envrcctl 0.2.0__tar.gz → 0.2.2__tar.gz

{envrcctl-0.2.0 → envrcctl-0.2.2}/PKG-INFO

@@ -1,35 +1,39 @@
-Metadata-Version: 2.4
+Metadata-Version: 2.3
 Name: envrcctl
-Version: 0.2.0
+Version: 0.2.2
 Summary: Manage .envrc with managed blocks and OS-backed secrets.
+Author: Rio Fujita
+Author-email: Rio Fujita <rio_github@rio.st>
 License: MIT License
-        
-        Copyright (c) 2026 Rio Fujita
-        
-        Permission is hereby granted, free of charge, to any person obtaining a copy
-        of this software and associated documentation files (the "Software"), to deal
-        in the Software without restriction, including without limitation the rights
-        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-        copies of the Software, and to permit persons to whom the Software is
-        furnished to do so, subject to the following conditions:
-        
-        The above copyright notice and this permission notice shall be included in all
-        copies or substantial portions of the Software.
-        
-        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-        SOFTWARE.
-License-File: LICENSE
-Requires-Python: >=3.14
+         
+         Copyright (c) 2026 Rio Fujita
+         
+         Permission is hereby granted, free of charge, to any person obtaining a copy
+         of this software and associated documentation files (the "Software"), to deal
+         in the Software without restriction, including without limitation the rights
+         to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+         copies of the Software, and to permit persons to whom the Software is
+         furnished to do so, subject to the following conditions:
+         
+         The above copyright notice and this permission notice shall be included in all
+         copies or substantial portions of the Software.
+         
+         THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+         IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+         FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+         AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+         LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+         OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+         SOFTWARE.
 Requires-Dist: typer>=0.24.1
+Requires-Dist: pytest>=9 ; extra == 'test'
+Requires-Dist: pytest-cov>=7 ; extra == 'test'
+Requires-Dist: bandit>=1.7.10 ; extra == 'test'
+Requires-Python: >=3.14
+Project-URL: Homepage, https://github.com/rioriost/envrcctl
+Project-URL: Issues, https://github.com/rioriost/envrcctl/issues
+Project-URL: Repository, https://github.com/rioriost/envrcctl
 Provides-Extra: test
-Requires-Dist: bandit>=1.7.10; extra == 'test'
-Requires-Dist: pytest-cov>=7.0.0; extra == 'test'
-Requires-Dist: pytest>=9.0.2; extra == 'test'
 Description-Content-Type: text/markdown
 
 # envrcctl
@@ -63,16 +67,21 @@ It is designed for macOS first, with Linux support via SecretService.
 
 ## Installation
 
-### macOS (Homebrew)
+### macOS (Homebrew, Apple Silicon)
 
 Tap and install:
 
 ```sh
-brew tap rioriost/envrcctl
+brew tap rioriost/tap
 brew install envrcctl
 ```
 
-After release, Homebrew will download the release from GitHub.
+This Homebrew path is intended for:
+
+- Apple Silicon (`arm64`) Macs
+- macOS installs that should not require a full Xcode.app build dependency
+
+Intel Macs are not a target for this Homebrew distribution path.
 
 Install direnv with Homebrew:
 
@@ -92,26 +101,25 @@ pipx install envrcctl
 uv tool install envrcctl
 ```
 
-### From source (macOS/Linux)
-
-```sh
-git clone <REPO_URL>
-cd envrcctl
-uv sync
-uv run python -m envrcctl.main --help
-```
-
-### Build the macOS auth helper (macOS only)
+### About the macOS auth helper (Apple Silicon macOS only)
 
 The macOS device owner authentication flow requires a native helper named
 `envrcctl-macos-auth`.
 
-Build it and place the binary at either:
+Homebrew on Apple Silicon is intended to install this helper automatically, so
+you should not need to build it yourself in the common case.
+
+Manual helper installation is still useful when:
+
+- you want to place the helper in a custom location
+- you are not using the Apple Silicon Homebrew distribution path
+
+If you are building the helper yourself, use Apple Silicon (`arm64`) macOS and place the binary at either:
 
 - `src/envrcctl/envrcctl-macos-auth`
 - or a custom path set via `ENVRCCTL_MACOS_AUTH_HELPER`
 
-Example build flow:
+Example build flow on Apple Silicon macOS:
 
