@akshxy/envgit 0.1.0 → 0.2.0

package/README.md

@@ -0,0 +1,128 @@
+# envgit
+
+Encrypted per-project environment variable manager. Store secrets safely alongside your code — encrypted at rest, never in plaintext.
+
+```
+npm install -g @akshxy/envgit
+```
+
+## Why
+
+`.env` files get committed by accident. `envgit` keeps your secrets encrypted in `.envgit/` so you can safely commit them to git and share them with your team — only people with the key can decrypt them.
+
+## Quick start
+
+```bash
+# 1. Initialize in your project
+envgit init
+
+# 2. Set some variables
+envgit set API_KEY=abc123 DB_PASS=secret
+
+# 3. Commit the encrypted store (not the key!)
+git add .envgit/
+git commit -m "add encrypted env"
+
+# 4. Share your key with teammates
+envgit keygen --show
+# → teammate runs: envgit keygen --set <key>
+
+# 5. Write .env when you need it locally
+envgit unpack dev
+```
+
+## Commands
+
+### Key management
+
+| Command | Description |
+|---------|-------------|
+| `envgit init` | Initialize in current project, generates key |
+| `envgit keygen` | Generate a new key and save it |
+| `envgit keygen --show` | Print current key for sharing with teammates |
+| `envgit keygen --set <key>` | Save a key received from a teammate |
+| `envgit rotate-key` | Generate new key, re-encrypt all environments |
+| `envgit verify` | Check all environments decrypt correctly |
+
+### Variables
+
+| Command | Description |
+|---------|-------------|
+| `envgit set KEY=VALUE ...` | Set one or more variables |
+| `envgit get KEY` | Print a single value |
+| `envgit delete KEY` | Remove a variable |
+| `envgit rename OLD NEW` | Rename a variable |
+| `envgit list` | List all keys in active environment |
+| `envgit list --show-values` | List keys and values |
+
+### Environments
+
+| Command | Description |
+|---------|-------------|
+| `envgit envs` | List all environments with variable counts |
+| `envgit add-env <name>` | Create a new environment |
+| `envgit unpack <env>` | Decrypt env and write `.env` file |
+| `envgit copy KEY --from dev --to prod` | Copy a variable between environments |
+| `envgit diff dev prod` | Show differences between two environments |
+| `envgit diff dev prod --show-values` | Include values in diff |
+
+### Export & run
+
+| Command | Description |
+|---------|-------------|
+| `envgit export` | Print as `KEY=VALUE` lines (pipeable) |
+| `envgit export --format json` | Print as JSON |
+| `envgit export --format shell` | Print as `export KEY="VALUE"` (eval-able) |
+| `envgit run -- node server.js` | Run a command with env vars injected |
+| `envgit import --file .env.local` | Encrypt an existing `.env` file |
+
+### Status
+
+| Command | Description |
+|---------|-------------|
+| `envgit status` | Show project, active env, key source, .env state |
+
+## All options support `--env <name>`
+
+Most commands default to the active environment. Pass `--env` to target a specific one:
+
+```bash
+envgit set API_KEY=prod-key --env prod
+envgit list --env staging
+envgit export --env prod --format json
+```
+
+## Team workflow
+
+```bash
+# Developer A (project owner)
+envgit init
+envgit set DB_URL=postgres://... API_KEY=...
+git add .envgit/ && git commit -m "encrypted env"
+envgit keygen --show   # share this key securely with teammates
+
+# Developer B (teammate)
+git clone <repo>
+envgit keygen --set <key-from-teammate>
+envgit unpack dev      # writes .env
+```
+
+## Security
+
+- **AES-256-GCM** — authenticated encryption, tamper-proof
+- **32-byte random key** from OS cryptographic RNG
+- **Fresh random IV** per encryption — same value encrypts differently each time
+- **Key file locked to `0o600`** — unreadable by other users
+- **Permission check on load** — errors if `.envgit.key` is world-readable
+- **Key bytes zeroized** from memory immediately after use
+
+The key (`~/.envgit.key`) is gitignored automatically. Never commit it.
+
+## Environment variable
+
+Set `ENVGIT_KEY` instead of using a key file — useful in CI:
+
+```bash
+export ENVGIT_KEY=$(cat .envgit.key)
+envgit export --format shell | source /dev/stdin
+```

