npm - sandstream-kit - Versions diffs - 1.0.0 - Mend

sandstream-kit 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (519) hide show

package/LICENSE +21 -0
package/README.md +617 -0
package/dist/adapters/api-key-adapter.d.ts +35 -0
package/dist/adapters/api-key-adapter.js +46 -0
package/dist/adapters/api-key-adapter.js.map +1 -0
package/dist/adapters/clerk-auth.d.ts +6 -0
package/dist/adapters/clerk-auth.js +20 -0
package/dist/adapters/clerk-auth.js.map +1 -0
package/dist/adapters/cloudflare-r2.d.ts +6 -0
package/dist/adapters/cloudflare-r2.js +136 -0
package/dist/adapters/cloudflare-r2.js.map +1 -0
package/dist/adapters/expo-eas.d.ts +6 -0
package/dist/adapters/expo-eas.js +129 -0
package/dist/adapters/expo-eas.js.map +1 -0
package/dist/adapters/flagsmith-flags.d.ts +5 -0
package/dist/adapters/flagsmith-flags.js +20 -0
package/dist/adapters/flagsmith-flags.js.map +1 -0
package/dist/adapters/flyio-hosting.d.ts +2 -0
package/dist/adapters/flyio-hosting.js +143 -0
package/dist/adapters/flyio-hosting.js.map +1 -0
package/dist/adapters/index.d.ts +6 -0
package/dist/adapters/index.js +48 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/inngest-background.d.ts +5 -0
package/dist/adapters/inngest-background.js +19 -0
package/dist/adapters/inngest-background.js.map +1 -0
package/dist/adapters/liveblocks-realtime.d.ts +11 -0
package/dist/adapters/liveblocks-realtime.js +62 -0
package/dist/adapters/liveblocks-realtime.js.map +1 -0
package/dist/adapters/loops-email.d.ts +6 -0
package/dist/adapters/loops-email.js +18 -0
package/dist/adapters/loops-email.js.map +1 -0
package/dist/adapters/neon-db.d.ts +10 -0
package/dist/adapters/neon-db.js +94 -0
package/dist/adapters/neon-db.js.map +1 -0
package/dist/adapters/planetscale-db.d.ts +11 -0
package/dist/adapters/planetscale-db.js +134 -0
package/dist/adapters/planetscale-db.js.map +1 -0
package/dist/adapters/posthog-analytics.d.ts +6 -0
package/dist/adapters/posthog-analytics.js +22 -0
package/dist/adapters/posthog-analytics.js.map +1 -0
package/dist/adapters/railway-hosting.d.ts +2 -0
package/dist/adapters/railway-hosting.js +136 -0
package/dist/adapters/railway-hosting.js.map +1 -0
package/dist/adapters/resend-email.d.ts +35 -0
package/dist/adapters/resend-email.js +109 -0
package/dist/adapters/resend-email.js.map +1 -0
package/dist/adapters/searxng-instance.d.ts +6 -0
package/dist/adapters/searxng-instance.js +240 -0
package/dist/adapters/searxng-instance.js.map +1 -0
package/dist/adapters/sentry-monitoring.d.ts +7 -0
package/dist/adapters/sentry-monitoring.js +27 -0
package/dist/adapters/sentry-monitoring.js.map +1 -0
package/dist/adapters/stripe-payments.d.ts +6 -0
package/dist/adapters/stripe-payments.js +134 -0
package/dist/adapters/stripe-payments.js.map +1 -0
package/dist/adapters/supabase-db.d.ts +6 -0
package/dist/adapters/supabase-db.js +130 -0
package/dist/adapters/supabase-db.js.map +1 -0
package/dist/adapters/tinybird-analytics.d.ts +5 -0
package/dist/adapters/tinybird-analytics.js +20 -0
package/dist/adapters/tinybird-analytics.js.map +1 -0
package/dist/adapters/trigger-background.d.ts +6 -0
package/dist/adapters/trigger-background.js +20 -0
package/dist/adapters/trigger-background.js.map +1 -0
package/dist/adapters/types.d.ts +7 -0
package/dist/adapters/types.js +2 -0
package/dist/adapters/types.js.map +1 -0
package/dist/adapters/upstash-redis.d.ts +6 -0
package/dist/adapters/upstash-redis.js +88 -0
package/dist/adapters/upstash-redis.js.map +1 -0
package/dist/adapters/vercel-hosting.d.ts +6 -0
package/dist/adapters/vercel-hosting.js +112 -0
package/dist/adapters/vercel-hosting.js.map +1 -0
package/dist/agent-adapter-model.d.ts +108 -0
package/dist/agent-adapter-model.js +6 -0
package/dist/agent-adapter-model.js.map +1 -0
package/dist/agent-adapter-service.d.ts +67 -0
package/dist/agent-adapter-service.js +299 -0
package/dist/agent-adapter-service.js.map +1 -0
package/dist/agent-config.d.ts +56 -0
package/dist/agent-config.js +129 -0
package/dist/agent-config.js.map +1 -0
package/dist/agent-governance-model.d.ts +128 -0
package/dist/agent-governance-model.js +6 -0
package/dist/agent-governance-model.js.map +1 -0
package/dist/agent-governance-service.d.ts +101 -0
package/dist/agent-governance-service.js +319 -0
package/dist/agent-governance-service.js.map +1 -0
package/dist/alert-rules-engine.d.ts +102 -0
package/dist/alert-rules-engine.js +210 -0
package/dist/alert-rules-engine.js.map +1 -0
package/dist/analytics-service.d.ts +126 -0
package/dist/analytics-service.js +318 -0
package/dist/analytics-service.js.map +1 -0
package/dist/analyze.d.ts +19 -0
package/dist/analyze.js +311 -0
package/dist/analyze.js.map +1 -0
package/dist/apm-instrumentor.d.ts +119 -0
package/dist/apm-instrumentor.js +225 -0
package/dist/apm-instrumentor.js.map +1 -0
package/dist/approval-model.d.ts +82 -0
package/dist/approval-model.js +6 -0
package/dist/approval-model.js.map +1 -0
package/dist/approval-service.d.ts +39 -0
package/dist/approval-service.js +236 -0
package/dist/approval-service.js.map +1 -0
package/dist/approval.d.ts +22 -0
package/dist/approval.js +148 -0
package/dist/approval.js.map +1 -0
package/dist/audit-logging-model.d.ts +157 -0
package/dist/audit-logging-model.js +6 -0
package/dist/audit-logging-model.js.map +1 -0
package/dist/audit-logging-service.d.ts +89 -0
package/dist/audit-logging-service.js +367 -0
package/dist/audit-logging-service.js.map +1 -0
package/dist/audit-secrets.d.ts +42 -0
package/dist/audit-secrets.js +126 -0
package/dist/audit-secrets.js.map +1 -0
package/dist/audit.d.ts +43 -0
package/dist/audit.js +286 -0
package/dist/audit.js.map +1 -0
package/dist/author-dashboard.d.ts +84 -0
package/dist/author-dashboard.js +204 -0
package/dist/author-dashboard.js.map +1 -0
package/dist/author-notifications.d.ts +130 -0
package/dist/author-notifications.js +261 -0
package/dist/author-notifications.js.map +1 -0
package/dist/author-verification.d.ts +79 -0
package/dist/author-verification.js +257 -0
package/dist/author-verification.js.map +1 -0
package/dist/autonomous-setup-model.d.ts +117 -0
package/dist/autonomous-setup-model.js +6 -0
package/dist/autonomous-setup-model.js.map +1 -0
package/dist/autonomous-setup-service.d.ts +74 -0
package/dist/autonomous-setup-service.js +325 -0
package/dist/autonomous-setup-service.js.map +1 -0