 ```sh
 swiftc -O -framework LocalAuthentication -framework Security \
@@ -120,20 +128,6 @@ swiftc -O -framework LocalAuthentication -framework Security \
 chmod +x src/envrcctl/envrcctl-macos-auth
 ```
 
-You can also use the repository build script:
-
-```sh
-sh scripts/build_macos_auth_helper.sh
-```
-
-If you want to write the helper to a custom location, pass the source and output paths explicitly:
-
-```sh
-sh scripts/build_macos_auth_helper.sh \
-  scripts/macos/envrcctl-macos-auth.swift \
-  /usr/local/bin/envrcctl-macos-auth
-```
-
 If you install the helper elsewhere, set:
 
 ```sh
@@ -380,12 +374,7 @@ uv run python scripts/generate_completions.py
 - Audit integrity is based on a hash chain and can be checked with `envrcctl audit verify`
 - The tool refuses to write to world-writable `.envrc`
 
-## Development
 
-```sh
-uv sync
-.venv/bin/envrcctl --help
-```
 
 ## Acknowledgements
 

{envrcctl-0.2.0 → envrcctl-0.2.2}/README.md

@@ -29,16 +29,21 @@ It is designed for macOS first, with Linux support via SecretService.
 
 ## Installation
 
-### macOS (Homebrew)
+### macOS (Homebrew, Apple Silicon)
 
 Tap and install:
 
 ```sh
-brew tap rioriost/envrcctl
+brew tap rioriost/tap
 brew install envrcctl
 ```
 
-After release, Homebrew will download the release from GitHub.
+This Homebrew path is intended for:
+
+- Apple Silicon (`arm64`) Macs
+- macOS installs that should not require a full Xcode.app build dependency
+
+Intel Macs are not a target for this Homebrew distribution path.
 
 Install direnv with Homebrew:
 
@@ -58,26 +63,25 @@ pipx install envrcctl
 uv tool install envrcctl
 ```
 
-### From source (macOS/Linux)
-
-```sh
-git clone <REPO_URL>
-cd envrcctl
-uv sync
-uv run python -m envrcctl.main --help
-```
-
-### Build the macOS auth helper (macOS only)
+### About the macOS auth helper (Apple Silicon macOS only)
 
 The macOS device owner authentication flow requires a native helper named
 `envrcctl-macos-auth`.
 
-Build it and place the binary at either:
+Homebrew on Apple Silicon is intended to install this helper automatically, so
+you should not need to build it yourself in the common case.
+
+Manual helper installation is still useful when:
+
+- you want to place the helper in a custom location
+- you are not using the Apple Silicon Homebrew distribution path
+
+If you are building the helper yourself, use Apple Silicon (`arm64`) macOS and place the binary at either:
 
 - `src/envrcctl/envrcctl-macos-auth`
 - or a custom path set via `ENVRCCTL_MACOS_AUTH_HELPER`
 
-Example build flow:
+Example build flow on Apple Silicon macOS:
 
 ```sh
 swiftc -O -framework LocalAuthentication -framework Security \
@@ -86,20 +90,6 @@ swiftc -O -framework LocalAuthentication -framework Security \
 chmod +x src/envrcctl/envrcctl-macos-auth
 ```
 
-You can also use the repository build script:
-
-```sh
-sh scripts/build_macos_auth_helper.sh
-```
-
-If you want to write the helper to a custom location, pass the source and output paths explicitly:
-
-```sh
-sh scripts/build_macos_auth_helper.sh \
-  scripts/macos/envrcctl-macos-auth.swift \
-  /usr/local/bin/envrcctl-macos-auth
-```
-
 If you install the helper elsewhere, set:
 
 ```sh
@@ -346,12 +336,7 @@ uv run python scripts/generate_completions.py
 - Audit integrity is based on a hash chain and can be checked with `envrcctl audit verify`
 - The tool refuses to write to world-writable `.envrc`
 
