void 0.1.6 → 0.7.0

package/dist/env-CyG3tvU0.mjs

@@ -0,0 +1,301 @@
+import { a as join } from "./pathe.M-eThtNZ-D-kmWkCS.mjs";
+import { n as cliTitle } from "./output-BwlcIYSR.mjs";
+import { c as R, g as ge, u as Se, y as ye } from "./dist-Dayj3gCK.mjs";
+import { r as readProjectConfig } from "./project-TqORyHn8.mjs";
+import { n as PlatformClient, s as getToken } from "./client-snXOjrp1.mjs";
+import { n as generateEnvTypes, t as findEnvFile } from "./env-types-DknSA4SO.mjs";
+import { a as loadUserEnvFile, i as validateProdEnv, n as formatEnvReport, t as fetchRemoteSecretNames } from "./env-validation-DJKjR_8q.mjs";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+//#region src/cli/env-example.ts
+/**
+* `void env example` — generate a `.env.example` block from the registered
+* env schema, managed as a marker-delimited section so any user-managed
+* entries (CI tokens, build flags, etc.) above or below the block survive
+* a refresh.
+*
+* Marker convention mirrors the one used by `init.ts` for CLAUDE.md /
+* AGENTS.md instructions: a literal start marker, a body, and a literal
+* end marker. The markers are hash-prefixed so they remain valid dotenv
+* comments and don't trip up tools that parse `.env` files.
+*
+* Schema introspection strategy:
+*   - Call `schema['~standard'].validate(undefined)`:
+*       • `{ value: undefined }` → optional (no default)
+*       • `{ value: <x> }`       → has a default (value is `<x>`)
+*       • `{ issues: [...] }`    → required
+*   - For enum hints, probe with a sentinel that is unlikely to match and
+*     parse the built-in `oneOf` error message ("Expected one of A, B, got ..."),
+*     yielding the valid values. This only works for Void's built-in
+*     `oneOf()` helper — third-party validators silently degrade to no hint,
+*     which is fine because `.env.example` is purely informational.
+*
+* This keeps the introspection layer Standard Schema-friendly (no private
+* fields, no type-widening) while still giving a good DX for the common
+* Void helpers.
+*/
+/** Load the user's env.ts so `defineEnv` registers the schema. */
+async function loadRegisteredSchema(envFile) {
+	await loadUserEnvFile(envFile);
+	return (await import("./runtime/env-public.mjs"))._getRegisteredSchema();
+}
+/**
+* Introspect a single schema into an {@link EntryKind}.
+*
+* The probing logic is pure: it only calls the public `~standard.validate`
+* contract, so it works for any Standard Schema-compliant validator.
+*/
+function classifySchema(schema) {
+	const enumValues = tryExtractEnumValues(schema);
+	const probe = schema["~standard"].validate(void 0);
+	if (probe instanceof Promise) return {
+		kind: "required",
+		enumValues
+	};
+	if ("issues" in probe && probe.issues) return {
+		kind: "required",
+		enumValues
+	};
+	if (probe.value === void 0) return {
+		kind: "optional",
+		enumValues
+	};
+	return {
+		kind: "default",
+		defaultValue: probe.value,
+		enumValues
+	};
+}
+/**
+* Attempt to pull enum values out of a Void `oneOf()` schema by probing with
+* an invalid sentinel and parsing the error message. Returns undefined for
+* any schema that isn't a built-in `oneOf`.
+*/
+function tryExtractEnumValues(schema) {
+	const result = schema["~standard"].validate("__void_env_example_probe__");
+	if (result instanceof Promise) return;
+	if (!("issues" in result) || !result.issues || result.issues.length === 0) return;
+	const message = result.issues[0].message;
+	const match = /^Expected one of (.+), got "/.exec(message);
+	if (!match) return;
+	return match[1].split(",").map((s) => s.trim());
+}
+/** Serialize a default value into a dotenv-friendly string. */
+function serializeDefault(value) {
+	if (typeof value === "string") return value;
+	if (typeof value === "number" || typeof value === "boolean") return String(value);
+	try {
+		return JSON.stringify(value);
+	} catch {
+		return "";
+	}
+}
+/**
+* Build the body of the managed env block (no markers) from a registered
+* schema map.
