {
+		"Content-Type": "text/event-stream; charset=utf-8",
+		"Cache-Control": "no-cache, no-transform",
+		Connection: "keep-alive"
+	});
+	response.flushHeaders();
+	response.write("event: connected\ndata: ok\n\n");
+	markSessionConnected(context);
+	context.activeStreamCount += 1;
+	request.socket.setNoDelay(true);
+	const keepAliveId = setInterval(() => {
+		if (!response.writableEnded && !response.destroyed) response.write(": keepalive\n\n");
+	}, SESSION_STREAM_KEEPALIVE_MS);
+	let closed = false;
+	const onClose = () => {
+		if (closed) return;
+		closed = true;
+		clearInterval(keepAliveId);
+		context.activeStreamCount = Math.max(0, context.activeStreamCount - 1);
+		scheduleDisconnectCheck(context);
+	};
+	response.on("close", onClose);
+	response.on("error", onClose);
+	request.on("close", onClose);
+	request.socket.on("close", onClose);
+	request.socket.on("end", onClose);
+}
+function handleSessionClosedRequest(request, response, context, url) {
+	if (request.method !== "POST" && request.method !== "GET") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	const tokenFromQuery = url.searchParams.get("token");
+	if (!hasValidToken(request, context.token) && tokenFromQuery !== context.token) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	completeSessionFromWindowClose(context);
+	respondJson(response, 200, { ok: true });
+}
+function markSessionConnected(context) {
+	if (context.disconnectTimer) {
+		clearTimeout(context.disconnectTimer);
+		context.disconnectTimer = null;
+	}
+	context.connected = true;
+	context.lastHeartbeatAt = Date.now();
+	context.onConnected();
+}
+function scheduleDisconnectCheck(context) {
+	if (context.sessionCompleted || context.activeStreamCount > 0) return;
+	if (context.disconnectTimer) clearTimeout(context.disconnectTimer);
+	context.disconnectTimer = setTimeout(() => {
+		context.disconnectTimer = null;
+		if (context.activeStreamCount > 0 || context.sessionCompleted) return;
+		completeSessionFromWindowClose(context);
+	}, SESSION_STREAM_DISCONNECT_GRACE_MS);
+}
+async function handleEnvRequest(request, response, context) {
+	if (context.mode !== "view" && context.mode !== "import" || !context.viewState) {
+		respondJson(response, 404, {
+			ok: false,
+			error: "not_found"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	if (request.method === "GET") {
+		respondJson(response, 200, { entries: toApiEntries(context.viewState.document) });
+		return;
+	}
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	try {
+		const payload = await readJsonBody(request);
+		if (!payload || !Array.isArray(payload.entries)) {
+			respondJson(response, 400, {
+				ok: false,
+				error: "invalid_payload"
+			});
+			return;
+		}
+		context.viewState.document = applyEditableEntries(context.viewState.document, payload.entries, context.hasRegisteredCredentialMaterial, context.unlockedMasterKey);
+		const output = serializeEnvDocument(context.viewState.document);
+		await writeFile(context.viewState.envFilePath, output, "utf8");
+		wipeMasterKey$1(context.unlockedMasterKey);
+		context.unlockedMasterKey = null;
+		respondJson(response, 200, { ok: true });
+		context.onSessionComplete();
+		return;
+	} catch (error) {
+		if (error instanceof SessionApiError) {
+			respondJson(response, error.statusCode, {
+				ok: false,
+				error: error.errorCode,
+				message: error.message
+			});
+			return;
+		}
+		respondJson(response, 400, {
+			ok: false,
+			error: "save_failed",
+			message: error instanceof Error ? error.message : "failed_to_save"
+		});
+	}
+}
+async function handleDecryptEnvRequest(request, response, context) {
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (context.mode !== "view" || !context.viewState) {
+		respondJson(response, 404, {
+			ok: false,
+			error: "not_found"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	if (!context.hasRegisteredCredentialMaterial) {
+		respondJson(response, 409, {
+			ok: false,
+			error: "registration_required",
+			message: "WebAuthn registration is required before decrypting values."
+		});
+		return;
+	}
+	if (!context.unlockedMasterKey) {
+		respondJson(response, 409, {
+			ok: false,
+			error: "unlock_required",
+			message: "Unlock required before decrypting values."
