varlock 0.2.3 → 0.3.0

package/dist/chunk-JDMZWNQA.js

@@ -0,0 +1,68 @@
+import { CliExitError } from './chunk-KKPD7AYU.js';
+import { define } from './chunk-4A54P4EM.js';
+import { checkForSchemaErrors } from './chunk-TLXFVH7P.js';
+import { loadVarlockEnvGraph } from './chunk-GEJNYKR4.js';
+import { gracefulExit } from './chunk-VQ5I7WMP.js';
+import { __name } from './chunk-6PEHRAEP.js';
+
+// src/cli/commands/printenv.command.ts
+var commandSpec = define({
+  name: "printenv",
+  description: "Print the resolved value of a single environment variable",
+  args: {
+    path: {
+      type: "string",
+      short: "p",
+      description: "Path to a specific .env file or directory (with trailing slash) to use as the entry point"
+    }
+  },
+  examples: `
+Prints the resolved value of a single environment variable.
+Useful within larger shell commands where you need a single env var value.
+
+Examples:
+  varlock printenv MY_VAR                    # Print the value of MY_VAR
+  varlock printenv --path .env.prod MY_VAR   # Use a specific .env file
+  varlock printenv --path ./config/ MY_VAR   # Use a specific directory
+
+\u{1F4CD} Note: Use sh -c to embed this in shell commands, e.g.:
+       sh -c 'do-something --token $(varlock printenv MY_TOKEN)'
+
+\u{1F4A1} Tip: Unlike \`varlock run -- echo $MY_VAR\`, this works because the shell
+       expansion happens after varlock has printed the value.
+  `.trim()
+});
+var commandFn = /* @__PURE__ */ __name(async (ctx) => {
+  const positionals = ctx.positionals ?? [];
+  if (!positionals.length) {
+    throw new CliExitError("Missing required argument: variable name", {
+      suggestion: "Run `varlock printenv MY_VAR` to print the value of MY_VAR"
+    });
+  }
+  const varName = positionals[0];
+  const envGraph = await loadVarlockEnvGraph({
+    entryFilePath: ctx.values.path
+  });
+  checkForSchemaErrors(envGraph);
+  if (!(varName in envGraph.configSchema)) {
+    throw new CliExitError(`Variable "${varName}" not found in schema`);
+  }
+  await envGraph.resolveItemWithDeps(varName);
+  const item = envGraph.configSchema[varName];
+  if (item.validationState === "error") {
+    for (const err of item.errors) {
+      console.error(`\u{1F6A8} ${err.message}`);
+    }
+    return gracefulExit(1);
+  }
+  const value = item.resolvedValue;
+  if (value === void 0 || value === null) {
+    console.log("");
+  } else {
+    console.log(String(value));
+  }
+}, "commandFn");
+
+export { commandFn, commandSpec };
+//# sourceMappingURL=chunk-JDMZWNQA.js.map
+//# sourceMappingURL=chunk-JDMZWNQA.js.map

package/dist/chunk-JDMZWNQA.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli/commands/printenv.command.ts"],"names":[],"mappings":";;;;;;;;AAQO,IAAM,cAAc,MAAA,CAAO;AAAA,EAChC,IAAA,EAAM,UAAA;AAAA,EACN,WAAA,EAAa,2DAAA;AAAA,EACb,IAAA,EAAM;AAAA,IACJ,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,GAAA;AAAA,MACP,WAAA,EAAa;AAAA;AACf,GACF;AAAA,EACA,QAAA,EAAU;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA,EAAA,CAAA,CAcR,IAAA;AACJ,CAAC;AAEM,IAAM,SAAA,iCAA6D,GAAA,KAAQ;AAChF,EAAA,MAAM,WAAA,GAAc,GAAA,CAAI,WAAA,IAAe,EAAC;AACxC,EAAA,IAAI,CAAC,YAAY,MAAA,EAAQ;AACvB,IAAA,MAAM,IAAI,aAAa,0CAAA,EAA4C;AAAA,MACjE,UAAA,EAAY;AAAA,KACb,CAAA;AAAA,EACH;AACA,EAAA,MAAM,OAAA,GAAU,YAAY,CAAC,CAAA;AAE7B,EAAA,MAAM,QAAA,GAAW,MAAM,mBAAA,CAAoB;AAAA,IACzC,aAAA,EAAe,IAAI,MAAA,CAAO;AAAA,GAC3B,CAAA;AACD,EAAA,oBAAA,CAAqB,QAAQ,CAAA;AAE7B,EAAA,IAAI,EAAE,OAAA,IAAW,QAAA,CAAS,YAAA,CAAA,EAAe;AACvC,IAAA,MAAM,IAAI,YAAA,CAAa,CAAA,UAAA,EAAa,OAAO,CAAA,qBAAA,CAAuB,CAAA;AAAA,EACpE;AAGA,EAAA,MAAM,QAAA,CAAS,oBAAoB,OAAO,CAAA;AAE1C,EAAA,MAAM,IAAA,GAAO,QAAA,CAAS,YAAA,CAAa,OAAO,CAAA;AAC1C,EAAA,IAAI,IAAA,CAAK,oBAAoB,OAAA,EAAS;AACpC,IAAA,KAAA,MAAW,GAAA,IAAO,KAAK,MAAA,EAAQ;AAC7B,MAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,UAAA,EAAM,GAAA,CAAI,OAAO,CAAA,CAAE,CAAA;AAAA,IACnC;AACA,IAAA,OAAO,aAAa,CAAC,CAAA;AAAA,EACvB;AAEA,EAAA,MAAM,QAAQ,IAAA,CAAK,aAAA;AACnB,EAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AACzC,IAAA,OAAA,CAAQ,IAAI,EAAE,CAAA;AAAA,EAChB,CAAA,MAAO;AACL,IAAA,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,EAC3B;AACF,CAAA,EAnCmE,WAAA","file":"chunk-JDMZWNQA.js","sourcesContent":["import { define } from 'gunshi';\nimport { gracefulExit } from 'exit-hook';\n\nimport { loadVarlockEnvGraph } from '../../lib/load-graph';\nimport { checkForSchemaErrors } from '../helpers/error-checks';\nimport { type TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\nimport { CliExitError } from '../helpers/exit-error';\n\nexport const commandSpec = define({\n  name: 'printenv',\n  description: 'Print the resolved value of a single environment variable',\n  args: {\n    path: {\n      type: 'string',\n      short: 'p',\n      description: 'Path to a specific .env file or directory (with trailing slash) to use as the entry point',\n    },\n  },\n  examples: `\nPrints the resolved value of a single environment variable.\nUseful within larger shell commands where you need a single env var value.\n\nExamples:\n  varlock printenv MY_VAR                    # Print the value of MY_VAR\n  varlock printenv --path .env.prod MY_VAR   # Use a specific .env file\n  varlock printenv --path ./config/ MY_VAR   # Use a specific directory\n\n📍 Note: Use sh -c to embed this in shell commands, e.g.:\n       sh -c 'do-something --token $(varlock printenv MY_TOKEN)'\n\n💡 Tip: Unlike \\`varlock run -- echo $MY_VAR\\`, this works because the shell\n       expansion happens after varlock has printed the value.\n  `.trim(),\n});\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n  const positionals = ctx.positionals ?? [];\n  if (!positionals.length) {\n    throw new CliExitError('Missing required argument: variable name', {\n      suggestion: 'Run `varlock printenv MY_VAR` to print the value of MY_VAR',\n    });\n  }\n  const varName = positionals[0];\n\n  const envGraph = await loadVarlockEnvGraph({\n    entryFilePath: ctx.values.path,\n  });\n  checkForSchemaErrors(envGraph);\n\n  if (!(varName in envGraph.configSchema)) {\n    throw new CliExitError(`Variable \"${varName}\" not found in schema`);\n  }\n\n  // Resolve only the requested item and its transitive dependencies\n  await envGraph.resolveItemWithDeps(varName);\n\n  const item = envGraph.configSchema[varName];\n  if (item.validationState === 'error') {\n    for (const err of item.errors) {\n      console.error(`🚨 ${err.message}`);\n    }\n    return gracefulExit(1);\n  }\n\n  const value = item.resolvedValue;\n  if (value === undefined || value === null) {\n    console.log('');\n  } else {\n    console.log(String(value));\n  }\n};\n"]}

package/dist/chunk-KKPD7AYU.js

@@ -0,0 +1,34 @@
+import { ansis_default, joinAndCompact } from './chunk-VQ5I7WMP.js';
+import { my_dash_default } from './chunk-WZW7QS6M.js';
+import { __name } from './chunk-6PEHRAEP.js';
+
+// src/cli/helpers/exit-error.ts
+var CliExitError = class extends Error {
+  constructor(message, more) {
+    super(message);
+    this.more = more;
+  }
+  static {
+    __name(this, "CliExitError");
+  }
+  get forceExit() {
+    return !!this.more?.forceExit;
+  }
+  getFormattedOutput() {
+    let msg = `
+\u{1F4A5} ${ansis_default.red(this.message)} \u{1F4A5}
+`;
+    if (this.more?.details) {
+      msg += joinAndCompact(my_dash_default.castArray(this.more?.details), "\n");
+    }
+    if (this.more?.suggestion) {
+      msg += joinAndCompact(my_dash_default.castArray(this.more?.suggestion), "\n");
+    }
+    msg += "\n";
+    return msg;
+  }
+};
+
+export { CliExitError };
+//# sourceMappingURL=chunk-KKPD7AYU.js.map
