sandstream-kit 1.0.0

package/dist/env-inspect.js

@@ -0,0 +1,81 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+/**
+ * Parse a .env file into a key-value record.
+ * Handles blank lines, comments (#), and quoted values.
+ */
+export function parseEnvFile(content) {
+    const result = {};
+    for (const line of content.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        const eqIdx = trimmed.indexOf("=");
+        if (eqIdx === -1)
+            continue;
+        const key = trimmed.slice(0, eqIdx).trim();
+        let value = trimmed.slice(eqIdx + 1);
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        result[key] = value;
+    }
+    return result;
+}
+/**
+ * Redact a secret value: show first 4 chars + ****
+ */
+export function redactValue(value) {
+    if (value.length <= 4)
+        return "****";
+    return value.slice(0, 4) + "****";
+}
+export async function inspectEnv(config, options = {}) {
+    const cwd = options.cwd ?? process.cwd();
+    const envPath = join(cwd, ".env.local");
+    let envVars = {};
+    let envLocalExists = false;
+    try {
+        const content = await readFile(envPath, "utf-8");
+        envVars = parseEnvFile(content);
+        envLocalExists = true;
+    }
+    catch {
+        // .env.local doesn't exist or is unreadable
+    }
+    // Collect key names from config and from .env.local
+    const keyNames = new Set();
+    const keySource = {};
+    if (config.secrets?.keys) {
+        for (const [name, cfg] of Object.entries(config.secrets.keys)) {
+            keyNames.add(name);
+            keySource[name] = cfg.source;
+        }
+    }
+    for (const name of Object.keys(envVars)) {
+        if (!keyNames.has(name)) {
+            keyNames.add(name);
+            keySource[name] = ".env.local";
+        }
+    }
+    const allKeys = [...keyNames].sort();
+    const keys = allKeys.map((name) => {
+        const rawValue = envVars[name];
+        const set = rawValue !== undefined;
+        const entry = { name, set, source: keySource[name] ?? ".env.local" };
+        if (set) {
+            if (options.showValues) {
+                entry.value = rawValue;
+            }
+            else {
+                entry.redacted = redactValue(rawValue);
+            }
+        }
+        return entry;
+    });
+    const filteredKeys = options.missingOnly ? keys.filter((k) => !k.set) : keys;
+    const ok = keys.every((k) => k.set);
+    return { ok, keys: filteredKeys, envLocalExists };
+}
+//# sourceMappingURL=env-inspect.js.map

package/dist/env-inspect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-inspect.js","sourceRoot":"","sources":["../src/env-inspect.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAuBjC;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,MAAM,MAAM,GAA2B,EAAE,CAAC;IAE1C,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAElD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,KAAK,CAAC,CAAC;YAAE,SAAS;QAE3B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,IAAI,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QAErC,IACE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC9C,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAC9C,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7B,CAAC;QAED,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACtB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa;IACvC,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,MAAM,CAAC;IACrC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC;AACpC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAiB,EACjB,UAA0B,EAAE;IAE5B,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACzC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAExC,IAAI,OAAO,GAA2B,EAAE,CAAC;IACzC,IAAI,cAAc,GAAG,KAAK,CAAC;IAE3B,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACjD,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QAChC,cAAc,GAAG,IAAI,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,4CAA4C;IAC9C,CAAC;IAED,oDAAoD;IACpD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,MAAM,SAAS,GAA2B,EAAE,CAAC;IAE7C,IAAI,MAAM,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC;QACzB,KAAK,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9D,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACnB,SAAS,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACnB,SAAS,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC;QACjC,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC;IAErC,MAAM,IAAI,GAAmB,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,QAAQ,KAAK,SAAS,CAAC;QACnC,MAAM,KAAK,GAAiB,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,IAAI,YAAY,EAAE,CAAC;QAEnF,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,KAAK,CAAC,KAAK,GAAG,QAAQ,CAAC;YACzB,CAAC;iBAAM,CAAC;gBACN,KAAK,CAAC,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;IAEH,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7E,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAEpC,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,cAAc,EAAE,CAAC;AACpD,CAAC"}

