@akshxy/envgit 0.5.0 → 0.5.1

package/README.md

@@ -174,6 +174,15 @@ Supports 100+ services out of the box: OpenAI, Anthropic, Groq, Stripe, Supabase
 | `envgit run -- node server.js` | Run a command with env vars injected, nothing written to disk |
 | `envgit import --file .env.local` | Encrypt an existing `.env` file |
 
+### Utilities
+
+| Command | Description |
+|---------|-------------|
+| `envgit doctor` | Check everything — key, envs, git safety — in one shot |
+| `envgit audit` | Show which keys are missing across environments |
+| `envgit template` | Generate a `.env.example` with all keys, no values |
+| `envgit template --output .env.example --force` | Overwrite existing file |
+
 ### Status
 
 | Command | Description |

package/bin/envgit.js

@@ -20,6 +20,9 @@ import { verify } from '../src/commands/verify.js';
 import { rotateKey } from '../src/commands/rotate-key.js';
 import { share } from '../src/commands/share.js';
 import { join } from '../src/commands/join.js';
+import { doctor } from '../src/commands/doctor.js';
+import { audit } from '../src/commands/audit.js';
+import { template } from '../src/commands/template.js';
 
 program
   .name('envgit')
@@ -139,6 +142,23 @@ program
   .description('Generate a new key and re-encrypt all environments')
   .action(rotateKey);
 
+program
+  .command('doctor')
+  .description('Check project health — key, envs, git safety')
+  .action(doctor);
+
+program
+  .command('audit')
+  .description('Show which keys are missing across environments')
+  .action(audit);
+
+program
+  .command('template')
+  .description('Generate a .env.example with all keys but no values')
+  .option('-o, --output <path>', 'output file path', '.env.example')
+  .option('-f, --force', 'overwrite if file already exists')
+  .action(template);
+
 program
   .command('share')
   .description('Encrypt your key and upload it to a one-time link — send the output to a teammate')

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@akshxy/envgit",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Encrypted per-project environment variable manager",
   "type": "module",
   "bin": {

package/src/commands/audit.js

@@ -0,0 +1,86 @@
+import chalk from 'chalk';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { bold, dim, ok } from '../ui.js';
+
+export async function audit() {
+  const projectRoot = requireProjectRoot();
+  const key         = loadKey(projectRoot);
+  const config      = loadConfig(projectRoot);
+
+  if (config.envs.length < 2) {
+    console.log(dim('\n  Need at least 2 environments to audit.\n'));
+    return;
+  }
+
+  // Load all envs
+  const envVars = {};
+  for (const envName of config.envs) {
+    envVars[envName] = readEncEnv(projectRoot, envName, key);
+  }
+
+  // Collect every key across all envs
+  const allKeys = [...new Set(config.envs.flatMap(e => Object.keys(envVars[e])))].sort();
+
+  if (allKeys.length === 0) {
+    console.log(dim('\n  No variables found across any environment.\n'));
+    return;
+  }
+
+  // Find keys that are missing from at least one env
+  const missing = {};   // key → [envs it's missing from]
+  const present = {};   // key → [envs it's in]
+
+  for (const key of allKeys) {
+    missing[key] = config.envs.filter(e => !(key in envVars[e]));
+    present[key] = config.envs.filter(e =>  (key in envVars[e]));
+  }
+
+  const problemKeys = allKeys.filter(k => missing[k].length > 0);
+  const cleanKeys   = allKeys.filter(k => missing[k].length === 0);
+
+  // ── Header ────────────────────────────────────────────────────────────────
+  console.log('');
+  console.log(bold('Audit') + dim(` — ${config.envs.join(', ')}`));
+  console.log('');
+
+  // ── Missing keys ──────────────────────────────────────────────────────────
+  if (problemKeys.length === 0) {
+    ok(`All ${allKeys.length} keys are present in every environment.`);
+    console.log('');
+    return;
+  }
+
+  // Column header
+  const pad = Math.max(...allKeys.map(k => k.length), 4) + 2;
+  const envHeaders = config.envs.map(e => e.padEnd(8)).join('  ');
+  console.log(dim('  ' + 'KEY'.padEnd(pad) + envHeaders));
+  console.log(dim('  ' + '─'.repeat(pad + config.envs.length * 10)));
+
+  for (const key of problemKeys) {
+    const cols = config.envs.map(e => {
+      if (key in envVars[e]) return chalk.green('  ✓'.padEnd(10));
+      return chalk.red('  ✗'.padEnd(10));
+    }).join('');
+    console.log(`  ${chalk.bold(key.padEnd(pad))}${cols}`);
+  }
+
+  if (cleanKeys.length > 0) {
+    console.log(dim(`\n  ${cleanKeys.length} key${cleanKeys.length !== 1 ? 's' : ''} present in all envs (hidden)`));
+  }
+
+  console.log('');
+  console.log(chalk.yellow(bold(`${problemKeys.length} key${problemKeys.length !== 1 ? 's' : ''} missing from one or more environments.`)));
+
+  // Per-env fix hints
+  console.log('');
+  for (const envName of config.envs) {
+    const needed = problemKeys.filter(k => !(k in envVars[envName]));
+    if (needed.length > 0) {
+      console.log(dim(`  Fix ${envName}:  envgit set ${needed.join('=... ')}=... --env ${envName}`));
+    }
+  }
+
+  console.log('');
+}

