@akshxy/envgit 0.1.0

package/bin/envgit.js

@@ -0,0 +1,139 @@
+#!/usr/bin/env node
+import { program } from 'commander';
+import { init } from '../src/commands/init.js';
+import { set } from '../src/commands/set.js';
+import { get } from '../src/commands/get.js';
+import { unpack } from '../src/commands/unpack.js';
+import { list } from '../src/commands/list.js';
+import { importEnv } from '../src/commands/import.js';
+import { addEnv } from '../src/commands/add-env.js';
+import { status } from '../src/commands/status.js';
+import { keygen } from '../src/commands/keygen.js';
+import { deleteKey } from '../src/commands/delete.js';
+import { copy } from '../src/commands/copy.js';
+import { renameKey } from '../src/commands/rename-key.js';
+import { diff } from '../src/commands/diff.js';
+import { run } from '../src/commands/run.js';
+import { envs } from '../src/commands/envs.js';
+import { exportEnv } from '../src/commands/export.js';
+import { verify } from '../src/commands/verify.js';
+import { rotateKey } from '../src/commands/rotate-key.js';
+
+program
+  .name('envgit')
+  .description('Encrypted per-project environment variable manager')
+  .version('0.1.0')
+  .enablePositionalOptions();
+
+program
+  .command('init')
+  .description('Initialize envgit in the current project')
+  .option('--env <name>', 'default environment name', 'dev')
+  .action(init);
+
+program
+  .command('status')
+  .description('Show project root, active env, key source, and .env state')
+  .action(status);
+
+program
+  .command('set <assignments...>')
+  .description('Set one or more KEY=VALUE pairs (defaults to active env)')
+  .option('--env <name>', 'target environment')
+  .action(set);
+
+program
+  .command('get <key>')
+  .description('Print a value by key (defaults to active env)')
+  .option('--env <name>', 'target environment')
+  .action(get);
+
+program
+  .command('unpack <env>')
+  .alias('switch')
+  .alias('pull')
+  .description('Decrypt <env> and write a clean .env file, sets it as active')
+  .action(unpack);
+
+program
+  .command('list')
+  .description('List keys in an environment (defaults to active env)')
+  .option('--env <name>', 'target environment')
+  .option('--show-values', 'print values alongside keys')
+  .action(list);
+
+program
+  .command('import')
+  .description('Encrypt an existing .env file into an environment')
+  .option('--env <name>', 'target environment')
+  .option('--file <path>', 'source file to import', '.env')
+  .action(importEnv);
+
+program
+  .command('add-env <name>')
+  .description('Add a new environment')
+  .action(addEnv);
+
+program
+  .command('keygen')
+  .description('Generate or manage the encryption key')
+  .option('--show', 'print current key (for sharing with teammates)')
+  .option('--set <key>', 'save a received key to .envgit.key')
+  .action(keygen);
+
+program
+  .command('delete <key>')
+  .description('Remove a key from the encrypted env')
+  .option('--env <name>', 'target environment')
+  .action(deleteKey);
+
+program
+  .command('copy <key>')
+  .description('Copy a key\'s value between two environments')
+  .requiredOption('--from <env>', 'source environment')
+  .requiredOption('--to <env>', 'destination environment')
+  .action(copy);
+
+program
+  .command('rename <old-key> <new-key>')
+  .description('Rename a key within an environment')
+  .option('--env <name>', 'target environment')
+  .action(renameKey);
+
+program
+  .command('diff [env1] [env2]')
+  .description('Show differences between two environments')
+  .option('--show-values', 'reveal values in diff output')
+  .action(diff);
+
+program
+  .command('run [args...]')
+  .description('Spawn a command with decrypted env vars injected')
+  .option('--env <name>', 'environment to use')
+  .allowUnknownOption()
+  .passThroughOptions()
+  .action(run);
+
+program
+  .command('envs')
+  .description('List all environments with variable counts')
+  .action(envs);
+
+program
+  .command('export')
+  .description('Print decrypted vars to stdout (dotenv, json, or shell format)')
+  .option('--env <name>', 'target environment')
+  .option('--format <fmt>', 'output format: dotenv, json, shell', 'dotenv')
+  .action(exportEnv);
+
+program
+  .command('verify')
+  .description('Attempt to decrypt every .enc file with the current key')
+  .action(verify);
+
+program
+  .command('rotate-key')
+  .description('Generate a new key and re-encrypt all environments')
+  .action(rotateKey);
+
+program.parse();

package/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@akshxy/envgit",
+  "version": "0.1.0",
+  "description": "Encrypted per-project environment variable manager",
+  "type": "module",
+  "bin": {
+    "envgit": "./bin/envgit.js"
+  },
+  "files": [
+    "bin",
+    "src"
+  ],
+  "license": "MIT",
+  "dependencies": {
+    "chalk": "^5.6.2",
+    "commander": "^12.0.0",
+    "js-yaml": "^4.1.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/src/commands/add-env.js

