varlock 0.0.2 → 0.0.3

package/dist/chunk-7QXRUUDC.js

@@ -0,0 +1,137 @@
+import { redactString } from './chunk-FGMXIEFA.js';
+import { __name } from './chunk-XN24GZXQ.js';
+
+// src/runtime/env.ts
+function isString(s) {
+  return Object.prototype.toString.call(s) === "[object String]";
+}
+__name(isString, "isString");
+var UNMASK_STR = "\u{1F441}";
+var sensitiveSecretsMap = {};
+var redactorFindReplace;
+function resetRedactionMap(graph) {
+  sensitiveSecretsMap = {};
+  for (const itemKey in graph.config) {
+    const item = graph.config[itemKey];
+    if (item.isSensitive && item.value && isString(item.value)) {
+      const redacted = redactString(item.value);
+      if (redacted) sensitiveSecretsMap[item.value] = { key: itemKey, redacted };
+    }
+  }
+  const findRegex = new RegExp(
+    [
+      `(${UNMASK_STR} )?`,
+      "(",
+      Object.keys(sensitiveSecretsMap).map((s) => s.replace(/[()[\]{}*+?^$|#.,/\\\s-]/g, "\\$&")).sort((a, b) => b.length - a.length).join("|"),
+      ")",
+      `( ${UNMASK_STR})?`
+    ].join(""),
+    "g"
+  );
+  const replaceFn = /* @__PURE__ */ __name((match, pre, val, post) => {
+    if (pre && post) return match;
+    return sensitiveSecretsMap[val].redacted;
+  }, "replaceFn");
+  redactorFindReplace = { find: findRegex, replace: replaceFn };
+}
+__name(resetRedactionMap, "resetRedactionMap");
+function redactSensitiveConfig(o) {
+  if (!redactorFindReplace) return o;
+  if (!o) return o;
+  if (Array.isArray(o)) {
+    return o.map(redactSensitiveConfig);
+  }
+  if (o && typeof o === "object" && Object.getPrototypeOf(o) === Object.prototype) {
+    try {
+      return JSON.parse(redactSensitiveConfig(JSON.stringify(o)));
+    } catch (err) {
+      return o;
+    }
+  }
+  const type = typeof o;
+  if (type === "string" || type === "object" && Object.prototype.toString.call(o) === "[object String]") {
+    return o.replaceAll(redactorFindReplace.find, redactorFindReplace.replace);
+  }
+  return o;
+}
+__name(redactSensitiveConfig, "redactSensitiveConfig");
+function revealSensitiveConfig(secretStr) {
+  if (!globalThis._varlockOrigWriteToConsoleFn) return secretStr;
+  return `${UNMASK_STR} ${secretStr} ${UNMASK_STR}`;
+}
+__name(revealSensitiveConfig, "revealSensitiveConfig");
+function scanForLeaks(toScan, meta) {
+  function scanStrForLeaks(strToScan) {
+    for (const sensitiveValue in sensitiveSecretsMap) {
+      if (strToScan.includes(sensitiveValue)) {
+        const itemKey = sensitiveSecretsMap[sensitiveValue].key;
+        console.error([
+          "",
+          `\u{1F6A8} ${"DETECTED LEAKED SENSITIVE CONFIG"} \u{1F6A8}`,
+          `> Config item key: ${itemKey}`,
+          ...meta?.method ? [`> Scan method: ${meta.method}`] : [],
+          ...meta?.file ? [`> File: ${meta.file}`] : [],
+          ""
+        ].join("\n"));
+        throw new Error(`\u{1F6A8} DETECTED LEAKED SENSITIVE CONFIG - ${itemKey}`);
+      }
+    }
+  }
+  __name(scanStrForLeaks, "scanStrForLeaks");
+  if (isString(toScan)) {
+    scanStrForLeaks(toScan);
+    return toScan;
+  } else if (toScan instanceof Buffer) {
+    scanStrForLeaks(toScan.toString());
+    return toScan;
+  } else if (toScan instanceof ReadableStream) {
+    if (toScan.locked) {
+      return toScan;
+    }
+    const chunkDecoder = new TextDecoder();
+    return toScan.pipeThrough(
+      new TransformStream({
+        transform(chunk, controller) {
+          const chunkStr = chunkDecoder.decode(chunk);
+          scanStrForLeaks(chunkStr);
+          controller.enqueue(chunk);
+        }
+      })
+    );
+  }
+  return toScan;
+}
+__name(scanForLeaks, "scanForLeaks");
+var initializedEnv = false;
+var envValues = {};
+var varlockSettings = {};
+function initVarlockEnv(opts) {
+  try {
+    const serializedEnvData = JSON.parse(process.env.__VARLOCK_ENV || "{}");
+    Object.assign(varlockSettings, serializedEnvData.settings);
+    resetRedactionMap(serializedEnvData);
+    for (const itemKey in serializedEnvData.config) {
+      const itemValue = serializedEnvData.config[itemKey].value;
+      envValues[itemKey] = itemValue;
+      if (opts?.setProcessEnv !== false && itemValue !== void 0) process.env[itemKey] = String(itemValue);
+    }
+  } catch (err) {
+    console.error("failed to load varlock env", err, process.env.__VARLOCK_ENV);
+  }
+  initializedEnv = true;
+}
+__name(initVarlockEnv, "initVarlockEnv");
+if (process.env.__VARLOCK_ENV && !initializedEnv) {
+  initVarlockEnv({ setProcessEnv: false });
+}
+var EnvProxy = new Proxy({}, {
+  get(target, prop) {
+    if (typeof prop !== "string") throw new Error("prop keys cannot be symbols");
+    return envValues[prop];
+  }
+});
+var ENV = EnvProxy;
+
+export { ENV, initVarlockEnv, redactSensitiveConfig, resetRedactionMap, revealSensitiveConfig, scanForLeaks, varlockSettings };
+//# sourceMappingURL=chunk-7QXRUUDC.js.map
+//# sourceMappingURL=chunk-7QXRUUDC.js.map