-## Development
 
-```sh
-uv sync
-.venv/bin/envrcctl --help
-```
 
 ## Acknowledgements
 

envrcctl-0.2.2/pyproject.toml

@@ -0,0 +1,56 @@
+[project]
+name = "envrcctl"
+version = "0.2.2"
+description = "Manage .envrc with managed blocks and OS-backed secrets."
+readme = { file = "README.md", content-type = "text/markdown" }
+license = { file = "LICENSE" }
+requires-python = ">=3.14"
+authors = [
+    { name = "Rio Fujita", email = "rio_github@rio.st" },
+]
+dependencies = [
+    "typer>=0.24.1",
+]
+
+[tool.uv.build-backend]
+module-root = "src"
+source-include = [
+    "completions/**",
+]
+
+[project.urls]
+Homepage = "https://github.com/rioriost/envrcctl"
+Issues = "https://github.com/rioriost/envrcctl/issues"
+Repository = "https://github.com/rioriost/envrcctl"
+
+[project.scripts]
+envrcctl = "envrcctl.main:main"
+
+[project.optional-dependencies]
+test = [
+    "pytest>=9",
+    "pytest-cov>=7",
+    "bandit>=1.7.10",
+]
+
+[dependency-groups]
+dev = [
+    "build>=1.2.2",
+    "twine>=6.1.0",
+    "ruff>=0.12.0",
+]
+
+[build-system]
+requires = ["uv_build>=0.9.27,<0.10.0"]
+build-backend = "uv_build"
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+python_files = ["test_*.py"]
+
+[tool.ruff]
+line-length = 100
+target-version = "py314"
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "B", "UP"]

{envrcctl-0.2.0 → envrcctl-0.2.2}/src/envrcctl/cli.py

@@ -217,17 +217,13 @@ def _write_envrc(doc, block: ManagedBlock) -> None:
     _ensure_not_world_writable(path)
     warn = write_envrc(path, doc, block)
     if warn:
-        raise EnvrcctlError(
-            ".envrc is world-writable after write. Fix permissions and retry."
-        )
+        raise EnvrcctlError(".envrc is world-writable after write. Fix permissions and retry.")
 
 
 @app.command()
 def init(
     yes: bool = typer.Option(False, "--yes", help="Confirm modifying existing .envrc."),
-    inject: bool = typer.Option(
-        False, "--inject", help="Add inject line to managed block."
-    ),
+    inject: bool = typer.Option(False, "--inject", help="Add inject line to managed block."),
 ) -> None:
     """Create .envrc if missing and insert managed block."""
 
@@ -264,9 +260,7 @@ def inherit(state: str = typer.Argument(..., help="on/off")) -> None:
 def set(
     var: str,
     value: str,
-    inject: bool = typer.Option(
-        False, "--inject", help="Add inject line to managed block."
-    ),
+    inject: bool = typer.Option(False, "--inject", help="Add inject line to managed block."),
 ) -> None:
     """Set a non-secret export in the managed block."""
 
@@ -329,14 +323,10 @@ def list_exports() -> None:
 def secret_set(
     var: str,
     account: str = typer.Option(..., "--account", help="Keychain account name."),
-    service: str = typer.Option(
-        DEFAULT_SERVICE, "--service", help="Keychain service name."
-    ),
+    service: str = typer.Option(DEFAULT_SERVICE, "--service", help="Keychain service name."),
     kind: str = typer.Option("runtime", "--kind", help="Secret kind (runtime/admin)."),
     stdin: bool = typer.Option(False, "--stdin", help="Read secret from stdin."),
-    inject: bool = typer.Option(
-        False, "--inject", help="Add inject line to managed block."
-    ),
+    inject: bool = typer.Option(False, "--inject", help="Add inject line to managed block."),
 ) -> None:
     """Store a secret and add its reference to the managed block."""
 
@@ -380,8 +370,7 @@ def secret_unset(var: str) -> None:
         parsed = parse_ref(ref)
 
         shared_ref_in_use = any(
-            name != var and other_ref == ref
-            for name, other_ref in block.secret_refs.items()
+            name != var and other_ref == ref for name, other_ref in block.secret_refs.items()
         )
 
         if not shared_ref_in_use:
@@ -448,9 +437,7 @@ def secret_get(
                 typer.echo(value)
                 return
 
-            auth_reason = _require_secret_access_auth(
-                f"Access secret {var} with envrcctl"
-            )
+            auth_reason = _require_secret_access_auth(f"Access secret {var} with envrcctl")
             value = _get_secret_value(backend, parsed, auth_reason)
             _record_secret_access_event(
                 action="secret_get",
@@ -556,9 +543,7 @@ def exec_cmd(
         command = list(ctx.args)
         try:
             if not ctx.args:
-                raise EnvrcctlError(
-                    "No command provided. Use -- to separate the command."
-                )
+                raise EnvrcctlError("No command provided. Use -- to separate the command.")
             if not _is_interactive():
                 if sys.platform == "darwin":
                     raise EnvrcctlError(
@@ -575,9 +560,7 @@ def exec_cmd(
                 missing = selected_keys - available_keys
                 if missing:
                     missing_list = ", ".join(sorted(missing))
-                    raise EnvrcctlError(
-                        f"Secrets not found in managed block: {missing_list}"
-                    )
+                    raise EnvrcctlError(f"Secrets not found in managed block: {missing_list}")
 