@@ -0,0 +1,20 @@
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { loadConfig, saveConfig } from '../config.js';
+import { writeEncEnv } from '../enc.js';
+
+export async function addEnv(name) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const config = loadConfig(projectRoot);
+
+  if (config.envs.includes(name)) {
+    console.error(`Error: Environment '${name}' already exists.`);
+    process.exit(1);
+  }
+
+  config.envs.push(name);
+  saveConfig(projectRoot, config);
+  writeEncEnv(projectRoot, name, key, {});
+
+  console.log(`Added environment '${name}'.`);
+}

package/src/commands/copy.js

@@ -0,0 +1,24 @@
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { readEncEnv, writeEncEnv } from '../enc.js';
+import { ok, fatal, label } from '../ui.js';
+
+export async function copy(keyName, options) {
+  if (!options.from || !options.to) {
+    fatal('Both --from and --to environments are required.');
+  }
+
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+
+  const srcVars = readEncEnv(projectRoot, options.from, key);
+
+  if (!(keyName in srcVars)) {
+    fatal(`Key '${keyName}' not found in ${label(options.from)}`);
+  }
+
+  const dstVars = readEncEnv(projectRoot, options.to, key);
+  dstVars[keyName] = srcVars[keyName];
+  writeEncEnv(projectRoot, options.to, key, dstVars);
+
+  ok(`Copied ${keyName} from ${label(options.from)} → ${label(options.to)}`);
+}

package/src/commands/delete.js

@@ -0,0 +1,21 @@
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { resolveEnv } from '../config.js';
+import { readEncEnv, writeEncEnv } from '../enc.js';
+import { getCurrentEnv } from '../state.js';
+import { ok, fatal, label } from '../ui.js';
+
+export async function deleteKey(keyName, options) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const envName = resolveEnv(projectRoot, options.env, getCurrentEnv(projectRoot));
+
+  const vars = readEncEnv(projectRoot, envName, key);
+
+  if (!(keyName in vars)) {
+    fatal(`Key '${keyName}' not found in ${label(envName)}`);
+  }
+
+  delete vars[keyName];
+  writeEncEnv(projectRoot, envName, key, vars);
+  ok(`Deleted ${keyName} from ${label(envName)}`);
+}

package/src/commands/diff.js

@@ -0,0 +1,87 @@
+import chalk from 'chalk';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { getCurrentEnv } from '../state.js';
+import { fatal, label, dim } from '../ui.js';
+
+export async function diff(env1Arg, env2Arg, options) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const config = loadConfig(projectRoot);
+  const current = getCurrentEnv(projectRoot);
+
+  let env1, env2;
+  if (env1Arg && env2Arg) {
+    env1 = env1Arg;
+    env2 = env2Arg;
+  } else if (env1Arg) {
+    env1 = current || config.default_env;
+    env2 = env1Arg;
+  } else {
+    if (config.envs.length < 2) {
+      fatal('Need at least 2 environments to diff. Pass two env names.');
+    }
+    [env1, env2] = config.envs;
+  }
+
+  if (!config.envs.includes(env1)) fatal(`Environment '${env1}' does not exist.`);
+  if (!config.envs.includes(env2)) fatal(`Environment '${env2}' does not exist.`);
+
+  const vars1 = readEncEnv(projectRoot, env1, key);
+  const vars2 = readEncEnv(projectRoot, env2, key);
+
+  const allKeys = new Set([...Object.keys(vars1), ...Object.keys(vars2)]);
+
+  const onlyIn1 = [];
+  const onlyIn2 = [];
+  const changed = [];
+  let identical = 0;
+
+  for (const k of allKeys) {
+    const inEnv1 = k in vars1;
+    const inEnv2 = k in vars2;
+    if (inEnv1 && !inEnv2) {
+      onlyIn1.push(k);
+    } else if (!inEnv1 && inEnv2) {
+      onlyIn2.push(k);
+    } else if (vars1[k] !== vars2[k]) {
+      changed.push(k);
+    } else {
+      identical++;
+    }
+  }
+
+  console.log(`\nDiff ${label(env1)} ↔ ${label(env2)}\n`);
+
+  if (onlyIn1.length === 0 && onlyIn2.length === 0 && changed.length === 0) {
+    console.log(dim(`  Environments are identical (${identical} var${identical !== 1 ? 's' : ''})`));
+    console.log('');
+    return;
+  }
+
+  for (const k of onlyIn1) {
+    const suffix = options.showValues ? ` = ${vars1[k]}` : '';
+    console.log(chalk.red(`  - ${k}${suffix}`) + dim(` (only in ${env1})`));
+  }
+
+  for (const k of onlyIn2) {
+    const suffix = options.showValues ? ` = ${vars2[k]}` : '';
+    console.log(chalk.green(`  + ${k}${suffix}`) + dim(` (only in ${env2})`));
+  }
+
+  for (const k of changed) {
+    if (options.showValues) {
+      console.log(chalk.yellow(`  ~ ${k}`) + dim(` (changed)`));
+      console.log(chalk.dim(`      ${env1}: ${vars1[k]}`));
+      console.log(chalk.dim(`      ${env2}: ${vars2[k]}`));
+    } else {
+      console.log(chalk.yellow(`  ~ ${k}`) + dim(` (changed)`));
+    }
+  }
+
+  if (identical > 0) {
+    console.log(dim(`\n  ${identical} key${identical !== 1 ? 's' : ''} identical`));
+  }
+  console.log('');
+}