package/dist/env-switch.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Tracks the active environment ("dev" / "staging" / "prod") on disk so the
+ * rest of kit can refuse to materialize prod-scoped credentials when the
+ * developer is sitting in `dev`. The marker lives under `.kit/` because
+ * `.kit.toml` is meant to be project config (checkable into git), while
+ * the active env is per-developer state (gitignored).
+ */
+export type kitEnv = "dev" | "staging" | "prod";
+export declare const KNOWN_ENVS: kitEnv[];
+export declare const ACTIVE_ENV_FILE = ".kit/active-env.json";
+export interface ActiveEnvState {
+    env: kitEnv;
+    switchedAt: string;
+    switchedBy: string;
+}
+export declare function readActiveEnv(cwd?: string): Promise<ActiveEnvState | null>;
+export declare function writeActiveEnv(env: kitEnv, cwd?: string, switchedBy?: string): Promise<ActiveEnvState>;
+/**
+ * Returns the active env if set; defaults to "dev" so a project that hasn't
+ * opted into env-switching yet behaves safely (no accidental prod-key reads).
+ */
+export declare function getActiveEnv(cwd?: string): Promise<kitEnv>;
+export declare function prodReadAllowed(activeEnv: kitEnv, opts?: {
+    explicitOk?: boolean;
+    cwd?: string;
+}): boolean;
+/**
+ * Test-only: reset the module-scoped "warned-once" flag so tests can
+ * exercise the warning path deterministically.
+ */
+export declare function _resetProdOkWarningForTests(): void;
+/**
+ * A key counts as prod-scoped when its `ref` / `name` / `vault_path` mentions
+ * a typical prod marker. Conservative — false positives just nudge the user
+ * to confirm; false negatives would defeat the gate.
+ */
+export declare function looksLikeProdKey(refOrName: string | undefined): boolean;

package/dist/env-switch.js

@@ -0,0 +1,102 @@
+import { readFile, writeFile, mkdir, access } from "node:fs/promises";
+import { resolve, dirname } from "node:path";
+import { appendAuditEventDirect } from "./audit.js";
+export const KNOWN_ENVS = ["dev", "staging", "prod"];
+export const ACTIVE_ENV_FILE = ".kit/active-env.json";
+export async function readActiveEnv(cwd = process.cwd()) {
+    const path = resolve(cwd, ACTIVE_ENV_FILE);
+    try {
+        await access(path);
+        const text = await readFile(path, "utf-8");
+        const parsed = JSON.parse(text);
+        if (!parsed.env || !KNOWN_ENVS.includes(parsed.env)) {
+            return null;
+        }
+        return {
+            env: parsed.env,
+            switchedAt: parsed.switchedAt ?? new Date().toISOString(),
+            switchedBy: parsed.switchedBy ?? "unknown",
+        };
+    }
+    catch {
+        return null;
+    }
+}
+export async function writeActiveEnv(env, cwd = process.cwd(), switchedBy = process.env.USER || "unknown") {
+    const state = {
+        env,
+        switchedAt: new Date().toISOString(),
+        switchedBy,
+    };
+    const path = resolve(cwd, ACTIVE_ENV_FILE);
+    await mkdir(dirname(path), { recursive: true });
+    await writeFile(path, JSON.stringify(state, null, 2) + "\n", "utf-8");
+    return state;
+}
+/**
+ * Returns the active env if set; defaults to "dev" so a project that hasn't
+ * opted into env-switching yet behaves safely (no accidental prod-key reads).
+ */
+export async function getActiveEnv(cwd = process.cwd()) {
+    const state = await readActiveEnv(cwd);
+    return state?.env ?? "dev";
+}
+/**
+ * Returns true if the caller is allowed to read prod-scoped secrets in the
+ * current shell. Two gates: the active env must be "prod" AND either an
+ * interactive confirmation has happened OR `KIT_PROD_OK=1` was set
+ * explicitly (suitable for CI deploy jobs).
+ *
+ * When `KIT_PROD_OK=1` authorizes the read, a one-time stderr warning is
+ * emitted at the call site (not at the eventual secrets-resolve step) and an
+ * audit event is appended. This closes the previous gap where the warning
+ * only printed AFTER the prod credential had already been materialized.
+ */
+let warnedAboutProdOk = false;
+function warnProdOkOnce(cwd) {
+    if (warnedAboutProdOk)
+        return;
+    warnedAboutProdOk = true;
+    console.error("[kit] WARNING: KIT_PROD_OK=1 active — prod credentials authorized for read in this process.");
+    void appendAuditEventDirect({
+        operation: "prod-key-bypass",
+        environment: "prod",
+        success: true,
+        metadata: {
+            method: "KIT_PROD_OK=1",
+            granter: process.env.USER ?? "unknown",
+        },
+    }, { cwd });
+}
+export function prodReadAllowed(activeEnv, opts = {}) {
+    if (activeEnv !== "prod")
+        return false;
+    if (opts.explicitOk)
+        return true;
+    if (process.env.KIT_PROD_OK === "1") {
+        warnProdOkOnce(opts.cwd ?? process.cwd());
+        return true;
+    }
+    return false;
+}
+/**
+ * Test-only: reset the module-scoped "warned-once" flag so tests can
+ * exercise the warning path deterministically.
+ */
+export function _resetProdOkWarningForTests() {
+    warnedAboutProdOk = false;
+}
+/**
+ * A key counts as prod-scoped when its `ref` / `name` / `vault_path` mentions
+ * a typical prod marker. Conservative — false positives just nudge the user
+ * to confirm; false negatives would defeat the gate.
+ */
+export function looksLikeProdKey(refOrName) {
+    if (!refOrName)
+        return false;
+    // Letter-boundary check: `\b` treats `_` as a word char (e.g. `PRD_DB`
+    // wouldn't match `\bPRD\b`). Use explicit letter-not-letter boundaries
+    // so `PRD_DB`, `stripe-live-key`, and `op://Prod/…` all trigger.
+    return /(?<![A-Za-z])(prod|production|live|prd)(?![A-Za-z])/i.test(refOrName);
+}
+//# sourceMappingURL=env-switch.js.map

