ultraenv 1.0.0

package/dist/index.js

@@ -0,0 +1,3212 @@
+import {
+  computeIntegrity,
+  computeVaultChecksum,
+  verifyIntegrity,
+  verifyVaultChecksum
+} from "./chunk-N5PAV4NM.js";
+import {
+  compareEnvironments,
+  formatComparison
+} from "./chunk-3UV2QNJL.js";
+import {
+  discoverEnvironments,
+  getActiveEnvironment,
+  listEnvironments,
+  switchEnvironment,
+  validateAllEnvironments
+} from "./chunk-GC7RXHLA.js";
+import {
+  createEnvironment,
+  duplicateEnvironment,
+  removeEnvironment
+} from "./chunk-AWN6ADV7.js";
+import {
+  addCustomPattern,
+  detectHighEntropyStrings,
+  formatScanResult,
+  isHighEntropy,
+  matchPatterns,
+  removeCustomPattern,
+  resetPatterns,
+  scan,
+  scanDiff,
+  scanFiles,
+  scanGitHistory,
+  scanLineForEntropy,
+  scanStagedFiles,
+  shannonEntropy
+} from "./chunk-MSXMESFP.js";
+import {
+  getEnvironmentData,
+  getVaultEnvironments,
+  parseVaultFile,
+  readVaultFile,
+  serializeVaultFile,
+  writeVaultFile
+} from "./chunk-NBOABPHM.js";
+import "./chunk-R7PZRSZ7.js";
+import {
+  generateExampleContent,
+  generateExampleFile,
+  needsUpdate
+} from "./chunk-CHVO6NWI.js";
+import {
+  maskValue
+} from "./chunk-TE7HPLA6.js";
+import {
+  compareSync,
+  compareValues
+} from "./chunk-YVWLXFUT.js";
+import {
+  generateDeclaration
+} from "./chunk-IGFVP24Q.js";
+import {
+  generateModule
+} from "./chunk-YMMP4VQL.js";
+import {
+  generateJsonSchema
+} from "./chunk-6KS56D6E.js";
+import {
+  expandVariables,
+  load,
+  loadSync,
+  loadWithResult,
+  loadWithResultSync,
+  mergeCascade,
+  resolveCascade
+} from "./chunk-MNVFG7H4.js";
+import {
+  parseEnvFile
+} from "./chunk-HFXQGJY3.js";
+import {
+  healthCheckRoute,
+  ultraenvMiddleware
+} from "./chunk-IKPTKALB.js";
+import {
+  createUltraenvPlugin,
+  ultraenvPlugin
+} from "./chunk-JB7RKV3C.js";
+import {
+  defineEnv,
+  t,
+  tryDefineEnv,
+  validate
+} from "./chunk-CIFMBJ4H.js";
+import {
+  findConfig,
+  loadConfig
+} from "./chunk-4XUYMRK5.js";
+import {
+  copyFile,
+  ensureDir,
+  exists,
+  findUp,
+  isDirectory,
+  isFile,
+  listFiles,
+  readFile,
+  readFileSync,
+  removeFile,
+  writeFile
+} from "./chunk-3VYXPTYV.js";
+import {
+  deriveEnvironmentKey,
+  formatKey,
+  generateKeysFile,
+  generateMasterKey,
+  isValidKeyFormat,
+  maskKey,
+  parseKey,
+  parseKeysFile,
+  rotateKey
+} from "./chunk-UEWYFN6A.js";
+import {
+  decryptEnvironment,
+  decryptValue,
+  encryptEnvironment,
+  encryptValue,
+  isEncryptedValue
+} from "./chunk-2USZPWLZ.js";
+import {
+  VERSION
+} from "./chunk-XC65ORJ5.js";
+import {
+  ConfigError,
+  EncryptionError,
+  FileSystemError,
+  InterpolationError,
+  ParseError,
+  ScanError,
+  UltraenvError,
+  ValidationError,
+  VaultError,
+  isUltraenvError
+} from "./chunk-5G2DU52U.js";
+
+// src/core/watcher.ts
+import { watch } from "fs";
+import { existsSync } from "fs";
+import { resolve, join } from "path";
+var DEFAULT_WATCH_OPTIONS = {
+  files: [".env", ".env.local", ".env.development", ".env.production", ".env.staging"],
+  recursive: false,
+  debounceMs: 100,
+  initial: false,
+  pollIntervalMs: 0,
+  ignore: []
+};
+var EnvFileWatcher = class {
+  state;
+  constructor(options) {
+    this.state = {
+      nativeWatchers: /* @__PURE__ */ new Map(),
+      debounceTimers: /* @__PURE__ */ new Map(),
+      callbacks: /* @__PURE__ */ new Map(),
+      active: false,
+      cascadeResult: null,
+      watchOptions: { ...DEFAULT_WATCH_OPTIONS, ...options?.watchOptions },
+      cascadeOptions: options?.cascadeOptions ?? {}
+    };
+  }
+  /**
+   * Start watching all .env files in the cascade.
+   * If `initial` is true in WatchOptions, emits a 'ready' event immediately.
+   */
+  start() {
+    if (this.state.active) return;
+    this.state.active = true;
+    this.state.cascadeResult = resolveCascade(this.state.cascadeOptions);
+    const filesToWatch = this.state.cascadeResult.existingFiles;
+    this.watchDirectory(this.state.cascadeResult.envDir);
+    for (const entry of filesToWatch) {
+      this.watchFile(entry.absolutePath);
+    }
+    if (this.state.watchOptions.initial) {
+      this.emitEvent({
+        type: "change",
+        path: "",
+        timestamp: Date.now()
+      });
+    }
+  }
+  /**
+   * Stop watching all files and clean up resources.
+   */
+  stop() {
+    if (!this.state.active) return;
+    this.state.active = false;
+    for (const [, nativeWatcher] of this.state.nativeWatchers) {
+      try {
+        nativeWatcher.close();
+      } catch {
+      }
+    }
+    this.state.nativeWatchers.clear();
+    for (const [, timer] of this.state.debounceTimers) {
+      clearTimeout(timer);
+    }
+    this.state.debounceTimers.clear();
+  }
+  /**
+   * Whether the watcher is currently active.
+   */
+  get active() {
+    return this.state.active;
+  }
+  /**
+   * Register a callback for a specific event type.
+   *
+   * @param event - The event type: 'change', 'error', or 'ready'
+   * @param callback - The callback to invoke when the event occurs
+   * @returns This watcher instance (for chaining)
+   */
+  on(event, callback) {
+    if (!this.state.callbacks.has(event)) {
+      this.state.callbacks.set(event, /* @__PURE__ */ new Set());
+    }
+    this.state.callbacks.get(event).add(callback);
+    return this;
+  }
+  /**
+   * Remove a previously registered callback.
+   *
+   * @param event - The event type
+   * @param callback - The callback to remove
+   * @returns This watcher instance (for chaining)
+   */
+  off(event, callback) {
+    const callbacks = this.state.callbacks.get(event);
+    if (callbacks !== void 0) {
+      callbacks.delete(callback);
+    }
+    return this;
+  }
+  /**
+   * Stop watching and release all resources (alias for stop()).
+   */
+  close() {
+    this.stop();
+  }
+  // -------------------------------------------------------------------------
+  // Private Methods
+  // -------------------------------------------------------------------------
+  /**
+   * Watch a specific file for changes.
+   */
+  watchFile(filePath) {
+    if (!existsSync(filePath)) return;
+    if (this.state.nativeWatchers.has(filePath)) return;
+    if (this.shouldIgnore(filePath)) return;
+    try {
+      const nativeWatcher = watch(filePath, {
+        persistent: true
+      }, (eventType, filename) => {
+        this.handleFileEvent(eventType, filePath, filename);
+      });
+      nativeWatcher.on("error", () => {
+        this.emitChangeEvent(filePath);
+        this.state.nativeWatchers.delete(filePath);
+        setTimeout(() => {
+          if (this.state.active && existsSync(filePath)) {
+            this.watchFile(filePath);
+          }
+        }, 1e3);
+      });
+      this.state.nativeWatchers.set(filePath, nativeWatcher);
+    } catch (error) {
+      throw new FileSystemError(`Failed to watch file "${filePath}"`, {
+        path: filePath,
+        operation: "watch",
+        cause: error instanceof Error ? error : void 0
+      });
+    }
+  }
+  /**
+   * Watch a directory for file additions/removals.
+   */
+  watchDirectory(dirPath) {
+    const dirWatchKey = `__dir__:${dirPath}`;
+    if (this.state.nativeWatchers.has(dirWatchKey)) return;
+    try {
+      const nativeWatcher = watch(dirPath, {
+        persistent: true
+      }, (eventType, filename) => {
+        if (filename === null) return;
+        const fullPath = resolve(join(dirPath, filename));
+        if (isEnvFileName(filename) && !this.shouldIgnore(fullPath)) {
+          if (eventType === "rename") {
+            if (existsSync(fullPath) && !this.state.nativeWatchers.has(fullPath)) {
+              this.watchFile(fullPath);
+              this.debouncedEmit(fullPath, "add");
+            } else if (!existsSync(fullPath) && this.state.nativeWatchers.has(fullPath)) {
+              const watcher = this.state.nativeWatchers.get(fullPath);
+              if (watcher !== void 0) {
+                watcher.close();
+                this.state.nativeWatchers.delete(fullPath);
+              }
+              this.debouncedEmit(fullPath, "unlink");
+            }
+          }
+        }
+      });
+      nativeWatcher.on("error", () => {
+        this.state.nativeWatchers.delete(dirWatchKey);
+        setTimeout(() => {
+          if (this.state.active) {
+            this.watchDirectory(dirPath);
+          }
+        }, 5e3);
+      });
+      this.state.nativeWatchers.set(dirWatchKey, nativeWatcher);
+    } catch {
+    }
+  }
+  /**
+   * Handle a file system event from a file watcher.
+   */
+  handleFileEvent(eventType, filePath, _filename) {
+    if (eventType === "change" || eventType === "rename") {
+      if (existsSync(filePath)) {
+        this.debouncedEmit(filePath, "change");
+      } else {
+        this.debouncedEmit(filePath, "unlink");
+      }
+    }
+  }
+  /**
+   * Emit a change event after debouncing.
+   */
+  debouncedEmit(filePath, type) {
+    const debounceMs = this.state.watchOptions.debounceMs;
+    const existingTimer = this.state.debounceTimers.get(filePath);
+    if (existingTimer !== void 0) {
+      clearTimeout(existingTimer);
+    }
+    const timer = setTimeout(() => {
+      this.state.debounceTimers.delete(filePath);
+      this.emitEvent({
+        type,
+        path: filePath,
+        timestamp: Date.now()
+      });
+    }, debounceMs);
+    this.state.debounceTimers.set(filePath, timer);
+  }
+  /**
+   * Emit a change event (used by error recovery).
+   */
+  emitChangeEvent(filePath) {
+    this.debouncedEmit(filePath, "change");
+  }
+  /**
+   * Emit an event to all registered change callbacks.
+   */
+  emitEvent(event) {
+    const changeCallbacks = this.state.callbacks.get("change");
+    if (changeCallbacks !== void 0) {
+      for (const cb of changeCallbacks) {
+        try {
+          cb(event);
+        } catch {
+        }
+      }
+    }
+    if (event.type === "unlink") {
+      const errorCallbacks = this.state.callbacks.get("error");
+      if (errorCallbacks !== void 0) {
+        for (const cb of errorCallbacks) {
+          try {
+            cb(event);
+          } catch {
+          }
+        }
+      }
+    }
+  }
+  /**
+   * Check if a file path should be ignored based on ignore patterns.