+*
+* Grouped by:
+*   1. required (no default, not optional)
+*   2. required with default (prefilled value)
+*   3. optional (empty value)
+*
+* Enum-valued keys get a leading `# enum: A | B | C` comment.
+*/
+function formatEnvExample(schema) {
+	const entries = Object.entries(schema).map(([key, s]) => ({
+		key,
+		classification: classifySchema(s)
+	}));
+	const required = entries.filter((e) => e.classification.kind === "required");
+	const withDefault = entries.filter((e) => e.classification.kind === "default");
+	const optional = entries.filter((e) => e.classification.kind === "optional");
+	const lines = [];
+	const writeGroup = (label, group) => {
+		if (group.length === 0) return;
+		if (lines.length > 0) lines.push("");
+		lines.push(`# ${label}`);
+		for (const entry of group) {
+			const enumValues = entry.classification.enumValues;
+			if (enumValues && enumValues.length > 0) lines.push(`# enum: ${enumValues.join(" | ")}`);
+			if (entry.classification.kind === "default") lines.push(`${entry.key}=${serializeDefault(entry.classification.defaultValue)}`);
+			else lines.push(`${entry.key}=`);
+		}
+	};
+	writeGroup("required", required);
+	writeGroup("with defaults", withDefault);
+	writeGroup("optional", optional);
+	return lines.join("\n") + (lines.length > 0 ? "\n" : "");
+}
+/**
+* Literal start/end markers for the void-managed block. They are valid
+* dotenv comments (hash-prefixed) so any tool that parses `.env.example`
+* silently ignores them, and they are matched as whole lines (with
+* defensive trailing-whitespace tolerance) when locating the block.
+*/
+const ENV_EXAMPLE_START_MARKER = "# >>> void env: managed block — do not edit between markers <<<";
+const ENV_EXAMPLE_END_MARKER = "# >>> end void env <<<";
+const ENV_EXAMPLE_MARKER_HINT = "# Run `void env example` to refresh.";
+/** Regex matchers for the markers — full line, ignore trailing whitespace. */
+const START_MARKER_RE = new RegExp(`^${ENV_EXAMPLE_START_MARKER.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*$`);
+const END_MARKER_RE = new RegExp(`^${ENV_EXAMPLE_END_MARKER.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*$`);
+function buildMarkerBlock(body) {
+	const trimmedBody = body.endsWith("\n") ? body.slice(0, -1) : body;
+	const parts = [ENV_EXAMPLE_START_MARKER, ENV_EXAMPLE_MARKER_HINT];
+	if (trimmedBody.length > 0) parts.push(trimmedBody);
+	parts.push(ENV_EXAMPLE_END_MARKER);
+	return parts.join("\n") + "\n";
+}
+/**
+* Pure helper that produces the new `.env.example` content given the
+* existing file contents (or `null` when the file does not exist) and the
+* formatted env body (without marker lines).
+*
+* Behavior matrix:
+*   - existing == null               → `create` a fresh marker-only file
+*   - both markers present           → `replace` the lines between them
+*   - no markers present             → `append` the block at the end
+*   - exactly one marker present     → `error` (mismatched markers)
+*/
+function applyMarkerBlock(existing, body) {
+	const block = buildMarkerBlock(body);
+	if (existing === null) return {
+		content: block,
+		action: "create"
+	};
+	const lines = existing.split("\n");
+	let startIdx = -1;
+	let endIdx = -1;
+	for (let i = 0; i < lines.length; i++) {
+		if (startIdx === -1 && START_MARKER_RE.test(lines[i])) {
+			startIdx = i;
+			continue;
+		}
+		if (startIdx !== -1 && END_MARKER_RE.test(lines[i])) {
+			endIdx = i;
+			break;
+		}
+	}
+	const hasStart = lines.some((l) => START_MARKER_RE.test(l));
+	const hasEnd = lines.some((l) => END_MARKER_RE.test(l));
+	if (hasStart && !hasEnd) return {
+		content: existing,
+		action: "error",
+		reason: "Found start marker but no matching end marker in .env.example. Restore `# >>> end void env <<<` or delete the file and re-run `void env example`."
