varlock 0.0.12 → 0.0.14

package/dist/auto-load.js

@@ -1,7 +1,7 @@
-import './chunk-TWKAUCTT.js';
-import './chunk-UPKIHHPE.js';
+import './chunk-ZYL5D2UA.js';
+import './chunk-C5BEZMSO.js';
 import './chunk-OM3JCP4E.js';
-import './chunk-POJECYSY.js';
+import './chunk-7JMYT62X.js';
 import './chunk-2SPIWTVE.js';
 import './chunk-FGMXIEFA.js';
 import './chunk-XN24GZXQ.js';

package/dist/{chunk-23GW4X5J.js → chunk-4QTFFYV6.js}

@@ -1,9 +1,9 @@
-import { ansis_default, gracefulExit, my_dash_default, getItemSummary, joinAndCompact } from './chunk-NXAXPMO5.js';
+import { ansis_default, gracefulExit, my_dash_default, getItemSummary, joinAndCompact, loadEnvGraph } from './chunk-FCVBOYES.js';
 import { __name } from './chunk-XN24GZXQ.js';
 
 // src/cli/helpers/error-checks.ts
 function checkForSchemaErrors(envGraph) {
-  for (const source of envGraph.dataSources) {
+  for (const source of envGraph.sortedDataSources) {
     if (source.loadingError) {
       console.log(`\u{1F6A8} Error encountered while loading ${source.label}`);
       console.log(source.loadingError.message);
@@ -64,6 +64,17 @@ function checkForConfigErrors(envGraph, opts) {
 }
 __name(checkForConfigErrors, "checkForConfigErrors");
 
-export { InvalidEnvError, checkForConfigErrors, checkForSchemaErrors };
-//# sourceMappingURL=chunk-23GW4X5J.js.map
-//# sourceMappingURL=chunk-23GW4X5J.js.map
+// src/lib/load-graph.ts
+async function loadVarlockEnvGraph(opts) {
+  const envGraph = await loadEnvGraph({
+    ...opts,
+    afterInit: /* @__PURE__ */ __name(async (_g) => {
+    }, "afterInit")
+  });
+  return envGraph;
+}
+__name(loadVarlockEnvGraph, "loadVarlockEnvGraph");
+
+export { InvalidEnvError, checkForConfigErrors, checkForSchemaErrors, loadVarlockEnvGraph };
+//# sourceMappingURL=chunk-4QTFFYV6.js.map
+//# sourceMappingURL=chunk-4QTFFYV6.js.map