+		});
+		return;
+	}
+	try {
+		const payload = await readJsonBody(request);
+		if (!payload || !Number.isInteger(payload.sourceIndex) || payload.sourceIndex < 0 || typeof payload.key !== "string" || payload.key.length === 0) throw new SessionApiError(400, "invalid_payload", "sourceIndex and key are required.");
+		const sourceEntry = context.viewState.document.entries[payload.sourceIndex];
+		if (!sourceEntry || sourceEntry.type !== "pair" || sourceEntry.key !== payload.key || !sourceEntry.rawValue.startsWith("enc:v1:")) throw new SessionApiError(404, "entry_not_found", "Encrypted entry was not found.");
+		respondJson(response, 200, { value: decryptEnvValue(sourceEntry.rawValue, sourceEntry.key, context.unlockedMasterKey) });
+	} catch (error) {
+		if (error instanceof SessionApiError) {
+			respondJson(response, error.statusCode, {
+				ok: false,
+				error: error.errorCode,
+				message: error.message
+			});
+			return;
+		}
+		respondJson(response, 400, {
+			ok: false,
+			error: "decrypt_failed",
+			message: error instanceof Error ? error.message : "decrypt_failed"
+		});
+	}
+}
+async function handleShareSnapshotRequest(request, response, context) {
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (context.mode !== "view" || !context.viewState) {
+		respondJson(response, 404, {
+			ok: false,
+			error: "not_found"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	try {
+		respondJson(response, 200, { entries: buildShareSnapshotEntries(context.viewState.document, context.hasRegisteredCredentialMaterial, context.unlockedMasterKey) });
+	} catch (error) {
+		if (error instanceof SessionApiError) {
+			respondJson(response, error.statusCode, {
+				ok: false,
+				error: error.errorCode,
+				message: error.message
+			});
+			return;
+		}
+		respondJson(response, 400, {
+			ok: false,
+			error: "share_snapshot_failed",
+			message: error instanceof Error ? error.message : "share_snapshot_failed"
+		});
+	}
+}
+function handleRegisterRequest(request, response, context) {
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (context.mode !== "view" && context.mode !== "import") {
+		respondJson(response, 404, {
+			ok: false,
+			error: "not_found"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	if (context.hasRegisteredCredentialMaterial) {
+		respondJson(response, 200, {
+			ok: true,
+			alreadyRegistered: true
+		});
+		return;
+	}
+	const challenge = randomBytes(32);
+	const userId = randomBytes(16);
+	const rpId = WEBAUTHN_RP_HOST;
+	context.pendingRegistration = {
+		challenge,
+		rpId,
+		expectedOrigin: `http://${WEBAUTHN_RP_HOST}:${context.port}`,
+		expiresAt: Date.now() + 6e4
+	};
+	respondJson(response, 200, {
+		challenge: challenge.toString("base64"),
+		rpId,
+		user: {
+			id: userId.toString("base64"),
+			name: "local-user"
+		},
+		prfSalt: getPrfSaltBase64()
+	});
+}
+async function handleRegisterResponse(request, response, context) {
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (context.mode !== "view" && context.mode !== "import") {
+		respondJson(response, 404, {
+			ok: false,
+			error: "not_found"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	if (!context.pendingRegistration) {
+		respondJson(response, 400, {
+			ok: false,
+			error: "registration_not_requested"
+		});
+		return;
+	}
+	try {
+		const payload = await readJsonBody(request);
+		validateRegisterResponsePayload(payload);
+		if (Date.now() > context.pendingRegistration.expiresAt) {
+			context.pendingRegistration = null;
+			throw new SessionApiError(400, "registration_expired", "Registration request expired.");
+		}
+		const clientData = parseClientData(payload.clientDataJSON);
+		const expectedChallenge = toBase64Url(context.pendingRegistration.challenge);
+		if (clientData.challenge !== expectedChallenge) throw new SessionApiError(400, "invalid_registration_challenge", "Registration challenge mismatch.");
+		if (clientData.type !== "webauthn.create") throw new SessionApiError(400, "invalid_registration_type", "Unexpected WebAuthn clientData type.");
+		if (clientData.origin !== context.pendingRegistration.expectedOrigin) throw new SessionApiError(400, "invalid_registration_origin", "Unexpected registration origin.");
+		const registrationResult = await registerCredentialAndMasterKey({
+			credentialId: payload.id,
+			rpId: context.pendingRegistration.rpId,
+			publicKeySpki: payload.publicKeySpki,
+			clientDataJSON: payload.clientDataJSON,
+			attestationObject: payload.attestationObject,
+			prfOutput: payload.prfOutput
+		});
+		context.hasRegisteredCredentialMaterial = true;
+		context.unlockedMasterKey = registrationResult.masterKey;
+		context.pendingRegistration = null;
+		respondJson(response, 200, { ok: true });
+	} catch (error) {
+		context.pendingRegistration = null;
+		if (error instanceof SessionApiError) {
+			respondJson(response, error.statusCode, {
+				ok: false,
+				error: error.errorCode,
+				message: error.message
+			});
+			return;
+		}
+		respondJson(response, 400, {
+			ok: false,
+			error: "registration_failed",
+			message: error instanceof Error ? error.message : "registration_failed"
+		});
+	}
+}
+async function handleUnlockRequest(request, response, context) {
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	if (context.unlockedMasterKey) {
+		respondJson(response, 200, {
+			ok: true,
+			alreadyUnlocked: true
+		});
+		return;
+	}
+	if (!context.hasRegisteredCredentialMaterial) {
+		respondJson(response, 409, {
+			ok: false,
+			error: "registration_required",
+			message: "WebAuthn registration is required before unlock."
+		});
+		return;
+	}
+	const credential = await readCredentialSummary();
+	if (!credential) {
+		respondJson(response, 409, {
+			ok: false,
+			error: "registration_required",
+			message: "Credential material missing. Run registration again."
