@akshxy/envgit 0.5.1 → 0.6.0

package/README.md

@@ -61,7 +61,7 @@ envgit join abc123... --code Xk9mP2...==
 # ✓ Key saved to ~/.config/envgit/keys/<project-id>.key
 
 envgit verify        # confirm the key works
-envgit unpack dev    # writes .env
+envgit unpack        # writes .env (picks up active env)
 ```
 
 The relay is **cryptographically blind** — it stores only AES-256-GCM ciphertext and never sees the passphrase. The link is deleted the moment your teammate uses it.
@@ -131,16 +131,15 @@ Supports 100+ services out of the box: OpenAI, Anthropic, Groq, Stripe, Supabase
 | Command | Description |
 |---------|-------------|
 | `envgit init` | Initialize project, generate key, save to `~/.config/envgit/keys/` |
-| `envgit keygen` | Generate a new key for the current project |
-| `envgit keygen --show` | Print current key |
-| `envgit keygen --set <key>` | Save a key for the current project |
 | `envgit share` | Upload encrypted key to a one-time relay link |
 | `envgit join <token> --code <passphrase>` | Download and save a key shared via `envgit share` |
-| `envgit rotate-key` | Generate new key and re-encrypt all environments |
+| `envgit rotate-key` | Generate new key and re-encrypt all environments, then run `envgit share` |
 | `envgit verify` | Confirm all environments decrypt with the current key |
 
 ### Variables
 
+All variable commands are **interactive** — run them without arguments to get a fuzzy search picker.
+
 | Command | Description |
 |---------|-------------|
 | `envgit set KEY=VALUE ...` | Set one or more variables |
@@ -149,6 +148,7 @@ Supports 100+ services out of the box: OpenAI, Anthropic, Groq, Stripe, Supabase
 | `envgit get KEY` | Print a single value |
 | `envgit delete KEY` | Remove a variable |
 | `envgit rename OLD NEW` | Rename a variable |
+| `envgit copy KEY --from dev --to prod` | Copy a variable between environments |
 | `envgit list` | List all keys in the active environment |
 | `envgit list --show-values` | List keys and their values |
 
@@ -157,9 +157,9 @@ Supports 100+ services out of the box: OpenAI, Anthropic, Groq, Stripe, Supabase
 | Command | Description |
 |---------|-------------|
 | `envgit envs` | List all environments with variable counts |
+| `envgit use <env>` | Switch active environment (like `git checkout`) |
 | `envgit add-env <name>` | Create a new environment |
-| `envgit unpack <env>` | Decrypt and write a formatted `.env` file |
-| `envgit copy KEY --from dev --to prod` | Copy a variable between environments |
+| `envgit unpack [env]` | Decrypt and write a formatted `.env` file |
 | `envgit diff dev prod` | Show what's different between two environments |
 | `envgit diff dev prod --show-values` | Include values in the diff |
 
@@ -178,16 +178,12 @@ Supports 100+ services out of the box: OpenAI, Anthropic, Groq, Stripe, Supabase
 
 | Command | Description |
 |---------|-------------|
+| `envgit status` | Show project root, active env, key location, `.env` state |
 | `envgit doctor` | Check everything — key, envs, git safety — in one shot |
 | `envgit audit` | Show which keys are missing across environments |
+| `envgit scan` | Scan codebase for hardcoded secrets using patterns and entropy analysis |
 | `envgit template` | Generate a `.env.example` with all keys, no values |
-| `envgit template --output .env.example --force` | Overwrite existing file |
-
-### Status
-
-| Command | Description |
-|---------|-------------|
-| `envgit status` | Show project root, active env, key location, `.env` state |
+| `envgit fix` | Post-upgrade repair: migrate config, fix permissions, update `.gitignore` |
 
 ---
 
@@ -235,3 +231,66 @@ ENVGIT_KEY=$(cat ~/.config/envgit/keys/<id>.key) envgit run -- node server.js
 - **Relay is blind** — `envgit share` encrypts your key with a one-time passphrase before upload. The relay stores only ciphertext and never sees the passphrase. Even a full relay compromise leaks nothing.
 - **One-time links** — tokens are deleted on first use via a strongly consistent Durable Object. Replay attacks are impossible.