package/dist/chunk-4QTFFYV6.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli/helpers/error-checks.ts","../src/lib/load-graph.ts"],"names":[],"mappings":";;;;AAMO,SAAS,qBAAqB,QAAA,EAAoB;AAEvD,EAAA,KAAA,MAAW,MAAA,IAAU,SAAS,iBAAA,EAAmB;AAO/C,IAAA,IAAI,OAAO,YAAA,EAAc;AACvB,MAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,0CAAA,EAAsC,MAAA,CAAO,KAAK,CAAA,CAAE,CAAA;AAChE,MAAA,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,YAAA,CAAa,OAAO,CAAA;AAGvC,MAAA,IAAI,UAAA,IAAc,OAAO,YAAA,EAAc;AACrC,QAAA,OAAA,CAAQ,GAAA,CAAK,MAAA,CAAO,YAAA,CAAqC,QAAQ,CAAA;AAEjE,QAAA,MAAM,MAAA,GAAU,OAAO,YAAA,CAAqC,QAAA;AAE5D,QAAA,MAAM,UAAA,GAAa;AAAA,UACjB,MAAA,CAAO,OAAA;AAAA,UACP,CAAA,EAAG,aAAA,CAAM,IAAA,CAAK,GAAA,CAAI,OAAO,MAAA,CAAO,SAAA,GAAY,CAAC,CAAC,CAAC,CAAA,EAAG,aAAA,CAAM,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,SAClE,CAAE,KAAK,IAAI,CAAA;AAEX,QAAA,OAAA,CAAQ,IAAI,yBAAyB,CAAA;AACrC,QAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAA,EAAI,MAAA,CAAO,IAAI,CAAA,CAAA,EAAI,OAAO,UAAU,CAAA,CAAA,EAAI,MAAA,CAAO,SAAS,CAAA,CAAE,CAAA;AACtE,QAAA,OAAA,CAAQ,IAAI,UAAU,CAAA;AAAA,MACxB;AAEA,MAAA,OAAO,aAAa,CAAC,CAAA;AAAA,IACvB;AAAA,EACF;AASF;AAxCgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AA0CT,IAAM,eAAA,GAAN,cAA8B,KAAA,CAAM;AAAA,EAhD3C;AAgD2C,IAAA,MAAA,CAAA,IAAA,EAAA,iBAAA,CAAA;AAAA;AAAA,EACzC,WAAA,GAAc;AACZ,IAAA,KAAA,CAAM,6CAA6C,CAAA;AAAA,EACrD;AAAA,EACA,kBAAA,GAAqB;AACnB,IAAA,OAAO;AAAA,UAAA,EAAQ,aAAA,CAAM,GAAA,CAAI,IAAA,CAAK,OAAO,CAAC,CAAA;AAAA,CAAA;AAAA,EACxC;AACF;AAEO,SAAS,oBAAA,CAAqB,UAAoB,IAAA,EAEtD;AACD,EAAA,MAAM,YAAA,GAAe,eAAA,CAAE,MAAA,CAAO,eAAA,CAAE,MAAA,CAAO,QAAA,CAAS,YAAY,CAAA,EAAG,CAAC,IAAA,KAAqB,IAAA,CAAK,eAAA,KAAoB,OAAO,CAAA;AAGrH,EAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,IAAA,OAAA,CAAQ,GAAA,CAAI;AAAA,+BAAA,EAAe,aAAA,CAAM,IAAA,CAAK,SAAA,CAAU,qCAAqC,CAAC,CAAA;AAAA,CAAc,CAAA;AACpG,IAAA,OAAA,CAAQ,IAAI,kBAAkB,CAAA;AAE9B,IAAA,eAAA,CAAE,IAAA,CAAK,YAAA,EAAc,CAAC,IAAA,KAAqB;AACzC,MAAA,OAAA,CAAQ,GAAA,CAAI,cAAA,CAAe,IAAI,CAAC,CAAA;AAChC,MAAA,OAAA,CAAQ,GAAA,EAAI;AAAA,IACd,CAAC,CAAA;AACD,IAAA,IAAI,MAAM,OAAA,EAAS;AACjB,MAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,MAAA,OAAA,CAAQ,IAAI,cAAA,CAAe;AAAA,QACzB,cAAA;AAAA,QACA,aAAA,CAAM,MAAA,CAAO,IAAA,CAAK,oCAAoC;AAAA,OACvD,CAAC,CAAA;AACF,MAAA,OAAA,CAAQ,GAAA,EAAI;AACZ,MAAA,MAAM,UAAA,GAAa,eAAA,CAAE,MAAA,CAAO,eAAA,CAAE,MAAA,CAAO,QAAA,CAAS,YAAY,CAAA,EAAG,CAAC,CAAA,KAAkB,CAAC,CAAC,EAAE,OAAO,CAAA;AAC3F,MAAA,eAAA,CAAE,IAAA,CAAK,UAAA,EAAY,CAAC,IAAA,KAAqB;AACvC,QAAA,OAAA,CAAQ,GAAA,CAAI,cAAA,CAAe,IAAI,CAAC,CAAA;AAAA,MAClC,CAAC,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,IAAI,eAAA,EAAgB;AAAA,EAC5B;AACF;AA7BgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;;;ACvDhB,eAAsB,oBAAoB,IAAA,EAEvC;AACD,EAAA,MAAM,QAAA,GAAW,MAAM,YAAA,CAAa;AAAA,IAClC,GAAG,IAAA;AAAA,IACH,SAAA,gCAAkB,EAAA,KAAO;AAAA,IAEzB,CAAA,EAFW,WAAA;AAAA,GAGZ,CAAA;AAED,EAAA,OAAO,QAAA;AACT;AAXsB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA","file":"chunk-4QTFFYV6.js","sourcesContent":["import ansis from 'ansis';\nimport { EnvGraph, ConfigItem, EnvSourceParseError } from '../../../env-graph';\nimport _ from '@env-spec/utils/my-dash';\nimport { getItemSummary, joinAndCompact } from '../../lib/formatting';\nimport { gracefulExit } from 'exit-hook';\n\nexport function checkForSchemaErrors(envGraph: EnvGraph) {\n  // first we check for loading/parse errors - some cases we may want to let it fail silently?\n  for (const source of envGraph.sortedDataSources) {\n    // do we care about loading errors from disabled sources?\n    // if (source.disabled) continue;\n\n    // console.log(source);\n\n    // TODO: use a formatting helper to show the error - which will include location/stack/etc appropriately\n    if (source.loadingError) {\n      console.log(`🚨 Error encountered while loading ${source.label}`);\n      console.log(source.loadingError.message);\n\n      // Check if the error has a location property (like EnvSourceParseError)\n      if ('location' in source.loadingError) {\n        console.log((source.loadingError as EnvSourceParseError).location);\n\n        const errLoc = (source.loadingError as EnvSourceParseError).location;\n\n        const errPreview = [\n          errLoc.lineStr,\n          `${ansis.gray('-'.repeat(errLoc.colNumber - 1))}${ansis.red('^')}`,\n        ].join('\\n');\n\n        console.log('Error parsing .env file');\n        console.log(` ${errLoc.path}:${errLoc.lineNumber}:${errLoc.colNumber}`);\n        console.log(errPreview);\n      }\n\n      return gracefulExit(1);\n    }\n  }\n\n  // now we check for any schema errors - where something about how things are wired up is invalid\n  // NOTE - we should not have run any resolution yet\n  // TODO: make sure we are calling this before attempting to resolve values\n  // const failingItems = _.filter(_.values(envGraph.configSchema), (item) => item.validationState === 'error');\n  // if (failingItems.length > 0) {\n  //   throw new CliExitError('Schema is currently invalid');\n  // }\n}\n\nexport class InvalidEnvError extends Error {\n  constructor() {\n    super('Resolved config/env did not pass validation');\n  }\n  getFormattedOutput() {\n    return `\\n💥 ${ansis.red(this.message)} 💥\\n`;\n  }\n}\n\nexport function checkForConfigErrors(envGraph: EnvGraph, opts?: {\n  showAll?: boolean\n}) {\n  const failingItems = _.filter(_.values(envGraph.configSchema), (item: ConfigItem) => item.validationState === 'error');\n\n  // TODO: use service.isValid?\n  if (failingItems.length > 0) {\n    console.log(`\\n🚨 🚨 🚨  ${ansis.bold.underline('Configuration is currently invalid ')}  🚨 🚨 🚨\\n`);\n    console.log('Invalid items:\\n');\n\n    _.each(failingItems, (item: ConfigItem) => {\n      console.log(getItemSummary(item));\n      console.log();\n    });\n    if (opts?.showAll) {\n      console.log();\n      console.log(joinAndCompact([\n        'Valid items:',\n        ansis.italic.gray('(remove `--show-all` flag to hide)'),\n      ]));\n      console.log();\n      const validItems = _.filter(_.values(envGraph.configSchema), (i: ConfigItem) => !!i.isValid);\n      _.each(validItems, (item: ConfigItem) => {\n        console.log(getItemSummary(item));\n      });\n    }\n\n    throw new InvalidEnvError();\n  }\n}\n","import { loadEnvGraph } from '../../env-graph';\n\nexport async function loadVarlockEnvGraph(opts?: {\n  currentEnvFallback?: string,\n}) {\n  const envGraph = await loadEnvGraph({\n    ...opts,\n    afterInit: async (_g) => {\n      // TODO: register varlock resolver\n    },\n  });\n\n  return envGraph;\n}\n"]}

package/dist/{chunk-POJECYSY.js → chunk-7JMYT62X.js}

@@ -19,7 +19,7 @@ function patchGlobalServerResponse(opts) {
   ServerResponse.prototype.write = /* @__PURE__ */ __name(function varlockPatchedServerResponseWrite(...args) {
     const rawChunk = args[0];
     const contentType = this.getHeader("content-type")?.toString() || "";
-    let runScan = contentType.startsWith("text/") || contentType.startsWith("application/json");
+    let runScan = contentType.startsWith("text/") || contentType.startsWith("application/json") || !contentType && typeof rawChunk === "string";
     const reqUrl = this.req.url;
     if (runScan && reqUrl && opts?.ignoreUrlPatterns?.some((pattern) => pattern.test(reqUrl))) {
       runScan = false;
@@ -88,5 +88,5 @@ function patchGlobalServerResponse(opts) {
 __name(patchGlobalServerResponse, "patchGlobalServerResponse");
 
 export { patchGlobalServerResponse };
-//# sourceMappingURL=chunk-POJECYSY.js.map
-//# sourceMappingURL=chunk-POJECYSY.js.map
+//# sourceMappingURL=chunk-7JMYT62X.js.map
+//# sourceMappingURL=chunk-7JMYT62X.js.map