+		});
+		return;
+	}
+	const challenge = randomBytes(32);
+	const expectedOrigin = `http://${WEBAUTHN_RP_HOST}:${context.port}`;
+	context.pendingUnlock = {
+		challenge,
+		expiresAt: Date.now() + 6e4,
+		rpId: credential.rpId,
+		expectedOrigin,
+		credentialId: credential.credentialId
+	};
+	respondJson(response, 200, {
+		challenge: challenge.toString("base64"),
+		credentialId: credential.credentialId,
+		rpId: credential.rpId,
+		timeoutMs: 6e4,
+		prfSalt: getPrfSaltBase64()
+	});
+}
+async function handleUnlockResponse(request, response, context) {
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	if (!context.pendingUnlock) {
+		respondJson(response, 400, {
+			ok: false,
+			error: "unlock_not_requested"
+		});
+		return;
+	}
+	try {
+		const payload = await readJsonBody(request);
+		validateUnlockResponsePayload(payload);
+		if (Date.now() > context.pendingUnlock.expiresAt) {
+			context.pendingUnlock = null;
+			throw new SessionApiError(400, "unlock_expired", "Unlock request expired.");
+		}
+		if (payload.id !== context.pendingUnlock.credentialId) throw new SessionApiError(400, "invalid_unlock_credential", "Credential mismatch for unlock.");
+		const clientData = parseClientData(payload.clientDataJSON);
+		const expectedChallenge = toBase64Url(context.pendingUnlock.challenge);
+		if (clientData.challenge !== expectedChallenge) throw new SessionApiError(400, "invalid_unlock_challenge", "Unlock challenge mismatch.");
+		if (clientData.type !== "webauthn.get") throw new SessionApiError(400, "invalid_unlock_type", "Unexpected WebAuthn clientData type.");
+		if (clientData.origin !== context.pendingUnlock.expectedOrigin) throw new SessionApiError(400, "invalid_unlock_origin", "Unexpected unlock origin.");
+		const credential = await readCredentialSummary();
+		if (!credential) throw new SessionApiError(400, "credential_not_found", "Credential material not found.");
+		if (credential.credentialId !== context.pendingUnlock.credentialId) throw new SessionApiError(400, "invalid_unlock_credential", "Credential mismatch for unlock.");
+		const authenticatorData = decodeBase64(payload.authenticatorData);
+		const signCount = verifyAuthenticatorData(authenticatorData, credential.rpId);
+		if (!verifyWebAuthnAssertionSignature(credential.publicKeySpki, authenticatorData, payload.clientDataJSON, payload.signature)) throw new SessionApiError(400, "invalid_unlock_signature", "Assertion signature verification failed.");
+		if (credential.signCount > 0 && signCount > 0 && signCount <= credential.signCount) throw new SessionApiError(400, "sign_count_regression", "Authenticator sign counter did not increase; possible cloned credential.");
+		if (signCount > credential.signCount) await updateCredentialSignCount(signCount);
+		context.unlockedMasterKey = await unwrapMasterKeyFromPrfOutput(payload.prfOutput);
+		context.pendingUnlock = null;
+		respondJson(response, 200, { ok: true });
+	} catch (error) {
+		context.pendingUnlock = null;
+		if (error instanceof SessionApiError) {
+			respondJson(response, error.statusCode, {
+				ok: false,
+				error: error.errorCode,
+				message: error.message
+			});
+			return;
+		}
+		respondJson(response, 400, {
+			ok: false,
+			error: "unlock_failed",
+			message: error instanceof Error ? error.message : "unlock_failed"
+		});
+	}
+}
+function handleRunContextRequest(request, response, context) {
+	if (request.method !== "GET") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (context.mode !== "run" || !context.runState) {
+		respondJson(response, 404, {
+			ok: false,
+			error: "not_found"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	respondJson(response, 200, {
+		command: context.runState.commandDisplay,
+		envFilePath: context.runState.envFilePath,
+		encryptedEntryCount: context.runState.encryptedEntryCount,
+		requiresUnlock: context.runState.requiresUnlock
+	});
+}
+function handleRunApproveRequest(request, response, context) {
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (context.mode !== "run" || !context.runState) {
+		respondJson(response, 404, {
+			ok: false,
+			error: "not_found"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	if (context.runState.decided) {
+		respondJson(response, 409, {
+			ok: false,
+			error: "already_decided"
+		});
+		return;
+	}
+	if (context.runState.requiresUnlock && !context.unlockedMasterKey) {
+		respondJson(response, 409, {
+			ok: false,
+			error: "unlock_required",
+			message: "Unlock is required before approving this run."
