vaulter 0.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Forattini
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,490 @@
+<div align="center">
+
+# 🔐 vaulter
+
+### Multi-Backend Environment & Secrets Manager
+
+**One CLI to manage all your environment variables.**
+
+</div>
+
+## Quick Start
+
+```bash
+npm install -g vaulter
+```
+
+```bash
+# Initialize project
+vaulter init
+
+# Set some secrets
+vaulter set DATABASE_URL "postgres://localhost/mydb" -e dev
+vaulter set API_KEY "sk-secret-key" -e dev
+
+# Export to shell
+eval $(vaulter export -e dev)
+
+# Deploy to Kubernetes
+vaulter k8s:secret -e prd | kubectl apply -f -
+```
+
+---
+
+<div align="center">
+
+[![npm version](https://img.shields.io/npm/v/vaulter.svg?style=flat-square&color=F5A623)](https://www.npmjs.com/package/vaulter)
+[![TypeScript](https://img.shields.io/badge/TypeScript-5.0+-3178C6?style=flat-square&logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
+[![Node.js](https://img.shields.io/badge/Node.js-22+-339933?style=flat-square&logo=node.js&logoColor=white)](https://nodejs.org/)
+[![License](https://img.shields.io/npm/l/vaulter.svg?style=flat-square&color=007AFF)](https://github.com/forattini-dev/vaulter/blob/main/LICENSE)
+
+Store secrets anywhere: AWS S3, MinIO, R2, Spaces, B2, or local filesystem.
+<br>
+AES-256-GCM encryption. Native K8s, Helm & Terraform integration.
+<br>
+MCP server for Claude AI. Zero config for dev, production-ready.
+
+[📖 Documentation](#configuration) · [🔧 CLI](#commands) · [🚀 Highlights](#highlights)
+
+</div>
+
+---
+
+## What's Inside
+
+| Category | Features |
+|:---------|:---------|
+| **Backends** | AWS S3, MinIO, Cloudflare R2, DigitalOcean Spaces, Backblaze B2, FileSystem, Memory |
+| **Encryption** | AES-256-GCM via s3db.js, field-level encryption, key rotation |
+| **Environments** | dev, stg, prd, sbx, dr (fully customizable) |
+| **Integrations** | Kubernetes Secret/ConfigMap, Helm values.yaml, Terraform tfvars |
+| **Monorepo** | Service discovery, batch operations, config inheritance |
+| **MCP Server** | Claude AI integration via Model Context Protocol |
+| **Unix Pipes** | Full stdin/stdout support for scripting |
+| **Dotenv** | Drop-in compatible: `import 'vaulter/load'` |
+
+## Highlights
+
+### Multi-Backend with Fallback
+
+Configure multiple backends - vaulter tries each until one succeeds:
+
+```yaml
+backend:
+  urls:
+    - s3://bucket/envs?region=us-east-1     # Primary (CI/CD)
+    - file:///home/user/.vaulter-store       # Fallback (local dev)
+```
+
+### Native Integrations
+
+```bash
+# Kubernetes - deploy secrets directly
+vaulter k8s:secret -e prd | kubectl apply -f -
+
+# Helm - generate values file
+vaulter helm:values -e prd | helm upgrade myapp ./chart -f -
+
+# Terraform - export as tfvars
+vaulter tf:vars -e prd > terraform.tfvars
+```
+
+### Unix Pipes
+
+```bash
+# Import from Vault
+vault kv get -format=json secret/app | \
+  jq -r '.data.data | to_entries | .[] | "\(.key)=\(.value)"' | \
+  vaulter sync -e prd
+
+# Export to kubectl
+vaulter export -e prd --format=env | \
+  kubectl create secret generic myapp --from-env-file=/dev/stdin
+```
+
+### MCP Server for Claude
+
+```bash
+# Start MCP server
+vaulter mcp
+```
+
+```json
+{
+  "mcpServers": {
+    "vaulter": {
+      "command": "npx",
+      "args": ["vaulter", "mcp"]
+    }
+  }
+}
+```
+
+### Dotenv Compatible
+
+Drop-in replacement for dotenv - works with your existing setup:
+
+```typescript
+// Auto-load .env into process.env
+import 'vaulter/load'
+
+// Or programmatically with options
+import { loader } from 'vaulter'
+loader({ path: '.env.local', override: true })
+```
+
+## Commands
+
+### Core
+
+| Command | Description | Example |
+|:--------|:------------|:--------|
+| `init` | Initialize project | `vaulter init` |
+| `get <key>` | Get a variable | `vaulter get DATABASE_URL -e prd` |
+| `set <key> <value>` | Set a variable | `vaulter set API_KEY "sk-..." -e prd` |
+| `delete <key>` | Delete a variable | `vaulter delete OLD_KEY -e dev` |
+| `list` | List all variables | `vaulter list -e prd` |