package/dist/badge-system.d.ts +70 -0
package/dist/badge-system.js +210 -0
package/dist/badge-system.js.map +1 -0
package/dist/baseline.d.ts +34 -0
package/dist/baseline.js +78 -0
package/dist/baseline.js.map +1 -0
package/dist/beta-program-service.d.ts +112 -0
package/dist/beta-program-service.js +240 -0
package/dist/beta-program-service.js.map +1 -0
package/dist/budget.d.ts +34 -0
package/dist/budget.js +159 -0
package/dist/budget.js.map +1 -0
package/dist/bumblebee.d.ts +143 -0
package/dist/bumblebee.js +384 -0
package/dist/bumblebee.js.map +1 -0
package/dist/cache-manager.d.ts +97 -0
package/dist/cache-manager.js +244 -0
package/dist/cache-manager.js.map +1 -0
package/dist/cdn-adapter.d.ts +64 -0
package/dist/cdn-adapter.js +263 -0
package/dist/cdn-adapter.js.map +1 -0
package/dist/certification-workflow-model.d.ts +95 -0
package/dist/certification-workflow-model.js +6 -0
package/dist/certification-workflow-model.js.map +1 -0
package/dist/certification-workflow-service.d.ts +72 -0
package/dist/certification-workflow-service.js +305 -0
package/dist/certification-workflow-service.js.map +1 -0
package/dist/check-design.d.ts +38 -0
package/dist/check-design.js +256 -0
package/dist/check-design.js.map +1 -0
package/dist/check-gitignore.d.ts +39 -0
package/dist/check-gitignore.js +156 -0
package/dist/check-gitignore.js.map +1 -0
package/dist/check-hooks.d.ts +15 -0
package/dist/check-hooks.js +72 -0
package/dist/check-hooks.js.map +1 -0
package/dist/check-lock.d.ts +16 -0
package/dist/check-lock.js +94 -0
package/dist/check-lock.js.map +1 -0
package/dist/check-secrets.d.ts +11 -0
package/dist/check-secrets.js +320 -0
package/dist/check-secrets.js.map +1 -0
package/dist/check-security.d.ts +13 -0
package/dist/check-security.js +887 -0
package/dist/check-security.js.map +1 -0
package/dist/check-services.d.ts +10 -0
package/dist/check-services.js +44 -0
package/dist/check-services.js.map +1 -0
package/dist/check-skills.d.ts +8 -0
package/dist/check-skills.js +26 -0
package/dist/check-skills.js.map +1 -0
package/dist/check-tests.d.ts +43 -0
package/dist/check-tests.js +175 -0
package/dist/check-tests.js.map +1 -0
package/dist/check-tools.d.ts +8 -0
package/dist/check-tools.js +42 -0
package/dist/check-tools.js.map +1 -0
package/dist/check-web-search.d.ts +12 -0
package/dist/check-web-search.js +168 -0
package/dist/check-web-search.js.map +1 -0
package/dist/ci-cd-publisher.d.ts +162 -0
package/dist/ci-cd-publisher.js +319 -0
package/dist/ci-cd-publisher.js.map +1 -0
package/dist/cli.d.ts +2 -0
package/dist/cli.js +4074 -0
package/dist/cli.js.map +1 -0
package/dist/clone.d.ts +25 -0
package/dist/clone.js +73 -0
package/dist/clone.js.map +1 -0
package/dist/completions.d.ts +8 -0
package/dist/completions.js +250 -0
package/dist/completions.js.map +1 -0
package/dist/compression-manager.d.ts +107 -0
package/dist/compression-manager.js +250 -0
package/dist/compression-manager.js.map +1 -0
package/dist/config.d.ts +233 -0
package/dist/config.js +255 -0
package/dist/config.js.map +1 -0
package/dist/context.d.ts +38 -0
package/dist/context.js +86 -0
package/dist/context.js.map +1 -0
package/dist/cost-monitor.d.ts +72 -0
package/dist/cost-monitor.js +218 -0
package/dist/cost-monitor.js.map +1 -0
package/dist/create-plugin.d.ts +22 -0
package/dist/create-plugin.js +266 -0
package/dist/create-plugin.js.map +1 -0
package/dist/database.d.ts +123 -0
package/dist/database.js +354 -0
package/dist/database.js.map +1 -0
package/dist/datadog-adapter.d.ts +60 -0
package/dist/datadog-adapter.js +245 -0
package/dist/datadog-adapter.js.map +1 -0
package/dist/doctor.d.ts +15 -0
package/dist/doctor.js +131 -0
package/dist/doctor.js.map +1 -0
package/dist/documentation-generator.d.ts +226 -0
package/dist/documentation-generator.js +348 -0
package/dist/documentation-generator.js.map +1 -0
package/dist/elevation-scopes.d.ts +40 -0
package/dist/elevation-scopes.js +110 -0
package/dist/elevation-scopes.js.map +1 -0
package/dist/elevation.d.ts +102 -0
package/dist/elevation.js +449 -0
package/dist/elevation.js.map +1 -0
package/dist/env-diff.d.ts +27 -0
package/dist/env-diff.js +104 -0
package/dist/env-diff.js.map +1 -0
package/dist/env-inspect.d.ts +28 -0
package/dist/env-inspect.js +81 -0
package/dist/env-inspect.js.map +1 -0
package/dist/env-switch.d.ts +37 -0
package/dist/env-switch.js +102 -0
package/dist/env-switch.js.map +1 -0
package/dist/environment.d.ts +27 -0
package/dist/environment.js +148 -0
package/dist/environment.js.map +1 -0
package/dist/error-tracker.d.ts +92 -0
package/dist/error-tracker.js +206 -0
package/dist/error-tracker.js.map +1 -0
package/dist/escalate.d.ts +11 -0
package/dist/escalate.js +73 -0
package/dist/escalate.js.map +1 -0
package/dist/event-stream.d.ts +81 -0
package/dist/event-stream.js +161 -0
package/dist/event-stream.js.map +1 -0
package/dist/fix.d.ts +42 -0
package/dist/fix.js +419 -0
package/dist/fix.js.map +1 -0
package/dist/governance-middleware.d.ts +22 -0
package/dist/governance-middleware.js +173 -0
package/dist/governance-middleware.js.map +1 -0
package/dist/governance.d.ts +44 -0
package/dist/governance.js +236 -0
package/dist/governance.js.map +1 -0
package/dist/hooks.d.ts +25 -0
package/dist/hooks.js +281 -0
package/dist/hooks.js.map +1 -0
package/dist/id-generator.d.ts +43 -0
package/dist/id-generator.js +47 -0
package/dist/id-generator.js.map +1 -0
package/dist/image-optimizer.d.ts +92 -0
package/dist/image-optimizer.js +202 -0
package/dist/image-optimizer.js.map +1 -0
package/dist/install.d.ts +15 -0
package/dist/install.js +59 -0
package/dist/install.js.map +1 -0
package/dist/lock.d.ts +82 -0
package/dist/lock.js +264 -0
package/dist/lock.js.map +1 -0
package/dist/login.d.ts +23 -0
package/dist/login.js +132 -0
package/dist/login.js.map +1 -0
package/dist/mcp-kit-tools-model.d.ts +195 -0
package/dist/mcp-kit-tools-model.js +6 -0
package/dist/mcp-kit-tools-model.js.map +1 -0
package/dist/mcp-kit-tools-service.d.ts +127 -0
package/dist/mcp-kit-tools-service.js +943 -0
package/dist/mcp-kit-tools-service.js.map +1 -0
package/dist/mcp-orchestrator.d.ts +70 -0
package/dist/mcp-orchestrator.js +175 -0
package/dist/mcp-orchestrator.js.map +1 -0
package/dist/mcp-server.d.ts +3 -0
package/dist/mcp-server.js +722 -0
package/dist/mcp-server.js.map +1 -0
package/dist/middleware/rate-limiter.d.ts +74 -0