package/dist/chunk-7JMYT62X.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/runtime/patch-server-response.ts"],"names":[],"mappings":";;;;;AAUA,IAAM,UAAA,GAAa,mBAAA;AACZ,SAAS,0BAA0B,IAAA,EAGvC;AACD,EAAA,KAAA,CAAM,6CAAmC,CAAA;AACzC,EAAA,IAAI,MAAA,CAAO,wBAAA,CAAyB,cAAA,CAAe,SAAA,EAAW,UAAU,CAAA,EAAG;AACzE,IAAA,KAAA,CAAM,mBAAmB,CAAA;AACzB,IAAA;AAAA,EACF;AACA,EAAA,IAAI,eAAA,CAAgB,iBAAiB,KAAA,EAAO;AAC1C,IAAA,KAAA,CAAM,wBAAwB,CAAA;AAC9B,IAAA;AAAA,EACF;AAEA,EAAA,MAAA,CAAO,eAAe,cAAA,CAAe,SAAA,EAAW,YAAY,EAAE,KAAA,EAAO,MAAM,CAAA;AAE3E,EAAA,MAAM,mBAAA,GAAsB,eAAe,SAAA,CAAU,KAAA;AAGrD,EAAA,cAAA,CAAe,SAAA,CAAU,KAAA,mBAAQ,MAAA,CAAA,SAAS,iCAAA,CAAA,GAAqC,IAAA,EAAM;AAGnF,IAAA,MAAM,QAAA,GAAW,KAAK,CAAC,CAAA;AAKvB,IAAA,MAAM,cAAc,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA,EAAG,UAAS,IAAK,EAAA;AAElE,IAAA,IAAI,OAAA,GACF,WAAA,CAAY,UAAA,CAAW,OAAO,CAAA,IAC3B,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,IACxC,CAAC,WAAA,IAAe,OAAO,QAAA,KAAa,QAAA;AAI1C,IAAA,MAAM,MAAA,GAAU,KAAa,GAAA,CAAI,GAAA;AAEjC,IAAA,IAAI,OAAA,IAAW,MAAA,IAAU,IAAA,EAAM,iBAAA,EAAmB,IAAA,CAAK,CAAC,OAAA,KAAY,OAAA,CAAQ,IAAA,CAAK,MAAM,CAAC,CAAA,EAAG;AACzF,MAAA,OAAA,GAAU,KAAA;AAAA,IACZ;AAIA,IAAA,IAAI,CAAC,OAAA,EAAS;AAEZ,MAAA,OAAO,mBAAA,CAAoB,KAAA,CAAM,IAAA,EAAM,IAAI,CAAA;AAAA,IAC7C;AAGA,IAAA,MAAM,eAAA,GAAkB,IAAA,CAAK,SAAA,CAAU,kBAAkB,CAAA;AACzD,IAAA,IAAI,QAAA;AACJ,IAAA,IAAI,SAAA,GAAkD,IAAA;AACtD,IAAA,IAAI,OAAO,aAAa,QAAA,EAAU;AAChC,MAAA,SAAA,GAAY,QAAA;AACZ,MAAA,QAAA,GAAW,QAAA;AAAA,IACb,CAAA,MAAA,IAAW,CAAC,eAAA,EAAiB;AAC3B,MAAA,SAAA,GAAY,SAAA;AACZ,MAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,MAAA,QAAA,GAAW,OAAA,CAAQ,OAAO,QAAQ,CAAA;AAAA,IACpC,CAAA,MAAA,IAAW,oBAAoB,MAAA,EAAQ;AACrC,MAAA,SAAA,GAAY,MAAA;AAEZ,MAAA,IAAI,CAAE,KAAa,WAAA,EAAa;AAE9B,QAAC,IAAA,CAAa,WAAA,GAAc,CAAC,QAAQ,CAAA;AAAA,MACvC,CAAA,MAAO;AAEL,QAAC,IAAA,CAAa,WAAA,EAAa,IAAA,CAAK,QAAQ,CAAA;AACxC,QAAA,IAAI;AACF,UAAA,MAAM,aAAA,GAAgB,KAAK,SAAA,CAAU,MAAA,CAAO,OAAQ,IAAA,CAAa,WAAA,IAAe,EAAE,CAAA,EAAG;AAAA,YACnF,KAAA,EAAO,KAAK,SAAA,CAAU,YAAA;AAAA,YACtB,WAAA,EAAa,KAAK,SAAA,CAAU;AAAA,WAC7B,CAAA;AACD,UAAA,MAAM,gBAAA,GAAmB,aAAA,CAAc,QAAA,CAAS,OAAO,CAAA;AACvD,UAAA,QAAA,GAAW,gBAAA,CAAiB,SAAA,CAAW,IAAA,CAAa,kBAAA,IAAsB,CAAC,CAAA;AAC3E,UAAC,IAAA,CAAa,qBAAqB,gBAAA,CAAiB,MAAA;AAAA,QACtD,SAAS,GAAA,EAAK;AAAA,QAEd;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAI,QAAA,EAAU;AAIZ,MAAA,IAAI;AACF,QAAA,YAAA,CAAa,QAAA,EAAU,EAAE,MAAA,EAAQ,8BAAA,EAAgC,MAAO,IAAA,CAAa,GAAA,CAAI,KAAK,CAAA;AAAA,MAChG,SAAS,GAAA,EAAK;AAGZ,QAAA,IAAI,MAAM,oBAAA,EAAsB;AAC9B,UAAA,QAAA,GAAW,sBAAsB,QAAQ,CAAA;AACzC,UAAA,IAAI,cAAc,QAAA,EAAU;AAC1B,YAAA,IAAA,CAAK,CAAC,CAAA,GAAI,QAAA;AAAA,UACZ,CAAA,MAAA,IAAW,cAAc,SAAA,EAAW;AAClC,YAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,YAAA,IAAA,CAAK,CAAC,CAAA,GAAI,OAAA,CAAQ,MAAA,CAAO,QAAQ,CAAA;AAAA,UACnC,CAAA,MAAA,IAAW,cAAc,MAAA,EAAQ,CAQjC,MAAO;AACL,YAAA,MAAM,IAAI,KAAA,CAAM,CAAA,qCAAA,EAAwC,SAAS,CAAA,CAAE,CAAA;AAAA,UACrE;AAAA,QACF,CAAA,MAAO;AACL,UAAA,MAAM,GAAA;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAGA,IAAA,OAAO,mBAAA,CAAoB,KAAA,CAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC7C,CAAA,EAnGiC,mCAAA,CAAA;AAsGjC,EAAA,MAAM,iBAAA,GAAoB,eAAe,SAAA,CAAU,GAAA;AAEnD,EAAA,cAAA,CAAe,SAAA,CAAU,GAAA,mBAAM,MAAA,CAAA,SAAS,wBAAA,CAAA,GAA4B,IAAA,EAAM;AAExE,IAAA,MAAM,QAAA,GAAW,KAAK,CAAC,CAAA;AAEvB,IAAA,IAAI,QAAA,IAAY,OAAO,QAAA,KAAa,QAAA,EAAU;AAE5C,MAAA,YAAA,CAAa,QAAA,EAAU,EAAE,MAAA,EAAQ,4BAAA,EAA8B,CAAA;AAAA,IACjE;AAEA,IAAA,OAAO,iBAAA,CAAkB,KAAA,CAAM,IAAA,EAAM,IAAI,CAAA;AAAA,EAC3C,CAAA,EAV+B,0BAAA,CAAA;AAWjC;AAtIgB,MAAA,CAAA,yBAAA,EAAA,2BAAA,CAAA","file":"chunk-7JMYT62X.js","sourcesContent":["/*\n  This patches the global ServerResponse object to scan for secret leaks - currently used for next.js and remix\n*/\n\nimport zlib from 'node:zlib';\nimport { ServerResponse } from 'node:http';\nimport { redactSensitiveConfig, scanForLeaks, varlockSettings } from './env';\nimport { debug } from './lib/debug';\n\n// NOTE - previously was using a symbol but got weird because of multiple builds and contexts...\nconst patchedKey = '_patchedByVarlock';\nexport function patchGlobalServerResponse(opts?: {\n  ignoreUrlPatterns?: Array<RegExp>,\n  redactInsteadOfThrow?: boolean,\n}) {\n  debug('⚡️ PATCHING global ServerResponse');\n  if (Object.getOwnPropertyDescriptor(ServerResponse.prototype, patchedKey)) {\n    debug('> already patched');\n    return;\n  }\n  if (varlockSettings.preventLeaks === false) {\n    debug('> disabled by settings');\n    return;\n  }\n\n  Object.defineProperty(ServerResponse.prototype, patchedKey, { value: true });\n\n  const serverResponseWrite = ServerResponse.prototype.write;\n\n  // @ts-ignore\n  ServerResponse.prototype.write = function varlockPatchedServerResponseWrite(...args) {\n    // TODO: do we want to filter out some requests here? maybe based on the file type?