package/dist/env-switch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env-switch.js","sourceRoot":"","sources":["../src/env-switch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AACtE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAYpD,MAAM,CAAC,MAAM,UAAU,GAAa,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;AAE/D,MAAM,CAAC,MAAM,eAAe,GAAG,sBAAsB,CAAC;AAQtD,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAc,OAAO,CAAC,GAAG,EAAE;IAE3B,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAC3C,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,IAAI,CAAC,CAAC;QACnB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAA4B,CAAC;QAC3D,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAa,CAAC,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO;YACL,GAAG,EAAE,MAAM,CAAC,GAAa;YACzB,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACzD,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,SAAS;SAC3C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAW,EACX,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,aAAqB,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS;IAElD,MAAM,KAAK,GAAmB;QAC5B,GAAG;QACH,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,UAAU;KACX,CAAC;IACF,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IAC3C,MAAM,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,MAAM,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;IACtE,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAc,OAAO,CAAC,GAAG,EAAE;IAE3B,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,KAAK,EAAE,GAAG,IAAI,KAAK,CAAC;AAC7B,CAAC;AAED;;;;;;;;;;GAUG;AACH,IAAI,iBAAiB,GAAG,KAAK,CAAC;AAC9B,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,iBAAiB;QAAE,OAAO;IAC9B,iBAAiB,GAAG,IAAI,CAAC;IACzB,OAAO,CAAC,KAAK,CACX,6FAA6F,CAC9F,CAAC;IACF,KAAK,sBAAsB,CACzB;QACE,SAAS,EAAE,iBAAiB;QAC5B,WAAW,EAAE,MAAM;QACnB,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE;YACR,MAAM,EAAE,eAAe;YACvB,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS;SACvC;KACF,EACD,EAAE,GAAG,EAAE,CACR,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,SAAiB,EACjB,OAA+C,EAAE;IAEjD,IAAI,SAAS,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,KAAK,GAAG,EAAE,CAAC;QACpC,cAAc,CAAC,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B;IACzC,iBAAiB,GAAG,KAAK,CAAC;AAC5B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAA6B;IAC5D,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7B,uEAAuE;IACvE,uEAAuE;IACvE,iEAAiE;IACjE,OAAO,sDAAsD,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AAChF,CAAC"}