package/src/commands/doctor.js

@@ -0,0 +1,146 @@
+import { execFileSync } from 'child_process';
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import chalk from 'chalk';
+import { findProjectRoot, globalKeyPath } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { bold, dim } from '../ui.js';
+
+function pass(msg)      { console.log(chalk.green(`  ✓ ${msg}`)); }
+function fail(msg)      { console.log(chalk.red(`  ✗ ${msg}`)); }
+function warn(msg)      { console.log(chalk.yellow(`  ⚠ ${msg}`)); }
+function section(title) { console.log(`\n${bold(title)}`); }
+
+export async function doctor() {
+  let issues = 0;
+
+  // ── Project ───────────────────────────────────────────────────────────────
+  section('Project');
+
+  const projectRoot = findProjectRoot();
+  if (!projectRoot) {
+    fail('No envgit project found — run envgit init first.');
+    console.log('');
+    process.exit(1);
+  }
+  pass(`Project root: ${dim(projectRoot)}`);
+
+  let config;
+  try {
+    config = loadConfig(projectRoot);
+    pass(`Config loaded ${dim(`(${config.envs.length} env${config.envs.length !== 1 ? 's' : ''}: ${config.envs.join(', ')})`)}`)
+  } catch (e) {
+    fail(`Config unreadable — ${e.message}`);
+    issues++;
+  }
+
+  // ── Key ───────────────────────────────────────────────────────────────────
+  section('Key');
+
+  let key = null;
+  if (process.env.ENVGIT_KEY) {
+    pass('Key loaded from ENVGIT_KEY environment variable');
+    key = process.env.ENVGIT_KEY;
+  } else if (config?.key_id) {
+    const keyPath = globalKeyPath(config.key_id);
+    if (existsSync(keyPath)) {
+      pass(`Key file found ${dim(keyPath)}`);
+      key = readFileSync(keyPath, 'utf8').trim();
+    } else {
+      fail('Key file missing — run: envgit share / envgit join');
+      issues++;
+    }
+  } else {
+    const legacyPath = join(projectRoot, '.envgit.key');
+    if (existsSync(legacyPath)) {
+      warn(`Legacy key file at project root ${dim('(consider migrating)')}`);
+      key = readFileSync(legacyPath, 'utf8').trim();
+    } else {
+      fail('No key found — run: envgit keygen');
+      issues++;
+    }
+  }
+
+  if (key) {
+    const decoded = Buffer.from(key, 'base64');
+    if (decoded.length === 32) {
+      pass('Key length valid (256-bit)');
+    } else {
+      fail(`Key length invalid — got ${decoded.length} bytes, expected 32`);
+      issues++;
+    }
+  }
+
+  // ── Environments ──────────────────────────────────────────────────────────
+  if (config && key) {
+    section('Environments');
+    for (const envName of config.envs) {
+      try {
+        const vars = readEncEnv(projectRoot, envName, key);
+        const count = Object.keys(vars).length;
+        pass(`${envName} decrypts OK ${dim(`(${count} var${count !== 1 ? 's' : ''})`)}`);
+      } catch (e) {
+        fail(`${envName} failed to decrypt — ${e.message}`);
+        issues++;
+      }
+    }
+  }
+
+  // ── Git safety ────────────────────────────────────────────────────────────
+  section('Git safety');
+
+  const gitignorePath = join(projectRoot, '.gitignore');
+  if (existsSync(gitignorePath)) {
+    const gitignore = readFileSync(gitignorePath, 'utf8');
+    const lines = gitignore.split('\n').map(l => l.trim());
+
+    const envIgnored = lines.some(l => l === '.env' || l === '.env.*' || l === '*.env');
+    if (envIgnored) {
+      pass('.env is in .gitignore');
+    } else {
+      warn('.env is not in .gitignore — add it to prevent accidental commits');
+      issues++;
+    }
+
+    if (existsSync(join(projectRoot, '.envgit.key'))) {
+      const keyIgnored = lines.some(l => l === '.envgit.key');
+      if (!keyIgnored) {
+        fail('.envgit.key is not in .gitignore — this would expose your key!');
+        issues++;
+      }
+    }
+  } else {
+    warn('No .gitignore found');
+    issues++;
+  }
+
+  // Check for .env files tracked by git (no shell, no injection)
+  try {
+    const tracked = execFileSync('git', ['ls-files', '.env', '.env.local', '.env.production'], {
+      cwd: projectRoot,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    }).toString().trim();
+
+    if (tracked) {
+      const files = tracked.split('\n').map(f => `    ${f}`).join('\n');
+      fail(`Plaintext .env file tracked by git:\n${files}`);
+      fail('Remove with: git rm --cached .env');
+      issues++;
+    } else {
+      pass('No plaintext .env files tracked by git');
+    }
+  } catch {
+    warn('Not a git repo — skipping git tracking check');
+  }
+
+  // ── Summary ───────────────────────────────────────────────────────────────
+  console.log('');
+  if (issues === 0) {
+    console.log(chalk.green(bold('All checks passed.')));
+  } else {
+    console.log(chalk.red(bold(`${issues} issue${issues !== 1 ? 's' : ''} found.`)));
+    process.exit(1);
+  }
+  console.log('');
+}

