PyPI - envrcctl - Versions diffs - 0.2.1__tar.gz → 0.2.2__tar.gz - Mend

envrcctl 0.2.1tar.gz → 0.2.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

{envrcctl-0.2.1 → envrcctl-0.2.2}/PKG-INFO RENAMED Viewed

@@ -1,35 +1,39 @@
-Metadata-Version: 2.4
+Metadata-Version: 2.3
 Name: envrcctl
-Version: 0.2.1
+Version: 0.2.2
 Summary: Manage .envrc with managed blocks and OS-backed secrets.
+Author: Rio Fujita
+Author-email: Rio Fujita <rio_github@rio.st>
 License: MIT License
-        Copyright (c) 2026 Rio Fujita
-        Permission is hereby granted, free of charge, to any person obtaining a copy
-        of this software and associated documentation files (the "Software"), to deal
-        in the Software without restriction, including without limitation the rights
-        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-        copies of the Software, and to permit persons to whom the Software is
-        furnished to do so, subject to the following conditions:
-        The above copyright notice and this permission notice shall be included in all
-        copies or substantial portions of the Software.
-        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-        SOFTWARE.
-License-File: LICENSE
-Requires-Python: >=3.14
+         Copyright (c) 2026 Rio Fujita
+         Permission is hereby granted, free of charge, to any person obtaining a copy
+         of this software and associated documentation files (the "Software"), to deal
+         in the Software without restriction, including without limitation the rights
+         to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+         copies of the Software, and to permit persons to whom the Software is
+         furnished to do so, subject to the following conditions:
+         The above copyright notice and this permission notice shall be included in all
+         copies or substantial portions of the Software.
+         THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+         IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+         FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+         AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+         LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+         OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+         SOFTWARE.
 Requires-Dist: typer>=0.24.1
+Requires-Dist: pytest>=9 ; extra == 'test'
+Requires-Dist: pytest-cov>=7 ; extra == 'test'
+Requires-Dist: bandit>=1.7.10 ; extra == 'test'
+Requires-Python: >=3.14
+Project-URL: Homepage, https://github.com/rioriost/envrcctl
+Project-URL: Issues, https://github.com/rioriost/envrcctl/issues
+Project-URL: Repository, https://github.com/rioriost/envrcctl
 Provides-Extra: test
-Requires-Dist: bandit>=1.7.10; extra == 'test'
-Requires-Dist: pytest-cov>=7.0.0; extra == 'test'
-Requires-Dist: pytest>=9.0.2; extra == 'test'
 Description-Content-Type: text/markdown
 # envrcctl
@@ -68,23 +72,17 @@ It is designed for macOS first, with Linux support via SecretService.
 Tap and install:
 ```sh
-brew tap rioriost/envrcctl
+brew tap rioriost/tap
 brew install envrcctl
 ```
-For the next patch release, the Homebrew formula is intended to install a
-prebuilt Apple Silicon macOS authentication helper from a GitHub release
-`tar.gz` asset instead of compiling it at install time.
-This Homebrew path is therefore intended for:
+This Homebrew path is intended for:
 - Apple Silicon (`arm64`) Macs
 - macOS installs that should not require a full Xcode.app build dependency
 Intel Macs are not a target for this Homebrew distribution path.
-After release, Homebrew will download the release from GitHub.
 Install direnv with Homebrew:
 ```sh
@@ -103,42 +101,25 @@ pipx install envrcctl
 uv tool install envrcctl
 ```
-### From source (macOS/Linux)
-```sh
-git clone <REPO_URL>
-cd envrcctl
-uv sync
-uv run python -m envrcctl.main --help
-```
-### Build the macOS auth helper manually (macOS only)
+### About the macOS auth helper (Apple Silicon macOS only)
 The macOS device owner authentication flow requires a native helper named
 `envrcctl-macos-auth`.
-On Apple Silicon macOS, the Homebrew installation path for the next patch
-release is intended to install a prebuilt helper automatically from a GitHub
-release `tar.gz` asset, so you should not need to compile it yourself in the
-common case.
+Homebrew on Apple Silicon is intended to install this helper automatically, so
+you should not need to build it yourself in the common case.
 Manual helper installation is still useful when:
-- you are running from source
-- you are developing on this repository
 - you want to place the helper in a custom location