+   */
+  shouldIgnore(filePath) {
+    const patterns = this.state.watchOptions.ignore;
+    const fileName = filePath.split("/").pop() ?? filePath;
+    for (const pattern of patterns) {
+      if (pattern === fileName) return true;
+      if (pattern.startsWith("*") && fileName.endsWith(pattern.slice(1))) return true;
+      if (pattern.endsWith("*") && fileName.startsWith(pattern.slice(0, -1))) return true;
+      if (pattern.includes("*")) {
+        const regex = new RegExp("^" + pattern.replace(/\*/g, ".*") + "$");
+        if (regex.test(fileName)) return true;
+      }
+    }
+    return false;
+  }
+};
+function createWatcher(options) {
+  return new EnvFileWatcher(options);
+}
+function isEnvFileName(name) {
+  if (typeof name !== "string") return false;
+  return name === ".env" || name.startsWith(".env.");
+}
+
+// src/vault/secure-memory.ts
+import { randomBytes, timingSafeEqual as cryptoTimingSafeEqual } from "crypto";
+var SecureBuffer = class _SecureBuffer {
+  _buffer;
+  _length;
+  _zeroed;
+  /** Track all live SecureBuffers for FinalizationRegistry cleanup */
+  static registry = new FinalizationRegistry((buf) => {
+    buf.fill(0);
+  });
+  /** Counter for generating unique token identifiers */
+  static _instanceCount = 0;
+  /**
+   * Create a new SecureBuffer.
+   *
+   * @param size - The size of the buffer in bytes.
+   * @throws RangeError if size is not a positive integer.
+   */
+  constructor(size) {
+    if (size < 1 || !Number.isInteger(size)) {
+      throw new RangeError(
+        `SecureBuffer: size must be a positive integer, got ${size}`
+      );
+    }
+    this._buffer = Buffer.alloc(size);
+    this._length = size;
+    this._zeroed = false;
+    _SecureBuffer._instanceCount++;
+    _SecureBuffer.registry.register(this, this._buffer, this);
+  }
+  /**
+   * Create a SecureBuffer from an existing Buffer.
+   * The source buffer is NOT modified — a copy is made.
+   *
+   * @param source - The source buffer to copy.
+   * @returns A new SecureBuffer containing a copy of the source data.
+   */
+  static from(source) {
+    const buf = new _SecureBuffer(source.length);
+    Buffer.from(source).copy(buf._buffer);
+    buf._zeroed = false;
+    return buf;
+  }
+  /**
+   * Create a SecureBuffer from a string.
+   *
+   * @param str - The string to encode.
+   * @param encoding - The character encoding (default: 'utf-8').
+   * @returns A new SecureBuffer containing the encoded string.
+   */
+  static fromString(str, encoding = "utf-8") {
+    const buf = new _SecureBuffer(Buffer.byteLength(str, encoding));
+    buf._buffer.write(str, encoding);
+    buf._zeroed = false;
+    return buf;
+  }
+  /**
+   * The size of the buffer in bytes.
+   */
+  get length() {
+    return this._length;
+  }
+  /**
+   * Whether the buffer has been zeroed.
+   */
+  get isZeroed() {
+    return this._zeroed;
+  }
+  /**
+   * Fill the buffer with the specified byte value.
+   *
+   * @param value - The byte value to fill with (0-255).
+   * @returns This SecureBuffer for chaining.
+   */
+  fill(value) {
+    if (value < 0 || value > 255 || !Number.isInteger(value)) {
+      throw new RangeError(
+        `SecureBuffer.fill: value must be an integer 0-255, got ${value}`
+      );
+    }
+    this._buffer.fill(value);
+    this._zeroed = value === 0;
+    return this;
+  }
+  /**
+   * Fill the buffer with random bytes.
+   *
+   * @returns This SecureBuffer for chaining.
+   */
+  fillRandom() {
+    randomBytes(this._length).copy(this._buffer);
+    this._zeroed = false;
+    return this;
+  }
+  /**
+   * Zero out all bytes in the buffer.
+   *
+   * This should be called as soon as the sensitive data is no longer needed.
+   * The buffer will also be zeroed automatically on garbage collection, but
+   * explicit zeroing provides faster cleanup for time-sensitive operations.
+   *
+   * @returns This SecureBuffer for chaining.
+   */
+  zero() {
+    this._buffer.fill(0);
+    this._zeroed = true;
+    return this;
+  }
+  /**
+   * Get a read-only copy of the underlying buffer.
+   *
+   * **Warning**: This returns a COPY of the buffer contents.
+   * The caller is responsible for zeroing the returned buffer when done.
+   * Use toString() when possible to avoid managing raw buffers.
+   *
+   * @returns A copy of the buffer contents.
+   */
+  getBuffer() {
+    if (this._zeroed) {
+      return Buffer.alloc(this._length);
+    }
+    return Buffer.from(this._buffer);
+  }
+  /**
+   * Get a single byte at the specified index.
+   *
+   * @param index - The byte index.
+   * @returns The byte value (0-255).
+   */
+  getByte(index) {
+    if (index < 0 || index >= this._length) {
+      throw new RangeError(
+        `SecureBuffer.getByte: index ${index} out of bounds (length: ${this._length})`
+      );
+    }
+    return this._buffer[index];
+  }
+  /**
+   * Convert the buffer contents to a string.
+   *
+   * @param encoding - The character encoding (default: 'utf-8').
+   * @returns The decoded string.
+   */
+  toString(encoding = "utf-8") {
+    if (this._zeroed) {
+      return "";
+    }
+    return this._buffer.toString(encoding);
+  }
+  /**
+   * Convert to hex string.
+   *
+   * @returns Lowercase hex string.
+   */
+  toHex() {
+    if (this._zeroed) {
+      return "0".repeat(this._length * 2);
+    }
+    return this._buffer.toString("hex");
+  }
+  /**
+   * Convert to base64 string.
+   *
+   * @returns Base64-encoded string.
+   */
+  toBase64() {
+    if (this._zeroed) {
+      return "";
+    }
+    return this._buffer.toString("base64");
+  }
+  /**
+   * JSON serialization — never exposes the buffer contents.
+   * Returns a placeholder string to prevent accidental logging of secrets.
+   *
+   * @returns A safe placeholder string.
+   */
+  toJSON() {
+    return "[SecureBuffer]";
+  }
+  /**
+   * Custom inspect for console.log — never exposes contents.
+   */
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  [/* @__PURE__ */ Symbol.for("nodejs.util.inspect.custom")](_depth, _options) {
+    return `[SecureBuffer: ${this._length} bytes${this._zeroed ? " (zeroed)" : ""}]`;
+  }
+  /* v8 ignore stop */
+  /**
+   * Manual cleanup — call when the SecureBuffer is no longer needed.
+   * Zeros the buffer and unregisters from the FinalizationRegistry.
+   *
+   * After calling dispose(), the buffer cannot be used.
+   */
+  dispose() {
+    this._buffer.fill(0);
+    this._zeroed = true;
+    _SecureBuffer.registry.unregister(this);
+  }
+};
+var SecureString = class {
+  _buffer;
+  _disposed;
+  /**
+   * Create a new SecureString.
+   *
+   * **Internal**: Use the `createSecureString()` factory function instead
+   * of calling this constructor directly.
+   *
+   * @param buffer - The SecureBuffer backing this string.
+   * @internal
+   */
+  constructor(buffer) {
+    this._buffer = buffer;
+    this._disposed = false;
+  }
+  /**
+   * The string value.
+   * Returns empty string if the backing buffer has been zeroed/disposed.
+   */
+  get value() {
+    if (this._disposed) return "";
+    return this._buffer.toString("utf-8");
+  }
+  /**
+   * The length of the string in characters.
+   */
+  get length() {
+    return this.value.length;
+  }
+  /**
+   * Whether this SecureString has been disposed.
+   */
+  get disposed() {
+    return this._disposed;
+  }
+  /**
+   * Zero the backing buffer and mark as disposed.
+   * After calling dispose(), value will always return ''.
+   */
+  dispose() {
+    this._buffer.zero();
+    this._buffer.dispose();
+    this._disposed = true;
+  }
+  /**
+   * JSON serialization — never exposes the string contents.
+   */
+  toJSON() {
+    return "[SecureString]";
+  }
+  /**
+   * Custom inspect for console.log.
+   */
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  [/* @__PURE__ */ Symbol.for("nodejs.util.inspect.custom")](_depth, _options) {
+    return `[SecureString: ${this._disposed ? "disposed" : `${this.length} chars`}]`;
+  }
+  /* v8 ignore stop */
+};
+function createSecureString(value) {
+  const buffer = SecureBuffer.fromString(value, "utf-8");
+  return new SecureString(buffer);
+}
+function createSecureStringFromBuffer(buffer, encoding = "utf-8") {
+  const secureBuf = SecureBuffer.from(buffer);
+  const strBuf = SecureBuffer.fromString(buffer.toString(encoding), encoding);
+  secureBuf.zero();
+  return new SecureString(strBuf);
+}
+function wipeString(str) {
+  try {
+    const chars = str.split("");
+    for (let i = 0; i < chars.length; i++) {
+      chars[i] = "\0";
+    }
+    const _wiped = chars.join("");
+    void _wiped;
+  } catch {
+  }
+}
+function secureCompare(a, b) {
+  if (a === b) return true;
+  const bufA = typeof a === "string" ? Buffer.from(a, "utf-8") : a;
+  const bufB = typeof b === "string" ? Buffer.from(b, "utf-8") : b;
+  if (bufA.length !== bufB.length) {
+    const maxLen = Math.max(bufA.length, bufB.length);
+    const padA = Buffer.alloc(maxLen, 0);
+    const padB = Buffer.alloc(maxLen, 0);
+    bufA.copy(padA, maxLen - bufA.length);
+    bufB.copy(padB, maxLen - bufB.length);
+    try {
+      cryptoTimingSafeEqual(padA, padB);
+      return false;
+    } catch {
+      return false;
+    }
+  }
+  try {
+    return cryptoTimingSafeEqual(bufA, bufB);
+  } catch {
+    return false;
+  }
+}
+
+// src/sync/watcher.ts
+import { watch as watch2 } from "fs";
+import { existsSync as existsSync2 } from "fs";
+var SyncWatcher = class {
+  nativeWatcher = null;
+  debounceTimer = null;
+  callbacks = /* @__PURE__ */ new Map();
+  _active = false;
+  options;
+  constructor(options) {
+    this.options = options;
+  }
+  /**
+   * Start watching the .env file for changes.
+   */
+  start() {
+    if (this._active) return;
+    const envPath = this.options.envPath;
+    if (!existsSync2(envPath)) {
+      this.emitError(new Error(`File not found: "${envPath}"`));
+      return;
+    }
+    this._active = true;
+    try {
+      this.nativeWatcher = watch2(envPath, { persistent: true }, (_eventType, _filename) => {
+        this.debouncedSync();
+      });
+      this.nativeWatcher.on("error", (error) => {
+        this.emitError(error);
+        this.nativeWatcher = null;
+        setTimeout(() => {
+          if (this._active && existsSync2(envPath)) {
+            this.start();
+          }
+        }, 1e3);
+      });
+      this.emitEvent({
+        type: "change",
+        path: envPath,
+        timestamp: Date.now()
+      });
+    } catch (error) {
+      this._active = false;
+      this.emitError(error instanceof Error ? error : new Error(String(error)));
+    }
+  }
+  /**
+   * Stop watching and release all resources.
+   */
+  stop() {
+    if (!this._active) return;
+    this._active = false;
+    if (this.nativeWatcher !== null) {
+      try {
+        this.nativeWatcher.close();
+      } catch {
+      }
+      this.nativeWatcher = null;
+    }
+    if (this.debounceTimer !== null) {
+      clearTimeout(this.debounceTimer);
+      this.debounceTimer = null;
+    }
+  }
+  /**
+   * Whether the watcher is currently active.
+   */
+  get active() {
+    return this._active;
+  }
+  /**
+   * Register a callback for a specific event type.
+   */
+  on(event, callback) {
+    if (!this.callbacks.has(event)) {
+      this.callbacks.set(event, /* @__PURE__ */ new Set());
+    }
+    this.callbacks.get(event).add(callback);
+    return this;
+  }
+  /**
+   * Remove a previously registered callback.
+   */
+  off(event, callback) {
+    const cbs = this.callbacks.get(event);
+    if (cbs !== void 0) {
+      cbs.delete(callback);
+    }
+    return this;
+  }
+  // -------------------------------------------------------------------------
+  // Private Methods
+  // -------------------------------------------------------------------------
+  /**
+   * Debounce sync operations to avoid excessive file writes.