+| `export` | Export for shell | `eval $(vaulter export -e dev)` |
+
+### Sync
+
+| Command | Description | Example |
+|:--------|:------------|:--------|
+| `sync` | Merge local .env and backend | `vaulter sync -f .env.local -e dev` |
+| `pull` | Download to .env | `vaulter pull -e prd -o .env.prd` |
+| `push` | Upload from .env | `vaulter push -f .env.local -e dev` |
+
+### Integrations
+
+| Command | Description | Example |
+|:--------|:------------|:--------|
+| `k8s:secret` | Kubernetes Secret | `vaulter k8s:secret -e prd \| kubectl apply -f -` |
+| `k8s:configmap` | Kubernetes ConfigMap | `vaulter k8s:configmap -e prd` |
+| `helm:values` | Helm values.yaml | `vaulter helm:values -e prd` |
+| `tf:vars` | Terraform .tfvars | `vaulter tf:vars -e prd > terraform.tfvars` |
+| `tf:json` | Terraform JSON | `vaulter tf:json -e prd` |
+
+### Utilities
+
+| Command | Description | Example |
+|:--------|:------------|:--------|
+| `key generate` | Generate encryption key | `vaulter key generate` |
+| `services` | List monorepo services | `vaulter services` |
+| `mcp` | Start MCP server | `vaulter mcp` |
+
+## Global Options
+
+```
+-p, --project <name>    Project name
+-s, --service <name>    Service name (monorepos)
+-e, --env <env>         Environment: dev, stg, prd, sbx, dr
+-b, --backend <url>     Backend URL override
+-k, --key <path|value>  Encryption key file path or raw key
+-v, --verbose           Verbose output
+--all                   All services (monorepo batch)
+--dry-run               Preview without applying
+--json                  JSON output
+--force                 Skip confirmations
+```
+
+## Configuration
+
+### Basic Config
+
+```yaml
+# .vaulter/config.yaml
+version: "1"
+
+project: my-project
+service: api  # optional
+
+backend:
+  # Single URL
+  url: s3://bucket/envs?region=us-east-1
+
+  # Or multiple with fallback
+  urls:
+    - s3://bucket/envs?region=us-east-1
+    - file:///home/user/.vaulter-store
+
+encryption:
+  key_source:
+    - env: VAULTER_KEY           # 1. Environment variable
+    - file: .vaulter/.key        # 2. Local file
+    - s3: s3://keys/vaulter.key  # 3. Remote S3
+
+environments:
+  - dev
+  - stg
+  - prd
+
+default_environment: dev
+```
+
+### Sync Settings
+
+Sync merges local and remote variables. Conflicts are resolved by `sync.conflict`.
+
+```yaml
+sync:
+  conflict: local   # local | remote | prompt | error
+  ignore:
+    - "PUBLIC_*"
+  required:
+    dev:
+      - DATABASE_URL
+```
+
+Notes:
+- `prompt` and `error` will stop the sync if conflicts are detected.
+- When reading from stdin, sync only updates the backend (local file is not changed).
+
+### Hooks
+
+```yaml
+hooks:
+  pre_sync: "echo pre sync"
+  post_sync: "echo post sync"
+  pre_pull: "echo pre pull"
+  post_pull: "echo post pull"
+```
+
+### Environment Variable Expansion
+
+Config values support `${VAR}`, `${VAR:-default}`, and `$VAR`:
+
+```yaml
+backend:
+  url: s3://${AWS_ACCESS_KEY_ID}:${AWS_SECRET_ACCESS_KEY}@bucket/envs
+  # Or
+  url: ${VAULTER_BACKEND_URL}
+```
+
+### Local Override (config.local.yaml)
+
+For credentials that should **never** be committed:
+
+```yaml
+# .vaulter/config.local.yaml (gitignored)
+backend:
+  url: s3://real-key:real-secret@bucket/envs?region=us-east-1
+```
+
+## Backend URLs
+
+| Provider | URL Format |
+|:---------|:-----------|
+| **AWS S3** | `s3://bucket/path?region=us-east-1` |
+| **AWS S3 + Profile** | `s3://bucket/path?region=us-east-1&profile=myprofile` |
+| **AWS S3 + Credentials** | `s3://${KEY}:${SECRET}@bucket/path` |
+| **MinIO** | `http://${KEY}:${SECRET}@localhost:9000/bucket` |
+| **Cloudflare R2** | `https://${KEY}:${SECRET}@${ACCOUNT}.r2.cloudflarestorage.com/bucket` |
+| **DigitalOcean Spaces** | `https://${KEY}:${SECRET}@nyc3.digitaloceanspaces.com/bucket` |
+| **Backblaze B2** | `https://${KEY}:${SECRET}@s3.us-west-002.backblazeb2.com/bucket` |
+| **FileSystem** | `file:///path/to/storage` |
+| **Memory** | `memory://bucket-name` |
+
+## Encryption
+
+All secrets are encrypted with **AES-256-GCM** before storage.