package/dist/middleware/rate-limiter.js +342 -0
package/dist/middleware/rate-limiter.js.map +1 -0
package/dist/migration-runner.d.ts +66 -0
package/dist/migration-runner.js +192 -0
package/dist/migration-runner.js.map +1 -0
package/dist/migrations.d.ts +25 -0
package/dist/migrations.js +530 -0
package/dist/migrations.js.map +1 -0
package/dist/moderation-system.d.ts +153 -0
package/dist/moderation-system.js +338 -0
package/dist/moderation-system.js.map +1 -0
package/dist/multi-agent-workflow-model.d.ts +125 -0
package/dist/multi-agent-workflow-model.js +6 -0
package/dist/multi-agent-workflow-model.js.map +1 -0
package/dist/multi-agent-workflow-service.d.ts +102 -0
package/dist/multi-agent-workflow-service.js +452 -0
package/dist/multi-agent-workflow-service.js.map +1 -0
package/dist/onepassword.d.ts +75 -0
package/dist/onepassword.js +140 -0
package/dist/onepassword.js.map +1 -0
package/dist/open.d.ts +30 -0
package/dist/open.js +166 -0
package/dist/open.js.map +1 -0
package/dist/output.d.ts +32 -0
package/dist/output.js +295 -0
package/dist/output.js.map +1 -0
package/dist/partner-service.d.ts +101 -0
package/dist/partner-service.js +191 -0
package/dist/partner-service.js.map +1 -0
package/dist/payout-service.d.ts +136 -0
package/dist/payout-service.js +293 -0
package/dist/payout-service.js.map +1 -0
package/dist/pkg.d.ts +30 -0
package/dist/pkg.js +162 -0
package/dist/pkg.js.map +1 -0
package/dist/plugin-loader.d.ts +16 -0
package/dist/plugin-loader.js +124 -0
package/dist/plugin-loader.js.map +1 -0
package/dist/plugin-registry-model.d.ts +133 -0
package/dist/plugin-registry-model.js +6 -0
package/dist/plugin-registry-model.js.map +1 -0
package/dist/plugin-registry-service.d.ts +109 -0
package/dist/plugin-registry-service.js +361 -0
package/dist/plugin-registry-service.js.map +1 -0
package/dist/plugin-registry.d.ts +58 -0
package/dist/plugin-registry.js +108 -0
package/dist/plugin-registry.js.map +1 -0
package/dist/plugin-updates.d.ts +135 -0
package/dist/plugin-updates.js +326 -0
package/dist/plugin-updates.js.map +1 -0
package/dist/plugins-cli.d.ts +7 -0
package/dist/plugins-cli.js +157 -0
package/dist/plugins-cli.js.map +1 -0
package/dist/plugins.d.ts +88 -0
package/dist/plugins.js +251 -0
package/dist/plugins.js.map +1 -0
package/dist/policy.d.ts +66 -0
package/dist/policy.js +160 -0
package/dist/policy.js.map +1 -0
package/dist/post-pull-audit.d.ts +39 -0
package/dist/post-pull-audit.js +151 -0
package/dist/post-pull-audit.js.map +1 -0
package/dist/provision.d.ts +17 -0
package/dist/provision.js +147 -0
package/dist/provision.js.map +1 -0
package/dist/query-optimizer.d.ts +102 -0
package/dist/query-optimizer.js +199 -0
package/dist/query-optimizer.js.map +1 -0
package/dist/read-only-mode.d.ts +46 -0
package/dist/read-only-mode.js +71 -0
package/dist/read-only-mode.js.map +1 -0
package/dist/redis-adapter.d.ts +71 -0
package/dist/redis-adapter.js +278 -0
package/dist/redis-adapter.js.map +1 -0
package/dist/resilience-tests.d.ts +120 -0
package/dist/resilience-tests.js +293 -0
package/dist/resilience-tests.js.map +1 -0
package/dist/revocation.d.ts +22 -0
package/dist/revocation.js +100 -0
package/dist/revocation.js.map +1 -0
package/dist/run.d.ts +21 -0
package/dist/run.js +80 -0
package/dist/run.js.map +1 -0
package/dist/scan-build.d.ts +18 -0
package/dist/scan-build.js +100 -0
package/dist/scan-build.js.map +1 -0
package/dist/scan-plaintext.d.ts +24 -0
package/dist/scan-plaintext.js +147 -0
package/dist/scan-plaintext.js.map +1 -0
package/dist/scan-staged.d.ts +15 -0
package/dist/scan-staged.js +70 -0
package/dist/scan-staged.js.map +1 -0
package/dist/scan-transcripts.d.ts +23 -0
package/dist/scan-transcripts.js +93 -0
package/dist/scan-transcripts.js.map +1 -0
package/dist/secret-backends.d.ts +50 -0
package/dist/secret-backends.js +510 -0
package/dist/secret-backends.js.map +1 -0
package/dist/secret-expiration.d.ts +46 -0
package/dist/secret-expiration.js +172 -0
package/dist/secret-expiration.js.map +1 -0
package/dist/secrets-migrate.d.ts +75 -0
package/dist/secrets-migrate.js +185 -0
package/dist/secrets-migrate.js.map +1 -0
package/dist/secrets-model.d.ts +77 -0
package/dist/secrets-model.js +6 -0
package/dist/secrets-model.js.map +1 -0
package/dist/secrets-onecli.d.ts +65 -0
package/dist/secrets-onecli.js +113 -0
package/dist/secrets-onecli.js.map +1 -0
package/dist/secrets-propagate.d.ts +48 -0
package/dist/secrets-propagate.js +201 -0
package/dist/secrets-propagate.js.map +1 -0
package/dist/secrets-pull.d.ts +34 -0
package/dist/secrets-pull.js +118 -0
package/dist/secrets-pull.js.map +1 -0
package/dist/secrets-purge-history.d.ts +53 -0
package/dist/secrets-purge-history.js +144 -0
package/dist/secrets-purge-history.js.map +1 -0
package/dist/secrets-rotate-cli.d.ts +54 -0
package/dist/secrets-rotate-cli.js +438 -0
package/dist/secrets-rotate-cli.js.map +1 -0
package/dist/secrets-rotate.d.ts +38 -0
package/dist/secrets-rotate.js +65 -0
package/dist/secrets-rotate.js.map +1 -0
package/dist/secrets-service.d.ts +73 -0
package/dist/secrets-service.js +283 -0
package/dist/secrets-service.js.map +1 -0
package/dist/secrets-set.d.ts +25 -0
package/dist/secrets-set.js +33 -0
package/dist/secrets-set.js.map +1 -0
package/dist/secrets-sync.d.ts +21 -0
package/dist/secrets-sync.js +215 -0
package/dist/secrets-sync.js.map +1 -0
package/dist/secrets-validate.d.ts +41 -0
package/dist/secrets-validate.js +126 -0
package/dist/secrets-validate.js.map +1 -0
package/dist/secrets-vault-migrate.d.ts +71 -0
package/dist/secrets-vault-migrate.js +258 -0
package/dist/secrets-vault-migrate.js.map +1 -0
package/dist/secrets.d.ts +16 -0
package/dist/secrets.js +72 -0
package/dist/secrets.js.map +1 -0
package/dist/security-hardening.d.ts +150 -0
package/dist/security-hardening.js +275 -0
package/dist/security-hardening.js.map +1 -0
package/dist/security-policy.d.ts +89 -0
package/dist/security-policy.js +174 -0
package/dist/security-policy.js.map +1 -0
package/dist/security-prescan.d.ts +117 -0
package/dist/security-prescan.js +566 -0
package/dist/security-prescan.js.map +1 -0
package/dist/sentry-adapter.d.ts +49 -0
package/dist/sentry-adapter.js +227 -0
package/dist/sentry-adapter.js.map +1 -0
package/dist/service-adapter.d.ts +94 -0
package/dist/service-adapter.js +162 -0
package/dist/service-adapter.js.map +1 -0