+   */
+  debouncedSync() {
+    const debounceMs = this.options.debounceMs ?? 300;
+    if (this.debounceTimer !== null) {
+      clearTimeout(this.debounceTimer);
+    }
+    this.debounceTimer = setTimeout(() => {
+      this.debounceTimer = null;
+      void this.performSync();
+    }, debounceMs);
+  }
+  /**
+   * Perform the actual sync: regenerate .env.example if needed.
+   */
+  async performSync() {
+    const result = {
+      success: false,
+      envPath: this.options.envPath,
+      examplePath: this.options.examplePath,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    try {
+      const needs = await needsUpdate(
+        this.options.envPath,
+        this.options.examplePath,
+        {
+          schemaPath: void 0,
+          includeDescriptions: this.options.includeDescriptions,
+          includeTypes: this.options.includeTypes,
+          includeDefaults: this.options.includeDefaults
+        }
+      );
+      if (!needs) {
+        result.success = true;
+        if (this.options.onSync !== void 0) {
+          this.options.onSync(result);
+        }
+        return;
+      }
+      await generateExampleFile(
+        this.options.envPath,
+        this.options.examplePath,
+        {
+          schemaPath: void 0,
+          includeDescriptions: this.options.includeDescriptions,
+          includeTypes: this.options.includeTypes,
+          includeDefaults: this.options.includeDefaults
+        }
+      );
+      result.success = true;
+      this.emitEvent({
+        type: "change",
+        path: this.options.examplePath,
+        timestamp: Date.now()
+      });
+    } catch (error) {
+      result.error = error instanceof Error ? error.message : String(error);
+      this.emitError(error instanceof Error ? error : new Error(String(error)));
+    }
+    if (this.options.onSync !== void 0) {
+      this.options.onSync(result);
+    }
+  }
+  /**
+   * Emit a change event to all registered change callbacks.
+   */
+  emitEvent(event) {
+    const changeCallbacks = this.callbacks.get("change");
+    if (changeCallbacks !== void 0) {
+      for (const cb of changeCallbacks) {
+        try {
+          cb(event);
+        } catch {
+        }
+      }
+    }
+    const readyCallbacks = this.callbacks.get("ready");
+    if (readyCallbacks !== void 0 && event.type === "change") {
+      for (const cb of readyCallbacks) {
+        try {
+          cb(event);
+        } catch {
+        }
+      }
+    }
+  }
+  /**
+   * Emit an error event.
+   */
+  emitError(_error) {
+    const errorCallbacks = this.callbacks.get("error");
+    if (errorCallbacks !== void 0) {
+      const event = {
+        type: "change",
+        path: this.options.envPath,
+        timestamp: Date.now()
+      };
+      for (const cb of errorCallbacks) {
+        try {
+          cb(event);
+        } catch {
+        }
+      }
+    }
+  }
+};
+function createSyncWatcher(options) {
+  return new SyncWatcher(options);
+}
+
+// src/typegen/watcher.ts
+import { watch as watch3 } from "fs";
+import { existsSync as existsSync3 } from "fs";
+import { dirname, resolve as resolve2 } from "path";
+var TypegenWatcher = class {
+  nativeWatchers = /* @__PURE__ */ new Map();
+  debounceTimer = null;
+  callbacks = /* @__PURE__ */ new Map();
+  _active = false;
+  options;
+  constructor(options) {
+    this.options = options;
+  }
+  /**
+   * Start watching the configured files.
+   */
+  start() {
+    if (this._active) return;
+    this._active = true;
+    if (this.options.schemaPath !== void 0) {
+      this.watchFile(this.options.schemaPath);
+    }
+    if (this.options.envPath !== void 0) {
+      this.watchFile(this.options.envPath);
+    }
+    const outputDir = dirname(resolve2(this.options.outputPath));
+    this.watchDirectory(outputDir);
+    this.emitChange("");
+  }
+  /**
+   * Stop watching and release all resources.
+   */
+  stop() {
+    if (!this._active) return;
+    this._active = false;
+    for (const [, nativeWatcher] of this.nativeWatchers) {
+      try {
+        nativeWatcher.close();
+      } catch {
+      }
+    }
+    this.nativeWatchers.clear();
+    if (this.debounceTimer !== null) {
+      clearTimeout(this.debounceTimer);
+      this.debounceTimer = null;
+    }
+  }
+  /**
+   * Whether the watcher is currently active.
+   */
+  get active() {
+    return this._active;
+  }
+  /**
+   * Register a callback for a specific event type.
+   */
+  on(event, callback) {
+    if (!this.callbacks.has(event)) {
+      this.callbacks.set(event, /* @__PURE__ */ new Set());
+    }
+    this.callbacks.get(event).add(callback);
+    return this;
+  }
+  /**
+   * Remove a previously registered callback.
+   */
+  off(event, callback) {
+    const cbs = this.callbacks.get(event);
+    if (cbs !== void 0) {
+      cbs.delete(callback);
+    }
+    return this;
+  }
+  // -------------------------------------------------------------------------
+  // Private Methods
+  // -------------------------------------------------------------------------
+  /**
+   * Watch a specific file for changes.
+   */
+  watchFile(filePath) {
+    if (!existsSync3(filePath)) return;
+    try {
+      const nativeWatcher = watch3(filePath, { persistent: true }, () => {
+        this.debouncedGenerate();
+      });
+      nativeWatcher.on("error", () => {
+        this.nativeWatchers.delete(filePath);
+        setTimeout(() => {
+          if (this._active && existsSync3(filePath)) {
+            this.watchFile(filePath);
+          }
+        }, 1e3);
+      });
+      this.nativeWatchers.set(filePath, nativeWatcher);
+    } catch {
+    }
+  }
+  /**
+   * Watch a directory for changes.
+   */
+  watchDirectory(dirPath) {
+    const dirKey = `__dir__:${dirPath}`;
+    if (this.nativeWatchers.has(dirKey)) return;
+    try {
+      const nativeWatcher = watch3(dirPath, { persistent: true }, () => {
+        this.debouncedGenerate();
+      });
+      nativeWatcher.on("error", () => {
+        this.nativeWatchers.delete(dirKey);
+        setTimeout(() => {
+          if (this._active) {
+            this.watchDirectory(dirPath);
+          }
+        }, 5e3);
+      });
+      this.nativeWatchers.set(dirKey, nativeWatcher);
+    } catch {
+    }
+  }
+  /**
+   * Debounce generation to avoid excessive rewrites.
+   */
+  debouncedGenerate() {
+    const debounceMs = this.options.debounceMs ?? 300;
+    if (this.debounceTimer !== null) {
+      clearTimeout(this.debounceTimer);
+    }
+    this.debounceTimer = setTimeout(() => {
+      this.debounceTimer = null;
+      void this.performGenerate();
+    }, debounceMs);
+  }
+  /**
+   * Perform the actual type generation.
+   */
+  async performGenerate() {
+    const format = this.options.format ?? "declaration";
+    const result = {
+      success: false,
+      format,
+      outputPaths: [],
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    try {
+      let vars = {};
+      if (this.options.envPath !== void 0 && existsSync3(this.options.envPath)) {
+        const envContent = await readFile(this.options.envPath);
+        const parsed = parseEnvFile(envContent, this.options.envPath);
+        for (const envVar of parsed.vars) {
+          vars[envVar.key] = envVar.value;
+        }
+      }
+      const outputPath = this.options.outputPath;
+      const outputPaths = [];
+      if (format === "declaration" || format === "all") {
+        const declPath = format === "all" ? outputPath.replace(/\.\w+$/, ".d.ts") || "ultraenv.d.ts" : outputPath;
+        await generateDeclaration(vars, this.options.schema, declPath);
+        outputPaths.push(declPath);
+      }
+      if (format === "module" || format === "all") {
+        const modulePath = format === "all" ? outputPath.replace(/\.\w+$/, ".env.ts") || "ultraenv.env.ts" : outputPath;
+        if (this.options.schema !== void 0) {
+          await generateModule(this.options.schema, modulePath);
+        }
+        outputPaths.push(modulePath);
+      }
+      if (format === "json-schema" || format === "all") {
+        const jsonPath = format === "all" ? outputPath.replace(/\.\w+$/, ".schema.json") || "ultraenv.schema.json" : outputPath;
+        if (this.options.schema !== void 0) {
+          await generateJsonSchema(this.options.schema, jsonPath);
+        }
+        outputPaths.push(jsonPath);
+      }
+      result.success = true;
+      result.outputPaths = outputPaths;
+      this.emitChange(outputPaths[0] ?? outputPath);
+    } catch (error) {
+      result.error = error instanceof Error ? error.message : String(error);
+      this.emitError(error instanceof Error ? error : new Error(String(error)));
+    }
+    if (this.options.onGenerate !== void 0) {
+      this.options.onGenerate(result);
+    }
+  }
+  /**
+   * Emit a change event to all registered callbacks.
+   */
+  emitChange(filePath) {
+    const event = {
+      type: "change",
+      path: filePath,
+      timestamp: Date.now()
+    };
+    const changeCallbacks = this.callbacks.get("change");
+    if (changeCallbacks !== void 0) {
+      for (const cb of changeCallbacks) {
+        try {
+          cb(event);
+        } catch {
+        }
+      }
+    }
+    const readyCallbacks = this.callbacks.get("ready");
+    if (readyCallbacks !== void 0) {
+      for (const cb of readyCallbacks) {
+        try {
+          cb(event);
+        } catch {
+        }
+      }
+    }
+  }
+  /**
+   * Emit an error event.
+   */
+  emitError(_error) {
+    const event = {
+      type: "change",
+      path: "",
+      timestamp: Date.now()
+    };
+    const errorCallbacks = this.callbacks.get("error");
+    if (errorCallbacks !== void 0) {
+      for (const cb of errorCallbacks) {
+        try {
+          cb(event);
+        } catch {
+        }
+      }
+    }
+  }
+};
+function createTypegenWatcher(options) {
+  return new TypegenWatcher(options);
+}
+
+// src/presets/nextjs.ts
+var nextjsSchema = {
+  // ── Public (client-exposed) Variables ──────────────────────────────
+  NEXT_PUBLIC_API_URL: {
+    type: "string",
+    format: "url",
+    description: "Public API base URL exposed to the client bundle"
+  },
+  NEXT_PUBLIC_SITE_URL: {
+    type: "string",
+    format: "url",
+    description: "Canonical site URL (used for SEO, OG tags, etc.)"