\n\n    const rawChunk = args[0];\n    // console.log('⚡️ patched ServerResponse.write', rawChunk);\n\n    // for now, we only scan rendered html... may need to change this though for server components?\n    // so we bail if it looks like this response does not contain html\n    const contentType = this.getHeader('content-type')?.toString() || '';\n    // console.log('patched ServerResponse.write', contentType);\n    let runScan = (\n      contentType.startsWith('text/')\n      || contentType.startsWith('application/json')\n      || (!contentType && typeof rawChunk === 'string')\n      // || contentType.startsWith('application/javascript')\n    );\n\n    const reqUrl = (this as any).req.url;\n    // console.log('> scan ServerResponse.write', contentType, reqUrl);\n    if (runScan && reqUrl && opts?.ignoreUrlPatterns?.some((pattern) => pattern.test(reqUrl))) {\n      runScan = false;\n    }\n\n    // we want to run the scanner on text/html and text/x-component (server actions)\n    // TODO: anything else?\n    if (!runScan) {\n      // @ts-ignore\n      return serverResponseWrite.apply(this, args);\n    }\n\n    // have to deal with compressed data, which is awkward but possible\n    const compressionType = this.getHeader('Content-Encoding');\n    let chunkStr;\n    let chunkType: 'string' | 'encoded' | 'gzip' | null = null;\n    if (typeof rawChunk === 'string') {\n      chunkType = 'string';\n      chunkStr = rawChunk;\n    } else if (!compressionType) {\n      chunkType = 'encoded';\n      const decoder = new TextDecoder();\n      chunkStr = decoder.decode(rawChunk);\n    } else if (compressionType === 'gzip') {\n      chunkType = 'gzip';\n      // first chunk of data contains only compression headers\n      if (!(this as any)._zlibChunks) {\n        // (this as any)._zlibHeadersChunk = rawChunk;\n        (this as any)._zlibChunks = [rawChunk];\n      } else {\n        // TODO: figure out how we can unzip one chunk at a time instead of storing everything\n        (this as any)._zlibChunks?.push(rawChunk);\n        try {\n          const unzippedChunk = zlib.unzipSync(Buffer.concat((this as any)._zlibChunks || []), {\n            flush: zlib.constants.Z_SYNC_FLUSH,\n            finishFlush: zlib.constants.Z_SYNC_FLUSH,\n          });\n          const fullUnzippedData = unzippedChunk.toString('utf-8');\n          chunkStr = fullUnzippedData.substring((this as any)._lastChunkEndIndex || 0);\n          (this as any)._lastChunkEndIndex = fullUnzippedData.length;\n        } catch (err) {\n          // console.log('error unzipping chunk', err);\n        }\n      }\n    }\n    // TODO: we may want to support other compression schemes? but currently only used in nextjs which is using gzip\n    if (chunkStr) {\n      // console.log('scanning!', chunkStr.substring(0, 1000));\n\n\n      try {\n        scanForLeaks(chunkStr, { method: 'patched ServerResponse.write', file: (this as any).req.url });\n      } catch (err) {\n        // console.log('found secret in chunk', chunkType, chunkStr);\n        // console.log(this)\n        if (opts?.redactInsteadOfThrow) {\n          chunkStr = redactSensitiveConfig(chunkStr);\n          if (chunkType === 'string') {\n            args[0] = chunkStr;\n          } else if (chunkType === 'encoded') {\n            const encoder = new TextEncoder();\n            args[0] = encoder.encode(chunkStr);\n          } else if (chunkType === 'gzip') {\n            // currently unable to scrub gzip chunks\n            // this works sometimes, but othertimes causes decoding error\n            // we'll need to pass through chunks from a new gzip stream, because we don't have access to the underlying one\n            // args[0] = zlib.gzipSync(chunkStr, {\n            //   flush: zlib.constants.Z_SYNC_FLUSH,\n            //   finishFlush: zlib.constants.Z_SYNC_FLUSH,\n            // });\n          } else {\n            throw new Error(`unable to scrub - unknown chunk type ${chunkType}`);\n          }\n        } else {\n          throw err;\n        }\n      }\n    }\n\n    // @ts-ignore\n    return serverResponseWrite.apply(this, args);\n  };\n\n  // calling `res.json()` in the api routes on pages router calls `res.end` without called `res.write`\n  const serverResponseEnd = ServerResponse.prototype.end;\n  // @ts-ignore\n  ServerResponse.prototype.end = function patchedServerResponseEnd(...args) {\n    // console.log('⚡️ patched ServerResponse.end');\n    const endChunk = args[0];\n    // this just needs to work (so far) for nextjs sending json bodies, so does not need to handle all cases...\n    if (endChunk && typeof endChunk === 'string') {\n      // TODO: currently this throws the error and then things just hang... do we want to try to return an error type response instead?\n      scanForLeaks(endChunk, { method: 'patched ServerResponse.end' });\n    }\n    // @ts-ignore\n    return serverResponseEnd.apply(this, args);\n  };\n}\n\n"]}