package/src/commands/envs.js

@@ -0,0 +1,25 @@
+import chalk from 'chalk';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { getCurrentEnv } from '../state.js';
+import { dim } from '../ui.js';
+
+export async function envs() {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const config = loadConfig(projectRoot);
+  const current = getCurrentEnv(projectRoot);
+
+  console.log('');
+  for (const envName of config.envs) {
+    const isActive = envName === current;
+    const bullet = isActive ? chalk.green('●') : ' ';
+    const vars = readEncEnv(projectRoot, envName, key);
+    const count = Object.keys(vars).length;
+    const countStr = dim(`(${count} var${count !== 1 ? 's' : ''})`);
+    const activeSuffix = isActive ? chalk.cyan(' (active)') : '';
+    console.log(`  ${bullet} ${isActive ? chalk.bold(envName) : envName} ${countStr}${activeSuffix}`);
+  }
+  console.log('');
+}

package/src/commands/export.js

@@ -0,0 +1,31 @@
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { resolveEnv } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { getCurrentEnv } from '../state.js';
+import { fatal } from '../ui.js';
+
+export async function exportEnv(options) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const envName = resolveEnv(projectRoot, options.env, getCurrentEnv(projectRoot));
+
+  const vars = readEncEnv(projectRoot, envName, key);
+  const format = options.format || 'dotenv';
+
+  if (format === 'json') {
+    process.stdout.write(JSON.stringify(vars, null, 2) + '\n');
+  } else if (format === 'shell') {
+    for (const [k, v] of Object.entries(vars)) {
+      const escaped = v.replace(/"/g, '\\"');
+      process.stdout.write(`export ${k}="${escaped}"\n`);
+    }
+  } else if (format === 'dotenv') {
+    for (const [k, v] of Object.entries(vars)) {
+      const needsQuotes = /[\s"'\\#]/.test(v) || v === '';
+      const escaped = v.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+      process.stdout.write(`${k}=${needsQuotes ? `"${escaped}"` : v}\n`);
+    }
+  } else {
+    fatal(`Unknown format '${format}'. Use: dotenv, json, shell`);
+  }
+}

package/src/commands/get.js

@@ -0,0 +1,19 @@
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { resolveEnv } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { getCurrentEnv } from '../state.js';
+
+export async function get(key, options) {
+  const projectRoot = requireProjectRoot();
+  const encKey = loadKey(projectRoot);
+  const envName = resolveEnv(projectRoot, options.env, getCurrentEnv(projectRoot));
+
+  const vars = readEncEnv(projectRoot, envName, encKey);
+
+  if (!(key in vars)) {
+    console.error(`Error: Key '${key}' not found in [${envName}]`);
+    process.exit(1);
+  }
+
+  console.log(vars[key]);
+}

package/src/commands/import.js

@@ -0,0 +1,27 @@
+import { join } from 'path';
+import { existsSync } from 'fs';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { resolveEnv } from '../config.js';
+import { writeEncEnv } from '../enc.js';
+import { readEnvFile } from '../envfile.js';
+import { getCurrentEnv } from '../state.js';
+
+export async function importEnv(options) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const envName = resolveEnv(projectRoot, options.env, getCurrentEnv(projectRoot));
+
+  const filePath = join(projectRoot, options.file);
+  if (!existsSync(filePath)) {
+    console.error(`Error: File not found: ${options.file}`);
+    process.exit(1);
+  }
+
+  const vars = readEnvFile(filePath);
+  const count = Object.keys(vars).length;
+
+  writeEncEnv(projectRoot, envName, key, vars);
+  console.log(
+    `Imported ${count} variable${count !== 1 ? 's' : ''} from ${options.file} into [${envName}]`
+  );
+}