             env = os.environ.copy()
             for name, value in block.exports.items():
@@ -634,9 +617,7 @@ def audit_list(
     action: str | None = typer.Option(None, "--action", help="Filter by audit action."),
     var: str | None = typer.Option(None, "--var", help="Filter by variable name."),
     status: str | None = typer.Option(None, "--status", help="Filter by audit status."),
-    json_output: bool = typer.Option(
-        False, "--json", help="Emit matching events as JSON."
-    ),
+    json_output: bool = typer.Option(False, "--json", help="Emit matching events as JSON."),
 ) -> None:
     """List recent audit events."""
 
@@ -713,9 +694,7 @@ def audit_show(
     index: int | None = typer.Option(
         None, "--index", min=0, help="Show an event by zero-based index."
     ),
-    json_output: bool = typer.Option(
-        False, "--json", help="Emit the selected event as JSON."
-    ),
+    json_output: bool = typer.Option(False, "--json", help="Emit the selected event as JSON."),
 ) -> None:
     """Show one audit event in detail."""
 
@@ -911,9 +890,7 @@ def doctor() -> None:
             )
             warnings += 1
 
-        before_clean, before_exports, before_secrets = extract_unmanaged_exports(
-            doc.before
-        )
+        before_clean, before_exports, before_secrets = extract_unmanaged_exports(doc.before)
         after_clean, after_exports, after_secrets = extract_unmanaged_exports(doc.after)
         unmanaged = {**before_exports, **after_exports}
         unmanaged_secrets = {**before_secrets, **after_secrets}
@@ -983,12 +960,8 @@ def doctor() -> None:
 
 @app.command()
 def migrate(
-    yes: bool = typer.Option(
-        False, "--yes", help="Confirm migrating unmanaged exports."
-    ),
-    inject: bool = typer.Option(
-        False, "--inject", help="Add inject line to managed block."
-    ),
+    yes: bool = typer.Option(False, "--yes", help="Confirm migrating unmanaged exports."),
+    inject: bool = typer.Option(False, "--inject", help="Add inject line to managed block."),
 ) -> None:
     """Move unmanaged exports into the managed block."""
 
@@ -999,9 +972,7 @@ def migrate(
         doc = load_envrc(path)
         block = ensure_managed_block(doc)
 
-        before_clean, before_exports, before_secrets = extract_unmanaged_exports(
-            doc.before
-        )
+        before_clean, before_exports, before_secrets = extract_unmanaged_exports(doc.before)
         after_clean, after_exports, after_secrets = extract_unmanaged_exports(doc.after)
 
         if before_exports or after_exports or before_secrets or after_secrets:

envrcctl-0.2.0/.gitignore

@@ -1,11 +0,0 @@
-
-.venv/
-.agent/
-.rules
-__pycache__/
-*.py[cod]
-.pytest_cache/
-.coverage
-htmlcov/
-.DS_Store
-.envrc

envrcctl-0.2.0/pyproject.toml

@@ -1,31 +0,0 @@
-[project]
-name = "envrcctl"
-version = "0.2.0"
-description = "Manage .envrc with managed blocks and OS-backed secrets."
-readme = "README.md"
-license = { file = "LICENSE" }
-requires-python = ">=3.14"
-dependencies = [
-    "typer>=0.24.1",
-]
-
-[project.scripts]
-envrcctl = "envrcctl.main:main"
-
-[build-system]
-requires = ["hatchling>=1.24.2"]
-build-backend = "hatchling.build"
-
-[tool.hatch.build.targets.wheel]
-packages = ["src/envrcctl"]
-include = ["completions/**", "src/envrcctl/envrcctl-macos-auth"]
-
-[tool.hatch.build.targets.sdist]
-include = ["src/envrcctl/**", "completions/**", "scripts/**", "README.md", "LICENSE", "pyproject.toml"]
-
-[project.optional-dependencies]
-test = [
-    "pytest>=9.0.2",
-    "pytest-cov>=7.0.0",
-    "bandit>=1.7.10",
-]