+	};
+	if (!hasStart && hasEnd) return {
+		content: existing,
+		action: "error",
+		reason: "Found end marker but no matching start marker in .env.example. Restore `# >>> void env: ... <<<` or delete the file and re-run `void env example`."
+	};
+	if (startIdx !== -1 && endIdx !== -1) {
+		const before = lines.slice(0, startIdx);
+		const after = lines.slice(endIdx + 1);
+		const beforeText = before.length > 0 ? before.join("\n") + "\n" : "";
+		const afterText = after.join("\n");
+		return {
+			content: beforeText + block + afterText,
+			action: "replace"
+		};
+	}
+	const trimmed = existing.replace(/\s+$/, "");
+	return {
+		content: trimmed + (trimmed.length > 0 ? "\n\n" : "") + block,
+		action: "append"
+	};
+}
+/** CLI entrypoint: load schema, manage marker block, write `.env.example`. */
+async function runEnvExample(root, options) {
+	const envFile = findEnvFile(root);
+	if (!envFile) {
+		ye("No env.ts found at project root — nothing to generate.");
+		return;
+	}
+	const schema = await loadRegisteredSchema(envFile);
+	if (!schema || Object.keys(schema).length === 0) {
+		ye("env.ts registered no keys — nothing to generate.");
+		return;
+	}
+	const outPath = join(root, ".env.example");
+	const existing = existsSync(outPath) ? readFileSync(outPath, "utf-8") : null;
+	const result = applyMarkerBlock(existing, formatEnvExample(schema));
+	if (result.action === "error") {
+		R.error(result.reason ?? "Failed to update .env.example.");
+		process.exit(1);
+	}
+	if (existing !== null && existing === result.content) {
+		ye(".env.example is already up to date.");
+		return;
+	}
+	writeFileSync(outPath, result.content);
+	const count = Object.keys(schema).length;
+	const keyCount = `${count} key${count === 1 ? "" : "s"}`;
+	if (result.action === "create") R.success(`Wrote .env.example (${keyCount}).`);
+	else if (result.action === "replace") R.success(`Refreshed void env block in .env.example (${keyCount}).`);
+	else if (result.action === "append") {
+		R.success(`Refreshed void env block in .env.example (${keyCount}).`);
+		if (!options.force) R.info("appended void env block to existing .env.example");
+	}
+	ye("Done.");
+}
+//#endregion
+//#region src/cli/env.ts
+async function runEnvCommand(root, args) {
+	console.log();
+	ge(cliTitle(`env ${args.subcommand}`));
+	if (args.subcommand === "check") {
+		await runCheck(root, args.useRemoteSecrets);
+		return;
+	}
+	if (args.subcommand === "types") {
+		runTypes(root);
+		return;
+	}
+	if (args.subcommand === "example") {
+		await runEnvExample(root, { force: args.force });
+		return;
+	}
+}
+async function runCheck(root, useRemoteSecrets) {
+	let remoteSecrets;
+	if (useRemoteSecrets) {
+		const token = getToken(root);
+		if (!token) {
+			R.error("--remote requires authentication. Run `void auth login` first.");
+			process.exit(1);
+		}
+		const config = readProjectConfig(root);
+		if (!config) {
+			R.error("--remote requires a linked project. Run `void project link` first.");
+			process.exit(1);
+		}
+		remoteSecrets = await fetchRemoteSecretNames(new PlatformClient(token, { root }), config.projectId);
+	}
+	const { hasSchema, report } = await validateProdEnv(root, {
+		productionOnly: true,
+		remoteSecrets
+	});
+	if (!hasSchema) {
+		ye("No env.ts found — nothing to validate.");
+		return;
+	}
+	if (report.valid) {
+		ye("All required env vars are present and valid.");
+		return;
