varlock 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (137) hide show
  1. package/dist/audit.command-LLD5UIAW.js +16 -0
  2. package/dist/audit.command-LLD5UIAW.js.map +1 -0
  3. package/dist/auto-load.js +6 -6
  4. package/dist/{chunk-QSYH5IDD.js → chunk-5DRCCFKV.js} +3 -3
  5. package/dist/{chunk-QSYH5IDD.js.map → chunk-5DRCCFKV.js.map} +1 -1
  6. package/dist/{chunk-E3F6QKDZ.js → chunk-C5LW5EET.js} +6 -6
  7. package/dist/{chunk-E3F6QKDZ.js.map → chunk-C5LW5EET.js.map} +1 -1
  8. package/dist/chunk-CESFJIM4.js +198 -0
  9. package/dist/chunk-CESFJIM4.js.map +1 -0
  10. package/dist/{chunk-5DUWGI2N.js → chunk-DIPEXEIL.js} +3 -3
  11. package/dist/{chunk-5DUWGI2N.js.map → chunk-DIPEXEIL.js.map} +1 -1
  12. package/dist/{chunk-SDN53OAC.js → chunk-F6ZYIWAR.js} +160 -72
  13. package/dist/chunk-F6ZYIWAR.js.map +1 -0
  14. package/dist/{chunk-2PFIYNFA.js → chunk-FA5SNEKN.js} +30 -13
  15. package/dist/chunk-FA5SNEKN.js.map +1 -0
  16. package/dist/{chunk-XWYFSG46.js → chunk-GKN3UJNE.js} +651 -821
  17. package/dist/chunk-GKN3UJNE.js.map +1 -0
  18. package/dist/{chunk-TQXYC3G3.js → chunk-HH647LSU.js} +5 -5
  19. package/dist/{chunk-TQXYC3G3.js.map → chunk-HH647LSU.js.map} +1 -1
  20. package/dist/{chunk-6RF54KKR.js → chunk-HMWAOBZR.js} +78 -24
  21. package/dist/chunk-HMWAOBZR.js.map +1 -0
  22. package/dist/{chunk-H6NILU2I.js → chunk-INGOLNLE.js} +4 -4
  23. package/dist/{chunk-H6NILU2I.js.map → chunk-INGOLNLE.js.map} +1 -1
  24. package/dist/{chunk-JIUWL2NT.js → chunk-IO2OGZQU.js} +9 -9
  25. package/dist/chunk-IO2OGZQU.js.map +1 -0
  26. package/dist/chunk-IRXBCLL2.js +2045 -0
  27. package/dist/chunk-IRXBCLL2.js.map +1 -0
  28. package/dist/{chunk-QP7TS4SU.js → chunk-JOGGSYT2.js} +6 -6
  29. package/dist/chunk-JOGGSYT2.js.map +1 -0
  30. package/dist/{chunk-F6RTQ5QX.js → chunk-KFALDUEO.js} +3 -3
  31. package/dist/{chunk-F6RTQ5QX.js.map → chunk-KFALDUEO.js.map} +1 -1
  32. package/dist/{chunk-VN4LKYXR.js → chunk-KI5QLKPU.js} +6 -6
  33. package/dist/{chunk-VN4LKYXR.js.map → chunk-KI5QLKPU.js.map} +1 -1
  34. package/dist/{chunk-JUPAI2X4.js → chunk-M6QE3D2O.js} +7 -7
  35. package/dist/{chunk-JUPAI2X4.js.map → chunk-M6QE3D2O.js.map} +1 -1
  36. package/dist/{chunk-CDLU5P62.js → chunk-MPHVA4WC.js} +3 -3
  37. package/dist/{chunk-CDLU5P62.js.map → chunk-MPHVA4WC.js.map} +1 -1
  38. package/dist/{chunk-U2O3AUM2.js → chunk-NW4KR67N.js} +8 -8
  39. package/dist/{chunk-U2O3AUM2.js.map → chunk-NW4KR67N.js.map} +1 -1
  40. package/dist/{chunk-S5O4AAVX.js → chunk-OGGTDFVX.js} +8 -8
  41. package/dist/{chunk-S5O4AAVX.js.map → chunk-OGGTDFVX.js.map} +1 -1
  42. package/dist/chunk-P33JXOU6.js +523 -0
  43. package/dist/chunk-P33JXOU6.js.map +1 -0
  44. package/dist/{chunk-R73FENLU.js → chunk-QDEAHBCB.js} +3 -3
  45. package/dist/{chunk-R73FENLU.js.map → chunk-QDEAHBCB.js.map} +1 -1
  46. package/dist/{chunk-RBFS2QGC.js → chunk-RQZZDYWL.js} +8 -8
  47. package/dist/{chunk-RBFS2QGC.js.map → chunk-RQZZDYWL.js.map} +1 -1
  48. package/dist/{chunk-MGWUDHT5.js → chunk-UUJK65RS.js} +11 -3
  49. package/dist/chunk-UUJK65RS.js.map +1 -0
  50. package/dist/{chunk-A6THM3IR.js → chunk-WJLMLKSG.js} +5 -5
  51. package/dist/{chunk-A6THM3IR.js.map → chunk-WJLMLKSG.js.map} +1 -1
  52. package/dist/{chunk-YO6WHPM4.js → chunk-WTBUNHUJ.js} +5 -5
  53. package/dist/{chunk-YO6WHPM4.js.map → chunk-WTBUNHUJ.js.map} +1 -1
  54. package/dist/chunk-XUY3HAO2.js +171 -0
  55. package/dist/chunk-XUY3HAO2.js.map +1 -0
  56. package/dist/{chunk-ZJNDICC4.js → chunk-XXSPHSF7.js} +6 -6
  57. package/dist/{chunk-ZJNDICC4.js.map → chunk-XXSPHSF7.js.map} +1 -1
  58. package/dist/{chunk-GURKQO4J.js → chunk-YWTIKDGU.js} +7 -2
  59. package/dist/chunk-YWTIKDGU.js.map +1 -0
  60. package/dist/{chunk-F5H5MJ6U.js → chunk-ZTFQ7ZVH.js} +2 -5
  61. package/dist/chunk-ZTFQ7ZVH.js.map +1 -0
  62. package/dist/cli/cli-executable.js +54 -51
  63. package/dist/cli/cli-executable.js.map +1 -1
  64. package/dist/config-item-SQFJ2BJ2.js +7 -0
  65. package/dist/{config-item-6LTV4PNH.js.map → config-item-SQFJ2BJ2.js.map} +1 -1
  66. package/dist/dist-ZBZ52DPW.js +4 -0
  67. package/dist/{dist-WGIHRGBZ.js.map → dist-ZBZ52DPW.js.map} +1 -1
  68. package/dist/dotenv-compat.js +6 -6
  69. package/dist/encrypt.command-WISNYCTG.js +14 -0
  70. package/dist/{encrypt.command-F2OTB6HD.js.map → encrypt.command-WISNYCTG.js.map} +1 -1
  71. package/dist/{env-graph-iNQyTcya.d.ts → env-graph-DImkUkjl.d.ts} +30 -19
  72. package/dist/explain.command-THO6CRHD.js +15 -0
  73. package/dist/{explain.command-TEIPRC7Q.js.map → explain.command-THO6CRHD.js.map} +1 -1
  74. package/dist/index.d.ts +2 -2
  75. package/dist/index.js +14 -15
  76. package/dist/index.js.map +1 -1
  77. package/dist/init.command-3EDACW36.js +14 -0
  78. package/dist/{init.command-5LP3UFKD.js.map → init.command-3EDACW36.js.map} +1 -1
  79. package/dist/install-plugin.command-MXBZTBTE.js +13 -0
  80. package/dist/{install-plugin.command-X7RSLPUJ.js.map → install-plugin.command-MXBZTBTE.js.map} +1 -1
  81. package/dist/lib/exec-sync-varlock.js +1 -1
  82. package/dist/load.command-XRABTXAE.js +15 -0
  83. package/dist/{load.command-7SQRDQ3E.js.map → load.command-XRABTXAE.js.map} +1 -1
  84. package/dist/lock.command-O5MPBQ2I.js +7 -0
  85. package/dist/{lock.command-4LTGMJA3.js.map → lock.command-O5MPBQ2I.js.map} +1 -1
  86. package/dist/plugin-lib.d.ts +2 -2
  87. package/dist/plugin-lib.js +2 -2
  88. package/dist/printenv.command-DLCI4IPZ.js +15 -0
  89. package/dist/{printenv.command-ON7RMFEU.js.map → printenv.command-DLCI4IPZ.js.map} +1 -1
  90. package/dist/reveal.command-6BTK3FJZ.js +15 -0
  91. package/dist/{reveal.command-BW6XYVXH.js.map → reveal.command-6BTK3FJZ.js.map} +1 -1
  92. package/dist/run.command-5CIHZECD.js +16 -0
  93. package/dist/{run.command-5QADABYL.js.map → run.command-5CIHZECD.js.map} +1 -1
  94. package/dist/runtime/env.d.ts +1 -1
  95. package/dist/runtime/env.js +1 -1
  96. package/dist/runtime/init-edge.cjs +9 -1
  97. package/dist/runtime/init-server.cjs +9 -1
  98. package/dist/runtime/patch-console.js +2 -2
  99. package/dist/runtime/patch-response.js +2 -2
  100. package/dist/runtime/patch-server-response.js +2 -2
  101. package/dist/scan.command-PW3OOLQY.js +16 -0
  102. package/dist/{scan.command-ZVW3XAUG.js.map → scan.command-PW3OOLQY.js.map} +1 -1
  103. package/dist/telemetry.command-TZDNG2WR.js +13 -0
  104. package/dist/{telemetry.command-PY6E4QSH.js.map → telemetry.command-TZDNG2WR.js.map} +1 -1
  105. package/dist/typegen.command-QD26Q3MP.js +14 -0
  106. package/dist/{typegen.command-KZ4O5IKQ.js.map → typegen.command-QD26Q3MP.js.map} +1 -1
  107. package/native-bins/darwin/VarlockEnclave.app/Contents/CodeResources +0 -0
  108. package/native-bins/darwin/VarlockEnclave.app/Contents/MacOS/varlock-local-encrypt +0 -0
  109. package/native-bins/win32-x64/varlock-local-encrypt.exe +0 -0
  110. package/package.json +2 -2
  111. package/dist/chunk-2PFIYNFA.js.map +0 -1
  112. package/dist/chunk-6RF54KKR.js.map +0 -1
  113. package/dist/chunk-7GFD2ATN.js +0 -136
  114. package/dist/chunk-7GFD2ATN.js.map +0 -1
  115. package/dist/chunk-F5H5MJ6U.js.map +0 -1
  116. package/dist/chunk-GURKQO4J.js.map +0 -1
  117. package/dist/chunk-HDKXXS2X.js +0 -1959
  118. package/dist/chunk-HDKXXS2X.js.map +0 -1
  119. package/dist/chunk-JIUWL2NT.js.map +0 -1
  120. package/dist/chunk-MGWUDHT5.js.map +0 -1
  121. package/dist/chunk-QP7TS4SU.js.map +0 -1
  122. package/dist/chunk-SDN53OAC.js.map +0 -1
  123. package/dist/chunk-XWYFSG46.js.map +0 -1
  124. package/dist/config-item-6LTV4PNH.js +0 -7
  125. package/dist/dist-WGIHRGBZ.js +0 -4
  126. package/dist/encrypt.command-F2OTB6HD.js +0 -14
  127. package/dist/explain.command-TEIPRC7Q.js +0 -15
  128. package/dist/init.command-5LP3UFKD.js +0 -13
  129. package/dist/install-plugin.command-X7RSLPUJ.js +0 -13
  130. package/dist/load.command-7SQRDQ3E.js +0 -15
  131. package/dist/lock.command-4LTGMJA3.js +0 -7
  132. package/dist/printenv.command-ON7RMFEU.js +0 -15
  133. package/dist/reveal.command-BW6XYVXH.js +0 -15
  134. package/dist/run.command-5QADABYL.js +0 -16
  135. package/dist/scan.command-ZVW3XAUG.js +0 -16