package/dist/{chunk-UPKIHHPE.js → chunk-C5BEZMSO.js}

@@ -40,5 +40,5 @@ function unpatchGlobalConsole() {
 __name(unpatchGlobalConsole, "unpatchGlobalConsole");
 
 export { patchGlobalConsole, unpatchGlobalConsole };
-//# sourceMappingURL=chunk-UPKIHHPE.js.map
-//# sourceMappingURL=chunk-UPKIHHPE.js.map
+//# sourceMappingURL=chunk-C5BEZMSO.js.map
+//# sourceMappingURL=chunk-C5BEZMSO.js.map

package/dist/{chunk-UPKIHHPE.js.map → chunk-C5BEZMSO.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/runtime/patch-console.ts"],"names":[],"mappings":";;;;AAWO,SAAS,kBAAA,GAAqB;AACnC,EAAA,KAAA,CAAM,8CAAoC,CAAA;AAC1C,EAAA,IAAK,OAAA,CAAQ,IAAY,iBAAA,EAAmB;AAC1C,IAAA,KAAA,CAAM,mBAAmB,CAAA;AACzB,IAAA;AAAA,EACF;AACA,EAAA,IAAI,eAAA,CAAgB,eAAe,KAAA,EAAO;AACxC,IAAA,KAAA,CAAM,wBAAwB,CAAA;AAC9B,IAAA;AAAA,EACF;AAQA,EAAA,MAAM,qBAAA,GAAwB,MAAA,CAAO,qBAAA,CAAsB,UAAA,CAAW,OAAO,CAAA,CAAE,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,KAAgB,iBAAiB,CAAA;AAG9H,EAAC,UAAA,CAAmB,4BAAA,KAAiC,UAAA,CAAW,OAAA,CAAQ,qBAAqB,CAAA;AAE7F,EAAA,UAAA,CAAW,OAAA,CAAQ,qBAAqB,CAAA,GAAI,WAAY;AACtD,IAAC,UAAA,CAAmB,4BAAA,CAA6B,KAAA,CAAM,IAAA,EAAM;AAAA,MAC3D,UAAU,CAAC,CAAA;AAAA,MACX,qBAAA,CAAsB,SAAA,CAAU,CAAC,CAAC,CAAA;AAAA,MAClC,UAAU,CAAC;AAAA,KACZ,CAAA;AAAA,EACH,CAAA;AAOA,EAAA,KAAA,MAAW,aAAA,IAAiB,CAAC,OAAA,EAAS,OAAA,EAAS,QAAQ,KAAA,EAAO,MAAA,EAAQ,MAAA,EAAQ,OAAO,CAAA,EAAG;AAEtF,IAAA,MAAM,iBAAA,GAAoB,UAAA,CAAW,OAAA,CAAQ,aAAa,CAAA;AAE1D,IAAA,MAAM,4BAAY,MAAA,CAAA,WAAY;AAE5B,MAAA,iBAAA,CAAkB,KAAA,CAAM,MAAM,KAAA,CAAM,IAAA,CAAK,SAAS,CAAA,CAAE,GAAA,CAAI,qBAAqB,CAAC,CAAA;AAAA,IAChF,CAAA,EAHkB,WAAA,CAAA;AAIlB,IAAA,SAAA,CAAU,iBAAA,GAAoB,IAAA;AAG9B,IAAA,UAAA,CAAW,OAAA,CAAQ,aAAa,CAAA,GAAI,SAAA;AAAA,EACtC;AACF;AAhDgB,MAAA,CAAA,kBAAA,EAAA,oBAAA,CAAA;AAuDT,SAAS,oBAAA,GAAuB;AAErC,EAAA,IAAI,CAAE,WAAmB,4BAAA,EAA8B;AAEvD,EAAA,MAAM,qBAAA,GAAwB,MAAA,CAAO,qBAAA,CAAsB,UAAA,CAAW,OAAO,CAAA,CAAE,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,KAAgB,iBAAiB,CAAA;AAE9H,EAAA,UAAA,CAAW,OAAA,CAAQ,qBAAqB,CAAA,GAAK,UAAA,CAAmB,4BAAA;AAChE,EAAA,OAAQ,UAAA,CAAmB,4BAAA;AAC7B;AARgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA","file":"chunk-UPKIHHPE.js","sourcesContent":["/* eslint-disable func-names, no-console, prefer-rest-params */\n\nimport { redactSensitiveConfig, varlockSettings } from './env';\nimport { debug } from './lib/debug';\n\n\n/**\n * patches global console methods to redact sensitive config\n *\n * NOTE - this may not be 100% foolproof depending on the platform\n * */\nexport function patchGlobalConsole() {\n  debug('⚡️ PATCHING global console methods');\n  if ((console.log as any)._varlockPatchedFn) {\n    debug('> already patched');\n    return;\n  }\n  if (varlockSettings.redactLogs === false) {\n    debug('> disabled by settings');\n    return;\n  }\n\n  // our method of patching involves replacing an internal node method which may not be called if console.log itself has also been patched\n  // for example AWS lambdas patches this to write the logs to a file which then is pushed to the rest of their system\n\n  // so first we'll just patch the internal method do deal with normal stdout/stderr logs -------------------------------------\n\n  // we need the internal symbol name to access the internal method\n  const kWriteToConsoleSymbol = Object.getOwnPropertySymbols(globalThis.console).find((s) => s.description === 'kWriteToConsole');\n\n  // @ts-ignore\n  (globalThis as any)._varlockOrigWriteToConsoleFn ||= globalThis.console[kWriteToConsoleSymbol];\n  // @ts-ignore\n  globalThis.console[kWriteToConsoleSymbol] = function () {\n    (globalThis as any)._varlockOrigWriteToConsoleFn.apply(this, [\n      arguments[0],\n      redactSensitiveConfig(arguments[1]),\n      arguments[2],\n    ]);\n  };\n\n  // and now we'll wrap console.log (and the other methods) if it looks like they have been patched already ------------------\n  // NOTE - this will not fully redact from everything since we can't safely reach deep into objects\n  // ideally we would only turn this when the above method does not work, but it's not trivial to detect when it that is the case\n  // so we'll turn it on all the time for now...\n\n  for (const logMethodName of ['trace', 'debug', 'info', 'log', 'info', 'warn', 'error']) {\n    // @ts-ignore\n    const originalLogMethod = globalThis.console[logMethodName];\n\n    const patchedFn = function () {\n      // @ts-ignore\n      originalLogMethod.apply(this, Array.from(arguments).map(redactSensitiveConfig));\n    };\n    patchedFn._varlockPatchedFn = true;\n\n    // @ts-ignore\n    globalThis.console[logMethodName] = patchedFn;\n  }\n}\n\n/**\n * restore's original global console methods to stop redacting secrets\n *\n * (only needed during local development when switching settings on/off in a process that does not reload)\n * */\nexport function unpatchGlobalConsole() {\n  // we'll only care about the normal case where console.log has NOT been patched by something else... (see above)\n  if (!(globalThis as any)._varlockOrigWriteToConsoleFn) return;\n\n  const kWriteToConsoleSymbol = Object.getOwnPropertySymbols(globalThis.console).find((s) => s.description === 'kWriteToConsole');\n  // @ts-ignore\n  globalThis.console[kWriteToConsoleSymbol] = (globalThis as any)._varlockOrigWriteToConsoleFn;\n  delete (globalThis as any)._varlockOrigWriteToConsoleFn;\n}\n\n// ---\n\n// patchGlobalConsole();\n"]}