envrcctl-0.2.0/scripts/build_macos_auth_helper.sh

@@ -1,43 +0,0 @@
-#!/bin/sh
-set -eu
-
-SCRIPT_DIR="$(CDPATH= cd -- "$(dirname "$0")" && pwd)"
-REPO_ROOT="$(CDPATH= cd -- "$SCRIPT_DIR/.." && pwd)"
-SWIFT_SOURCE="${1:-$REPO_ROOT/scripts/macos/envrcctl-macos-auth.swift}"
-OUTPUT_PATH="${2:-$REPO_ROOT/src/envrcctl/envrcctl-macos-auth}"
-
-if [ "$(uname -s)" != "Darwin" ]; then
-  echo "This helper can only be built on macOS." >&2
-  exit 1
-fi
-
-if ! command -v swiftc >/dev/null 2>&1; then
-  echo "swiftc not found. Install Xcode Command Line Tools first." >&2
-  exit 1
-fi
-
-if [ ! -f "$SWIFT_SOURCE" ]; then
-  echo "Swift source not found: $SWIFT_SOURCE" >&2
-  echo "Pass the source path as the first argument or create scripts/macos/envrcctl-macos-auth.swift." >&2
-  exit 1
-fi
-
-mkdir -p "$(dirname "$OUTPUT_PATH")"
-
-echo "Building macOS auth helper..."
-echo "  source: $SWIFT_SOURCE"
-echo "  output: $OUTPUT_PATH"
-
-swiftc \
-  -O \
-  -framework LocalAuthentication \
-  -framework Security \
-  "$SWIFT_SOURCE" \
-  -o "$OUTPUT_PATH"
-
-chmod 755 "$OUTPUT_PATH"
-
-echo "Build complete: $OUTPUT_PATH"
-echo
-echo "You can override the helper path at runtime with:"
-echo "  ENVRCCTL_MACOS_AUTH_HELPER=$OUTPUT_PATH"

envrcctl-0.2.0/scripts/generate_completions.py

@@ -1,35 +0,0 @@
-from __future__ import annotations
-
-from pathlib import Path
-
-from click.shell_completion import get_completion_class
-from typer.main import get_command
-
-from envrcctl.cli import app
-
-SHELLS = ("bash", "zsh", "fish")
-
-
-def main() -> None:
-    repo_root = Path(__file__).resolve().parents[1]
-    output_dir = repo_root / "completions"
-    output_dir.mkdir(parents=True, exist_ok=True)
-
-    command = get_command(app)
-    complete_var = "_ENVRCCTL_COMPLETE"
-
-    for shell in SHELLS:
-        comp_cls = get_completion_class(shell)
-        if comp_cls is None:
-            raise RuntimeError(f"Unsupported shell: {shell}")
-        comp = comp_cls(command, {}, "envrcctl", complete_var)
-        content = comp.source()
-        if not content.strip():
-            raise RuntimeError(f"Failed to generate {shell} completion.")
-        if not content.endswith("\n"):
-            content += "\n"
-        (output_dir / f"envrcctl.{shell}").write_text(content, encoding="utf-8")
-
-
-if __name__ == "__main__":
-    main()