+	}
+	Se(formatEnvReport(report), "Env validation failed");
+	if (report.missing.length > 0) R.info(`Set missing values via .env / .env.production, or upload as secrets with \`void secret put <NAME>\`.`);
+	process.exit(1);
+}
+function runTypes(root) {
+	const envFile = findEnvFile(root);
+	if (!envFile) {
+		ye("No env.ts found at project root — nothing to generate.");
+		return;
+	}
+	const outDir = join(root, ".void");
+	mkdirSync(outDir, { recursive: true });
+	const { dts } = generateEnvTypes(envFile, outDir);
+	writeFileSync(join(outDir, "env.d.ts"), dts);
+	ye(`Wrote ${join(".void", "env.d.ts")}.`);
+}
+//#endregion
+export { runEnvCommand };

package/dist/env-helpers-Dr9Y7RnE.d.mts

@@ -0,0 +1,52 @@
+import { t as StandardSchemaV1 } from "./standard-schema-9CRjx-uR.mjs";
+
+//#region src/shared/env-mask.d.ts
+/** Per-key override set by `.secret()` / `.public()` on built-in helpers. */
+type SecretOverride = "secret" | "public" | undefined;
+//#endregion
+//#region src/runtime/env-helpers.d.ts
+/**
+* Marker property read by the mask helpers. Present only on built-in
+* schema builders; third-party Standard Schema validators fall back to the
+* name/value heuristic (documented in `docs/guide/env-vars.md`).
+*/
+declare const SECRET_OVERRIDE_SYMBOL: unique symbol;
+/**
+* Pull the explicit `.secret()` / `.public()` flag off a Standard Schema
+* validator, if it was authored through our built-in helpers. Returns
+* `undefined` for third-party validators (valibot, zod, arktype, …) —
+* they are redacted purely via the heuristic.
+*/
+declare function getSecretOverride(validator: {
+  [SECRET_OVERRIDE_SYMBOL]?: SecretOverride;
+} | unknown): SecretOverride;
+interface EnvSchema<T> extends StandardSchemaV1<unknown, T> {
+  optional(): EnvSchema<T | undefined>;
+  default(value: NonNullable<T>): EnvSchema<NonNullable<T>>;
+  /**
+  * Force redaction of this key's value in every validation/error surface,
+  * regardless of the key-name / value-content heuristics.
+  */
+  secret(): EnvSchema<T>;
+  /**
+  * Opt this key out of redaction — useful for public config (URLs, app
+  * titles) that happens to match the heuristic (`PUBLIC_KEY`, `…_TOKEN_URL`).
+  */
+  public(): EnvSchema<T>;
+}
+/** Required string env value. */
+declare function string(): EnvSchema<string>;
+/** Numeric env value. Parses with `Number(raw)`; rejects NaN. */
+declare function number(): EnvSchema<number>;
+/** Boolean env value. Accepts "true"/"false"/"1"/"0" (case-insensitive). */
+declare function boolean(): EnvSchema<boolean>;
+/** URL string — validated via `new URL(raw)`. */
+declare function url(): EnvSchema<string>;
+/** Email string — basic shape validation. */
+declare function email(): EnvSchema<string>;
+/** One of a fixed set of literal string values. */
+declare function oneOf<const Values extends ReadonlyArray<string>>(values: Values): EnvSchema<Values[number]>;
+/** JSON-parsed env value. Specify `T` to type the parsed result. */
+declare function json<T = unknown>(): EnvSchema<T>;
+//#endregion
+export { getSecretOverride as a, oneOf as c, email as i, string as l, SECRET_OVERRIDE_SYMBOL as n, json as o, boolean as r, number as s, EnvSchema as t, url as u };

package/dist/env-raw-BDL4TvdN.mjs

@@ -0,0 +1,32 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+//#region src/runtime/env-raw.ts
+/**
+* Raw runtime env resolution — framework-internal only.