package/dist/chunk-7QXRUUDC.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/runtime/env.ts"],"names":[],"mappings":";;;;AASA,SAAS,SAAS,CAAQ,EAAA;AACxB,EAAA,OAAO,MAAO,CAAA,SAAA,CAAU,QAAS,CAAA,IAAA,CAAK,CAAC,CAAM,KAAA,iBAAA;AAC/C;AAFS,MAAA,CAAA,QAAA,EAAA,UAAA,CAAA;AAIT,IAAM,UAAa,GAAA,WAAA;AAInB,IAAI,sBAAyE,EAAC;AAG9E,IAAI,mBAAA;AAEG,SAAS,kBAAkB,KAA2B,EAAA;AAE3D,EAAA,mBAAA,GAAsB,EAAC;AACvB,EAAW,KAAA,MAAA,OAAA,IAAW,MAAM,MAAQ,EAAA;AAClC,IAAM,MAAA,IAAA,GAAO,KAAM,CAAA,MAAA,CAAO,OAAO,CAAA;AACjC,IAAA,IAAI,KAAK,WAAe,IAAA,IAAA,CAAK,SAAS,QAAS,CAAA,IAAA,CAAK,KAAK,CAAG,EAAA;AAE1D,MAAM,MAAA,QAAA,GAAW,YAAa,CAAA,IAAA,CAAK,KAAK,CAAA;AACxC,MAAI,IAAA,QAAA,sBAA8B,IAAK,CAAA,KAAK,IAAI,EAAE,GAAA,EAAK,SAAS,QAAS,EAAA;AAAA;AAC3E;AAIF,EAAA,MAAM,YAAY,IAAI,MAAA;AAAA,IACpB;AAAA,MACE,IAAI,UAAU,CAAA,GAAA,CAAA;AAAA,MACd,GAAA;AAAA,MACA,MAAA,CAAO,KAAK,mBAAmB,CAAA,CAE5B,IAAI,CAAC,CAAA,KAAM,CAAE,CAAA,OAAA,CAAQ,2BAA6B,EAAA,MAAM,CAAC,CAEzD,CAAA,IAAA,CAAK,CAAC,CAAA,EAAG,CAAM,KAAA,CAAA,CAAE,SAAS,CAAE,CAAA,MAAM,CAClC,CAAA,IAAA,CAAK,GAAG,CAAA;AAAA,MACX,GAAA;AAAA,MACA,KAAK,UAAU,CAAA,EAAA;AAAA,KACjB,CAAE,KAAK,EAAE,CAAA;AAAA,IACT;AAAA,GACF;AAEA,EAAA,MAAM,SAAuB,mBAAA,MAAA,CAAA,CAAC,KAAO,EAAA,GAAA,EAAK,KAAK,IAAS,KAAA;AAGtD,IAAI,IAAA,GAAA,IAAO,MAAa,OAAA,KAAA;AACxB,IAAO,OAAA,mBAAA,CAAoB,GAAG,CAAE,CAAA,QAAA;AAAA,GAJL,EAAA,WAAA,CAAA;AAM7B,EAAA,mBAAA,GAAsB,EAAE,IAAA,EAAM,SAAW,EAAA,OAAA,EAAS,SAAU,EAAA;AAC9D;AApCgB,MAAA,CAAA,iBAAA,EAAA,mBAAA,CAAA;AAgDT,SAAS,sBAAsB,CAAa,EAAA;AACjD,EAAI,IAAA,CAAC,qBAA4B,OAAA,CAAA;AACjC,EAAI,IAAA,CAAC,GAAU,OAAA,CAAA;AAKf,EAAI,IAAA,KAAA,CAAM,OAAQ,CAAA,CAAC,CAAG,EAAA;AACpB,IAAO,OAAA,CAAA,CAAE,IAAI,qBAAqB,CAAA;AAAA;AAGpC,EAAI,IAAA,CAAA,IAAK,OAAQ,CAAO,KAAA,QAAA,IAAY,OAAO,cAAe,CAAA,CAAC,CAAM,KAAA,MAAA,CAAO,SAAW,EAAA;AACjF,IAAI,IAAA;AACF,MAAA,OAAO,KAAK,KAAM,CAAA,qBAAA,CAAsB,KAAK,SAAU,CAAA,CAAC,CAAC,CAAC,CAAA;AAAA,aACnD,GAAK,EAAA;AACZ,MAAO,OAAA,CAAA;AAAA;AACT;AAGF,EAAA,MAAM,OAAO,OAAO,CAAA;AACpB,EAAI,IAAA,IAAA,KAAS,QAAa,IAAA,IAAA,KAAS,QAAY,IAAA,MAAA,CAAO,UAAU,QAAS,CAAA,IAAA,CAAK,CAAC,CAAA,KAAM,iBAAoB,EAAA;AACvG,IAAA,OAAQ,CAAa,CAAA,UAAA,CAAW,mBAAoB,CAAA,IAAA,EAAM,oBAAoB,OAAO,CAAA;AAAA;AAGvF,EAAO,OAAA,CAAA;AACT;AAzBgB,MAAA,CAAA,qBAAA,EAAA,uBAAA,CAAA;AA+BT,SAAS,sBAAsB,SAAmB,EAAA;AAEvD,EAAI,IAAA,CAAE,UAAmB,CAAA,4BAAA,EAAqC,OAAA,SAAA;AAE9D,EAAA,OAAO,CAAG,EAAA,UAAU,CAAI,CAAA,EAAA,SAAS,IAAI,UAAU,CAAA,CAAA;AACjD;AALgB,MAAA,CAAA,qBAAA,EAAA,uBAAA,CAAA;AAYT,SAAS,YAAA,CACd,QAEA,IAIA,EAAA;AACA,EAAA,SAAS,gBAAgB,SAAmB,EAAA;AAI1C,IAAA,KAAA,MAAW,kBAAkB,mBAAqB,EAAA;AAChD,MAAI,IAAA,SAAA,CAAU,QAAS,CAAA,cAAc,CAAG,EAAA;AACtC,QAAM,MAAA,OAAA,GAAU,mBAAoB,CAAA,cAAc,CAAE,CAAA,GAAA;AAIpD,QAAA,OAAA,CAAQ,KAAM,CAAA;AAAA,UACZ,EAAA;AAAA,UACA,aAAM,kCAAkC,CAAA,UAAA,CAAA;AAAA,UACxC,sBAAsB,OAAO,CAAA,CAAA;AAAA,UAC7B,GAAG,MAAM,MAAS,GAAA,CAAC,kBAAkB,IAAK,CAAA,MAAM,CAAE,CAAA,CAAA,GAAI,EAAC;AAAA,UACvD,GAAG,MAAM,IAAO,GAAA,CAAC,WAAW,IAAK,CAAA,IAAI,CAAE,CAAA,CAAA,GAAI,EAAC;AAAA,UAC5C;AAAA,SACF,CAAE,IAAK,CAAA,IAAI,CAAC,CAAA;AAEZ,QAAA,MAAM,IAAI,KAAA,CAAM,CAAyC,6CAAA,EAAA,OAAO,CAAE,CAAA,CAAA;AAAA;AACpE;AACF;AArBO,EAAA,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAyBT,EAAI,IAAA,QAAA,CAAS,MAAM,CAAG,EAAA;AACpB,IAAA,eAAA,CAAgB,MAAgB,CAAA;AAChC,IAAO,OAAA,MAAA;AAAA,GACT,MAAA,IAAW,kBAAkB,MAAQ,EAAA;AACnC,IAAgB,eAAA,CAAA,MAAA,CAAO,UAAU,CAAA;AACjC,IAAO,OAAA,MAAA;AAAA,GAET,MAAA,IAAW,kBAAkB,cAAgB,EAAA;AAC3C,IAAA,IAAI,OAAO,MAAQ,EAAA;AAEjB,MAAO,OAAA,MAAA;AAAA;AAIT,IAAM,MAAA,YAAA,GAAe,IAAI,WAAY,EAAA;AACrC,IAAA,OAAO,MAAO,CAAA,WAAA;AAAA,MACZ,IAAI,eAAgB,CAAA;AAAA,QAClB,SAAA,CAAU,OAAO,UAAY,EAAA;AAC3B,UAAM,MAAA,QAAA,GAAW,YAAa,CAAA,MAAA,CAAO,KAAK,CAAA;AAC1C,UAAA,eAAA,CAAgB,QAAQ,CAAA;AACxB,UAAA,UAAA,CAAW,QAAQ,KAAK,CAAA;AAAA;AAC1B,OACD;AAAA,KACH;AAAA;AAGF,EAAO,OAAA,MAAA;AACT;AA5DgB,MAAA,CAAA,YAAA,EAAA,cAAA,CAAA;AAqEhB,IAAI,cAAiB,GAAA,KAAA;AACrB,IAAM,YAAY,EAAC;AACZ,IAAM,kBAAkB;AAExB,SAAS,eAAe,IAE5B,EAAA;AAED,EAAI,IAAA;AACF,IAAA,MAAM,oBAAwC,IAAK,CAAA,KAAA,CAAM,OAAQ,CAAA,GAAA,CAAI,iBAAiB,IAAI,CAAA;AAC1F,IAAO,MAAA,CAAA,MAAA,CAAO,eAAiB,EAAA,iBAAA,CAAkB,QAAQ,CAAA;AACzD,IAAA,iBAAA,CAAkB,iBAAiB,CAAA;AACnC,IAAW,KAAA,MAAA,OAAA,IAAW,kBAAkB,MAAQ,EAAA;AAC9C,MAAA,MAAM,SAAY,GAAA,iBAAA,CAAkB,MAAO,CAAA,OAAO,CAAE,CAAA,KAAA;AACpD,MAAA,SAAA,CAAU,OAAO,CAAI,GAAA,SAAA;AACrB,MAAI,IAAA,IAAA,EAAM,aAAkB,KAAA,KAAA,IAAS,SAAc,KAAA,KAAA,CAAA,UAAmB,GAAI,CAAA,OAAO,CAAI,GAAA,MAAA,CAAO,SAAS,CAAA;AAAA;AACvG,WACO,GAAK,EAAA;AACZ,IAAA,OAAA,CAAQ,KAAM,CAAA,4BAAA,EAA8B,GAAK,EAAA,OAAA,CAAQ,IAAI,aAAa,CAAA;AAAA;AAE5E,EAAiB,cAAA,GAAA,IAAA;AACnB;AAjBgB,MAAA,CAAA,cAAA,EAAA,gBAAA,CAAA;AAmBhB,IAAI,OAAQ,CAAA,GAAA,CAAI,aAAiB,IAAA,CAAC,cAAgB,EAAA;AAGhD,EAAe,cAAA,CAAA,EAAE,aAAe,EAAA,KAAA,EAAO,CAAA;AACzC;AAKA,IAAM,QAAW,GAAA,IAAI,KAAsB,CAAA,EAAI,EAAA;AAAA,EAC7C,GAAA,CAAI,QAAQ,IAAM,EAAA;AAChB,IAAA,IAAI,OAAO,IAAS,KAAA,QAAA,EAAgB,MAAA,IAAI,MAAM,6BAA6B,CAAA;AAC3E,IAAA,OAAO,UAAU,IAAI,CAAA;AAAA;AAEzB,CAAC,CAAA;AAEM,IAAM,GAAM,GAAA","file":"chunk-7QXRUUDC.js","sourcesContent":["import { type SerializedEnvGraph } from '@env-spec/env-graph';\nimport { debug } from './lib/debug';\nimport { redactString } from './lib/redaction';\n\n// TODO: would like to move all of the redaction utils out of this file\n// but its complicated since it is imported by code that may be run in the backend and frontend\n// but the patching code (which only runs in the backend) use these helper functions\n\n// this does not cover all cases, but serves our needs so far for Next.js\nfunction isString(s: any) {\n  return Object.prototype.toString.call(s) === '[object String]';\n}\n\nconst UNMASK_STR = '👁';\n\n\n/** key value lookup of sensitive values to their redacted version */\nlet sensitiveSecretsMap: Record<string, { key: string, redacted: string }> = {};\n\ntype ReplaceFn = (match: string, pre: string, val: string, post: string) => string;\nlet redactorFindReplace: undefined | { find: RegExp, replace: ReplaceFn };\n\nexport function resetRedactionMap(graph: SerializedEnvGraph) {\n  // reset map of { [sensitive] => redacted }\n  sensitiveSecretsMap = {};\n  for (const itemKey in graph.config) {\n    const item = graph.config[itemKey];\n    if (item.isSensitive && item.value && isString(item.value)) {\n      // TODO: we want to respect masking settings from the schema (once added)\n      const redacted = redactString(item.value);\n      if (redacted) sensitiveSecretsMap[item.value] = { key: itemKey, redacted };\n    }\n  }\n\n  // reset find/replace regex+fn used for redacting secrets in strings\n  const findRegex = new RegExp(\n    [\n      `(${UNMASK_STR} )?`,\n      '(',\n      Object.keys(sensitiveSecretsMap)\n        // Escape special characters\n        .map((s) => s.replace(/[()[\\]{}*+?^$|#.,/\\\\\\s-]/g, '\\\\$&'))\n        // Sort for maximal munch\n        .sort((a, b) => b.length - a.length)\n        .join('|'),\n      ')',\n      `( ${UNMASK_STR})?`,\n    ].join(''),\n    'g',\n  );\n\n  const replaceFn: ReplaceFn = (match, pre, val, post) => {\n    // the pre and post matches only will be populated if they were present\n    // and they are used to unmask the secret - so we do not want to replace in this case\n    if (pre && post) return match;\n    return sensitiveSecretsMap[val].redacted;\n  };\n  redactorFindReplace = { find: findRegex, replace: replaceFn };\n}\n\n\n// While the module itself acts as a singleton to hold the current map of redacted values\n// we expose only the below const to end users\n\n\n/**\n * Redacts senstive config values from any string/array/object/etc\n *\n * NOTE - must be used only after varlock has loaded config\n * */\nexport function redactSensitiveConfig(o: any): any {\n  if (!redactorFindReplace) return o;\n  if (!o) return o;\n\n  // TODO: handle more cases?\n  // we can probably redact safely from a few other datatypes - like set,map,etc?\n  // objects are a bit tougher\n  if (Array.isArray(o)) {\n    return o.map(redactSensitiveConfig);\n  }\n  // try to redact if it's a plain object - not necessarily great for perf...\n  if (o && typeof (o) === 'object' && Object.getPrototypeOf(o) === Object.prototype) {\n    try {\n      return JSON.parse(redactSensitiveConfig(JSON.stringify(o)));\n    } catch (err) {\n      return o;\n    }\n  }\n\n  const type = typeof o;\n  if (type === 'string' || (type === 'object' && Object.prototype.toString.call(o) === '[object String]')) {\n    return (o as string).replaceAll(redactorFindReplace.find, redactorFindReplace.replace);\n  }\n\n  return o;\n}\n\n/**\n * utility to unmask a secret/sensitive value when logging to the console\n * currently this only works on a single secret, not objects or aggregated strings\n * */\nexport function revealSensitiveConfig(secretStr: string) {\n  // if redaction not enabled, we just return the secret itself\n  if (!(globalThis as any)._varlockOrigWriteToConsoleFn) return secretStr;\n  // otherwise we add some wrapper characters which will be removed by the patched console behaviour\n  return `${UNMASK_STR} ${secretStr} ${UNMASK_STR}`;\n}\n\n\n\n\n\n// reusable leak scanning helper function, used by various integrations\nexport function scanForLeaks(\n  toScan: string | Response | ReadableStream,\n  // optional additional information about what is being scanned to be used in error messages\n  meta?: {\n    method?: string,\n    file?: string,\n  },\n) {\n  function scanStrForLeaks(strToScan: string) {\n    // console.log('[varlock leak scanner] ', strToScan.substr(0, 100));\n\n    // TODO: probably should use a single regex\n    for (const sensitiveValue in sensitiveSecretsMap) {\n      if (strToScan.includes(sensitiveValue)) {\n        const itemKey = sensitiveSecretsMap[sensitiveValue].key;\n\n        // error stack can gets awkwardly buried since we're so deep in the internals\n        // so we'll write a nicer error message to help the user debug\n        console.error([\n          '',\n          `🚨 ${'DETECTED LEAKED SENSITIVE CONFIG'} 🚨`,\n          `> Config item key: ${itemKey}`,\n          ...meta?.method ? [`> Scan method: ${meta.method}`] : [],\n          ...meta?.file ? [`> File: ${meta.file}`] : [],\n          '',\n        ].join('\\n'));\n\n        throw new Error(`🚨 DETECTED LEAKED SENSITIVE CONFIG - ${itemKey}`);\n      }\n    }\n  }\n\n  // scan a string\n  if (isString(toScan)) {\n    scanStrForLeaks(toScan as string);\n    return toScan;\n  } else if (toScan instanceof Buffer) {\n    scanStrForLeaks(toScan.toString());\n    return toScan;\n  // scan a ReadableStream by piping it through a scanner\n  } else if (toScan instanceof ReadableStream) {\n    if (toScan.locked) {\n      // console.log('> stream already locked');\n      return toScan;\n    } else {\n      // console.log('> stream will be scanned!');\n    }\n    const chunkDecoder = new TextDecoder();\n    return toScan.pipeThrough(\n      new TransformStream({\n        transform(chunk, controller) {\n          const chunkStr = chunkDecoder.decode(chunk);\n          scanStrForLeaks(chunkStr);\n          controller.enqueue(chunk);\n        },\n      }),\n    );\n  }\n  // other things may be passed in like Buffer... but we'll ignore for now\n  return toScan;\n}\n\n// -----------\n\n\n\n\n// --------------\n\nlet initializedEnv = false;\nconst envValues = {} as Record<string, any>;\nexport const varlockSettings = {} as Record<string, any>;\n\nexport function initVarlockEnv(opts?: {\n  setProcessEnv?: boolean,\n}) {\n  // console.log('⚡️ INIT VARLOCK ENV!', initializedEnv, !!process.env.__VARLOCK_ENV);\n  try {\n    const serializedEnvData: SerializedEnvGraph = JSON.parse(process.env.__VARLOCK_ENV || '{}');\n    Object.assign(varlockSettings, serializedEnvData.settings);\n    resetRedactionMap(serializedEnvData);\n    for (const itemKey in serializedEnvData.config) {\n      const itemValue = serializedEnvData.config[itemKey].value;\n      envValues[itemKey] = itemValue;\n      if (opts?.setProcessEnv !== false && itemValue !== undefined) process.env[itemKey] = String(itemValue);\n    }\n  } catch (err) {\n    console.error('failed to load varlock env', err, process.env.__VARLOCK_ENV);\n  }\n  initializedEnv = true;\n}\n\nif (process.env.__VARLOCK_ENV && !initializedEnv) {\n  // if we are automatically loading because __VARLOCK_ENV is already set\n  // then we assume process.env vars have also already been set (although might not harm anything?)\n  initVarlockEnv({ setProcessEnv: false });\n}\n\n\nexport interface TypedEnvSchema {}\n\nconst EnvProxy = new Proxy<TypedEnvSchema>({}, {\n  get(target, prop) {\n    if (typeof prop !== 'string') throw new Error('prop keys cannot be symbols');\n    return envValues[prop];\n  },\n});\n\nexport const ENV = EnvProxy;\n"]}

package/dist/chunk-FGMXIEFA.js

@@ -0,0 +1,20 @@
+import { __name } from './chunk-XN24GZXQ.js';
+
+// src/runtime/lib/redaction.ts
+function redactString(valStr, mode, hideLength = true) {
+  if (!valStr) return valStr;
+  const hiddenLength = hideLength ? 5 : valStr.length - 2;
+  const hiddenStr = "\u2592".repeat(hiddenLength);
+  if (mode === "show_last_2") {
+    return `${hiddenStr}${valStr.substring(valStr.length - 2, valStr.length)}`;
+  } else if (mode === "show_first_last") {
+    return `${valStr.substring(0, 1)}${hiddenStr}${valStr.substring(valStr.length - 1, valStr.length)}`;
+  } else {
+    return `${valStr.substring(0, 2)}${hiddenStr}`;
+  }
+}
+__name(redactString, "redactString");
+
+export { redactString };
+//# sourceMappingURL=chunk-FGMXIEFA.js.map
+//# sourceMappingURL=chunk-FGMXIEFA.js.map