  136. package/dist/telemetry.command-PY6E4QSH.js +0 -13
  137. package/dist/typegen.command-KZ4O5IKQ.js +0 -15
package/dist/{chunk-TQXYC3G3.js → chunk-HH647LSU.js} RENAMED
@@ -1,7 +1,7 @@
1
1
  import { define } from './chunk-4A54P4EM.js';
2
- import { checkForSchemaErrors, checkForNoEnvFiles } from './chunk-7GFD2ATN.js';
3
- import { loadVarlockEnvGraph } from './chunk-E3F6QKDZ.js';
4
- import { CliExitError } from './chunk-QP7TS4SU.js';
2
+ import { checkForSchemaErrors, checkForNoEnvFiles } from './chunk-XUY3HAO2.js';
3
+ import { loadVarlockEnvGraph } from './chunk-C5LW5EET.js';
4
+ import { CliExitError } from './chunk-JOGGSYT2.js';
5
5
  import { __name } from './chunk-6PEHRAEP.js';
6
6
 
7
7
  // src/cli/commands/typegen.command.ts
@@ -45,5 +45,5 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
45
45
  }, "commandFn");
46
46
 
47
47
  export { commandFn, commandSpec };
48
- //# sourceMappingURL=chunk-TQXYC3G3.js.map
49
- //# sourceMappingURL=chunk-TQXYC3G3.js.map
48
+ //# sourceMappingURL=chunk-HH647LSU.js.map
49
+ //# sourceMappingURL=chunk-HH647LSU.js.map
package/dist/{chunk-TQXYC3G3.js.map → chunk-HH647LSU.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/cli/commands/typegen.command.ts"],"names":[],"mappings":";;;;;;;AAOO,IAAM,cAAc,MAAA,CAAO;AAAA,EAChC,IAAA,EAAM,SAAA;AAAA,EACN,WAAA,EAAa,gDAAA;AAAA,EACb,IAAA,EAAM;AAAA,IACJ,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,GAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA;AACf,GACF;AAAA,EACA,QAAA,EAAU;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA,CAAA,CAWV,IAAA;AACF,CAAC;AAGM,IAAM,SAAA,iCAA6D,GAAA,KAAQ;AAChF,EAAA,MAAM,QAAA,GAAW,MAAM,mBAAA,CAAoB;AAAA,IACzC,cAAA,EAAgB,IAAI,MAAA,CAAO;AAAA,GAC5B,CAAA;AACD,EAAA,oBAAA,CAAqB,QAAQ,CAAA;AAC7B,EAAA,kBAAA,CAAmB,QAAQ,CAAA;AAG3B,EAAA,MAAM,iBAAiB,MAAM,QAAA,CAAS,sBAAsB,EAAE,eAAA,EAAiB,MAAM,CAAA;AAErF,EAAA,IAAI,mBAAmB,CAAA,EAAG;AACxB,IAAA,MAAM,IAAI,aAAa,kDAAA,EAAoD;AAAA,MACzE,UAAA,EAAY;AAAA,KACb,CAAA;AAAA,EACH;AAEA,EAAA,OAAA,CAAQ,IAAI,qCAAgC,CAAA;AAC9C,CAAA,EAjBmE,WAAA","file":"chunk-TQXYC3G3.js","sourcesContent":["import { define } from 'gunshi';\n\nimport { loadVarlockEnvGraph } from '../../lib/load-graph';\nimport { checkForNoEnvFiles, checkForSchemaErrors } from '../helpers/error-checks';\nimport { CliExitError } from '../helpers/exit-error';\nimport { type TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\n\nexport const commandSpec = define({\n name: 'typegen',\n description: 'Generate TypeScript types from your env schema',\n args: {\n path: {\n type: 'string',\n short: 'p',\n multiple: true,\n description: 'Path to a specific .env file or directory to use as the entry point (can be specified multiple times)',\n },\n },\n examples: `\nGenerates TypeScript type definitions from your .env schema files.\nUses only non-environment-specific schema info, so output is deterministic\nregardless of which environment is active.\n\nThis is useful when you have \\`@generateTypes(lang=ts, path=env.d.ts, auto=false)\\`\nin your schema to disable automatic type generation during \\`varlock load\\` or \\`varlock run\\`.\n\nExamples:\n varlock typegen # Generate types using default schema\n varlock typegen --path .env.prod # Generate types from a specific .env file\n`.trim(),\n});\n\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n const envGraph = await loadVarlockEnvGraph({\n entryFilePaths: ctx.values.path,\n });\n checkForSchemaErrors(envGraph);\n checkForNoEnvFiles(envGraph);\n\n // Force type generation even if auto=false is set\n const generatedCount = await envGraph.generateTypesIfNeeded({ ignoreAutoFalse: true });\n\n if (generatedCount === 0) {\n throw new CliExitError('No @generateTypes decorator found in your schema', {\n suggestion: 'Add `@generateTypes(lang=ts, path=env.d.ts)` to your .env.schema file.',\n });\n }\n\n console.log('✅ Types generated successfully');\n};\n"]}
1
+ {"version":3,"sources":["../src/cli/commands/typegen.command.ts"],"names":[],"mappings":";;;;;;;AAOO,IAAM,cAAc,MAAA,CAAO;AAAA,EAChC,IAAA,EAAM,SAAA;AAAA,EACN,WAAA,EAAa,gDAAA;AAAA,EACb,IAAA,EAAM;AAAA,IACJ,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,GAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA;AACf,GACF;AAAA,EACA,QAAA,EAAU;AAAA;AAAA;AAAA;;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA,CAAA,CAWV,IAAA;AACF,CAAC;AAGM,IAAM,SAAA,iCAA6D,GAAA,KAAQ;AAChF,EAAA,MAAM,QAAA,GAAW,MAAM,mBAAA,CAAoB;AAAA,IACzC,cAAA,EAAgB,IAAI,MAAA,CAAO;AAAA,GAC5B,CAAA;AACD,EAAA,oBAAA,CAAqB,QAAQ,CAAA;AAC7B,EAAA,kBAAA,CAAmB,QAAQ,CAAA;AAG3B,EAAA,MAAM,iBAAiB,MAAM,QAAA,CAAS,sBAAsB,EAAE,eAAA,EAAiB,MAAM,CAAA;AAErF,EAAA,IAAI,mBAAmB,CAAA,EAAG;AACxB,IAAA,MAAM,IAAI,aAAa,kDAAA,EAAoD;AAAA,MACzE,UAAA,EAAY;AAAA,KACb,CAAA;AAAA,EACH;AAEA,EAAA,OAAA,CAAQ,IAAI,qCAAgC,CAAA;AAC9C,CAAA,EAjBmE,WAAA","file":"chunk-HH647LSU.js","sourcesContent":["import { define } from 'gunshi';\n\nimport { loadVarlockEnvGraph } from '../../lib/load-graph';\nimport { checkForNoEnvFiles, checkForSchemaErrors } from '../helpers/error-checks';\nimport { CliExitError } from '../helpers/exit-error';\nimport { type TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\n\nexport const commandSpec = define({\n name: 'typegen',\n description: 'Generate TypeScript types from your env schema',\n args: {\n path: {\n type: 'string',\n short: 'p',\n multiple: true,\n description: 'Path to a specific .env file or directory to use as the entry point (can be specified multiple times)',\n },\n },\n examples: `\nGenerates TypeScript type definitions from your .env schema files.\nUses only non-environment-specific schema info, so output is deterministic\nregardless of which environment is active.\n\nThis is useful when you have \\`@generateTypes(lang=ts, path=env.d.ts, auto=false)\\`\nin your schema to disable automatic type generation during \\`varlock load\\` or \\`varlock run\\`.\n\nExamples:\n varlock typegen # Generate types using default schema\n varlock typegen --path .env.prod # Generate types from a specific .env file\n`.trim(),\n});\n\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n const envGraph = await loadVarlockEnvGraph({\n entryFilePaths: ctx.values.path,\n });\n checkForSchemaErrors(envGraph);\n checkForNoEnvFiles(envGraph);\n\n // Force type generation even if auto=false is set\n const generatedCount = await envGraph.generateTypesIfNeeded({ ignoreAutoFalse: true });\n\n if (generatedCount === 0) {\n throw new CliExitError('No @generateTypes decorator found in your schema', {\n suggestion: 'Add `@generateTypes(lang=ts, path=env.d.ts)` to your .env.schema file.',\n });\n }\n\n console.log('✅ Types generated successfully');\n};\n"]}
package/dist/{chunk-6RF54KKR.js → chunk-HMWAOBZR.js} RENAMED
@@ -1,8 +1,10 @@
1
- import { define } from './chunk-4A54P4EM.js';
2
- import { checkForSchemaErrors, checkForNoEnvFiles, checkForConfigErrors, showPluginWarnings } from './chunk-7GFD2ATN.js';
3
- import { loadVarlockEnvGraph } from './chunk-E3F6QKDZ.js';
4
1
  import { gracefulExit } from './chunk-CHQDS2PI.js';
5
- import { getItemSummary } from './chunk-QP7TS4SU.js';
2
+ import { define } from './chunk-4A54P4EM.js';
3
+ import { checkForSchemaErrors, checkForNoEnvFiles, checkForConfigErrors, showPluginWarnings } from './chunk-XUY3HAO2.js';
4
+ import { loadVarlockEnvGraph } from './chunk-C5LW5EET.js';
5
+ import { getItemSummary } from './chunk-JOGGSYT2.js';
6
+ import { ansis_default } from './chunk-GKN3UJNE.js';
7
+ import { redactString } from './chunk-XLYSNOR3.js';
6
8
  import { __name } from './chunk-6PEHRAEP.js';
7
9
  import { writeFileSync } from 'fs';
8
10
 
@@ -17,6 +19,10 @@ var commandSpec = define({
17
19
  description: "Format of output",
18
20
  default: "pretty"
19
21
  },
22
+ agent: {
23
+ type: "boolean",
24
+ description: "Agent-safe mode: redact sensitive values (defaults to JSON format if --format is not set)"
25
+ },
20
26
  compact: {
21
27
  type: "boolean",
22
28
  description: "Use compact format (for json-full: no indentation, for env/shell: skip undefined values)"
@@ -59,6 +65,7 @@ Examples:
59
65
  varlock load --env production # Load for a specific environment (\u26A0\uFE0F ignored if using @currentEnv!)