+		});
+		return;
+	}
+	context.runState.decided = true;
+	context.onRunDecision?.(true);
+	context.onSessionComplete();
+	respondJson(response, 200, { approved: true });
+}
+function handleRunDenyRequest(request, response, context) {
+	if (request.method !== "POST") {
+		respondJson(response, 405, {
+			ok: false,
+			error: "method_not_allowed"
+		});
+		return;
+	}
+	if (context.mode !== "run" || !context.runState) {
+		respondJson(response, 404, {
+			ok: false,
+			error: "not_found"
+		});
+		return;
+	}
+	if (!hasValidToken(request, context.token)) {
+		respondJson(response, 403, {
+			ok: false,
+			error: "forbidden"
+		});
+		return;
+	}
+	if (!context.runState.decided) {
+		context.runState.decided = true;
+		context.onRunDecision?.(false);
+		context.onSessionComplete();
+	}
+	respondJson(response, 200, { approved: false });
+}
+function toApiEntries(document) {
+	return document.entries.map((entry) => {
+		if (entry.type === "blank") return { type: "blank" };
+		if (entry.type === "comment") return {
+			type: "comment",
+			text: entry.text
+		};
+		if (entry.rawValue.startsWith("enc:v1:")) return {
+			type: "pair",
+			key: entry.key,
+			value: { kind: "encrypted" }
+		};
+		return {
+			type: "pair",
+			key: entry.key,
+			value: {
+				kind: "plain",
+				value: decodeEnvValue(entry.rawValue)
+			}
+		};
+	});
+}
+function buildShareSnapshotEntries(document, hasCredentialMaterial, unlockedMasterKey) {
+	return document.entries.map((entry) => {
+		if (entry.type === "blank") return { type: "blank" };
+		if (entry.type === "comment") return {
+			type: "comment",
+			text: entry.text
+		};
+		if (!entry.rawValue.startsWith("enc:v1:")) return {
+			type: "pair",
+			key: entry.key,
+			value: decodeEnvValue(entry.rawValue),
+			encrypt: false
+		};
+		if (!hasCredentialMaterial) throw new SessionApiError(409, "registration_required", "WebAuthn registration is required before sharing encrypted values.");
+		if (!unlockedMasterKey) throw new SessionApiError(409, "unlock_required", "Unlock required before sharing encrypted values.");
+		return {
+			type: "pair",
+			key: entry.key,
+			value: decryptEnvValue(entry.rawValue, entry.key, unlockedMasterKey),
+			encrypt: true
+		};
+	});
+}
+function applyEditableEntries(document, entries, hasCredentialMaterial, unlockedMasterKey) {
+	const nextEntries = entries.map((entry, index) => {
+		if (entry.type === "blank") return {
+			type: "blank",
+			whitespace: ""
+		};
+		if (entry.type === "comment") return {
+			type: "comment",
+			text: entry.text
+		};
+		if (entry.encrypt) {
+			const sourceIndex$1 = Number.isInteger(entry.sourceIndex) && (entry.sourceIndex ?? -1) >= 0 ? entry.sourceIndex : index;
+			const previousEntry$1 = document.entries[sourceIndex$1];
+			if (entry.preserveEncrypted === true && previousEntry$1 && previousEntry$1.type === "pair" && previousEntry$1.key === entry.key && previousEntry$1.rawValue.startsWith("enc:v1:")) return {
+				type: "pair",
+				key: entry.key,
+				rawValue: previousEntry$1.rawValue,
+				leadingWhitespace: "",
+				spacingBeforeEquals: "",
+				spacingAfterEquals: "",
+				encrypted: true
+			};
+			if (!hasCredentialMaterial) throw new SessionApiError(409, "registration_required", "WebAuthn registration is required before encrypting values.");
+			if (!unlockedMasterKey) throw new SessionApiError(409, "unlock_required", "Unlock required before encrypting values.");
+			return {
+				type: "pair",
+				key: entry.key,
+				rawValue: encryptEnvValue(decodeEnvValue(entry.value), entry.key, unlockedMasterKey),
+				leadingWhitespace: "",
+				spacingBeforeEquals: "",
+				spacingAfterEquals: "",
+				encrypted: true
+			};
+		}
+		const sourceIndex = Number.isInteger(entry.sourceIndex) && (entry.sourceIndex ?? -1) >= 0 ? entry.sourceIndex : index;
+		const previousEntry = document.entries[sourceIndex];
+		const canPreservePlainRaw = entry.preservePlainRaw === true && previousEntry && previousEntry.type === "pair" && previousEntry.key === entry.key && !previousEntry.rawValue.startsWith("enc:v1:");
+		return {
+			type: "pair",
+			key: entry.key,
+			rawValue: canPreservePlainRaw ? previousEntry.rawValue : entry.value,
+			leadingWhitespace: "",
+			spacingBeforeEquals: "",
+			spacingAfterEquals: "",
+			encrypted: false
+		};
+	});
+	return {
+		...document,
+		entries: nextEntries
+	};
+}
+function hasValidToken(request, expectedToken) {
+	const tokenHeader = request.headers["x-rse-token"];
+	if (typeof tokenHeader !== "string") return false;