+*
+* This module is NOT exported in package.json, so it cannot be imported
+* via "void/..." subpaths. Only framework modules using relative imports
+* (isr.ts, ai.ts, env.ts) can access it.
+*/
+/** Prefixes for platform-internal bindings that must be hidden from user code. */
+const INTERNAL_BINDING_PREFIXES = ["__VOID_", "__PROJECT_"];
+const envContext = new AsyncLocalStorage();
+let cloudflareEnv;
+if (typeof navigator !== "undefined" && navigator.userAgent === "Cloudflare-Workers") import("cloudflare:workers").then((mod) => {
+	cloudflareEnv = asEnv(mod.env) ?? void 0;
+}).catch(() => {});
+function asEnv(value) {
+	if (typeof value !== "object" || value === null) return null;
+	if ("then" in value && typeof value.then === "function") return null;
+	return value;
+}
+function getNuxtEnv() {
+	return asEnv(globalThis.__env__);
+}
+/** Resolve raw env from AsyncLocalStorage, Nuxt globals, or CF module env. */
+function getRawRuntimeEnv() {
+	return envContext.getStore() ?? getNuxtEnv() ?? cloudflareEnv ?? (() => {
+		throw new Error("env: Cloudflare env is unavailable. Use void runtime bindings inside Nuxt/SvelteKit/Analog server request handlers or Worker handlers.");
+	})();
+}
+//#endregion
+export { getRawRuntimeEnv as i, asEnv as n, envContext as r, INTERNAL_BINDING_PREFIXES as t };

package/dist/env-types-DknSA4SO.mjs

@@ -0,0 +1,64 @@
+import { a as join, o as relative } from "./pathe.M-eThtNZ-D-kmWkCS.mjs";
+import { i as voidWarn } from "./log-DXdqnmhF.mjs";
+import { existsSync } from "node:fs";
+//#region src/codegen/env-types.ts
+/** Possible source locations for the user env schema, in priority order.
+*  Root-level files win over `src/`-nested ones. */
+const ENV_FILE_CANDIDATES = [
+	"env.ts",
+	"env.mts",
+	"env.js",
+	"env.mjs",
+	"src/env.ts",
+	"src/env.mts",
+	"src/env.js",
+	"src/env.mjs"
+];
+/** Roots already warned about duplicate env.ts files — dedupes noisy repeat calls. */
+const warnedRoots = /* @__PURE__ */ new Set();
+/** Find the user's env schema file, if any. Warns once per root when multiple candidates exist. */
+function findEnvFile(root) {
+	const matches = [];
+	for (const candidate of ENV_FILE_CANDIDATES) {
+		const abs = join(root, candidate);
+		if (existsSync(abs)) matches.push(abs);
+	}
+	if (matches.length > 1 && !warnedRoots.has(root)) {
+		warnedRoots.add(root);
+		const rel = matches.map((m) => relative(root, m));
+		voidWarn(`Multiple env schema files found — using "${rel[0]}" and ignoring ${rel.slice(1).map((r) => `"${r}"`).join(", ")}. Keep just one.`);
+	}
+	return matches[0] ?? null;
+}
+/**
+* Generate `.void/env.d.ts` content. Augments:
+*   - `void/env`'s `ValidatedEnv` so `env.X` is typed
+*   - `void/handler`'s `CloudBindings` so `c.env.X` is typed
+*
+* Uses `typeof import("../env.ts").default` so TypeScript handles the
+* inference — codegen never analyses types itself.
+*
+* @param envFileAbs Absolute path to the user's env schema file.
+* @param outDir Absolute path to the project's `.void/` directory.