package/dist/chunk-FGMXIEFA.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/runtime/lib/redaction.ts"],"names":[],"mappings":";;;AASO,SAAS,YAAa,CAAA,MAAA,EAA4B,IAAmB,EAAA,UAAA,GAAa,IAAM,EAAA;AAC7F,EAAI,IAAA,CAAC,QAAe,OAAA,MAAA;AAEpB,EAAA,MAAM,YAAe,GAAA,UAAA,GAAa,CAAI,GAAA,MAAA,CAAO,MAAS,GAAA,CAAA;AACtD,EAAM,MAAA,SAAA,GAAY,QAAI,CAAA,MAAA,CAAO,YAAY,CAAA;AAEzC,EAAA,IAAI,SAAS,aAAe,EAAA;AAC1B,IAAO,OAAA,CAAA,EAAG,SAAS,CAAA,EAAG,MAAO,CAAA,SAAA,CAAU,OAAO,MAAS,GAAA,CAAA,EAAG,MAAO,CAAA,MAAM,CAAC,CAAA,CAAA;AAAA,GAC1E,MAAA,IAAW,SAAS,iBAAmB,EAAA;AACrC,IAAA,OAAO,GAAG,MAAO,CAAA,SAAA,CAAU,CAAG,EAAA,CAAC,CAAC,CAAG,EAAA,SAAS,CAAG,EAAA,MAAA,CAAO,UAAU,MAAO,CAAA,MAAA,GAAS,CAAG,EAAA,MAAA,CAAO,MAAM,CAAC,CAAA,CAAA;AAAA,GAC5F,MAAA;AACL,IAAA,OAAO,GAAG,MAAO,CAAA,SAAA,CAAU,GAAG,CAAC,CAAC,GAAG,SAAS,CAAA,CAAA;AAAA;AAEhD;AAbgB,MAAA,CAAA,YAAA,EAAA,cAAA,CAAA","file":"chunk-FGMXIEFA.js","sourcesContent":["\nexport type RedactMode = 'show_first_2' | 'show_last_2' | 'show_first_last';\n\n/**\n * utility to mask/redact a string, for example transforming \"hello\" into \"he▒▒▒\"\n * this function just redacts _any_ string passed in\n *\n * To redact sensitive parts of a larger object/string, use redactSensitiveConfig\n * */\nexport function redactString(valStr: string | undefined, mode?: RedactMode, hideLength = true) {\n  if (!valStr) return valStr;\n\n  const hiddenLength = hideLength ? 5 : valStr.length - 2;\n  const hiddenStr = '▒'.repeat(hiddenLength);\n\n  if (mode === 'show_last_2') {\n    return `${hiddenStr}${valStr.substring(valStr.length - 2, valStr.length)}`;\n  } else if (mode === 'show_first_last') {\n    return `${valStr.substring(0, 1)}${hiddenStr}${valStr.substring(valStr.length - 1, valStr.length)}`;\n  } else { // 'show_first_2' - also default\n    return `${valStr.substring(0, 2)}${hiddenStr}`;\n  }\n}\n"]}

package/dist/{chunk-4WO4BGKU.js → chunk-NAZPFZOO.js}

@@ -1,7 +1,7 @@
-import { checkForSchemaErrors, checkForConfigErrors } from './chunk-Z55UMN2B.js';
 import { define } from './chunk-33ROL4J5.js';
-import { loadVarlockEnvGraph, getItemSummary } from './chunk-6YLXKXKR.js';
-import { my_dash_default } from './chunk-G4BD2BPH.js';
+import { checkForSchemaErrors, checkForConfigErrors } from './chunk-OSSLRXKM.js';
+import { loadVarlockEnvGraph, getItemSummary } from './chunk-Q5P7F3WA.js';
+import { my_dash_default } from './chunk-TYL3Q4QG.js';
 import { __name } from './chunk-XN24GZXQ.js';
 
 // src/cli/commands/load.command.ts
@@ -18,12 +18,18 @@ var commandSpec = define({
     "show-all": {
       type: "boolean",
       description: "When load is fialing, show all items rather than only failing items"
+    },
+    env: {
+      type: "string",
+      description: "Set the environment (e.g., production, development, etc) - will be overridden by @envFlag in the schema if present"
     }
   }
 });
 var commandFn = /* @__PURE__ */ __name(async (ctx) => {
   const { format, "show-all": showAll } = ctx.values;
-  const envGraph = await loadVarlockEnvGraph();
+  const envGraph = await loadVarlockEnvGraph({
+    currentEnvFallback: ctx.values.env
+  });
   checkForSchemaErrors(envGraph);
   if (envGraph.schemaDataSource?.decorators.generateTypes) {
     const typeGenSettings = envGraph.schemaDataSource?.decorators.generateTypes.bareFnArgs?.simplifiedValues;
@@ -44,8 +50,9 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
       console.log(getItemSummary(item));
     }
   } else if (format === "json") {
-    const resolvedEnv = envGraph.getResolvedEnvObject();
-    console.log(JSON.stringify(resolvedEnv, null, 2));
+    console.log(JSON.stringify(envGraph.getResolvedEnvObject(), null, 2));
+  } else if (format === "json-full") {
+    console.log(JSON.stringify(envGraph.getSerializedGraph(), null, 2));
   } else if (format === "env") {
     const resolvedEnv = envGraph.getResolvedEnvObject();
     for (const key in resolvedEnv) {
@@ -66,5 +73,5 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
 }, "commandFn");
 
 export { commandFn, commandSpec };
-//# sourceMappingURL=chunk-4WO4BGKU.js.map
-//# sourceMappingURL=chunk-4WO4BGKU.js.map
+//# sourceMappingURL=chunk-NAZPFZOO.js.map
+//# sourceMappingURL=chunk-NAZPFZOO.js.map

package/dist/chunk-NAZPFZOO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli/commands/load.command.ts"],"names":[],"mappings":";;;;;;;AAQO,IAAM,cAAc,MAAO,CAAA;AAAA,EAChC,IAAM,EAAA,MAAA;AAAA,EACN,WAAa,EAAA,iDAAA;AAAA,EACb,IAAM,EAAA;AAAA,IACJ,MAAQ,EAAA;AAAA,MACN,IAAM,EAAA,QAAA;AAAA,MACN,KAAO,EAAA,GAAA;AAAA,MACP,WAAa,EAAA,qDAAA;AAAA,MACb,OAAS,EAAA;AAAA,KACX;AAAA,IACA,UAAY,EAAA;AAAA,MACV,IAAM,EAAA,SAAA;AAAA,MACN,WAAa,EAAA;AAAA,KACf;AAAA,IACA,GAAK,EAAA;AAAA,MACH,IAAM,EAAA,QAAA;AAAA,MACN,WAAa,EAAA;AAAA;AACf;AAEJ,CAAC;AAGY,IAAA,SAAA,iCAA6D,GAAQ,KAAA;AAChF,EAAA,MAAM,EAAE,MAAA,EAAQ,UAAY,EAAA,OAAA,KAAY,GAAI,CAAA,MAAA;AAE5C,EAAM,MAAA,QAAA,GAAW,MAAM,mBAAoB,CAAA;AAAA,IACzC,kBAAA,EAAoB,IAAI,MAAO,CAAA;AAAA,GAChC,CAAA;AACD,EAAA,oBAAA,CAAqB,QAAQ,CAAA;AAG7B,EAAI,IAAA,QAAA,CAAS,gBAAkB,EAAA,UAAA,CAAW,aAAe,EAAA;AAEvD,IAAA,MAAM,eAAkB,GAAA,QAAA,CAAS,gBAAkB,EAAA,UAAA,CAAW,cAAc,UAAY,EAAA,gBAAA;AACxF,IAAA,IAAI,CAAC,eAAA,CAAE,aAAc,CAAA,eAAe,CAAG,EAAA;AACrC,MAAM,MAAA,IAAI,MAAM,wDAAwD,CAAA;AAAA;AAE1E,IAAA,IAAI,CAAC,eAAgB,CAAA,IAAA,EAAY,MAAA,IAAI,MAAM,sCAAsC,CAAA;AACjF,IAAI,IAAA,eAAA,CAAgB,SAAS,IAAM,EAAA,MAAM,IAAI,KAAM,CAAA,CAAA,uCAAA,EAA0C,eAAgB,CAAA,IAAI,CAAE,CAAA,CAAA;AACnH,IAAA,IAAI,CAAC,eAAgB,CAAA,IAAA,EAAY,MAAA,IAAI,MAAM,sCAAsC,CAAA;AACjF,IAAI,IAAA,CAAC,gBAAE,QAAS,CAAA,eAAA,CAAgB,IAAI,CAAG,EAAA,MAAM,IAAI,KAAA,CAAM,8CAA8C,CAAA;AACrG,IAAA,MAAM,QAAS,CAAA,aAAA,CAAc,eAAgB,CAAA,IAAA,EAAM,gBAAgB,IAAI,CAAA;AAAA;AAGzE,EAAA,MAAM,SAAS,gBAAiB,EAAA;AAChC,EAAqB,oBAAA,CAAA,QAAA,EAAU,EAAE,OAAA,EAAS,CAAA;AAE1C,EAAA,IAAI,WAAW,QAAU,EAAA;AACvB,IAAW,KAAA,MAAA,OAAA,IAAW,SAAS,YAAc,EAAA;AAC3C,MAAM,MAAA,IAAA,GAAO,QAAS,CAAA,YAAA,CAAa,OAAO,CAAA;AAC1C,MAAQ,OAAA,CAAA,GAAA,CAAI,cAAe,CAAA,IAAI,CAAC,CAAA;AAAA;AAClC,GACF,MAAA,IAAW,WAAW,MAAQ,EAAA;AAC5B,IAAQ,OAAA,CAAA,GAAA,CAAI,KAAK,SAAU,CAAA,QAAA,CAAS,sBAAwB,EAAA,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,GACtE,MAAA,IAAW,WAAW,WAAa,EAAA;AACjC,IAAQ,OAAA,CAAA,GAAA,CAAI,KAAK,SAAU,CAAA,QAAA,CAAS,oBAAsB,EAAA,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,GACpE,MAAA,IAAW,WAAW,KAAO,EAAA;AAC3B,IAAM,MAAA,WAAA,GAAc,SAAS,oBAAqB,EAAA;AAClD,IAAA,KAAA,MAAW,OAAO,WAAa,EAAA;AAC7B,MAAM,MAAA,KAAA,GAAQ,YAAY,GAAG,CAAA;AAC7B,MAAI,IAAA,QAAA;AACJ,MAAA,IAAI,UAAU,MAAW,EAAA;AACvB,QAAW,QAAA,GAAA,EAAA;AAAA,OACb,MAAA,IAAW,OAAO,KAAA,KAAU,QAAU,EAAA;AACpC,QAAW,QAAA,GAAA,CAAA,CAAA,EAAI,MAAM,UAAW,CAAA,GAAA,EAAK,KAAK,CAAE,CAAA,UAAA,CAAW,IAAM,EAAA,KAAK,CAAC,CAAA,CAAA,CAAA;AAAA,OAC9D,MAAA;AACL,QAAW,QAAA,GAAA,IAAA,CAAK,UAAU,KAAK,CAAA;AAAA;AAEjC,MAAA,OAAA,CAAQ,GAAI,CAAA,CAAA,EAAG,GAAG,CAAA,CAAA,EAAI,QAAQ,CAAE,CAAA,CAAA;AAAA;AAClC,GACK,MAAA;AACL,IAAA,MAAM,IAAI,KAAA,CAAM,CAAmB,gBAAA,EAAA,MAAM,CAAE,CAAA,CAAA;AAAA;AAK/C,CAtDmE,EAAA,WAAA","file":"chunk-NAZPFZOO.js","sourcesContent":["import { define } from 'gunshi';\nimport _ from '@env-spec/utils/my-dash';\n\nimport { loadVarlockEnvGraph } from '../../lib/load-graph';\nimport { getItemSummary } from '../../lib/formatting';\nimport { checkForConfigErrors, checkForSchemaErrors } from '../helpers/error-checks';\nimport { TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\n\nexport const commandSpec = define({\n  name: 'load',\n  description: 'Load env according to schema and resolve values',\n  args: {\n    format: {\n      type: 'string',\n      short: 'f',\n      description: 'Format of output (if not pretty printed to console)',\n      default: 'pretty',\n    },\n    'show-all': {\n      type: 'boolean',\n      description: 'When load is fialing, show all items rather than only failing items',\n    },\n    env: {\n      type: 'string',\n      description: 'Set the environment (e.g., production, development, etc) - will be overridden by @envFlag in the schema if present',\n    },\n  },\n});\n\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n  const { format, 'show-all': showAll } = ctx.values;\n\n  const envGraph = await loadVarlockEnvGraph({\n    currentEnvFallback: ctx.values.env,\n  });\n  checkForSchemaErrors(envGraph);\n\n  // TODO: move into a more general post-load hook system\n  if (envGraph.schemaDataSource?.decorators.generateTypes) {\n    // TODO: much of this logic should move to the definition of the decorator itself\n    const typeGenSettings = envGraph.schemaDataSource?.decorators.generateTypes.bareFnArgs?.simplifiedValues;\n    if (!_.isPlainObject(typeGenSettings)) {\n      throw new Error('@generateTypes - must be a fn call with key/value args');\n    }\n    if (!typeGenSettings.lang) throw new Error('@generateTypes - must set `lang` arg');\n    if (typeGenSettings.lang !== 'ts') throw new Error(`@generateTypes - unsupported language: ${typeGenSettings.lang}`);\n    if (!typeGenSettings.path) throw new Error('@generateTypes - must set `path` arg');\n    if (!_.isString(typeGenSettings.path)) throw new Error('@generateTypes - `path` arg must be a string');\n    await envGraph.generateTypes(typeGenSettings.lang, typeGenSettings.path);\n  }\n\n  await envGraph.resolveEnvValues();\n  checkForConfigErrors(envGraph, { showAll });\n\n  if (format === 'pretty') {\n    for (const itemKey in envGraph.configSchema) {\n      const item = envGraph.configSchema[itemKey];\n      console.log(getItemSummary(item));\n    }\n  } else if (format === 'json') {\n    console.log(JSON.stringify(envGraph.getResolvedEnvObject(), null, 2));\n  } else if (format === 'json-full') {\n    console.log(JSON.stringify(envGraph.getSerializedGraph(), null, 2));\n  } else if (format === 'env') {\n    const resolvedEnv = envGraph.getResolvedEnvObject();\n    for (const key in resolvedEnv) {\n      const value = resolvedEnv[key];\n      let strValue: string;\n      if (value === undefined) {\n        strValue = '';\n      } else if (typeof value === 'string') {\n        strValue = `\"${value.replaceAll('\"', '\\\\\"').replaceAll('\\n', '\\\\n')}\"`;\n      } else {\n        strValue = JSON.stringify(value);\n      }\n      console.log(`${key}=${strValue}`);\n    }\n  } else {\n    throw new Error(`Unknown format: ${format}`);\n  }\n\n  // const resolvedEnv = envGraph.getResolvedEnvObject();\n  // console.log(resolvedEnv);\n};\n"]}

package/dist/{chunk-Z55UMN2B.js → chunk-OSSLRXKM.js}

@@ -1,6 +1,6 @@
-import { getItemSummary, joinAndCompact } from './chunk-6YLXKXKR.js';
-import { my_dash_default } from './chunk-G4BD2BPH.js';
+import { getItemSummary, joinAndCompact } from './chunk-Q5P7F3WA.js';
 import { ansis_default } from './chunk-7UQXFWKN.js';
+import { my_dash_default } from './chunk-TYL3Q4QG.js';
 import { __name } from './chunk-XN24GZXQ.js';
 