+  },
+  NEXT_PUBLIC_VERCEL_URL: {
+    type: "string",
+    format: "url",
+    optional: true,
+    description: "Vercel deployment URL (auto-set by Vercel)"
+  },
+  NEXT_PUBLIC_GA_ID: {
+    type: "string",
+    optional: true,
+    description: "Google Analytics measurement ID (e.g., G-XXXXXXXXXX)"
+  },
+  NEXT_PUBLIC_SENTRY_DSN: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Sentry DSN for client-side error reporting"
+  },
+  NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: {
+    type: "string",
+    optional: true,
+    description: "Stripe publishable key for client-side usage"
+  },
+  // ── Server-Only Variables ─────────────────────────────────────────
+  DATABASE_URL: {
+    type: "string",
+    format: "url",
+    description: "Primary database connection URL (server-only)"
+  },
+  DATABASE_URL_UNPOOLED: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Unpooled database connection for migrations (server-only)"
+  },
+  DIRECT_URL: {
+    type: "string",
+    optional: true,
+    description: "Direct database URL for Prisma migrations"
+  },
+  NODE_ENV: {
+    type: "enum",
+    values: ["development", "production", "test"],
+    description: "Node.js environment mode",
+    default: "development"
+  },
+  NEXT_PUBLIC_NODE_ENV: {
+    type: "enum",
+    values: ["development", "production", "test"],
+    optional: true,
+    description: "Node.js environment mode exposed to client (usually set by Next.js)"
+  },
+  NEXT_TELEMETRY_DISABLED: {
+    type: "boolean",
+    optional: true,
+    description: "Disable Next.js telemetry collection"
+  },
+  NEXT_PUBLIC_APP_ENV: {
+    type: "string",
+    optional: true,
+    description: "Application environment name exposed to the client"
+  },
+  // ── Authentication ────────────────────────────────────────────────
+  NEXTAUTH_URL: {
+    type: "string",
+    format: "url",
+    optional: true,
+    description: "NextAuth.js callback URL (server-only)"
+  },
+  NEXTAUTH_SECRET: {
+    type: "string",
+    optional: true,
+    description: "NextAuth.js secret for signing tokens (server-only)"
+  },
+  NEXTAUTH_CLIENT_ID: {
+    type: "string",
+    optional: true,
+    description: "OAuth client ID for NextAuth.js (server-only)"
+  },
+  NEXTAUTH_CLIENT_SECRET: {
+    type: "string",
+    optional: true,
+    description: "OAuth client secret for NextAuth.js (server-only)"
+  },
+  // ── Image Optimization ────────────────────────────────────────────
+  NEXT_PUBLIC_IMAGE_DOMAINS: {
+    type: "array",
+    optional: true,
+    separator: ",",
+    trimItems: true,
+    description: "Allowed image optimization domains (comma-separated)"
+  },
+  NEXT_PUBLIC_IMAGE_REMOTE_PATTERNS: {
+    type: "json",
+    optional: true,
+    description: "Remote image patterns for next/image (JSON array)"
+  },
+  // ── Feature Flags ─────────────────────────────────────────────────
+  NEXT_PUBLIC_ENABLE_ANALYTICS: {
+    type: "boolean",
+    optional: true,
+    description: "Enable client-side analytics tracking"
+  },
+  NEXT_PUBLIC_ENABLE_MOCK_MODE: {
+    type: "boolean",
+    optional: true,
+    description: "Enable mock API mode for development"
+  }
+};
+var NEXTJS_FILES = [
+  ".env" /* Env */,
+  ".env.local" /* EnvLocal */,
+  ".env.development" /* EnvDevelopment */,
+  ".env.development.local" /* EnvDevelopmentLocal */,
+  ".env.test" /* EnvTest */,
+  ".env.test.local" /* EnvTestLocal */,
+  ".env.production" /* EnvProduction */,
+  ".env.production.local" /* EnvProductionLocal */
+];
+var nextjsPreset = {
+  id: "nextjs",
+  name: "Next.js",
+  description: "Configuration preset for Next.js applications with client/server variable separation",
+  schema: nextjsSchema,
+  files: NEXTJS_FILES,
+  tags: ["framework", "react", "ssr", "fullstack"]
+};
+
+// src/presets/vite.ts
+var VITE_MODES = [
+  "development",
+  "production",
+  "test"
+];
+var viteSchema = {
+  // ── Public (client-exposed) Variables ──────────────────────────────
+  VITE_API_URL: {
+    type: "string",
+    format: "url",
+    description: "Public API base URL exposed via import.meta.env"
+  },
+  VITE_APP_TITLE: {
+    type: "string",
+    optional: true,
+    description: "Application title for the HTML document"
+  },
+  VITE_APP_BASE_URL: {
+    type: "string",
+    optional: true,
+    description: "Base URL for the application (used in router)"
+  },
+  VITE_ENABLE_DEVTOOLS: {
+    type: "boolean",
+    optional: true,
+    description: "Enable Vue/React devtools in development"
+  },
+  VITE_SENTRY_DSN: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Sentry DSN for client-side error reporting"
+  },
+  VITE_GA_ID: {
+    type: "string",
+    optional: true,
+    description: "Google Analytics measurement ID"
+  },
+  // ── Mode-Based Variables ──────────────────────────────────────────
+  MODE: {
+    type: "enum",
+    values: VITE_MODES,
+    description: "Vite mode (development | production | test)",
+    default: "development"
+  },
+  VITE_MODE: {
+    type: "enum",
+    values: VITE_MODES,
+    optional: true,
+    description: "Vite mode exposed to client code via import.meta.env.MODE"
+  },
+  DEV: {
+    type: "boolean",
+    optional: true,
+    description: "Whether the app is running in dev mode (set by Vite)"
+  },
+  PROD: {
+    type: "boolean",
+    optional: true,
+    description: "Whether the app is running in production mode (set by Vite)"
+  },
+  SSR: {
+    type: "boolean",
+    optional: true,
+    description: "Whether the app is running in SSR mode (set by Vite SSR plugin)"
+  },
+  // ── Server-Only Variables ─────────────────────────────────────────
+  NODE_ENV: {
+    type: "enum",
+    values: VITE_MODES,
+    description: "Node.js environment mode",
+    default: "development"
+  },
+  PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Dev server port (server-only)",
+    default: 5173
+  },
+  HOST: {
+    type: "string",
+    optional: true,
+    description: "Dev server hostname (server-only)"
+  },
+  DATABASE_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Database connection URL (server-only)"
+  },
+  API_SECRET: {
+    type: "string",
+    optional: true,
+    description: "API secret key for backend authentication (server-only)"
+  },
+  JWT_SECRET: {
+    type: "string",
+    optional: true,
+    description: "JWT signing secret (server-only)"
+  }
+};
+var VITE_FILES = [
+  ".env" /* Env */,
+  ".env.local" /* EnvLocal */,
+  ".env.development" /* EnvDevelopment */,
+  ".env.development.local" /* EnvDevelopmentLocal */,
+  ".env.test" /* EnvTest */,
+  ".env.test.local" /* EnvTestLocal */,
+  ".env.production" /* EnvProduction */,
+  ".env.production.local" /* EnvProductionLocal */
+];
+var vitePreset = {
+  id: "vite",
+  name: "Vite",
+  description: "Configuration preset for Vite-powered applications with mode-based env loading",
+  schema: viteSchema,
+  files: VITE_FILES,
+  tags: ["build-tool", "frontend", "spa"]
+};
+
+// src/presets/nuxt.ts
+var nuxtSchema = {
+  // ── Nuxt Runtime Config (exposed to client with NUXT_PUBLIC_ prefix) ────
+  NUXT_PUBLIC_API_BASE: {
+    type: "string",
+    optional: true,
+    description: "Public API base URL (exposed to client via useRuntimeConfig)"
+  },
+  NUXT_PUBLIC_SITE_URL: {
+    type: "string",
+    format: "url",
+    optional: true,
+    description: "Canonical site URL (exposed to client)"
+  },
+  NUXT_PUBLIC_APP_NAME: {
+    type: "string",
+    optional: true,
+    description: "Application name (exposed to client)"
+  },
+  NUXT_PUBLIC_GA_ID: {
+    type: "string",
+    optional: true,
+    description: "Google Analytics measurement ID (exposed to client)"
+  },
+  NUXT_PUBLIC_SENTRY_DSN: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Sentry DSN for client-side error reporting"
+  },
+  // ── Nuxt Private Runtime Config (server-only) ─────────────────────
+  NUXT_API_SECRET: {
+    type: "string",
+    optional: true,
+    description: "API secret key (server-only runtime config)"
+  },
+  NUXT_SESSION_SECRET: {
+    type: "string",
+    optional: true,
+    description: "Session encryption secret (server-only)"
+  },
+  NUXT_OAUTH_GITHUB_CLIENT_ID: {
+    type: "string",
+    optional: true,
+    description: "GitHub OAuth client ID (server-only)"
+  },
+  NUXT_OAUTH_GITHUB_CLIENT_SECRET: {
+    type: "string",
+    optional: true,
+    description: "GitHub OAuth client secret (server-only)"
+  },
+  NUXT_DATABASE_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Database URL (server-only runtime config)"
+  },
+  // ── Nitro Server Variables ────────────────────────────────────────
+  NITRO_PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Nitro server port",
+    default: 3e3
+  },
+  NITRO_HOST: {
+    type: "string",
+    optional: true,
+    description: "Nitro server hostname"
+  },
+  NITRO_PRESET: {
+    type: "string",
+    optional: true,
+    description: "Nitro deployment preset (e.g., node, vercel, netlify)"
+  },
+  NITRO_BODY_SIZE_LIMIT: {
+    type: "string",
+    optional: true,
+    description: 'Nitro request body size limit (e.g., "16mb")'
+  },
+  // ── Core Variables ────────────────────────────────────────────────
+  NODE_ENV: {
+    type: "enum",
+    values: ["development", "production", "test"],
+    description: "Node.js environment mode",
+    default: "development"
+  },
+  NUXT_APP_ENV: {
+    type: "string",
+    optional: true,
+    description: "Application environment identifier"
+  }
+};
+var NUXT_FILES = [
+  ".env" /* Env */,
+  ".env.local" /* EnvLocal */,
+  ".env.development" /* EnvDevelopment */,
+  ".env.development.local" /* EnvDevelopmentLocal */,
+  ".env.test" /* EnvTest */,
+  ".env.test.local" /* EnvTestLocal */,
+  ".env.production" /* EnvProduction */,
+  ".env.production.local" /* EnvProductionLocal */,
+  ".env.staging" /* EnvStaging */,
+  ".env.staging.local" /* EnvStagingLocal */
+];
+var nuxtPreset = {
+  id: "nuxt",
+  name: "Nuxt",
+  description: "Configuration preset for Nuxt 3 with NUXT/NITRO runtime config separation",
+  schema: nuxtSchema,
+  files: NUXT_FILES,
+  tags: ["framework", "vue", "ssr", "fullstack"]
+};
+
+// src/presets/remix.ts
+var remixSchema = {
+  // ── Core Variables ────────────────────────────────────────────────
+  NODE_ENV: {
+    type: "enum",
+    values: ["development", "production", "test"],
+    description: "Node.js environment mode",
+    default: "development"
+  },
+  PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Remix dev server port",
+    default: 3e3
+  },
+  HOST: {
+    type: "string",
+    optional: true,
+    description: "Remix dev server hostname"
+  },
+  // ── Session Management ────────────────────────────────────────────
+  SESSION_SECRET: {
+    type: "string",
+    description: "Secret for signing Remix sessions (required)"
+  },
+  SESSION_MAX_AGE: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Session maximum age in seconds"
+  },
+  // ── Database ──────────────────────────────────────────────────────
+  DATABASE_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Primary database connection URL (server-only)"
+  },
+  DATABASE_POOL_SIZE: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Database connection pool size"
+  },
+  // ── Authentication ────────────────────────────────────────────────
+  AUTH_SECRET: {
+    type: "string",
+    optional: true,