+*/
+function generateEnvTypes(envFileAbs, outDir) {
+	const importPath = relative(outDir, envFileAbs).replace(/\\/g, "/");
+	const lines = [];
+	lines.push("// Auto-generated by void — do not edit");
+	lines.push("export {}");
+	lines.push("");
+	lines.push(`type _VoidEnvSchema = typeof import("${importPath}");`);
+	lines.push("type _VoidEnvShape = _VoidEnvSchema extends { default: infer D } ? D : _VoidEnvSchema extends { env: infer E } ? E : {};");
+	lines.push("");
+	lines.push("declare module \"void/env\" {");
+	lines.push("  interface ValidatedEnv extends _VoidEnvShape {}");
+	lines.push("}");
+	lines.push("");
+	lines.push("declare module \"void/handler\" {");
+	lines.push("  interface CloudBindings extends _VoidEnvShape {}");
+	lines.push("}");
+	lines.push("");
+	return { dts: lines.join("\n") };
+}
+//#endregion
+export { generateEnvTypes as n, findEnvFile as t };

package/dist/env-validation-DJKjR_8q.mjs

@@ -0,0 +1,163 @@
+import { a as join } from "./pathe.M-eThtNZ-D-kmWkCS.mjs";
+import { i as voidWarn } from "./log-DXdqnmhF.mjs";
+import { n as mergeAndExpand, r as parseDotenvFile } from "./dotenv-DwO4ti0Z.mjs";
+import { t as findEnvFile } from "./env-types-DknSA4SO.mjs";
+import { pathToFileURL } from "node:url";
+//#region src/host/load-user-env.ts
+/**
+* Loader for the user's `env.ts`.
+*
+* Uses Node's native `import()` (type-stripping is on by default in the
+* supported Node version), so only relative imports and bare package
+* specifiers resolve. tsconfig path aliases (`@/foo`, `~/foo`) are NOT
+* supported — if the user writes one, we detect the resulting resolution
+* error and re-throw with guidance pointing at the offending specifier.
+*
+* Used by:
+*   - `plugin-env-schema.ts` (dev plugin, HMR re-imports)
+*   - `cli/env-validation.ts` (deploy + `void env check`)
+*
+* Side-effect contract: loading the file evaluates the user's `defineEnv`
+* call, which registers the schema in the singleton state in
+* `runtime/env-public.ts`. Callers read the result from there.
+*
+* Node-only (lives under `host/`). Must not be imported from anything
+* that ships in worker bundles.
+*/
+let loadCounter = 0;
+/**
+* Returns the specifier from a Node resolution error if the error looks
+* like one — otherwise `null`. Both `ERR_MODULE_NOT_FOUND` and
+* `ERR_UNSUPPORTED_DIR_IMPORT` have the specifier embedded in the message.
+*/
+function extractFailedSpecifier(err) {
+	if (!(err instanceof Error)) return null;
+	const code = err.code;
+	if (code !== "ERR_MODULE_NOT_FOUND" && code !== "ERR_PACKAGE_PATH_NOT_EXPORTED") return null;
+	const match = /Cannot find (?:package|module) '([^']+)'/.exec(err.message);
+	return match ? match[1] ?? null : null;
+}
+/** A specifier is alias-shaped if it isn't relative, absolute, a node: URL, or a valid bare package name. */
+function looksLikeAlias(specifier) {
+	if (specifier.startsWith("./") || specifier.startsWith("../") || specifier.startsWith("/") || specifier.startsWith("node:") || specifier.startsWith("file:")) return false;
+	if (specifier.startsWith("@")) return !/^@[^/]+\/[^/]+/.test(specifier);
+	return specifier.startsWith("~") || specifier.startsWith("#");
+}
+/**
+* Load the user's env.ts via native `import()`. The URL gets a cache-busting
+* query param so HMR re-imports re-evaluate the file.
+*
+* On resolution failures, wraps the error with the source file path, and if
+* the failed specifier looks like a tsconfig path alias, appends guidance
+* explaining that env.ts doesn't resolve aliases.