 - you are not using the Apple Silicon Homebrew distribution path
-The Homebrew release asset is expected to be named
-`envrcctl-macos-auth-arm64.tar.gz` and to contain an executable named
-`envrcctl-macos-auth`.
-If you are building the helper yourself, place the binary at either:
+If you are building the helper yourself, use Apple Silicon (`arm64`) macOS and place the binary at either:
 - `src/envrcctl/envrcctl-macos-auth`
 - or a custom path set via `ENVRCCTL_MACOS_AUTH_HELPER`
-Example build flow:
+Example build flow on Apple Silicon macOS:
 ```sh
 swiftc -O -framework LocalAuthentication -framework Security \
@@ -147,20 +128,6 @@ swiftc -O -framework LocalAuthentication -framework Security \
 chmod +x src/envrcctl/envrcctl-macos-auth
 ```
-You can also use the repository build script:
-```sh
-sh scripts/build_macos_auth_helper.sh
-```
-If you want to write the helper to a custom location, pass the source and output paths explicitly:
-```sh
-sh scripts/build_macos_auth_helper.sh \
-  scripts/macos/envrcctl-macos-auth.swift \
-  /usr/local/bin/envrcctl-macos-auth
-```
 If you install the helper elsewhere, set:
 ```sh
@@ -407,12 +374,7 @@ uv run python scripts/generate_completions.py
 - Audit integrity is based on a hash chain and can be checked with `envrcctl audit verify`
 - The tool refuses to write to world-writable `.envrc`
-## Development
-```sh
-uv sync
-.venv/bin/envrcctl --help
-```
 ## Acknowledgements

{envrcctl-0.2.1 → envrcctl-0.2.2}/README.md RENAMED Viewed

@@ -34,23 +34,17 @@ It is designed for macOS first, with Linux support via SecretService.
 Tap and install:
 ```sh
-brew tap rioriost/envrcctl
+brew tap rioriost/tap
 brew install envrcctl
 ```
-For the next patch release, the Homebrew formula is intended to install a
-prebuilt Apple Silicon macOS authentication helper from a GitHub release
-`tar.gz` asset instead of compiling it at install time.
-This Homebrew path is therefore intended for:
+This Homebrew path is intended for:
 - Apple Silicon (`arm64`) Macs
 - macOS installs that should not require a full Xcode.app build dependency
 Intel Macs are not a target for this Homebrew distribution path.
-After release, Homebrew will download the release from GitHub.
 Install direnv with Homebrew:
 ```sh
@@ -69,42 +63,25 @@ pipx install envrcctl
 uv tool install envrcctl
 ```
-### From source (macOS/Linux)
-```sh
-git clone <REPO_URL>
-cd envrcctl
-uv sync
-uv run python -m envrcctl.main --help
-```
-### Build the macOS auth helper manually (macOS only)
+### About the macOS auth helper (Apple Silicon macOS only)
 The macOS device owner authentication flow requires a native helper named
 `envrcctl-macos-auth`.
-On Apple Silicon macOS, the Homebrew installation path for the next patch
-release is intended to install a prebuilt helper automatically from a GitHub
-release `tar.gz` asset, so you should not need to compile it yourself in the
-common case.
+Homebrew on Apple Silicon is intended to install this helper automatically, so
+you should not need to build it yourself in the common case.
 Manual helper installation is still useful when:
-- you are running from source
-- you are developing on this repository
 - you want to place the helper in a custom location
 - you are not using the Apple Silicon Homebrew distribution path
-The Homebrew release asset is expected to be named
-`envrcctl-macos-auth-arm64.tar.gz` and to contain an executable named
-`envrcctl-macos-auth`.
-If you are building the helper yourself, place the binary at either:
+If you are building the helper yourself, use Apple Silicon (`arm64`) macOS and place the binary at either:
 - `src/envrcctl/envrcctl-macos-auth`
 - or a custom path set via `ENVRCCTL_MACOS_AUTH_HELPER`
-Example build flow:
+Example build flow on Apple Silicon macOS:
 ```sh
 swiftc -O -framework LocalAuthentication -framework Security \
@@ -113,20 +90,6 @@ swiftc -O -framework LocalAuthentication -framework Security \
 chmod +x src/envrcctl/envrcctl-macos-auth
 ```
-You can also use the repository build script:
-```sh
-sh scripts/build_macos_auth_helper.sh
-```
-If you want to write the helper to a custom location, pass the source and output paths explicitly:
-```sh
-sh scripts/build_macos_auth_helper.sh \
-  scripts/macos/envrcctl-macos-auth.swift \
-  /usr/local/bin/envrcctl-macos-auth
-```
 If you install the helper elsewhere, set:
 ```sh
@@ -373,12 +336,7 @@ uv run python scripts/generate_completions.py
 - Audit integrity is based on a hash chain and can be checked with `envrcctl audit verify`
 - The tool refuses to write to world-writable `.envrc`
-## Development
-```sh
-uv sync
-.venv/bin/envrcctl --help
-```
 ## Acknowledgements