package/src/commands/template.js

@@ -0,0 +1,53 @@
+import { writeFileSync, existsSync } from 'fs';
+import { join } from 'path';
+import { requireProjectRoot, loadKey } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { readEncEnv } from '../enc.js';
+import { ok, warn, fatal, bold, dim } from '../ui.js';
+
+export async function template(options) {
+  const projectRoot = requireProjectRoot();
+  const key         = loadKey(projectRoot);
+  const config      = loadConfig(projectRoot);
+
+  // Merge keys from all envs (union), sorted
+  const allKeys = [...new Set(
+    config.envs.flatMap(envName => Object.keys(readEncEnv(projectRoot, envName, key)))
+  )].sort();
+
+  if (allKeys.length === 0) {
+    warn('No variables found — nothing to template.');
+    return;
+  }
+
+  const outPath = join(projectRoot, options.output ?? '.env.example');
+
+  if (existsSync(outPath) && !options.force) {
+    fatal(`${outPath} already exists. Use --force to overwrite.`);
+  }
+
+  const projectName = config.project ?? 'your-project';
+  const envList     = config.envs.join(', ');
+
+  const lines = [
+    `# .env.example — generated by envgit`,
+    `# Project : ${projectName}`,
+    `# Envs    : ${envList}`,
+    `#`,
+    `# Do not put real values here. This file is safe to commit.`,
+    `# To get the real values: envgit join <token> --code <passphrase>`,
+    `#                    then: envgit unpack dev`,
+    ``,
+    ...allKeys.map(k => `${k}=`),
+    ``,
+  ].join('\n');
+
+  writeFileSync(outPath, lines, 'utf8');
+
+  console.log('');
+  ok(`Generated ${dim(outPath)} with ${allKeys.length} key${allKeys.length !== 1 ? 's' : ''}`);
+  console.log(dim(`  Envs scanned: ${envList}`));
+  console.log('');
+  console.log(dim(`  Commit it:  git add ${options.output ?? '.env.example'} && git commit -m "chore: update .env.example"`));
+  console.log('');
+}