package/src/commands/init.js

@@ -0,0 +1,59 @@
+import { existsSync, mkdirSync, appendFileSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { generateKey } from '../crypto.js';
+import { saveKey } from '../keystore.js';
+import { saveConfig, getEnvctlDir } from '../config.js';
+import { writeEncEnv } from '../enc.js';
+import { ok, warn, fatal, bold, dim, label } from '../ui.js';
+
+export async function init(options) {
+  const projectRoot = process.cwd();
+  const envgitDir = getEnvctlDir(projectRoot);
+
+  if (existsSync(envgitDir)) {
+    fatal('envgit is already initialized in this directory.');
+  }
+
+  const defaultEnv = options.env;
+
+  mkdirSync(envgitDir, { recursive: true });
+
+  const key = generateKey();
+  saveKey(projectRoot, key);
+
+  saveConfig(projectRoot, {
+    version: 1,
+    default_env: defaultEnv,
+    envs: [defaultEnv],
+  });
+
+  writeEncEnv(projectRoot, defaultEnv, key, {});
+
+  updateGitignore(projectRoot);
+
+  console.log('');
+  console.log(bold('envgit initialized'));
+  console.log('');
+  ok(`Default environment: ${label(defaultEnv)}`);
+  ok('Key saved to .envgit.key');
+  console.log('');
+  console.log(dim('Keep .envgit.key secret and do not commit it.'));
+  console.log(dim('Commit .envgit/ to share encrypted environments with your team.'));
+  console.log('');
+}
+
+function updateGitignore(projectRoot) {
+  const gitignorePath = join(projectRoot, '.gitignore');
+  const entries = ['.env', '.envgit.key'];
+
+  let existing = '';
+  if (existsSync(gitignorePath)) {
+    existing = readFileSync(gitignorePath, 'utf8');
+  }
+
+  const toAdd = entries.filter((e) => !existing.split('\n').includes(e));
+  if (toAdd.length > 0) {
+    const prefix = existing && !existing.endsWith('\n') ? '\n' : '';
+    appendFileSync(gitignorePath, prefix + toAdd.join('\n') + '\n');
+  }
+}

package/src/commands/keygen.js

@@ -0,0 +1,69 @@
+import { generateKey } from '../crypto.js';
+import { findProjectRoot, saveKey, loadKey } from '../keystore.js';
+import { ok, warn, bold, dim } from '../ui.js';
+
+export async function keygen(options) {
+  const projectRoot = findProjectRoot();
+
+  if (options.show) {
+    if (!projectRoot) {
+      warn('No envgit project found — cannot show key.');
+      process.exit(1);
+    }
+    let key;
+    try {
+      key = loadKey(projectRoot);
+    } catch (e) {
+      warn(e.message);
+      process.exit(1);
+    }
+    const hint = key.slice(0, 8);
+    console.log('');
+    console.log(bold('Current key:'));
+    console.log(`  ${key}`);
+    console.log('');
+    console.log(dim(`Hint (first 8 chars): ${hint}`));
+    console.log(dim('Share this key with teammates via a secure channel (not git).'));
+    console.log(dim('They can save it with: envgit keygen --set <key>'));
+    console.log('');
+    return;
+  }
+
+  if (options.set) {
+    const key = options.set;
+    const decoded = Buffer.from(key, 'base64');
+    if (decoded.length !== 32) {
+      warn(`Invalid key — must decode to exactly 32 bytes (got ${decoded.length}). Generate one with: envgit keygen`);
+      process.exit(1);
+    }
+    if (!projectRoot) {
+      warn('No envgit project found. Run envgit init first.');
+      process.exit(1);
+    }
+    saveKey(projectRoot, key);
+    ok(`Key saved to .envgit.key`);
+    console.log(dim(`Hint: ${key.slice(0, 8)}`));
+    return;
+  }
+
+  // Generate new key
+  const key = generateKey();
+  const hint = key.slice(0, 8);
+
+  if (projectRoot) {
+    saveKey(projectRoot, key);
+    ok('New key generated and saved to .envgit.key');
+  } else {
+    console.log('');
+    console.log(bold('Generated key (no project found — not saved):'));
+  }
+
+  console.log('');
+  console.log(bold('Key:'));
+  console.log(`  ${key}`);
+  console.log('');
+  console.log(dim(`Hint (first 8 chars): ${hint}`));
+  console.log(dim('Share this key with teammates via a secure channel (not git).'));
+  console.log(dim('They can save it with: envgit keygen --set <key>'));
+  console.log('');
+}