package/dist/skills.d.ts +13 -0
package/dist/skills.js +17 -0
package/dist/skills.js.map +1 -0
package/dist/sla-monitor.d.ts +107 -0
package/dist/sla-monitor.js +233 -0
package/dist/sla-monitor.js.map +1 -0
package/dist/stack-detector.d.ts +12 -0
package/dist/stack-detector.js +251 -0
package/dist/stack-detector.js.map +1 -0
package/dist/team-model.d.ts +58 -0
package/dist/team-model.js +83 -0
package/dist/team-model.js.map +1 -0
package/dist/team-service.d.ts +54 -0
package/dist/team-service.js +206 -0
package/dist/team-service.js.map +1 -0
package/dist/toml-generator.d.ts +8 -0
package/dist/toml-generator.js +223 -0
package/dist/toml-generator.js.map +1 -0
package/dist/triage-sandbox.d.ts +34 -0
package/dist/triage-sandbox.js +167 -0
package/dist/triage-sandbox.js.map +1 -0
package/dist/triage.d.ts +30 -0
package/dist/triage.js +79 -0
package/dist/triage.js.map +1 -0
package/dist/update-check.d.ts +13 -0
package/dist/update-check.js +91 -0
package/dist/update-check.js.map +1 -0
package/dist/utils/colors.d.ts +14 -0
package/dist/utils/colors.js +15 -0
package/dist/utils/colors.js.map +1 -0
package/dist/utils/didYouMean.d.ts +15 -0
package/dist/utils/didYouMean.js +47 -0
package/dist/utils/didYouMean.js.map +1 -0
package/dist/utils/exec.d.ts +21 -0
package/dist/utils/exec.js +23 -0
package/dist/utils/exec.js.map +1 -0
package/dist/utils/execFileNoThrow.d.ts +14 -0
package/dist/utils/execFileNoThrow.js +29 -0
package/dist/utils/execFileNoThrow.js.map +1 -0
package/dist/utils/flags.d.ts +19 -0
package/dist/utils/flags.js +36 -0
package/dist/utils/flags.js.map +1 -0
package/dist/utils/parseCommand.d.ts +16 -0
package/dist/utils/parseCommand.js +13 -0
package/dist/utils/parseCommand.js.map +1 -0
package/dist/utils/prompt.d.ts +13 -0
package/dist/utils/prompt.js +35 -0
package/dist/utils/prompt.js.map +1 -0
package/dist/utils/promptSelect.d.ts +19 -0
package/dist/utils/promptSelect.js +89 -0
package/dist/utils/promptSelect.js.map +1 -0
package/dist/utils/redactSecrets.d.ts +24 -0
package/dist/utils/redactSecrets.js +134 -0
package/dist/utils/redactSecrets.js.map +1 -0
package/dist/validation/dynamic-schema.d.ts +29 -0
package/dist/validation/dynamic-schema.js +76 -0
package/dist/validation/dynamic-schema.js.map +1 -0
package/package.json +52 -0

package/dist/secrets-purge-history.js ADDED Viewed

@@ -0,0 +1,144 @@
+/**
+ * Destructive git-history secret scrubbing — opt-in only.
+ *
+ * When a credential lands in a committed file the next thing to do is
+ * rotate it; the value in `git log` keeps leaking until the history is
+ * rewritten. This module wraps `git filter-repo` (preferred) or `bfg-repo-
+ * cleaner` (fallback) to remove the value from every commit in the repo.
+ *
+ * **Destructive**: rewrites every commit hash from the first affected commit
+ * forward, force-pushing is required afterwards, and every existing clone
+ * (including CI runners, teammates' laptops, deploy pipelines that fork
+ * from the same remote) must re-clone — pulling won't catch up cleanly.
+ *
+ * For this reason the CLI surface always requires:
+ *   1. A live elevation marker (from `kit auth elevate`)
+ *   2. An explicit `--force-history` flag — no auto-run, no default
+ *   3. Confirmation prompt with the full impact spelled out, unless
+ *      `--yes` is set (CI escape hatch; still requires elevation)
+ */
+import { writeFile, mkdtemp, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { exec } from "./utils/exec.js";
+export async function detectTools() {
+    let filterRepoAvailable = false;
+    let bfgAvailable = false;
+    try {
+        await exec("git", ["filter-repo", "--version"], { timeout: 3_000 });
+        filterRepoAvailable = true;
+    }
+    catch {
+        /* not installed */
+    }
+    try {
+        await exec("bfg", ["--version"], { timeout: 3_000 });
+        bfgAvailable = true;
+    }
+    catch {
+        /* not installed */
+    }
+    return { filterRepoAvailable, bfgAvailable };
+}
+/**
+ * Reports how many commits in the current branch's history reference the
+ * pattern. Useful for showing impact before the destructive step.
+ */
+export async function previewMatches(pattern, cwd = process.cwd()) {
+    const { stdout: hashesOut } = await exec("git", ["log", "--pretty=%H", "-S", pattern, "--all"], { cwd, timeout: 30_000, maxBuffer: 10 * 1024 * 1024 }).catch(() => ({ stdout: "" }));
+    const hashes = hashesOut.split("\n").filter(Boolean);
+    const fileSet = new Set();
+    if (hashes.length > 0) {
+        // For the first up-to-10 matching commits, extract the changed files
+        // that mentioned the pattern so the user knows what got touched.
+        for (const h of hashes.slice(0, 10)) {
+            try {
+                const { stdout } = await exec("git", ["log", "-1", "--name-only", "--pretty=", "-S", pattern, h], { cwd, timeout: 10_000 });
+                for (const f of stdout.split("\n").filter(Boolean))
+                    fileSet.add(f);
+            }
+            catch {
+                /* skip */
+            }
+        }
+    }
+    return {
+        pattern,
+        matchedCommits: hashes.length,
+        matchedFiles: [...fileSet],
+        sampleHashes: hashes.slice(0, 5),
+    };
+}
+/**
+ * Runs `git filter-repo --replace-text <file>` where the replacement file
+ * contains one regex per line in `pattern==>***REDACTED***` syntax. Falls
+ * back to `bfg --replace-text` when filter-repo is missing. The replacement
+ * file is created in a tempdir and removed after the run.
+ *
+ * Caller is responsible for:
+ *   - confirming the destructive action with the user
+ *   - holding a fresh elevation marker
+ *   - communicating "force-push + re-clone for everyone" afterwards
+ */
+export async function purgeHistory(patterns, cwd = process.cwd()) {
+    if (patterns.length === 0) {
+        return {
+            toolUsed: "git-filter-repo",
+            ok: false,
+            detail: "no patterns provided",
+        };
+    }
+    const tools = await detectTools();
+    const dir = await mkdtemp(join(tmpdir(), "kit-purge-"));
+    try {
+        const replacementFile = join(dir, "replacements.txt");
+        // git filter-repo replace-text format: `literal==>REPLACEMENT` or
+        // `regex:<pattern>==>REPLACEMENT`. We default to literal for safety.