+
+### Key Sources
+
+```bash
+# 1. Environment variable (CI/CD)
+export VAULTER_KEY="base64-encoded-32-byte-key"
+vaulter export -e prd
+
+# 2. Local file (development)
+vaulter key generate -o .vaulter/.key
+
+# 3. Remote S3 (production)
+# Configured in config.yaml
+```
+
+You can also pass a key directly:
+
+```bash
+vaulter list -e prd --key .vaulter/.key
+```
+
+### Security Settings
+
+```yaml
+security:
+  paranoid: true  # Fail if no encryption key is found
+  auto_encrypt:
+    patterns:
+      - "*_KEY"
+      - "*_SECRET"
+      - "DATABASE_URL"
+```
+
+`auto_encrypt.patterns` is used to classify secrets for integrations (K8s/Helm).
+
+## Monorepo Support
+
+```
+my-monorepo/
+├── .vaulter/
+│   ├── config.yaml          # Root config
+│   └── environments/
+├── services/
+│   ├── api/
+│   │   └── .vaulter/
+│   │       ├── config.yaml  # extends: ../../../.vaulter/config.yaml
+│   │       └── environments/
+│   └── worker/
+│       └── .vaulter/
+```
+
+```bash
+# List services
+vaulter services
+
+# Sync all services
+vaulter sync -e dev --all
+
+# Sync specific services
+vaulter sync -e dev -s api,worker
+```
+
+## MCP Tools
+
+| Tool | Description |
+|:-----|:------------|
+| `vaulter_get` | Get a single variable |
+| `vaulter_set` | Set a variable |
+| `vaulter_delete` | Delete a variable |
+| `vaulter_list` | List all variables |
+| `vaulter_export` | Export in various formats |
+| `vaulter_sync` | Sync with .env file |
+
+## CI/CD
+
+### GitHub Actions
+
+```yaml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Deploy secrets
+        env:
+          VAULTER_KEY: ${{ secrets.VAULTER_KEY }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        run: |
+          npx vaulter k8s:secret -e prd | kubectl apply -f -
+```
+
+### GitLab CI
+
+```yaml
+deploy:
+  script:
+    - npx vaulter k8s:secret -e prd | kubectl apply -f -
+  variables:
+    VAULTER_KEY: $VAULTER_KEY
+```
+
+## Security Best Practices
+
+| Practice | How |
+|:---------|:----|
+| Never commit credentials | Use `config.local.yaml` or env vars |
+| Never commit encryption keys | Add `.vaulter/.key` to `.gitignore` |
+| Use env var expansion | `${AWS_ACCESS_KEY_ID}` instead of hardcoding |
+| Use AWS credential chain | No credentials in URL, use IAM roles |
+| Separate keys per environment | Different keys for dev/stg/prd |
+| Restrict S3 bucket access | IAM policies to limit readers |
+
+### Files to .gitignore
+
+```gitignore
+.vaulter/.key
+.vaulter/config.local.yaml
+**/config.local.yaml
+.env
+.env.*
+```
+
+## API Usage
+
+```typescript
+import { VaulterClient, loadConfig } from 'vaulter'
+
+const config = loadConfig()
+const client = new VaulterClient({ config })
+
+await client.connect()
+
+// Get
+const value = await client.get('DATABASE_URL', 'my-project', 'prd')
+
+// Set
+await client.set({
+  key: 'API_KEY',
+  value: 'sk-secret',
+  project: 'my-project',
+  environment: 'prd'
+})
+
+// List
+const vars = await client.list({
+  project: 'my-project',
+  environment: 'prd'
+})
+
+// Export
+const envVars = await client.export('my-project', 'prd')
+
+await client.disconnect()
+```
+
+## Comparison
+
+| Feature | vaulter | dotenv | doppler | vault |
+|:--------|:-------:|:------:|:-------:|:-----:|
+| Multi-backend | ✅ | ❌ | ❌ | ❌ |
+| Encryption | AES-256-GCM | ❌ | ✅ | ✅ |
+| K8s integration | Native | ❌ | Plugin | Plugin |
+| Self-hosted | ✅ | N/A | ❌ | ✅ |
+| Monorepo | Native | ❌ | Limited | ❌ |
+| MCP/AI | ✅ | ❌ | ❌ | ❌ |
+| Complexity | Low | Low | Medium | High |
+
+## Numbers
+
+| Metric | Value |
+|:-------|:------|
+| Backends | 7 (S3, MinIO, R2, Spaces, B2, FileSystem, Memory) |
+| Environments | 5 (dev, stg, prd, sbx, dr) |