package/dist/environment.d.ts

@@ -0,0 +1,27 @@
+import type { GovernanceConfig, EnvironmentAccess } from "./config.js";
+export type Environment = "dev" | "staging" | "prod";
+export interface EnvironmentInfo {
+    environment: Environment;
+    source: "env" | "git" | "default";
+    access?: EnvironmentAccess;
+}
+/**
+ * Detect current environment based on:
+ * 1. NODE_ENV environment variable
+ * 2. Git branch name (main→prod, staging→staging, feature/*→dev)
+ * 3. Default to 'dev'
+ */
+export declare function detectEnvironment(governance?: GovernanceConfig): EnvironmentInfo;
+/**
+ * Check if an operation is allowed in the current environment
+ */
+export declare function isOperationAllowed(operation: "read" | "write" | "delete", envInfo: EnvironmentInfo): boolean;
+export declare function isNonInteractive(): boolean;
+/**
+ * Test-only: reset the module-scoped warning flag.
+ */
+export declare function _resetNonInteractiveWarningForTests(): void;
+/**
+ * Get a human-readable description of the environment
+ */
+export declare function formatEnvironment(envInfo: EnvironmentInfo): string;

package/dist/environment.js

@@ -0,0 +1,148 @@
+import { execSync } from "node:child_process";
+import { appendAuditEventDirect } from "./audit.js";
+/**
+ * Detect current environment based on:
+ * 1. NODE_ENV environment variable
+ * 2. Git branch name (main→prod, staging→staging, feature/*→dev)
+ * 3. Default to 'dev'
+ */
+export function detectEnvironment(governance) {
+    // 1. Check NODE_ENV
+    const nodeEnv = process.env.NODE_ENV?.toLowerCase();
+    if (nodeEnv === "production") {
+        return {
+            environment: "prod",
+            source: "env",
+            access: governance?.access?.prod,
+        };
+    }
+    if (nodeEnv === "staging") {
+        return {
+            environment: "staging",
+            source: "env",
+            access: governance?.access?.staging,
+        };
+    }
+    if (nodeEnv === "development" || nodeEnv === "dev") {
+        return {
+            environment: "dev",
+            source: "env",
+            access: governance?.access?.dev,
+        };
+    }
+    // 2. Fall back to git branch
+    try {
+        const branch = execSync("git rev-parse --abbrev-ref HEAD", {
+            encoding: "utf-8",
+            stdio: ["ignore", "pipe", "ignore"],
+        }).trim();
+        if (branch === "main" || branch === "master") {
+            return {
+                environment: "prod",
+                source: "git",
+                access: governance?.access?.prod,
+            };
+        }
+        if (branch === "staging") {
+            return {
+                environment: "staging",
+                source: "git",
+                access: governance?.access?.staging,
+            };
+        }
+        // Any other branch (feature/*, dev, etc.) → dev
+        return {
+            environment: "dev",
+            source: "git",
+            access: governance?.access?.dev,
+        };
+    }
+    catch {
+        // If git is not available or not in a git repo, default to dev
+    }
+    // 3. Default to dev
+    return {
+        environment: "dev",
+        source: "default",
+        access: governance?.access?.dev,
+    };
+}
+/**
+ * Check if an operation is allowed in the current environment
+ */
+export function isOperationAllowed(operation, envInfo) {
+    if (!envInfo.access) {
+        // No access config means allow everything (for backwards compatibility)
+        return true;
+    }
+    switch (operation) {
+        case "read":
+            return envInfo.access.read ?? false;
+        case "write":
+            return envInfo.access.write ?? false;
+        case "delete":
+            return envInfo.access.delete ?? false;
+        default:
+            return false;
+    }
+}
+/**
+ * Returns true when running in a non-interactive context.
+ * Checks (in order):
+ *   1. --non-interactive flag in process.argv
+ *   2. KIT_NON_INTERACTIVE=1 (or =true)
+ *   3. CI=true (set by GitHub Actions, CircleCI, and most CI systems)
+ *
+ * When the env-var path (#2) triggers in a context where a TTY is
+ * available, emit a one-time stderr warning + audit event. Combined with
+ * `KIT_ELEVATED=1`, non-interactive mode lets destructive ops run with
+ * zero acknowledgement; surfacing the choice makes the bypass non-silent.
+ * CI=true (#3) is not warned about because that's the normal mode there.
+ */
+let warnedAboutNonInteractive = false;
+function warnNonInteractiveOnce(source) {
+    if (warnedAboutNonInteractive)
+        return;
+    warnedAboutNonInteractive = true;
+    console.error(`[kit] WARNING: non-interactive mode active (via ${source}) — all confirmation prompts will be skipped.`);
+    void appendAuditEventDirect({
+        operation: "non-interactive-mode",
+        environment: process.env.NODE_ENV ?? "unknown",
+        success: true,
+        metadata: { source, granter: process.env.USER ?? "unknown" },
+    });
+}
+export function isNonInteractive() {
+    if (process.argv.includes("--non-interactive")) {
+        if (process.stdout.isTTY)
+            warnNonInteractiveOnce("flag");
+        return true;
+    }
+    const flag = process.env.KIT_NON_INTERACTIVE?.toLowerCase();
+    if (flag === "1" || flag === "true") {
+        if (process.stdout.isTTY)
+            warnNonInteractiveOnce("env-var");
+        return true;
+    }
+    if (process.env.CI === "true")
+        return true;
+    return false;
+}
+/**
+ * Test-only: reset the module-scoped warning flag.
+ */
+export function _resetNonInteractiveWarningForTests() {
+    warnedAboutNonInteractive = false;
+}
+/**
+ * Get a human-readable description of the environment
+ */
+export function formatEnvironment(envInfo) {
+    const sourceLabel = {
+        env: "NODE_ENV",
+        git: "git branch",
+        default: "default",
+    }[envInfo.source];
+    return `${envInfo.environment} (from ${sourceLabel})`;
+}
+//# sourceMappingURL=environment.js.map