package/package.json

@@ -1,14 +1,15 @@
 {
   "name": "@akshxy/envgit",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Encrypted per-project environment variable manager",
   "type": "module",
   "bin": {
-    "envgit": "./bin/envgit.js"
+    "envgit": "bin/envgit.js"
   },
   "files": [
     "bin",
-    "src"
+    "src",
+    "README.md"
   ],
   "license": "MIT",
   "dependencies": {

package/src/commands/add-env.js

@@ -1,6 +1,7 @@
 import { requireProjectRoot, loadKey } from '../keystore.js';
 import { loadConfig, saveConfig } from '../config.js';
 import { writeEncEnv } from '../enc.js';
+import { ok, fatal } from '../ui.js';
 
 export async function addEnv(name) {
   const projectRoot = requireProjectRoot();
@@ -8,13 +9,12 @@ export async function addEnv(name) {
   const config = loadConfig(projectRoot);
 
   if (config.envs.includes(name)) {
-    console.error(`Error: Environment '${name}' already exists.`);
-    process.exit(1);
+    fatal(`Environment '${name}' already exists.`);
   }
 
   config.envs.push(name);
   saveConfig(projectRoot, config);
   writeEncEnv(projectRoot, name, key, {});
 
-  console.log(`Added environment '${name}'.`);
+  ok(`Added environment '${name}'`);
 }

package/src/commands/get.js

@@ -2,6 +2,7 @@ import { requireProjectRoot, loadKey } from '../keystore.js';
 import { resolveEnv } from '../config.js';
 import { readEncEnv } from '../enc.js';
 import { getCurrentEnv } from '../state.js';
+import { fatal, label } from '../ui.js';
 
 export async function get(key, options) {
   const projectRoot = requireProjectRoot();
@@ -11,8 +12,7 @@ export async function get(key, options) {
   const vars = readEncEnv(projectRoot, envName, encKey);
 
   if (!(key in vars)) {
-    console.error(`Error: Key '${key}' not found in [${envName}]`);
-    process.exit(1);
+    fatal(`Key '${key}' not found in ${label(envName)}`);
   }
 
   console.log(vars[key]);

package/src/commands/import.js

@@ -5,6 +5,7 @@ import { resolveEnv } from '../config.js';
 import { writeEncEnv } from '../enc.js';
 import { readEnvFile } from '../envfile.js';
 import { getCurrentEnv } from '../state.js';
+import { ok, fatal, label, dim } from '../ui.js';
 
 export async function importEnv(options) {
   const projectRoot = requireProjectRoot();
@@ -13,15 +14,12 @@ export async function importEnv(options) {
 
   const filePath = join(projectRoot, options.file);
   if (!existsSync(filePath)) {
-    console.error(`Error: File not found: ${options.file}`);
-    process.exit(1);
+    fatal(`File not found: ${options.file}`);
   }
 
   const vars = readEnvFile(filePath);
   const count = Object.keys(vars).length;
 
   writeEncEnv(projectRoot, envName, key, vars);
-  console.log(
-    `Imported ${count} variable${count !== 1 ? 's' : ''} from ${options.file} into [${envName}]`
-  );
+  ok(`Imported ${count} variable${count !== 1 ? 's' : ''} from ${dim(options.file)} into ${label(envName)}`);
 }

package/src/commands/switch.js

@@ -1,26 +0,0 @@
-import { join } from 'path';
-import { existsSync } from 'fs';
-import { requireProjectRoot, loadKey } from '../keystore.js';
-import { getEncPath } from '../config.js';
-import { readEncEnv } from '../enc.js';
-import { writeEnvFile } from '../envfile.js';
-
-export async function switchEnv(envName) {
-  const projectRoot = requireProjectRoot();
-  const key = loadKey(projectRoot);
-
-  const encPath = getEncPath(projectRoot, envName);
-  if (!existsSync(encPath)) {
-    console.error(
-      `Error: Environment '${envName}' does not exist. Use 'envgit add-env ${envName}' to create it.`
-    );
-    process.exit(1);
-  }
-
-  const vars = readEncEnv(projectRoot, envName, key);
-  const dotenvPath = join(projectRoot, '.env');
-  writeEnvFile(dotenvPath, vars);
-
-  const count = Object.keys(vars).length;
-  console.log(`Switched to [${envName}] — wrote ${count} variable${count !== 1 ? 's' : ''} to .env`);
-}