+| Export Formats | 5 (shell, json, yaml, env, tfvars) |
+| MCP Tools | 6 |
+| Integrations | 5 (K8s Secret, K8s ConfigMap, Helm, Terraform, tfvars) |
+
+## Pre-built Binaries
+
+Download from [Releases](https://github.com/forattini-dev/vaulter/releases):
+
+| Platform | Binary |
+|:---------|:-------|
+| Linux x64 | `vaulter-linux` |
+| Linux ARM64 | `vaulter-linux-arm64` |
+| macOS x64 | `vaulter-macos` |
+| macOS ARM64 | `vaulter-macos-arm64` |
+| Windows | `vaulter-win.exe` |
+
+## License
+
+MIT © [Forattini](https://github.com/forattini-dev)
+
+---
+
+<div align="center">
+
+**[Documentation](#configuration)** · **[Issues](https://github.com/forattini-dev/vaulter/issues)** · **[Releases](https://github.com/forattini-dev/vaulter/releases)**
+
+</div>

package/dist/bin/minienv-mcp.cjs

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+"use strict";var Q=Object.create;var _=Object.defineProperty;var X=Object.getOwnPropertyDescriptor;var J=Object.getOwnPropertyNames;var ee=Object.getPrototypeOf,ne=Object.prototype.hasOwnProperty;var te=(n,e,r,t)=>{if(e&&typeof e=="object"||typeof e=="function")for(let i of J(e))!ne.call(n,i)&&i!==r&&_(n,i,{get:()=>e[i],enumerable:!(t=X(e,i))||t.enumerable});return n};var E=(n,e,r)=>(r=n!=null?Q(ee(n)):{},te(e||!n||!n.__esModule?_(r,"default",{value:n,enumerable:!0}):r,n));process.setMaxListeners(50);var G=require("@modelcontextprotocol/sdk/server/index.js"),Z=require("@modelcontextprotocol/sdk/server/stdio.js"),p=require("@modelcontextprotocol/sdk/types.js");var I=require("s3db.js"),re=`file://${process.env.HOME||"/tmp"}/.minienv/store`,ie="minienv-default-dev-key",g=class{db=null;resource=null;connectionString;passphrase;initialized=!1;constructor(e={}){this.connectionString=e.connectionString||re,this.passphrase=e.passphrase||ie}async connect(){this.initialized||(this.db=new I.S3db({connectionString:this.connectionString,passphrase:this.passphrase}),await this.db.connect(),this.resource=await this.db.createResource({name:"environment-variables",attributes:{key:"string|required",value:"secret|required",project:"string|required",service:"string|optional",environment:"enum:dev,stg,prd,sbx,dr|required",tags:"array|items:string|optional",metadata:{description:"string|optional",owner:"string|optional",rotateAfter:"date|optional",source:"enum:manual,sync,import|optional"}},partitions:{byProject:{fields:{project:"string"}},byProjectEnv:{fields:{project:"string",environment:"string"}},byProjectServiceEnv:{fields:{project:"string",service:"string",environment:"string"}}},behavior:"body-overflow",timestamps:!0,asyncPartitions:!0}),this.initialized=!0)}ensureConnected(){if(!this.initialized||!this.resource)throw new Error("MiniEnvClient not initialized. Call connect() first.")}async get(e,r,t,i){this.ensureConnected();let s=i?"byProjectServiceEnv":"byProjectEnv",o=i?{project:r,service:i,environment:t}:{project:r,environment:t};return(await this.resource.list({partition:s,partitionValues:o})).find(l=>l.key===e)||null}async set(e){this.ensureConnected();let r=await this.get(e.key,e.project,e.environment,e.service);return r?await this.resource.update(r.id,{value:e.value,tags:e.tags,metadata:{...r.metadata,...e.metadata,source:e.metadata?.source||"manual"}}):await this.resource.insert({...e,metadata:{...e.metadata,source:e.metadata?.source||"manual"}})}async delete(e,r,t,i){this.ensureConnected();let s=await this.get(e,r,t,i);return s?(await this.resource.delete(s.id),!0):!1}async list(e={}){this.ensureConnected();let{project:r,service:t,environment:i,limit:s,offset:o}=e,a,c;r&&t&&i?(a="byProjectServiceEnv",c={project:r,service:t,environment:i}):r&&i?