+	return tokenHeader === expectedToken;
+}
+async function readJsonBody(request) {
+	const chunks = [];
+	await new Promise((resolve, reject) => {
+		request.on("data", (chunk) => {
+			chunks.push(chunk);
+		});
+		request.on("end", () => resolve());
+		request.on("error", reject);
+	});
+	const text = Buffer.concat(chunks).toString("utf8");
+	return JSON.parse(text);
+}
+function respondJson(response, statusCode, body) {
+	response.writeHead(statusCode, { "Content-Type": "application/json; charset=utf-8" });
+	response.end(JSON.stringify(body));
+}
+async function openBrowser(url) {
+	if (process.env.RSE_SKIP_BROWSER_OPEN === "1") return;
+	const launchCommands = buildBrowserLaunchCommands(url);
+	for (const launchCommand of launchCommands) if (await tryLaunchDetachedProcess(launchCommand.cmd, launchCommand.args)) return;
+	throw new Error("Failed to launch browser.");
+}
+function buildBrowserLaunchCommands(url) {
+	if (process.platform === "darwin") return [
+		{
+			cmd: "open",
+			args: [
+				"-na",
+				"Google Chrome",
+				"--args",
+				`--app=${url}`
+			]
+		},
+		{
+			cmd: "open",
+			args: [
+				"-na",
+				"Microsoft Edge",
+				"--args",
+				`--app=${url}`
+			]
+		},
+		{
+			cmd: "open",
+			args: [
+				"-na",
+				"Brave Browser",
+				"--args",
+				`--app=${url}`
+			]
+		},
+		{
+			cmd: "open",
+			args: [
+				"-na",
+				"Google Chrome",
+				"--args",
+				"--new-window",
+				url
+			]
+		},
+		{
+			cmd: "open",
+			args: [
+				"-na",
+				"Microsoft Edge",
+				"--args",
+				"--new-window",
+				url
+			]
+		},
+		{
+			cmd: "open",
+			args: [
+				"-na",
+				"Brave Browser",
+				"--args",
+				"--new-window",
+				url
+			]
+		},
+		{
+			cmd: "open",
+			args: [
+				"-na",
+				"Firefox",
+				"--args",
+				"-new-window",
+				url
+			]
+		},
+		{
+			cmd: "open",
+			args: [
+				"-na",
+				"Safari",
+				url
+			]
+		},
+		{
+			cmd: "open",
+			args: [url]
+		}
+	];
+	if (process.platform === "win32") return [
+		{
+			cmd: "cmd",
+			args: [
+				"/c",
+				"start",
+				"",
+				"chrome",
+				`--app=${url}`
+			]
+		},
+		{
+			cmd: "cmd",
+			args: [
+				"/c",
+				"start",
+				"",
+				"msedge",
+				`--app=${url}`
+			]
+		},
+		{
+			cmd: "cmd",
+			args: [
+				"/c",
+				"start",
+				"",
+				"brave",
+				`--app=${url}`
+			]
+		},
+		{
+			cmd: "cmd",
+			args: [
+				"/c",
+				"start",
+				"",
+				"chrome",
+				"--new-window",
+				url
+			]
+		},
+		{
+			cmd: "cmd",
+			args: [
+				"/c",
+				"start",
+				"",
+				"msedge",
+				"--new-window",
+				url
+			]
+		},
+		{
+			cmd: "cmd",
+			args: [
+				"/c",
+				"start",
+				"",
+				"brave",
+				"--new-window",
+				url
+			]
+		},
+		{
+			cmd: "cmd",
+			args: [
+				"/c",
+				"start",
+				"",
+				"firefox",
+				"-new-window",
+				url
+			]
+		},
+		{
+			cmd: "cmd",
+			args: [
+				"/c",
+				"start",
+				"",
+				url
+			]
+		}
+	];
+	return [
+		{
+			cmd: "google-chrome",
+			args: [`--app=${url}`]
+		},
+		{
+			cmd: "chromium-browser",
+			args: [`--app=${url}`]
+		},
+		{
+			cmd: "chromium",
+			args: [`--app=${url}`]
+		},
+		{
+			cmd: "microsoft-edge",
+			args: [`--app=${url}`]
+		},
+		{
+			cmd: "brave-browser",
+			args: [`--app=${url}`]
+		},
+		{
+			cmd: "google-chrome",
+			args: ["--new-window", url]
+		},
+		{
+			cmd: "chromium-browser",
+			args: ["--new-window", url]
+		},
+		{
+			cmd: "chromium",
+			args: ["--new-window", url]
+		},
+		{
+			cmd: "microsoft-edge",
+			args: ["--new-window", url]
+		},
+		{
+			cmd: "brave-browser",
+			args: ["--new-window", url]
+		},
+		{
+			cmd: "firefox",
+			args: ["--new-window", url]
+		},
+		{
+			cmd: "xdg-open",
+			args: [url]
+		}
+	];
+}
+async function tryLaunchDetachedProcess(cmd, args) {
+	return await new Promise((resolve) => {
+		const child = spawn(cmd, args, {
+			detached: true,
+			stdio: "ignore"
+		});
+		let done = false;
+		const finalize = (result) => {
+			if (done) return;
+			done = true;
+			resolve(result);
+		};
+		child.once("error", () => finalize(false));
+		child.unref();
+		setTimeout(() => finalize(true), 120);
+	});
+}
+function waitForConnection(connectedPromise, timeoutMs) {
+	return new Promise((resolve, reject) => {
+		const timeoutId = setTimeout(() => {
+			reject(/* @__PURE__ */ new Error(`Timed out waiting for browser connection after ${timeoutMs}ms.`));
+		}, timeoutMs);
+		connectedPromise.then(() => {
+			clearTimeout(timeoutId);
+			resolve();
+		}).catch((error) => {
+			clearTimeout(timeoutId);