 // src/cli/helpers/error-checks.ts
@@ -65,5 +65,5 @@ function checkForConfigErrors(envGraph, opts) {
 __name(checkForConfigErrors, "checkForConfigErrors");
 
 export { InvalidEnvError, checkForConfigErrors, checkForSchemaErrors };
-//# sourceMappingURL=chunk-Z55UMN2B.js.map
-//# sourceMappingURL=chunk-Z55UMN2B.js.map
+//# sourceMappingURL=chunk-OSSLRXKM.js.map
+//# sourceMappingURL=chunk-OSSLRXKM.js.map

package/dist/{chunk-Z55UMN2B.js.map → chunk-OSSLRXKM.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/cli/helpers/error-checks.ts"],"names":[],"mappings":";;;;;;AAKO,SAAS,qBAAqB,QAAoB,EAAA;AAEvD,EAAW,KAAA,MAAA,MAAA,IAAU,SAAS,WAAa,EAAA;AAOzC,IAAA,IAAI,OAAO,YAAc,EAAA;AACvB,MAAA,OAAA,CAAQ,GAAI,CAAA,CAAA,0CAAA,EAAsC,MAAO,CAAA,KAAK,CAAE,CAAA,CAAA;AAChE,MAAQ,OAAA,CAAA,GAAA,CAAI,MAAO,CAAA,YAAA,CAAa,OAAO,CAAA;AACvC,MAAQ,OAAA,CAAA,GAAA,CAAI,MAAO,CAAA,YAAA,CAAa,QAAQ,CAAA;AAExC,MAAM,MAAA,MAAA,GAAS,OAAO,YAAa,CAAA,QAAA;AAEnC,MAAA,MAAM,UAAa,GAAA;AAAA,QACjB,MAAO,CAAA,OAAA;AAAA,QACP,CAAG,EAAA,aAAA,CAAM,IAAK,CAAA,GAAA,CAAI,OAAO,MAAO,CAAA,SAAA,GAAY,CAAC,CAAC,CAAC,CAAA,EAAG,aAAM,CAAA,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,OAClE,CAAE,KAAK,IAAI,CAAA;AAEX,MAAA,OAAA,CAAQ,IAAI,yBAAyB,CAAA;AACrC,MAAQ,OAAA,CAAA,GAAA,CAAI,CAAI,CAAA,EAAA,MAAA,CAAO,IAAI,CAAA,CAAA,EAAI,OAAO,UAAU,CAAA,CAAA,EAAI,MAAO,CAAA,SAAS,CAAE,CAAA,CAAA;AACtE,MAAA,OAAA,CAAQ,IAAI,UAAU,CAAA;AAEtB,MAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA;AAChB;AAUJ;AApCgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AAsCH,IAAA,eAAA,GAAN,cAA8B,KAAM,CAAA;AAAA,EA3C3C;AA2C2C,IAAA,MAAA,CAAA,IAAA,EAAA,iBAAA,CAAA;AAAA;AAAA,EACzC,WAAc,GAAA;AACZ,IAAA,KAAA,CAAM,6CAA6C,CAAA;AAAA;AACrD,EACA,kBAAqB,GAAA;AACnB,IAAO,OAAA;AAAA,UAAA,EAAQ,aAAM,CAAA,GAAA,CAAI,IAAK,CAAA,OAAO,CAAC,CAAA;AAAA,CAAA;AAAA;AAE1C;AAEO,SAAS,oBAAA,CAAqB,UAAoB,IAEtD,EAAA;AACD,EAAA,MAAM,YAAe,GAAA,eAAA,CAAE,MAAO,CAAA,eAAA,CAAE,MAAO,CAAA,QAAA,CAAS,YAAY,CAAA,EAAG,CAAC,IAAA,KAAS,IAAK,CAAA,eAAA,KAAoB,OAAO,CAAA;AAGzG,EAAI,IAAA,YAAA,CAAa,SAAS,CAAG,EAAA;AAC3B,IAAA,OAAA,CAAQ,GAAI,CAAA;AAAA,+BAAA,EAAe,aAAM,CAAA,IAAA,CAAK,SAAU,CAAA,qCAAqC,CAAC,CAAA;AAAA,CAAc,CAAA;AACpG,IAAA,OAAA,CAAQ,IAAI,kBAAkB,CAAA;AAE9B,IAAE,eAAA,CAAA,IAAA,CAAK,YAAc,EAAA,CAAC,IAAS,KAAA;AAC7B,MAAQ,OAAA,CAAA,GAAA,CAAI,cAAe,CAAA,IAAI,CAAC,CAAA;AAChC,MAAA,OAAA,CAAQ,GAAI,EAAA;AAAA,KACb,CAAA;AACD,IAAA,IAAI,MAAM,OAAS,EAAA;AACjB,MAAA,OAAA,CAAQ,GAAI,EAAA;AACZ,MAAA,OAAA,CAAQ,IAAI,cAAe,CAAA;AAAA,QACzB,cAAA;AAAA,QACA,aAAA,CAAM,MAAO,CAAA,IAAA,CAAK,oCAAoC;AAAA,OACvD,CAAC,CAAA;AACF,MAAA,OAAA,CAAQ,GAAI,EAAA;AACZ,MAAA,MAAM,UAAa,GAAA,eAAA,CAAE,MAAO,CAAA,eAAA,CAAE,MAAO,CAAA,QAAA,CAAS,YAAY,CAAA,EAAG,CAAC,CAAA,KAAM,CAAC,CAAC,EAAE,OAAO,CAAA;AAC/E,MAAE,eAAA,CAAA,IAAA,CAAK,UAAY,EAAA,CAAC,IAAS,KAAA;AAC3B,QAAQ,OAAA,CAAA,GAAA,CAAI,cAAe,CAAA,IAAI,CAAC,CAAA;AAAA,OACjC,CAAA;AAAA;AAGH,IAAA,MAAM,IAAI,eAAgB,EAAA;AAAA;AAE9B;AA7BgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA","file":"chunk-Z55UMN2B.js","sourcesContent":["import ansis from 'ansis';\nimport { EnvGraph } from '@env-spec/env-graph';\nimport _ from '@env-spec/utils/my-dash';\nimport { getItemSummary, joinAndCompact } from '../../lib/formatting';\n\nexport function checkForSchemaErrors(envGraph: EnvGraph) {\n  // first we check for loading/parse errors - some cases we may want to let it fail silently?\n  for (const source of envGraph.dataSources) {\n    // do we care about loading errors from disabled sources?\n    // if (source.disabled) continue;\n\n    // console.log(source);\n\n    // TODO: use a formatting helper to show the error - which will include location/stack/etc appropriately\n    if (source.loadingError) {\n      console.log(`🚨 Error encountered while loading ${source.label}`);\n      console.log(source.loadingError.message);\n      console.log(source.loadingError.location);\n\n      const errLoc = source.loadingError.location as any;\n\n      const errPreview = [\n        errLoc.lineStr,\n        `${ansis.gray('-'.repeat(errLoc.colNumber - 1))}${ansis.red('^')}`,\n      ].join('\\n');\n\n      console.log('Error parsing .env file');\n      console.log(` ${errLoc.path}:${errLoc.lineNumber}:${errLoc.colNumber}`);\n      console.log(errPreview);\n\n      process.exit(1);\n    }\n  }\n\n  // now we check for any schema errors - where something about how things are wired up is invalid\n  // NOTE - we should not have run any resolution yet\n  // TODO: make sure we are calling this before attempting to resolve values\n  // const failingItems = _.filter(_.values(envGraph.configSchema), (item) => item.validationState === 'error');\n  // if (failingItems.length > 0) {\n  //   throw new CliExitError('Schema is currently invalid');\n  // }\n}\n\nexport class InvalidEnvError extends Error {\n  constructor() {\n    super('Resolved config/env did not pass validation');\n  }\n  getFormattedOutput() {\n    return `\\n💥 ${ansis.red(this.message)} 💥\\n`;\n  }\n}\n\nexport function checkForConfigErrors(envGraph: EnvGraph, opts?: {\n  showAll?: boolean\n}) {\n  const failingItems = _.filter(_.values(envGraph.configSchema), (item) => item.validationState === 'error');\n\n  // TODO: use service.isValid?\n  if (failingItems.length > 0) {\n    console.log(`\\n🚨 🚨 🚨  ${ansis.bold.underline('Configuration is currently invalid ')}  🚨 🚨 🚨\\n`);\n    console.log('Invalid items:\\n');\n\n    _.each(failingItems, (item) => {\n      console.log(getItemSummary(item));\n      console.log();\n    });\n    if (opts?.showAll) {\n      console.log();\n      console.log(joinAndCompact([\n        'Valid items:',\n        ansis.italic.gray('(remove `--show-all` flag to hide)'),\n      ]));\n      console.log();\n      const validItems = _.filter(_.values(envGraph.configSchema), (i) => !!i.isValid);\n      _.each(validItems, (item) => {\n        console.log(getItemSummary(item));\n      });\n    }\n\n    throw new InvalidEnvError();\n  }\n}\n"]}
+{"version":3,"sources":["../src/cli/helpers/error-checks.ts"],"names":[],"mappings":";;;;;;AAKO,SAAS,qBAAqB,QAAoB,EAAA;AAEvD,EAAW,KAAA,MAAA,MAAA,IAAU,SAAS,WAAa,EAAA;AAOzC,IAAA,IAAI,OAAO,YAAc,EAAA;AACvB,MAAA,OAAA,CAAQ,GAAI,CAAA,CAAA,0CAAA,EAAsC,MAAO,CAAA,KAAK,CAAE,CAAA,CAAA;AAChE,MAAQ,OAAA,CAAA,GAAA,CAAI,MAAO,CAAA,YAAA,CAAa,OAAO,CAAA;AACvC,MAAQ,OAAA,CAAA,GAAA,CAAI,MAAO,CAAA,YAAA,CAAa,QAAQ,CAAA;AAExC,MAAM,MAAA,MAAA,GAAS,OAAO,YAAa,CAAA,QAAA;AAEnC,MAAA,MAAM,UAAa,GAAA;AAAA,QACjB,MAAO,CAAA,OAAA;AAAA,QACP,CAAG,EAAA,aAAA,CAAM,IAAK,CAAA,GAAA,CAAI,OAAO,MAAO,CAAA,SAAA,GAAY,CAAC,CAAC,CAAC,CAAA,EAAG,aAAM,CAAA,GAAA,CAAI,GAAG,CAAC,CAAA;AAAA,OAClE,CAAE,KAAK,IAAI,CAAA;AAEX,MAAA,OAAA,CAAQ,IAAI,yBAAyB,CAAA;AACrC,MAAQ,OAAA,CAAA,GAAA,CAAI,CAAI,CAAA,EAAA,MAAA,CAAO,IAAI,CAAA,CAAA,EAAI,OAAO,UAAU,CAAA,CAAA,EAAI,MAAO,CAAA,SAAS,CAAE,CAAA,CAAA;AACtE,MAAA,OAAA,CAAQ,IAAI,UAAU,CAAA;AAEtB,MAAA,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA;AAChB;AAUJ;AApCgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AAsCH,IAAA,eAAA,GAAN,cAA8B,KAAM,CAAA;AAAA,EA3C3C;AA2C2C,IAAA,MAAA,CAAA,IAAA,EAAA,iBAAA,CAAA;AAAA;AAAA,EACzC,WAAc,GAAA;AACZ,IAAA,KAAA,CAAM,6CAA6C,CAAA;AAAA;AACrD,EACA,kBAAqB,GAAA;AACnB,IAAO,OAAA;AAAA,UAAA,EAAQ,aAAM,CAAA,GAAA,CAAI,IAAK,CAAA,OAAO,CAAC,CAAA;AAAA,CAAA;AAAA;AAE1C;AAEO,SAAS,oBAAA,CAAqB,UAAoB,IAEtD,EAAA;AACD,EAAA,MAAM,YAAe,GAAA,eAAA,CAAE,MAAO,CAAA,eAAA,CAAE,MAAO,CAAA,QAAA,CAAS,YAAY,CAAA,EAAG,CAAC,IAAA,KAAS,IAAK,CAAA,eAAA,KAAoB,OAAO,CAAA;AAGzG,EAAI,IAAA,YAAA,CAAa,SAAS,CAAG,EAAA;AAC3B,IAAA,OAAA,CAAQ,GAAI,CAAA;AAAA,+BAAA,EAAe,aAAM,CAAA,IAAA,CAAK,SAAU,CAAA,qCAAqC,CAAC,CAAA;AAAA,CAAc,CAAA;AACpG,IAAA,OAAA,CAAQ,IAAI,kBAAkB,CAAA;AAE9B,IAAE,eAAA,CAAA,IAAA,CAAK,YAAc,EAAA,CAAC,IAAS,KAAA;AAC7B,MAAQ,OAAA,CAAA,GAAA,CAAI,cAAe,CAAA,IAAI,CAAC,CAAA;AAChC,MAAA,OAAA,CAAQ,GAAI,EAAA;AAAA,KACb,CAAA;AACD,IAAA,IAAI,MAAM,OAAS,EAAA;AACjB,MAAA,OAAA,CAAQ,GAAI,EAAA;AACZ,MAAA,OAAA,CAAQ,IAAI,cAAe,CAAA;AAAA,QACzB,cAAA;AAAA,QACA,aAAA,CAAM,MAAO,CAAA,IAAA,CAAK,oCAAoC;AAAA,OACvD,CAAC,CAAA;AACF,MAAA,OAAA,CAAQ,GAAI,EAAA;AACZ,MAAA,MAAM,UAAa,GAAA,eAAA,CAAE,MAAO,CAAA,eAAA,CAAE,MAAO,CAAA,QAAA,CAAS,YAAY,CAAA,EAAG,CAAC,CAAA,KAAM,CAAC,CAAC,EAAE,OAAO,CAAA;AAC/E,MAAE,eAAA,CAAA,IAAA,CAAK,UAAY,EAAA,CAAC,IAAS,KAAA;AAC3B,QAAQ,OAAA,CAAA,GAAA,CAAI,cAAe,CAAA,IAAI,CAAC,CAAA;AAAA,OACjC,CAAA;AAAA;AAGH,IAAA,MAAM,IAAI,eAAgB,EAAA;AAAA;AAE9B;AA7BgB,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA","file":"chunk-OSSLRXKM.js","sourcesContent":["import ansis from 'ansis';\nimport { EnvGraph } from '@env-spec/env-graph';\nimport _ from '@env-spec/utils/my-dash';\nimport { getItemSummary, joinAndCompact } from '../../lib/formatting';\n\nexport function checkForSchemaErrors(envGraph: EnvGraph) {\n  // first we check for loading/parse errors - some cases we may want to let it fail silently?\n  for (const source of envGraph.dataSources) {\n    // do we care about loading errors from disabled sources?\n    // if (source.disabled) continue;\n\n    // console.log(source);\n\n    // TODO: use a formatting helper to show the error - which will include location/stack/etc appropriately\n    if (source.loadingError) {\n      console.log(`🚨 Error encountered while loading ${source.label}`);\n      console.log(source.loadingError.message);\n      console.log(source.loadingError.location);\n\n      const errLoc = source.loadingError.location as any;\n\n      const errPreview = [\n        errLoc.lineStr,\n        `${ansis.gray('-'.repeat(errLoc.colNumber - 1))}${ansis.red('^')}`,\n      ].join('\\n');\n\n      console.log('Error parsing .env file');\n      console.log(` ${errLoc.path}:${errLoc.lineNumber}:${errLoc.colNumber}`);\n      console.log(errPreview);\n\n      process.exit(1);\n    }\n  }\n\n  // now we check for any schema errors - where something about how things are wired up is invalid\n  // NOTE - we should not have run any resolution yet\n  // TODO: make sure we are calling this before attempting to resolve values\n  // const failingItems = _.filter(_.values(envGraph.configSchema), (item) => item.validationState === 'error');\n  // if (failingItems.length > 0) {\n  //   throw new CliExitError('Schema is currently invalid');\n  // }\n}\n\nexport class InvalidEnvError extends Error {\n  constructor() {\n    super('Resolved config/env did not pass validation');\n  }\n  getFormattedOutput() {\n    return `\\n💥 ${ansis.red(this.message)} 💥\\n`;\n  }\n}\n\nexport function checkForConfigErrors(envGraph: EnvGraph, opts?: {\n  showAll?: boolean\n}) {\n  const failingItems = _.filter(_.values(envGraph.configSchema), (item) => item.validationState === 'error');\n\n  // TODO: use service.isValid?\n  if (failingItems.length > 0) {\n    console.log(`\\n🚨 🚨 🚨  ${ansis.bold.underline('Configuration is currently invalid ')}  🚨 🚨 🚨\\n`);\n    console.log('Invalid items:\\n');\n\n    _.each(failingItems, (item) => {\n      console.log(getItemSummary(item));\n      console.log();\n    });\n    if (opts?.showAll) {\n      console.log();\n      console.log(joinAndCompact([\n        'Valid items:',\n        ansis.italic.gray('(remove `--show-all` flag to hide)'),\n      ]));\n      console.log();\n      const validItems = _.filter(_.values(envGraph.configSchema), (i) => !!i.isValid);\n      _.each(validItems, (item) => {\n        console.log(getItemSummary(item));\n      });\n    }\n\n    throw new InvalidEnvError();\n  }\n}\n"]}