(a="byProjectEnv",c={project:r,environment:i}):r&&(a="byProject",c={project:r});let l={};return a&&c&&(l.partition=a,l.partitionValues=c),s&&(l.limit=s),o&&(l.offset=o),await this.resource.list(l)}async insertMany(e){this.ensureConnected();let r=[];for(let t of e){let i=await this.set(t);r.push(i)}return r}async deleteAll(e,r,t){this.ensureConnected();let i=await this.list({project:e,environment:r,service:t}),s=0;for(let o of i)await this.resource.delete(o.id),s++;return s}async export(e,r,t){let i=await this.list({project:e,environment:r,service:t}),s={};for(let o of i)s[o.key]=o.value;return s}async sync(e,r,t,i,s={}){this.ensureConnected();let o=await this.list({project:r,environment:t,service:i}),a=new Map(o.map(l=>[l.key,l])),c={added:[],updated:[],deleted:[],unchanged:[],conflicts:[]};for(let[l,d]of Object.entries(e)){let u=a.get(l);u?u.value!==d?(await this.set({key:l,value:d,project:r,environment:t,service:i,metadata:{source:s.source||"sync"}}),c.updated.push(l)):c.unchanged.push(l):(await this.set({key:l,value:d,project:r,environment:t,service:i,metadata:{source:s.source||"sync"}}),c.added.push(l)),a.delete(l)}for(let[l]of a)c.deleted.push(l);return c}async disconnect(){this.db&&(await this.db.disconnect(),this.db=null,this.resource=null,this.initialized=!1)}isConnected(){return this.initialized}getConnectionString(){return this.connectionString}};var v=E(require("node:fs"),1),f=E(require("node:path"),1),A=require("yaml");function se(n){let e=new URL(n);if(e.protocol==="s3:"){let r=e.hostname,t=e.pathname.slice(1),i=e.searchParams.get("region")||void 0;return{bucket:r,key:t,region:i}}if(e.protocol==="http:"||e.protocol==="https:"){let r=`${e.protocol}//${e.host}`,t=e.pathname.slice(1).split("/"),i=t[0],s=t.slice(1).join("/");return{bucket:i,key:s,endpoint:r,accessKeyId:e.username||void 0,secretAccessKey:e.password||void 0}}throw new Error(`Unsupported S3 URL format: ${n}`)}async function oe(n){try{let{S3Client:e,GetObjectCommand:r}=await import("@aws-sdk/client-s3"),t={};n.region&&(t.region=n.region),n.endpoint&&(t.endpoint=n.endpoint,t.forcePathStyle=!0),n.accessKeyId&&n.secretAccessKey&&(t.credentials={accessKeyId:n.accessKeyId,secretAccessKey:n.secretAccessKey});let i=new e(t),s=new r({Bucket:n.bucket,Key:n.key}),o=await i.send(s);if(!o.Body)throw new Error("Empty response from S3");return(await o.Body.transformToString()).trim()}catch(e){throw e.code==="ERR_MODULE_NOT_FOUND"||e.message?.includes("Cannot find module")?new Error("AWS SDK not installed. To use S3 key source, install: pnpm add @aws-sdk/client-s3"):new Error(`Failed to fetch key from S3: ${e.message}`)}}async function T(n){let e=se(n);return oe(e)}var ae=".minienv",O="config.yaml",ce=5,M=10,V={version:"1",project:"",environments:["dev","stg","prd","sbx","dr"],default_environment:"dev",sync:{conflict:"local"},security:{paranoid:!1,confirm_production:!0,auto_encrypt:{patterns:["*_KEY","*_SECRET","*_TOKEN","*_PASSWORD","*_CREDENTIAL","DATABASE_URL","REDIS_URL"]}}};function $(n=process.cwd()){let e=f.default.resolve(n),r=0;for(;r<ce;){let t=f.default.join(e,ae),i=f.default.join(t,O);if(v.default.existsSync(i))return t;let s=f.default.dirname(e);if(s===e)break;e=s,r++}return null}function le(n){if(!v.default.existsSync(n))throw new Error(`Config file not found: ${n}`);let e=v.default.readFileSync(n,"utf-8");return(0,A.parse)(e)||{}}function C(n,e){let r={...n};for(let t of Object.keys(e)){let i=e[t],s=r[t];i!=null&&typeof i=="object"&&!Array.isArray(i)&&s!==null&&s!==void 0&&typeof s=="object"&&!Array.isArray(s)?r[t]=C(s,i):i!