envrcctl-0.2.2/pyproject.toml ADDED Viewed

@@ -0,0 +1,56 @@
+[project]
+name = "envrcctl"
+version = "0.2.2"
+description = "Manage .envrc with managed blocks and OS-backed secrets."
+readme = { file = "README.md", content-type = "text/markdown" }
+license = { file = "LICENSE" }
+requires-python = ">=3.14"
+authors = [
+    { name = "Rio Fujita", email = "rio_github@rio.st" },
+]
+dependencies = [
+    "typer>=0.24.1",
+]
+[tool.uv.build-backend]
+module-root = "src"
+source-include = [
+    "completions/**",
+]
+[project.urls]
+Homepage = "https://github.com/rioriost/envrcctl"
+Issues = "https://github.com/rioriost/envrcctl/issues"
+Repository = "https://github.com/rioriost/envrcctl"
+[project.scripts]
+envrcctl = "envrcctl.main:main"
+[project.optional-dependencies]
+test = [
+    "pytest>=9",
+    "pytest-cov>=7",
+    "bandit>=1.7.10",
+]
+[dependency-groups]
+dev = [
+    "build>=1.2.2",
+    "twine>=6.1.0",
+    "ruff>=0.12.0",
+]
+[build-system]
+requires = ["uv_build>=0.9.27,<0.10.0"]
+build-backend = "uv_build"
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+python_files = ["test_*.py"]
+[tool.ruff]
+line-length = 100
+target-version = "py314"
+[tool.ruff.lint]
+select = ["E", "F", "I", "B", "UP"]