package/dist/chunk-OXV76U3Y.js

@@ -0,0 +1,39 @@
+import { debug } from './chunk-XHOJF7U7.js';
+import { varlockSettings, scanForLeaks } from './chunk-7QXRUUDC.js';
+import { __name } from './chunk-XN24GZXQ.js';
+
+// src/runtime/patch-response.ts
+function patchGlobalResponse() {
+  debug("\u26A1\uFE0F PATCHING global Response");
+  if (!globalThis.Response._patchedByVarlock) {
+    debug("> already patched");
+    return;
+  }
+  if (varlockSettings.preventLeaks === false) {
+    debug("> disabled by settings");
+    return;
+  }
+  const _UnpatchedResponse = globalThis.Response;
+  globalThis.Response = class VarlockPatchedResponse extends _UnpatchedResponse {
+    static {
+      __name(this, "VarlockPatchedResponse");
+    }
+    static _patchedByVarlock = true;
+    constructor(body, init) {
+      debug("\u26A1\uFE0F patched Response constructor");
+      super(scanForLeaks(body, { method: "patched Response constructor" }), init);
+    }
+    static json(data, init) {
+      debug("\u26A1\uFE0F patched Response.json");
+      scanForLeaks(JSON.stringify(data), { method: "patched Response.json" });
+      const r = _UnpatchedResponse.json(data, init);
+      Object.setPrototypeOf(r, Response.prototype);
+      return r;
+    }
+  };
+}
+__name(patchGlobalResponse, "patchGlobalResponse");
+
+export { patchGlobalResponse };
+//# sourceMappingURL=chunk-OXV76U3Y.js.map
+//# sourceMappingURL=chunk-OXV76U3Y.js.map

package/dist/chunk-OXV76U3Y.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/runtime/patch-response.ts"],"names":[],"mappings":";;;;;AAGO,SAAS,mBAAsB,GAAA;AACpC,EAAA,KAAA,CAAM,uCAA6B,CAAA;AACnC,EAAI,IAAA,CAAE,UAAW,CAAA,QAAA,CAAiB,iBAAmB,EAAA;AACnD,IAAA,KAAA,CAAM,mBAAmB,CAAA;AACzB,IAAA;AAAA;AAEF,EAAI,IAAA,eAAA,CAAgB,iBAAiB,KAAO,EAAA;AAC1C,IAAA,KAAA,CAAM,wBAAwB,CAAA;AAC9B,IAAA;AAAA;AAGF,EAAA,MAAM,qBAAqB,UAAW,CAAA,QAAA;AACtC,EAAW,UAAA,CAAA,QAAA,GAAW,MAAM,sBAAA,SAA+B,kBAAmB,CAAA;AAAA,IAfhF;AAegF,MAAA,MAAA,CAAA,IAAA,EAAA,wBAAA,CAAA;AAAA;AAAA,IAC5E,OAAO,iBAAoB,GAAA,IAAA;AAAA,IAC3B,WAAA,CAAY,MAAW,IAAW,EAAA;AAChC,MAAA,KAAA,CAAM,2CAAiC,CAAA;AACvC,MAAA,KAAA,CAAM,aAAa,IAAM,EAAA,EAAE,QAAQ,8BAA+B,EAAC,GAAU,IAAI,CAAA;AAAA;AACnF,IACA,OAAO,IAAK,CAAA,IAAA,EAAW,IAAW,EAAA;AAChC,MAAA,KAAA,CAAM,oCAA0B,CAAA;AAChC,MAAA,YAAA,CAAa,KAAK,SAAU,CAAA,IAAI,GAAG,EAAE,MAAA,EAAQ,yBAAyB,CAAA;AACtE,MAAA,MAAM,CAAI,GAAA,kBAAA,CAAmB,IAAK,CAAA,IAAA,EAAM,IAAI,CAAA;AAC5C,MAAO,MAAA,CAAA,cAAA,CAAe,CAAG,EAAA,QAAA,CAAS,SAAS,CAAA;AAC3C,MAAO,OAAA,CAAA;AAAA;AACT,GACF;AACF;AA1BgB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA","file":"chunk-OXV76U3Y.js","sourcesContent":["import { scanForLeaks, varlockSettings } from './env';\nimport { debug } from './lib/debug';\n\nexport function patchGlobalResponse() {\n  debug('⚡️ PATCHING global Response');\n  if (!(globalThis.Response as any)._patchedByVarlock) {\n    debug('> already patched');\n    return;\n  }\n  if (varlockSettings.preventLeaks === false) {\n    debug('> disabled by settings');\n    return;\n  }\n\n  const _UnpatchedResponse = globalThis.Response;\n  globalThis.Response = class VarlockPatchedResponse extends _UnpatchedResponse {\n    static _patchedByVarlock = true;\n    constructor(body: any, init: any) {\n      debug('⚡️ patched Response constructor');\n      super(scanForLeaks(body, { method: 'patched Response constructor' }) as any, init);\n    }\n    static json(data: any, init: any) {\n      debug('⚡️ patched Response.json');\n      scanForLeaks(JSON.stringify(data), { method: 'patched Response.json' });\n      const r = _UnpatchedResponse.json(data, init);\n      Object.setPrototypeOf(r, Response.prototype);\n      return r;\n    }\n  };\n}\n"]}

package/dist/chunk-Q5P7F3WA.js

@@ -0,0 +1,107 @@
+import { ansis_default } from './chunk-7UQXFWKN.js';
+import { my_dash_default, loadEnvGraph } from './chunk-TYL3Q4QG.js';
+import { redactString } from './chunk-FGMXIEFA.js';
+import { __name } from './chunk-XN24GZXQ.js';
+
+// src/lib/formatting.ts
+function applyMods(str, mods) {
+  if (!mods) return str;
+  if (my_dash_default.isArray(mods)) {
+    let modStr = str;
+    mods.forEach((mod) => {
+      modStr = ansis_default[mod](modStr);
+    });
+    return modStr;
+  }
+  return ansis_default[mods](str);
+}
+__name(applyMods, "applyMods");
+function formattedValue(val, showType = false) {
+  let strVal = "";
+  let strType = "";
+  let mods;
+  if (my_dash_default.isBoolean(val)) {
+    strVal = val.toString();
+    mods = ["yellow", "italic"];
+    strType = "boolean";
+  } else if (my_dash_default.isNumber(val)) {
+    strVal = val.toString();
+    mods = "yellow";
+    strType = "number";
+  } else if (my_dash_default.isString(val)) {
+    strVal = `"${val}"`;
+    strType = "string";
+  } else if (my_dash_default.isPlainObject(val)) {
+    strVal = JSON.stringify(val);
+    strType = "object";
+  } else if (val === null) {
+    strVal = "null";
+    mods = "gray";
+  } else if (val === void 0) {
+    strVal = "undefined";
+    mods = "gray";
+  }
+  return [
+    applyMods(strVal, mods),
+    showType && strType ? ansis_default.gray(` (${strType})`) : ""
+  ].join("");
+}
+__name(formattedValue, "formattedValue");
+function joinAndCompact(strings, joinChar = " ") {
+  return strings.filter((s) => (
+    // we'll not filter out empty strings - because it's useful to just add newlines
+    s !== void 0 && s !== null && s !== false
+  )).join(joinChar);
+}
+__name(joinAndCompact, "joinAndCompact");
+var VALIDATION_STATE_COLORS = {
+  error: "red",
+  warn: "yellow",
+  valid: "cyan"
+};
+function getItemSummary(item) {
+  const summary = [];
+  const itemErrors = item.errors;
+  const icon = itemErrors.length ? itemErrors[0].icon : "\u2705";
+  const isSensitive = item.isSensitive;
+  const isRequired = item.isRequired;
+  summary.push(joinAndCompact([
+    icon,
+    ansis_default[VALIDATION_STATE_COLORS[item.validationState]](item.key) + (isRequired ? ansis_default.magenta("*") : ""),
+    // ansis.gray(`[type = ${item.type.typeLabel}]`),
+    isSensitive && ` \u{1F510}${ansis_default.gray.italic("sensitive")}`
+    // item.useAt ? ansis.gray.italic(`(${item.useAt?.join(', ')})`) : undefined,
+  ]));
+  let valAsStr = formattedValue(item.resolvedValue, false);
+  if (isSensitive && item.resolvedValue && my_dash_default.isString(item.resolvedValue)) {
+    valAsStr = redactString(item.resolvedValue);
+  }
+  summary.push(joinAndCompact([
+    ansis_default.gray("   \u2514"),
+    valAsStr,
+    item.isCoerced && ansis_default.gray.italic("< coerced from ") + (isSensitive ? formattedValue(item.resolvedRawValue) : formattedValue(item.resolvedRawValue, false))
+  ]));
+  itemErrors?.forEach((err) => {
+    summary.push(ansis_default[err.isWarning ? "yellow" : "red"](`   - ${err.isWarning ? "[WARNING] " : ""}${err.message}`));
+    if (err.tip) {
+      summary.push(...err.tip.split("\n").map((line) => `     ${line}`));
+    }
+  });
+  return summary.join("\n");
+}
+__name(getItemSummary, "getItemSummary");
+
+// src/lib/load-graph.ts
+async function loadVarlockEnvGraph(opts) {
+  const envGraph = await loadEnvGraph({
+    ...opts,
+    afterInit: /* @__PURE__ */ __name(async (g) => {
+    }, "afterInit")
+  });
+  return envGraph;
+}
+__name(loadVarlockEnvGraph, "loadVarlockEnvGraph");
+
+export { getItemSummary, joinAndCompact, loadVarlockEnvGraph };
+//# sourceMappingURL=chunk-Q5P7F3WA.js.map
+//# sourceMappingURL=chunk-Q5P7F3WA.js.map