+        await writeFile(replacementFile, patterns.map((p) => `${p}==>***REMOVED***`).join("\n") + "\n", "utf-8");
+        if (tools.filterRepoAvailable) {
+            try {
+                const { stdout } = await exec("git", ["filter-repo", "--replace-text", replacementFile, "--force"], { cwd, timeout: 600_000, maxBuffer: 50 * 1024 * 1024 });
+                return {
+                    toolUsed: "git-filter-repo",
+                    ok: true,
+                    detail: stdout.split("\n").slice(-3).join(" ").trim() || "history rewritten",
+                };
+            }
+            catch (err) {
+                return {
+                    toolUsed: "git-filter-repo",
+                    ok: false,
+                    detail: err instanceof Error ? err.message.split("\n")[0] : String(err),
+                };
+            }
+        }
+        if (tools.bfgAvailable) {
+            try {
+                const { stdout } = await exec("bfg", ["--replace-text", replacementFile, cwd], { cwd, timeout: 600_000, maxBuffer: 50 * 1024 * 1024 });
+                // bfg leaves dangling refs; user must run `git reflog expire --expire=now --all && git gc --prune=now --aggressive`.
+                return {
+                    toolUsed: "bfg",
+                    ok: true,
+                    detail: `${stdout.split("\n").length} lines emitted; run \`git reflog expire --expire=now --all && git gc --prune=now --aggressive\` next`,
+                };
+            }
+            catch (err) {
+                return {
+                    toolUsed: "bfg",
+                    ok: false,
+                    detail: err instanceof Error ? err.message.split("\n")[0] : String(err),
+                };
+            }
+        }
+        return {
+            toolUsed: "git-filter-repo",
+            ok: false,
+            detail: "Neither `git filter-repo` nor `bfg` is installed. Install one: " +
+                "`pip install git-filter-repo` or `brew install bfg`.",
+        };
+    }
+    finally {
+        await rm(dir, { recursive: true, force: true });
+    }
+}
+//# sourceMappingURL=secrets-purge-history.js.map

package/dist/secrets-purge-history.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secrets-purge-history.js","sourceRoot":"","sources":["../src/secrets-purge-history.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAUvC,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,IAAI,mBAAmB,GAAG,KAAK,CAAC;IAChC,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,aAAa,EAAE,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACpE,mBAAmB,GAAG,IAAI,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,mBAAmB;IACrB,CAAC;IACD,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACrD,YAAY,GAAG,IAAI,CAAC;IACtB,CAAC;IAAC,MAAM,CAAC;QACP,mBAAmB;IACrB,CAAC;IACD,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,CAAC;AAC/C,CAAC;AASD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAe,EACf,MAAc,OAAO,CAAC,GAAG,EAAE;IAE3B,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,IAAI,CACtC,KAAK,EACL,CAAC,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,EAC9C,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CACtD,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;IAChC,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAErD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,qEAAqE;QACrE,iEAAiE;QACjE,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;YACpC,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,KAAK,EACL,CAAC,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,EAC3D,EAAE,GAAG,EAAE,OAAO,EAAE,MAAM,EAAE,CACzB,CAAC;gBACF,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;oBAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACrE,CAAC;YAAC,MAAM,CAAC;gBACP,UAAU;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,OAAO;QACP,cAAc,EAAE,MAAM,CAAC,MAAM;QAC7B,YAAY,EAAE,CAAC,GAAG,OAAO,CAAC;QAC1B,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;KACjC,CAAC;AACJ,CAAC;AAQD;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAkB,EAClB,MAAc,OAAO,CAAC,GAAG,EAAE;IAE3B,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,QAAQ,EAAE,iBAAiB;YAC3B,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,sBAAsB;SAC/B,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,WAAW,EAAE,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,YAAY,CAAC,CAAC,CAAC;IACxD,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACtD,kEAAkE;QAClE,qEAAqE;QACrE,MAAM,SAAS,CACb,eAAe,EACf,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,EAC7D,OAAO,CACR,CAAC;QAEF,IAAI,KAAK,CAAC,mBAAmB,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,KAAK,EACL,CAAC,aAAa,EAAE,gBAAgB,EAAE,eAAe,EAAE,SAAS,CAAC,EAC7D,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CACvD,CAAC;gBACF,OAAO;oBACL,QAAQ,EAAE,iBAAiB;oBAC3B,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,IAAI,mBAAmB;iBAC7E,CAAC;YACJ,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,OAAO;oBACL,QAAQ,EAAE,iBAAiB;oBAC3B,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxE,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAC3B,KAAK,EACL,CAAC,gBAAgB,EAAE,eAAe,EAAE,GAAG,CAAC,EACxC,EAAE,GAAG,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,CACvD,CAAC;gBACF,qHAAqH;gBACrH,OAAO;oBACL,QAAQ,EAAE,KAAK;oBACf,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,sGAAsG;iBAC3I,CAAC;YACJ,CAAC;YAAC,OAAO,GAAY,EAAE,CAAC;gBACtB,OAAO;oBACL,QAAQ,EAAE,KAAK;oBACf,EAAE,EAAE,KAAK;oBACT,MAAM,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxE,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO;YACL,QAAQ,EAAE,iBAAiB;YAC3B,EAAE,EAAE,KAAK;YACT,MAAM,EACJ,iEAAiE;gBACjE,sDAAsD;SACzD,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;AACH,CAAC"}

package/dist/secrets-rotate-cli.d.ts ADDED Viewed

@@ -0,0 +1,54 @@
+/**
+ * Service-native rotation playbooks.
+ *
+ * Full automation (kit calls provider admin API → new key minted →
+ * old key revoked) varies per provider and needs admin-tier credentials
+ * (Stripe API platform key, AWS IAM root, GCP project owner). kit's
+ * MVP gives a *guided* path instead:
+ *
+ *   1. Identify the provider from the key name + heuristic
+ *   2. Print the exact CLI commands to mint + revoke
+ *   3. Accept the new value back (`--value` after the user runs them)
+ *   4. Let the existing `kit secrets rotate` flow do the vault-write
+ *      + propagation
+ *
+ * The output is precise enough that an agent (with elevation) can pipe it
+ * to its own subprocess if it has the right credentials.
+ */
+export interface RotationPlaybook {
+    provider: "stripe" | "aws-iam" | "gcp-iam" | "github-pat" | "openai" | "unknown";
+    /** Step-by-step commands the user (or an authorized agent) should run. */
+    steps: string[];
+    /** Where to read the resulting new value back from. */
+    newValueSource: string;
+    /** Notes on rollback / revoke-old flow. */
+    revokeStep?: string;
+    /** Documentation link for the provider's official rotation flow. */
+    docsUrl?: string;
+}
+export declare function identifyProvider(keyName: string): RotationPlaybook["provider"];
+export declare function buildPlaybook(keyName: string): RotationPlaybook;
+/**
+ * `kit secrets rotate` CLI orchestration — extracted from cli.ts
+ * (codebase-review follow-up). cmdSecretsRotate is the dispatch entry;
+ * cmdSecretsRotateSupabaseMgmt handles the fully-automated Supabase
+ * Mgmt-API path; pickBackendOpts maps .kit.toml key-config to
+ * backend-write options.
+ */
+export declare function pickBackendOpts(secrets: {
+    keys?: Record<string, {
+        ref?: string;
+        azure_vault?: string;
+        gcp_project?: string;
+        aws_region?: string;
+        vault_path?: string;
+    }>;
+}, keyName: string, { envFallback }?: {
+    envFallback?: boolean;
+}): {
+    vault?: string;
+    project?: string;
+    region?: string;
+    vaultPath?: string;
+};
+export declare function cmdSecretsRotate(): Promise<boolean>;

package/dist/secrets-rotate-cli.js ADDED Viewed

@@ -0,0 +1,438 @@
+/**
+ * Service-native rotation playbooks.