{envrcctl-0.2.1 → envrcctl-0.2.2}/src/envrcctl/cli.py RENAMED Viewed

@@ -217,17 +217,13 @@ def _write_envrc(doc, block: ManagedBlock) -> None:
     _ensure_not_world_writable(path)
     warn = write_envrc(path, doc, block)
     if warn:
-        raise EnvrcctlError(
-            ".envrc is world-writable after write. Fix permissions and retry."
-        )
+        raise EnvrcctlError(".envrc is world-writable after write. Fix permissions and retry.")
 @app.command()
 def init(
     yes: bool = typer.Option(False, "--yes", help="Confirm modifying existing .envrc."),
-    inject: bool = typer.Option(
-        False, "--inject", help="Add inject line to managed block."
-    ),
+    inject: bool = typer.Option(False, "--inject", help="Add inject line to managed block."),
 ) -> None:
     """Create .envrc if missing and insert managed block."""
@@ -264,9 +260,7 @@ def inherit(state: str = typer.Argument(..., help="on/off")) -> None:
 def set(
     var: str,
     value: str,
-    inject: bool = typer.Option(
-        False, "--inject", help="Add inject line to managed block."
-    ),
+    inject: bool = typer.Option(False, "--inject", help="Add inject line to managed block."),
 ) -> None:
     """Set a non-secret export in the managed block."""
@@ -329,14 +323,10 @@ def list_exports() -> None:
 def secret_set(
     var: str,
     account: str = typer.Option(..., "--account", help="Keychain account name."),
-    service: str = typer.Option(
-        DEFAULT_SERVICE, "--service", help="Keychain service name."
-    ),
+    service: str = typer.Option(DEFAULT_SERVICE, "--service", help="Keychain service name."),
     kind: str = typer.Option("runtime", "--kind", help="Secret kind (runtime/admin)."),
     stdin: bool = typer.Option(False, "--stdin", help="Read secret from stdin."),
-    inject: bool = typer.Option(
-        False, "--inject", help="Add inject line to managed block."
-    ),
+    inject: bool = typer.Option(False, "--inject", help="Add inject line to managed block."),
 ) -> None:
     """Store a secret and add its reference to the managed block."""
@@ -380,8 +370,7 @@ def secret_unset(var: str) -> None:
         parsed = parse_ref(ref)
         shared_ref_in_use = any(
-            name != var and other_ref == ref
-            for name, other_ref in block.secret_refs.items()
+            name != var and other_ref == ref for name, other_ref in block.secret_refs.items()
         )
         if not shared_ref_in_use:
@@ -448,9 +437,7 @@ def secret_get(
                 typer.echo(value)
                 return
-            auth_reason = _require_secret_access_auth(
-                f"Access secret {var} with envrcctl"
-            )
+            auth_reason = _require_secret_access_auth(f"Access secret {var} with envrcctl")
             value = _get_secret_value(backend, parsed, auth_reason)
             _record_secret_access_event(
                 action="secret_get",
@@ -556,9 +543,7 @@ def exec_cmd(
         command = list(ctx.args)
         try:
             if not ctx.args:
-                raise EnvrcctlError(
-                    "No command provided. Use -- to separate the command."
-                )
+                raise EnvrcctlError("No command provided. Use -- to separate the command.")
             if not _is_interactive():
                 if sys.platform == "darwin":
                     raise EnvrcctlError(
@@ -575,9 +560,7 @@ def exec_cmd(
                 missing = selected_keys - available_keys
                 if missing:
                     missing_list = ", ".join(sorted(missing))
-                    raise EnvrcctlError(
-                        f"Secrets not found in managed block: {missing_list}"
-                    )
+                    raise EnvrcctlError(f"Secrets not found in managed block: {missing_list}")
             env = os.environ.copy()
             for name, value in block.exports.items():
@@ -634,9 +617,7 @@ def audit_list(
     action: str | None = typer.Option(None, "--action", help="Filter by audit action."),
     var: str | None = typer.Option(None, "--var", help="Filter by variable name."),
     status: str | None = typer.Option(None, "--status", help="Filter by audit status."),
-    json_output: bool = typer.Option(
-        False, "--json", help="Emit matching events as JSON."
-    ),
+    json_output: bool = typer.Option(False, "--json", help="Emit matching events as JSON."),
 ) -> None:
     """List recent audit events."""
@@ -713,9 +694,7 @@ def audit_show(
     index: int | None = typer.Option(
         None, "--index", min=0, help="Show an event by zero-based index."
     ),
-    json_output: bool = typer.Option(
-        False, "--json", help="Emit the selected event as JSON."
-    ),
+    json_output: bool = typer.Option(False, "--json", help="Emit the selected event as JSON."),
 ) -> None:
     """Show one audit event in detail."""
@@ -911,9 +890,7 @@ def doctor() -> None:
             )
             warnings += 1
-        before_clean, before_exports, before_secrets = extract_unmanaged_exports(
-            doc.before
-        )
+        before_clean, before_exports, before_secrets = extract_unmanaged_exports(doc.before)
         after_clean, after_exports, after_secrets = extract_unmanaged_exports(doc.after)
         unmanaged = {**before_exports, **after_exports}
         unmanaged_secrets = {**before_secrets, **after_secrets}
@@ -983,12 +960,8 @@ def doctor() -> None:
 @app.command()
 def migrate(
-    yes: bool = typer.Option(
-        False, "--yes", help="Confirm migrating unmanaged exports."
-    ),
-    inject: bool = typer.Option(
-        False, "--inject", help="Add inject line to managed block."
-    ),
+    yes: bool = typer.Option(False, "--yes", help="Confirm migrating unmanaged exports."),
+    inject: bool = typer.Option(False, "--inject", help="Add inject line to managed block."),
 ) -> None:
     """Move unmanaged exports into the managed block."""
@@ -999,9 +972,7 @@ def migrate(
         doc = load_envrc(path)
         block = ensure_managed_block(doc)
-        before_clean, before_exports, before_secrets = extract_unmanaged_exports(
-            doc.before
-        )
+        before_clean, before_exports, before_secrets = extract_unmanaged_exports(doc.before)
         after_clean, after_exports, after_secrets = extract_unmanaged_exports(doc.after)
         if before_exports or after_exports or before_secrets or after_secrets:

envrcctl-0.2.1/.gitignore DELETED Viewed

@@ -1,11 +0,0 @@
-.venv/
-.agent/
-.rules
-__pycache__/
-*.py[cod]
-.pytest_cache/
-.coverage
-htmlcov/
-.DS_Store
-.envrc

envrcctl-0.2.1/pyproject.toml DELETED Viewed

@@ -1,31 +0,0 @@
-[project]
-name = "envrcctl"
-version = "0.2.1"
-description = "Manage .envrc with managed blocks and OS-backed secrets."
-readme = "README.md"
-license = { file = "LICENSE" }
-requires-python = ">=3.14"
-dependencies = [
-    "typer>=0.24.1",
-]
-[project.scripts]
-envrcctl = "envrcctl.main:main"
-[build-system]
-requires = ["hatchling>=1.24.2"]
-build-backend = "hatchling.build"
-[tool.hatch.build.targets.wheel]
-packages = ["src/envrcctl"]
-include = ["completions/**", "src/envrcctl/envrcctl-macos-auth"]
-[tool.hatch.build.targets.sdist]
-include = ["src/envrcctl/**", "completions/**", "scripts/**", "README.md", "LICENSE", "pyproject.toml"]
-[project.optional-dependencies]
-test = [
-    "pytest>=9.0.2",
-    "pytest-cov>=7.0.0",
-    "bandit>=1.7.10",
-]

envrcctl-0.2.1/scripts/build_macos_auth_helper.sh DELETED Viewed

@@ -1,43 +0,0 @@
-#!/bin/sh
-set -eu
-SCRIPT_DIR="$(CDPATH= cd -- "$(dirname "$0")" && pwd)"
-REPO_ROOT="$(CDPATH= cd -- "$SCRIPT_DIR/.." && pwd)"
-SWIFT_SOURCE="${1:-$REPO_ROOT/scripts/macos/envrcctl-macos-auth.swift}"
-OUTPUT_PATH="${2:-$REPO_ROOT/src/envrcctl/envrcctl-macos-auth}"
-if [ "$(uname -s)" != "Darwin" ]; then
-  echo "This helper can only be built on macOS." >&2
-  exit 1
-fi
-if ! command -v swiftc >/dev/null 2>&1; then
-  echo "swiftc not found. Install Xcode Command Line Tools first." >&2
-  exit 1
-fi
-if [ ! -f "$SWIFT_SOURCE" ]; then
-  echo "Swift source not found: $SWIFT_SOURCE" >&2
-  echo "Pass the source path as the first argument or create scripts/macos/envrcctl-macos-auth.swift." >&2
-  exit 1
-fi
-mkdir -p "$(dirname "$OUTPUT_PATH")"
-echo "Building macOS auth helper..."
-echo "  source: $SWIFT_SOURCE"
-echo "  output: $OUTPUT_PATH"
-swiftc \
-  -O \
-  -framework LocalAuthentication \
-  -framework Security \
-  "$SWIFT_SOURCE" \
-  -o "$OUTPUT_PATH"
-chmod 755 "$OUTPUT_PATH"
-echo "Build complete: $OUTPUT_PATH"
-echo
-echo "You can override the helper path at runtime with:"
-echo "  ENVRCCTL_MACOS_AUTH_HELPER=$OUTPUT_PATH"