+			reject(error);
+		});
+	});
+}
+function closeServer(server) {
+	if (!server.listening) return Promise.resolve();
+	return new Promise((resolve, reject) => {
+		server.close((error) => {
+			if (error) {
+				reject(error);
+				return;
+			}
+			resolve();
+		});
+	});
+}
+function isAddressInUseError(error) {
+	if (!(error instanceof Error)) return false;
+	return "code" in error && error.code === "EADDRINUSE";
+}
+function isFileNotFoundError$1(error) {
+	if (!(error instanceof Error)) return false;
+	return "code" in error && error.code === "ENOENT";
+}
+function createInitialDocument(envFileContent) {
+	if (envFileContent === null) return {
+		entries: [],
+		newline: "\n",
+		endsWithNewline: false
+	};
+	return parseEnvFile(envFileContent);
+}
+function escapeHtml(input) {
+	return input.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;").replaceAll("'", "&#039;");
+}
+function parseClientData(clientDataBase64) {
+	const text = Buffer.from(clientDataBase64, "base64").toString("utf8");
+	const parsed = JSON.parse(text);
+	if (!parsed || typeof parsed.type !== "string" || typeof parsed.challenge !== "string" || typeof parsed.origin !== "string") throw new SessionApiError(400, "invalid_client_data", "Invalid clientDataJSON payload.");
+	return parsed;
+}
+function validateRegisterResponsePayload(payload) {
+	if (!payload || typeof payload !== "object") throw new SessionApiError(400, "invalid_registration_payload", "Invalid registration payload.");
+	if (!payload.id || !payload.publicKeySpki || !payload.clientDataJSON || !payload.attestationObject || !payload.prfOutput) throw new SessionApiError(400, "invalid_registration_payload", "id, publicKeySpki, clientDataJSON, attestationObject, and prfOutput are required.");
+}
+function validateUnlockResponsePayload(payload) {
+	if (!payload || typeof payload !== "object") throw new SessionApiError(400, "invalid_unlock_payload", "Invalid unlock payload.");
+	if (!payload.id || !payload.clientDataJSON || !payload.authenticatorData || !payload.signature || !payload.prfOutput) throw new SessionApiError(400, "invalid_unlock_payload", "id, clientDataJSON, authenticatorData, signature, and prfOutput are required.");
+}
+function verifyAuthenticatorData(authenticatorData, rpId) {
+	if (authenticatorData.length < 37) throw new SessionApiError(400, "invalid_authenticator_data", "Authenticator data is too short.");
+	const expectedRpIdHash = createHash("sha256").update(rpId, "utf8").digest();
+	if (!timingSafeEqual(authenticatorData.subarray(0, 32), expectedRpIdHash)) throw new SessionApiError(400, "invalid_rp_id_hash", "Authenticator RP ID hash mismatch.");
+	if (!((authenticatorData[32] & 4) !== 0)) throw new SessionApiError(400, "user_verification_required", "User verification flag not present.");
+	return authenticatorData.readUInt32BE(33);
+}
+function verifyWebAuthnAssertionSignature(publicKeySpkiBase64, authenticatorData, clientDataJSONBase64, signatureBase64) {
+	const publicKey = createPublicKey({
+		key: decodeBase64(publicKeySpkiBase64),
+		format: "der",
+		type: "spki"
+	});
+	const clientDataHash = createHash("sha256").update(decodeBase64(clientDataJSONBase64)).digest();
+	return verify("sha256", Buffer.concat([authenticatorData, clientDataHash]), publicKey, decodeBase64(signatureBase64));
+}
+function decodeBase64(value) {
+	return Buffer.from(value, "base64");
+}
+function toBase64Url(buffer) {
+	return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function wipeMasterKey$1(masterKey) {
+	if (!masterKey) return;
+	masterKey.fill(0);
+}
+function completeSessionFromWindowClose(context) {
+	if (context.sessionCompleted) return;
+	if (context.mode === "run" && context.runState && !context.runState.decided) {
+		context.runState.decided = true;
+		context.onRunDecision?.(false);
+	}
+	context.onSessionComplete();
+}
+async function main() {
+	try {
+		const args = parseCliArgs(process.argv.slice(2));
+		if (args.type === "view") {
+			await handleViewCommand(args.envFilePathArg, args.verbose);
+			return;
+		}
+		if (args.type === "import") {
+			await handleImportCommand(args.envFilePathArg, args.verbose);
+			return;
+		}
+		if (args.type === "run") {
+			const exitCode = await handleRunCommand(args.envFilePathArg, args.command);
+			process.exitCode = exitCode;
+			return;
+		}
+		if (args.type === "cleanup") {
+			await handleCleanupCommand();
+			return;
+		}
+		await handleConfigPortCommand(args.portArg);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		console.error(message);