+//# sourceMappingURL=chunk-KKPD7AYU.js.map

package/dist/chunk-KKPD7AYU.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli/helpers/exit-error.ts"],"names":[],"mappings":";;;;;AAIO,IAAM,YAAA,GAAN,cAA2B,KAAA,CAAM;AAAA,EACtC,WAAA,CACE,SACQ,IAAA,EAMR;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAPL,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAAA,EAQV;AAAA,EAfF;AAIwC,IAAA,MAAA,CAAA,IAAA,EAAA,cAAA,CAAA;AAAA;AAAA,EAatC,IAAI,SAAA,GAAY;AAAE,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,IAAA,EAAM,SAAA;AAAA,EAAW;AAAA,EAEjD,kBAAA,GAAqB;AACnB,IAAA,IAAI,GAAA,GAAM;AAAA,UAAA,EAAQ,aAAA,CAAM,GAAA,CAAI,IAAA,CAAK,OAAO,CAAC,CAAA;AAAA,CAAA;AAEzC,IAAA,IAAI,IAAA,CAAK,MAAM,OAAA,EAAS;AACtB,MAAA,GAAA,IAAO,eAAe,eAAA,CAAE,SAAA,CAAU,KAAK,IAAA,EAAM,OAAO,GAAG,IAAI,CAAA;AAAA,IAC7D;AAEA,IAAA,IAAI,IAAA,CAAK,MAAM,UAAA,EAAY;AACzB,MAAA,GAAA,IAAO,eAAe,eAAA,CAAE,SAAA,CAAU,KAAK,IAAA,EAAM,UAAU,GAAG,IAAI,CAAA;AAAA,IAChE;AAEA,IAAA,GAAA,IAAO,IAAA;AACP,IAAA,OAAO,GAAA;AAAA,EACT;AACF","file":"chunk-KKPD7AYU.js","sourcesContent":["import ansis from 'ansis';\nimport _ from '@env-spec/utils/my-dash';\nimport { joinAndCompact } from '../../lib/formatting';\n\nexport class CliExitError extends Error {\n  constructor(\n    message: string,\n    private more?: {\n      details?: string | Array<string>,\n      suggestion?: string | Array<string>,\n      /** always triggers a full exit, even in watch mode - useful if problem is irrecoverable */\n      forceExit?: boolean,\n    },\n  ) {\n    super(message);\n  }\n\n  get forceExit() { return !!this.more?.forceExit; }\n\n  getFormattedOutput() {\n    let msg = `\\n💥 ${ansis.red(this.message)} 💥\\n`;\n\n    if (this.more?.details) {\n      msg += joinAndCompact(_.castArray(this.more?.details), '\\n');\n    }\n\n    if (this.more?.suggestion) {\n      msg += joinAndCompact(_.castArray(this.more?.suggestion), '\\n');\n    }\n\n    msg += '\\n';\n    return msg;\n  }\n}\n"]}

package/dist/{chunk-HTF7NU5C.js → chunk-LZ52O5WU.js}

@@ -1,6 +1,8 @@
-import { define } from './chunk-UDXNNRWI.js';
-import { loadVarlockEnvGraph, checkForSchemaErrors, checkForConfigErrors } from './chunk-ISSW6NKZ.js';
-import { my_dash_default, FileBasedDataSource, getItemSummary } from './chunk-OY5U5WTF.js';
+import { define } from './chunk-4A54P4EM.js';
+import { checkForSchemaErrors, checkForNoEnvFiles, checkForConfigErrors } from './chunk-TLXFVH7P.js';
+import { loadVarlockEnvGraph } from './chunk-GEJNYKR4.js';
+import { getItemSummary } from './chunk-VQ5I7WMP.js';
+import { my_dash_default, FileBasedDataSource } from './chunk-WZW7QS6M.js';
 import { __name } from './chunk-6PEHRAEP.js';
 import path from 'path';
 
@@ -30,7 +32,7 @@ var commandSpec = define({
     path: {
       type: "string",
       short: "p",
-      description: "Path to a specific .env file or directory (with trailing slash) to use as the entry point"
+      description: "Path to a specific .env file or directory to use as the entry point"
     }
   },
   examples: `
@@ -53,6 +55,7 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
     entryFilePath: ctx.values.path
   });
   checkForSchemaErrors(envGraph);
+  checkForNoEnvFiles(envGraph);
   if (!envGraph.rootDataSource) throw new Error("expected root data source to be set");
   await envGraph.resolveEnvValues();
   const generateTypesDecs = envGraph.getRootDecFns("generateTypes");
@@ -68,7 +71,7 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
   }
   checkForConfigErrors(envGraph, { showAll });
   if (format === "pretty") {
-    for (const itemKey in envGraph.configSchema) {
+    for (const itemKey of envGraph.sortedConfigKeys) {
       const item = envGraph.configSchema[itemKey];
       console.log(getItemSummary(item));
     }
@@ -101,5 +104,5 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
 }, "commandFn");
 
 export { commandFn, commandSpec };
-//# sourceMappingURL=chunk-HTF7NU5C.js.map
-//# sourceMappingURL=chunk-HTF7NU5C.js.map
+//# sourceMappingURL=chunk-LZ52O5WU.js.map
+//# sourceMappingURL=chunk-LZ52O5WU.js.map

package/dist/chunk-LZ52O5WU.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli/commands/load.command.ts"],"names":[],"mappings":";;;;;;;;AAUO,IAAM,cAAc,MAAA,CAAO;AAAA,EAChC,IAAA,EAAM,MAAA;AAAA,EACN,WAAA,EAAa,iDAAA;AAAA,EACb,IAAA,EAAM;AAAA,IACJ,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,GAAA;AAAA,MACP,OAAA,EAAS,CAAC,QAAA,EAAU,MAAA,EAAQ,OAAO,WAAW,CAAA;AAAA,MAC9C,WAAA,EAAa,kBAAA;AAAA,MACb,OAAA,EAAS;AAAA,KACX;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,SAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,GAAA,EAAK;AAAA,MACH,IAAA,EAAM,QAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,GAAA;AAAA,MACP,WAAA,EAAa;AAAA;AACf,GACF;AAAA,EACA,QAAA,EAAU;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA,CAWV,IAAA;AACF,CAAC;AAGM,IAAM,SAAA,iCAA6D,GAAA,KAAQ;AAChF,EAAA,MAAM,EAAE,MAAA,EAAQ,OAAA,EAAS,UAAA,EAAY,OAAA,KAAY,GAAA,CAAI,MAAA;AAErD,EAAA,MAAM,QAAA,GAAW,MAAM,mBAAA,CAAoB;AAAA,IACzC,kBAAA,EAAoB,IAAI,MAAA,CAAO,GAAA;AAAA,IAC/B,aAAA,EAAe,IAAI,MAAA,CAAO;AAAA,GAC3B,CAAA;AACD,EAAA,oBAAA,CAAqB,QAAQ,CAAA;AAC7B,EAAA,kBAAA,CAAmB,QAAQ,CAAA;AAE3B,EAAA,IAAI,CAAC,QAAA,CAAS,cAAA,EAAgB,MAAM,IAAI,MAAM,qCAAqC,CAAA;AAEnF,EAAA,MAAM,SAAS,gBAAA,EAAiB;AAIhC,EAAA,MAAM,iBAAA,GAAoB,QAAA,CAAS,aAAA,CAAc,eAAe,CAAA;AAChE,EAAA,KAAA,MAAW,oBAAoB,iBAAA,EAAmB;AAChD,IAAA,MAAM,eAAA,GAAkB,MAAM,gBAAA,CAAiB,OAAA,EAAQ;AAIvD,IAAA,IAAI,iBAAiB,UAAA,CAAW,QAAA,IAAY,CAAC,eAAA,CAAgB,IAAI,mBAAA,EAAqB;AAEtF,IAAA,IAAI,CAAC,eAAA,CAAgB,GAAA,CAAI,MAAM,MAAM,IAAI,MAAM,sCAAsC,CAAA;AACrF,IAAA,IAAI,eAAA,CAAgB,GAAA,CAAI,IAAA,KAAS,IAAA,EAAM,MAAM,IAAI,KAAA,CAAM,CAAA,uCAAA,EAA0C,eAAA,CAAgB,GAAA,CAAI,IAAI,CAAA,CAAE,CAAA;AAC3H,IAAA,IAAI,CAAC,eAAA,CAAgB,GAAA,CAAI,MAAM,MAAM,IAAI,MAAM,sCAAsC,CAAA;AACrF,IAAA,IAAI,CAAC,eAAA,CAAE,QAAA,CAAS,eAAA,CAAgB,GAAA,CAAI,IAAI,CAAA,EAAG,MAAM,IAAI,KAAA,CAAM,8CAA8C,CAAA;AAEzG,IAAA,MAAM,UAAA,GAAa,gBAAA,CAAiB,UAAA,YAAsB,mBAAA,GACtD,KAAK,OAAA,CAAQ,gBAAA,CAAiB,UAAA,CAAW,QAAA,EAAU,MAAM,eAAA,CAAgB,GAAA,CAAI,IAAI,CAAA,GACjF,gBAAgB,GAAA,CAAI,IAAA;AAExB,IAAA,MAAM,QAAA,CAAS,aAAA,CAAc,eAAA,CAAgB,GAAA,CAAI,MAAM,UAAU,CAAA;AAAA,EACnE;AAEA,EAAA,oBAAA,CAAqB,QAAA,EAAU,EAAE,OAAA,EAAS,CAAA;AAE1C,EAAA,IAAI,WAAW,QAAA,EAAU;AACvB,IAAA,KAAA,MAAW,OAAA,IAAW,SAAS,gBAAA,EAAkB;AAC/C,MAAA,MAAM,IAAA,GAAO,QAAA,CAAS,YAAA,CAAa,OAAO,CAAA;AAC1C,MAAA,OAAA,CAAQ,GAAA,CAAI,cAAA,CAAe,IAAI,CAAC,CAAA;AAAA,IAClC;AAAA,EACF,CAAA,MAAA,IAAW,WAAW,MAAA,EAAQ;AAC5B,IAAA,OAAA,CAAQ,GAAA,CAAI,KAAK,SAAA,CAAU,QAAA,CAAS,sBAAqB,EAAG,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,EACtE,CAAA,MAAA,IAAW,WAAW,WAAA,EAAa;AACjC,IAAA,MAAM,MAAA,GAAS,UAAU,CAAA,GAAI,CAAA;AAC7B,IAAA,OAAA,CAAQ,GAAA,CAAI,KAAK,SAAA,CAAU,QAAA,CAAS,oBAAmB,EAAG,IAAA,EAAM,MAAM,CAAC,CAAA;AAAA,EACzE,CAAA,MAAA,IAAW,WAAW,KAAA,EAAO;AAC3B,IAAA,MAAM,WAAA,GAAc,SAAS,oBAAA,EAAqB;AAClD,IAAA,MAAM,gBAAgB,OAAA,KAAY,IAAA;AAElC,IAAA,KAAA,MAAW,OAAO,WAAA,EAAa;AAC7B,MAAA,MAAM,KAAA,GAAQ,YAAY,GAAG,CAAA;AAE7B,MAAA,IAAI,KAAA,KAAU,UAAa,aAAA,EAAe;AACxC,QAAA;AAAA,MACF;AAEA,MAAA,IAAI,QAAA;AACJ,MAAA,IAAI,UAAU,MAAA,EAAW;AACvB,QAAA,QAAA,GAAW,EAAA;AAAA,MACb,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,QAAA,QAAA,GAAW,CAAA,CAAA,EAAI,MAAM,UAAA,CAAW,GAAA,EAAK,KAAK,CAAA,CAAE,UAAA,CAAW,IAAA,EAAM,KAAK,CAAC,CAAA,CAAA,CAAA;AAAA,MACrE,CAAA,MAAO;AACL,QAAA,QAAA,GAAW,IAAA,CAAK,UAAU,KAAK,CAAA;AAAA,MACjC;AACA,MAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,EAAG,GAAG,CAAA,CAAA,EAAI,QAAQ,CAAA,CAAE,CAAA;AAAA,IAClC;AAAA,EACF,CAAA,MAAO;AACL,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,gBAAA,EAAmB,MAAM,CAAA,CAAE,CAAA;AAAA,EAC7C;AAIF,CAAA,EA3EmE,WAAA","file":"chunk-LZ52O5WU.js","sourcesContent":["import { define } from 'gunshi';\nimport _ from '@env-spec/utils/my-dash';\n\nimport { loadVarlockEnvGraph } from '../../lib/load-graph';\nimport { getItemSummary } from '../../lib/formatting';\nimport { checkForConfigErrors, checkForNoEnvFiles, checkForSchemaErrors } from '../helpers/error-checks';\nimport { type TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\nimport path from 'node:path';\nimport { FileBasedDataSource } from '../../env-graph';\n\nexport const commandSpec = define({\n  name: 'load',\n  description: 'Load env according to schema and resolve values',\n  args: {\n    format: {\n      type: 'enum',\n      short: 'f',\n      choices: ['pretty', 'json', 'env', 'json-full'],\n      description: 'Format of output',\n      default: 'pretty',\n    },\n    compact: {\n      type: 'boolean',\n      description: 'Use compact format (for json-full: no indentation, for env: skip undefined values)',\n    },\n    'show-all': {\n      type: 'boolean',\n      description: 'When load is failing, show all items rather than only failing items',\n    },\n    env: {\n      type: 'string',\n      description: 'Set the environment (e.g., production, development, etc) - will be overridden by @currentEnv in the schema if present',\n    },\n    path: {\n      type: 'string',\n      short: 'p',\n      description: 'Path to a specific .env file or directory to use as the entry point',\n    },\n  },\n  examples: `\nLoads and validates environment variables according to your .env files, and prints the results.\nUseful for debugging locally, and in CI to print out a summary of env vars.\n\nExamples:\n  varlock load                    # Load and validate with pretty output\n  varlock load --format json      # Output in JSON format\n  varlock load --show-all         # Show all items when validation fails\n  varlock load --path .env.prod   # Load from a specific .env file\n  varlock looad --compact         # Use compact format - skips undefined values, no indentation for json-full\n  varlock load --env production   # Load for a specific environment (⚠️ ignored if using @currentEnv!)\n`.trim(),\n});\n\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n  const { format, compact, 'show-all': showAll } = ctx.values;\n\n  const envGraph = await loadVarlockEnvGraph({\n    currentEnvFallback: ctx.values.env,\n    entryFilePath: ctx.values.path,\n  });\n  checkForSchemaErrors(envGraph);\n  checkForNoEnvFiles(envGraph);\n\n  if (!envGraph.rootDataSource) throw new Error('expected root data source to be set');\n\n  await envGraph.resolveEnvValues();\n\n  // ideally we could be smarter about generating types without needing to resolve values\n  // but for now the decorators are all resolved as part of the general resolution process\n  const generateTypesDecs = envGraph.getRootDecFns('generateTypes');\n  for (const generateTypesDec of generateTypesDecs) {\n    const typeGenSettings = await generateTypesDec.resolve();\n\n    // we skip generating types if `@generateTypes` was not in the main file\n    // unless the `executeWhenImported` flag is set\n    if (generateTypesDec.dataSource.isImport && !typeGenSettings.obj.executeWhenImported) continue;\n\n    if (!typeGenSettings.obj.lang) throw new Error('@generateTypes - must set `lang` arg');\n    if (typeGenSettings.obj.lang !== 'ts') throw new Error(`@generateTypes - unsupported language: ${typeGenSettings.obj.lang}`);\n    if (!typeGenSettings.obj.path) throw new Error('@generateTypes - must set `path` arg');\n    if (!_.isString(typeGenSettings.obj.path)) throw new Error('@generateTypes - `path` arg must be a string');\n\n    const outputPath = generateTypesDec.dataSource instanceof FileBasedDataSource\n      ? path.resolve(generateTypesDec.dataSource.fullPath, '..', typeGenSettings.obj.path)\n      : typeGenSettings.obj.path;\n\n    await envGraph.generateTypes(typeGenSettings.obj.lang, outputPath);\n  }\n\n  checkForConfigErrors(envGraph, { showAll });\n\n  if (format === 'pretty') {\n    for (const itemKey of envGraph.sortedConfigKeys) {\n      const item = envGraph.configSchema[itemKey];\n      console.log(getItemSummary(item));\n    }\n  } else if (format === 'json') {\n    console.log(JSON.stringify(envGraph.getResolvedEnvObject(), null, 2));\n  } else if (format === 'json-full') {\n    const indent = compact ? 0 : 2;\n    console.log(JSON.stringify(envGraph.getSerializedGraph(), null, indent));\n  } else if (format === 'env') {\n    const resolvedEnv = envGraph.getResolvedEnvObject();\n    const skipUndefined = compact === true;\n\n    for (const key in resolvedEnv) {\n      const value = resolvedEnv[key];\n\n      if (value === undefined && skipUndefined) {\n        continue;\n      }\n\n      let strValue: string;\n      if (value === undefined) {\n        strValue = '';\n      } else if (typeof value === 'string') {\n        strValue = `\"${value.replaceAll('\"', '\\\\\"').replaceAll('\\n', '\\\\n')}\"`;\n      } else {\n        strValue = JSON.stringify(value);\n      }\n      console.log(`${key}=${strValue}`);\n    }\n  } else {\n    throw new Error(`Unknown format: ${format}`);\n  }\n\n  // const resolvedEnv = envGraph.getResolvedEnvObject();\n  // console.log(resolvedEnv);\n};\n"]}

package/dist/chunk-MHIFZAPA.js

@@ -0,0 +1,405 @@
+import { spawnAsync } from './chunk-Y3ITSQA4.js';
+import { detectJsPackageManager, logLines, fmt } from './chunk-MXZI2FC6.js';
+import { CliExitError } from './chunk-KKPD7AYU.js';
+import { define } from './chunk-4A54P4EM.js';
+import { loadVarlockEnvGraph } from './chunk-GEJNYKR4.js';
+import { ansis_default, gracefulExit } from './chunk-VQ5I7WMP.js';
+import { pathExists, my_dash_default } from './chunk-WZW7QS6M.js';
+import { redactString } from './chunk-MIBOBKI4.js';
+import { __name } from './chunk-6PEHRAEP.js';
+import path from 'path';
+import fs from 'fs/promises';
+
+// src/cli/helpers/install-detection.ts
+function isBundledSEA() {
+  try {
+    return false;
+  } catch (e) {
+    return false;
+  }
+}
+__name(isBundledSEA, "isBundledSEA");
+
+// src/cli/commands/scan.command.ts
+var SKIP_DIRS = /* @__PURE__ */ new Set([
+  ".git",
+  "node_modules",
+  "dist",
+  "build",
+  ".next",
+  ".nuxt",
+  "vendor",
+  ".venv",
+  "venv",
+  "__pycache__",
+  ".turbo",
+  "coverage"
+]);
+var BINARY_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".bmp",
+  ".ico",
+  ".mp3",
+  ".mp4",
+  ".wav",
+  ".avi",
+  ".mov",
+  ".zip",
+  ".tar",
+  ".gz",
+  ".rar",
+  ".7z",
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".bin",
+  ".pdf",
+  ".doc",
+  ".docx",
+  ".xls",
+  ".xlsx",
+  ".woff",
+  ".woff2",
+  ".ttf",
+  ".eot",
+  ".pyc",
+  ".class",
+  ".o"
+]);
+var commandSpec = define({
+  name: "scan",
+  description: "Scan files for sensitive config values that should not be in plaintext",
+  args: {
+    staged: {
+      type: "boolean",
+      description: "Only scan staged git files"
+    },
+    "include-ignored": {
+      type: "boolean",
+      description: "Include git-ignored files in the scan"
+    },
+    "install-hook": {
+      type: "boolean",
+      description: "Set up varlock scan as a git pre-commit hook"
+    },
+    path: {
+      type: "string",
+      short: "p",
+      description: 'Path to a specific .env file (e.g. .env.prod) or directory ending with "/" to use as the schema entry point (default: current directory)'
+    }
+  },
+  examples: `
+Loads your varlock config, resolves all sensitive values, then scans files to
+ensure none of those sensitive values appear in plaintext.