envrcctl-0.2.1/scripts/generate_completions.py DELETED Viewed

@@ -1,35 +0,0 @@
-from __future__ import annotations
-from pathlib import Path
-from click.shell_completion import get_completion_class
-from typer.main import get_command
-from envrcctl.cli import app
-SHELLS = ("bash", "zsh", "fish")
-def main() -> None:
-    repo_root = Path(__file__).resolve().parents[1]
-    output_dir = repo_root / "completions"
-    output_dir.mkdir(parents=True, exist_ok=True)
-    command = get_command(app)
-    complete_var = "_ENVRCCTL_COMPLETE"
-    for shell in SHELLS:
-        comp_cls = get_completion_class(shell)
-        if comp_cls is None:
-            raise RuntimeError(f"Unsupported shell: {shell}")
-        comp = comp_cls(command, {}, "envrcctl", complete_var)
-        content = comp.source()
-        if not content.strip():
-            raise RuntimeError(f"Failed to generate {shell} completion.")
-        if not content.endswith("\n"):
-            content += "\n"
-        (output_dir / f"envrcctl.{shell}").write_text(content, encoding="utf-8")
-if __name__ == "__main__":
-    main()

envrcctl-0.2.1/scripts/macos/envrcctl-macos-auth.swift DELETED Viewed

@@ -1,340 +0,0 @@
-import Foundation
-import LocalAuthentication
-import Security
-enum HelperError: Error, LocalizedError {
-    case invalidArguments(String)
-    case authenticationUnavailable(String)
-    case authenticationFailed(String)
-    case keychainFailure(String)
-    case decodeFailure
-    case inputReadFailure(String)
-    case outputEncodeFailure
-    var errorDescription: String? {
-        switch self {
-        case .invalidArguments(let message):
-            return message
-        case .authenticationUnavailable(let message):
-            return message
-        case .authenticationFailed(let message):
-            return message
-        case .keychainFailure(let message):
-            return message
-        case .decodeFailure:
-            return "Keychain item contains non-UTF-8 data."
-        case .inputReadFailure(let message):
-            return message
-        case .outputEncodeFailure:
-            return "Failed to encode JSON response."
-        }
-    }
-}
-struct Arguments {
-    let authorizeOnly: Bool
-    let service: String?
-    let account: String?
-    let inputJSONPath: String?
-    let reason: String
-}
-struct BulkRequest: Decodable {
-    let items: [BulkRequestItem]
-}
-struct BulkRequestItem: Decodable {
-    let service: String
-    let account: String
-}
-struct BulkResponse: Encodable {
-    let items: [BulkResponseItem]
-}
-struct BulkResponseItem: Encodable {
-    let service: String
-    let account: String
-    let value: String
-}
-private func printErrorAndExit(_ error: Error) -> Never {
-    let message: String
-    if let helperError = error as? LocalizedError, let description = helperError.errorDescription {
-        message = description
-    } else {
-        message = "macOS authentication helper failed."
-    }
-    FileHandle.standardError.write(Data((message + "\n").utf8))
-    exit(1)
-}
-private func printHelpAndExit() -> Never {
-    let help = """
-        Usage:
-          envrcctl-macos-auth --authorize-only --reason <text>
-          envrcctl-macos-auth --service <service> --account <account> --reason <text>
-          envrcctl-macos-auth --input-json <path|- > --reason <text>
-        Options:
-          --authorize-only   Require device owner authentication only.
-          --service          Keychain service name.
-          --account          Keychain account name.
-          --input-json       JSON file path or '-' for stdin for bulk reads.
-          --reason           Localized reason shown in the auth prompt.
-          --help             Show this help.
-        Bulk JSON input:
-          {
-            "items": [
-              { "service": "st.rio.envrcctl", "account": "openai:prod" },
-              { "service": "st.rio.envrcctl", "account": "github:prod" }
-            ]
-          }
-        """
-    print(help)