+{"version":3,"sources":["../src/runtime/patch-console.ts"],"names":[],"mappings":";;;;AAWO,SAAS,kBAAA,GAAqB;AACnC,EAAA,KAAA,CAAM,8CAAoC,CAAA;AAC1C,EAAA,IAAK,OAAA,CAAQ,IAAY,iBAAA,EAAmB;AAC1C,IAAA,KAAA,CAAM,mBAAmB,CAAA;AACzB,IAAA;AAAA,EACF;AACA,EAAA,IAAI,eAAA,CAAgB,eAAe,KAAA,EAAO;AACxC,IAAA,KAAA,CAAM,wBAAwB,CAAA;AAC9B,IAAA;AAAA,EACF;AAQA,EAAA,MAAM,qBAAA,GAAwB,MAAA,CAAO,qBAAA,CAAsB,UAAA,CAAW,OAAO,CAAA,CAAE,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,KAAgB,iBAAiB,CAAA;AAG9H,EAAC,UAAA,CAAmB,4BAAA,KAAiC,UAAA,CAAW,OAAA,CAAQ,qBAAqB,CAAA;AAE7F,EAAA,UAAA,CAAW,OAAA,CAAQ,qBAAqB,CAAA,GAAI,WAAY;AACtD,IAAC,UAAA,CAAmB,4BAAA,CAA6B,KAAA,CAAM,IAAA,EAAM;AAAA,MAC3D,UAAU,CAAC,CAAA;AAAA,MACX,qBAAA,CAAsB,SAAA,CAAU,CAAC,CAAC,CAAA;AAAA,MAClC,UAAU,CAAC;AAAA,KACZ,CAAA;AAAA,EACH,CAAA;AAOA,EAAA,KAAA,MAAW,aAAA,IAAiB,CAAC,OAAA,EAAS,OAAA,EAAS,QAAQ,KAAA,EAAO,MAAA,EAAQ,MAAA,EAAQ,OAAO,CAAA,EAAG;AAEtF,IAAA,MAAM,iBAAA,GAAoB,UAAA,CAAW,OAAA,CAAQ,aAAa,CAAA;AAE1D,IAAA,MAAM,4BAAY,MAAA,CAAA,WAAY;AAE5B,MAAA,iBAAA,CAAkB,KAAA,CAAM,MAAM,KAAA,CAAM,IAAA,CAAK,SAAS,CAAA,CAAE,GAAA,CAAI,qBAAqB,CAAC,CAAA;AAAA,IAChF,CAAA,EAHkB,WAAA,CAAA;AAIlB,IAAA,SAAA,CAAU,iBAAA,GAAoB,IAAA;AAG9B,IAAA,UAAA,CAAW,OAAA,CAAQ,aAAa,CAAA,GAAI,SAAA;AAAA,EACtC;AACF;AAhDgB,MAAA,CAAA,kBAAA,EAAA,oBAAA,CAAA;AAuDT,SAAS,oBAAA,GAAuB;AAErC,EAAA,IAAI,CAAE,WAAmB,4BAAA,EAA8B;AAEvD,EAAA,MAAM,qBAAA,GAAwB,MAAA,CAAO,qBAAA,CAAsB,UAAA,CAAW,OAAO,CAAA,CAAE,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,KAAgB,iBAAiB,CAAA;AAE9H,EAAA,UAAA,CAAW,OAAA,CAAQ,qBAAqB,CAAA,GAAK,UAAA,CAAmB,4BAAA;AAChE,EAAA,OAAQ,UAAA,CAAmB,4BAAA;AAC7B;AARgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA","file":"chunk-C5BEZMSO.js","sourcesContent":["/* eslint-disable func-names, no-console, prefer-rest-params */\n\nimport { redactSensitiveConfig, varlockSettings } from './env';\nimport { debug } from './lib/debug';\n\n\n/**\n * patches global console methods to redact sensitive config\n *\n * NOTE - this may not be 100% foolproof depending on the platform\n * */\nexport function patchGlobalConsole() {\n  debug('⚡️ PATCHING global console methods');\n  if ((console.log as any)._varlockPatchedFn) {\n    debug('> already patched');\n    return;\n  }\n  if (varlockSettings.redactLogs === false) {\n    debug('> disabled by settings');\n    return;\n  }\n\n  // our method of patching involves replacing an internal node method which may not be called if console.log itself has also been patched\n  // for example AWS lambdas patches this to write the logs to a file which then is pushed to the rest of their system\n\n  // so first we'll just patch the internal method do deal with normal stdout/stderr logs -------------------------------------\n\n  // we need the internal symbol name to access the internal method\n  const kWriteToConsoleSymbol = Object.getOwnPropertySymbols(globalThis.console).find((s) => s.description === 'kWriteToConsole');\n\n  // @ts-ignore\n  (globalThis as any)._varlockOrigWriteToConsoleFn ||= globalThis.console[kWriteToConsoleSymbol];\n  // @ts-ignore\n  globalThis.console[kWriteToConsoleSymbol] = function () {\n    (globalThis as any)._varlockOrigWriteToConsoleFn.apply(this, [\n      arguments[0],\n      redactSensitiveConfig(arguments[1]),\n      arguments[2],\n    ]);\n  };\n\n  // and now we'll wrap console.log (and the other methods) if it looks like they have been patched already ------------------\n  // NOTE - this will not fully redact from everything since we can't safely reach deep into objects\n  // ideally we would only turn this when the above method does not work, but it's not trivial to detect when it that is the case\n  // so we'll turn it on all the time for now...\n\n  for (const logMethodName of ['trace', 'debug', 'info', 'log', 'info', 'warn', 'error']) {\n    // @ts-ignore\n    const originalLogMethod = globalThis.console[logMethodName];\n\n    const patchedFn = function () {\n      // @ts-ignore\n      originalLogMethod.apply(this, Array.from(arguments).map(redactSensitiveConfig));\n    };\n    patchedFn._varlockPatchedFn = true;\n\n    // @ts-ignore\n    globalThis.console[logMethodName] = patchedFn;\n  }\n}\n\n/**\n * restore's original global console methods to stop redacting secrets\n *\n * (only needed during local development when switching settings on/off in a process that does not reload)\n * */\nexport function unpatchGlobalConsole() {\n  // we'll only care about the normal case where console.log has NOT been patched by something else... (see above)\n  if (!(globalThis as any)._varlockOrigWriteToConsoleFn) return;\n\n  const kWriteToConsoleSymbol = Object.getOwnPropertySymbols(globalThis.console).find((s) => s.description === 'kWriteToConsole');\n  // @ts-ignore\n  globalThis.console[kWriteToConsoleSymbol] = (globalThis as any)._varlockOrigWriteToConsoleFn;\n  delete (globalThis as any)._varlockOrigWriteToConsoleFn;\n}\n"]}