 - **24-hour TTL** — unclaimed tokens are automatically destroyed
+
+---
+
+## Threat model
+
+**What envgit protects against**
+
+| Threat | Protection |
+|--------|-----------|
+| `.env` accidentally committed to git | Encrypted files are safe to commit — plaintext never touches the repo |
+| Secrets shared over Slack, email, chat | `envgit share` uses a blind relay and one-time encrypted links |
+| Teammate's machine is compromised | Key is per-machine — compromise one machine, not all |
+| Relay is breached | Relay stores only AES-256-GCM ciphertext. Passphrase never sent to relay. Useless without the passphrase. |
+| Secrets hardcoded in source | `envgit scan` detects these using pattern matching and entropy analysis |
+
+**What envgit does NOT protect against**
+
+- A compromised machine where the key file is readable — if your machine is owned, the key is accessible
+- Secrets that have already been committed in plaintext to git history — use `git filter-repo` to scrub those
+- An attacker who intercepts both the relay token AND the passphrase at the same time — treat the passphrase like a password
+
+---
+
+## How it works
+
+```
+Your machine                  Relay                    Teammate's machine
+────────────────              ──────────────────       ──────────────────────
+                              (Cloudflare Worker)
+project.key (32 bytes)
+    │
+    ▼
+encrypt with                  ┌──────────────────┐
+one-time passphrase  ──────►  │  ciphertext only │  ──────►  fetch + decrypt
+                              │  deleted on read  │           with passphrase
+    │                         │  TTL: 24 hours   │               │
+    ▼                         └──────────────────┘               ▼
+envgit share                                             envgit join <token>
+prints:                                                  --code <passphrase>
+  token + passphrase                                         │
+                                                             ▼
+                                                     key saved to
+                                                     ~/.config/envgit/keys/
+```
+
+The relay is stateless and blind. It cannot reconstruct the key. Only the machine with the passphrase can decrypt.
+
+---
+
+## Crypto decisions
+
+**Why AES-256-GCM?**
+GCM is an authenticated encryption mode — it detects tampering. If anyone modifies the ciphertext (even one byte), decryption fails loudly rather than silently returning corrupt data. This matters for secrets: you want to know immediately if something has been tampered with.
+
+**Why 32 bytes of entropy?**
+NIST recommends 128-bit minimum for symmetric keys. envgit uses 256-bit (32 bytes) from `crypto.randomBytes`, which reads from the OS CSPRNG. This is the same source used by OpenSSL and Node's TLS stack.
+
+**Why a fresh IV per write?**
+AES-GCM requires a unique IV per (key, message) pair. Reusing an IV with the same key catastrophically breaks confidentiality — an attacker can XOR two ciphertexts to cancel out the keystream. envgit generates a new random IV on every write, making this impossible.
+
+**Why zeroize key bytes after use?**
+Node.js buffers live in V8's heap. Without explicit zeroization, key bytes can persist in memory until GC runs — and could potentially be read from a core dump or swap file. envgit calls `buffer.fill(0)` immediately after the crypto operation completes.
+

package/bin/envgit.js

@@ -1,35 +1,42 @@
 #!/usr/bin/env node
+import { createRequire } from 'module';
 import { program } from 'commander';
-import { init } from '../src/commands/init.js';
-import { set } from '../src/commands/set.js';
-import { get } from '../src/commands/get.js';
-import { unpack } from '../src/commands/unpack.js';
-import { list } from '../src/commands/list.js';
+import { init }      from '../src/commands/init.js';
+import { set }       from '../src/commands/set.js';
+import { get }       from '../src/commands/get.js';
+import { unpack }    from '../src/commands/unpack.js';
+import { list }      from '../src/commands/list.js';
 import { importEnv } from '../src/commands/import.js';
-import { addEnv } from '../src/commands/add-env.js';
-import { status } from '../src/commands/status.js';
-import { keygen } from '../src/commands/keygen.js';
+import { addEnv }    from '../src/commands/add-env.js';
+import { status }    from '../src/commands/status.js';
 import { deleteKey } from '../src/commands/delete.js';
-import { copy } from '../src/commands/copy.js';
+import { copy }      from '../src/commands/copy.js';
 import { renameKey } from '../src/commands/rename-key.js';
-import { diff } from '../src/commands/diff.js';
-import { run } from '../src/commands/run.js';
-import { envs } from '../src/commands/envs.js';
+import { diff }      from '../src/commands/diff.js';
+import { run }       from '../src/commands/run.js';
+import { envs }      from '../src/commands/envs.js';
 import { exportEnv } from '../src/commands/export.js';
-import { verify } from '../src/commands/verify.js';
+import { verify }    from '../src/commands/verify.js';
 import { rotateKey } from '../src/commands/rotate-key.js';
-import { share } from '../src/commands/share.js';
-import { join } from '../src/commands/join.js';
-import { doctor } from '../src/commands/doctor.js';
-import { audit } from '../src/commands/audit.js';
-import { template } from '../src/commands/template.js';
+import { share }     from '../src/commands/share.js';
+import { join }      from '../src/commands/join.js';
+import { doctor }    from '../src/commands/doctor.js';
+import { audit }     from '../src/commands/audit.js';
+import { template }  from '../src/commands/template.js';