+    description: "Authentication secret for Remix Auth (server-only)"
+  },
+  AUTH_REDIRECT_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Post-authentication redirect URL (server-only)"
+  },
+  // ── API & External Services ───────────────────────────────────────
+  API_BASE_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Backend API base URL (server-only)"
+  },
+  STRIPE_SECRET_KEY: {
+    type: "string",
+    optional: true,
+    description: "Stripe secret key (server-only)"
+  },
+  STRIPE_WEBHOOK_SECRET: {
+    type: "string",
+    optional: true,
+    description: "Stripe webhook signing secret (server-only)"
+  },
+  SENTRY_DSN: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Sentry DSN for server-side error reporting"
+  },
+  // ── Remix-Specific ───────────────────────────────────────────────
+  REMIX_DEV_ORIGIN: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Dev server origin URL for HMR"
+  },
+  REMIX_PUBLIC_PATH: {
+    type: "string",
+    optional: true,
+    description: "Public asset path prefix"
+  },
+  BASE_URL: {
+    type: "string",
+    format: "url",
+    optional: true,
+    description: "Application base URL"
+  }
+};
+var REMIX_FILES = [
+  ".env" /* Env */,
+  ".env.local" /* EnvLocal */,
+  ".env.development" /* EnvDevelopment */,
+  ".env.development.local" /* EnvDevelopmentLocal */,
+  ".env.test" /* EnvTest */,
+  ".env.test.local" /* EnvTestLocal */,
+  ".env.production" /* EnvProduction */,
+  ".env.production.local" /* EnvProductionLocal */
+];
+var remixPreset = {
+  id: "remix",
+  name: "Remix",
+  description: "Configuration preset for Remix with server-side-only env variable enforcement",
+  schema: remixSchema,
+  files: REMIX_FILES,
+  tags: ["framework", "react", "ssr", "fullstack"]
+};
+
+// src/presets/sveltekit.ts
+var sveltekitSchema = {
+  // ── Public Variables (exposed to client) ──────────────────────────
+  PUBLIC_API_URL: {
+    type: "string",
+    format: "url",
+    description: "Public API base URL (exposed to client via import.meta.env)"
+  },
+  PUBLIC_SITE_URL: {
+    type: "string",
+    format: "url",
+    description: "Canonical site URL (exposed to client)"
+  },
+  PUBLIC_APP_NAME: {
+    type: "string",
+    optional: true,
+    description: "Application name (exposed to client)"
+  },
+  PUBLIC_GA_ID: {
+    type: "string",
+    optional: true,
+    description: "Google Analytics measurement ID (exposed to client)"
+  },
+  PUBLIC_SENTRY_DSN: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Sentry DSN for client-side error reporting"
+  },
+  PUBLIC_STRIPE_PUBLISHABLE_KEY: {
+    type: "string",
+    optional: true,
+    description: "Stripe publishable key (exposed to client)"
+  },
+  PUBLICturnstileSiteKey: {
+    type: "string",
+    optional: true,
+    description: "Cloudflare Turnstile site key (exposed to client)"
+  },
+  // ── Server-Only Private Variables ─────────────────────────────────
+  DATABASE_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Database connection URL (server-only, $env/static/private)"
+  },
+  PRIVATE_API_SECRET: {
+    type: "string",
+    optional: true,
+    description: "Private API secret (server-only)"
+  },
+  PRIVATE_SESSION_SECRET: {
+    type: "string",
+    optional: true,
+    description: "Session encryption secret (server-only)"
+  },
+  PRIVATE_OAUTH_GITHUB_CLIENT_ID: {
+    type: "string",
+    optional: true,
+    description: "GitHub OAuth client ID (server-only)"
+  },
+  PRIVATE_OAUTH_GITHUB_CLIENT_SECRET: {
+    type: "string",
+    optional: true,
+    description: "GitHub OAuth client secret (server-only)"
+  },
+  PRIVATE_COOKIE_SECRET: {
+    type: "string",
+    optional: true,
+    description: "Cookie signing secret (server-only)"
+  },
+  JWT_SECRET: {
+    type: "string",
+    optional: true,
+    description: "JWT signing secret (server-only)"
+  },
+  STRIPE_SECRET_KEY: {
+    type: "string",
+    optional: true,
+    description: "Stripe secret key (server-only)"
+  },
+  // ── Core Variables ────────────────────────────────────────────────
+  ORIGIN: {
+    type: "string",
+    format: "url",
+    optional: true,
+    description: "Server origin URL (used by SvelteKit adapter)"
+  },
+  PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Dev server port",
+    default: 5173
+  },
+  HOST: {
+    type: "string",
+    optional: true,
+    description: "Dev server hostname"
+  },
+  NODE_ENV: {
+    type: "enum",
+    values: ["development", "production", "test"],
+    description: "Node.js environment mode",
+    default: "development"
+  }
+};
+var SVELTEKIT_FILES = [
+  ".env" /* Env */,
+  ".env.local" /* EnvLocal */,
+  ".env.development" /* EnvDevelopment */,
+  ".env.development.local" /* EnvDevelopmentLocal */,
+  ".env.test" /* EnvTest */,
+  ".env.test.local" /* EnvTestLocal */,
+  ".env.production" /* EnvProduction */,
+  ".env.production.local" /* EnvProductionLocal */
+];
+var sveltekitPreset = {
+  id: "sveltekit",
+  name: "SvelteKit",
+  description: "Configuration preset for SvelteKit with PUBLIC_ prefix convention",
+  schema: sveltekitSchema,
+  files: SVELTEKIT_FILES,
+  tags: ["framework", "svelte", "ssr", "fullstack"]
+};
+
+// src/presets/express.ts
+var expressSchema = {
+  // ── Server Configuration ──────────────────────────────────────────
+  PORT: {
+    type: "number",
+    positive: true,
+    description: "HTTP server listen port",
+    default: 3e3
+  },
+  HOST: {
+    type: "string",
+    description: "HTTP server listen hostname",
+    default: "0.0.0.0"
+  },
+  NODE_ENV: {
+    type: "enum",
+    values: ["development", "production", "test"],
+    description: "Node.js environment mode",
+    default: "development"
+  },
+  TRUST_PROXY: {
+    type: "string",
+    optional: true,
+    description: "Trust proxy setting (ip, ipsubnet, hostname, loopback, boolean)"
+  },
+  // ── CORS ──────────────────────────────────────────────────────────
+  CORS_ORIGIN: {
+    type: "string",
+    optional: true,
+    description: 'CORS allowed origins (comma-separated or "*")'
+  },
+  CORS_CREDENTIALS: {
+    type: "boolean",
+    optional: true,
+    description: "Enable CORS credentials support"
+  },
+  CORS_METHODS: {
+    type: "array",
+    optional: true,
+    separator: ",",
+    trimItems: true,
+    description: "CORS allowed methods (comma-separated)"
+  },
+  CORS_HEADERS: {
+    type: "array",
+    optional: true,
+    separator: ",",
+    trimItems: true,
+    description: "CORS allowed headers (comma-separated)"
+  },
+  // ── Rate Limiting ─────────────────────────────────────────────────
+  RATE_LIMIT_WINDOW_MS: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Rate limit window in milliseconds"
+  },
+  RATE_LIMIT_MAX: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Maximum requests per rate limit window"
+  },
+  // ── Body Parsing ─────────────────────────────────────────────────
+  BODY_SIZE_LIMIT: {
+    type: "string",
+    optional: true,
+    description: 'Maximum request body size (e.g., "10mb")'
+  },
+  // ── Database ──────────────────────────────────────────────────────
+  DATABASE_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Primary database connection URL"
+  },
+  DATABASE_POOL_SIZE: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Database connection pool size"
+  },
+  // ── Authentication ────────────────────────────────────────────────
+  JWT_SECRET: {
+    type: "string",
+    optional: true,
+    description: "JWT signing secret"
+  },
+  JWT_EXPIRES_IN: {
+    type: "string",
+    optional: true,
+    description: 'JWT token expiration (e.g., "7d", "24h")'
+  },
+  SESSION_SECRET: {
+    type: "string",
+    optional: true,
+    description: "Express session secret"
+  },
+  COOKIE_SECRET: {
+    type: "string",
+    optional: true,
+    description: "Cookie signing secret"
+  },
+  // ── Logging ───────────────────────────────────────────────────────
+  LOG_LEVEL: {
+    type: "enum",
+    values: ["fatal", "error", "warn", "info", "debug", "trace", "silent"],
+    optional: true,
+    description: "Application log level",
+    default: "info"
+  },
+  LOG_FORMAT: {
+    type: "enum",
+    values: ["json", "text", "combined", "dev"],
+    optional: true,
+    description: "Log output format",
+    default: "dev"
+  },
+  // ── Security ──────────────────────────────────────────────────────
+  HELMET_ENABLED: {
+    type: "boolean",
+    optional: true,
+    description: "Enable Helmet security middleware",
+    default: true
+  },
+  HSTS_MAX_AGE: {
+    type: "number",
+    optional: true,
+    nonNegative: true,
+    description: "HTTP Strict Transport Security max age in seconds"
+  },
+  CSP_DIRECTIVES: {
+    type: "json",
+    optional: true,
+    description: "Content Security Policy directives (JSON object)"
+  },
+  // ── Compression ───────────────────────────────────────────────────
+  COMPRESSION_ENABLED: {
+    type: "boolean",
+    optional: true,
+    description: "Enable response compression",
+    default: true
+  },
+  // ── Health Check ──────────────────────────────────────────────────
+  HEALTH_CHECK_PATH: {
+    type: "string",
+    optional: true,
+    description: "Health check endpoint path",
+    default: "/health"
+  }
+};
+var EXPRESS_FILES = [
+  ".env" /* Env */,
+  ".env.local" /* EnvLocal */,
+  ".env.development" /* EnvDevelopment */,
+  ".env.development.local" /* EnvDevelopmentLocal */,
+  ".env.test" /* EnvTest */,
+  ".env.test.local" /* EnvTestLocal */,
+  ".env.production" /* EnvProduction */,
+  ".env.production.local" /* EnvProductionLocal */
+];
+var expressPreset = {
+  id: "express",
+  name: "Express",
+  description: "Configuration preset for Express.js backend applications",
+  schema: expressSchema,
+  files: EXPRESS_FILES,
+  tags: ["framework", "backend", "http", "node"]
+};
+
+// src/presets/fastify.ts
+var fastifySchema = {
+  // ── Server Configuration ──────────────────────────────────────────
+  PORT: {
+    type: "number",
+    positive: true,
+    description: "Fastify server listen port",
+    default: 3e3
+  },
+  HOST: {
+    type: "string",
+    description: "Fastify server listen hostname",
+    default: "0.0.0.0"
+  },
+  FASTIFY_ADDRESS: {
+    type: "string",
+    optional: true,
+    description: "Fastify listen address (alias for HOST)"
+  },
+  FASTIFY_PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Fastify listen port (alias for PORT)"
+  },
+  NODE_ENV: {
+    type: "enum",
+    values: ["development", "production", "test"],
+    description: "Node.js environment mode",
+    default: "development"
+  },
+  PREFIX: {
+    type: "string",
+    optional: true,
+    description: 'URL prefix for all routes (e.g., "/api/v1")'
+  },
+  // ── Fastify Core Options ──────────────────────────────────────────
+  FASTIFY_BODY_LIMIT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Maximum request body size in bytes"
+  },
+  FASTIFY_REQUEST_TIMEOUT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Request timeout in milliseconds"
+  },
+  FASTIFY_KEEP_ALIVE_TIMEOUT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Keep-alive timeout in milliseconds"
+  },
+  FASTIFY_MAX_HEADER_SIZE: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Maximum HTTP header size in bytes"
+  },
+  FASTIFY_HTTP2_ENABLED: {
+    type: "boolean",
+    optional: true,