-    exit(0)
-}
-private func parseArguments(_ argv: [String]) throws -> Arguments {
-    var authorizeOnly = false
-    var service: String?
-    var account: String?
-    var inputJSONPath: String?
-    var reason: String?
-    var index = 1
-    while index < argv.count {
-        let arg = argv[index]
-        switch arg {
-        case "--authorize-only":
-            authorizeOnly = true
-            index += 1
-        case "--service":
-            guard index + 1 < argv.count else {
-                throw HelperError.invalidArguments("Missing value for --service.")
-            }
-            service = argv[index + 1]
-            index += 2
-        case "--account":
-            guard index + 1 < argv.count else {
-                throw HelperError.invalidArguments("Missing value for --account.")
-            }
-            account = argv[index + 1]
-            index += 2
-        case "--input-json":
-            guard index + 1 < argv.count else {
-                throw HelperError.invalidArguments("Missing value for --input-json.")
-            }
-            inputJSONPath = argv[index + 1]
-            index += 2
-        case "--reason":
-            guard index + 1 < argv.count else {
-                throw HelperError.invalidArguments("Missing value for --reason.")
-            }
-            reason = argv[index + 1]
-            index += 2
-        case "--help", "-h":
-            printHelpAndExit()
-        default:
-            throw HelperError.invalidArguments("Unknown argument: \(arg)")
-        }
-    }
-    guard let reason, !reason.trimmingCharacters(in: .whitespacesAndNewlines).isEmpty else {
-        throw HelperError.invalidArguments("A non-empty --reason is required.")
-    }
-    if authorizeOnly {
-        if service != nil || account != nil || inputJSONPath != nil {
-            throw HelperError.invalidArguments(
-                "--authorize-only cannot be combined with --service, --account, or --input-json."
-            )
-        }
-        return Arguments(
-            authorizeOnly: true,
-            service: nil,
-            account: nil,
-            inputJSONPath: nil,
-            reason: reason
-        )
-    }
-    let hasSingle = service != nil || account != nil
-    let hasBulk = inputJSONPath != nil
-    if hasSingle && hasBulk {
-        throw HelperError.invalidArguments(
-            "--input-json cannot be combined with --service or --account."
-        )
-    }
-    if hasBulk {
-        return Arguments(
-            authorizeOnly: false,
-            service: nil,
-            account: nil,
-            inputJSONPath: inputJSONPath,
-            reason: reason
-        )
-    }
-    guard let service, !service.isEmpty else {
-        throw HelperError.invalidArguments("--service is required.")
-    }
-    guard let account, !account.isEmpty else {
-        throw HelperError.invalidArguments("--account is required.")
-    }
-    return Arguments(
-        authorizeOnly: false,
-        service: service,
-        account: account,
-        inputJSONPath: nil,
-        reason: reason
-    )
-}
-private func authenticate(reason: String) throws -> LAContext {
-    let context = LAContext()
-    context.localizedCancelTitle = "Cancel"
-    var canEvaluateError: NSError?
-    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &canEvaluateError) else {
-        let message =
-            canEvaluateError?.localizedDescription
-            ?? "Device owner authentication is unavailable."
-        throw HelperError.authenticationUnavailable(message)
-    }
-    let semaphore = DispatchSemaphore(value: 0)
-    var authError: Error?
-    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
-        if !success {
-            authError = error ?? HelperError.authenticationFailed("Authentication failed.")
-        }
-        semaphore.signal()
-    }
-    semaphore.wait()
-    if let authError {
-        if let laError = authError as? LAError {
-            switch laError.code {