+ *
+ * Full automation (kit calls provider admin API → new key minted →
+ * old key revoked) varies per provider and needs admin-tier credentials
+ * (Stripe API platform key, AWS IAM root, GCP project owner). kit's
+ * MVP gives a *guided* path instead:
+ *
+ *   1. Identify the provider from the key name + heuristic
+ *   2. Print the exact CLI commands to mint + revoke
+ *   3. Accept the new value back (`--value` after the user runs them)
+ *   4. Let the existing `kit secrets rotate` flow do the vault-write
+ *      + propagation
+ *
+ * The output is precise enough that an agent (with elevation) can pipe it
+ * to its own subprocess if it has the right credentials.
+ */
+export function identifyProvider(keyName) {
+    const upper = keyName.toUpperCase();
+    if (upper.startsWith("STRIPE_"))
+        return "stripe";
+    if (upper.startsWith("AWS_") || upper === "AWS_ACCESS_KEY_ID" || upper === "AWS_SECRET_ACCESS_KEY")
+        return "aws-iam";
+    if (upper.startsWith("GCP_") || upper.endsWith("_GOOGLE_APPLICATION_CREDENTIALS"))
+        return "gcp-iam";
+    if (upper.startsWith("GITHUB_") || upper === "GH_TOKEN")
+        return "github-pat";
+    if (upper.startsWith("OPENAI_"))
+        return "openai";
+    return "unknown";
+}
+export function buildPlaybook(keyName) {
+    const provider = identifyProvider(keyName);
+    switch (provider) {
+        case "stripe":
+            return {
+                provider,
+                steps: [
+                    "# Use Stripe Dashboard or API to roll a restricted key:",
+                    "#   https://dashboard.stripe.com/apikeys",
+                    "# Programmatic (requires platform/account API key):",
+                    "stripe api_keys create --restricted --description 'kit-rotated $(date +%FT%T)' --livemode false",
+                    "# Capture the returned 'secret' field; that is the new value.",
+                ],
+                newValueSource: "Stripe API response.secret",
+                revokeStep: "stripe api_keys revoke <old-key-id>   # after smoke-test confirms the new key works",
+                docsUrl: "https://docs.stripe.com/keys-best-practices",
+            };
+        case "aws-iam":
+            return {
+                provider,
+                steps: [
+                    "# Mint a fresh access-key pair for the same IAM user/role.",
+                    "# Requires IAM permission iam:CreateAccessKey on the target user.",
+                    "aws iam create-access-key --user-name <iam-user>",
+                    "# Read AccessKeyId + SecretAccessKey from the response and feed them",
+                    "# back into kit as a pair.",
+                ],
+                newValueSource: "aws iam create-access-key output",
+                revokeStep: "aws iam update-access-key --access-key-id <old-id> --status Inactive\naws iam delete-access-key --access-key-id <old-id>",
+                docsUrl: "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html",
+            };
+        case "gcp-iam":
+            return {
+                provider,
+                steps: [
+                    "# Create a new service-account key (RSA JSON or P12).",
+                    "gcloud iam service-accounts keys create new-key.json --iam-account=<sa-email>",
+                    "# Capture the contents of new-key.json (or just the private_key field).",
+                ],
+                newValueSource: "contents of new-key.json",
+                revokeStep: "gcloud iam service-accounts keys delete <old-key-id> --iam-account=<sa-email>",
+                docsUrl: "https://cloud.google.com/iam/docs/keys-create-delete",
+            };
+        case "github-pat":
+            return {
+                provider,
+                steps: [
+                    "# GitHub doesn't expose PAT creation via an API today; rotate via UI:",
+                    "#   https://github.com/settings/tokens",
+                    "# Create a new fine-grained PAT with the same scopes/expiry as the",
+                    "# one you're replacing.",
+                ],
+                newValueSource: "GitHub settings UI",
+                revokeStep: "Revoke the old PAT in the same UI (Delete button beside the entry).",
+                docsUrl: "https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens",
+            };
+        case "openai":
+            return {
+                provider,
+                steps: [
+                    "# OpenAI keys are dashboard-managed; create a fresh one via:",
+                    "#   https://platform.openai.com/api-keys",
+                    "# Optional: pin a per-key spend cap when you create it.",
+                ],
+                newValueSource: "OpenAI dashboard 'Create new secret key' modal",
+                revokeStep: "Revoke the old key in the same dashboard.",
+                docsUrl: "https://platform.openai.com/docs/guides/production-best-practices/api-keys",
+            };
+        case "unknown":
+            return {
+                provider,
+                steps: [
+                    "# kit doesn't have a service-native playbook for this key.",
+                    "# Falling back to opaque rotation: --random generates a fresh",
+                    "# token, but the provider may reject anything but their own format.",
+                ],
+                newValueSource: "manual / provider-specific",
+            };
+    }
+}
+import { loadConfig } from "./config.js";
+import { resolve } from "node:path";
+import { isNonInteractive } from "./environment.js";
+import { writeSecretToBackend } from "./secrets-migrate.js";
+import { planRotation } from "./secrets-rotate.js";
+import { requireElevation, consumeElevation } from "./elevation.js";
+import { propagate, parseTargets, ALL_TARGETS } from "./secrets-propagate.js";
+import { promptConfirm } from "./utils/prompt.js";
+import { c } from "./utils/colors.js";
+function resolveConfigPath() {
+    return resolve(process.cwd(), ".kit.toml");
+}
+/**
+ * `kit secrets rotate` CLI orchestration — extracted from cli.ts
+ * (codebase-review follow-up). cmdSecretsRotate is the dispatch entry;
+ * cmdSecretsRotateSupabaseMgmt handles the fully-automated Supabase
+ * Mgmt-API path; pickBackendOpts maps .kit.toml key-config to
+ * backend-write options.
+ */
+export function pickBackendOpts(secrets, keyName, { envFallback = false } = {}) {
+    const opts = {};
+    const key = secrets.keys?.[keyName] ?? Object.values(secrets.keys ?? {})[0];
+    if (key?.ref) {
+        const m = key.ref.match(/^op:\/\/([^/]+)\/([^/]+)\//);
+        if (m) {
+            opts.vault = m[1];
+            opts.project = m[2];
+        }
+    }
+    // envFallback (migrate/rotate flows): fall back to the platform's standard env
+    // vars when the .kit.toml key doesn't pin a value. Never clobber a value
+    // already derived from the 1Password ref above.
+    if (key?.azure_vault)
+        opts.vault = key.azure_vault;
+    else if (envFallback && !opts.vault && process.env.AZURE_KEYVAULT_NAME)
+        opts.vault = process.env.AZURE_KEYVAULT_NAME;
+    if (key?.gcp_project)
+        opts.project = key.gcp_project;
+    else if (envFallback && !opts.project && (process.env.GCP_PROJECT || process.env.GOOGLE_CLOUD_PROJECT))
+        opts.project = process.env.GCP_PROJECT || process.env.GOOGLE_CLOUD_PROJECT;
+    if (key?.aws_region)
+        opts.region = key.aws_region;
+    else if (envFallback && process.env.AWS_REGION)
+        opts.region = process.env.AWS_REGION;
+    if (key?.vault_path)
+        opts.vaultPath = key.vault_path;
+    return opts;
+}
+async function cmdSecretsRotateSupabaseMgmt(keyName, args) {
+    console.log(`${c.bold}${c.cyan}kit secrets rotate --via supabase-mgmt-api${c.reset}`);
+    console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
+    // Project ref: --project <ref> flag or SUPABASE_PROJECT_REF env var.
+    const projectIdx = args.indexOf("--project");
+    const projectRef = projectIdx >= 0 ? args[projectIdx + 1] : process.env.SUPABASE_PROJECT_REF;
+    if (!projectRef) {
+        console.error(`${c.red}--project <ref> required (or set SUPABASE_PROJECT_REF).${c.reset}`);
+        console.error(`${c.dim}Find your project ref at https://supabase.com/dashboard/project/_/settings/general (URL contains the ref).${c.reset}`);
+        return false;
+    }
+    // Rotation mode: explicit --mode, otherwise auto-detect from project state.