+import { scan }      from '../src/commands/scan.js';
+import { use }       from '../src/commands/use.js';
+import { fix }       from '../src/commands/fix.js';
+
+const { version } = createRequire(import.meta.url)('../package.json');
 
 program
   .name('envgit')
   .description('Encrypted per-project environment variable manager')
-  .version('0.1.0')
+  .version(version)
   .enablePositionalOptions();
 
+// ── Setup ────────────────────────────────────────────────────────────────────
+
 program
   .command('init')
   .description('Initialize envgit in the current project')
@@ -37,33 +44,77 @@ program
   .action(init);
 
 program
-  .command('status')
-  .description('Show project root, active env, key source, and .env state')
-  .action(status);
+  .command('fix')
+  .description('Fix everything after an upgrade — .gitignore, permissions, config migration')
+  .action(fix);
+
+// ── Environments ──────────────────────────────────────────────────────────────
+
+program
+  .command('use [env]')
+  .description('Switch active environment — omit to pick interactively')
+  .action(use);
+
+program
+  .command('envs')
+  .description('List all environments with variable counts')
+  .action(envs);
+
+program
+  .command('add-env <name>')
+  .alias('new')
+  .description('Create a new environment')
+  .action(addEnv);
+
+program
+  .command('unpack [env]')
+  .alias('pull')
+  .description('Write .env for the active env — or specify one explicitly')
+  .action(unpack);
+
+program
+  .command('diff [env1] [env2]')
+  .description('Show differences between two environments')
+  .option('--show-values', 'reveal values in diff output')
+  .action(diff);
+
+// ── Variables ─────────────────────────────────────────────────────────────────
 
 program
   .command('set [assignments...]')
-  .description('Set KEY=VALUE pairs, or load from a file with -f')
+  .description('Set KEY=VALUE — omit args to pick interactively')
   .option('--env <name>', 'target environment')
-  .option('-f, --file <path>', 'read variables from a .env file')
+  .option('-f, --file <path>', 'import from a .env file')
   .action(set);
 
 program
-  .command('get <key>')
-  .description('Print a value by key (defaults to active env)')
+  .command('get [key]')
+  .description('Print a value — omit key to pick interactively')
   .option('--env <name>', 'target environment')
   .action(get);
 
 program
-  .command('unpack <env>')
-  .alias('switch')
-  .alias('pull')
-  .description('Decrypt <env> and write a clean .env file, sets it as active')
-  .action(unpack);
+  .command('delete [key]')
+  .description('Remove a key — omit to pick interactively')
+  .option('--env <name>', 'target environment')
+  .action(deleteKey);
+
+program
+  .command('rename [old-key] [new-key]')
+  .description('Rename a key — omit args to pick interactively')
+  .option('--env <name>', 'target environment')
+  .action(renameKey);
+
+program
+  .command('copy [key]')
+  .description('Copy a key between environments — omit args to pick interactively')
+  .option('--from <env>', 'source environment')
+  .option('--to <env>',   'destination environment')
+  .action(copy);
 
 program
   .command('list')
-  .description('List keys in an environment (defaults to active env)')
+  .description('List all keys in the active environment')
   .option('--env <name>', 'target environment')
   .option('--show-values', 'print values alongside keys')
   .action(list);
@@ -72,75 +123,50 @@ program
   .command('import')
   .description('Encrypt an existing .env file into an environment')
   .option('--env <name>', 'target environment')
-  .option('--file <path>', 'source file to import', '.env')
+  .option('--file <path>', 'source file', '.env')
   .action(importEnv);
 
-program
-  .command('add-env <name>')
-  .description('Add a new environment')
-  .action(addEnv);
+// ── Key management ───────────────────────────────────────────────────────────
 
 program
-  .command('keygen')
-  .description('Generate or manage the encryption key')
-  .option('--show', 'print current key (for sharing with teammates)')
-  .option('--set <key>', 'save a received key to .envgit.key')
-  .action(keygen);
+  .command('share')
+  .description('Upload encrypted key as a one-time link to send to a teammate')
+  .action(share);
 
 program
-  .command('delete <key>')
-  .description('Remove a key from the encrypted env')
-  .option('--env <name>', 'target environment')
-  .action(deleteKey);
+  .command('join <token>')
+  .description('Download and save a key shared via envgit share')
+  .requiredOption('--code <passphrase>', 'passphrase from the share output')
+  .action(join);
 
 program
-  .command('copy <key>')
-  .description('Copy a key\'s value between two environments')
-  .requiredOption('--from <env>', 'source environment')
-  .requiredOption('--to <env>', 'destination environment')
-  .action(copy);
+  .command('rotate-key')
+  .description('Generate a new key and re-encrypt all environments')
+  .action(rotateKey);
 
-program
-  .command('rename <old-key> <new-key>')
-  .description('Rename a key within an environment')
-  .option('--env <name>', 'target environment')
-  .action(renameKey);
+// ── Export & run ─────────────────────────────────────────────────────────────
 
 program
-  .command('diff [env1] [env2]')
-  .description('Show differences between two environments')
-  .option('--show-values', 'reveal values in diff output')
-  .action(diff);
+  .command('export')
+  .description('Print decrypted vars to stdout')
+  .option('--env <name>', 'target environment')
+  .option('--format <fmt>', 'dotenv | json | shell', 'dotenv')
+  .action(exportEnv);
 
 program
   .command('run [args...]')