+
+Examples:
+  varlock scan                    # Scan non-git-ignored files in current directory
+  varlock scan --staged           # Only scan staged git files
+  varlock scan --include-ignored  # Scan all files, including git-ignored ones
+  varlock scan --path .env.prod   # Use a specific .env file as the schema entry point
+  varlock scan --install-hook     # Set up as a git pre-commit hook
+  `.trim()
+});
+async function getGitFiles(cwd, onlyStaged) {
+  try {
+    let output;
+    if (onlyStaged) {
+      output = await spawnAsync(
+        "git",
+        ["diff", "--cached", "--name-only", "-z", "--diff-filter=ACMR"],
+        { cwd }
+      );
+    } else {
+      output = await spawnAsync(
+        "git",
+        ["ls-files", "--cached", "--others", "--exclude-standard", "-z"],
+        { cwd }
+      );
+    }
+    return output.split("\0").filter(Boolean).filter((f) => !BINARY_EXTENSIONS.has(path.extname(f).toLowerCase())).map((f) => path.resolve(cwd, f));
+  } catch {
+    return null;
+  }
+}
+__name(getGitFiles, "getGitFiles");
+async function walkDirectory(dir) {
+  const files = [];
+  let entries;
+  try {
+    entries = await fs.readdir(dir, { withFileTypes: true });
+  } catch {
+    return files;
+  }
+  for (const entry of entries) {
+    const fullPath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (SKIP_DIRS.has(entry.name)) continue;
+      files.push(...await walkDirectory(fullPath));
+    } else if (entry.isFile()) {
+      const ext = path.extname(entry.name).toLowerCase();
+      if (BINARY_EXTENSIONS.has(ext)) continue;
+      files.push(fullPath);
+    }
+  }
+  return files;
+}
+__name(walkDirectory, "walkDirectory");
+async function scanFileForValues(filePath, sensitiveValues) {
+  const findings = [];
+  let content;
+  try {
+    content = await fs.readFile(filePath, "utf-8");
+  } catch {
+    return findings;
+  }
+  if (content.includes("\0")) return findings;
+  let anyMatch = false;
+  for (const val of sensitiveValues.values()) {
+    if (content.includes(val)) {
+      anyMatch = true;
+      break;
+    }
+  }
+  if (!anyMatch) return findings;
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const [keyName, val] of sensitiveValues) {
+      const colIdx = line.indexOf(val);
+      if (colIdx !== -1) {
+        findings.push({
+          filePath,
+          lineNumber: i + 1,
+          columnNumber: colIdx + 1,
+          line: line.trim(),
+          sensitiveKeyName: keyName,
+          sensitiveValue: val
+        });
+        break;
+      }
+    }
+  }
+  return findings;
+}
+__name(scanFileForValues, "scanFileForValues");
+var SCAN_COMMAND = "varlock scan";
+function getHookCommand() {
+  if (isBundledSEA()) return SCAN_COMMAND;
+  const pm = detectJsPackageManager();
+  if (pm) return `${pm.exec} ${SCAN_COMMAND}`;
+  return SCAN_COMMAND;
+}
+__name(getHookCommand, "getHookCommand");
+async function detectHookManager(cwd) {
+  if (await pathExists(path.join(cwd, ".husky"))) return "husky";
+  const lefthookFiles = ["lefthook.yml", "lefthook.yaml", ".lefthook.yml", ".lefthook.yaml"];
+  for (const file of lefthookFiles) {
+    if (await pathExists(path.join(cwd, file))) return "lefthook";
+  }
+  const pkgJsonPath = path.join(cwd, "package.json");
+  if (await pathExists(pkgJsonPath)) {
+    try {
+      const pkgJson = JSON.parse(await fs.readFile(pkgJsonPath, "utf-8"));
+      if (pkgJson["simple-git-hooks"]) return "simple-git-hooks";
+    } catch {
+    }
+  }
+  return null;
+}
+__name(detectHookManager, "detectHookManager");
+async function findGitRoot(cwd) {
+  try {
+    const root = await spawnAsync("git", ["rev-parse", "--show-toplevel"], { cwd });
+    return root.trim();
+  } catch {
+    return null;
+  }
+}
+__name(findGitRoot, "findGitRoot");
+async function installHook(cwd) {
+  const gitRoot = await findGitRoot(cwd);
+  if (!gitRoot) {
+    throw new CliExitError("Not inside a git repository", {
+      suggestion: "Run `git init` first, or make sure you are inside a git repository."
+    });
+  }
+  const hookCommand = getHookCommand();
+  const hookScript = `#!/bin/sh
+${hookCommand}
+`;
+  const hookManager = await detectHookManager(gitRoot);
+  if (hookManager === "husky") {
+    logLines([
+      "",
+      `Detected ${ansis_default.bold("husky")} as your git hook manager.`,
+      "",
+      `Add ${ansis_default.bold(hookCommand)} to your pre-commit hook:`,
+      "",
+      ansis_default.dim(`  echo "${hookCommand}" >> .husky/pre-commit`),
+      "",
+      "Or if creating a new hook:",
+      "",
+      ansis_default.dim(`  echo "${hookCommand}" > .husky/pre-commit`),
+      ""
+    ]);
+    return;
+  }
+  if (hookManager === "lefthook") {
+    logLines([
+      "",
+      `Detected ${ansis_default.bold("lefthook")} as your git hook manager.`,
+      "",
+      "Add the following to your lefthook config:",
+      "",
+      ansis_default.dim("  pre-commit:"),
+      ansis_default.dim("    commands:"),
+      ansis_default.dim("      varlock-scan:"),
+      ansis_default.dim(`        run: ${hookCommand}`),
+      ""
+    ]);
+    return;
+  }
+  if (hookManager === "simple-git-hooks") {
+    logLines([
+      "",
+      `Detected ${ansis_default.bold("simple-git-hooks")} in your package.json.`,
+      "",
+      "Add the following to your package.json:",
+      "",
+      ansis_default.dim('  "simple-git-hooks": {'),
+      ansis_default.dim(`    "pre-commit": "${hookCommand}"`),
+      ansis_default.dim("  }"),
+      "",
+      `Then run ${ansis_default.dim("npx simple-git-hooks")} to update the hooks.`,
+      ""
+    ]);
+    return;
+  }
+  const hooksDir = path.join(gitRoot, ".git", "hooks");
+  const hookPath = path.join(hooksDir, "pre-commit");
+  await fs.mkdir(hooksDir, { recursive: true });
+  if (await pathExists(hookPath)) {
+    const existingContent = await fs.readFile(hookPath, "utf-8");
+    if (existingContent.includes(SCAN_COMMAND)) {
+      logLines([
+        "",
+        ansis_default.green(`The pre-commit hook already includes ${ansis_default.bold(SCAN_COMMAND)} - nothing to do!`),
+        ""
+      ]);
+      return;
+    }
+    const updatedContent = `${existingContent.trimEnd()}
+${hookCommand}
+`;
+    await fs.writeFile(hookPath, updatedContent);
+    await fs.chmod(hookPath, 493);
+    logLines([
+      "",
+      ansis_default.green(`Added ${ansis_default.bold(hookCommand)} to existing pre-commit hook.`),
+      fmt.filePath(hookPath),
+      ""
+    ]);
+    return;
+  }
+  await fs.writeFile(hookPath, hookScript);
+  await fs.chmod(hookPath, 493);
+  logLines([
+    "",
+    ansis_default.green(`Created pre-commit hook at ${fmt.filePath(hookPath)}`),
+    ansis_default.dim("Your staged files will now be scanned for sensitive values before each commit."),
+    ""
+  ]);
+}
+__name(installHook, "installHook");
+var commandFn = /* @__PURE__ */ __name(async (ctx) => {
+  if (ctx.values["install-hook"]) {
+    await installHook(process.cwd());
+    return;
+  }
+  const onlyStaged = ctx.values.staged ?? false;
+  const includeIgnored = ctx.values["include-ignored"] ?? false;
+  const envGraph = await loadVarlockEnvGraph({
+    entryFilePath: ctx.values.path
+  });
+  for (const source of envGraph.sortedDataSources) {
+    if (source.loadingError) {
+      throw new CliExitError(`Error loading config: ${source.loadingError.message}`, {
+        suggestion: "Make sure your .env.schema file is valid."
+      });
+    }
+  }
+  await envGraph.resolveEnvValues();
+  const sensitiveValues = /* @__PURE__ */ new Map();
+  for (const itemKey in envGraph.configSchema) {
+    const item = envGraph.configSchema[itemKey];
+    if (item.isSensitive && my_dash_default.isString(item.resolvedValue) && item.resolvedValue !== "") {
+      sensitiveValues.set(itemKey, item.resolvedValue);
+    }
+  }
+  if (sensitiveValues.size === 0) {
+    logLines([ansis_default.green("\u2705 No sensitive values found in config - nothing to scan for.")]);
+    return;
+  }
+  const cwd = process.cwd();
+  let files;
+  if (includeIgnored) {
+    files = await walkDirectory(cwd);
+  } else {
+    const gitFiles = await getGitFiles(cwd, onlyStaged);
+    if (gitFiles !== null) {
+      files = gitFiles;
+    } else {
+      if (onlyStaged) {
+        throw new CliExitError("Could not run git to find staged files", {
+          suggestion: "Make sure git is installed and you are inside a git repository."