60
66
  varlock load --format json-full --summary-stderr # JSON on stdout + redacted human summary on stderr
61
67
  varlock load --format json-full --summary-file /tmp/summary.txt # JSON on stdout + redacted human summary written to file
68
+ varlock load --agent # Agent-safe JSON output with sensitive values redacted
62
69
  `.trim()
63
70
  });
64
71
  function formatShellValue(value) {
@@ -71,25 +78,40 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
71
78
  compact,
72
79
  "show-all": showAll,
73
80
  "summary-stderr": summaryStderr,
74
- "summary-file": summaryFile
81
+ "summary-file": summaryFile,
82
+ agent
75
83
  } = ctx.values;
84
+ const outputFormat = agent && format === "pretty" ? "json" : format;
85
+ if (agent && (outputFormat === "env" || outputFormat === "shell")) {
86
+ throw new Error(`--agent is not compatible with --format ${outputFormat}`);
87
+ }
76
88
  const envGraph = await loadVarlockEnvGraph({
77
89
  currentEnvFallback: ctx.values.env,
78
90
  entryFilePaths: ctx.values.path
79
91
  });
80
- if (format !== "json-full") {
81
- checkForSchemaErrors(envGraph);
92
+ let hasSchemaErrors = false;
93
+ let hadSchemaOutput = false;
94
+ if (outputFormat === "json-full") {
95
+ const result = checkForSchemaErrors(envGraph, { noThrow: true });
96
+ hasSchemaErrors = result.hasErrors;
97
+ hadSchemaOutput = result.hasOutput;
98
+ checkForNoEnvFiles(envGraph, { noThrow: true });
99
+ } else {
100
+ const result = checkForSchemaErrors(envGraph);
101
+ hadSchemaOutput = result.hasOutput;
82
102
  checkForNoEnvFiles(envGraph);
83
103
  }
84
104
  if (!envGraph.rootDataSource) throw new Error("expected root data source to be set");
85
- await envGraph.generateTypesIfNeeded();
86
- await envGraph.resolveEnvValues();
87
- if (format === "json-full") {
88
- checkForConfigErrors(envGraph, { showAll, noThrow: true });
89
- } else {
90
- checkForConfigErrors(envGraph, { showAll });
105
+ if (!hasSchemaErrors) {
106
+ await envGraph.generateTypesIfNeeded();
107
+ await envGraph.resolveEnvValues();
108
+ if (outputFormat === "json-full") {
109
+ checkForConfigErrors(envGraph, { showAll, noThrow: true });
110
+ } else {
111
+ checkForConfigErrors(envGraph, { showAll });
112
+ }
91
113
  }
92
- if ((summaryStderr || summaryFile) && format !== "pretty") {
114
+ if ((summaryStderr || summaryFile) && outputFormat !== "pretty") {
93
115
  const summaryLines = envGraph.sortedConfigKeys.map(
94
116
  (key) => getItemSummary(envGraph.configSchema[key])
95
117
  );
@@ -102,25 +124,57 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
102
124
  writeFileSync(summaryFile, summaryStr);
103
125
  }
104
126
  }
105
- if (format === "pretty") {
127
+ function getRedactedEnvObject() {
128
+ const redactedEnv = {};
129
+ const resolvedEnv = envGraph.getResolvedEnvObject();
130
+ for (const itemKey of envGraph.sortedConfigKeys) {
131
+ const item = envGraph.configSchema[itemKey];
132
+ const value = resolvedEnv[itemKey];
133
+ if (item.isSensitive && typeof value === "string") {
134
+ redactedEnv[itemKey] = redactString(value);
135
+ } else if (item.isSensitive && value !== void 0) {
136
+ redactedEnv[itemKey] = "[REDACTED]";
137
+ } else {
138
+ redactedEnv[itemKey] = value;
139
+ }
140
+ }
141
+ return redactedEnv;
142
+ }
143
+ __name(getRedactedEnvObject, "getRedactedEnvObject");
144
+ if (outputFormat === "pretty") {
106
145
  showPluginWarnings(envGraph);
146
+ if (hadSchemaOutput) {
147
+ console.error();
148
+ }
149
+ console.error(ansis_default.bold.green("-- Resolved config --"));
107
150
  for (const itemKey of envGraph.sortedConfigKeys) {
108
151
  const item = envGraph.configSchema[itemKey];
109
152
  console.log(getItemSummary(item));
110
153
  }
111
- } else if (format === "json") {
112
- console.log(JSON.stringify(envGraph.getResolvedEnvObject(), null, 2));
113
- } else if (format === "json-full") {
154
+ } else if (outputFormat === "json") {
155
+ const env = agent ? getRedactedEnvObject() : envGraph.getResolvedEnvObject();
156
+ console.log(JSON.stringify(env, null, 2));
157
+ } else if (outputFormat === "json-full") {
114
158
  const indent = compact ? 0 : 2;
115
159
  const serialized = envGraph.getSerializedGraph();
160
+ if (agent) {
161
+ for (const key in serialized.config) {
162
+ const item = serialized.config[key];
163
+ if (item.isSensitive && typeof item.value === "string") {
164
+ item.value = redactString(item.value);
165
+ } else if (item.isSensitive && item.value !== void 0) {
166
+ item.value = "[REDACTED]";
167
+ }
168
+ }
169
+ }
116
170
  console.log(JSON.stringify(serialized, null, indent));
117
171
  if (serialized.errors) {
118
172
  gracefulExit(1);
119
173
  }
120
- } else if (format === "env" || format === "shell") {
174
+ } else if (outputFormat === "env" || outputFormat === "shell") {
121
175
  const resolvedEnv = envGraph.getResolvedEnvObject();
122
176
  const skipUndefined = compact === true;
123
- const prefix = format === "shell" ? "export " : "";
177
+ const prefix = outputFormat === "shell" ? "export " : "";
124
178
  for (const key in resolvedEnv) {
125
179
  const value = resolvedEnv[key];
126
180
  if (value === void 0 && skipUndefined) {
@@ -130,7 +184,7 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
130
184
  if (value === void 0) {
131
185
  strValue = "";
132
186
  } else if (typeof value === "string") {
133
- if (format === "shell") {
187
+ if (outputFormat === "shell") {
134
188
  strValue = formatShellValue(value);
135
189
  } else {
136
190
  strValue = `"${value.replaceAll('"', '\\"').replaceAll("\n", "\\n")}"`;
@@ -141,10 +195,10 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
141
195
  console.log(`${prefix}${key}=${strValue}`);
142
196
  }
143
197
  } else {
144
- throw new Error(`Unknown format: ${format}`);
198
+ throw new Error(`Unknown format: ${outputFormat}`);
145
199
  }
146
200
  }, "commandFn");
147
201
 
148
202
  export { commandFn, commandSpec, formatShellValue };
149
- //# sourceMappingURL=chunk-6RF54KKR.js.map
150
- //# sourceMappingURL=chunk-6RF54KKR.js.map
203
+ //# sourceMappingURL=chunk-HMWAOBZR.js.map
204
+ //# sourceMappingURL=chunk-HMWAOBZR.js.map
package/dist/chunk-HMWAOBZR.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/cli/commands/load.command.ts"],"names":[],"mappings":";;;;;;;;;;AAaO,IAAM,cAAc,MAAA,CAAO;AAAA,EAChC,IAAA,EAAM,MAAA;AAAA,EACN,WAAA,EAAa,iDAAA;AAAA,EACb,IAAA,EAAM;AAAA,IACJ,MAAA,EAAQ;AAAA,MACN,IAAA,EAAM,MAAA;AAAA,MACN,KAAA,EAAO,GAAA;AAAA,MACP,SAAS,CAAC,QAAA,EAAU,MAAA,EAAQ,KAAA,EAAO,SAAS,WAAW,CAAA;AAAA,MACvD,WAAA,EAAa,kBAAA;AAAA,MACb,OAAA,EAAS;AAAA,KACX;AAAA,IACA,KAAA,EAAO;AAAA,MACL,IAAA,EAAM,SAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,OAAA,EAAS;AAAA,MACP,IAAA,EAAM,SAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,UAAA,EAAY;AAAA,MACV,IAAA,EAAM,SAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,GAAA,EAAK;AAAA,MACH,IAAA,EAAM,QAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,KAAA,EAAO,GAAA;AAAA,MACP,QAAA,EAAU,IAAA;AAAA,MACV,WAAA,EAAa;AAAA,KACf;AAAA,IACA,gBAAA,EAAkB;AAAA,MAChB,IAAA,EAAM,SAAA;AAAA,MACN,WAAA,EAAa;AAAA,KACf;AAAA,IACA,cAAA,EAAgB;AAAA,MACd,IAAA,EAAM,QAAA;AAAA,MACN,WAAA,EAAa;AAAA;AACf,GACF;AAAA,EACA,QAAA,EAAU;AAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,CAAA,CAgBV,IAAA;AACF,CAAC;AAQM,SAAS,iBAAiB,KAAA,EAAuB;AACtD,EAAA,OAAO,CAAA,CAAA,EAAI,KAAA,CAAM,UAAA,CAAW,GAAA,EAAK,OAAO,CAAC,CAAA,CAAA,CAAA;AAC3C;AAFgB,MAAA,CAAA,gBAAA,EAAA,kBAAA,CAAA;AAIT,IAAM,SAAA,iCAA6D,GAAA,KAAQ;AAChF,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IAAQ,OAAA;AAAA,IAAS,UAAA,EAAY,OAAA;AAAA,IAAS,gBAAA,EAAkB,aAAA;AAAA,IAAe,cAAA,EAAgB,WAAA;AAAA,IAAa;AAAA,MAClG,GAAA,CAAI,MAAA;AAER,EAAA,MAAM,YAAA,GAAe,KAAA,IAAS,MAAA,KAAW,QAAA,GAAW,MAAA,GAAS,MAAA;AAE7D,EAAA,IAAI,KAAA,KAAU,YAAA,KAAiB,KAAA,IAAS,YAAA,KAAiB,OAAA,CAAA,EAAU;AACjE,