+		printUsage();
+		process.exitCode = 1;
+	}
+}
+function extractVerboseFlag(args) {
+	const filteredArgs = [];
+	let verbose = false;
+	for (const arg of args) {
+		if (arg === "--verbose") {
+			verbose = true;
+			continue;
+		}
+		filteredArgs.push(arg);
+	}
+	return {
+		filteredArgs,
+		verbose
+	};
+}
+function parseCliArgs(argv) {
+	if (argv.length === 0) throw new Error("Missing command.");
+	const [command, ...rest] = argv;
+	if (command === "view") {
+		const { filteredArgs, verbose } = extractVerboseFlag(rest);
+		if (filteredArgs.length > 1) throw new Error("`rse view` accepts at most one env file path.");
+		return {
+			type: "view",
+			envFilePathArg: filteredArgs[0],
+			verbose
+		};
+	}
+	if (command === "run") {
+		const separatorIndex = rest.indexOf("--");
+		if (separatorIndex === -1) throw new Error("`rse run` requires `-- <command...>`.");
+		const beforeSeparator = rest.slice(0, separatorIndex);
+		const commandParts = rest.slice(separatorIndex + 1);
+		const { filteredArgs, verbose } = extractVerboseFlag(beforeSeparator);
+		if (filteredArgs.length > 1) throw new Error("`rse run` accepts at most one env file path before `--`.");
+		if (commandParts.length === 0) throw new Error("Missing child command after `--`.");
+		return {
+			type: "run",
+			envFilePathArg: filteredArgs[0],
+			command: commandParts,
+			verbose
+		};
+	}
+	if (command === "import") {
+		const { filteredArgs, verbose } = extractVerboseFlag(rest);
+		if (filteredArgs.length > 1) throw new Error("`rse import` accepts at most one env file path.");
+		return {
+			type: "import",
+			envFilePathArg: filteredArgs[0],
+			verbose
+		};
+	}
+	if (command === "config") {
+		const { filteredArgs, verbose } = extractVerboseFlag(rest);
+		if (filteredArgs[0] !== "port") throw new Error("Usage: rse config port [port] [--verbose]");
+		if (filteredArgs.length > 2) throw new Error("Usage: rse config port [port] [--verbose]");
+		return {
+			type: "config-port",
+			portArg: filteredArgs[1],
+			verbose
+		};
+	}
+	if (command === "cleanup") {
+		const { filteredArgs, verbose } = extractVerboseFlag(rest);
+		if (filteredArgs.length > 0) throw new Error("Usage: rse cleanup [--verbose]");
+		return {
+			type: "cleanup",
+			verbose
+		};
+	}
+	throw new Error(`Unknown command: ${command}`);
+}
+async function handleViewCommand(envFilePathArg, verbose) {
+	const envPath = await resolveEnvPath(envFilePathArg);
+	const envContent = await readEnvFileIfExists(envPath);
+	const config = await loadCliConfig();
+	if (!envContent) {
+		console.log(`[rse] env file not found: ${envPath}`);
+		console.log(`[rse] starting local UI session on localhost:${config.uiPort} (mode=view)`);
+		await startUiSession({
+			mode: "view",
+			port: config.uiPort,
+			envFilePath: envPath,
+			envFileContent: null
+		});
+		console.log("[rse] browser connected to local session.");
+		return;
+	}
+	console.log(`[rse] loaded env file: ${envPath}`);
+	if (verbose) {
+		const parsed = parseEnvFile(envContent);
+		const roundTrip = serializeEnvDocument(parsed);
+		console.log(`[rse] lossless parser round-trip check: ${roundTrip === envContent ? "ok" : "mismatch"}`);
+		console.log("[rse] parsed entries (debug):");
+		console.log(formatParsedEntriesForDebug(parsed.entries));
+	}
+	console.log(`[rse] starting local UI session on localhost:${config.uiPort} (mode=view)`);
+	await startUiSession({
+		mode: "view",
+		port: config.uiPort,
+		envFilePath: envPath,
+		envFileContent: envContent
+	});
+	console.log("[rse] browser connected to local session.");
+}
+async function handleImportCommand(envFilePathArg, verbose) {
+	const envPath = await resolveEnvPath(envFilePathArg);
+	const envContent = await readEnvFileIfExists(envPath);
+	const config = await loadCliConfig();
+	if (envContent) {
+		console.log(`[rse] loaded env file: ${envPath}`);
+		if (verbose) {
+			const parsed = parseEnvFile(envContent);
+			const roundTrip = serializeEnvDocument(parsed);
+			console.log(`[rse] lossless parser round-trip check: ${roundTrip === envContent ? "ok" : "mismatch"}`);
+			console.log("[rse] parsed entries (debug):");
+			console.log(formatParsedEntriesForDebug(parsed.entries));
+		}
+	} else console.log(`[rse] env file not found: ${envPath}`);
+	console.log(`[rse] starting local UI session on localhost:${config.uiPort} (mode=import)`);
+	await startUiSession({
+		mode: "import",
+		port: config.uiPort,
+		envFilePath: envPath,
+		envFileContent: envContent
+	});
+	console.log("[rse] browser connected to local session.");