envrcctl-0.2.0/scripts/macos/envrcctl-macos-auth.swift

@@ -1,340 +0,0 @@
-import Foundation
-import LocalAuthentication
-import Security
-
-enum HelperError: Error, LocalizedError {
-    case invalidArguments(String)
-    case authenticationUnavailable(String)
-    case authenticationFailed(String)
-    case keychainFailure(String)
-    case decodeFailure
-    case inputReadFailure(String)
-    case outputEncodeFailure
-
-    var errorDescription: String? {
-        switch self {
-        case .invalidArguments(let message):
-            return message
-        case .authenticationUnavailable(let message):
-            return message
-        case .authenticationFailed(let message):
-            return message
-        case .keychainFailure(let message):
-            return message
-        case .decodeFailure:
-            return "Keychain item contains non-UTF-8 data."
-        case .inputReadFailure(let message):
-            return message
-        case .outputEncodeFailure:
-            return "Failed to encode JSON response."
-        }
-    }
-}
-
-struct Arguments {
-    let authorizeOnly: Bool
-    let service: String?
-    let account: String?
-    let inputJSONPath: String?
-    let reason: String
-}
-
-struct BulkRequest: Decodable {
-    let items: [BulkRequestItem]
-}
-
-struct BulkRequestItem: Decodable {
-    let service: String
-    let account: String
-}
-
-struct BulkResponse: Encodable {
-    let items: [BulkResponseItem]
-}
-
-struct BulkResponseItem: Encodable {
-    let service: String
-    let account: String
-    let value: String
-}
-
-private func printErrorAndExit(_ error: Error) -> Never {
-    let message: String
-    if let helperError = error as? LocalizedError, let description = helperError.errorDescription {
-        message = description
-    } else {
-        message = "macOS authentication helper failed."
-    }
-    FileHandle.standardError.write(Data((message + "\n").utf8))
-    exit(1)
-}
-
-private func printHelpAndExit() -> Never {
-    let help = """
-        Usage:
-          envrcctl-macos-auth --authorize-only --reason <text>
-          envrcctl-macos-auth --service <service> --account <account> --reason <text>
-          envrcctl-macos-auth --input-json <path|- > --reason <text>
-
-        Options:
-          --authorize-only   Require device owner authentication only.
-          --service          Keychain service name.
-          --account          Keychain account name.
-          --input-json       JSON file path or '-' for stdin for bulk reads.
-          --reason           Localized reason shown in the auth prompt.
-          --help             Show this help.
-
-        Bulk JSON input:
-          {
-            "items": [
-              { "service": "st.rio.envrcctl", "account": "openai:prod" },
-              { "service": "st.rio.envrcctl", "account": "github:prod" }
-            ]
-          }
-        """
-    print(help)
-    exit(0)
-}
-
-private func parseArguments(_ argv: [String]) throws -> Arguments {
-    var authorizeOnly = false
-    var service: String?
-    var account: String?
-    var inputJSONPath: String?
-    var reason: String?
-
-    var index = 1
-    while index < argv.count {
-        let arg = argv[index]
-        switch arg {
-        case "--authorize-only":
-            authorizeOnly = true
-            index += 1
-        case "--service":
-            guard index + 1 < argv.count else {
-                throw HelperError.invalidArguments("Missing value for --service.")
-            }
-            service = argv[index + 1]
-            index += 2
-        case "--account":
-            guard index + 1 < argv.count else {
-                throw HelperError.invalidArguments("Missing value for --account.")
-            }
-            account = argv[index + 1]
-            index += 2
-        case "--input-json":
-            guard index + 1 < argv.count else {
-                throw HelperError.invalidArguments("Missing value for --input-json.")
-            }
-            inputJSONPath = argv[index + 1]
-            index += 2
-        case "--reason":
-            guard index + 1 < argv.count else {
-                throw HelperError.invalidArguments("Missing value for --reason.")
-            }
-            reason = argv[index + 1]
-            index += 2
-        case "--help", "-h":
-            printHelpAndExit()
-        default:
-            throw HelperError.invalidArguments("Unknown argument: \(arg)")
-        }
-    }
-
-    guard let reason, !reason.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty else {
-        throw HelperError.invalidArguments("A non-empty --reason is required.")
-    }
-
-    if authorizeOnly {
-        if service != nil || account != nil || inputJSONPath != nil {
-            throw HelperError.invalidArguments(
-                "--authorize-only cannot be combined with --service, --account, or --input-json."
-            )
-        }
-        return Arguments(
-            authorizeOnly: true,
-            service: nil,
-            account: nil,
-            inputJSONPath: nil,
-            reason: reason
-        )
-    }
-
-    let hasSingle = service != nil || account != nil
-    let hasBulk = inputJSONPath != nil
-
-    if hasSingle && hasBulk {
-        throw HelperError.invalidArguments(
-            "--input-json cannot be combined with --service or --account."
-        )
-    }
-
-    if hasBulk {
-        return Arguments(
-            authorizeOnly: false,
-            service: nil,