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wCAAA,EAA2C,YAAY,CAAA,CAAE,CAAA;AAAA,EAC3E;AAEA,EAAA,MAAM,QAAA,GAAW,MAAM,mBAAA,CAAoB;AAAA,IACzC,kBAAA,EAAoB,IAAI,MAAA,CAAO,GAAA;AAAA,IAC/B,cAAA,EAAgB,IAAI,MAAA,CAAO;AAAA,GAC5B,CAAA;AAKD,EAAA,IAAI,eAAA,GAAkB,KAAA;AACtB,EAAA,IAAI,eAAA,GAAkB,KAAA;AACtB,EAAA,IAAI,iBAAiB,WAAA,EAAa;AAChC,IAAA,MAAM,SAAS,oBAAA,CAAqB,QAAA,EAAU,EAAE,OAAA,EAAS,MAAM,CAAA;AAC/D,IAAA,eAAA,GAAkB,MAAA,CAAO,SAAA;AACzB,IAAA,eAAA,GAAkB,MAAA,CAAO,SAAA;AACzB,IAAA,kBAAA,CAAmB,QAAA,EAAU,EAAE,OAAA,EAAS,IAAA,EAAM,CAAA;AAAA,EAChD,CAAA,MAAO;AACL,IAAA,MAAM,MAAA,GAAS,qBAAqB,QAAQ,CAAA;AAC5C,IAAA,eAAA,GAAkB,MAAA,CAAO,SAAA;AACzB,IAAA,kBAAA,CAAmB,QAAQ,CAAA;AAAA,EAC7B;AAEA,EAAA,IAAI,CAAC,QAAA,CAAS,cAAA,EAAgB,MAAM,IAAI,MAAM,qCAAqC,CAAA;AAInF,EAAA,IAAI,CAAC,eAAA,EAAiB;AAEpB,IAAA,MAAM,SAAS,qBAAA,EAAsB;AAErC,IAAA,MAAM,SAAS,gBAAA,EAAiB;AAEhC,IAAA,IAAI,iBAAiB,WAAA,EAAa;AAChC,MAAA,oBAAA,CAAqB,QAAA,EAAU,EAAE,OAAA,EAAS,OAAA,EAAS,MAAM,CAAA;AAAA,IAC3D,CAAA,MAAO;AACL,MAAA,oBAAA,CAAqB,QAAA,EAAU,EAAE,OAAA,EAAS,CAAA;AAAA,IAC5C;AAAA,EACF;AAEA,EAAA,IAAA,CAAK,aAAA,IAAiB,WAAA,KAAgB,YAAA,KAAiB,QAAA,EAAU;AAC/D,IAAA,MAAM,YAAA,GAAe,SAAS,gBAAA,CAAiB,GAAA;AAAA,MAC7C,CAAC,GAAA,KAAQ,cAAA,CAAe,QAAA,CAAS,YAAA,CAAa,GAAG,CAAC;AAAA,KACpD;AACA,IAAA,MAAM,UAAA,GAAa,CAAA,EAAG,YAAA,CAAa,IAAA,CAAK,IAAI,CAAC;AAAA,CAAA;AAC7C,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,OAAA,CAAQ,MAAA,CAAO,MAAM,UAAU,CAAA;AAAA,IACjC;AACA,IAAA,IAAI,WAAA,EAAa;AACf,MAAA,aAAA,CAAc,aAAa,UAAU,CAAA;AAAA,IACvC;AAAA,EACF;AAGA,EAAA,SAAS,oBAAA,GAAuB;AAC9B,IAAA,MAAM,cAAuC,EAAC;AAC9C,IAAA,MAAM,WAAA,GAAc,SAAS,oBAAA,EAAqB;AAClD,IAAA,KAAA,MAAW,OAAA,IAAW,SAAS,gBAAA,EAAkB;AAC/C,MAAA,MAAM,IAAA,GAAO,QAAA,CAAS,YAAA,CAAa,OAAO,CAAA;AAC1C,MAAA,MAAM,KAAA,GAAQ,YAAY,OAAO,CAAA;AACjC,MAAA,IAAI,IAAA,CAAK,WAAA,IAAe,OAAO,KAAA,KAAU,QAAA,EAAU;AACjD,QAAA,WAAA,CAAY,OAAO,CAAA,GAAI,YAAA,CAAa,KAAK,CAAA;AAAA,MAC3C,CAAA,MAAA,IAAW,IAAA,CAAK,WAAA,IAAe,KAAA,KAAU,MAAA,EAAW;AAClD,QAAA,WAAA,CAAY,OAAO,CAAA,GAAI,YAAA;AAAA,MACzB,CAAA,MAAO;AACL,QAAA,WAAA,CAAY,OAAO,CAAA,GAAI,KAAA;AAAA,MACzB;AAAA,IACF;AACA,IAAA,OAAO,WAAA;AAAA,EACT;AAfS,EAAA,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AAiBT,EAAA,IAAI,iBAAiB,QAAA,EAAU;AAC7B,IAAA,kBAAA,CAAmB,QAAQ,CAAA;AAC3B,IAAA,IAAI,eAAA,EAAiB;AACnB,MAAA,OAAA,CAAQ,KAAA,EAAM;AAAA,IAChB;AACA,IAAA,OAAA,CAAQ,KAAA,CAAM,aAAA,CAAM,IAAA,CAAK,KAAA,CAAM,uBAAuB,CAAC,CAAA;AACvD,IAAA,KAAA,MAAW,OAAA,IAAW,SAAS,gBAAA,EAAkB;AAC/C,MAAA,MAAM,IAAA,GAAO,QAAA,CAAS,YAAA,CAAa,OAAO,CAAA;AAC1C,MAAA,OAAA,CAAQ,GAAA,CAAI,cAAA,CAAe,IAAI,CAAC,CAAA;AAAA,IAClC;AAAA,EACF,CAAA,MAAA,IAAW,iBAAiB,MAAA,EAAQ;AAClC,IAAA,MAAM,GAAA,GAAM,KAAA,GAAQ,oBAAA,EAAqB,GAAI,SAAS,oBAAA,EAAqB;AAC3E,IAAA,OAAA,CAAQ,IAAI,IAAA,CAAK,SAAA,CAAU,GAAA,EAAK,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,EAC1C,CAAA,MAAA,IAAW,iBAAiB,WAAA,EAAa;AACvC,IAAA,MAAM,MAAA,GAAS,UAAU,CAAA,GAAI,CAAA;AAC7B,IAAA,MAAM,UAAA,GAAa,SAAS,kBAAA,EAAmB;AAC/C,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,KAAA,MAAW,GAAA,IAAO,WAAW,MAAA,EAAQ;AACnC,QAAA,MAAM,IAAA,GAAO,UAAA,CAAW,MAAA,CAAO,GAAG,CAAA;AAClC,QAAA,IAAI,IAAA,CAAK,WAAA,IAAe,OAAO,IAAA,CAAK,UAAU,QAAA,EAAU;AACtD,UAAA,IAAA,CAAK,KAAA,GAAQ,YAAA,CAAa,IAAA,CAAK,KAAK,CAAA;AAAA,QACtC,CAAA,MAAA,IAAW,IAAA,CAAK,WAAA,IAAe,IAAA,CAAK,UAAU,MAAA,EAAW;AACvD,UAAA,IAAA,CAAK,KAAA,GAAQ,YAAA;AAAA,QACf;AAAA,MACF;AAAA,IACF;AACA,IAAA,OAAA,CAAQ,IAAI,IAAA,CAAK,SAAA,CAAU,UAAA,EAAY,IAAA,EAAM,MAAM,CAAC,CAAA;AAGpD,IAAA,IAAI,WAAW,MAAA,EAAQ;AACrB,MAAA,YAAA,CAAa,CAAC,CAAA;AAAA,IAChB;AAAA,EACF,CAAA,MAAA,IAAW,YAAA,KAAiB,KAAA,IAAS,YAAA,KAAiB,OAAA,EAAS;AAC7D,IAAA,MAAM,WAAA,GAAc,SAAS,oBAAA,EAAqB;AAClD,IAAA,MAAM,gBAAgB,OAAA,KAAY,IAAA;AAClC,IAAA,MAAM,MAAA,GAAS,YAAA,KAAiB,OAAA,GAAU,SAAA,GAAY,EAAA;AAEtD,IAAA,KAAA,MAAW,OAAO,WAAA,EAAa;AAC7B,MAAA,MAAM,KAAA,GAAQ,YAAY,GAAG,CAAA;AAE7B,MAAA,IAAI,KAAA,KAAU,UAAa,aAAA,EAAe;AACxC,QAAA;AAAA,MACF;AAEA,MAAA,IAAI,QAAA;AACJ,MAAA,IAAI,UAAU,MAAA,EAAW;AACvB,QAAA,QAAA,GAAW,EAAA;AAAA,MACb,CAAA,MAAA,IAAW,OAAO,KAAA,KAAU,QAAA,EAAU;AACpC,QAAA,IAAI,iBAAiB,OAAA,EAAS;AAC5B,UAAA,QAAA,GAAW,iBAAiB,KAAK,CAAA;AAAA,QACnC,CAAA,MAAO;AACL,UAAA,QAAA,GAAW,CAAA,CAAA,EAAI,MAAM,UAAA,CAAW,GAAA,EAAK,KAAK,CAAA,CAAE,UAAA,CAAW,IAAA,EAAM,KAAK,CAAC,CAAA,CAAA,CAAA;AAAA,QACrE;AAAA,MACF,CAAA,MAAO;AACL,QAAA,QAAA,GAAW,IAAA,CAAK,UAAU,KAAK,CAAA;AAAA,MACjC;AACA,MAAA,OAAA,CAAQ,IAAI,CAAA,EAAG,MAAM,GAAG,GAAG,CAAA,CAAA,EAAI,QAAQ,CAAA,CAAE,CAAA;AAAA,IAC3C;AAAA,EACF,CAAA,MAAO;AACL,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,gBAAA,EAAmB,YAAY,CAAA,CAAE,CAAA;AAAA,EACnD;AACF,CAAA,EA7ImE,WAAA","file":"chunk-HMWAOBZR.js","sourcesContent":["import { writeFileSync } from 'node:fs';\nimport { define } from 'gunshi';\nimport { gracefulExit } from 'exit-hook';\n\nimport { loadVarlockEnvGraph } from '../../lib/load-graph';\nimport { getItemSummary } from '../../lib/formatting';\nimport { redactString } from '../../runtime/lib/redaction';\nimport {\n checkForConfigErrors, checkForNoEnvFiles, checkForSchemaErrors, showPluginWarnings,\n} from '../helpers/error-checks';\nimport { type TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\nimport ansis from 'ansis';\n\nexport const commandSpec = define({\n name: 'load',\n description: 'Load env according to schema and resolve values',\n args: {\n format: {\n type: 'enum',\n short: 'f',\n choices: ['pretty', 'json', 'env', 'shell', 'json-full'],\n description: 'Format of output',\n default: 'pretty',\n },\n agent: {\n type: 'boolean',\n description: 'Agent-safe mode: redact sensitive values (defaults to JSON format if --format is not set)',\n },\n compact: {\n type: 'boolean',\n description: 'Use compact format (for json-full: no indentation, for env/shell: skip undefined values)',\n },\n 'show-all': {\n type: 'boolean',\n description: 'When load is failing, show all items rather than only failing items',\n },\n env: {\n type: 'string',\n description: 'Set the environment (e.g., production, development, etc) - will be overridden by @currentEnv in the schema if present',\n },\n path: {\n type: 'string',\n short: 'p',\n multiple: true,\n description: 'Path to a specific .env file or directory to use as the entry point (can be specified multiple times)',\n },\n 'summary-stderr': {\n type: 'boolean',\n description: 'Also output the pretty (redacted) summary to stderr (useful alongside --format json-full to get both machine-readable output on stdout and a human-readable summary on stderr)',\n },\n 'summary-file': {\n type: 'string',\n description: 'Also write the pretty (redacted) summary to a file path (useful for CI, e.g. $GITHUB_STEP_SUMMARY)',\n },\n },\n examples: `\nLoads and validates environment variables according to your .env files, and prints the results.\nUseful for debugging locally, and in CI to print out a summary of env vars.\n\nExamples:\n varlock load # Load and validate with pretty output\n varlock load --format json # Output in JSON format\n eval \"$(varlock load --format shell)\" # Load vars into current shell (useful with direnv)\n varlock load --show-all # Show all items when validation fails\n varlock load --path .env.prod # Load from a specific .env file\n varlock load -p ./envs -p ./overrides # Load from multiple directories\n varlock load --compact # Use compact format - skips undefined values, no indentation for json-full\n varlock load --env production # Load for a specific environment (⚠️ ignored if using @currentEnv!)\n varlock load --format json-full --summary-stderr # JSON on stdout + redacted human summary on stderr\n varlock load --format json-full --summary-file /tmp/summary.txt # JSON on stdout + redacted human summary written to file\n varlock load --agent # Agent-safe JSON output with sensitive values redacted\n`.trim(),\n});\n\n\n/**\n * Formats a string value for safe use in a shell export statement.\n * Uses single-quoted strings to prevent shell injection via backticks, `$`, etc.\n * Single quotes within the value are escaped using the `'\\''` sequence.