-            case .userCancel, .userFallback, .systemCancel, .appCancel:
-                throw HelperError.authenticationFailed("Authentication cancelled.")
-            default:
-                throw HelperError.authenticationFailed(laError.localizedDescription)
-            }
-        }
-        throw HelperError.authenticationFailed(authError.localizedDescription)
-    }
-    return context
-}
-private func readSecret(service: String, account: String, context: LAContext) throws -> String {
-    let query: [String: Any] = [
-        kSecClass as String: kSecClassGenericPassword,
-        kSecAttrService as String: service,
-        kSecAttrAccount as String: account,
-        kSecReturnData as String: true,
-        kSecMatchLimit as String: kSecMatchLimitOne,
-        kSecUseAuthenticationContext as String: context,
-    ]
-    var item: CFTypeRef?
-    let status = SecItemCopyMatching(query as CFDictionary, &item)
-    guard status == errSecSuccess else {
-        let message = SecCopyErrorMessageString(status, nil) as String? ?? "Keychain read failed."
-        throw HelperError.keychainFailure(message)
-    }
-    guard let data = item as? Data else {
-        throw HelperError.keychainFailure("Keychain returned an unexpected item type.")
-    }
-    guard let value = String(data: data, encoding: .utf8) else {
-        throw HelperError.decodeFailure
-    }
-    return value
-}
-private func readBulkRequest(from path: String) throws -> BulkRequest {
-    let data: Data
-    if path == "-" {
-        data = FileHandle.standardInput.readDataToEndOfFile()
-        if data.isEmpty {
-            throw HelperError.inputReadFailure("No JSON input received on stdin.")
-        }
-    } else {
-        let url = URL(fileURLWithPath: path)
-        do {
-            data = try Data(contentsOf: url)
-        } catch {
-            throw HelperError.inputReadFailure("Failed to read JSON input: \(path)")
-        }
-    }
-    do {
-        let request = try JSONDecoder().decode(BulkRequest.self, from: data)
-        if request.items.isEmpty {
-            throw HelperError.invalidArguments("Bulk JSON input must include at least one item.")
-        }
-        for item in request.items {
-            if item.service.isEmpty || item.account.isEmpty {
-                throw HelperError.invalidArguments(
-                    "Each bulk request item must include non-empty service and account values."
-                )
-            }
-        }
-        return request
-    } catch let helperError as HelperError {
-        throw helperError
-    } catch {
-        throw HelperError.invalidArguments("Failed to decode bulk JSON input.")
-    }
-}
-private func writeBulkResponse(_ response: BulkResponse) throws {
-    let encoder = JSONEncoder()
-    encoder.outputFormatting = [.sortedKeys]
-    guard let data = try? encoder.encode(response) else {
-        throw HelperError.outputEncodeFailure
-    }
-    FileHandle.standardOutput.write(data)
-}
-do {
-    let args = try parseArguments(CommandLine.arguments)
-    let context = try authenticate(reason: args.reason)
-    if args.authorizeOnly {
-        exit(0)
-    }
-    if let inputJSONPath = args.inputJSONPath {
-        let request = try readBulkRequest(from: inputJSONPath)
-        let items = try request.items.map { item in
-            BulkResponseItem(
-                service: item.service,
-                account: item.account,
-                value: try readSecret(
-                    service: item.service, account: item.account, context: context)
-            )
-        }
-        try writeBulkResponse(BulkResponse(items: items))
-        exit(0)
-    }
-    guard let service = args.service, let account = args.account else {
-        throw HelperError.invalidArguments("Both --service and --account are required.")
-    }
-    let secret = try readSecret(service: service, account: account, context: context)
-    FileHandle.standardOutput.write(Data(secret.utf8))
-    exit(0)
-} catch {
-    printErrorAndExit(error)
-}