+}
+async function handleRunCommand(envFilePathArg, command) {
+	const envPath = await resolveEnvPath(envFilePathArg);
+	const envContent = await readEnvFileIfExists(envPath);
+	const config = await loadCliConfig();
+	if (!envContent) {
+		console.log(`[rse] env file not found: ${envPath}; running command unchanged.`);
+		return spawnChild(command);
+	}
+	const parsed = parseEnvFile(envContent);
+	if (!hasEncryptedEntries(parsed)) return spawnChild(command, buildChildEnv(parsed, null));
+	console.log(`[rse] encrypted values detected in ${envPath}; approval is required.`);
+	console.log(`[rse] starting local UI session on localhost:${config.uiPort} (mode=run)`);
+	const runSession = await startUiSession({
+		mode: "run",
+		port: config.uiPort,
+		commandDisplay: command.join(" "),
+		envFilePath: envPath,
+		encryptedEntryCount: countEncryptedEntries(parsed)
+	});
+	if (runSession.mode !== "run") throw new Error("Invalid run session result.");
+	if (!runSession.approved) {
+		console.error("[rse] run was denied.");
+		return 1;
+	}
+	if (!runSession.unlockedMasterKey) {
+		console.error("[rse] run approval completed without unlocked key.");
+		return 1;
+	}
+	const unlockedMasterKey = runSession.unlockedMasterKey;
+	try {
+		return await spawnChild(command, buildChildEnv(parsed, unlockedMasterKey));
+	} finally {
+		wipeMasterKey(unlockedMasterKey);
+	}
+}
+async function handleConfigPortCommand(portArg) {
+	if (!portArg) {
+		const config = await loadCliConfig();
+		console.log(`[rse] configured UI port: ${config.uiPort}`);
+		console.log(`[rse] config file: ${getConfigFilePath()}`);
+		return;
+	}
+	const updated = await setUiPort(parseAndValidatePort(portArg));
+	console.log(`[rse] updated UI port: ${updated.uiPort}`);
+	console.log(`[rse] config file: ${getConfigFilePath()}`);
+}
+async function handleCleanupCommand() {
+	const clearedDir = await clearCliState();
+	console.log(`[rse] cleared local state: ${clearedDir}`);
+	console.log("[rse] registration, wrapped master key, counters, and cli config were removed.");
+}
+async function resolveEnvPath(envFilePathArg) {
+	if (!envFilePathArg) return path.resolve(process.cwd(), ".env");
+	const candidatePath = path.resolve(process.cwd(), envFilePathArg);
+	try {
+		if ((await stat(candidatePath)).isDirectory()) return path.join(candidatePath, ".env");
+		return candidatePath;
+	} catch (error) {
+		if (isFileNotFoundError(error)) return candidatePath;
+		throw error;
+	}
+}
+async function readEnvFileIfExists(filePath) {
+	try {
+		return await readFile(filePath, "utf8");
+	} catch (error) {
+		if (isFileNotFoundError(error)) return null;
+		throw error;
+	}
+}
+function isFileNotFoundError(error) {
+	if (!(error instanceof Error)) return false;
+	return "code" in error && error.code === "ENOENT";
+}
+function hasEncryptedEntries(document) {
+	return document.entries.some((entry) => entry.type === "pair" && entry.rawValue.startsWith("enc:v1:"));
+}
+function countEncryptedEntries(document) {
+	return document.entries.filter((entry) => entry.type === "pair" && entry.rawValue.startsWith("enc:v1:")).length;
+}
+function buildChildEnv(document, masterKey) {
+	const envFromFile = {};
+	for (const entry of document.entries) {
+		if (entry.type !== "pair") continue;
+		if (entry.rawValue.startsWith("enc:v1:")) {
+			if (!masterKey) throw new Error(`Missing unlocked key for encrypted env key: ${entry.key}`);
+			envFromFile[entry.key] = decryptEnvValue(entry.rawValue, entry.key, masterKey);
+			continue;
+		}
+		envFromFile[entry.key] = decodeEnvValue(entry.rawValue);
+	}
+	return {
+		...process.env,
+		...envFromFile
+	};
+}
+function spawnChild(command, env = process.env) {
+	return new Promise((resolve, reject) => {
+		const child = spawn(command[0], command.slice(1), {
+			stdio: "inherit",
+			env
+		});
+		child.on("error", reject);
+		child.on("exit", (code, signal) => {
+			if (signal) {
+				console.error(`[rse] child process terminated by signal ${signal}`);
+				resolve(1);
+				return;
+			}
+			resolve(code ?? 1);
+		});
+	});
+}
+function wipeMasterKey(masterKey) {
+	if (!masterKey) return;
+	masterKey.fill(0);
+}
+function printUsage() {
+	console.error("Usage:");
+	console.error("  rse view [envFilePath] [--verbose]");
+	console.error("  rse import [envFilePath] [--verbose]");
+	console.error("  rse run [envFilePath] [--verbose] -- <command...>");
+	console.error("  rse config port [port] [--verbose]");
+	console.error("  rse cleanup [--verbose]");
+}
+main();
+export {};