package/dist/environment.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"environment.js","sourceRoot":"","sources":["../src/environment.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,OAAO,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAUpD;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAC/B,UAA6B;IAE7B,oBAAoB;IACpB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC;IACpD,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;QAC7B,OAAO;YACL,WAAW,EAAE,MAAM;YACnB,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI;SACjC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO;YACL,WAAW,EAAE,SAAS;YACtB,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO;SACpC,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,KAAK,aAAa,IAAI,OAAO,KAAK,KAAK,EAAE,CAAC;QACnD,OAAO;YACL,WAAW,EAAE,KAAK;YAClB,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG;SAChC,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,iCAAiC,EAAE;YACzD,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC,IAAI,EAAE,CAAC;QAEV,IAAI,MAAM,KAAK,MAAM,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC7C,OAAO;gBACL,WAAW,EAAE,MAAM;gBACnB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI;aACjC,CAAC;QACJ,CAAC;QACD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO;gBACL,WAAW,EAAE,SAAS;gBACtB,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,OAAO;aACpC,CAAC;QACJ,CAAC;QACD,gDAAgD;QAChD,OAAO;YACL,WAAW,EAAE,KAAK;YAClB,MAAM,EAAE,KAAK;YACb,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG;SAChC,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;IACjE,CAAC;IAED,oBAAoB;IACpB,OAAO;QACL,WAAW,EAAE,KAAK;QAClB,MAAM,EAAE,SAAS;QACjB,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG;KAChC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,SAAsC,EACtC,OAAwB;IAExB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACpB,wEAAwE;QACxE,OAAO,IAAI,CAAC;IACd,CAAC;IAED,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,KAAK,CAAC;QACtC,KAAK,OAAO;YACV,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,KAAK,CAAC;QACvC,KAAK,QAAQ;YACX,OAAO,OAAO,CAAC,MAAM,CAAC,MAAM,IAAI,KAAK,CAAC;QACxC;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,IAAI,yBAAyB,GAAG,KAAK,CAAC;AACtC,SAAS,sBAAsB,CAAC,MAA0B;IACxD,IAAI,yBAAyB;QAAE,OAAO;IACtC,yBAAyB,GAAG,IAAI,CAAC;IACjC,OAAO,CAAC,KAAK,CACX,mDAAmD,MAAM,+CAA+C,CACzG,CAAC;IACF,KAAK,sBAAsB,CAAC;QAC1B,SAAS,EAAE,sBAAsB;QACjC,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,SAAS;QAC9C,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,SAAS,EAAE;KAC7D,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,gBAAgB;IAC9B,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK;YAAE,sBAAsB,CAAC,MAAM,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,WAAW,EAAE,CAAC;IAC5D,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,MAAM,CAAC,KAAK;YAAE,sBAAsB,CAAC,SAAS,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,CAAC,EAAE,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mCAAmC;IACjD,yBAAyB,GAAG,KAAK,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAwB;IACxD,MAAM,WAAW,GAAG;QAClB,GAAG,EAAE,UAAU;QACf,GAAG,EAAE,YAAY;QACjB,OAAO,EAAE,SAAS;KACnB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAElB,OAAO,GAAG,OAAO,CAAC,WAAW,UAAU,WAAW,GAAG,CAAC;AACxD,CAAC"}