package/dist/{chunk-MHDV65DI.js → chunk-EQQCW3OI.js}

@@ -1,10 +1,9 @@
-import { detectJsPackageManager, logLines, fmt, pathExists, installJsDependency } from './chunk-52FLZJCQ.js';
+import { detectJsPackageManager, logLines, fmt, installJsDependency } from './chunk-OJFTFBQG.js';
 import { define } from './chunk-33ROL4J5.js';
-import { loadVarlockEnvGraph } from './chunk-Y2EGAWAH.js';
-import { StaticValueResolver, DotEnvFileDataSource, gracefulExit, checkIsFileGitIgnored, ansis_default } from './chunk-NXAXPMO5.js';
+import { tryCatch, gracefulExit, checkIsFileGitIgnored, ansis_default, pathExists } from './chunk-FCVBOYES.js';
 import { __commonJS, __name, __toESM } from './chunk-XN24GZXQ.js';
-import path from 'path';
-import fs2 from 'fs/promises';
+import path2 from 'path';
+import fs3 from 'fs/promises';
 import 'util';
 import y2, { stdin, stdout } from 'process';
 import O from 'readline';
@@ -940,55 +939,70 @@ function inferSchemaUpdates(file) {
   }
 }
 __name(inferSchemaUpdates, "inferSchemaUpdates");
-function ensureAllItemsExist(envGraph, schemaFile) {
+function ensureAllItemsExist(schemaFile, otherFiles) {
   const addedItemKeys = [];
-  for (const itemKey in envGraph.configSchema) {
-    const item = envGraph.configSchema[itemKey];
-    const itemInSchema = schemaFile.configItems.find((i) => i.key === itemKey);
-    if (!itemInSchema) {
+  for (const otherFile of otherFiles) {
+    for (const item of otherFile.parsedFile.configItems) {
+      const itemInSchema = schemaFile.configItems.find((i) => i.key === item.key);
+      if (itemInSchema) continue;
       if (addedItemKeys.length === 0) {
         envSpecUpdater.injectFromStr(schemaFile, [
           "",
           "# items added to schema by `varlock init`",
-          "# that were missing in example, but detected in other env files",
+          "# that were missing in example, but detected in other .env files",
           "# PLEASE REVIEW THESE!",
           "# ---",
           ""
         ].join("\n"), { location: "end" });
       }
-      addedItemKeys.push(itemKey);
-      envSpecUpdater.injectFromStr(schemaFile, [`${itemKey}=`].join("\n"));
-      const itemValue = item.valueResolver instanceof StaticValueResolver && item.valueResolver.staticValue || "";
-      inferItemDecorators(schemaFile, itemKey, String(itemValue));
+      addedItemKeys.push(item.key);
+      envSpecUpdater.injectFromStr(schemaFile, `${item.key}=`);
+      const itemValue = item.value instanceof ParsedEnvSpecStaticValue && item.value.value?.toString() || "";
+      inferItemDecorators(schemaFile, item.key, String(itemValue));
     }
   }
 }
 __name(ensureAllItemsExist, "ensureAllItemsExist");
-async function detectRedundantValues(envGraph, opts = {}) {
-  const schema = envGraph.schemaDataSource;
-  if (!schema) return {};
+async function detectRedundantValues(schemaFile, otherFiles, opts = {}) {
   const redundantItemsBySourcePath = {};
-  const schemaValues = schema.getStaticValues();
-  for (const source of envGraph.dataSources) {
-    if (source === schema) continue;
-    if (source.type === "example") continue;
-    if (!(source instanceof DotEnvFileDataSource) || !source.parsedFile) continue;
-    const sourceValues = source.getStaticValues();
-    for (const [key, value] of Object.entries(sourceValues)) {
-      if (schemaValues[key] !== value) continue;
-      redundantItemsBySourcePath[source.fullPath] ||= [];
-      redundantItemsBySourcePath[source.fullPath].push(key);
+  const schemaValues = schemaFile.toSimpleObj();
+  for (const otherFile of Object.values(otherFiles)) {
+    if (otherFile.fileName.startsWith(".env.schema") || otherFile.fileName.startsWith(".env.example") || otherFile.fileName.startsWith(".env.sample") || otherFile.fileName.startsWith(".env.default")) continue;
+    const otherFileValues = otherFile.parsedFile.toSimpleObj();
+    for (const itemKey in otherFileValues) {
+      if (!(itemKey in schemaValues)) continue;
+      if (otherFileValues[itemKey] !== schemaValues[itemKey]) continue;
+      redundantItemsBySourcePath[otherFile.fullPath] ||= [];
+      redundantItemsBySourcePath[otherFile.fullPath].push(itemKey);
       if (opts.delete) {
-        envSpecUpdater.deleteItem(source.parsedFile, key);
+        envSpecUpdater.deleteItem(otherFile.parsedFile, itemKey);
       }
     }
     if (opts.delete) {
-      await fs2.writeFile(source.fullPath, source.parsedFile.toString(), "utf8");
+      await fs3.writeFile(otherFile.fullPath, otherFile.parsedFile.toString(), "utf8");
     }
   }
   return redundantItemsBySourcePath;
 }
 __name(detectRedundantValues, "detectRedundantValues");
+var SKIP_FILE_TYPES = [".md", ".d.ts"];
+async function findEnvFiles(opts) {
+  const cwd = opts?.cwd || process.cwd();
+  const envFiles = [];
+  const filesWithinDir = await fs3.readdir(cwd);
+  for (const fileName of filesWithinDir) {
+    if (fileName === ".env" || fileName.startsWith(".env.")) {
+      let skip = false;
+      for (const fileType of SKIP_FILE_TYPES) {
+        if (fileName.endsWith(fileType)) skip = true;
+      }
+      if (skip) continue;
+      envFiles.push(path2.join(cwd, fileName));
+    }
+  }
+  return envFiles;
+}
+__name(findEnvFiles, "findEnvFiles");
 