package/src/commands/list.js

@@ -0,0 +1,36 @@
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { resolveEnv, loadConfig } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { getCurrentEnv } from '../state.js';
+import { fatal, label, dim, bold } from '../ui.js';
+
+export async function list(options) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const config = loadConfig(projectRoot);
+  const envName = resolveEnv(projectRoot, options.env, getCurrentEnv(projectRoot));
+
+  if (!config.envs.includes(envName)) {
+    fatal(`Environment '${envName}' does not exist. Available: ${config.envs.join(', ')}`);
+  }
+
+  const vars = readEncEnv(projectRoot, envName, key);
+  const entries = Object.entries(vars);
+
+  console.log('');
+  if (entries.length === 0) {
+    console.log(`${label(envName)} is empty.`);
+    console.log('');
+    return;
+  }
+
+  console.log(label(envName));
+  for (const [k, v] of entries) {
+    if (options.showValues) {
+      console.log(`  ${bold(k)}=${dim(v)}`);
+    } else {
+      console.log(`  ${k}`);
+    }
+  }
+  console.log('');
+}

package/src/commands/rename-key.js

@@ -0,0 +1,29 @@
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { resolveEnv } from '../config.js';
+import { readEncEnv, writeEncEnv } from '../enc.js';
+import { getCurrentEnv } from '../state.js';
+import { ok, fatal, label } from '../ui.js';
+
+export async function renameKey(oldName, newName, options) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const envName = resolveEnv(projectRoot, options.env, getCurrentEnv(projectRoot));
+
+  const vars = readEncEnv(projectRoot, envName, key);
+
+  if (!(oldName in vars)) {
+    fatal(`Key '${oldName}' not found in ${label(envName)}`);
+  }
+
+  if (newName in vars) {
+    fatal(`Key '${newName}' already exists in ${label(envName)}`);
+  }
+
+  const ordered = {};
+  for (const [k, v] of Object.entries(vars)) {
+    ordered[k === oldName ? newName : k] = v;
+  }
+
+  writeEncEnv(projectRoot, envName, key, ordered);
+  ok(`Renamed ${oldName} → ${newName} in ${label(envName)}`);
+}

package/src/commands/rotate-key.js

@@ -0,0 +1,39 @@
+import { requireProjectRoot, loadKey, saveKey } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { readEncEnv, writeEncEnv } from '../enc.js';
+import { generateKey } from '../crypto.js';
+import { ok, warn, bold, dim } from '../ui.js';
+
+export async function rotateKey() {
+  const projectRoot = requireProjectRoot();
+  const oldKey = loadKey(projectRoot);
+  const config = loadConfig(projectRoot);
+
+  const oldHint = oldKey.slice(0, 8);
+
+  const newKey = generateKey();
+  const newHint = newKey.slice(0, 8);
+
+  console.log('');
+  console.log(bold('Rotating encryption key...'));
+  console.log('');
+
+  for (const envName of config.envs) {
+    const vars = readEncEnv(projectRoot, envName, oldKey);
+    writeEncEnv(projectRoot, envName, newKey, vars);
+    ok(`Re-encrypted ${envName}`);
+  }
+
+  saveKey(projectRoot, newKey);
+
+  console.log('');
+  console.log(dim(`Old hint: ${oldHint}`));
+  console.log(dim(`New hint: ${newHint}`));
+  console.log('');
+  console.log(bold('New key:'));
+  console.log(`  ${newKey}`);
+  console.log('');
+  warn('Share the new key with your team! Old key is now invalid.');
+  console.log(dim('They can save it with: envgit keygen --set <key>'));
+  console.log('');
+}

package/src/commands/run.js

@@ -0,0 +1,36 @@
+import { spawn } from 'child_process';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { resolveEnv } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { getCurrentEnv } from '../state.js';
+import { fatal, dim } from '../ui.js';
+
+export async function run(args, options) {
+  if (!args || args.length === 0) {
+    fatal('No command specified. Usage: envgit run [--env <name>] -- <command> [args...]');
+  }
+
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const envName = resolveEnv(projectRoot, options.env, getCurrentEnv(projectRoot));
+
+  const vars = readEncEnv(projectRoot, envName, key);
+
+  const env = { ...process.env, ...vars };
+
+  const [cmd, ...cmdArgs] = args;
+
+  const child = spawn(cmd, cmdArgs, {
+    env,
+    stdio: 'inherit',
+    shell: false,
+  });
+
+  child.on('error', (err) => {
+    fatal(`Failed to start command '${cmd}': ${err.message}`);
+  });
+
+  child.on('close', (code) => {
+    process.exit(code ?? 0);
+  });
+}