-            account: nil,
-            inputJSONPath: inputJSONPath,
-            reason: reason
-        )
-    }
-
-    guard let service, !service.isEmpty else {
-        throw HelperError.invalidArguments("--service is required.")
-    }
-    guard let account, !account.isEmpty else {
-        throw HelperError.invalidArguments("--account is required.")
-    }
-
-    return Arguments(
-        authorizeOnly: false,
-        service: service,
-        account: account,
-        inputJSONPath: nil,
-        reason: reason
-    )
-}
-
-private func authenticate(reason: String) throws -> LAContext {
-    let context = LAContext()
-    context.localizedCancelTitle = "Cancel"
-
-    var canEvaluateError: NSError?
-    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &canEvaluateError) else {
-        let message =
-            canEvaluateError?.localizedDescription
-            ?? "Device owner authentication is unavailable."
-        throw HelperError.authenticationUnavailable(message)
-    }
-
-    let semaphore = DispatchSemaphore(value: 0)
-    var authError: Error?
-
-    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
-        if !success {
-            authError = error ?? HelperError.authenticationFailed("Authentication failed.")
-        }
-        semaphore.signal()
-    }
-
-    semaphore.wait()
-
-    if let authError {
-        if let laError = authError as? LAError {
-            switch laError.code {
-            case .userCancel, .userFallback, .systemCancel, .appCancel:
-                throw HelperError.authenticationFailed("Authentication cancelled.")
-            default:
-                throw HelperError.authenticationFailed(laError.localizedDescription)
-            }
-        }
-        throw HelperError.authenticationFailed(authError.localizedDescription)
-    }
-
-    return context
-}
-
-private func readSecret(service: String, account: String, context: LAContext) throws -> String {
-    let query: [String: Any] = [
-        kSecClass as String: kSecClassGenericPassword,
-        kSecAttrService as String: service,
-        kSecAttrAccount as String: account,
-        kSecReturnData as String: true,
-        kSecMatchLimit as String: kSecMatchLimitOne,
-        kSecUseAuthenticationContext as String: context,
-    ]
-
-    var item: CFTypeRef?
-    let status = SecItemCopyMatching(query as CFDictionary, &item)
-
-    guard status == errSecSuccess else {
-        let message = SecCopyErrorMessageString(status, nil) as String? ?? "Keychain read failed."
-        throw HelperError.keychainFailure(message)
-    }
-
-    guard let data = item as? Data else {
-        throw HelperError.keychainFailure("Keychain returned an unexpected item type.")
-    }
-    guard let value = String(data: data, encoding: .utf8) else {
-        throw HelperError.decodeFailure
-    }
-    return value
-}
-
-private func readBulkRequest(from path: String) throws -> BulkRequest {
-    let data: Data
-    if path == "-" {
-        data = FileHandle.standardInput.readDataToEndOfFile()
-        if data.isEmpty {
-            throw HelperError.inputReadFailure("No JSON input received on stdin.")
-        }
-    } else {
-        let url = URL(fileURLWithPath: path)
-        do {
-            data = try Data(contentsOf: url)
-        } catch {
-            throw HelperError.inputReadFailure("Failed to read JSON input: \(path)")
-        }
-    }
-
-    do {
-        let request = try JSONDecoder().decode(BulkRequest.self, from: data)
-        if request.items.isEmpty {
-            throw HelperError.invalidArguments("Bulk JSON input must include at least one item.")
-        }
-        for item in request.items {
-            if item.service.isEmpty || item.account.isEmpty {
-                throw HelperError.invalidArguments(
-                    "Each bulk request item must include non-empty service and account values."
-                )
-            }
-        }
-        return request
-    } catch let helperError as HelperError {
-        throw helperError
-    } catch {
-        throw HelperError.invalidArguments("Failed to decode bulk JSON input.")
-    }
-}
-
-private func writeBulkResponse(_ response: BulkResponse) throws {
-    let encoder = JSONEncoder()
-    encoder.outputFormatting = [.sortedKeys]
-    guard let data = try? encoder.encode(response) else {
-        throw HelperError.outputEncodeFailure
-    }
-    FileHandle.standardOutput.write(data)
-}
-
-do {
-    let args = try parseArguments(CommandLine.arguments)
-    let context = try authenticate(reason: args.reason)
-
-    if args.authorizeOnly {
-        exit(0)
-    }
-
-    if let inputJSONPath = args.inputJSONPath {
-        let request = try readBulkRequest(from: inputJSONPath)
-        let items = try request.items.map { item in
-            BulkResponseItem(
-                service: item.service,
-                account: item.account,
-                value: try readSecret(
-                    service: item.service, account: item.account, context: context)
-            )
-        }
-        try writeBulkResponse(BulkResponse(items: items))
-        exit(0)
-    }
-
-    guard let service = args.service, let account = args.account else {
-        throw HelperError.invalidArguments("Both --service and --account are required.")
-    }
-
-    let secret = try readSecret(service: service, account: account, context: context)
-    FileHandle.standardOutput.write(Data(secret.utf8))
-    exit(0)
-} catch {
-    printErrorAndExit(error)
-}