package/dist/chunk-Q5P7F3WA.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/lib/formatting.ts","../src/lib/load-graph.ts"],"names":[],"mappings":";;;;;;AAUA,SAAS,SAAA,CAAU,KAAa,IAAkB,EAAA;AAChD,EAAI,IAAA,CAAC,MAAa,OAAA,GAAA;AAClB,EAAI,IAAA,eAAA,CAAE,OAAQ,CAAA,IAAI,CAAG,EAAA;AACnB,IAAA,IAAI,MAAS,GAAA,GAAA;AACb,IAAK,IAAA,CAAA,OAAA,CAAQ,CAAC,GAAQ,KAAA;AACpB,MAAS,MAAA,GAAA,aAAA,CAAM,GAAG,CAAA,CAAE,MAAM,CAAA;AAAA,KAC3B,CAAA;AACD,IAAO,OAAA,MAAA;AAAA;AAET,EAAO,OAAA,aAAA,CAAM,IAAI,CAAA,CAAE,GAAG,CAAA;AACxB;AAVS,MAAA,CAAA,SAAA,EAAA,WAAA,CAAA;AAYF,SAAS,cAAA,CAAe,GAAU,EAAA,QAAA,GAAW,KAAO,EAAA;AACzD,EAAA,IAAI,MAAiB,GAAA,EAAA;AACrB,EAAA,IAAI,OAAkB,GAAA,EAAA;AACtB,EAAI,IAAA,IAAA;AACJ,EAAI,IAAA,eAAA,CAAE,SAAU,CAAA,GAAG,CAAG,EAAA;AACpB,IAAA,MAAA,GAAS,IAAI,QAAS,EAAA;AACtB,IAAO,IAAA,GAAA,CAAC,UAAU,QAAQ,CAAA;AAC1B,IAAU,OAAA,GAAA,SAAA;AAAA,GACD,MAAA,IAAA,eAAA,CAAE,QAAS,CAAA,GAAG,CAAG,EAAA;AAC1B,IAAA,MAAA,GAAS,IAAI,QAAS,EAAA;AACtB,IAAO,IAAA,GAAA,QAAA;AACP,IAAU,OAAA,GAAA,QAAA;AAAA,GACD,MAAA,IAAA,eAAA,CAAE,QAAS,CAAA,GAAG,CAAG,EAAA;AAC1B,IAAA,MAAA,GAAS,IAAI,GAAG,CAAA,CAAA,CAAA;AAChB,IAAU,OAAA,GAAA,QAAA;AAAA,GACD,MAAA,IAAA,eAAA,CAAE,aAAc,CAAA,GAAG,CAAG,EAAA;AAE/B,IAAS,MAAA,GAAA,IAAA,CAAK,UAAU,GAAG,CAAA;AAC3B,IAAU,OAAA,GAAA,QAAA;AAAA,GACZ,MAAA,IAAW,QAAQ,IAAM,EAAA;AACvB,IAAS,MAAA,GAAA,MAAA;AACT,IAAO,IAAA,GAAA,MAAA;AAAA,GACT,MAAA,IAAW,QAAQ,MAAW,EAAA;AAC5B,IAAS,MAAA,GAAA,WAAA;AACT,IAAO,IAAA,GAAA,MAAA;AAAA;AAET,EAAO,OAAA;AAAA,IACL,SAAA,CAAU,QAAQ,IAAI,CAAA;AAAA,IACtB,YAAY,OAAU,GAAA,aAAA,CAAM,KAAK,CAAK,EAAA,EAAA,OAAO,GAAG,CAAI,GAAA;AAAA,GACtD,CAAE,KAAK,EAAE,CAAA;AACX;AA9BgB,MAAA,CAAA,cAAA,EAAA,gBAAA,CAAA;AAwDT,SAAS,cAAA,CAAe,OAAsE,EAAA,QAAA,GAAW,GAAK,EAAA;AACnH,EAAO,OAAA,OAAA,CAAQ,OAAO,CAAC,CAAA;AAAA;AAAA,IAErB,CAAM,KAAA,MAAA,IAAa,CAAM,KAAA,IAAA,IAAQ,CAAM,KAAA;AAAA,GACxC,CAAA,CAAE,KAAK,QAAQ,CAAA;AAClB;AALgB,MAAA,CAAA,cAAA,EAAA,gBAAA,CAAA;AAOhB,IAAM,uBAA0B,GAAA;AAAA,EAC9B,KAAO,EAAA,KAAA;AAAA,EACP,IAAM,EAAA,QAAA;AAAA,EACN,KAAO,EAAA;AACT,CAAA;AAEO,SAAS,eAAe,IAAkB,EAAA;AAC/C,EAAA,MAAM,UAAyB,EAAC;AAChC,EAAA,MAAM,aAAa,IAAK,CAAA,MAAA;AACxB,EAAA,MAAM,OAAO,UAAW,CAAA,MAAA,GAAS,UAAW,CAAA,CAAC,EAAE,IAAO,GAAA,QAAA;AACtD,EAAA,MAAM,cAAc,IAAK,CAAA,WAAA;AACzB,EAAA,MAAM,aAAa,IAAK,CAAA,UAAA;AACxB,EAAA,OAAA,CAAQ,KAAK,cAAe,CAAA;AAAA,IAC1B,IAAA;AAAA,IACA,aAAM,CAAA,uBAAA,CAAwB,IAAK,CAAA,eAAe,CAAC,CAAA,CAAE,IAAK,CAAA,GAAG,CAAK,IAAA,UAAA,GAAa,aAAM,CAAA,OAAA,CAAQ,GAAG,CAAI,GAAA,EAAA,CAAA;AAAA;AAAA,IAGpG,eAAe,CAAM,UAAA,EAAA,aAAA,CAAM,IAAK,CAAA,MAAA,CAAO,WAAW,CAAC,CAAA;AAAA;AAAA,GAGpD,CAAC,CAAA;AAEF,EAAA,IAAI,QAAW,GAAA,cAAA,CAAe,IAAK,CAAA,aAAA,EAAe,KAAK,CAAA;AACvD,EAAA,IAAI,eAAe,IAAK,CAAA,aAAA,IAAiB,gBAAE,QAAS,CAAA,IAAA,CAAK,aAAa,CAAG,EAAA;AACvE,IAAW,QAAA,GAAA,YAAA,CAAa,KAAK,aAAa,CAAA;AAAA;AAG5C,EAAA,OAAA,CAAQ,KAAK,cAAe,CAAA;AAAA,IAC1B,aAAA,CAAM,KAAK,WAAM,CAAA;AAAA,IACjB,QAAA;AAAA,IACA,IAAK,CAAA,SAAA,IACH,aAAM,CAAA,IAAA,CAAK,OAAO,iBAAiB,CAAA,IAChC,WAAc,GAAA,cAAA,CAAe,KAAK,gBAAgB,CAAA,GAAI,cAAe,CAAA,IAAA,CAAK,kBAAkB,KAAK,CAAA;AAAA,GAEvG,CAAC,CAAA;AAUF,EAAY,UAAA,EAAA,OAAA,CAAQ,CAAC,GAAQ,KAAA;AAC3B,IAAA,OAAA,CAAQ,KAAK,aAAM,CAAA,GAAA,CAAI,SAAY,GAAA,QAAA,GAAW,KAAK,CAAE,CAAA,CAAA,KAAA,EAAQ,GAAI,CAAA,SAAA,GAAY,eAAe,EAAE,CAAA,EAAG,GAAI,CAAA,OAAO,EAAE,CAAC,CAAA;AAK/G,IAAA,IAAI,IAAI,GAAK,EAAA;AACX,MAAA,OAAA,CAAQ,IAAK,CAAA,GAAG,GAAI,CAAA,GAAA,CAAI,KAAM,CAAA,IAAI,CAAE,CAAA,GAAA,CAAI,CAAC,IAAA,KAAS,CAAQ,KAAA,EAAA,IAAI,EAAE,CAAC,CAAA;AAAA;AACnE,GACD,CAAA;AAQD,EAAO,OAAA,OAAA,CAAQ,KAAK,IAAI,CAAA;AAC1B;AAxDgB,MAAA,CAAA,cAAA,EAAA,gBAAA,CAAA;;;ACzFhB,eAAsB,oBAAoB,IAEvC,EAAA;AACD,EAAM,MAAA,QAAA,GAAW,MAAM,YAAa,CAAA;AAAA,IAClC,GAAG,IAAA;AAAA,IACH,SAAA,gCAAkB,CAAM,KAAA;AAAA,KAAb,EAAA,WAAA;AAAA,GAGZ,CAAA;AAED,EAAO,OAAA,QAAA;AACT;AAXsB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA","file":"chunk-Q5P7F3WA.js","sourcesContent":["import ansis, { AnsiColors, AnsiStyles } from 'ansis';\nimport _ from '@env-spec/utils/my-dash';\n\nimport { ConfigItem } from '../../../env-graph/src/lib/config-item';\nimport { VarlockError } from '../../../env-graph/src/lib/errors';\nimport { redactString } from '../runtime/lib/redaction';\n\ntype ColorMod = AnsiStyles | AnsiColors;\ntype ColorMods = ColorMod | Array<ColorMod>;\n\nfunction applyMods(str: string, mods?: ColorMods) {\n  if (!mods) return str;\n  if (_.isArray(mods)) {\n    let modStr = str;\n    mods.forEach((mod) => {\n      modStr = ansis[mod](modStr);\n    });\n    return modStr;\n  }\n  return ansis[mods](str);\n}\n\nexport function formattedValue(val: any, showType = false) {\n  let strVal: string = '';\n  let strType: string = '';\n  let mods: ColorMods | undefined;\n  if (_.isBoolean(val)) {\n    strVal = val.toString();\n    mods = ['yellow', 'italic'];\n    strType = 'boolean';\n  } else if (_.isNumber(val)) {\n    strVal = val.toString();\n    mods = 'yellow';\n    strType = 'number';\n  } else if (_.isString(val)) {\n    strVal = `\"${val}\"`;\n    strType = 'string';\n  } else if (_.isPlainObject(val)) {\n    // TODO: can definitely make this better...\n    strVal = JSON.stringify(val);\n    strType = 'object';\n  } else if (val === null) {\n    strVal = 'null';\n    mods = 'gray';\n  } else if (val === undefined) {\n    strVal = 'undefined';\n    mods = 'gray';\n  }\n  return [\n    applyMods(strVal, mods),\n    showType && strType ? ansis.gray(` (${strType})`) : '',\n  ].join('');\n}\n\n\nexport function formatError(err: VarlockError) {\n  let whenStr = '';\n  if (err.type === 'SchemaError') {\n    whenStr += 'during schema initialization';\n  }\n  if (err.type === 'ValidationError') {\n    whenStr += 'during validation';\n  }\n  if (err.type === 'CoercionError') {\n    whenStr += 'during coercion';\n  }\n  if (err.type === 'ResolutionError') {\n    whenStr += 'during resolution';\n  }\n\n  let errStr = `${err.icon} ${err.message}`;\n  if (err.isUnexpected) {\n    errStr += ansis.gray.italic(`\\n   (unexpected error${whenStr ? ` ${whenStr}` : ''})`);\n    if ('stack' in err) errStr += err.stack;\n  }\n  return errStr;\n}\n\nexport function joinAndCompact(strings: Array<string | number | boolean | undefined | null | false>, joinChar = ' ') {\n  return strings.filter((s) => (\n    // we'll not filter out empty strings - because it's useful to just add newlines\n    s !== undefined && s !== null && s !== false\n  )).join(joinChar);\n}\n\nconst VALIDATION_STATE_COLORS = {\n  error: 'red',\n  warn: 'yellow',\n  valid: 'cyan',\n} as const;\n\nexport function getItemSummary(item: ConfigItem) {\n  const summary: Array<string> = [];\n  const itemErrors = item.errors;\n  const icon = itemErrors.length ? itemErrors[0].icon : '✅';\n  const isSensitive = item.isSensitive;\n  const isRequired = item.isRequired;\n  summary.push(joinAndCompact([\n    icon,\n    ansis[VALIDATION_STATE_COLORS[item.validationState]](item.key) + (isRequired ? ansis.magenta('*') : ''),\n\n    // ansis.gray(`[type = ${item.type.typeLabel}]`),\n    isSensitive && ` 🔐${ansis.gray.italic('sensitive')}`,\n\n    // item.useAt ? ansis.gray.italic(`(${item.useAt?.join(', ')})`) : undefined,\n  ]));\n\n  let valAsStr = formattedValue(item.resolvedValue, false);\n  if (isSensitive && item.resolvedValue && _.isString(item.resolvedValue)) {\n    valAsStr = redactString(item.resolvedValue)!;\n  }\n\n  summary.push(joinAndCompact([\n    ansis.gray('   └'),\n    valAsStr,\n    item.isCoerced && (\n      ansis.gray.italic('< coerced from ')\n      + (isSensitive ? formattedValue(item.resolvedRawValue) : formattedValue(item.resolvedRawValue, false))\n    ),\n  ]));\n\n  // if (item.overrides?.length) {\n  //   const activeOverride = item.overrides[0];\n  //   let overrideNote = ansis.gray.italic('value set via override: ');\n  //   overrideNote += ansis.gray(activeOverride.sourceType);\n  //   if (activeOverride.sourceLabel) overrideNote += ansis.gray(` - ${activeOverride.sourceLabel}`);\n  //   summary.push(`      ${overrideNote}`);\n  // }\n\n  itemErrors?.forEach((err) => {\n    summary.push(ansis[err.isWarning ? 'yellow' : 'red'](`   - ${err.isWarning ? '[WARNING] ' : ''}${err.message}`));\n\n    // TODO: standardize here how we show parse error locations and stack info?\n\n    // summary.push(...err.cleanedStack || '');\n    if (err.tip) {\n      summary.push(...err.tip.split('\\n').map((line) => `     ${line}`));\n    }\n  });\n\n  // NO OBJECT/CHILDREN FOR NOW\n  // for (const childItem of _.values(item.children)) {\n  //   const childSummary = getItemSummary(childItem);\n  //   summary.push(childSummary.split('\\n').map((l) => `  ${l}`).join('\\n'));\n  // }\n\n  return summary.join('\\n');\n}\n","import { loadEnvGraph } from '@env-spec/env-graph';\n\nexport async function loadVarlockEnvGraph(opts?: {\n  currentEnvFallback?: string,\n}) {\n  const envGraph = await loadEnvGraph({\n    ...opts,\n    afterInit: async (g) => {\n      // TODO: register varlock resolver\n    },\n  });\n\n  return envGraph;\n}\n"]}