package/src/commands/set.js

@@ -0,0 +1,26 @@
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { resolveEnv } from '../config.js';
+import { readEncEnv, writeEncEnv } from '../enc.js';
+import { getCurrentEnv } from '../state.js';
+import { ok, fatal, label } from '../ui.js';
+
+export async function set(assignments, options) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const envName = resolveEnv(projectRoot, options.env, getCurrentEnv(projectRoot));
+
+  const vars = readEncEnv(projectRoot, envName, key);
+
+  for (const assignment of assignments) {
+    const eqIdx = assignment.indexOf('=');
+    if (eqIdx === -1) {
+      fatal(`Invalid assignment '${assignment}'. Expected KEY=VALUE format.`);
+    }
+    const k = assignment.slice(0, eqIdx).trim();
+    const v = assignment.slice(eqIdx + 1);
+    vars[k] = v;
+    ok(`Set ${k} in ${label(envName)}`);
+  }
+
+  writeEncEnv(projectRoot, envName, key, vars);
+}

package/src/commands/status.js

@@ -0,0 +1,30 @@
+import { existsSync } from 'fs';
+import { join } from 'path';
+import { requireProjectRoot } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { getCurrentEnv } from '../state.js';
+import chalk from 'chalk';
+import { bold, label, dim } from '../ui.js';
+
+export async function status() {
+  const projectRoot = requireProjectRoot();
+  const config = loadConfig(projectRoot);
+  const current = getCurrentEnv(projectRoot);
+
+  const keySource = process.env.ENVCTL_KEY
+    ? 'ENVCTL_KEY env var'
+    : existsSync(join(projectRoot, '.envgit.key'))
+    ? '.envgit.key'
+    : chalk.red('(not found)');
+
+  const dotenvExists = existsSync(join(projectRoot, '.env'));
+
+  console.log('');
+  console.log(`${bold('Project:')}  ${dim(projectRoot)}`);
+  console.log(`${bold('Envs:')}     ${config.envs.map((e) => (e === current ? chalk.cyan(e) : e)).join(', ')}`);
+  console.log(`${bold('Default:')}  ${config.default_env}`);
+  console.log(`${bold('Active:')}   ${current ? label(current) : dim('(none — run envgit unpack <env>)')}`);
+  console.log(`${bold('Key:')}      ${keySource}`);
+  console.log(`${bold('.env:')}     ${dotenvExists ? chalk.green('present') : chalk.yellow('missing')}`);
+  console.log('');
+}

package/src/commands/switch.js

@@ -0,0 +1,26 @@
+import { join } from 'path';
+import { existsSync } from 'fs';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { getEncPath } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { writeEnvFile } from '../envfile.js';
+
+export async function switchEnv(envName) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+
+  const encPath = getEncPath(projectRoot, envName);
+  if (!existsSync(encPath)) {
+    console.error(
+      `Error: Environment '${envName}' does not exist. Use 'envgit add-env ${envName}' to create it.`
+    );
+    process.exit(1);
+  }
+
+  const vars = readEncEnv(projectRoot, envName, key);
+  const dotenvPath = join(projectRoot, '.env');
+  writeEnvFile(dotenvPath, vars);
+
+  const count = Object.keys(vars).length;
+  console.log(`Switched to [${envName}] — wrote ${count} variable${count !== 1 ? 's' : ''} to .env`);
+}

package/src/commands/unpack.js

@@ -0,0 +1,27 @@
+import { join } from 'path';
+import { existsSync } from 'fs';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { getEncPath } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { writeEnvFile } from '../envfile.js';
+import { setCurrentEnv } from '../state.js';
+import { ok, fatal, label, dim } from '../ui.js';
+
+export async function unpack(envName) {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+
+  const encPath = getEncPath(projectRoot, envName);
+  if (!existsSync(encPath)) {
+    fatal(`Environment '${envName}' does not exist. Use 'envgit add-env ${envName}' to create it.`);
+  }
+
+  const vars = readEncEnv(projectRoot, envName, key);
+  const dotenvPath = join(projectRoot, '.env');
+  writeEnvFile(dotenvPath, vars, { envName, projectRoot });
+  setCurrentEnv(projectRoot, envName);
+
+  const count = Object.keys(vars).length;
+  console.log(dim(projectRoot));
+  ok(`Unpacked ${label(envName)} → .env ${dim(`(${count} variable${count !== 1 ? 's' : ''})`)}`);
+}