package/dist/error-tracker.d.ts

@@ -0,0 +1,92 @@
+export interface ErrorLog {
+    id: string;
+    message: string;
+    stack: string;
+    severity: "critical" | "high" | "medium" | "low";
+    context: Record<string, unknown>;
+    timestamp: string;
+    userId?: string;
+    sessionId?: string;
+    resolved: boolean;
+    resolvedAt?: string;
+}
+export interface ErrorMetrics {
+    totalErrors: number;
+    errorsBySeverity: Record<string, number>;
+    errorsByType: Record<string, number>;
+    errorTrend: Array<{
+        date: string;
+        count: number;
+    }>;
+    topErrors: Array<{
+        message: string;
+        count: number;
+    }>;
+}
+export interface ErrorGroup {
+    id: string;
+    message: string;
+    firstSeen: string;
+    lastSeen: string;
+    occurrences: number;
+    severity: "critical" | "high" | "medium" | "low";
+    resolved: boolean;
+}
+export declare class ErrorTracker {
+    private errors;
+    private errorGroups;
+    private errorIndex;
+    /**
+     * Log an error.
+     */
+    logError(message: string, stack: string, severity?: "critical" | "high" | "medium" | "low", context?: Record<string, unknown>, userId?: string, sessionId?: string): ErrorLog;
+    /**
+     * Get error by ID.
+     */
+    getError(errorId: string): ErrorLog | null;
+    /**
+     * Resolve an error.
+     */
+    resolveError(errorId: string): ErrorLog | null;
+    /**
+     * Get all unresolved errors.
+     */
+    getUnresolvedErrors(): ErrorLog[];
+    /**
+     * Get errors by severity.
+     */
+    getErrorsBySeverity(severity: string): ErrorLog[];
+    private indexError;
+    private groupError;
+    private findGroupForError;
+    /**
+     * Get all error groups.
+     */
+    getAllErrorGroups(): ErrorGroup[];
+    /**
+     * Get errors in a group.
+     */
+    getErrorsByGroup(groupId: string): ErrorLog[];
+    /**
+     * Get error metrics.
+     */
+    getMetrics(): ErrorMetrics;
+    /**
+     * Get error rate (errors per minute).
+     */
+    getErrorRate(): number;
+    /**
+     * Get most recent errors.
+     */
+    getRecentErrors(limit?: number): ErrorLog[];
+    /**
+     * Clear old errors (older than days).
+     */
+    clearOldErrors(days: number): number;
+    /**
+     * Clear resolved errors.
+     */
+    clearResolvedErrors(): number;
+    getErrorCache(): Map<string, ErrorLog>;
+    getErrorGroupCache(): Map<string, ErrorGroup>;
+}