==void 0&&(r[t]=i)}return r}function N(n,e=new Set,r=0){if(r>M)throw new Error(`Config inheritance depth exceeded (max ${M})`);let t=f.default.resolve(n);if(e.has(t))throw new Error(`Circular config inheritance detected: ${t}`);e.add(t);let i=le(t);if(i.extends){let s=f.default.resolve(f.default.dirname(t),i.extends),o=N(s,e,r+1),{extends:a,...c}=i;return C(o,c)}return C(V,i)}function w(n){let e=$(n);if(!e)return{...V};let r=f.default.join(e,O);return N(r)}function de(n){return f.default.join(n,"environments")}function D(n,e){return f.default.join(de(n),`${e}.env`)}async function j(n){let e=n.encryption?.key_source||[];for(let r of e)if("env"in r){let t=process.env[r.env];if(t)return t}else if("file"in r){let t=f.default.resolve(r.file);if(v.default.existsSync(t))return v.default.readFileSync(t,"utf-8").trim()}else if("s3"in r)try{let t=await T(r.s3);if(t)return t}catch(t){process.env.MINIENV_VERBOSE&&console.warn(`Failed to load key from S3: ${t.message}`)}return process.env.MINIENV_KEY?process.env.MINIENV_KEY:null}var K=E(require("node:fs"),1),P=100;function F(n,e={}){let r=K.default.readFileSync(n,"utf-8");return ue(r,e)}function ue(n,e={}){let{expand:r=!0,env:t=process.env}=e,i={},s=n.split(/\r?\n/),o=0;for(;o<s.length;){let a=s[o].trim();if(o++,!a||a.startsWith("#")||a.startsWith(";"))continue;let c=a.match(/^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$/);if(!c)continue;let l=c[1],d=c[2];if(d.startsWith('"')){let u=pe(d,s,o);d=u.value,o=u.nextIndex}else if(d.startsWith("'")){let u=fe(d,s,o);d=u.value,o=u.nextIndex}else if(d.startsWith("`")){let u=me(d,s,o);d=u.value,o=u.nextIndex}else{let u=d.indexOf("#");u>0&&(d=d.substring(0,u).trim())}r&&(d=ge(d,{...t,...i})),i[l]=d}return i}function pe(n,e,r){let t=n.substring(1),i=0,s="",o=0,a=r;for(;i<P;){for(;o<t.length;){let c=t[o];if(c==="\\"&&o+1<t.length){let l=t[o+1];switch(l){case"n":s+=`
+`;break;case"r":s+="\r";break;case"t":s+="	";break;case'"':s+='"';break;case"\\":s+="\\";break;case"$":s+="$";break;default:s+=c+l}o+=2}else{if(c==='"')return{value:s,nextIndex:a};s+=c,o++}}if(a>=e.length)break;s+=`
+`,t=e[a],a++,o=0,i++}return{value:s,nextIndex:a}}function fe(n,e,r){let t=n.substring(1),i=0,s="",o=0,a=r;for(;i<P;){for(;o<t.length;){let c=t[o];if(c==="'"&&t[o+1]!=="'")return{value:s,nextIndex:a};c==="'"&&t[o+1]==="'"?(s+="'",o+=2):(s+=c,o++)}if(a>=e.length)break;s+=`
+`,t=e[a],a++,o=0,i++}return{value:s,nextIndex:a}}function me(n,e,r){let t=n.substring(1),i=0,s="",o=0,a=r;for(;i<P;){let c=t.indexOf("`",o);if(c!==-1)return s+=t.substring(o,c),{value:s,nextIndex:a};if(s+=t.substring(o),a>=e.length)break;s+=`
+`,t=e[a],a++,o=0,i++}return{value:s,nextIndex:a}}function ge(n,e){return n=n.replace(/\$\{([a-zA-Z_][a-zA-Z0-9_]*):-([^}]*)\}/g,(r,t,i)=>e[t]??i),n=n.replace(/\$\{([a-zA-Z_][a-zA-Z0-9_]*)\}/g,(r,t)=>e[t]??""),n=n.replace(/\$([a-zA-Z_][a-zA-Z0-9_]*)/g,(r,t)=>e[t]??""),n}var L=E(require("node:fs"),1);async function ve(){let n=null;try{n=w()}catch{}let e=n?.backend?.url,r=n?await j(n):void 0;return{client:new g({connectionString:e||void 0,passphrase:r||void 0}),config:n}}function U(){return[{name:"minienv_get",description:"Get the value of an environment variable",inputSchema:{type:"object",properties:{key:{type:"string",description:"The name of the environment variable"},environment:{type:"string",description:"Environment (dev/stg/prd/sbx/dr)",enum:["dev","stg","prd","sbx","dr"],default:"dev"},project:{type:"string",description:"Project name (optional, defaults to config)"},service:{type:"string",description:"Service name for monorepos (optional)"}},required:["key"]}},{name:"minienv_set",description:"Set an environment variable value",inputSchema:{type:"object",properties:{key:{type:"string",description:"The name of the environment variable"},value:{type:"string",description:"The value to set"},environment:{type:"string",description:"Environment (dev/stg/prd/sbx/dr)",enum:["dev","stg","prd","sbx","dr"],default:"dev"},project:{type:"string",description:"Project name (optional, defaults to config)"},service:{type:"string",description:"Service name for monorepos (optional)"}},required:["key","value"]}},{name:"minienv_delete",description:"Delete an environment variable",inputSchema:{type:"object",properties:{key:{type:"string",description:"The name of the environment variable to delete"},environment:{type:"string",description:"Environment (dev/stg/prd/sbx/dr)",enum:["dev","stg","prd","sbx","dr"],default:"dev"},project:{type:"string",description:"Project name (optional, defaults to config)"},service:{type:"string",description:"Service name for monorepos (optional)"}},required:["key"]}},{name:"minienv_list",description:"List all environment variables for a project/environment",inputSchema:{type:"object",properties:{environment:{type:"string",description:"Environment (dev/stg/prd/sbx/dr)",enum:["dev","stg","prd","sbx","dr"],default:"dev"},project:{type:"string",description:"Project name (optional, defaults to config)"},service:{type:"string",description:"Service name for monorepos (optional)"},showValues:{type:"boolean",description:"Show values (default: false for security)",default:!1}}}},{name:"minienv_export",description:"Export environment variables in shell format",inputSchema:{type:"object",properties:{environment:{type:"string",description:"Environment (dev/stg/prd/sbx/dr)",enum:["dev","stg","prd","sbx","dr"],default:"dev"},project:{type:"string",description:"Project name (optional, defaults to config)"},service:{type:"string",description:"Service name for monorepos (optional)"},format:{type:"string",description:"Output format",enum:["shell","env","json","yaml"],default:"shell"}}}},{name:"minienv_sync",description:"Sync local .env file with backend storage",inputSchema:{type:"object",properties:{environment:{type:"string",description:"Environment (dev/stg/prd/sbx/dr)",enum:["dev","stg","prd","sbx","dr"],default:"dev"},project:{type:"string",description:"Project name (optional, defaults to config)"},service:{type:"string",description:"Service name for monorepos (optional)"},dryRun:{type:"boolean",description:"Show what would be changed without making changes",default:!1}}}}]}async function z(n,e){let{client:r,config:t}=await ve(),i=e.project||t?.project||"",s=e.environment||t?.default_environment||"dev",o=e.service;if(!i)return{content:[{type:"text",text:"Error: Project not specified. Either set project in args or run from a directory with .minienv/config.yaml"}]};try{switch(await r.connect(),n){case"minienv_get":{let a=e.key,c=await r.get(a,i,s,o);return{content:[{type:"text",text:c!==null?c.value:`Variable ${a} not found`}]}}case"minienv_set":{let a=e.key,c=e.value;return await r.set({key:a,value:c,project:i,environment:s,service:o,metadata:{source:"manual"}}),{content:[{type:"text",text:`\u2713 Set ${a} in ${i}/${s}`}]}}case"minienv_delete":{let a=e.key;return{content:[{type:"text",text:await r.delete(a,i,s,o)?`\u2713 Deleted ${a}`:`Variable ${a} not found`}]}}case"minienv_list":{let a=e.showValues||!1,c=await r.list({project:i,environment:s,service:o});if(c.length===0)return{content:[{type:"text",text:`No variables found for ${i}/${s}`}]};let l=c.map(d=>a?`${d.key}=${d.value}`:d.key);return{content:[{type:"text",text:`Variables in ${i}/${s}:
+${l.join(`
+`)}`}]}}case"minienv_export":{let a=e.format||"shell",c=await r.export(i,s,o),l;switch(a){case"json":l=JSON.stringify(c,null,2);break;case"yaml":l=Object.entries(c).map(([d,u])=>`${d}: "${u.replace(/"/g,'\\"')}"`).join(`
+`);break;case"env":l=Object.entries(c).map(([d,u])=>`${d}=${u}`).join(`
+`);break;default:l=Object.entries(c).map(([d,u])=>`export ${d}="${u.replace(/"/g,'\\"')}"`).join(`