package/src/commands/verify.js

@@ -0,0 +1,35 @@
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { loadConfig, getEncPath } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { ok, fail, bold, dim } from '../ui.js';
+
+export async function verify() {
+  const projectRoot = requireProjectRoot();
+  const key = loadKey(projectRoot);
+  const config = loadConfig(projectRoot);
+
+  console.log('');
+  console.log(bold('Verifying all environments...'));
+  console.log('');
+
+  let allOk = true;
+  for (const envName of config.envs) {
+    try {
+      const vars = readEncEnv(projectRoot, envName, key);
+      const count = Object.keys(vars).length;
+      ok(`${envName} ${dim(`(${count} var${count !== 1 ? 's' : ''})`)}`);
+    } catch (e) {
+      fail(`${envName} — ${e.message}`);
+      allOk = false;
+    }
+  }
+
+  console.log('');
+  if (allOk) {
+    ok('All environments verified successfully.');
+  } else {
+    fail('Some environments failed to decrypt. Check your key.');
+    process.exit(1);
+  }
+  console.log('');
+}

package/src/config.js

@@ -0,0 +1,35 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
+import { join } from 'path';
+import yaml from 'js-yaml';
+
+const ENVCTL_DIR = '.envgit';
+const CONFIG_NAME = 'config.yml';
+
+export function getEnvctlDir(projectRoot) {
+  return join(projectRoot, ENVCTL_DIR);
+}
+
+export function loadConfig(projectRoot) {
+  const configPath = join(projectRoot, ENVCTL_DIR, CONFIG_NAME);
+  if (!existsSync(configPath)) {
+    throw new Error("No envgit config found. Run 'envgit init' first.");
+  }
+  return yaml.load(readFileSync(configPath, 'utf8'));
+}
+
+export function saveConfig(projectRoot, config) {
+  const dir = getEnvctlDir(projectRoot);
+  mkdirSync(dir, { recursive: true });
+  writeFileSync(join(dir, CONFIG_NAME), yaml.dump(config), 'utf8');
+}
+
+export function getEncPath(projectRoot, envName) {
+  return join(projectRoot, ENVCTL_DIR, `${envName}.enc`);
+}
+
+export function resolveEnv(projectRoot, envOption, currentEnv) {
+  if (envOption) return envOption;
+  if (currentEnv) return currentEnv;
+  const config = loadConfig(projectRoot);
+  return config.default_env || 'dev';
+}

package/src/crypto.js

@@ -0,0 +1,49 @@
+import { randomBytes, createCipheriv, createDecipheriv } from 'crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12; // 96-bit IV for GCM
+
+export function generateKey() {
+  return randomBytes(32).toString('base64');
+}
+
+export function encrypt(plaintext, keyBase64) {
+  const key = Buffer.from(keyBase64, 'base64');
+  try {
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([
+      cipher.update(plaintext, 'utf8'),
+      cipher.final(),
+    ]);
+    const tag = cipher.getAuthTag();
+    const result = JSON.stringify({
+      v: 1,
+      iv: iv.toString('base64'),
+      tag: tag.toString('base64'),
+      data: encrypted.toString('base64'),
+    });
+    encrypted.fill(0);
+    return result;
+  } finally {
+    key.fill(0);
+  }
+}
+
+export function decrypt(ciphertext, keyBase64) {
+  const key = Buffer.from(keyBase64, 'base64');
+  try {
+    const { iv, tag, data } = JSON.parse(ciphertext);
+    const decipher = createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'base64'));
+    decipher.setAuthTag(Buffer.from(tag, 'base64'));
+    const decrypted = Buffer.concat([
+      decipher.update(Buffer.from(data, 'base64')),
+      decipher.final(),
+    ]);
+    const result = decrypted.toString('utf8');
+    decrypted.fill(0);
+    return result;
+  } finally {
+    key.fill(0);
+  }
+}

package/src/enc.js

@@ -0,0 +1,24 @@
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { encrypt, decrypt } from './crypto.js';
+import { getEncPath } from './config.js';
+import { parseEnv, stringifyEnv } from './envfile.js';
+
+export function readEncEnv(projectRoot, envName, key) {
+  const encPath = getEncPath(projectRoot, envName);
+  if (!existsSync(encPath)) return {};
+  const ciphertext = readFileSync(encPath, 'utf8').trim();
+  if (!ciphertext) return {};
+  try {
+    const plaintext = decrypt(ciphertext, key);
+    return parseEnv(plaintext);
+  } catch (e) {
+    throw new Error(`Failed to decrypt ${envName}.enc — wrong key? (${e.message})`);
+  }
+}
+
+export function writeEncEnv(projectRoot, envName, key, vars) {
+  const encPath = getEncPath(projectRoot, envName);
+  const plaintext = stringifyEnv(vars);
+  const ciphertext = encrypt(plaintext, key);
+  writeFileSync(encPath, ciphertext, 'utf8');
+}