+    const modeIdx = args.indexOf("--mode");
+    let mode = modeIdx >= 0 ? args[modeIdx + 1] : undefined;
+    if (mode !== undefined && mode !== "scoped-key-mint" && mode !== "jwt-secret-roll") {
+        console.error(`${c.red}Invalid --mode "${mode}" — use "scoped-key-mint" or "jwt-secret-roll".${c.reset}`);
+        return false;
+    }
+    const explicitMode = mode !== undefined;
+    const dryRun = args.includes("--dry-run");
+    const force = args.includes("--force");
+    // Lazy-import the workspace plugin so kit core boots fine without it.
+    const supabase = await import("sandstream-kit-plugin-supabase").catch(() => null);
+    if (!supabase) {
+        console.error(`${c.red}sandstream-kit-plugin-supabase not installed. Run ${c.bold}npm install sandstream-kit-plugin-supabase${c.reset}${c.red} or build the workspace.${c.reset}`);
+        return false;
+    }
+    // Preview pass — confirms the PAT works AND detects which mode is
+    // compatible. Today's incident was caused by minting a scoped key in a
+    // project that PostgREST still treats as JWT-only.
+    const preview = await supabase.previewSupabaseRotation({ projectRef });
+    if (!preview.ok) {
+        console.error(`${c.red}✗ Supabase Management API: ${preview.error}${c.reset}`);
+        return false;
+    }
+    console.log(`${c.dim}PAT verified. Project has ${preview.existingKeyCount} API key(s).${c.reset}`);
+    if (preview.keyMode) {
+        console.log(`${c.dim}Key mode: scoped=${preview.keyMode.supportsScopedKeys}, legacy-jwt=${preview.keyMode.supportsLegacyJwt}${c.reset}`);
+    }
+    // Default to the recommended mode when the user didn't pin one.
+    if (!mode) {
+        mode = (preview.recommendedMode ?? "scoped-key-mint");
+    }
+    console.log(`${c.dim}Mode: ${c.bold}${mode}${c.reset}${c.dim}${explicitMode ? "" : " (auto)"}${c.reset}`);
+    // If the explicit mode conflicts with what the project supports, warn
+    // loudly and require --force. This is the gate that would have prevented
+    // the 2026-06-03 prod break.
+    if (explicitMode &&
+        preview.keyMode &&
+        mode === "scoped-key-mint" &&
+        !preview.keyMode.supportsScopedKeys &&
+        preview.keyMode.supportsLegacyJwt) {
+        console.error(`${c.red}✗ Refusing scoped-key-mint: project still uses legacy JWT keys.${c.reset}`);
+        console.error(`${c.dim}A scoped key minted now would be treated as anon by PostgREST and break every service_role call.${c.reset}`);
+        console.error(`${c.dim}Recommended: ${c.bold}--mode jwt-secret-roll${c.reset}${c.dim} (invalidates all tokens) or migrate the project to scoped keys first.${c.reset}`);
+        if (!force) {
+            console.error(`${c.dim}Override with ${c.bold}--force${c.reset}${c.dim} if you know what you're doing.${c.reset}\n`);
+            return false;
+        }
+        console.error(`${c.yellow}--force set; proceeding with scoped-key-mint despite incompatibility.${c.reset}\n`);
+    }
+    if (preview.warning && !explicitMode) {
+        console.log(`${c.yellow}⚠ ${preview.warning}${c.reset}`);
+    }
+    if (mode === "jwt-secret-roll") {
+        console.warn(`${c.yellow}⚠ jwt-secret-roll invalidates EVERY existing token (anon, service_role, signed URLs, active sessions).${c.reset}`);
+    }
+    console.log();
+    if (dryRun) {
+        console.log(`${c.dim}--dry-run: not rotating. Remove flag to proceed.${c.reset}\n`);
+        return true;
+    }
+    // S12 elevation required for rotation. jwt-secret-roll is a hard cutover
+    // — one elevation = one rotation. Other modes (scoped-key-mint with
+    // rollback) keep the standard 15-min TTL.
+    const elev = mode === "jwt-secret-roll"
+        ? await consumeElevation("rotate")
+        : await requireElevation("rotate");
+    if (!elev.ok) {
+        console.error(`${c.red}✗ ${elev.reason}${c.reset}`);
+        return false;
+    }
+    // Interactive confirmation for jwt-secret-roll (destructive); a YES prompt
+    // for scoped-key-mint is enough since old tokens stay live.
+    if (!isNonInteractive()) {
+        const confirmMsg = mode === "jwt-secret-roll"
+            ? `Confirm jwt-secret-roll (HARD CUTOVER) [y/N, auto-no in 15s]: `
+            : `Mint new scoped key? [Y/n, auto-yes in 10s]: `;
+        // jwt-secret-roll is an irreversible HARD CUTOVER and its prompt promises
+        // "auto-no" — fail closed on walk-away/pipe. Scoped-key mint is additive → auto-yes.
+        const ok = await promptConfirm(confirmMsg, mode === "jwt-secret-roll" ? 15_000 : 10_000, mode !== "jwt-secret-roll");
+        if (!ok && mode === "jwt-secret-roll") {
+            console.log(`${c.dim}Aborted.${c.reset}`);
+            return false;
+        }
+    }
+    const outcome = await supabase.rotateSupabaseKey({ projectRef, mode });
+    if (!outcome.ok || !outcome.result) {
+        console.error(`${c.red}✗ ${outcome.error ?? "rotation failed"}${c.reset}`);
+        return false;
+    }
+    const newValue = outcome.result.newKey ?? outcome.result.newJwtSecret;
+    if (!newValue) {
+        console.error(`${c.red}✗ Rotation completed but no key was returned in the response. Check the Supabase Dashboard.${c.reset}`);
+        return false;
+    }
+    console.log(`  ${c.green}✓${c.reset} ${mode} succeeded.  ${c.dim}new value is ${newValue.length} chars${c.reset}`);
+    // Wire through the existing vault-write path so the new value lands in
+    // the configured upstream vault and the placeholder logic stays consistent.
+    const config = await loadConfig(resolveConfigPath());
+    if (!config.secrets?.store || config.secrets.store === "env") {
+        console.warn(`${c.yellow}⚠ No upstream vault configured. New value printed once below — copy it now.${c.reset}\n`);
+        console.log(`${newValue}\n`);
+        return true;
+    }
+    const writeResult = await writeSecretToBackend(config.secrets.store, keyName, newValue, pickBackendOpts(config.secrets, keyName));
+    if (!writeResult.ok) {
+        console.error(`${c.red}✗ vault write failed: ${writeResult.detail}${c.reset}`);
+        console.error(`${c.yellow}New value (copy now — it won't be shown again):${c.reset}\n${newValue}\n`);
+        return false;
+    }
+    console.log(`  ${c.green}✓${c.reset} wrote to vault (${config.secrets.store})`);
+    console.log(`\n${c.dim}Next: re-run with ${c.bold}--propagate vercel,github${c.reset}${c.dim} to push to deploy targets.${c.reset}\n`);
+    return true;
+}
+export async function cmdSecretsRotate() {
+    console.log(`${c.bold}${c.cyan}kit secrets rotate${c.reset}`);
+    console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
+    const args = process.argv.slice(4);
+    const keyName = args[0];
+    if (!keyName || keyName.startsWith("--")) {
+        console.error(`${c.red}Usage: kit secrets rotate <KEY> [--value <new>] [--random [N]] [--dry-run]${c.reset}`);
+        return false;
+    }
+    const valueIdx = args.indexOf("--value");
+    const explicitValue = valueIdx >= 0 ? args[valueIdx + 1] : undefined;
+    const randomIdx = args.indexOf("--random");
+    let randomFlag;
+    if (randomIdx >= 0) {
+        const next = args[randomIdx + 1];
+        if (next && /^\d+$/.test(next)) {
+            randomFlag = Number.parseInt(next, 10);
+        }
+        else {
+            randomFlag = true;
+        }
+    }
+    const dryRun = args.includes("--dry-run");
+    const fromCli = args.includes("--from-cli");
+    const viaIdx = args.indexOf("--via");
+    const via = viaIdx >= 0 ? args[viaIdx + 1] : undefined;
+    // ── Supabase Management API rotation ─────────────────────────────────────
+    if (via === "supabase-mgmt-api") {
+        return await cmdSecretsRotateSupabaseMgmt(keyName, args);
+    }
+    // ── R3: service-native playbook ──────────────────────────────────────────
+    // When --from-cli is set, print the provider-specific rotation steps
+    // BEFORE asking for --value. Useful as a guided workflow: the user
+    // (or an authorized agent) runs the provider CLI, copies the new
+    // value, then re-runs `kit secrets rotate <KEY> --value <new>`.