+`)}return{content:[{type:"text",text:l}]}}case"minienv_sync":{let a=e.dryRun||!1,c=$();if(!c)return{content:[{type:"text",text:"Error: No .minienv directory found"}]};let l=D(c,s);if(!L.default.existsSync(l))return{content:[{type:"text",text:`Error: Environment file not found: ${l}`}]};let d=F(l);if(a){let k=await r.export(i,s,o),x=[],b=[],S=[];for(let[m,Y]of Object.entries(d))m in k?k[m]!==Y&&b.push(m):x.push(m);for(let m of Object.keys(k))m in d||S.push(m);let h=["Dry run - changes that would be made:"];return x.length>0&&h.push(`  Add: ${x.join(", ")}`),b.length>0&&h.push(`  Update: ${b.join(", ")}`),S.length>0&&h.push(`  Delete: ${S.join(", ")}`),x.length===0&&b.length===0&&S.length===0&&h.push("  No changes needed"),{content:[{type:"text",text:h.join(`
+`)}]}}let u=await r.sync(d,i,s,o,{source:"sync"}),y=[`\u2713 Synced ${i}/${s}`];return u.added.length>0&&y.push(`  Added: ${u.added.length}`),u.updated.length>0&&y.push(`  Updated: ${u.updated.length}`),u.deleted.length>0&&y.push(`  Deleted: ${u.deleted.length}`),u.unchanged.length>0&&y.push(`  Unchanged: ${u.unchanged.length}`),{content:[{type:"text",text:y.join(`
+`)}]}}default:return{content:[{type:"text",text:`Unknown tool: ${n}`}]}}}finally{await r.disconnect()}}var q=["dev","stg","prd","sbx","dr"];async function W(){let n=null;try{n=w()}catch{}let e=n?.backend?.url,r=n?await j(n):void 0;return{client:new g({connectionString:e||void 0,passphrase:r||void 0}),config:n}}function ye(n){let e=n.match(/^minienv:\/\/([^/]+)\/([^/]+)(?:\/([^/]+))?$/);if(!e)return null;let[,r,t,i]=e;return q.includes(t)?{project:r,environment:t,service:i}:null}async function H(){let{config:n}=await W();if(!n?.project)return[];let e=n.project,r=n.environments||q,t=n.service,i=[];for(let s of r){let o=t?`minienv://${e}/${s}/${t}`:`minienv://${e}/${s}`;i.push({uri:o,name:`${e}/${s}${t?`/${t}`:""}`,description:`Environment variables for ${e} in ${s}`,mimeType:"text/plain"})}return i}async function B(n){let e=ye(n);if(!e)throw new Error(`Invalid resource URI: ${n}. Expected format: minienv://project/environment[/service]`);let{project:r,environment:t,service:i}=e,{client:s}=await W();try{await s.connect();let o=await s.export(r,t,i),a=Object.entries(o);if(a.length===0)return{contents:[{uri:n,mimeType:"text/plain",text:`# No variables found for ${r}/${t}`}]};let c=a.map(([l,d])=>`${l}=${d}`).join(`
+`);return{contents:[{uri:n,mimeType:"text/plain",text:`# Environment: ${r}/${t}${i?`/${i}`:""}
+# Variables: ${a.length}
+
+${c}`}]}}finally{await s.disconnect()}}var he="minienv",Ee="0.1.0";function xe(){let n=new G.Server({name:he,version:Ee},{capabilities:{tools:{},resources:{}}});return n.setRequestHandler(p.ListToolsRequestSchema,async()=>({tools:U()})),n.setRequestHandler(p.CallToolRequestSchema,async e=>{let{name:r,arguments:t}=e.params;try{return await z(r,t||{})}catch(i){let s=i instanceof Error?i.message:String(i);throw new p.McpError(p.ErrorCode.InternalError,s)}}),n.setRequestHandler(p.ListResourcesRequestSchema,async()=>({resources:await H()})),n.setRequestHandler(p.ReadResourceRequestSchema,async e=>{let{uri:r}=e.params;try{return await B(r)}catch(t){let i=t instanceof Error?t.message:String(t);throw new p.McpError(p.ErrorCode.InternalError,i)}}),n}async function R(){let n=xe(),e=new Z.StdioServerTransport;await n.connect(e),process.on("SIGINT",async()=>{await n.close(),process.exit(0)}),process.on("SIGTERM",async()=>{await n.close(),process.exit(0)})}(process.argv[1]?.endsWith("server.js")||process.argv[1]?.endsWith("server.ts"))&&R().catch(n=>{console.error("Failed to start MCP server:",n),process.exit(1)});R().catch(n=>{console.error("Failed to start MCP server:",n),process.exit(1)});