package/src/envfile.js

@@ -0,0 +1,48 @@
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+
+export function parseEnv(content) {
+  const vars = {};
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eqIdx = trimmed.indexOf('=');
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    let value = trimmed.slice(eqIdx + 1).trim();
+    // Strip surrounding quotes
+    if (
+      (value.startsWith('"') && value.endsWith('"')) ||
+      (value.startsWith("'") && value.endsWith("'"))
+    ) {
+      value = value.slice(1, -1);
+    }
+    vars[key] = value;
+  }
+  return vars;
+}
+
+export function stringifyEnv(vars) {
+  const lines = Object.entries(vars).map(([k, v]) => {
+    const needsQuotes = /[\s"'\\#]/.test(v) || v === '';
+    const escaped = v.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+    return `${k}=${needsQuotes ? `"${escaped}"` : v}`;
+  });
+  return lines.join('\n') + (lines.length ? '\n' : '');
+}
+
+export function readEnvFile(filePath) {
+  if (!existsSync(filePath)) return {};
+  return parseEnv(readFileSync(filePath, 'utf8'));
+}
+
+export function writeEnvFile(filePath, vars, { envName, projectRoot } = {}) {
+  let content = '';
+  if (envName) {
+    const projectName = projectRoot ? projectRoot.split('/').pop() : null;
+    content += `# Generated by envgit from [${envName}]`;
+    if (projectName) content += ` (${projectName})`;
+    content += '\n# Do not edit directly — use envgit set to update values\n\n';
+  }
+  content += stringifyEnv(vars);
+  writeFileSync(filePath, content, 'utf8');
+}

package/src/keystore.js

@@ -0,0 +1,52 @@
+import { readFileSync, writeFileSync, chmodSync, existsSync, statSync } from 'fs';
+import { join, dirname } from 'path';
+
+const KEY_FILE = '.envgit.key';
+const ENV_VAR = 'ENVGIT_KEY';
+const SECURE_MODE = 0o600;
+
+export function findProjectRoot(startDir = process.cwd()) {
+  let dir = startDir;
+  while (true) {
+    if (existsSync(join(dir, '.envgit'))) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) return null; // reached filesystem root
+    dir = parent;
+  }
+}
+
+export function requireProjectRoot() {
+  const root = findProjectRoot();
+  if (!root) {
+    console.error("Error: No envgit project found. Run 'envgit init' first.");
+    process.exit(1);
+  }
+  return root;
+}
+
+export function loadKey(projectRoot) {
+  if (process.env[ENV_VAR]) return process.env[ENV_VAR];
+  const keyPath = join(projectRoot, KEY_FILE);
+  if (existsSync(keyPath)) {
+    const stat = statSync(keyPath);
+    const mode = stat.mode & 0o777;
+    if (mode & 0o077) {
+      console.error(
+        `Error: ${KEY_FILE} has insecure permissions (${mode.toString(8)}). Run: chmod 600 ${KEY_FILE}`
+      );
+      process.exit(1);
+    }
+    return readFileSync(keyPath, 'utf8').trim();
+  }
+  throw new Error(
+    `No encryption key found. Add it to ${KEY_FILE} or set the ENVGIT_KEY environment variable.`
+  );
+}
+
+export function saveKey(projectRoot, key) {
+  const keyPath = join(projectRoot, KEY_FILE);
+  writeFileSync(keyPath, key + '\n', { mode: SECURE_MODE });
+  // Explicitly tighten permissions in case the file already existed —
+  // writeFileSync's mode option only applies when creating a new file.
+  chmodSync(keyPath, SECURE_MODE);
+}

package/src/state.js

@@ -0,0 +1,14 @@
+import { readFileSync, writeFileSync, existsSync } from 'fs';
+import { join } from 'path';
+
+const CURRENT_FILE = '.envgit/.current';
+
+export function getCurrentEnv(projectRoot) {
+  const path = join(projectRoot, CURRENT_FILE);
+  if (!existsSync(path)) return null;
+  return readFileSync(path, 'utf8').trim() || null;
+}
+
+export function setCurrentEnv(projectRoot, envName) {
+  writeFileSync(join(projectRoot, CURRENT_FILE), envName + '\n', 'utf8');
+}

package/src/ui.js

@@ -0,0 +1,9 @@
+import chalk from 'chalk';
+
+export const ok = (msg) => console.log(chalk.green(`✓ ${msg}`));
+export const fail = (msg) => console.log(chalk.red(`✗ ${msg}`));
+export const warn = (msg) => console.log(chalk.yellow(`⚠ ${msg}`));
+export const fatal = (msg) => { console.error(chalk.red(`✗ ${msg}`)); process.exit(1); };
+export const label = (text) => chalk.cyan(`[${text}]`);
+export const dim = (text) => chalk.dim(text);
+export const bold = (text) => chalk.bold(text);