+    if (fromCli) {
+        const playbook = buildPlaybook(keyName);
+        console.log(`${c.bold}${c.cyan}kit secrets rotate --from-cli${c.reset}`);
+        console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
+        console.log(`${c.bold}Provider:${c.reset} ${c.bold}${playbook.provider}${c.reset}  ${c.dim}(detected from key name)${c.reset}\n`);
+        console.log(`${c.bold}Steps to mint the new credential:${c.reset}`);
+        for (const step of playbook.steps) {
+            const isComment = step.startsWith("#");
+            console.log(isComment
+                ? `  ${c.dim}${step}${c.reset}`
+                : `  ${c.green}$${c.reset} ${step}`);
+        }
+        console.log();
+        console.log(`${c.bold}New value source:${c.reset} ${c.dim}${playbook.newValueSource}${c.reset}`);
+        if (playbook.revokeStep) {
+            console.log(`${c.bold}Revoke the old key (after smoke-test):${c.reset}`);
+            for (const line of playbook.revokeStep.split("\n")) {
+                console.log(`  ${c.yellow}$${c.reset} ${line}`);
+            }
+        }
+        if (playbook.docsUrl) {
+            console.log(`${c.dim}Docs: ${playbook.docsUrl}${c.reset}`);
+        }
+        console.log();
+        console.log(`${c.dim}When you have the new value, re-run: ${c.bold}kit secrets rotate ${keyName} --value <new>${c.reset}${c.dim} (or pipe it with --value file:///path).${c.reset}\n`);
+        return true;
+    }
+    const config = await loadConfig(resolveConfigPath());
+    if (!config.secrets?.store || config.secrets.store === "env") {
+        console.error(`${c.red}No vault configured in .kit.toml — set ${c.bold}[secrets].store${c.reset}${c.red} first.${c.reset}`);
+        return false;
+    }
+    const result = planRotation(keyName, config.secrets, {
+        value: explicitValue,
+        random: randomFlag,
+    });
+    if ("error" in result) {
+        console.error(`${c.red}${result.error}${c.reset}`);
+        return false;
+    }
+    const { plan, value } = result;
+    console.log(`${c.bold}Plan${c.reset}  ${c.dim}rotate ${plan.key} → ${plan.store} (source: ${plan.source}, ${plan.newValueLength} chars)${c.reset}\n`);
+    if (dryRun) {
+        console.log(`${c.dim}--dry-run: not writing. Remove flag to perform rotation.${c.reset}\n`);
+        return true;
+    }
+    // S12: gate destructive op behind explicit elevation.
+    const elev = await requireElevation("rotate");
+    if (!elev.ok) {
+        console.error(`${c.red}✗ ${elev.reason}${c.reset}`);
+        return false;
+    }
+    // Build the same backend-options the migrate flow uses so we land in the
+    // right vault / region / project / Azure vault.
+    const backendOpts = pickBackendOpts(config.secrets, keyName, { envFallback: true });
+    const writeResult = await writeSecretToBackend(plan.store, plan.key, value, backendOpts);
+    if (!writeResult.ok) {
+        console.error(`${c.red}✗ ${writeResult.detail}${c.reset}`);
+        return false;
+    }
+    console.log(`  ${c.green}✓${c.reset} ${writeResult.detail}\n`);
+    // ── R2: propagate to deploy platforms ────────────────────────────────────
+    const propagateIdx = args.indexOf("--propagate");
+    if (propagateIdx >= 0) {
+        const spec = args[propagateIdx + 1];
+        const targets = spec ? parseTargets(spec) : [];
+        if (targets.length === 0) {
+            console.error(`${c.red}--propagate requires comma list. Valid: ${ALL_TARGETS.join(", ")}${c.reset}`);
+            return false;
+        }
+        const propOpts = {};
+        const envIdx = args.indexOf("--target-env");
+        if (envIdx >= 0)
+            propOpts.env = args[envIdx + 1];
+        const flyAppIdx = args.indexOf("--fly-app");
+        if (flyAppIdx >= 0)
+            propOpts.flyApp = args[flyAppIdx + 1];
+        const cfWorkerIdx = args.indexOf("--cf-worker");
+        if (cfWorkerIdx >= 0)
+            propOpts.cfWorker = args[cfWorkerIdx + 1];
+        const railwayServiceIdx = args.indexOf("--railway-service");
+        if (railwayServiceIdx >= 0)
+            propOpts.railwayService = args[railwayServiceIdx + 1];
+        const awsRegionIdx = args.indexOf("--aws-region");
+        if (awsRegionIdx >= 0)
+            propOpts.awsRegion = args[awsRegionIdx + 1];
+        const ghRepoIdx = args.indexOf("--github-repo");
+        if (ghRepoIdx >= 0)
+            propOpts.githubRepo = args[ghRepoIdx + 1];
+        const vercelScopeIdx = args.indexOf("--vercel-scope");
+        if (vercelScopeIdx >= 0)
+            propOpts.vercelScope = args[vercelScopeIdx + 1];
+        console.log(`${c.bold}Propagation${c.reset}  ${c.dim}→ ${targets.join(", ")}${c.reset}\n`);
+        const results = await propagate(plan.key, value, targets, propOpts);
+        let propAllOk = true;
+        for (const r of results) {
+            const icon = r.ok ? `${c.green}✓${c.reset}` : `${c.red}✗${c.reset}`;
+            const argvWarn = r.valueInArgv ? `  ${c.yellow}[value in argv]${c.reset}` : "";
+            console.log(`  ${icon} ${r.target.padEnd(10)}  ${c.dim}${r.detail}${c.reset}${argvWarn}`);
+            if (!r.ok)
+                propAllOk = false;
+        }
+        console.log();
+        if (!propAllOk) {
+            console.log(`${c.yellow}Some propagations failed — check CLI auth (vercel/gh/fly/wrangler/railway/aws) and retry with the same value.${c.reset}\n`);
+        }
+    }
+    else {
+        console.log(`${c.bold}Next steps${c.reset}`);
+        console.log(`${c.dim}${"─".repeat(50)}${c.reset}\n`);
+        for (const target of plan.externalTargets) {
+            console.log(`  ${c.yellow}→${c.reset} update ${target}`);
+        }
+        console.log();
+        console.log(`${c.dim}Or re-run with ${c.bold}--propagate vercel,github,fly,cloudflare,railway,aws-ssm${c.reset}${c.dim} to push automatically.${c.reset}\n`);
+    }
+    return true;
+}
+//# sourceMappingURL=secrets-rotate-cli.js.map