+        });
+      }
+      files = await walkDirectory(cwd);
+    }
+  }
+  if (files.length === 0) {
+    if (onlyStaged) {
+      console.log("No staged files to scan.");
+    } else {
+      console.log(ansis_default.green("\u2705 No files found to scan."));
+    }
+    return;
+  }
+  const allFindings = [];
+  for (const filePath of files) {
+    const findings = await scanFileForValues(filePath, sensitiveValues);
+    allFindings.push(...findings);
+  }
+  if (allFindings.length === 0) {
+    logLines([ansis_default.green(`\u2705 No sensitive values found in plaintext. (scanned ${files.length} file${files.length === 1 ? "" : "s"})`)]);
+    return;
+  }
+  const findingsByFile = /* @__PURE__ */ new Map();
+  for (const finding of allFindings) {
+    const existing = findingsByFile.get(finding.filePath) ?? [];
+    existing.push(finding);
+    findingsByFile.set(finding.filePath, existing);
+  }
+  console.error(ansis_default.red(`
+\u{1F6A8} Found ${allFindings.length} sensitive value(s) in plaintext across ${findingsByFile.size} file(s):
+`));
+  for (const [filePath, findings] of findingsByFile) {
+    const relPath = path.relative(cwd, filePath);
+    for (const finding of findings) {
+      const redactedLine = finding.line.replaceAll(finding.sensitiveValue, redactString(finding.sensitiveValue));
+      const truncatedLine = redactedLine.length > 100 ? `${redactedLine.substring(0, 100)}\u2026` : redactedLine;
+      console.error(`  ${fmt.fileName(`${relPath}:${finding.lineNumber}:${finding.columnNumber}`)} ${ansis_default.yellow(finding.sensitiveKeyName)}`);
+      console.error(`    ${ansis_default.dim(truncatedLine)}`);
+    }
+    console.error("");
+  }
+  gracefulExit(1);
+}, "commandFn");
+
+export { commandFn, commandSpec, getGitFiles, scanFileForValues, walkDirectory };
+//# sourceMappingURL=chunk-MHIFZAPA.js.map
+//# sourceMappingURL=chunk-MHIFZAPA.js.map

package/dist/chunk-MHIFZAPA.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/cli/helpers/install-detection.ts","../src/cli/commands/scan.command.ts"],"names":[],"mappings":";;;;;;;;;;;;;AACO,SAAS,YAAA,GAAe;AAC7B,EAAA,IAAI;AACF,IAAA,OAAO,KAAA;AAAA,EACT,SAAS,CAAA,EAAG;AACV,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AANgB,MAAA,CAAA,YAAA,EAAA,cAAA,CAAA;;;ACiBhB,IAAM,SAAA,uBAAgB,GAAA,CAAI;AAAA,EACxB,MAAA;AAAA,EACA,cAAA;AAAA,EACA,MAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA;AAAA,EACA;AACF,CAAC,CAAA;AAGD,IAAM,iBAAA,uBAAwB,GAAA,CAAI;AAAA,EAChC,MAAA;AAAA,EACA,MAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA;AACF,CAAC,CAAA;AAEM,IAAM,cAAc,MAAA,CAAO;AAAA,EAChC,IAAA,EAAM,MAAA;AAAA,EACN,WAAA,EAAa,wEAAA;AAAA,EACb,IAAA,EAAM;AAAA,IACJ,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,SAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,iBAAA,EAAmB;AAAA,MACjB,IAAA,EAAM,SAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,cAAA,EAAgB;AAAA,MACd,IAAA,EAAM,SAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,GAAA;AAAA,MACP,WAAA,EAAa;AAAA;AACf,GACF;AAAA,EACA,QAAA,EAAU;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAAA,CAAA,CAUR,IAAA;AACJ,CAAC;AAWD,eAAsB,WAAA,CAAY,KAAa,UAAA,EAAoD;AACjG,EAAA,IAAI;AACF,IAAA,IAAI,MAAA;AACJ,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,MAAA,GAAS,MAAM,UAAA;AAAA,QACb,KAAA;AAAA,QACA,CAAC,MAAA,EAAQ,UAAA,EAAY,aAAA,EAAe,MAAM,oBAAoB,CAAA;AAAA,QAC9D,EAAE,GAAA;AAAI,OACR;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAA,GAAS,MAAM,UAAA;AAAA,QACb,KAAA;AAAA,QACA,CAAC,UAAA,EAAY,UAAA,EAAY,UAAA,EAAY,sBAAsB,IAAI,CAAA;AAAA,QAC/D,EAAE,GAAA;AAAI,OACR;AAAA,IACF;AACA,IAAA,OAAO,MAAA,CAAO,KAAA,CAAM,IAAI,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,CACrC,MAAA,CAAO,CAAC,CAAA,KAAM,CAAC,iBAAA,CAAkB,GAAA,CAAI,IAAA,CAAK,OAAA,CAAQ,CAAC,CAAA,CAAE,WAAA,EAAa,CAAC,CAAA,CACnE,GAAA,CAAI,CAAC,CAAA,KAAM,IAAA,CAAK,OAAA,CAAQ,GAAA,EAAK,CAAC,CAAC,CAAA;AAAA,EACpC,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAtBsB,MAAA,CAAA,WAAA,EAAA,aAAA,CAAA;AAwBtB,eAAsB,cAAc,GAAA,EAAqC;AACvE,EAAA,MAAM,QAAuB,EAAC;AAC9B,EAAA,IAAI,OAAA;AACJ,EAAA,IAAI;AACF,IAAA,OAAA,GAAU,MAAM,EAAA,CAAG,OAAA,CAAQ,KAAK,EAAE,aAAA,EAAe,MAAM,CAAA;AAAA,EACzD,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACA,EAAA,KAAA,MAAW,SAAS,OAAA,EAAS;AAC3B,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,GAAA,EAAK,MAAM,IAAI,CAAA;AAC1C,IAAA,IAAI,KAAA,CAAM,aAAY,EAAG;AACvB,MAAA,IAAI,SAAA,CAAU,GAAA,CAAI,KAAA,CAAM,IAAI,CAAA,EAAG;AAC/B,MAAA,KAAA,CAAM,IAAA,CAAK,GAAG,MAAM,aAAA,CAAc,QAAQ,CAAC,CAAA;AAAA,IAC7C,CAAA,MAAA,IAAW,KAAA,CAAM,MAAA,EAAO,EAAG;AACzB,MAAA,MAAM,MAAM,IAAA,CAAK,OAAA,CAAQ,KAAA,CAAM,IAAI,EAAE,WAAA,EAAY;AACjD,MAAA,IAAI,iBAAA,CAAkB,GAAA,CAAI,GAAG,CAAA,EAAG;AAChC,MAAA,KAAA,CAAM,KAAK,QAAQ,CAAA;AAAA,IACrB;AAAA,EACF;AACA,EAAA,OAAO,KAAA;AACT;AApBsB,MAAA,CAAA,aAAA,EAAA,eAAA,CAAA;AA0BtB,eAAsB,iBAAA,CACpB,UACA,eAAA,EAC6B;AAC7B,EAAA,MAAM,WAA+B,EAAC;AACtC,EAAA,IAAI,OAAA;AACJ,EAAA,IAAI;AACF,IAAA,OAAA,GAAU,MAAM,EAAA,CAAG,QAAA,CAAS,QAAA,EAAU,OAAO,CAAA;AAAA,EAC/C,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,QAAA;AAAA,EACT;AAGA,EAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,IAAI,CAAA,EAAG,OAAO,QAAA;AAGnC,EAAA,IAAI,QAAA,GAAW,KAAA;AACf,EAAA,KAAA,MAAW,GAAA,IAAO,eAAA,CAAgB,MAAA,EAAO,EAAG;AAC1C,IAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG;AACzB,MAAA,QAAA,GAAW,IAAA;AACX,MAAA;AAAA,IACF;AAAA,EACF;AACA,EAAA,IAAI,CAAC,UAAU,OAAO,QAAA;AAEtB,EAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,KAAA,CAAM,IAAI,CAAA;AAChC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACrC,IAAA,MAAM,IAAA,GAAO,MAAM,CAAC,CAAA;AACpB,IAAA,KAAA,MAAW,CAAC,OAAA,EAAS,GAAG,CAAA,IAAK,eAAA,EAAiB;AAC5C,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA;AAC/B,MAAA,IAAI,WAAW,EAAA,EAAI;AACjB,QAAA,QAAA,CAAS,IAAA,CAAK;AAAA,UACZ,QAAA;AAAA,UACA,YAAY,CAAA,GAAI,CAAA;AAAA,UAChB,cAAc,MAAA,GAAS,CAAA;AAAA,UACvB,IAAA,EAAM,KAAK,IAAA,EAAK;AAAA,UAChB,gBAAA,EAAkB,OAAA;AAAA,UAClB,cAAA,EAAgB;AAAA,SACjB,CAAA;AACD,QAAA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACA,EAAA,OAAO,QAAA;AACT;AA5CsB,MAAA,CAAA,iBAAA,EAAA,mBAAA,CAAA;AA8CtB,IAAM,YAAA,GAAe,cAAA;AAOrB,SAAS,cAAA,GAAyB;AAChC,EAAA,IAAI,YAAA,IAAgB,OAAO,YAAA;AAC3B,EAAA,MAAM,KAAK,sBAAA,EAAuB;AAClC,EAAA,IAAI,IAAI,OAAO,CAAA,EAAG,EAAA,CAAG,IAAI,IAAI,YAAY,CAAA,CAAA;AAEzC,EAAA,OAAO,YAAA;AACT;AANS,MAAA,CAAA,cAAA,EAAA,gBAAA,CAAA;AAUT,eAAe,kBAAkB,GAAA,EAA8C;AAE7E,EAAA,IAAI,MAAM,WAAW,IAAA,CAAK,IAAA,CAAK,KAAK,QAAQ,CAAC,GAAG,OAAO,OAAA;AAGvD,EAAA,MAAM,aAAA,GAAgB,CAAC,cAAA,EAAgB,eAAA,EAAiB,iBAAiB,gBAAgB,CAAA;AACzF,EAAA,KAAA,MAAW,QAAQ,aAAA,EAAe;AAChC,IAAA,IAAI,MAAM,WAAW,IAAA,CAAK,IAAA,CAAK,KAAK,IAAI,CAAC,GAAG,OAAO,UAAA;AAAA,EACrD;AAGA,EAAA,MAAM,WAAA,GAAc,IAAA,CAAK,IAAA,CAAK,GAAA,EAAK,cAAc,CAAA;AACjD,EAAA,IAAI,MAAM,UAAA,CAAW,WAAW,CAAA,EAAG;AACjC,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,KAAK,KAAA,CAAM,MAAM,GAAG,QAAA,CAAS,WAAA,EAAa,OAAO,CAAC,CAAA;AAClE,MAAA,IAAI,OAAA,CAAQ,kBAAkB,CAAA,EAAG,OAAO,kBAAA;AAAA,IAC1C,CAAA,CAAA,MAAQ;AAAA,IAA4B;AAAA,EACtC;AAEA,EAAA,OAAO,IAAA;AACT;AApBe,MAAA,CAAA,iBAAA,EAAA,mBAAA,CAAA;AAsBf,eAAe,YAAY,GAAA,EAAqC;AAC9D,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,MAAM,UAAA,CAAW,KAAA,EAAO,CAAC,aAAa,iBAAiB,CAAA,EAAG,EAAE,GAAA,EAAK,CAAA;AAC9E,IAAA,OAAO,KAAK,IAAA,EAAK;AAAA,EACnB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAPe,MAAA,CAAA,WAAA,EAAA,aAAA,CAAA;AASf,eAAe,YAAY,GAAA,EAA4B;AACrD,EAAA,MAAM,OAAA,GAAU,MAAM,WAAA,CAAY,GAAG,CAAA;AACrC,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,aAAa,6BAAA,EAA+B;AAAA,MACpD,UAAA,EAAY;AAAA,KACb,CAAA;AAAA,EACH;AAEA,EAAA,MAAM,cAAc,cAAA,EAAe;AACnC,EAAA,MAAM,UAAA,GAAa,CAAA;AAAA,EAAc,WAAW;AAAA,CAAA;AAC5C,EAAA,MAAM,WAAA,GAAc,MAAM,iBAAA,CAAkB,OAAO,CAAA;AAEnD,EAAA,IAAI,gBAAgB,OAAA,EAAS;AAC3B,IAAA,QAAA,CAAS;AAAA,MACP,EAAA;AAAA,MACA,CAAA,SAAA,EAAY,aAAA,CAAM,IAAA,CAAK,OAAO,CAAC,CAAA,0BAAA,CAAA;AAAA,MAC/B,EAAA;AAAA,MACA,CAAA,IAAA,EAAO,aAAA,CAAM,IAAA,CAAK,WAAW,CAAC,CAAA,yBAAA,CAAA;AAAA,MAC9B,EAAA;AAAA,MACA,aAAA,CAAM,GAAA,CAAI,CAAA,QAAA,EAAW,WAAW,CAAA,sBAAA,CAAwB,CAAA;AAAA,MACxD,EAAA;AAAA,MACA,4BAAA;AAAA,MACA,EAAA;AAAA,MACA,aAAA,CAAM,GAAA,CAAI,CAAA,QAAA,EAAW,WAAW,CAAA,qBAAA,CAAuB,CAAA;AAAA,MACvD;AAAA,KACD,CAAA;AACD,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,gBAAgB,UAAA,EAAY;AAC9B,IAAA,QAAA,CAAS;AAAA,MACP,EAAA;AAAA,MACA,CAAA,SAAA,EAAY,aAAA,CAAM,IAAA,CAAK,UAAU,CAAC,CAAA,0BAAA,CAAA;AAAA,MAClC,EAAA;AAAA,MACA,4CAAA;AAAA,MACA,EAAA;AAAA,MACA,aAAA,CAAM,IAAI,eAAe,CAAA;AAAA,MACzB,aAAA,CAAM,IAAI,eAAe,CAAA;AAAA,MACzB,aAAA,CAAM,IAAI,qBAAqB,CAAA;AAAA,MAC/B,aAAA,CAAM,GAAA,CAAI,CAAA,aAAA,EAAgB,WAAW,CAAA,CAAE,CAAA;AAAA,MACvC;AAAA,KACD,CAAA;AACD,IAAA;AAAA,EACF;AAEA,EAAA,IAAI,gBAAgB,kBAAA,EAAoB;AACtC,IAAA,QAAA,CAAS;AAAA,MACP,EAAA;AAAA,MACA,CAAA,SAAA,EAAY,aAAA,CAAM,IAAA,CAAK,kBAAkB,CAAC,CAAA,sBAAA,CAAA;AAAA,MAC1C,EAAA;AAAA,MACA,yCAAA;AAAA,MACA,EAAA;AAAA,MACA,aAAA,CAAM,IAAI,yBAAyB,CAAA;AAAA,MACnC,aAAA,CAAM,GAAA,CAAI,CAAA,mBAAA,EAAsB,WAAW,CAAA,CAAA,CAAG,CAAA;AAAA,MAC9C,aAAA,CAAM,IAAI,KAAK,CAAA;AAAA,MACf,EAAA;AAAA,MACA,CAAA,SAAA,EAAY,aAAA,CAAM,GAAA,CAAI,sBAAsB,CAAC,CAAA,qBAAA,CAAA;AAAA,MAC7C;AAAA,KACD,CAAA;AACD,IAAA;AAAA,EACF;AAGA,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,OAAA,EAAS,QAAQ,OAAO,CAAA;AACnD,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,QAAA,EAAU,YAAY,CAAA;AAGjD,EAAA,MAAM,GAAG,KAAA,CAAM,QAAA,EAAU,EAAE,SAAA,EAAW,MAAM,CAAA;AAG5C,EAAA,IAAI,MAAM,UAAA,CAAW,QAAQ,CAAA,EAAG;AAC9B,IAAA,MAAM,eAAA,GAAkB,MAAM,EAAA,CAAG,QAAA,CAAS,UAAU,OAAO,CAAA;AAC3D,IAAA,IAAI,eAAA,CAAgB,QAAA,CAAS,YAAY,CAAA,EAAG;AAC1C,MAAA,QAAA,CAAS;AAAA,QACP,EAAA;AAAA,QACA,cAAM,KAAA,CAAM,CAAA,qCAAA,EAAwC,cAAM,IAAA,CAAK,YAAY,CAAC,CAAA,iBAAA,CAAmB,CAAA;AAAA,QAC/F;AAAA,OACD,CAAA;AACD,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,cAAA,GAAiB,CAAA,EAAG,eAAA,CAAgB,OAAA,EAAS;AAAA,EAAK,WAAW;AAAA,CAAA;AACnE,IAAA,MAAM,EAAA,CAAG,SAAA,CAAU,QAAA,EAAU,cAAc,CAAA;AAC3C,IAAA,MAAM,EAAA,CAAG,KAAA,CAAM,QAAA,EAAU,GAAK,CAAA;AAC9B,IAAA,QAAA,CAAS;AAAA,MACP,EAAA;AAAA,MACA,cAAM,KAAA,CAAM,CAAA,MAAA,EAAS,cAAM,IAAA,CAAK,WAAW,CAAC,CAAA,6BAAA,CAA+B,CAAA;AAAA,MAC3E,GAAA,CAAI,SAAS,QAAQ,CAAA;AAAA,MACrB;AAAA,KACD,CAAA;AACD,IAAA;AAAA,EACF;AAGA,EAAA,MAAM,EAAA,CAAG,SAAA,CAAU,QAAA,EAAU,UAAU,CAAA;AACvC,EAAA,MAAM,EAAA,CAAG,KAAA,CAAM,QAAA,EAAU,GAAK,CAAA;AAC9B,EAAA,QAAA,CAAS;AAAA,IACP,EAAA;AAAA,IACA,cAAM,KAAA,CAAM,CAAA,2BAAA,EAA8B,IAAI,QAAA,CAAS,QAAQ,CAAC,CAAA,CAAE,CAAA;AAAA,IAClE,aAAA,CAAM,IAAI,gFAAgF,CAAA;AAAA,IAC1F;AAAA,GACD,CAAA;AACH;AAtGe,MAAA,CAAA,WAAA,EAAA,aAAA,CAAA;AAwGR,IAAM,SAAA,iCAA6D,GAAA,KAAQ;AAEhF,EAAA,IAAI,GAAA,CAAI,MAAA,CAAO,cAAc,CAAA,EAAG;AAC9B,IAAA,MAAM,WAAA,CAAY,OAAA,CAAQ,GAAA,EAAK,CAAA;AAC/B,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,UAAA,GAAa,GAAA,CAAI,MAAA,CAAO,MAAA,IAAU,KAAA;AACxC,EAAA,MAAM,cAAA,GAAiB,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,IAAK,KAAA;AAGxD,EAAA,MAAM,QAAA,GAAW,MAAM,mBAAA,CAAoB;AAAA,IACzC,aAAA,EAAe,IAAI,MAAA,CAAO;AAAA,GAC3B,CAAA;AAGD,EAAA,KAAA,MAAW,MAAA,IAAU,SAAS,iBAAA,EAAmB;AAC/C,IAAA,IAAI,OAAO,YAAA,EAAc;AACvB,MAAA,MAAM,IAAI,YAAA,CAAa,CAAA,sBAAA,EAAyB,MAAA,CAAO,YAAA,CAAa,OAAO,CAAA,CAAA,EAAI;AAAA,QAC7E,UAAA,EAAY;AAAA,OACb,CAAA;AAAA,IACH;AAAA,EACF;AAEA,EAAA,MAAM,SAAS,gBAAA,EAAiB;AAGhC,EAAA,MAAM,eAAA,uBAAsB,GAAA,EAAoB;AAChD,EAAA,KAAA,MAAW,OAAA,IAAW,SAAS,YAAA,EAAc;AAC3C,IAAA,MAAM,IAAA,GAAO,QAAA,CAAS,YAAA,CAAa,OAAO,CAAA;AAC1C,IAAA,IAAI,IAAA,CAAK,eAAe,eAAA,CAAE,QAAA,CAAS,KAAK,aAAa,CAAA,IAAK,IAAA,CAAK,aAAA,KAAkB,EAAA,EAAI;AACnF,MAAA,eAAA,CAAgB,GAAA,CAAI,OAAA,EAAS,IAAA,CAAK,aAAa,CAAA;AAAA,IACjD;AAAA,EACF;AAEA,EAAA,IAAI,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC9B,IAAA,QAAA,CAAS,CAAC,aAAA,CAAM,KAAA,CAAM,mEAA8D,CAAC,CAAC,CAAA;AACtF,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,GAAA,GAAM,QAAQ,GAAA,EAAI;AACxB,EAAA,IAAI,KAAA;AAEJ,EAAA,IAAI,cAAA,EAAgB;AAElB,IAAA,KAAA,GAAQ,MAAM,cAAc,GAAG,CAAA;AAAA,EACjC,CAAA,MAAO;AAEL,IAAA,MAAM,QAAA,GAAW,MAAM,WAAA,CAAY,GAAA,EAAK,UAAU,CAAA;AAClD,IAAA,IAAI,aAAa,IAAA,EAAM;AACrB,MAAA,KAAA,GAAQ,QAAA;AAAA,IACV,CAAA,MAAO;AAEL,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,MAAM,IAAI,aAAa,wCAAA,EAA0C;AAAA,UAC/D,UAAA,EAAY;AAAA,SACb,CAAA;AAAA,MACH;AACA,MAAA,KAAA,GAAQ,MAAM,cAAc,GAAG,CAAA;AAAA,IACjC;AAAA,EACF;AAEA,EAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,OAAA,CAAQ,IAAI,0BAA0B,CAAA;AAAA,IACxC,CAAA,MAAO;AACL,MAAA,OAAA,CAAQ,GAAA,CAAI,aAAA,CAAM,KAAA,CAAM,gCAA2B,CAAC,CAAA;AAAA,IACtD;AACA,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,cAAkC,EAAC;AACzC,EAAA,KAAA,MAAW,YAAY,KAAA,EAAO;AAC5B,IAAA,MAAM,QAAA,GAAW,MAAM,iBAAA,CAAkB,QAAA,EAAU,eAAe,CAAA;AAClE,IAAA,WAAA,CAAY,IAAA,CAAK,GAAG,QAAQ,CAAA;AAAA,EAC9B;AAEA,EAAA,IAAI,WAAA,CAAY,WAAW,CAAA,EAAG;AAC5B,IAAA,QAAA,CAAS,CAAC,aAAA,CAAM,KAAA,CAAM,CAAA,wDAAA,EAAsD,MAAM,MAAM,CAAA,KAAA,EAAQ,KAAA,CAAM,MAAA,KAAW,CAAA,GAAI,EAAA,GAAK,GAAG,CAAA,CAAA,CAAG,CAAC,CAAC,CAAA;AAClI,IAAA;AAAA,EACF;AAGA,EAAA,MAAM,cAAA,uBAAqB,GAAA,EAAgC;AAC3D,EAAA,KAAA,MAAW,WAAW,WAAA,EAAa;AACjC,IAAA,MAAM,WAAW,cAAA,CAAe,GAAA,CAAI,OAAA,CAAQ,QAAQ,KAAK,EAAC;AAC1D,IAAA,QAAA,CAAS,KAAK,OAAO,CAAA;AACrB,IAAA,cAAA,CAAe,GAAA,CAAI,OAAA,CAAQ,QAAA,EAAU,QAAQ,CAAA;AAAA,EAC/C;AAEA,EAAA,OAAA,CAAQ,KAAA,CAAM,cAAM,GAAA,CAAI;AAAA,gBAAA,EAAc,WAAA,CAAY,MAAM,CAAA,wCAAA,EAA2C,cAAA,CAAe,IAAI,CAAA;AAAA,CAAa,CAAC,CAAA;AACpI,EAAA,KAAA,MAAW,CAAC,QAAA,EAAU,QAAQ,CAAA,IAAK,cAAA,EAAgB;AACjD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,GAAA,EAAK,QAAQ,CAAA;AAC3C,IAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAE9B,MAAA,MAAM,YAAA,GAAe,QAAQ,IAAA,CAAK,UAAA,CAAW,QAAQ,cAAA,EAAgB,YAAA,CAAa,OAAA,CAAQ,cAAc,CAAE,CAAA;AAC1G,MAAA,MAAM,aAAA,GAAgB,YAAA,CAAa,MAAA,GAAS,GAAA,GACxC,CAAA,EAAG,aAAa,SAAA,CAAU,CAAA,EAAG,GAAG,CAAC,CAAA,MAAA,CAAA,GACjC,YAAA;AACJ,MAAA,OAAA,CAAQ,KAAA,CAAM,KAAK,GAAA,CAAI,QAAA,CAAS,GAAG,OAAO,CAAA,CAAA,EAAI,QAAQ,UAAU,CAAA,CAAA,EAAI,QAAQ,YAAY,CAAA,CAAE,CAAC,CAAA,CAAA,EAAI,aAAA,CAAM,OAAO,OAAA,CAAQ,gBAAgB,CAAC,CAAA,CAAE,CAAA;AACvI,MAAA,OAAA,CAAQ,MAAM,CAAA,IAAA,EAAO,aAAA,CAAM,GAAA,CAAI,aAAa,CAAC,CAAA,CAAE,CAAA;AAAA,IACjD;AACA,IAAA,OAAA,CAAQ,MAAM,EAAE,CAAA;AAAA,EAClB;AAEA,EAAA,YAAA,CAAa,CAAC,CAAA;AAChB,CAAA,EA1GmE,WAAA","file":"chunk-MHIFZAPA.js","sourcesContent":["\nexport function isBundledSEA() {\n  try {\n    return __VARLOCK_SEA_BUILD__;\n  } catch (e) {\n    return false;\n  }\n}\n","import path from 'node:path';\nimport fs from 'node:fs/promises';\nimport { define } from 'gunshi';\nimport ansis from 'ansis';\nimport { gracefulExit } from 'exit-hook';\nimport _ from '@env-spec/utils/my-dash';\n\nimport { spawnAsync } from '@env-spec/utils/exec-helpers';\nimport { pathExists } from '@env-spec/utils/fs-utils';\nimport { redactString } from '../../runtime/lib/redaction';\nimport { type TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\nimport { CliExitError } from '../helpers/exit-error';\nimport { fmt, logLines } from '../helpers/pretty-format';\nimport { detectJsPackageManager } from '../helpers/js-package-manager-utils';\nimport { isBundledSEA } from '../helpers/install-detection';\nimport { loadVarlockEnvGraph } from '../../lib/load-graph';\n\n// Directories to always skip when walking the file tree\nconst SKIP_DIRS = new Set([\n  '.git',\n  'node_modules',\n  'dist',\n  'build',\n  '.next',\n  '.nuxt',\n  'vendor',\n  '.venv',\n  'venv',\n  '__pycache__',\n  '.turbo',\n  'coverage',\n]);\n\n// File extensions that are binary and should be skipped\nconst BINARY_EXTENSIONS = new Set([\n  '.png',\n  '.jpg',\n  '.jpeg',\n  '.gif',\n  '.bmp',\n  '.ico',\n  '.mp3',\n  '.mp4',\n  '.wav',\n  '.avi',\n  '.mov',\n  '.zip',\n  '.tar',\n  '.gz',\n  '.rar',\n  '.7z',\n  '.exe',\n  '.dll',\n  '.so',\n  '.dylib',\n  '.bin',\n  '.pdf',\n  '.doc',\n  '.docx',\n  '.xls',\n  '.xlsx',\n  '.woff',\n  '.woff2',\n  '.ttf',\n  '.eot',\n  '.pyc',\n  '.class',\n  '.o',\n]);\n\nexport const commandSpec = define({\n  name: 'scan',\n  description: 'Scan files for sensitive config values that should not be in plaintext',\n  args: {\n    staged: {\n      type: 'boolean',\n      description: 'Only scan staged git files',\n    },\n    'include-ignored': {\n      type: 'boolean',\n      description: 'Include git-ignored files in the scan',\n    },\n    'install-hook': {\n      type: 'boolean',\n      description: 'Set up varlock scan as a git pre-commit hook',\n    },\n    path: {\n      type: 'string',\n      short: 'p',\n      description: 'Path to a specific .env file (e.g. .env.prod) or directory ending with \"/\" to use as the schema entry point (default: current directory)',\n    },\n  },\n  examples: `\nLoads your varlock config, resolves all sensitive values, then scans files to\nensure none of those sensitive values appear in plaintext.\n\nExamples:\n  varlock scan                    # Scan non-git-ignored files in current directory\n  varlock scan --staged           # Only scan staged git files\n  varlock scan --include-ignored  # Scan all files, including git-ignored ones\n  varlock scan --path .env.prod   # Use a specific .env file as the schema entry point\n  varlock scan --install-hook     # Set up as a git pre-commit hook\n  `.trim(),\n});\n\nexport interface ScanFinding {\n  filePath: string;\n  lineNumber: number;\n  columnNumber: number;\n  line: string;\n  sensitiveKeyName: string;\n  sensitiveValue: string;\n}\n\nexport async function getGitFiles(cwd: string, onlyStaged: boolean): Promise<Array<string> | null> {\n  try {\n    let output: string;\n    if (onlyStaged) {\n      output = await spawnAsync(\n        'git',\n        ['diff', '--cached', '--name-only', '-z', '--diff-filter=ACMR'],\n        { cwd },\n      );\n    } else {\n      output = await spawnAsync(\n        'git',\n        ['ls-files', '--cached', '--others', '--exclude-standard', '-z'],\n        { cwd },\n      );\n    }\n    return output.split('\\0').filter(Boolean)\n      .filter((f) => !BINARY_EXTENSIONS.has(path.extname(f).toLowerCase()))\n      .map((f) => path.resolve(cwd, f));\n  } catch {\n    return null;\n  }\n}\n\nexport async function walkDirectory(dir: string): Promise<Array<string>> {\n  const files: Array<string> = [];\n  let entries;\n  try {\n    entries = await fs.readdir(dir, { withFileTypes: true });\n  } catch {\n    return files;\n  }\n  for (const entry of entries) {\n    const fullPath = path.join(dir, entry.name);\n    if (entry.isDirectory()) {\n      if (SKIP_DIRS.has(entry.name)) continue;\n      files.push(...await walkDirectory(fullPath));\n    } else if (entry.isFile()) {\n      const ext = path.extname(entry.name).toLowerCase();\n      if (BINARY_EXTENSIONS.has(ext)) continue;\n      files.push(fullPath);\n    }\n  }\n  return files;\n}\n\n/**\n * Scans a single file for occurrences of any of the provided sensitive values.\n * sensitiveValues is a map from env key name to its resolved string value.\n */\nexport async function scanFileForValues(\n  filePath: string,\n  sensitiveValues: Map<string, string>,\n): Promise<Array<ScanFinding>> {\n  const findings: Array<ScanFinding> = [];\n  let content: string;\n  try {\n    content = await fs.readFile(filePath, 'utf-8');\n  } catch {\n    return findings;\n  }\n\n  // Skip binary files (contain null bytes)\n  if (content.includes('\\0')) return findings;\n\n  // Quick pre-check: skip the file entirely if none of the values appear\n  let anyMatch = false;\n  for (const val of sensitiveValues.values()) {\n    if (content.includes(val)) {\n      anyMatch = true;\n      break;\n    }\n  }\n  if (!anyMatch) return findings;\n\n  const lines = content.split('\\n');\n  for (let i = 0; i < lines.length; i++) {\n    const line = lines[i];\n    for (const [keyName, val] of sensitiveValues) {\n      const colIdx = line.indexOf(val);\n      if (colIdx !== -1) {\n        findings.push({\n          filePath,\n          lineNumber: i + 1,\n          columnNumber: colIdx + 1,\n          line: line.trim(),\n          sensitiveKeyName: keyName,\n          sensitiveValue: val,\n        });\n        break; // one finding per line is enough\n      }\n    }\n  }\n  return findings;\n}\n\nconst SCAN_COMMAND = 'varlock scan';\n\n/**\n * Determines the correct command to use in a git hook script.\n * If varlock is installed as a standalone binary, uses `varlock` directly.\n * Otherwise, prefixes with the detected JS package manager's exec command.\n */\nfunction getHookCommand(): string {\n  if (isBundledSEA()) return SCAN_COMMAND;\n  const pm = detectJsPackageManager();\n  if (pm) return `${pm.exec} ${SCAN_COMMAND}`;\n  // fallback - assume varlock is available on PATH\n  return SCAN_COMMAND;\n}\n\ntype HookManagerKind = 'husky' | 'lefthook' | 'simple-git-hooks';\n\nasync function detectHookManager(cwd: string): Promise<HookManagerKind | null> {\n  // Check for husky\n  if (await pathExists(path.join(cwd, '.husky'))) return 'husky';\n\n  // Check for lefthook config files\n  const lefthookFiles = ['lefthook.yml', 'lefthook.yaml', '.lefthook.yml', '.lefthook.yaml'];\n  for (const file of lefthookFiles) {\n    if (await pathExists(path.join(cwd, file))) return 'lefthook';\n  }\n\n  // Check for simple-git-hooks in package.json\n  const pkgJsonPath = path.join(cwd, 'package.json');\n  if (await pathExists(pkgJsonPath)) {\n    try {\n      const pkgJson = JSON.parse(await fs.readFile(pkgJsonPath, 'utf-8'));\n      if (pkgJson['simple-git-hooks']) return 'simple-git-hooks';\n    } catch { /* ignore parse errors */ }\n  }\n\n  return null;\n}\n\nasync function findGitRoot(cwd: string): Promise<string | null> {\n  try {\n    const root = await spawnAsync('git', ['rev-parse', '--show-toplevel'], { cwd });\n    return root.trim();\n  } catch {\n    return null;\n  }\n}\n\nasync function installHook(cwd: string): Promise<void> {\n  const gitRoot = await findGitRoot(cwd);\n  if (!gitRoot) {\n    throw new CliExitError('Not inside a git repository', {\n      suggestion: 'Run `git init` first, or make sure you are inside a git repository.',\n    });\n  }\n\n  const hookCommand = getHookCommand();\n  const hookScript = `#!