\n */\nexport function formatShellValue(value: string): string {\n return `'${value.replaceAll(\"'\", \"'\\\\''\")}'`;\n}\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n const {\n format, compact, 'show-all': showAll, 'summary-stderr': summaryStderr, 'summary-file': summaryFile, agent,\n } = ctx.values;\n // --agent defaults to json if no explicit --format was set, but respects --format if provided\n const outputFormat = agent && format === 'pretty' ? 'json' : format;\n\n if (agent && (outputFormat === 'env' || outputFormat === 'shell')) {\n throw new Error(`--agent is not compatible with --format ${outputFormat}`);\n }\n\n const envGraph = await loadVarlockEnvGraph({\n currentEnvFallback: ctx.values.env,\n entryFilePaths: ctx.values.path,\n });\n\n // For json-full, still run the checks so their pretty output goes to stderr,\n // but use noThrow so we can continue to output JSON to stdout.\n // For all other formats, exit on errors as before.\n let hasSchemaErrors = false;\n let hadSchemaOutput = false;\n if (outputFormat === 'json-full') {\n const result = checkForSchemaErrors(envGraph, { noThrow: true });\n hasSchemaErrors = result.hasErrors;\n hadSchemaOutput = result.hasOutput;\n checkForNoEnvFiles(envGraph, { noThrow: true });\n } else {\n const result = checkForSchemaErrors(envGraph);\n hadSchemaOutput = result.hasOutput;\n checkForNoEnvFiles(envGraph);\n }\n\n if (!envGraph.rootDataSource) throw new Error('expected root data source to be set');\n\n // Skip resolution + config checks when schema has errors — the downstream\n // errors would just be noise caused by the parse/schema failure\n if (!hasSchemaErrors) {\n // Generate types before resolving values — uses only non-env-specific schema info\n await envGraph.generateTypesIfNeeded();\n\n await envGraph.resolveEnvValues();\n\n if (outputFormat === 'json-full') {\n checkForConfigErrors(envGraph, { showAll, noThrow: true });\n } else {\n checkForConfigErrors(envGraph, { showAll });\n }\n }\n\n if ((summaryStderr || summaryFile) && outputFormat !== 'pretty') {\n const summaryLines = envGraph.sortedConfigKeys.map(\n (key) => getItemSummary(envGraph.configSchema[key]),\n );\n const summaryStr = `${summaryLines.join('\\n')}\\n`;\n if (summaryStderr) {\n process.stderr.write(summaryStr);\n }\n if (summaryFile) {\n writeFileSync(summaryFile, summaryStr);\n }\n }\n\n /** When --agent is set, return a copy of the resolved env with sensitive values redacted */\n function getRedactedEnvObject() {\n const redactedEnv: Record<string, unknown> = {};\n const resolvedEnv = envGraph.getResolvedEnvObject();\n for (const itemKey of envGraph.sortedConfigKeys) {\n const item = envGraph.configSchema[itemKey];\n const value = resolvedEnv[itemKey];\n if (item.isSensitive && typeof value === 'string') {\n redactedEnv[itemKey] = redactString(value);\n } else if (item.isSensitive && value !== undefined) {\n redactedEnv[itemKey] = '[REDACTED]';\n } else {\n redactedEnv[itemKey] = value;\n }\n }\n return redactedEnv;\n }\n\n if (outputFormat === 'pretty') {\n showPluginWarnings(envGraph);\n if (hadSchemaOutput) {\n console.error();\n }\n console.error(ansis.bold.green('-- Resolved config --'));\n for (const itemKey of envGraph.sortedConfigKeys) {\n const item = envGraph.configSchema[itemKey];\n console.log(getItemSummary(item));\n }\n } else if (outputFormat === 'json') {\n const env = agent ? getRedactedEnvObject() : envGraph.getResolvedEnvObject();\n console.log(JSON.stringify(env, null, 2));\n } else if (outputFormat === 'json-full') {\n const indent = compact ? 0 : 2;\n const serialized = envGraph.getSerializedGraph();\n if (agent) {\n for (const key in serialized.config) {\n const item = serialized.config[key];\n if (item.isSensitive && typeof item.value === 'string') {\n item.value = redactString(item.value);\n } else if (item.isSensitive && item.value !== undefined) {\n item.value = '[REDACTED]';\n }\n }\n }\n console.log(JSON.stringify(serialized, null, indent));\n // Output JSON to stdout even on failure (so consumers can parse err.stdout),\n // but still exit non-zero so execSync callers know something is wrong\n if (serialized.errors) {\n gracefulExit(1);\n }\n } else if (outputFormat === 'env' || outputFormat === 'shell') {\n const resolvedEnv = envGraph.getResolvedEnvObject();\n const skipUndefined = compact === true;\n const prefix = outputFormat === 'shell' ? 'export ' : '';\n\n for (const key in resolvedEnv) {\n const value = resolvedEnv[key];\n\n if (value === undefined && skipUndefined) {\n continue;\n }\n\n let strValue: string;\n if (value === undefined) {\n strValue = '';\n } else if (typeof value === 'string') {\n if (outputFormat === 'shell') {\n strValue = formatShellValue(value);\n } else {\n strValue = `\"${value.replaceAll('\"', '\\\\\"').replaceAll('\\n', '\\\\n')}\"`;\n }\n } else {\n strValue = JSON.stringify(value);\n }\n console.log(`${prefix}${key}=${strValue}`);\n }\n } else {\n throw new Error(`Unknown format: ${outputFormat}`);\n }\n};\n"]}
package/dist/{chunk-H6NILU2I.js → chunk-INGOLNLE.js} RENAMED
@@ -1,5 +1,5 @@
1
- import { CliExitError } from './chunk-QP7TS4SU.js';
2
- import { detectWorkspaceInfo, ansis_default } from './chunk-XWYFSG46.js';
1
+ import { CliExitError } from './chunk-JOGGSYT2.js';
2
+ import { detectWorkspaceInfo, ansis_default } from './chunk-GKN3UJNE.js';
3
3
  import { __name } from './chunk-6PEHRAEP.js';
4
4
  import path from 'path';
5
5
  import fs, { existsSync } from 'fs';
@@ -64,5 +64,5 @@ var logLines = /* @__PURE__ */ __name((lines) => {
64
64
  }, "logLines");
65
65
 
66
66
  export { detectJsPackageManager, fmt, installJsDependency, logLines };
67
- //# sourceMappingURL=chunk-H6NILU2I.js.map
68
- //# sourceMappingURL=chunk-H6NILU2I.js.map
67
+ //# sourceMappingURL=chunk-INGOLNLE.js.map
68
+ //# sourceMappingURL=chunk-INGOLNLE.js.map
package/dist/{chunk-H6NILU2I.js.map → chunk-INGOLNLE.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/cli/helpers/js-package-manager-utils.ts","../src/cli/helpers/pretty-format.ts"],"names":[],"mappings":";;;;;;;AAkBO,SAAS,uBAAuB,IAAA,EAGpC;AACD,EAAA,MAAM,OAAO,mBAAA,CAAoB,EAAE,GAAA,EAAK,IAAA,EAAM,KAAK,CAAA;AACnD,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,IAAI,MAAM,cAAA,EAAgB;AACxB,MAAA,MAAM,IAAI,aAAa,mDAAA,EAAqD;AAAA,QAC1E,UAAA,EAAY,oHAAA;AAAA,QACZ,SAAA,EAAW;AAAA,OACZ,CAAA;AAAA,IACH;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,OAAO,IAAA,CAAK,cAAA;AACd;AAfgB,MAAA,CAAA,sBAAA,EAAA,wBAAA,CAAA;AAiBT,SAAS,oBAAoB,IAAA,EAKjC;AACD,EAAA,MAAM,eAAA,GAAkB,KAAK,IAAA,CAAK,IAAA,CAAK,eAAe,OAAA,CAAQ,GAAA,IAAO,cAAc,CAAA;AAGnF,EAAA,IAAI,CAAC,UAAA,CAAW,eAAe,CAAA,EAAG,OAAO,KAAA;AAEzC,EAAA,MAAM,cAAc,IAAA,CAAK,KAAA,CAAM,GAAG,YAAA,CAAa,eAAA,EAAiB,MAAM,CAAC,CAAA;AAEvE,EAAA,IAAI,WAAA,CAAY,YAAA,EAAc,OAAA,EAAS,OAAO,KAAA;AAG9C,EAAA,QAAA,CAAS;AAAA;AAAA,IAEP,IAAA,CAAK,WAAA,IAAe,CAAA,GAAA,EAAM,IAAA,CAAK,WAAW,CAAA,GAAA,CAAA;AAAA;AAAA,IAE1C,CAAA,EAAG,IAAA,CAAK,cAAc,CAAA,KAAA,EAAQ,KAAK,WAAW,CAAA,CAAA;AAAA;AAAA;AAAA,IAG9C,IAAA,CAAK,cAAA,KAAmB,MAAA,KAAW,IAAA,CAAK,iBAAiB,IAAA,GAAO,+BAAA;AAAA,IAChE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAC,CAAA;AAE3B,EAAA,OAAO,IAAA;AACT;AA3BgB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA;;;AC/BT,IAAM,GAAA,GAAM;AAAA,EACjB,2BAAW,MAAA,CAAA,CAAC,CAAA,KAAc,aAAA,CAAM,OAAA,CAAQ,CAAC,CAAA,EAA9B,WAAA,CAAA;AAAA,EACX,QAAA,0BAAW,CAAA,KAAc,CAAA,UAAA,EAAM,cAAM,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA,CAAA,EAAzC,UAAA,CAAA;AAAA,EACV,QAAA,0BAAW,CAAA,KAAc,CAAA,EAAG,cAAM,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA,CAAA,EAAtC,UAAA,CAAA;AAAA,EACV,OAAA,kBAAS,MAAA,CAAA,CAAC,CAAA,EAAW,IAAA,KAA8D;AACjF,IAAA,IAAI,gBAAA;AACJ,IAAA,IAAI,IAAA,EAAM,qBAAqB,IAAA,EAAM;AACnC,MAAA,gBAAA,GAAmB,sBAAA,EAAuB;AAAA,IAC5C,CAAA,MAAA,IAAW,MAAM,gBAAA,EAAkB;AACjC,MAAA,gBAAA,GAAmB,IAAA,CAAK,gBAAA;AAAA,IAC1B;AACA,IAAA,IAAI,gBAAA,EAAkB;AACpB,MAAA,CAAA,GAAI,CAAA,EAAG,gBAAA,CAAiB,IAAI,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA;AAAA,IACnC;AACA,IAAA,OAAO,aAAA,CAAM,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA;AAAA,EAC7B,CAAA,EAXS,SAAA,CAAA;AAAA,EAYT,6BAAa,MAAA,CAAA,CAAC,CAAA,KAAc,cAAM,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA,EAAnC,aAAA;AACf;AAEO,IAAM,QAAA,2BAAY,KAAA,KAA6C;AACpE,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AAExB,IAAA,IAAI,CAAC,IAAA,IAAQ,IAAA,KAAS,EAAA,EAAI;AAC1B,IAAA,OAAA,CAAQ,IAAI,IAAI,CAAA;AAAA,EAClB;AACF,CAAA,EANwB,UAAA","file":"chunk-H6NILU2I.js","sourcesContent":["// Re-exports