+*/
+async function loadUserEnvFile(envFile) {
+	const url = pathToFileURL(envFile).href + `?t=${Date.now()}-${++loadCounter}`;
+	try {
+		await import(
+			/* @vite-ignore */
+			url
+);
+	} catch (err) {
+		const specifier = extractFailedSpecifier(err);
+		const base = `env: Failed to load '${envFile}': '${err.message}'.`;
+		if (specifier && looksLikeAlias(specifier)) throw new Error(`${base}\n\nHint: '${specifier}' looks like a tsconfig path alias. env.ts is loaded directly by Node and does not resolve tsconfig "paths" — use a relative import (e.g. "./shared/...") instead.`);
+		throw new Error(base);
+	}
+}
+//#endregion
+//#region src/cli/env-validation.ts
+/**
+* Shared env-schema validation for CLI commands.
+*
+* Loads the user's `env.ts` (which calls `defineEnv` as a side effect),
+* collects sources of env values (`.env*` files, remote secrets), and
+* validates each declared key against the registered schema.
+*
+* Used by both `void deploy` (hard error on missing prod env) and
+* `void env check` (CI/pre-push validation).
+*/
+/**
+* After the user's env.ts has been imported (via `validateProdEnv` or
+* `loadSchema`), read the registered schema's `.default(value)` entries.
+* Returns `{}` if no schema was registered.
+*/
+async function getDeployEnvDefaults(root) {
+	const envFile = findEnvFile(root);
+	if (!envFile) return {};
+	const mod = await loadSchema(envFile);
+	if (!mod) return {};
+	return mod._getSchemaDefaults();
+}
+/** Load the registered schema by importing the user's env.ts. */
+async function loadSchema(envFile) {
+	await loadUserEnvFile(envFile);
+	const mod = await import("./runtime/env-public.mjs");
+	if (!mod._hasRegisteredSchema()) return null;
+	return mod;
+}
+function emptyReport() {
+	return {
+		valid: true,
+		missing: [],
+		invalid: [],
+		values: /* @__PURE__ */ new Map()
+	};
+}
+/**
+* Validate the user's env schema against the union of .env files and
+* remote secret names. Remote secrets are treated as "present" (we can't
+* fetch their values), which is sufficient for the missing-key check.
+*/
+async function validateProdEnv(root, options) {
+	const envFile = findEnvFile(root);
+	if (!envFile) return {
+		hasSchema: false,
+		report: emptyReport()
+	};
+	const mod = await loadSchema(envFile);
+	if (!mod) return {
+		hasSchema: false,
+		report: emptyReport()
+	};
+	const merged = mergeAndExpand((options.productionOnly ? [".env", ".env.production"] : [
+		".env",
+		".env.local",
+		".env.production",
+		".env.production.local"
+	]).map((file) => parseDotenvFile(join(root, file), { expand: false })), { onWarn: (msg) => voidWarn(msg) });
+	const report = await mod.validateAllEnv(merged);
+	const remoteSet = new Set(options.remoteSecrets ?? []);
+	if (remoteSet.size > 0 && report.missing.length > 0) {
+		report.missing = report.missing.filter((key) => !remoteSet.has(key));
+		if (report.missing.length === 0 && report.invalid.length === 0) report.valid = true;
+	}
+	return {
+		hasSchema: true,
+		report
+	};
+}
+/** Format an EnvValidationReport into a human-readable multi-line string. */
+function formatEnvReport(report) {
+	const lines = [];
+	if (report.missing.length > 0) {
+		lines.push("Missing required env vars:");
+		for (const key of report.missing) lines.push(`  • ${key}`);
+	}
+	if (report.invalid.length > 0) {
+		if (lines.length > 0) lines.push("");
+		lines.push("Invalid env vars:");
+		for (const { key, messages } of report.invalid) lines.push(`  • ${key}: ${messages.join("; ")}`);
+	}
+	return lines.join("\n");
+}
+/** Convenience: fetch remote secret names from the platform. */
+async function fetchRemoteSecretNames(client, projectId) {
+	try {
+		return (await client.listSecrets(projectId)).map((s) => s.name);
+	} catch {
+		return [];
+	}
+}
+//#endregion
+export { loadUserEnvFile as a, validateProdEnv as i, formatEnvReport as n, getDeployEnvDefaults as r, fetchRemoteSecretNames as t };