+    description: "Enable HTTP/2 support"
+  },
+  FASTIFY_HTTPS_ENABLED: {
+    type: "boolean",
+    optional: true,
+    description: "Enable HTTPS (requires TLS cert/key)"
+  },
+  FASTIFY_HTTPS_CERT: {
+    type: "string",
+    optional: true,
+    description: "Path to TLS certificate file"
+  },
+  FASTIFY_HTTPS_KEY: {
+    type: "string",
+    optional: true,
+    description: "Path to TLS private key file"
+  },
+  // ── CORS ──────────────────────────────────────────────────────────
+  CORS_ORIGIN: {
+    type: "string",
+    optional: true,
+    description: "CORS allowed origins"
+  },
+  CORS_METHODS: {
+    type: "array",
+    optional: true,
+    separator: ",",
+    trimItems: true,
+    description: "CORS allowed methods"
+  },
+  // ── Database ──────────────────────────────────────────────────────
+  DATABASE_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Primary database connection URL"
+  },
+  // ── Authentication ────────────────────────────────────────────────
+  JWT_SECRET: {
+    type: "string",
+    optional: true,
+    description: "JWT signing secret"
+  },
+  FASTIFY_JWT_SECRET: {
+    type: "string",
+    optional: true,
+    description: "JWT secret (Fastify JWT plugin specific)"
+  },
+  // ── Logging (Fastify uses Pino) ──────────────────────────────────
+  LOG_LEVEL: {
+    type: "enum",
+    values: ["fatal", "error", "warn", "info", "debug", "trace", "silent"],
+    optional: true,
+    description: "Pino log level",
+    default: "info"
+  },
+  LOG_PRETTY_PRINT: {
+    type: "boolean",
+    optional: true,
+    description: "Enable Pino pretty printing (development only)"
+  },
+  FASTIFY_LOGGER: {
+    type: "boolean",
+    optional: true,
+    description: "Enable Fastify built-in Pino logger",
+    default: true
+  },
+  // ── Rate Limiting ─────────────────────────────────────────────────
+  RATE_LIMIT_MAX: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Max requests per time window"
+  },
+  RATE_LIMIT_TIME_WINDOW: {
+    type: "string",
+    optional: true,
+    description: 'Rate limit time window (e.g., "1 minute")'
+  },
+  // ── Health Check ──────────────────────────────────────────────────
+  HEALTH_CHECK_PATH: {
+    type: "string",
+    optional: true,
+    description: "Health check endpoint path",
+    default: "/health"
+  }
+};
+var FASTIFY_FILES = [
+  ".env" /* Env */,
+  ".env.local" /* EnvLocal */,
+  ".env.development" /* EnvDevelopment */,
+  ".env.development.local" /* EnvDevelopmentLocal */,
+  ".env.test" /* EnvTest */,
+  ".env.test.local" /* EnvTestLocal */,
+  ".env.production" /* EnvProduction */,
+  ".env.production.local" /* EnvProductionLocal */
+];
+var fastifyPreset = {
+  id: "fastify",
+  name: "Fastify",
+  description: "Configuration preset for Fastify HTTP framework with schema-based configuration",
+  schema: fastifySchema,
+  files: FASTIFY_FILES,
+  tags: ["framework", "backend", "http", "node", "performance"]
+};
+
+// src/presets/docker.ts
+var dockerSchema = {
+  // ── Docker Engine ─────────────────────────────────────────────────
+  DOCKER_HOST: {
+    type: "string",
+    optional: true,
+    description: "Docker daemon socket URL"
+  },
+  DOCKER_TLS_VERIFY: {
+    type: "boolean",
+    optional: true,
+    description: "Enable TLS verification for Docker daemon"
+  },
+  DOCKER_CERT_PATH: {
+    type: "string",
+    optional: true,
+    description: "Path to Docker TLS certificates"
+  },
+  DOCKER_API_VERSION: {
+    type: "string",
+    optional: true,
+    description: "Docker API version"
+  },
+  DOCKER_CONTEXT: {
+    type: "string",
+    optional: true,
+    description: "Docker context name"
+  },
+  // ── Docker Compose ────────────────────────────────────────────────
+  COMPOSE_FILE: {
+    type: "string",
+    optional: true,
+    description: "Docker Compose file path (default: docker-compose.yml)"
+  },
+  COMPOSE_PROJECT_NAME: {
+    type: "string",
+    optional: true,
+    description: "Docker Compose project name"
+  },
+  COMPOSE_PROFILES: {
+    type: "array",
+    optional: true,
+    separator: ",",
+    trimItems: true,
+    description: "Docker Compose active profiles"
+  },
+  COMPOSE_DOCKER_CLI_BUILD: {
+    type: "number",
+    optional: true,
+    description: "Use Docker CLI for builds (0 or 1)"
+  },
+  // ── Common Container Services ─────────────────────────────────────
+  // PostgreSQL
+  POSTGRES_USER: {
+    type: "string",
+    optional: true,
+    description: "PostgreSQL superuser name"
+  },
+  POSTGRES_PASSWORD: {
+    type: "string",
+    optional: true,
+    description: "PostgreSQL superuser password"
+  },
+  POSTGRES_DB: {
+    type: "string",
+    optional: true,
+    description: "PostgreSQL default database name"
+  },
+  POSTGRES_HOST: {
+    type: "string",
+    optional: true,
+    description: "PostgreSQL host (within Docker network)",
+    default: "postgres"
+  },
+  POSTGRES_PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "PostgreSQL port",
+    default: 5432
+  },
+  // Redis
+  REDIS_HOST: {
+    type: "string",
+    optional: true,
+    description: "Redis host (within Docker network)",
+    default: "redis"
+  },
+  REDIS_PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Redis port",
+    default: 6379
+  },
+  REDIS_PASSWORD: {
+    type: "string",
+    optional: true,
+    description: "Redis password"
+  },
+  // MySQL
+  MYSQL_ROOT_PASSWORD: {
+    type: "string",
+    optional: true,
+    description: "MySQL root password"
+  },
+  MYSQL_DATABASE: {
+    type: "string",
+    optional: true,
+    description: "MySQL default database name"
+  },
+  MYSQL_USER: {
+    type: "string",
+    optional: true,
+    description: "MySQL user name"
+  },
+  MYSQL_PASSWORD: {
+    type: "string",
+    optional: true,
+    description: "MySQL user password"
+  },
+  MYSQL_HOST: {
+    type: "string",
+    optional: true,
+    description: "MySQL host (within Docker network)",
+    default: "mysql"
+  },
+  MYSQL_PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "MySQL port",
+    default: 3306
+  },
+  // MongoDB
+  MONGO_INITDB_ROOT_USERNAME: {
+    type: "string",
+    optional: true,
+    description: "MongoDB root username"
+  },
+  MONGO_INITDB_ROOT_PASSWORD: {
+    type: "string",
+    optional: true,
+    description: "MongoDB root password"
+  },
+  MONGO_HOST: {
+    type: "string",
+    optional: true,
+    description: "MongoDB host (within Docker network)",
+    default: "mongodb"
+  },
+  MONGO_PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "MongoDB port",
+    default: 27017
+  },
+  // ── Networking ────────────────────────────────────────────────────
+  APP_PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Application container exposed port"
+  },
+  APP_HOST: {
+    type: "string",
+    optional: true,
+    description: "Application container hostname"
+  },
+  VIRTUAL_HOST: {
+    type: "string",
+    optional: true,
+    description: "Virtual host for nginx-proxy"
+  },
+  VIRTUAL_PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Virtual port for nginx-proxy"
+  },
+  LETSENCRYPT_HOST: {
+    type: "string",
+    optional: true,
+    description: "Let's Encrypt host(s) for nginx-proxy companion"
+  },
+  LETSENCRYPT_EMAIL: {
+    type: "string",
+    optional: true,
+    format: "email",
+    description: "Let's Encrypt notification email"
+  },
+  // ── Node.js App in Container ─────────────────────────────────────
+  NODE_ENV: {
+    type: "enum",
+    values: ["development", "production", "test"],
+    description: "Node.js environment mode",
+    default: "production"
+  }
+};
+var DOCKER_FILES = [
+  ".env" /* Env */,
+  ".env.local" /* EnvLocal */,
+  ".env.production" /* EnvProduction */,
+  ".env.production.local" /* EnvProductionLocal */
+];
+var dockerPreset = {
+  id: "docker",
+  name: "Docker",
+  description: "Configuration preset for Docker and Docker Compose with ARG/ENV awareness",
+  schema: dockerSchema,
+  files: DOCKER_FILES,
+  tags: ["infrastructure", "containers", "devops"]
+};
+
+// src/presets/aws-lambda.ts
+var awsLambdaSchema = {
+  // ── AWS System Variables (set by Lambda runtime) ──────────────────
+  AWS_REGION: {
+    type: "string",
+    optional: true,
+    description: "AWS region for the Lambda function (auto-set by Lambda)"
+  },
+  AWS_DEFAULT_REGION: {
+    type: "string",
+    optional: true,
+    description: "Default AWS region (usually same as AWS_REGION)"
+  },
+  AWS_ACCESS_KEY_ID: {
+    type: "string",
+    optional: true,
+    description: "AWS access key ID (auto-set by Lambda execution role)"
+  },
+  AWS_SECRET_ACCESS_KEY: {
+    type: "string",
+    optional: true,
+    description: "AWS secret access key (auto-set by Lambda execution role)"
+  },
+  AWS_SESSION_TOKEN: {
+    type: "string",
+    optional: true,
+    description: "AWS session token for temporary credentials"
+  },
+  // ── Lambda Runtime Info (read-only, set by runtime) ───────────────
+  AWS_LAMBDA_FUNCTION_NAME: {
+    type: "string",
+    optional: true,
+    description: "Lambda function name (set by runtime)"
+  },
+  AWS_LAMBDA_FUNCTION_VERSION: {
+    type: "string",
+    optional: true,
+    description: "Lambda function version (set by runtime)"
+  },
+  AWS_LAMBDA_FUNCTION_MEMORY_SIZE: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Allocated memory in MB (set by Lambda configuration)"
+  },
+  AWS_LAMBDA_FUNCTION_TIMEOUT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Function timeout in seconds (set by Lambda configuration)"
+  },
+  AWS_LAMBDA_LOG_GROUP_NAME: {
+    type: "string",
+    optional: true,
+    description: "CloudWatch log group name (set by runtime)"
+  },
+  AWS_LAMBDA_LOG_STREAM_NAME: {
+    type: "string",
+    optional: true,
+    description: "CloudWatch log stream name (set by runtime)"
+  },
+  // ── Custom Application Variables ──────────────────────────────────
+  NODE_ENV: {
+    type: "enum",
+    values: ["development", "production", "test"],
+    description: "Node.js environment mode",
+    default: "production"
+  },
+  APP_ENV: {
+    type: "string",
+    optional: true,
+    description: "Application environment identifier (e.g., staging, prod)"
+  },
+  LOG_LEVEL: {
+    type: "enum",
+    values: ["fatal", "error", "warn", "info", "debug", "trace", "silent"],
+    optional: true,
+    description: "Application log level",
+    default: "info"
+  },
+  // ── Database (common patterns) ────────────────────────────────────
+  DATABASE_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Database connection URL"
+  },
+  DB_HOST: {
+    type: "string",
+    optional: true,
+    description: "Database host (within VPC)"
+  },
+  DB_PORT: {
+    type: "number",
+    optional: true,
+    positive: true,
+    description: "Database port"
+  },
+  DB_NAME: {
+    type: "string",
+    optional: true,
+    description: "Database name"
+  },
+  DB_USER: {
+    type: "string",
+    optional: true,
+    description: "Database user"
+  },
+  DB_PASSWORD: {
+    type: "string",
+    optional: true,
+    description: "Database password"
+  },
+  // ── Common AWS Service Variables ──────────────────────────────────
+  S3_BUCKET_NAME: {
+    type: "string",
+    optional: true,
+    description: "Default S3 bucket name"
+  },
+  SQS_QUEUE_URL: {
+    type: "string",
+    optional: true,
+    format: "url",