for backward compatibility - prefer importing from lib/workspace-utils directly\nexport {\n JS_PACKAGE_MANAGERS,\n detectWorkspaceInfo,\n getWorkspaceInfo,\n runWithWorkspaceInfo,\n type JsPackageManager,\n type JsPackageManagerMeta,\n type WorkspaceInfo,\n type MonorepoTool,\n} from '../../lib/workspace-utils';\n\nimport path from 'node:path';\nimport fs, { existsSync } from 'node:fs';\nimport { execSync } from 'node:child_process';\nimport { CliExitError } from './exit-error';\nimport { detectWorkspaceInfo, type JsPackageManager } from '../../lib/workspace-utils';\n\nexport function detectJsPackageManager(opts?: {\n cwd?: string,\n exitIfNotFound?: boolean,\n}) {\n const info = detectWorkspaceInfo({ cwd: opts?.cwd });\n if (!info) {\n if (opts?.exitIfNotFound) {\n throw new CliExitError('Unable to detect your JavaScript package manager!', {\n suggestion: 'We look for lock files (ex: package-lock.json) so you may just need to run a dependency install (ie `npm install`)',\n forceExit: true,\n });\n }\n return undefined;\n }\n return info.packageManager;\n}\n\nexport function installJsDependency(opts: {\n packageName: string,\n packageManager: JsPackageManager,\n packagePath?: string,\n isMonoRepoRoot?: boolean,\n}) {\n const packageJsonPath = path.join(opts.packagePath || process.cwd(), 'package.json');\n\n // for now, we'll just bail if we dont see a package.json\n if (!existsSync(packageJsonPath)) return false;\n\n const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));\n // bail if already installed\n if (packageJson.dependencies?.varlock) return false;\n\n // TODO: might want to check first if it's already installed?\n execSync([\n // move to the correct directory if needed\n opts.packagePath && `cd ${opts.packagePath} &&`,\n // `add` works in all of them\n `${opts.packageManager} add ${opts.packageName}`,\n // tells pnpm to either install in the workspace root explicitly\n // or to not check if we are the in the root\n opts.packageManager === 'pnpm' && (opts.isMonoRepoRoot ? '-w' : '--ignore-workspace-root-check'),\n ].filter(Boolean).join(' '));\n\n return true;\n}\n","import ansis from 'ansis';\nimport { detectJsPackageManager, type JsPackageManagerMeta } from './js-package-manager-utils';\n\n\nexport const fmt = {\n decorator: (s: string) => ansis.magenta(s),\n filePath: (s: string) => `📂 ${ansis.cyan.italic(s)}`,\n fileName: (s: string) => `${ansis.cyan.italic(s)}`,\n command: (s: string, opts?: { jsPackageManager?: JsPackageManagerMeta | true }) => {\n let jsPackageManager: JsPackageManagerMeta | undefined;\n if (opts?.jsPackageManager === true) {\n jsPackageManager = detectJsPackageManager();\n } else if (opts?.jsPackageManager) {\n jsPackageManager = opts.jsPackageManager;\n }\n if (jsPackageManager) {\n s = `${jsPackageManager.exec} ${s}`;\n }\n return ansis.green.italic(s);\n },\n packageName: (s: string) => ansis.green.italic(s),\n};\n\nexport const logLines = (lines: Array<string | false | undefined>) => {\n for (const line of lines) {\n // skip false, null, undefined, but not empty strings\n if (!line && line !== '') continue;\n console.log(line);\n }\n};\n"]}
1
+ {"version":3,"sources":["../src/cli/helpers/js-package-manager-utils.ts","../src/cli/helpers/pretty-format.ts"],"names":[],"mappings":";;;;;;;AAkBO,SAAS,uBAAuB,IAAA,EAGpC;AACD,EAAA,MAAM,OAAO,mBAAA,CAAoB,EAAE,GAAA,EAAK,IAAA,EAAM,KAAK,CAAA;AACnD,EAAA,IAAI,CAAC,IAAA,EAAM;AACT,IAAA,IAAI,MAAM,cAAA,EAAgB;AACxB,MAAA,MAAM,IAAI,aAAa,mDAAA,EAAqD;AAAA,QAC1E,UAAA,EAAY,oHAAA;AAAA,QACZ,SAAA,EAAW;AAAA,OACZ,CAAA;AAAA,IACH;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,OAAO,IAAA,CAAK,cAAA;AACd;AAfgB,MAAA,CAAA,sBAAA,EAAA,wBAAA,CAAA;AAiBT,SAAS,oBAAoB,IAAA,EAKjC;AACD,EAAA,MAAM,eAAA,GAAkB,KAAK,IAAA,CAAK,IAAA,CAAK,eAAe,OAAA,CAAQ,GAAA,IAAO,cAAc,CAAA;AAGnF,EAAA,IAAI,CAAC,UAAA,CAAW,eAAe,CAAA,EAAG,OAAO,KAAA;AAEzC,EAAA,MAAM,cAAc,IAAA,CAAK,KAAA,CAAM,GAAG,YAAA,CAAa,eAAA,EAAiB,MAAM,CAAC,CAAA;AAEvE,EAAA,IAAI,WAAA,CAAY,YAAA,EAAc,OAAA,EAAS,OAAO,KAAA;AAG9C,EAAA,QAAA,CAAS;AAAA;AAAA,IAEP,IAAA,CAAK,WAAA,IAAe,CAAA,GAAA,EAAM,IAAA,CAAK,WAAW,CAAA,GAAA,CAAA;AAAA;AAAA,IAE1C,CAAA,EAAG,IAAA,CAAK,cAAc,CAAA,KAAA,EAAQ,KAAK,WAAW,CAAA,CAAA;AAAA;AAAA;AAAA,IAG9C,IAAA,CAAK,cAAA,KAAmB,MAAA,KAAW,IAAA,CAAK,iBAAiB,IAAA,GAAO,+BAAA;AAAA,IAChE,MAAA,CAAO,OAAO,CAAA,CAAE,IAAA,CAAK,GAAG,CAAC,CAAA;AAE3B,EAAA,OAAO,IAAA;AACT;AA3BgB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA;;;AC/BT,IAAM,GAAA,GAAM;AAAA,EACjB,2BAAW,MAAA,CAAA,CAAC,CAAA,KAAc,aAAA,CAAM,OAAA,CAAQ,CAAC,CAAA,EAA9B,WAAA,CAAA;AAAA,EACX,QAAA,0BAAW,CAAA,KAAc,CAAA,UAAA,EAAM,cAAM,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA,CAAA,EAAzC,UAAA,CAAA;AAAA,EACV,QAAA,0BAAW,CAAA,KAAc,CAAA,EAAG,cAAM,IAAA,CAAK,MAAA,CAAO,CAAC,CAAC,CAAA,CAAA,EAAtC,UAAA,CAAA;AAAA,EACV,OAAA,kBAAS,MAAA,CAAA,CAAC,CAAA,EAAW,IAAA,KAA8D;AACjF,IAAA,IAAI,gBAAA;AACJ,IAAA,IAAI,IAAA,EAAM,qBAAqB,IAAA,EAAM;AACnC,MAAA,gBAAA,GAAmB,sBAAA,EAAuB;AAAA,IAC5C,CAAA,MAAA,IAAW,MAAM,gBAAA,EAAkB;AACjC,MAAA,gBAAA,GAAmB,IAAA,CAAK,gBAAA;AAAA,IAC1B;AACA,IAAA,IAAI,gBAAA,EAAkB;AACpB,MAAA,CAAA,GAAI,CAAA,EAAG,gBAAA,CAAiB,IAAI,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA;AAAA,IACnC;AACA,IAAA,OAAO,aAAA,CAAM,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA;AAAA,EAC7B,CAAA,EAXS,SAAA,CAAA;AAAA,EAYT,6BAAa,MAAA,CAAA,CAAC,CAAA,KAAc,cAAM,KAAA,CAAM,MAAA,CAAO,CAAC,CAAA,EAAnC,aAAA;AACf;AAEO,IAAM,QAAA,2BAAY,KAAA,KAA6C;AACpE,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AAExB,IAAA,IAAI,CAAC,IAAA,IAAQ,IAAA,KAAS,EAAA,EAAI;AAC1B,IAAA,OAAA,CAAQ,IAAI,IAAI,CAAA;AAAA,EAClB;AACF,CAAA,EANwB,UAAA","file":"chunk-INGOLNLE.js","sourcesContent":["// Re-exports for backward compatibility - prefer importing from lib/workspace-utils directly\nexport {\n JS_PACKAGE_MANAGERS,\n detectWorkspaceInfo,\n getWorkspaceInfo,\n runWithWorkspaceInfo,\n type JsPackageManager,\n type JsPackageManagerMeta,\n type WorkspaceInfo,\n type MonorepoTool,\n} from '../../lib/workspace-utils';\n\nimport path from 'node:path';\nimport fs, { existsSync } from 'node:fs';\nimport { execSync } from 'node:child_process';\nimport { CliExitError } from './exit-error';\nimport { detectWorkspaceInfo, type JsPackageManager } from '../../lib/workspace-utils';\n\nexport function detectJsPackageManager(opts?: {\n cwd?: string,\n exitIfNotFound?: boolean,\n}) {\n const info = detectWorkspaceInfo({ cwd: opts?.cwd });\n if (!info) {\n if (opts?.exitIfNotFound) {\n throw new CliExitError('Unable to detect your JavaScript package manager!', {\n suggestion: 'We look for lock files (ex: package-lock.json) so you may just need to run a dependency install (ie `npm install`)',\n forceExit: true,\n });\n }\n return undefined;\n }\n return info.packageManager;\n}\n\nexport function installJsDependency(opts: {\n packageName: string,\n packageManager: JsPackageManager,\n packagePath?: string,\n isMonoRepoRoot?: boolean,\n}) {\n const packageJsonPath = path.join(opts.packagePath || process.cwd(), 'package.json');\n\n // for now, we'll just bail if we dont see a package.json\n if (!existsSync(packageJsonPath)) return false;\n\n const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));\n // bail if already installed\n if (packageJson.dependencies?.varlock) return false;\n\n // TODO: might want to check first if it's already installed?