package/dist/chunk-RF3YMFUX.js

@@ -0,0 +1,93 @@
+import { debug } from './chunk-XHOJF7U7.js';
+import { varlockSettings, scanForLeaks, redactSensitiveConfig } from './chunk-7QXRUUDC.js';
+import { __name } from './chunk-XN24GZXQ.js';
+import zlib from 'node:zlib';
+import { ServerResponse } from 'node:http';
+
+var patchedKey = "_patchedByVarlock";
+function patchGlobalServerResponse(opts) {
+  debug("\u26A1\uFE0F PATCHING global ServerResponse");
+  if (Object.getOwnPropertyDescriptor(ServerResponse.prototype, patchedKey)) {
+    debug("> already patched");
+    return;
+  }
+  if (varlockSettings.preventLeaks === false) {
+    debug("> disabled by settings");
+    return;
+  }
+  Object.defineProperty(ServerResponse.prototype, patchedKey, { value: true });
+  const serverResponseWrite = ServerResponse.prototype.write;
+  ServerResponse.prototype.write = /* @__PURE__ */ __name(function varlockPatchedServerResponseWrite(...args) {
+    const rawChunk = args[0];
+    const contentType = this.getHeader("content-type")?.toString() || "";
+    let runScan = contentType.startsWith("text/") || contentType.startsWith("application/json");
+    const reqUrl = this.req.url;
+    if (runScan && reqUrl && opts?.ignoreUrlPatterns?.some((pattern) => pattern.test(reqUrl))) {
+      runScan = false;
+    }
+    if (!runScan) {
+      return serverResponseWrite.apply(this, args);
+    }
+    const compressionType = this.getHeader("Content-Encoding");
+    let chunkStr;
+    let chunkType = null;
+    if (typeof rawChunk === "string") {
+      chunkType = "string";
+      chunkStr = rawChunk;
+    } else if (!compressionType) {
+      chunkType = "encoded";
+      const decoder = new TextDecoder();
+      chunkStr = decoder.decode(rawChunk);
+    } else if (compressionType === "gzip") {
+      chunkType = "gzip";
+      if (!this._zlibChunks) {
+        this._zlibChunks = [rawChunk];
+      } else {
+        this._zlibChunks?.push(rawChunk);
+        try {
+          const unzippedChunk = zlib.unzipSync(Buffer.concat(this._zlibChunks || []), {
+            flush: zlib.constants.Z_SYNC_FLUSH,
+            finishFlush: zlib.constants.Z_SYNC_FLUSH
+          });
+          const fullUnzippedData = unzippedChunk.toString("utf-8");
+          chunkStr = fullUnzippedData.substring(this._lastChunkEndIndex || 0);
+          this._lastChunkEndIndex = fullUnzippedData.length;
+        } catch (err) {
+        }
+      }
+    }
+    if (chunkStr) {
+      try {
+        scanForLeaks(chunkStr, { method: "patched ServerResponse.write", file: this.req.url });
+      } catch (err) {
+        if (opts?.redactInsteadOfThrow) {
+          chunkStr = redactSensitiveConfig(chunkStr);
+          if (chunkType === "string") {
+            args[0] = chunkStr;
+          } else if (chunkType === "encoded") {
+            const encoder = new TextEncoder();
+            args[0] = encoder.encode(chunkStr);
+          } else if (chunkType === "gzip") ; else {
+            throw new Error(`unable to scrub - unknown chunk type ${chunkType}`);
+          }
+        } else {
+          throw err;
+        }
+      }
+    }
+    return serverResponseWrite.apply(this, args);
+  }, "varlockPatchedServerResponseWrite");
+  const serverResponseEnd = ServerResponse.prototype.end;
+  ServerResponse.prototype.end = /* @__PURE__ */ __name(function patchedServerResponseEnd(...args) {
+    const endChunk = args[0];
+    if (endChunk && typeof endChunk === "string") {
+      scanForLeaks(endChunk, { method: "patched ServerResponse.end" });
+    }
+    return serverResponseEnd.apply(this, args);
+  }, "patchedServerResponseEnd");
+}
+__name(patchGlobalServerResponse, "patchGlobalServerResponse");
+
+export { patchGlobalServerResponse };
+//# sourceMappingURL=chunk-RF3YMFUX.js.map
+//# sourceMappingURL=chunk-RF3YMFUX.js.map