+    description: "Default SQS queue URL"
+  },
+  SNS_TOPIC_ARN: {
+    type: "string",
+    optional: true,
+    description: "Default SNS topic ARN"
+  },
+  DYNAMODB_TABLE_NAME: {
+    type: "string",
+    optional: true,
+    description: "Default DynamoDB table name"
+  },
+  KMS_KEY_ID: {
+    type: "string",
+    optional: true,
+    description: "Default KMS key ID for encryption"
+  },
+  COGNITO_USER_POOL_ID: {
+    type: "string",
+    optional: true,
+    description: "Cognito user pool ID"
+  },
+  COGNITO_CLIENT_ID: {
+    type: "string",
+    optional: true,
+    description: "Cognito app client ID"
+  },
+  // ── Secrets Manager / SSM Integration ─────────────────────────────
+  SECRETS_MANAGER_PREFIX: {
+    type: "string",
+    optional: true,
+    description: "AWS Secrets Manager path prefix for this function"
+  },
+  SSM_PARAMETER_PREFIX: {
+    type: "string",
+    optional: true,
+    description: "AWS SSM Parameter Store path prefix for this function"
+  },
+  // ── Feature Flags ─────────────────────────────────────────────────
+  FEATURE_FLAGS: {
+    type: "json",
+    optional: true,
+    description: "Feature flags configuration (JSON object)"
+  },
+  ENABLE_DEBUG_MODE: {
+    type: "boolean",
+    optional: true,
+    description: "Enable verbose debug logging"
+  }
+};
+var AWS_LAMBDA_FILES = [
+  ".env" /* Env */,
+  ".env.local" /* EnvLocal */,
+  ".env.production" /* EnvProduction */,
+  ".env.production.local" /* EnvProductionLocal */
+];
+var awsLambdaPreset = {
+  id: "aws-lambda",
+  name: "AWS Lambda",
+  description: "Configuration preset for AWS Lambda with AWS system variable awareness",
+  schema: awsLambdaSchema,
+  files: AWS_LAMBDA_FILES,
+  tags: ["serverless", "aws", "cloud", "infrastructure"]
+};
+
+// src/presets/index.ts
+var presets = {};
+function registerPreset(name, preset) {
+  if (presets[name] !== void 0) {
+    process.stderr.write(
+      `[ultraenv] Warning: overwriting existing preset "${name}"
+`
+    );
+  }
+  presets[name] = preset;
+}
+function getPreset(name) {
+  return presets[name];
+}
+function listPresets() {
+  return Object.keys(presets);
+}
+function hasPreset(name) {
+  return name in presets;
+}
+function unregisterPreset(name) {
+  if (name in presets) {
+    delete presets[name];
+    return true;
+  }
+  return false;
+}
+function getAllPresets() {
+  return { ...presets };
+}
+var BUILT_IN_PRESETS = [
+  ["nextjs", nextjsPreset],
+  ["vite", vitePreset],
+  ["nuxt", nuxtPreset],
+  ["remix", remixPreset],
+  ["sveltekit", sveltekitPreset],
+  ["express", expressPreset],
+  ["fastify", fastifyPreset],
+  ["docker", dockerPreset],
+  ["aws-lambda", awsLambdaPreset]
+];
+for (const [name, preset] of BUILT_IN_PRESETS) {
+  registerPreset(name, preset);
+}
+
+// src/middleware/health.ts
+function healthCheck(options = {}) {
+  const {
+    source = process.env,
+    loadedFiles = [],
+    validCount,
+    metadata = {}
+  } = options;
+  const envKeys = Object.entries(source).filter(
+    ([, value]) => value !== void 0 && value !== ""
+  );
+  const loaded = envKeys.length;
+  const environment = detectEnvironment(source);
+  const valid = validCount ?? loaded;
+  const files = loadedFiles.length > 0 ? loadedFiles.map((f) => {
+    const lastSlash = f.lastIndexOf("/");
+    const lastBackslash = f.lastIndexOf("\\");
+    const lastSep = Math.max(lastSlash, lastBackslash);
+    return lastSep >= 0 ? f.slice(lastSep + 1) : f;
+  }) : [];
+  return {
+    status: "ok",
+    loaded,
+    valid,
+    environment,
+    files,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    metadata
+  };
+}
+function liveCheck() {
+  return {
+    status: "ok",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function readinessCheck(requiredVars, source) {
+  const env = source ?? process.env;
+  const missing = [];
+  for (const varName of requiredVars) {
+    const value = env[varName];
+    if (value === void 0 || value === "") {
+      missing.push(varName);
+    }
+  }
+  return {
+    status: missing.length === 0 ? "ok" : "error",
+    ready: missing.length === 0,
+    missing,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function detectEnvironment(env) {
+  const candidates = [
+    "NODE_ENV",
+    "APP_ENV",
+    "ENVIRONMENT",
+    "ENV",
+    "STAGE"
+  ];
+  for (const candidate of candidates) {
+    const value = env[candidate];
+    if (value !== void 0 && value !== "") {
+      return value;
+    }
+  }
+  return "unknown";
+}
+
+// src/utils/box.ts
+var DOUBLE = {
+  topLeft: "\u2554",
+  topRight: "\u2557",
+  bottomLeft: "\u255A",
+  bottomRight: "\u255D",
+  horizontal: "\u2550",
+  vertical: "\u2551",
+  leftTee: "\u2560",
+  rightTee: "\u2563"
+};
+function hRuleBottom(width, chars = DOUBLE) {
+  return `${chars.bottomLeft}${chars.horizontal.repeat(width + 2)}${chars.bottomRight}`;
+}
+function boxLine(text, width, chars = DOUBLE) {
+  const padded = text.length <= width ? text.padEnd(width) : text.slice(0, width);
+  return `${chars.vertical} ${padded} ${chars.vertical}`;
+}
+function drawTitledBox(title, lines, chars = DOUBLE) {
+  if (lines.length === 0) {
+    return [hRuleTitled(title, 0, chars), boxLine("", 0, chars), hRuleBottom(0, chars)].join("\n");
+  }
+  const innerWidth = Math.max(
+    ...lines.map((line) => stripAnsi(line).length),
+    title.length + 2,
+    0
+  );
+  const result = [];
+  result.push(hRuleTitled(title, innerWidth, chars));
+  for (const line of lines) {
+    const stripped = stripAnsi(line);
+    const visibleLen = stripped.length;
+    const rightPad = Math.max(0, innerWidth - visibleLen);
+    result.push(`${chars.vertical} ${line}${" ".repeat(rightPad)} ${chars.vertical}`);
+  }
+  result.push(hRuleBottom(innerWidth, chars));
+  return result.join("\n");
+}
+function hRuleTitled(title, width, chars = DOUBLE) {
+  const paddedTitle = ` ${title} `;
+  const totalWidth = width + 2;
+  const remaining = Math.max(0, totalWidth - paddedTitle.length);
+  const right = remaining % 2 === 0 ? chars.horizontal.repeat(remaining) : chars.horizontal.repeat(remaining) + " ";
+  return `${chars.topLeft}${chars.horizontal}${paddedTitle}${right}${chars.topRight}`;
+}
+function stripAnsi(str) {
+  return str.replace(/\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])/g, "");
+}
+
+// src/reporters/terminal.ts
+var ANSI = {
+  reset: "\x1B[0m",
+  bold: "\x1B[1m",
+  dim: "\x1B[2m",
+  red: "\x1B[31m",
+  green: "\x1B[32m",
+  yellow: "\x1B[33m",
+  blue: "\x1B[34m",
+  magenta: "\x1B[35m",
+  cyan: "\x1B[36m",
+  white: "\x1B[37m",
+  gray: "\x1B[90m",
+  bgRed: "\x1B[41m",
+  bgGreen: "\x1B[42m",
+  bgYellow: "\x1B[43m"
+};
+var DEFAULT_BOX = {
+  topLeft: "\u2554",
+  topRight: "\u2557",
+  bottomLeft: "\u255A",
+  bottomRight: "\u255D",
+  horizontal: "\u2550",
+  vertical: "\u2551",
+  leftTee: "\u2560",
+  rightTee: "\u2563"
+};
+function reportValidation(result, options = {}) {
+  const { color = true, boxStyle = DEFAULT_BOX } = options;
+  const c = color ? ANSI : noColorANSI();
+  if (result.valid) {
+    const lines = [];
+    lines.push(`${c.green}${c.bold}  \u2713${c.reset}  All ${Object.keys(result.validated).length} variables passed validation`);
+    if (result.warnings.length > 0) {
+      lines.push("");
+      for (const warning of result.warnings) {
+        lines.push(`${c.yellow}  \u26A0${c.reset}  ${warning.field}: ${warning.message}`);
+      }
+    }
+    return lines.join("\n");
+  }
+  const errorLines = [];
+  for (const error of result.errors) {
+    const fieldDisplay = `${c.red}${c.bold}${error.field}${c.reset}`;
+    const messageDisplay = error.message;
+    const expectedDisplay = `${c.dim}expected: ${error.expected}${c.reset}`;
+    const valueDisplay = error.value !== void 0 && error.value !== "" ? `${c.dim}value: ${maskValue2(error.value)}${c.reset}` : `${c.dim}value: (empty)${c.reset}`;
+    const hintDisplay = error.hint !== void 0 ? `${c.cyan}hint: ${error.hint}${c.reset}` : "";
+    const sourceDisplay = error.source !== void 0 ? `${c.gray}source: ${error.source}${error.source !== void 0 && error.lineNumber !== void 0 ? `:${error.lineNumber}` : ""}${c.reset}` : "";
+    errorLines.push(`${fieldDisplay}  ${messageDisplay}`);
+    errorLines.push(`  ${expectedDisplay}`);
+    errorLines.push(`  ${valueDisplay}`);
+    if (hintDisplay) errorLines.push(`  ${hintDisplay}`);
+    if (sourceDisplay) errorLines.push(`  ${sourceDisplay}`);
+  }
+  const title = `${c.bgRed}${c.white}${c.bold} Validation Failed (${result.errors.length} error${result.errors.length === 1 ? "" : "s"}) ${c.reset}`;
+  const box = drawTitledBox(title, errorLines, boxStyle);
+  const output = [box];
+  if (result.warnings.length > 0) {
+    output.push("");
+    const warningLines = [];
+    for (const warning of result.warnings) {
+      warningLines.push(`${c.yellow}\u26A0${c.reset} ${warning.field}: ${warning.message} ${c.dim}[${warning.code}]${c.reset}`);
+    }
+    output.push(warningLines.join("\n"));
+  }
+  if (result.unknown.length > 0) {
+    output.push("");
+    output.push(`${c.gray}?${c.reset}  Unknown variables: ${result.unknown.map((u) => `${c.dim}${u}${c.reset}`).join(", ")}`);
+  }
+  return output.join("\n");
+}
+function reportError(error, options = {}) {
+  const { color = true, boxStyle = DEFAULT_BOX } = options;
+  const c = color ? ANSI : noColorANSI();
+  const code = error.code ?? "ULTRAENV_ERROR";
+  const lines = [
+    `${c.red}${c.bold}Error [${code}]${c.reset}`,
+    `  ${error.message}`
+  ];
+  if (error.hint !== void 0) {
+    lines.push("");
+    lines.push(`${c.cyan}  \u{1F4A1} ${error.hint}${c.reset}`);
+  }
+  const title = `${c.bgRed}${c.white}${c.bold} ${code} ${c.reset}`;
+  return drawTitledBox(title, lines, boxStyle);
+}
+function reportSuccess(message, options = {}) {
+  const { color = true } = options;
+  const c = color ? ANSI : noColorANSI();
+  return `${c.green}${c.bold}  \u2713${c.reset}  ${message}`;
+}
+function reportWarning(warning, options = {}) {
+  const { color = true } = options;
+  const c = color ? ANSI : noColorANSI();
+  const parts = [
+    `${c.yellow}  \u26A0${c.reset}  ${c.bold}${warning.field}${c.reset}: ${warning.message}`
+  ];
+  if (warning.value !== void 0 && warning.value !== "") {
+    parts.push(`${c.dim}  value: ${maskValue2(warning.value)}${c.reset}`);
+  }
+  if (warning.code !== void 0) {
+    parts.push(`${c.dim}  code: ${warning.code}${c.reset}`);
+  }
+  return parts.join("\n");
+}
+function reportInfo(message, options = {}) {
+  const { color = true } = options;
+  const c = color ? ANSI : noColorANSI();
+  return `${c.blue}  \u2139${c.reset}  ${message}`;
+}
+function reportScanResult(result, options = {}) {
+  const { color = true, boxStyle = DEFAULT_BOX } = options;
+  const c = color ? ANSI : noColorANSI();
+  if (!result.found) {
+    return `${c.green}${c.bold}  \u2713${c.reset}  No secrets detected. Scanned ${result.filesScanned.length} file(s) in ${result.scanTimeMs}ms.`;
+  }
+  const output = [];
+  const summaryLines = [
+    `${c.red}${c.bold}${result.secrets.length} secret(s) detected${c.reset} across ${result.secrets.length > 0 ? new Set(result.secrets.map((s) => s.file)).size : 0} file(s)`,
+    `Scanned: ${result.filesScanned.length} files | Skipped: ${result.filesSkipped.length} | Time: ${result.scanTimeMs}ms`
+  ];