/bin/sh\\n${hookCommand}\\n`;\n  const hookManager = await detectHookManager(gitRoot);\n\n  if (hookManager === 'husky') {\n    logLines([\n      '',\n      `Detected ${ansis.bold('husky')} as your git hook manager.`,\n      '',\n      `Add ${ansis.bold(hookCommand)} to your pre-commit hook:`,\n      '',\n      ansis.dim(`  echo \"${hookCommand}\" >> .husky/pre-commit`),\n      '',\n      'Or if creating a new hook:',\n      '',\n      ansis.dim(`  echo \"${hookCommand}\" > .husky/pre-commit`),\n      '',\n    ]);\n    return;\n  }\n\n  if (hookManager === 'lefthook') {\n    logLines([\n      '',\n      `Detected ${ansis.bold('lefthook')} as your git hook manager.`,\n      '',\n      'Add the following to your lefthook config:',\n      '',\n      ansis.dim('  pre-commit:'),\n      ansis.dim('    commands:'),\n      ansis.dim('      varlock-scan:'),\n      ansis.dim(`        run: ${hookCommand}`),\n      '',\n    ]);\n    return;\n  }\n\n  if (hookManager === 'simple-git-hooks') {\n    logLines([\n      '',\n      `Detected ${ansis.bold('simple-git-hooks')} in your package.json.`,\n      '',\n      'Add the following to your package.json:',\n      '',\n      ansis.dim('  \"simple-git-hooks\": {'),\n      ansis.dim(`    \"pre-commit\": \"${hookCommand}\"`),\n      ansis.dim('  }'),\n      '',\n      `Then run ${ansis.dim('npx simple-git-hooks')} to update the hooks.`,\n      '',\n    ]);\n    return;\n  }\n\n  // No hook manager detected -- install directly to .git/hooks/pre-commit\n  const hooksDir = path.join(gitRoot, '.git', 'hooks');\n  const hookPath = path.join(hooksDir, 'pre-commit');\n\n  // Ensure hooks directory exists\n  await fs.mkdir(hooksDir, { recursive: true });\n\n  // Check if a pre-commit hook already exists\n  if (await pathExists(hookPath)) {\n    const existingContent = await fs.readFile(hookPath, 'utf-8');\n    if (existingContent.includes(SCAN_COMMAND)) {\n      logLines([\n        '',\n        ansis.green(`The pre-commit hook already includes ${ansis.bold(SCAN_COMMAND)} - nothing to do!`),\n        '',\n      ]);\n      return;\n    }\n    // Append to existing hook\n    const updatedContent = `${existingContent.trimEnd()}\\n${hookCommand}\\n`;\n    await fs.writeFile(hookPath, updatedContent);\n    await fs.chmod(hookPath, 0o755);\n    logLines([\n      '',\n      ansis.green(`Added ${ansis.bold(hookCommand)} to existing pre-commit hook.`),\n      fmt.filePath(hookPath),\n      '',\n    ]);\n    return;\n  }\n\n  // Create new hook\n  await fs.writeFile(hookPath, hookScript);\n  await fs.chmod(hookPath, 0o755);\n  logLines([\n    '',\n    ansis.green(`Created pre-commit hook at ${fmt.filePath(hookPath)}`),\n    ansis.dim('Your staged files will now be scanned for sensitive values before each commit.'),\n    '',\n  ]);\n}\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n  // Handle --install-hook before doing any scanning\n  if (ctx.values['install-hook']) {\n    await installHook(process.cwd());\n    return;\n  }\n\n  const onlyStaged = ctx.values.staged ?? false;\n  const includeIgnored = ctx.values['include-ignored'] ?? false;\n\n  // Load the varlock env graph to get the actual sensitive values\n  const envGraph = await loadVarlockEnvGraph({\n    entryFilePath: ctx.values.path,\n  });\n\n  // Check for loading/schema errors\n  for (const source of envGraph.sortedDataSources) {\n    if (source.loadingError) {\n      throw new CliExitError(`Error loading config: ${source.loadingError.message}`, {\n        suggestion: 'Make sure your .env.schema file is valid.',\n      });\n    }\n  }\n\n  await envGraph.resolveEnvValues();\n\n  // Collect all sensitive string values that are non-empty\n  const sensitiveValues = new Map<string, string>();\n  for (const itemKey in envGraph.configSchema) {\n    const item = envGraph.configSchema[itemKey];\n    if (item.isSensitive && _.isString(item.resolvedValue) && item.resolvedValue !== '') {\n      sensitiveValues.set(itemKey, item.resolvedValue);\n    }\n  }\n\n  if (sensitiveValues.size === 0) {\n    logLines([ansis.green('✅ No sensitive values found in config - nothing to scan for.')]);\n    return;\n  }\n\n  const cwd = process.cwd();\n  let files: Array<string>;\n\n  if (includeIgnored) {\n    // Walk the full directory tree, no git filtering\n    files = await walkDirectory(cwd);\n  } else {\n    // Try to use git to get non-ignored files\n    const gitFiles = await getGitFiles(cwd, onlyStaged);\n    if (gitFiles !== null) {\n      files = gitFiles;\n    } else {\n      // Git not available - fall back to walking directory\n      if (onlyStaged) {\n        throw new CliExitError('Could not run git to find staged files', {\n          suggestion: 'Make sure git is installed and you are inside a git repository.',\n        });\n      }\n      files = await walkDirectory(cwd);\n    }\n  }\n\n  if (files.length === 0) {\n    if (onlyStaged) {\n      console.log('No staged files to scan.');\n    } else {\n      console.log(ansis.green('✅ No files found to scan.'));\n    }\n    return;\n  }\n\n  const allFindings: Array<ScanFinding> = [];\n  for (const filePath of files) {\n    const findings = await scanFileForValues(filePath, sensitiveValues);\n    allFindings.push(...findings);\n  }\n\n  if (allFindings.length === 0) {\n    logLines([ansis.green(`✅ No sensitive values found in plaintext. (scanned ${files.length} file${files.length === 1 ? '' : 's'})`)]);\n    return;\n  }\n\n  // Group findings by file for display\n  const findingsByFile = new Map<string, Array<ScanFinding>>();\n  for (const finding of allFindings) {\n    const existing = findingsByFile.get(finding.filePath) ?? [];\n    existing.push(finding);\n    findingsByFile.set(finding.filePath, existing);\n  }\n\n  console.error(ansis.red(`\\n🚨 Found ${allFindings.length} sensitive value(s) in plaintext across ${findingsByFile.size} file(s):\\n`));\n  for (const [filePath, findings] of findingsByFile) {\n    const relPath = path.relative(cwd, filePath);\n    for (const finding of findings) {\n      // Redact the actual secret value in the displayed line\n      const redactedLine = finding.line.replaceAll(finding.sensitiveValue, redactString(finding.sensitiveValue)!);\n      const truncatedLine = redactedLine.length > 100\n        ? `${redactedLine.substring(0, 100)}…`\n        : redactedLine;\n      console.error(`  ${fmt.fileName(`${relPath}:${finding.lineNumber}:${finding.columnNumber}`)} ${ansis.yellow(finding.sensitiveKeyName)}`);\n      console.error(`    ${ansis.dim(truncatedLine)}`);\n    }\n    console.error('');\n  }\n\n  gracefulExit(1);\n};\n"]}