\n execSync([\n // move to the correct directory if needed\n opts.packagePath && `cd ${opts.packagePath} &&`,\n // `add` works in all of them\n `${opts.packageManager} add ${opts.packageName}`,\n // tells pnpm to either install in the workspace root explicitly\n // or to not check if we are the in the root\n opts.packageManager === 'pnpm' && (opts.isMonoRepoRoot ? '-w' : '--ignore-workspace-root-check'),\n ].filter(Boolean).join(' '));\n\n return true;\n}\n","import ansis from 'ansis';\nimport { detectJsPackageManager, type JsPackageManagerMeta } from './js-package-manager-utils';\n\n\nexport const fmt = {\n decorator: (s: string) => ansis.magenta(s),\n filePath: (s: string) => `📂 ${ansis.cyan.italic(s)}`,\n fileName: (s: string) => `${ansis.cyan.italic(s)}`,\n command: (s: string, opts?: { jsPackageManager?: JsPackageManagerMeta | true }) => {\n let jsPackageManager: JsPackageManagerMeta | undefined;\n if (opts?.jsPackageManager === true) {\n jsPackageManager = detectJsPackageManager();\n } else if (opts?.jsPackageManager) {\n jsPackageManager = opts.jsPackageManager;\n }\n if (jsPackageManager) {\n s = `${jsPackageManager.exec} ${s}`;\n }\n return ansis.green.italic(s);\n },\n packageName: (s: string) => ansis.green.italic(s),\n};\n\nexport const logLines = (lines: Array<string | false | undefined>) => {\n for (const line of lines) {\n // skip false, null, undefined, but not empty strings\n if (!line && line !== '') continue;\n console.log(line);\n }\n};\n"]}
package/dist/{chunk-JIUWL2NT.js → chunk-IO2OGZQU.js} RENAMED
@@ -1,10 +1,10 @@
1
- import { define } from './chunk-4A54P4EM.js';
2
- import { loadVarlockEnvGraph, writeBackValue } from './chunk-E3F6QKDZ.js';
3
- import { encryptValue, getBackendInfo, ensureKey, getDaemonClient } from './chunk-GURKQO4J.js';
4
1
  import { gracefulExit } from './chunk-CHQDS2PI.js';
5
- import { CliExitError } from './chunk-QP7TS4SU.js';
6
- import { FileBasedDataSource, ParsedEnvSpecFunctionCall, ParsedEnvSpecStaticValue, multiselect, ansis_default, password } from './chunk-XWYFSG46.js';
7
- import { q } from './chunk-HDKXXS2X.js';
2
+ import { define } from './chunk-4A54P4EM.js';
3
+ import { loadVarlockEnvGraph, writeBackValue } from './chunk-C5LW5EET.js';
4
+ import { encryptValue, getBackendInfo, ensureKey, getDaemonClient } from './chunk-YWTIKDGU.js';
5
+ import { CliExitError } from './chunk-JOGGSYT2.js';
6
+ import { FileBasedDataSource, ParsedEnvSpecFunctionCall, ParsedEnvSpecStaticValue, multiselect, ansis_default, password } from './chunk-GKN3UJNE.js';
7
+ import { q } from './chunk-IRXBCLL2.js';
8
8
  import { __name } from './chunk-6PEHRAEP.js';
9
9
  import path from 'path';
10
10
  import fs from 'fs';
@@ -121,7 +121,7 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
121
121
  `Encryption failed: ${err instanceof Error ? err.message : err}`
122
122
  );
123
123
  }
124
- } else if (backend.biometricAvailable) {
124
+ } else if (backend.biometricAvailable && backend.type === "secure-enclave") {
125
125
  const client = getDaemonClient();
126
126
  const result = await client.promptSecret({ keyId });
127
127
  if (!result) {
@@ -145,5 +145,5 @@ var commandFn = /* @__PURE__ */ __name(async (ctx) => {
145
145
  }, "commandFn");
146
146
 
147
147
  export { commandFn, commandSpec };
148
- //# sourceMappingURL=chunk-JIUWL2NT.js.map
149
- //# sourceMappingURL=chunk-JIUWL2NT.js.map
148
+ //# sourceMappingURL=chunk-IO2OGZQU.js.map
149
+ //# sourceMappingURL=chunk-IO2OGZQU.js.map
package/dist/chunk-IO2OGZQU.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/cli/commands/encrypt.command.ts"],"names":[],"mappings":";;;;;;;;;;;AAmBO,IAAM,cAAc,MAAA,CAAO;AAAA,EAChC,IAAA,EAAM,SAAA;AAAA,EACN,WAAA,EAAa,+CAAA;AAAA,EACb,IAAA,EAAM;AAAA,IACJ,QAAA,EAAU;AAAA,MACR,IAAA,EAAM,QAAA;AAAA,MACN,WAAA,EAAa,8CAAA;AAAA,MACb,OAAA,EAAS;AAAA,KACX;AAAA,IACA,IAAA,EAAM;AAAA,MACJ,IAAA,EAAM,QAAA;AAAA,MACN,WAAA,EAAa;AAAA;AACf;AAEJ,CAAC;AAED,eAAe,WAAA,CAAY,OAAe,QAAA,EAAkB;AAC1D,EAAA,MAAM,YAAA,GAAe,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA;AAC1C,EAAA,IAAI,CAAC,EAAA,CAAG,UAAA,CAAW,YAAY,CAAA,EAAG;AAChC,IAAA,MAAM,IAAI,YAAA,CAAa,CAAA,gBAAA,EAAmB,YAAY,CAAA,CAAE,CAAA;AAAA,EAC1D;AAGA,EAAA,MAAM,QAAA,GAAW,MAAM,mBAAA,EAAoB;AAC3C,EAAA,MAAM,SAAS,gBAAA,EAAiB;AAGhC,EAAA,MAAM,YAAA,GAAe,SAAS,iBAAA,CAAkB,IAAA;AAAA,IAC9C,CAAC,CAAA,KAAM,CAAA,YAAa,mBAAA,IAAuB,EAAE,QAAA,KAAa;AAAA,GAC5D;AAEA,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,MAAM,IAAI,YAAA;AAAA,MACR,SAAS,QAAQ,CAAA,qCAAA,CAAA;AAAA,MACjB,EAAE,YAAY,4EAAA;AAA6E,KAC7F;AAAA,EACF;AAGA,EAAA,MAAM,iBAAwD,EAAC;AAE/D,EAAA,KAAA,MAAW,CAAC,KAAK,OAAO,CAAA,IAAK,OAAO,OAAA,CAAQ,YAAA,CAAa,cAAc,CAAA,EAAG;AACxE,IAAA,MAAM,SAAA,GAAY,QAAA,CAAS,YAAA,CAAa,GAAG,CAAA;AAC3C,IAAA,IAAI,CAAC,WAAW,WAAA,EAAa;AAG7B,IAAA,IAAI,OAAA,CAAQ,uBAAuB,yBAAA,EAA2B;AAG9D,IAAA,IAAI,EAAE,OAAA,CAAQ,WAAA,YAAuB,wBAAA,CAAA,EAA2B;AAChE,IAAA,MAAM,GAAA,GAAM,QAAQ,WAAA,CAAY,cAAA;AAChC,IAAA,IAAI,QAAQ,MAAA,IAAa,GAAA,KAAQ,EAAA,IAAM,OAAO,QAAQ,QAAA,EAAU;AAEhE,IAAA,cAAA,CAAe,IAAA,CAAK,EAAE,GAAA,EAAK,KAAA,EAAO,KAAK,CAAA;AAAA,EACzC;AAEA,EAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/B,IAAA,OAAA,CAAQ,IAAI,iDAAiD,CAAA;AAC7D,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,IAAI,0DAA0D,CAAA;AACtE,EAAA,OAAA,CAAQ,IAAI,kEAAkE,CAAA;AAE9E,EAAA,MAAM,QAAA,GAAW,MAAM,WAAA,CAAY;AAAA,IACjC,SAAS,CAAA,6BAAA,EAAgC,QAAQ,IAAI,aAAA,CAAM,IAAA,CAAK,iDAAiD,CAAC,CAAA,CAAA;AAAA,IAClH,OAAA,EAAS,cAAA,CAAe,GAAA,CAAI,CAAC,IAAA,MAAU;AAAA,MACrC,OAAO,IAAA,CAAK,GAAA;AAAA,MACZ,OAAO,IAAA,CAAK;AAAA,KACd,CAAE,CAAA;AAAA,IACF,eAAe,cAAA,CAAe,GAAA,CAAI,CAAC,IAAA,KAAS,KAAK,GAAG;AAAA,GACrD,CAAA;AAED,EAAA,IAAI,CAAA,CAAS,QAAQ,CAAA,EAAG,OAAO,YAAA,EAAa;AAE5C,EAAA,MAAM,YAAA,GAAe,IAAI,GAAA,CAAI,QAAyB,CAAA;AACtD,EAAA,MAAM,aAAA,GAAgB,eAAe,MAAA,CAAO,CAAC,SAAS,YAAA,CAAa,GAAA,CAAI,IAAA,CAAK,GAAG,CAAC,CAAA;AAEhF,EAAA,IAAI,aAAA,CAAc,WAAW,CAAA,EAAG;AAC9B,IAAA,OAAA,CAAQ,IAAI,oBAAoB,CAAA;AAChC,IAAA;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,IAAI,EAAE,CAAA;AAEd,EAAA,IAAI,cAAA,GAAiB,CAAA;AACrB,EAAA,KAAA,MAAW,QAAQ,aAAA,EAAe;AAChC,IAAA,MAAM,UAAA,GAAa,MAAmB,YAAA,CAAa,IAAA,CAAK,OAAO,KAAK,CAAA;AACpE,IAAA,MAAM,SAAS,cAAA,CAAe,IAAA,CAAK,KAAK,CAAA,eAAA,EAAkB,UAAU,MAAM,YAAY,CAAA;AAEtF,IAAA,IAAI,OAAO,OAAA,EAAS;AAClB,MAAA,cAAA,EAAA;AACA,MAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,aAAA,EAAgB,IAAA,CAAK,GAAG,CAAA,CAAE,CAAA;AAAA,IACxC;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,GAAA,CAAI;AAAA,UAAA,EAAe,cAAc,SAAS,cAAA,KAAmB,CAAA,GAAI,MAAM,EAAE,CAAA,IAAA,EAAO,QAAQ,CAAA,CAAE,CAAA;AACpG;AAjFe,MAAA,CAAA,WAAA,EAAA,aAAA,CAAA;AAmFR,IAAM,SAAA,iCAA6D,GAAA,KAAQ;AAChF,EAAA,MAAM,QAAQ,MAAA,CAAO,GAAA,CAAI,MAAA,CAAO,QAAQ,KAAK,iBAAiB,CAAA;AAC9D,EAAA,MAAM,UAAuB,cAAA,EAAe;AAE5C,EAAA,IAAI;AACF,IAAA,MAAmB,UAAU,KAAK,CAAA;AAAA,EACpC,SAAS,GAAA,EAAK;AACZ,IAAA,IAAI,GAAA,YAAe,cAAc,MAAM,GAAA;AACvC,IAAA,MAAM,IAAI,YAAA;AAAA,MACR,CAAA,uCAAA,EAA0C,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,UAAU,GAAG,CAAA;AAAA,KACpF;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,GAAA,CAAI,SAAS,OAAA,CAAQ,IAAI,aAAa,OAAA,CAAQ,cAAA,GAAiB,iBAAA,GAAoB,YAAY,CAAA,CAAA,CAAG,CAAA;AAE1G,EAAA,MAAM,QAAA,GAAW,IAAI,MAAA,CAAO,IAAA;AAG5B,EAAA,IAAI,QAAA,EAAU;AACZ,IAAA,MAAM,WAAA,CAAY,OAAO,QAAQ,CAAA;AACjC,IAAA;AAAA,EACF;AAIA,EAAA,OAAA,CAAQ,IAAI,EAAE,CAAA;AAEd,EAAA,IAAI,UAAA;AAEJ,EAAA,IAAI,CAAC,OAAA,CAAQ,KAAA,CAAM,KAAA,EAAO;AACxB,IAAA,MAAM,SAAwB,EAAC;AAC/B,IAAA,WAAA,MAAiB,KAAA,IAAS,QAAQ,KAAA,EAAO;AACvC,MAAA,MAAA,CAAO,KAAK,KAAe,CAAA;AAAA,IAC7B;AACA,IAAA,MAAM,QAAA,GAAW,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA,CAAE,SAAS,OAAO,CAAA,CAAE,OAAA,CAAQ,QAAA,EAAU,EAAE,CAAA;AAC7E,IAAA,IAAI,CAAC,QAAA,EAAU;AACb,MAAA,MAAM,IAAI,aAAa,4BAA4B,CAAA;AAAA,IACrD;AACA,IAAA,IAAI;AACF,MAAA,UAAA,GAAa,MAAmB,YAAA,CAAa,QAAA,EAAU,KAAK,CAAA;AAAA,IAC9D,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,GAAA,YAAe,cAAc,MAAM,GAAA;AACvC,MAAA,MAAM,IAAI,YAAA;AAAA,QACR,CAAA,mBAAA,EAAsB,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,UAAU,GAAG,CAAA;AAAA,OAChE;AAAA,IACF;AAAA,EACF,CAAA,MAAA,IAAW,OAAA,CAAQ,kBAAA,IAAsB,OAAA,CAAQ,SAAS,gBAAA,EAAkB;AAI1E,IAAA,MAAM,SAAsB,eAAA,EAAgB;AAC5C,IAAA,MAAM,SAAS,MAAM,MAAA,CAAO,YAAA,CAAa,EAAE,OAAO,CAAA;AAClD,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,OAAO,YAAA,EAAa;AAAA,IACtB;AACA,IAAA,UAAA,GAAa,MAAA;AAAA,EACf,CAAA,MAAO;AACL,IAAA,MAAM,QAAA,GAAW,MAAM,QAAA,CAAS,EAAE,SAAS,qCAAA,EAAuC,IAAA,EAAM,yCAAyC,CAAA;AACjI,IAAA,IAAI,CAAA,CAAS,QAAQ,CAAA,EAAG,OAAO,YAAA,EAAa;AAC5C,IAAA,IAAI;AACF,MAAA,UAAA,GAAa,MAAmB,YAAA,CAAa,QAAA,EAAU,KAAK,CAAA;AAAA,IAC9D,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,GAAA,YAAe,cAAc,MAAM,GAAA;AACvC,MAAA,MAAM,IAAI,YAAA;AAAA,QACR,CAAA,mBAAA,EAAsB,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,UAAU,GAAG,CAAA;AAAA,OAChE;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAA,CAAQ,IAAI,2EAA2E,CAAA;AACvF,EAAA,OAAA,CAAQ,GAAA,CAAI,CAAA,kCAAA,EAAqC,UAAU,CAAA,EAAA,CAAI,CAAA;AACjE,CAAA,EAvEmE,WAAA","file":"chunk-IO2OGZQU.js","sourcesContent":["import { define } from 'gunshi';\nimport { isCancel } from '@clack/prompts';\nimport ansis from 'ansis';\nimport path from 'node:path';\nimport fs from 'node:fs';\n\nimport {\n ParsedEnvSpecStaticValue,\n ParsedEnvSpecFunctionCall,\n} from '@env-spec/parser';\nimport { FileBasedDataSource } from '../../env-graph';\nimport { loadVarlockEnvGraph } from '../../lib/load-graph';\nimport { type TypedGunshiCommandFn } from '../helpers/gunshi-type-utils';\nimport { CliExitError } from '../helpers/exit-error';\nimport { multiselect, password } from '../helpers/prompts';\nimport { gracefulExit } from 'exit-hook';\nimport * as localEncrypt from '../../lib/local-encrypt';\nimport { writeBackValue } from '../../lib/local-encrypt/write-back';\n\nexport const commandSpec = define({\n name: 'encrypt',\n description: 'Encrypt a value using device-local encryption',\n args: {\n 'key-id': {\n type: 'string',\n description: 'Encryption key ID (default: varlock-default)',\n default: 'varlock-default',\n },\n file: {\n type: 'string',\n description: 'Path to a .env file — encrypts all sensitive plaintext values in-place',\n },\n },\n});\n\nasync function encryptFile(keyId: string, filePath: string) {\n const resolvedPath = path.resolve(filePath);\n if (!fs.existsSync(resolvedPath)) {\n throw new CliExitError(`File not found: ${resolvedPath}`);\n }\n\n // Load the full env graph and resolve to get sensitivity info from the schema\n const envGraph = await loadVarlockEnvGraph();\n await envGraph.resolveEnvValues();\n\n // Find the data source matching the target file\n const targetSource = envGraph.sortedDataSources.find(\n (s) => s instanceof FileBasedDataSource && s.fullPath === resolvedPath,\n ) as FileBasedDataSource | undefined;\n\n if (!targetSource) {\n throw new CliExitError(\n `File \"${filePath}\" is not part of the loaded env graph`,\n { suggestion: 'Make sure the file is in the project directory or imported by your schema.' },\n );\n }\n\n // Find sensitive items that have plaintext static values in this file\n const itemsToEncrypt: Array<{ key: string; value: string }> = [];\n\n for (const [key, itemDef] of Object.entries(targetSource.configItemDefs)) {\n const graphItem = envGraph.configSchema[key];\n if (!graphItem?.isSensitive) continue;\n\n // Skip items already using varlock() or another function call\n if (itemDef.parsedValue instanceof ParsedEnvSpecFunctionCall) continue;\n\n // Only encrypt items with actual static string values\n if (!(itemDef.parsedValue instanceof ParsedEnvSpecStaticValue)) continue;\n const val = itemDef.parsedValue.unescapedValue;\n if (val === undefined || val === '' || typeof val !== 'string') continue;\n\n itemsToEncrypt.push({ key, value: val });\n }\n\n if (itemsToEncrypt.length === 0) {\n console.log('No sensitive plaintext values found to encrypt.');\n return;\n }\n\n console.log('Only items marked as @sensitive in the schema are shown.');\n console.log('If a key is missing, add @sensitive to it in your schema file.\\n');\n\n const selected = await multiselect({\n message: `Confirm values to encrypt in ${filePath} ${ansis.gray('(use arrows, space to toggle, enter to confirm)')}`,\n options: itemsToEncrypt.map((item) => ({\n value: item.key,\n label: item.key,\n })),\n initialValues: itemsToEncrypt.map((item) => item.key),\n });\n\n if (isCancel(selected)) return gracefulExit();\n\n const selectedKeys = new Set(selected as Array<string>);\n const filteredItems = itemsToEncrypt.filter((item) => selectedKeys.has(item.key));\n\n if (filteredItems.length === 0) {\n console.log('No items selected.');\n return;\n }\n\n console.log('');\n\n let encryptedCount = 0;\n for (const item of filteredItems) {\n const ciphertext = await localEncrypt.encryptValue(item.value, keyId);\n const result = writeBackValue(item.key, `varlock(\"local:${ciphertext}\")`, resolvedPath);\n\n if (result.updated) {\n encryptedCount++;\n console.log(` Encrypted: ${item.key}`);\n }\n }\n\n console.log(`\\nEncrypted ${encryptedCount} value${encryptedCount !== 1 ? 's' : ''} in ${filePath}`);\n}\n\nexport const commandFn: TypedGunshiCommandFn<typeof commandSpec> = async (ctx) => {\n const keyId = String(ctx.values['key-id'] || 'varlock-default');\n const backend = localEncrypt.getBackendInfo();\n\n try {\n await localEncrypt.ensureKey(keyId);\n } catch (err) {\n if (err instanceof CliExitError) throw err;\n throw new CliExitError(\n `Failed to check/create encryption key: ${err instanceof Error ? err.message : err}`,\n );\n }\n\n console.log(`Using ${backend.type} backend (${backend.hardwareBacked ? 'hardware-backed' : 'file-based'})`);\n\n const filePath = ctx.values.file;\n\n // --file mode: encrypt all sensitive plaintext values in a .env file\n if (filePath) {\n await encryptFile(keyId, filePath);\n return;\n }\n\n // Single-value mode — read from stdin if piped, otherwise prompt interactively.\n // Avoids putting secrets in shell history (e.g. `echo $SECRET | varlock encrypt`).\n console.log('');\n\n let ciphertext: string;\n\n if (!process.stdin.isTTY) {\n const chunks: Array<Buffer> = [];\n for await (const chunk of process.stdin) {\n chunks.push(chunk as Buffer);\n }\n const rawValue = Buffer.concat(chunks).toString('utf-8').replace(/\\r?\\n$/, '');\n if (!rawValue) {\n throw new CliExitError('No value received on stdin');\n }\n try {\n ciphertext = await localEncrypt.encryptValue(rawValue, keyId);\n } catch (err) {\n if (err instanceof CliExitError) throw err;\n throw new CliExitError(\n `Encryption failed: ${err instanceof Error ? err.message : err}`,\n );\n }\n } else if (backend.biometricAvailable && backend.type === 'secure-enclave') {\n // Use native secure input dialog (supports multi-line paste) — macOS Secure Enclave only.\n // Windows Hello (windows-tpm) and WSL2 do not support the prompt-secret daemon action;\n // those backends fall through to the terminal prompt below.\n const client = localEncrypt.getDaemonClient();\n const result = await client.promptSecret({ keyId });\n if (!result) {\n return gracefulExit();\n }\n ciphertext = result;\n } else {\n const prompted = await password({ message: 'Enter the value you want to encrypt', hint: 'for multi-line values, pipe via stdin' });\n if (isCancel(prompted)) return gracefulExit();\n try {\n ciphertext = await localEncrypt.encryptValue(prompted, keyId);\n } catch (err) {\n if (err instanceof CliExitError) throw err;\n throw new CliExitError(\n `Encryption failed: ${err instanceof Error ? err.message : err}`,\n );\n }\n }\n\n console.log('\\nCopy this into your .env.local file and rename the key appropriately:\\n');\n console.log(`SOME_SENSITIVE_KEY=varlock(\"local:${ciphertext}\")`);\n};\n"]}