 // src/cli/commands/init.command.ts
 var commandSpec = define({
@@ -999,10 +1013,28 @@ var commandSpec = define({
 var commandFn = /* @__PURE__ */ __name(async (ctx) => {
   const jsPackageManager = detectJsPackageManager();
   console.log("\u{1F9D9} Hello and welcome to Varlock \u{1F512}\u{1F525}\u2728");
-  let envGraph = await loadVarlockEnvGraph();
-  const existingSchemaFile = envGraph.dataSources.find((dataSource) => {
-    return dataSource.type === "schema";
-  });
+  const envFilePaths = await findEnvFiles();
+  const parsedEnvFiles = {};
+  for (const filePath of envFilePaths) {
+    const fileContents = await fs3.readFile(filePath, "utf-8");
+    const fileName = path2.basename(filePath);
+    const parsedFile = await tryCatch(async () => parseEnvSpecDotEnvFile(fileContents), () => {
+      logLines([
+        "",
+        `Unable to parse ${fmt.filePath(filePath)}`,
+        "This file will be skipped."
+      ]);
+    });
+    if (!parsedFile) {
+      continue;
+    }
+    parsedEnvFiles[fileName] = {
+      fileName,
+      fullPath: filePath,
+      parsedFile
+    };
+  }
+  const existingSchemaFile = parsedEnvFiles[".env.schema"];
   if (existingSchemaFile) {
     logLines([
       `It looks like you already have a ${fmt.fileName(".env.schema")} file \u{1F389}`,
@@ -1011,45 +1043,45 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
       "See more docs at https://varlock.dev/guides/schema"
     ]);
   } else {
-    let exampleFileToConvert = null;
-    const allExampleFiles = envGraph.dataSources.filter((dataSource) => {
-      return dataSource instanceof DotEnvFileDataSource && dataSource.type === "example";
+    const allExampleFileNames = Object.keys(parsedEnvFiles).filter((fileName) => {
+      return fileName.startsWith(".env.example") || fileName.startsWith(".env.sample");
     });
-    if (allExampleFiles.length === 1) {
-      exampleFileToConvert = allExampleFiles[0];
-    } else if (allExampleFiles.length > 1) {
+    let exampleFileToConvert;
+    if (allExampleFileNames.length === 1) {
+      exampleFileToConvert = parsedEnvFiles[allExampleFileNames[0]];
+    } else if (allExampleFileNames.length > 1) {
       console.log("");
       const selectedExample = await ve({
         message: `We detected more than one example .env file. Which one should we use to create your new ${fmt.fileName(".env.schema")}?`,
-        options: allExampleFiles.map((file) => ({
-          label: file.fileName,
-          value: file
+        options: allExampleFileNames.map((fileName) => ({
+          label: fileName,
+          value: parsedEnvFiles[fileName]
         }))
       });
       if (pD(selectedExample)) return gracefulExit(0);
       exampleFileToConvert = selectedExample;
     }
-    const parsedEnvFile = exampleFileToConvert?.parsedFile || parseEnvSpecDotEnvFile("");
-    if (!parsedEnvFile) throw new Error("No parsed .env file found");
-    envSpecUpdater.ensureHeader(parsedEnvFile, [
+    const parsedEnvSchemaFile = exampleFileToConvert?.parsedFile || parseEnvSpecDotEnvFile("");
+    if (!parsedEnvSchemaFile) throw new Error("expected parsed .env example file");
+    envSpecUpdater.ensureHeader(parsedEnvSchemaFile, [
       "This env file uses @env-spec - see https://varlock.dev/env-spec for more info",
       ""
       // TODO: add env spec version? real links?
     ].join("\n"));
-    envSpecUpdater.setRootDecorator(parsedEnvFile, "defaultRequired", "false", { explicitTrue: true });
-    envSpecUpdater.setRootDecorator(parsedEnvFile, "defaultSensitive", "false", { explicitTrue: true });
-    envSpecUpdater.setRootDecorator(parsedEnvFile, "generateTypes", "lang=ts, path=env.d.ts", { bareFnArgs: true });
-    envSpecUpdater.injectFromStr(parsedEnvFile, [
+    envSpecUpdater.setRootDecorator(parsedEnvSchemaFile, "defaultRequired", "infer", { explicitTrue: true });
+    envSpecUpdater.setRootDecorator(parsedEnvSchemaFile, "defaultSensitive", "false", { explicitTrue: true });
+    envSpecUpdater.setRootDecorator(parsedEnvSchemaFile, "generateTypes", "lang=ts, path=env.d.ts", { bareFnArgs: true });
+    envSpecUpdater.injectFromStr(parsedEnvSchemaFile, [
       "",
       "# example env variable injected by `varlock init` \u26A0\uFE0F DELETE THIS ITEM! \u26A0\uFE0F",
       '# @required @sensitive @example="example value"',
       'EXAMPLE_ITEM="delete me!"',
       ""
     ].join("\n"), { location: "after_header" });
-    inferSchemaUpdates(parsedEnvFile);
-    ensureAllItemsExist(envGraph, parsedEnvFile);
-    const schemaFilePath = path.join(process.cwd(), ".env.schema");
-    await fs2.writeFile(schemaFilePath, parsedEnvFile.toString());
+    inferSchemaUpdates(parsedEnvSchemaFile);
+    ensureAllItemsExist(parsedEnvSchemaFile, Object.values(parsedEnvFiles));
+    const schemaFilePath = path2.join(process.cwd(), ".env.schema");
+    await fs3.writeFile(schemaFilePath, parsedEnvSchemaFile.toString());
     if (exampleFileToConvert) {
       logLines([
         "",
@@ -1065,7 +1097,7 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
     }
     if (await checkIsFileGitIgnored(schemaFilePath)) {
       logLines([ansis_default.dim(`(and updated ${fmt.fileName(".gitignore")} to ensure it will be tracked by git)`)]);
-      await fs2.appendFile(".gitignore", "\n!.env.schema");
+      await fs3.appendFile(".gitignore", "\n!.env.schema");
     }
     logLines([
       "",
@@ -1084,8 +1116,8 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
       message: `Have you reviewed and updated your new ${fmt.fileName(".env.schema")} file?`
     });
     if (pD(confirmReviewed)) return gracefulExit(0);
-    envGraph = await loadVarlockEnvGraph();
-    if (envGraph.configSchema.EXAMPLE_ITEM) {
+    const reloadedSchemaFile = await parseEnvSpecDotEnvFile(await fs3.readFile(schemaFilePath, "utf-8"));
+    if (reloadedSchemaFile.configItems.find((i) => i.key === "EXAMPLE_ITEM")) {
       logLines([
         "",
         ansis_default.bold(`\u{1F6A8} Really? ${ansis_default.red("You didn't remove the EXAMPLE_ITEM!")}`),
@@ -1098,20 +1130,20 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
       });
       if (pD(confirmDeleteExample)) return gracefulExit(0);
       if (confirmDeleteExample) {
-        await fs2.unlink(exampleFileToConvert.fullPath);
+        await fs3.unlink(exampleFileToConvert.fullPath);
       }
     }
-    const defaultsFile = envGraph.dataSources.find((dataSource) => {
-      return dataSource instanceof DotEnvFileDataSource && dataSource.type === "defaults";
+    const defaultsFile = Object.values(parsedEnvFiles).find((f) => {
+      return f.fileName.startsWith(".env.default");
     });
     if (defaultsFile) {
       logLines([
         "",
         `\u{1F6A7} We detected a ${fmt.fileName(defaultsFile.fileName)} file in your project`,
-        `You should migrate these default values into ${fmt.fileName(".env.schema")} and delete ${fmt.fileName(defaultsFile.fileName)}`
+        `You should migrate these default values into ${fmt.fileName(".env.schema")} and delete it.`
       ]);
     }
-    const redundantInfo = await detectRedundantValues(envGraph);
+    const redundantInfo = await detectRedundantValues(parsedEnvSchemaFile, parsedEnvFiles);
     if (Object.keys(redundantInfo).length > 0) {
       logLines([
         "",
@@ -1126,7 +1158,7 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
       });
       if (pD(confirmDeleteRedundant)) return gracefulExit(0);
       if (confirmDeleteRedundant) {
-        await detectRedundantValues(envGraph, { delete: true });
+        await detectRedundantValues(parsedEnvSchemaFile, parsedEnvFiles, { delete: true });
       }
     }
     logLines([
@@ -1140,7 +1172,7 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
       ""
     ]);
   }
-  if (jsPackageManager && await pathExists(path.join(process.cwd(), "package.json"))) {
+  if (jsPackageManager && await pathExists(path2.join(process.cwd(), "package.json"))) {
     const installResult = installJsDependency({
       packageManager: jsPackageManager.name,
       packageName: "varlock"
@@ -1155,5 +1187,5 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
 }, "commandFn");
 
 export { commandFn, commandSpec };
-//# sourceMappingURL=chunk-MHDV65DI.js.map
-//# sourceMappingURL=chunk-MHDV65DI.js.map
+//# sourceMappingURL=chunk-EQQCW3OI.js.map
+//# sourceMappingURL=chunk-EQQCW3OI.js.map