package/dist/chunk-RF3YMFUX.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/runtime/patch-server-response.ts"],"names":[],"mappings":";;;;;;AAUA,IAAM,UAAa,GAAA,mBAAA;AACZ,SAAS,0BAA0B,IAGvC,EAAA;AACD,EAAA,KAAA,CAAM,6CAAmC,CAAA;AACzC,EAAA,IAAI,MAAO,CAAA,wBAAA,CAAyB,cAAe,CAAA,SAAA,EAAW,UAAU,CAAG,EAAA;AACzE,IAAA,KAAA,CAAM,mBAAmB,CAAA;AACzB,IAAA;AAAA;AAEF,EAAI,IAAA,eAAA,CAAgB,iBAAiB,KAAO,EAAA;AAC1C,IAAA,KAAA,CAAM,wBAAwB,CAAA;AAC9B,IAAA;AAAA;AAGF,EAAA,MAAA,CAAO,eAAe,cAAe,CAAA,SAAA,EAAW,YAAY,EAAE,KAAA,EAAO,MAAM,CAAA;AAE3E,EAAM,MAAA,mBAAA,GAAsB,eAAe,SAAU,CAAA,KAAA;AAGrD,EAAA,cAAA,CAAe,SAAU,CAAA,KAAA,mBAAiB,MAAA,CAAA,SAAA,iCAAA,CAAA,GAAqC,IAAM,EAAA;AAInF,IAAM,MAAA,QAAA,GAAW,KAAK,CAAC,CAAA;AAIvB,IAAA,MAAM,cAAc,IAAK,CAAA,SAAA,CAAU,cAAc,CAAA,EAAG,UAAc,IAAA,EAAA;AAElE,IAAA,IAAI,UACF,WAAY,CAAA,UAAA,CAAW,OAAO,CAC3B,IAAA,WAAA,CAAY,WAAW,kBAAkB,CAAA;AAI9C,IAAM,MAAA,MAAA,GAAU,KAAa,GAAI,CAAA,GAAA;AAEjC,IAAI,IAAA,OAAA,IAAW,MAAU,IAAA,IAAA,EAAM,iBAAmB,EAAA,IAAA,CAAK,CAAC,OAAA,KAAY,OAAQ,CAAA,IAAA,CAAK,MAAM,CAAC,CAAG,EAAA;AACzF,MAAU,OAAA,GAAA,KAAA;AAAA;AAKZ,IAAA,IAAI,CAAC,OAAS,EAAA;AAEZ,MAAO,OAAA,mBAAA,CAAoB,KAAM,CAAA,IAAA,EAAM,IAAI,CAAA;AAAA;AAI7C,IAAM,MAAA,eAAA,GAAkB,IAAK,CAAA,SAAA,CAAU,kBAAkB,CAAA;AACzD,IAAI,IAAA,QAAA;AACJ,IAAA,IAAI,SAAkD,GAAA,IAAA;AACtD,IAAI,IAAA,OAAO,aAAa,QAAU,EAAA;AAChC,MAAY,SAAA,GAAA,QAAA;AACZ,MAAW,QAAA,GAAA,QAAA;AAAA,KACb,MAAA,IAAW,CAAC,eAAiB,EAAA;AAC3B,MAAY,SAAA,GAAA,SAAA;AACZ,MAAM,MAAA,OAAA,GAAU,IAAI,WAAY,EAAA;AAChC,MAAW,QAAA,GAAA,OAAA,CAAQ,OAAO,QAAQ,CAAA;AAAA,KACpC,MAAA,IAAW,oBAAoB,MAAQ,EAAA;AACrC,MAAY,SAAA,GAAA,MAAA;AAEZ,MAAI,IAAA,CAAE,KAAa,WAAa,EAAA;AAE9B,QAAC,IAAA,CAAa,WAAc,GAAA,CAAC,QAAQ,CAAA;AAAA,OAChC,MAAA;AAEL,QAAC,IAAA,CAAa,WAAa,EAAA,IAAA,CAAK,QAAQ,CAAA;AACxC,QAAI,IAAA;AACF,UAAM,MAAA,aAAA,GAAgB,KAAK,SAAU,CAAA,MAAA,CAAO,OAAQ,IAAa,CAAA,WAAA,IAAe,EAAE,CAAG,EAAA;AAAA,YACnF,KAAA,EAAO,KAAK,SAAU,CAAA,YAAA;AAAA,YACtB,WAAA,EAAa,KAAK,SAAU,CAAA;AAAA,WAC7B,CAAA;AACD,UAAM,MAAA,gBAAA,GAAmB,aAAc,CAAA,QAAA,CAAS,OAAO,CAAA;AACvD,UAAA,QAAA,GAAW,gBAAiB,CAAA,SAAA,CAAW,IAAa,CAAA,kBAAA,IAAsB,CAAC,CAAA;AAC3E,UAAC,IAAA,CAAa,qBAAqB,gBAAiB,CAAA,MAAA;AAAA,iBAC7C,GAAK,EAAA;AAAA;AAEd;AACF;AAGF,IAAA,IAAI,QAAU,EAAA;AAIZ,MAAI,IAAA;AACF,QAAa,YAAA,CAAA,QAAA,EAAU,EAAE,MAAQ,EAAA,8BAAA,EAAgC,MAAO,IAAa,CAAA,GAAA,CAAI,KAAK,CAAA;AAAA,eACvF,GAAK,EAAA;AAGZ,QAAA,IAAI,MAAM,oBAAsB,EAAA;AAC9B,UAAA,QAAA,GAAW,sBAAsB,QAAQ,CAAA;AACzC,UAAA,IAAI,cAAc,QAAU,EAAA;AAC1B,YAAA,IAAA,CAAK,CAAC,CAAI,GAAA,QAAA;AAAA,WACZ,MAAA,IAAW,cAAc,SAAW,EAAA;AAClC,YAAM,MAAA,OAAA,GAAU,IAAI,WAAY,EAAA;AAChC,YAAA,IAAA,CAAK,CAAC,CAAA,GAAI,OAAQ,CAAA,MAAA,CAAO,QAAQ,CAAA;AAAA,WACnC,MAAA,IAAW,cAAc,MAAQ,EAAA,CAQ1B,MAAA;AACL,YAAA,MAAM,IAAI,KAAA,CAAM,CAAwC,qCAAA,EAAA,SAAS,CAAE,CAAA,CAAA;AAAA;AACrE,SACK,MAAA;AACL,UAAM,MAAA,GAAA;AAAA;AACR;AACF;AAIF,IAAO,OAAA,mBAAA,CAAoB,KAAM,CAAA,IAAA,EAAM,IAAI,CAAA;AAAA,GAjGZ,EAAA,mCAAA,CAAA;AAsGjC,EAAM,MAAA,iBAAA,GAAoB,eAAe,SAAU,CAAA,GAAA;AAEnD,EAAA,cAAA,CAAe,SAAU,CAAA,GAAA,mBAAe,MAAA,CAAA,SAAA,wBAAA,CAAA,GAA4B,IAAM,EAAA;AAExE,IAAM,MAAA,QAAA,GAAW,KAAK,CAAC,CAAA;AAGvB,IAAI,IAAA,QAAA,IAAY,OAAO,QAAA,KAAa,QAAU,EAAA;AAE5C,MAAA,YAAA,CAAa,QAAU,EAAA,EAAE,MAAQ,EAAA,4BAAA,EAA8B,CAAA;AAAA;AAGjE,IAAO,OAAA,iBAAA,CAAkB,KAAM,CAAA,IAAA,EAAM,IAAI,CAAA;AAAA,GAVZ,EAAA,0BAAA,CAAA;AAYjC;AAvIgB,MAAA,CAAA,yBAAA,EAAA,2BAAA,CAAA","file":"chunk-RF3YMFUX.js","sourcesContent":["/*\n  This patches the global ServerResponse object to scan for secret leaks - currently used for next.js and remix\n*/\n\nimport zlib from 'node:zlib';\nimport { ServerResponse } from 'node:http';\nimport { redactSensitiveConfig, scanForLeaks, varlockSettings } from './env';\nimport { debug } from './lib/debug';\n\n// NOTE - previously was using a symbol but got weird because of multiple builds and contexts...\nconst patchedKey = '_patchedByVarlock';\nexport function patchGlobalServerResponse(opts?: {\n  ignoreUrlPatterns?: Array<RegExp>,\n  redactInsteadOfThrow?: boolean,\n}) {\n  debug('⚡️ PATCHING global ServerResponse');\n  if (Object.getOwnPropertyDescriptor(ServerResponse.prototype, patchedKey)) {\n    debug('> already patched');\n    return;\n  }\n  if (varlockSettings.preventLeaks === false) {\n    debug('> disabled by settings');\n    return;\n  }\n\n  Object.defineProperty(ServerResponse.prototype, patchedKey, { value: true });\n\n  const serverResponseWrite = ServerResponse.prototype.write;\n\n  // @ts-ignore\n  ServerResponse.prototype.write = function varlockPatchedServerResponseWrite(...args) {\n    // console.log('⚡️ patched ServerResponse.write');\n    // TODO: do we want to filter out some requests here? maybe based on the file type?\n\n    const rawChunk = args[0];\n\n    // for now, we only scan rendered html... may need to change this though for server components?\n    // so we bail if it looks like this response does not contain html\n    const contentType = this.getHeader('content-type')?.toString() || '';\n    // console.log('patched ServerResponse.write', contentType);\n    let runScan = (\n      contentType.startsWith('text/')\n      || contentType.startsWith('application/json')\n      // || contentType.startsWith('application/javascript')\n    );\n\n    const reqUrl = (this as any).req.url;\n    // console.log('> scan ServerResponse.write', contentType, reqUrl);\n    if (runScan && reqUrl && opts?.ignoreUrlPatterns?.some((pattern) => pattern.test(reqUrl))) {\n      runScan = false;\n    }\n\n    // we want to run the scanner on text/html and text/x-component (server actions)\n    // TODO: anything else?\n    if (!runScan) {\n      // @ts-ignore\n      return serverResponseWrite.apply(this, args);\n    }\n\n    // have to deal with compressed data, which is awkward but possible\n    const compressionType = this.getHeader('Content-Encoding');\n    let chunkStr;\n    let chunkType: 'string' | 'encoded' | 'gzip' | null = null;\n    if (typeof rawChunk === 'string') {\n      chunkType = 'string';\n      chunkStr = rawChunk;\n    } else if (!compressionType) {\n      chunkType = 'encoded';\n      const decoder = new TextDecoder();\n      chunkStr = decoder.decode(rawChunk);\n    } else if (compressionType === 'gzip') {\n      chunkType = 'gzip';\n      // first chunk of data contains only compression headers\n      if (!(this as any)._zlibChunks) {\n        // (this as any)._zlibHeadersChunk = rawChunk;\n        (this as any)._zlibChunks = [rawChunk];\n      } else {\n        // TODO: figure out how we can unzip one chunk at a time instead of storing everything\n        (this as any)._zlibChunks?.push(rawChunk);\n        try {\n          const unzippedChunk = zlib.unzipSync(Buffer.concat((this as any)._zlibChunks || []), {\n            flush: zlib.constants.Z_SYNC_FLUSH,\n            finishFlush: zlib.constants.Z_SYNC_FLUSH,\n          });\n          const fullUnzippedData = unzippedChunk.toString('utf-8');\n          chunkStr = fullUnzippedData.substring((this as any)._lastChunkEndIndex || 0);\n          (this as any)._lastChunkEndIndex = fullUnzippedData.length;\n        } catch (err) {\n          // console.log('error unzipping chunk', err);\n        }\n      }\n    }\n    // TODO: we may want to support other compression schemes? but currently only used in nextjs which is using gzip\n    if (chunkStr) {\n      // console.log('scanning!', chunkStr.substring(0, 1000));\n\n\n      try {\n        scanForLeaks(chunkStr, { method: 'patched ServerResponse.write', file: (this as any).req.url });\n      } catch (err) {\n        // console.log('found secret in chunk', chunkType, chunkStr);\n        // console.log(this)\n        if (opts?.redactInsteadOfThrow) {\n          chunkStr = redactSensitiveConfig(chunkStr);\n          if (chunkType === 'string') {\n            args[0] = chunkStr;\n          } else if (chunkType === 'encoded') {\n            const encoder = new TextEncoder();\n            args[0] = encoder.encode(chunkStr);\n          } else if (chunkType === 'gzip') {\n            // currently unable to scrub gzip chunks\n            // this works sometimes, but othertimes causes decoding error\n            // we'll need to pass through chunks from a new gzip stream, because we don't have access to the underlying one\n            // args[0] = zlib.gzipSync(chunkStr, {\n            //   flush: zlib.constants.Z_SYNC_FLUSH,\n            //   finishFlush: zlib.constants.Z_SYNC_FLUSH,\n            // });\n          } else {\n            throw new Error(`unable to scrub - unknown chunk type ${chunkType}`);\n          }\n        } else {\n          throw err;\n        }\n      }\n    }\n\n    // @ts-ignore\n    return serverResponseWrite.apply(this, args);\n  };\n\n\n  // calling `res.json()` in the api routes on pages router calls `res.end` without called `res.write`\n  const serverResponseEnd = ServerResponse.prototype.end;\n  // @ts-ignore\n  ServerResponse.prototype.end = function patchedServerResponseEnd(...args) {\n    // console.log('⚡️ patched ServerResponse.end');\n    const endChunk = args[0];\n    // console.log('patched ServerResponse.end', endChunk);\n    // this just needs to work (so far) for nextjs sending json bodies, so does not need to handle all cases...\n    if (endChunk && typeof endChunk === 'string') {\n      // TODO: currently this throws the error and then things just hang... do we want to try to return an error type response instead?\n      scanForLeaks(endChunk, { method: 'patched ServerResponse.end' });\n    }\n    // @ts-ignore\n    return serverResponseEnd.apply(this, args);\n  };\n}\n\n// ---\n// patchGlobalServerResponse();\n"]}

package/dist/{chunk-XCFZJA7V.js → chunk-RPLDMNWT.js}

@@ -1,5 +1,5 @@
 import { define } from './chunk-33ROL4J5.js';
-import { loadEnvGraph } from './chunk-G4BD2BPH.js';
+import { loadEnvGraph } from './chunk-TYL3Q4QG.js';
 import { __name } from './chunk-XN24GZXQ.js';
 
 // src/cli/helpers/install-detection.ts
@@ -28,5 +28,5 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
 }, "commandFn");
 
 export { commandFn, commandSpec };
-//# sourceMappingURL=chunk-XCFZJA7V.js.map
-//# sourceMappingURL=chunk-XCFZJA7V.js.map
+//# sourceMappingURL=chunk-RPLDMNWT.js.map
+//# sourceMappingURL=chunk-RPLDMNWT.js.map

package/dist/{chunk-XCFZJA7V.js.map → chunk-RPLDMNWT.js.map}

@@ -1 +1 @@
-{"version":3,"sources":["../src/cli/helpers/install-detection.ts","../src/cli/commands/doctor.command.ts"],"names":[],"mappings":";;;;;AACO,SAAS,YAAe,GAAA;AAC7B,EAAI,IAAA;AACF,IAAO,OAAA,KAAA;AAAA,WACA,CAAG,EAAA;AACV,IAAO,OAAA,KAAA;AAAA;AAEX;AANgB,MAAA,CAAA,YAAA,EAAA,cAAA,CAAA;;;ACIT,IAAM,cAAc,MAAO,CAAA;AAAA,EAChC,IAAM,EAAA,QAAA;AAAA,EACN,WAAa,EAAA,4DAAA;AAAA,EACb,MAAM;AACR,CAAC;AAEY,IAAA,SAAA,iCAA6D,GAAQ,KAAA;AAChF,EAAA,OAAA,CAAQ,IAAI,EAAE,CAAA;AACd,EAAM,MAAA,OAAA,CAAQ,IAAI,yCAA6B,CAAA;AAE/C,EAAQ,OAAA,CAAA,GAAA,CAAI,cAAgB,EAAA,YAAA,EAAc,CAAA;AAE1C,EAAM,MAAA,QAAA,GAAW,MAAM,YAAa,EAAA;AACpC,EAAA,MAAM,SAAS,gBAAiB,EAAA;AAChC,EAAoB,SAAS,oBAAqB;AAIpD,CAZmE,EAAA,WAAA","file":"chunk-XCFZJA7V.js","sourcesContent":["\nexport function isBundledSEA() {\n  try {\n    return __VARLOCK_SEA_BUILD__;\n  } catch (e) {\n    return false;\n  }\n}\n","import { define } from 'gunshi';\nimport { loadEnvGraph } from '@env-spec/env-graph';\nimport { isBundledSEA } from '../helpers/install-detection';\nimport { TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\n\nexport const commandSpec = define({\n  name: 'doctor',\n  description: 'Debug and diagnose issues with your env file(s) and system',\n  args: {},\n});\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n  console.log('');\n  await console.log('🧙 Scanning for issues... ✨');\n\n  console.log('Bundled SEA?', isBundledSEA());\n\n  const envGraph = await loadEnvGraph();\n  await envGraph.resolveEnvValues();\n  const resolvedEnv = envGraph.getResolvedEnvObject();\n\n  // TODO: Mac app checks\n  // - installed, running, logged in, set up (keys exist), locked/unlocked state\n};\n\n"]}
+{"version":3,"sources":["../src/cli/helpers/install-detection.ts","../src/cli/commands/doctor.command.ts"],"names":[],"mappings":";;;;;AACO,SAAS,YAAe,GAAA;AAC7B,EAAI,IAAA;AACF,IAAO,OAAA,KAAA;AAAA,WACA,CAAG,EAAA;AACV,IAAO,OAAA,KAAA;AAAA;AAEX;AANgB,MAAA,CAAA,YAAA,EAAA,cAAA,CAAA;;;ACIT,IAAM,cAAc,MAAO,CAAA;AAAA,EAChC,IAAM,EAAA,QAAA;AAAA,EACN,WAAa,EAAA,4DAAA;AAAA,EACb,MAAM;AACR,CAAC;AAEY,IAAA,SAAA,iCAA6D,GAAQ,KAAA;AAChF,EAAA,OAAA,CAAQ,IAAI,EAAE,CAAA;AACd,EAAM,MAAA,OAAA,CAAQ,IAAI,yCAA6B,CAAA;AAE/C,EAAQ,OAAA,CAAA,GAAA,CAAI,cAAgB,EAAA,YAAA,EAAc,CAAA;AAE1C,EAAM,MAAA,QAAA,GAAW,MAAM,YAAa,EAAA;AACpC,EAAA,MAAM,SAAS,gBAAiB,EAAA;AAChC,EAAoB,SAAS,oBAAqB;AAIpD,CAZmE,EAAA,WAAA","file":"chunk-RPLDMNWT.js","sourcesContent":["\nexport function isBundledSEA() {\n  try {\n    return __VARLOCK_SEA_BUILD__;\n  } catch (e) {\n    return false;\n  }\n}\n","import { define } from 'gunshi';\nimport { loadEnvGraph } from '@env-spec/env-graph';\nimport { isBundledSEA } from '../helpers/install-detection';\nimport { TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\n\nexport const commandSpec = define({\n  name: 'doctor',\n  description: 'Debug and diagnose issues with your env file(s) and system',\n  args: {},\n});\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n  console.log('');\n  await console.log('🧙 Scanning for issues... ✨');\n\n  console.log('Bundled SEA?', isBundledSEA());\n\n  const envGraph = await loadEnvGraph();\n  await envGraph.resolveEnvValues();\n  const resolvedEnv = envGraph.getResolvedEnvObject();\n\n  // TODO: Mac app checks\n  // - installed, running, logged in, set up (keys exist), locked/unlocked state\n};\n\n"]}