+  const summaryTitle = `${c.bgRed}${c.white}${c.bold} Secret Scan Results ${c.reset}`;
+  output.push(drawTitledBox(summaryTitle, summaryLines, boxStyle));
+  output.push("");
+  const header = [
+    `${c.bold}Severity${c.reset}`,
+    `${c.bold}Type${c.reset}`,
+    `${c.bold}File${c.reset}`,
+    `${c.bold}Line${c.reset}`,
+    `${c.bold}Value${c.reset}`
+  ];
+  const rows = [header];
+  for (const secret of result.secrets) {
+    const severityColor = secret.pattern.severity === "critical" ? c.red : secret.pattern.severity === "high" ? c.yellow : c.dim;
+    const severityIcon = secret.pattern.severity === "critical" ? "\u2717" : secret.pattern.severity === "high" ? "!" : "?";
+    const lastSlash = secret.file.lastIndexOf("/");
+    const lastBackslash = secret.file.lastIndexOf("\\");
+    const lastSep = Math.max(lastSlash, lastBackslash);
+    const fileName = lastSep >= 0 ? secret.file.slice(lastSep + 1) : secret.file;
+    rows.push([
+      `${severityColor}${severityIcon} ${secret.pattern.severity}${c.reset}`,
+      secret.pattern.name,
+      `${c.cyan}${fileName}${c.reset}`,
+      `${c.dim}:${secret.line}:${secret.column}${c.reset}`,
+      `${c.dim}${maskValue2(secret.value, 6, 4)}${c.reset}`
+    ]);
+  }
+  const table = formatTable(rows);
+  output.push(table);
+  return output.join("\n");
+}
+function formatTable(rows) {
+  if (rows.length === 0) return "";
+  function visibleWidth(s) {
+    return s.replace(/\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])/g, "").length;
+  }
+  const colCount = Math.max(...rows.map((row) => row.length));
+  const colWidths = [];
+  for (let col = 0; col < colCount; col++) {
+    let maxW = 0;
+    for (const row of rows) {
+      if (col < row.length) {
+        const w = visibleWidth(row[col]);
+        if (w > maxW) maxW = w;
+      }
+    }
+    colWidths.push(maxW);
+  }
+  return rows.map(
+    (row) => row.map((cell, col) => {
+      const w = visibleWidth(cell);
+      const padding = Math.max(0, (colWidths[col] ?? 0) - w);
+      return cell + " ".repeat(padding);
+    }).join("  ")
+  ).join("\n");
+}
+function maskValue2(value, visibleStart = 4, visibleEnd = 4) {
+  if (value.length <= visibleStart + visibleEnd) {
+    return "*".repeat(value.length);
+  }
+  const start = value.slice(0, visibleStart);
+  const end = value.slice(-visibleEnd);
+  const masked = "*".repeat(Math.max(4, value.length - visibleStart - visibleEnd));
+  return `${start}${masked}${end}`;
+}
+function noColorANSI() {
+  const obj = {};
+  for (const [key, _value] of Object.entries(ANSI)) {
+    obj[key] = "";
+  }
+  return obj;
+}
+
+// src/reporters/json.ts
+function reportValidation2(result, options = {}) {
+  const { pretty = true, indent = 2 } = options;
+  const output = {
+    valid: result.valid,
+    errorCount: result.errors.length,
+    warningCount: result.warnings.length,
+    validatedCount: Object.keys(result.validated).length,
+    unknownCount: result.unknown.length
+  };
+  if (result.errors.length > 0) {
+    output.errors = result.errors.map((error) => ({
+      field: error.field,
+      message: error.message,
+      expected: error.expected,
+      hint: error.hint,
+      source: error.source ?? null,
+      lineNumber: error.lineNumber ?? null
+    }));
+  }
+  if (result.warnings.length > 0) {
+    output.warnings = result.warnings.map((warning) => ({
+      field: warning.field,
+      message: warning.message,
+      code: warning.code
+    }));
+  }
+  if (result.unknown.length > 0) {
+    output.unknown = result.unknown;
+  }
+  return serialize(output, pretty, indent);
+}
+function reportError2(error, options = {}) {
+  const { pretty = true, indent = 2, includeStack = false } = options;
+  const output = {
+    name: error.name,
+    code: error.code,
+    message: error.message
+  };
+  if (error.hint !== void 0) {
+    output.hint = error.hint;
+  }
+  if (includeStack && error.stack !== void 0) {
+    output.stack = error.stack;
+  }
+  if (error.cause !== void 0) {
+    output.cause = error.cause instanceof Error ? {
+      name: error.cause.name,
+      message: error.cause.message,
+      ...includeStack && error.cause.stack ? { stack: error.cause.stack } : {}
+    } : String(error.cause);
+  }
+  return serialize(output, pretty, indent);
+}
+function reportScanResult2(result, options = {}) {
+  const { pretty = true, indent = 2 } = options;
+  const severityCounts = { critical: 0, high: 0, medium: 0, low: 0 };
+  for (const secret of result.secrets) {
+    const severity = secret.pattern.severity;
+    severityCounts[severity] = (severityCounts[severity] ?? 0) + 1;
+  }
+  const output = {
+    found: result.found,
+    totalSecrets: result.secrets.length,
+    severityBreakdown: severityCounts,
+    filesScanned: result.filesScanned.length,
+    filesSkipped: result.filesSkipped.length,
+    scanTimeMs: result.scanTimeMs,
+    timestamp: result.timestamp
+  };
+  if (result.secrets.length > 0) {
+    output.secrets = result.secrets.map((secret) => ({
+      type: secret.pattern.name,
+      severity: secret.pattern.severity,
+      category: secret.pattern.category,
+      file: secret.file,
+      line: secret.line,
+      column: secret.column,
+      value: maskValue3(secret.value),
+      confidence: secret.confidence,
+      remediation: secret.pattern.remediation
+    }));
+  }
+  return serialize(output, pretty, indent);
+}
+function serialize(obj, pretty, indent) {
+  if (pretty) {
+    return JSON.stringify(obj, null, indent);
+  }
+  return JSON.stringify(obj);
+}
+function maskValue3(value, visibleChars = 4) {
+  if (value.length <= visibleChars + 4) {
+    return "*".repeat(value.length);
+  }
+  const start = value.slice(0, visibleChars);
+  const end = value.slice(-4);
+  const masked = "*".repeat(Math.max(4, value.length - visibleChars - 4));
+  return `${start}${masked}${end}`;
+}
+
+// src/reporters/sarif.ts
+function mapSeverity(severity) {
+  switch (severity) {
+    case "critical":
+      return { level: "error", securitySeverity: "9.0" };
+    case "high":
+      return { level: "error", securitySeverity: "7.0" };
+    case "medium":
+      return { level: "warning", securitySeverity: "5.0" };
+  }
+}
+function reportScanResult3(result, options = {}) {
+  const { toolVersion = "1.0.0" } = options;
+  const ruleMap = /* @__PURE__ */ new Map();
+  const rules = [];
+  for (const secret of result.secrets) {
+    const pattern = secret.pattern;
+    if (ruleMap.has(pattern.id)) continue;
+    const { securitySeverity } = mapSeverity(pattern.severity);
+    const rule = {
+      id: pattern.id,
+      name: pattern.name,
+      shortDescription: { text: pattern.name },
+      fullDescription: { text: pattern.description },
+      helpUri: `https://github.com/ultraenv/ultraenv/blob/main/docs/rules/${pattern.id}.md`,
+      properties: {
+        "security-severity": securitySeverity,
+        tags: [`security`, `secret`, pattern.category]
+      }
+    };
+    ruleMap.set(pattern.id, rule);
+    rules.push(rule);
+  }
+  if (options.additionalRules !== void 0) {
+    for (const rule of options.additionalRules) {
+      if (!ruleMap.has(rule.id)) {
+        ruleMap.set(rule.id, rule);
+        rules.push(rule);
+      }
+    }
+  }
+  const sarifResults = [];
+  for (const secret of result.secrets) {
+    const pattern = secret.pattern;
+    const ruleIndex = rules.findIndex((r) => r.id === pattern.id);
+    if (ruleIndex === -1) continue;
+    const { level } = mapSeverity(pattern.severity);
+    const sarifResult = {
+      ruleId: pattern.id,
+      ruleIndex,
+      level,
+      message: {
+        text: `Potential secret detected: ${pattern.name}. ${pattern.description}`
+      },
+      locations: [
+        {
+          physicalLocation: {
+            artifactLocation: {
+              uri: secret.file
+            },
+            region: {
+              startLine: secret.line,
+              startColumn: secret.column
+            }
+          },
+          message: {
+            text: pattern.remediation
+          }
+        }
+      ],
+      properties: {
+        confidence: secret.confidence,
+        category: pattern.category
+      }
+    };
+    sarifResults.push(sarifResult);
+  }
+  const document = {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "ultraenv",
+            version: toolVersion,
+            informationUri: "https://github.com/ultraenv/ultraenv",
+            rules
+          }
+        },
+        results: sarifResults,
+        invocations: [
+          {
+            executionSuccessful: true,
+            startTimeUtc: result.timestamp,
+            endTimeUtc: (/* @__PURE__ */ new Date()).toISOString()
+          }
+        ]
+      }
+    ]
+  };
+  return JSON.stringify(document, null, 2);
+}
+
+// src/index.ts
+var index_default = { version: VERSION };
+export {
+  ConfigError,
+  EncryptionError,
+  FileSystemError,
+  InterpolationError,
+  ParseError,
+  ScanError,
+  SecureBuffer,
+  SecureString,
+  UltraenvError,
+  ValidationError as UltraenvValidationError,
+  VERSION,
+  VaultError,
+  addCustomPattern,
+  compareEnvironments,
+  compareSync,
+  compareValues,
+  computeIntegrity,
+  computeVaultChecksum,
+  copyFile,
+  createEnvironment,
+  createSecureString,
+  createSecureStringFromBuffer,
+  createSyncWatcher,
+  createTypegenWatcher,
+  createUltraenvPlugin,
+  createWatcher,
+  decryptEnvironment,
+  decryptValue,
+  index_default as default,
+  defineEnv,
+  deriveEnvironmentKey,
+  detectHighEntropyStrings,
+  discoverEnvironments,
+  duplicateEnvironment,
+  encryptEnvironment,
+  encryptValue,
+  ensureDir,
+  exists,
+  expandVariables,
+  findConfig,
+  findUp,
+  formatComparison,
+  formatKey,
+  formatScanResult,
+  generateDeclaration,
+  generateExampleContent,
+  generateExampleFile,
+  generateJsonSchema,
+  generateKeysFile,
+  generateMasterKey,
+  generateModule,
+  getActiveEnvironment,
+  getAllPresets,
+  getEnvironmentData,
+  getPreset,
+  getVaultEnvironments,
+  hasPreset,
+  healthCheck,
+  healthCheckRoute,
+  isDirectory,
+  isEncryptedValue,
+  isFile,
+  isHighEntropy,
+  isUltraenvError,
+  isValidKeyFormat,
+  listEnvironments,
+  listFiles,
+  listPresets,
+  liveCheck,
+  load,
+  loadConfig,
+  loadSync,
+  loadWithResult,
+  loadWithResultSync,
+  maskKey,
+  maskValue as maskSecretValue,
+  matchPatterns,
+  mergeCascade,
+  needsUpdate,
+  parseEnvFile,
+  parseKey,
+  parseKeysFile,
+  parseVaultFile,
+  readFile,
+  readFileSync,
+  readVaultFile,
+  readinessCheck,
+  registerPreset,
+  removeCustomPattern,
+  removeEnvironment,
+  removeFile,
+  reportError,
+  reportError2 as reportErrorJson,
+  reportInfo,
+  reportScanResult2 as reportScanResultJson,
+  reportScanResult3 as reportScanResultSarif,
+  reportScanResult as reportScanResultTerminal,
+  reportSuccess,
+  reportValidation,
+  reportValidation2 as reportValidationJson,
+  reportWarning,
+  resetPatterns,
+  resolveCascade,
+  rotateKey,
+  scan,
+  scanDiff,
+  scanFiles,
+  scanGitHistory,
+  scanLineForEntropy,
+  scanStagedFiles,
+  secureCompare,
+  serializeVaultFile,
+  shannonEntropy,
+  switchEnvironment,
+  t,
+  tryDefineEnv,
+  ultraenvMiddleware,
+  ultraenvPlugin,
+  unregisterPreset,
+  validate,
+  validateAllEnvironments,
+  verifyIntegrity,
+  verifyVaultChecksum,
+  wipeString,
+  writeFile,
+  writeVaultFile
+};