-  .description('Spawn a command with decrypted env vars injected')
+  .description('Run a command with decrypted env vars injected — nothing written to disk')
   .option('--env <name>', 'environment to use')
   .allowUnknownOption()
   .passThroughOptions()
   .action(run);
 
-program
-  .command('envs')
-  .description('List all environments with variable counts')
-  .action(envs);
-
-program
-  .command('export')
-  .description('Print decrypted vars to stdout (dotenv, json, or shell format)')
-  .option('--env <name>', 'target environment')
-  .option('--format <fmt>', 'output format: dotenv, json, shell', 'dotenv')
-  .action(exportEnv);
-
-program
-  .command('verify')
-  .description('Attempt to decrypt every .enc file with the current key')
-  .action(verify);
+// ── Health & safety ──────────────────────────────────────────────────────────
 
 program
-  .command('rotate-key')
-  .description('Generate a new key and re-encrypt all environments')
-  .action(rotateKey);
+  .command('status')
+  .description('Show active environment, key status, and project info')
+  .action(status);
 
 program
   .command('doctor')
@@ -153,21 +179,20 @@ program
   .action(audit);
 
 program
-  .command('template')
-  .description('Generate a .env.example with all keys but no values')
-  .option('-o, --output <path>', 'output file path', '.env.example')
-  .option('-f, --force', 'overwrite if file already exists')
-  .action(template);
+  .command('verify')
+  .description('Confirm all environments decrypt correctly with the current key')
+  .action(verify);
 
 program
-  .command('share')
-  .description('Encrypt your key and upload it to a one-time link — send the output to a teammate')
-  .action(share);
+  .command('scan')
+  .description('Scan codebase for hardcoded secrets')
+  .action(scan);
 
 program
-  .command('join <token>')
-  .description('Download and save a key from a link generated by envgit share')
-  .requiredOption('--code <passphrase>', 'passphrase printed by envgit share')
-  .action(join);
+  .command('template')
+  .description('Generate a .env.example with all keys, no values')
+  .option('-o, --output <path>', 'output path', '.env.example')
+  .option('-f, --force', 'overwrite existing file')
+  .action(template);
 
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@akshxy/envgit",
-  "version": "0.5.1",
+  "version": "0.6.0",
   "description": "Encrypted per-project environment variable manager",
   "type": "module",
   "bin": {
@@ -13,6 +13,7 @@
   ],
   "license": "MIT",
   "dependencies": {
+    "@inquirer/prompts": "^8.3.0",
     "chalk": "^5.6.2",
     "commander": "^12.0.0",
     "js-yaml": "^4.1.0"

package/src/commands/add-env.js

@@ -8,6 +8,10 @@ export async function addEnv(name) {
   const key = loadKey(projectRoot);
   const config = loadConfig(projectRoot);
 
+  if (!/^[a-z0-9_-]+$/i.test(name)) {
+    fatal(`Invalid environment name '${name}' — use only letters, numbers, hyphens, and underscores.`);
+  }
+
   if (config.envs.includes(name)) {
     fatal(`Environment '${name}' already exists.`);
   }

package/src/commands/audit.js

@@ -10,7 +10,10 @@ export async function audit() {
   const config      = loadConfig(projectRoot);
 
   if (config.envs.length < 2) {
-    console.log(dim('\n  Need at least 2 environments to audit.\n'));
+    console.log('');
+    console.log(dim('  Only one environment — nothing to compare.'));
+    console.log(dim('  Add more with: envgit add-env <name>'));
+    console.log('');
     return;
   }
 

package/src/commands/copy.js

@@ -1,24 +1,26 @@
 import { requireProjectRoot, loadKey } from '../keystore.js';
+import { loadConfig } from '../config.js';
 import { readEncEnv, writeEncEnv } from '../enc.js';
-import { ok, fatal, label } from '../ui.js';
+import { ok, fatal, label, envLabel } from '../ui.js';
+import { pickKey, pickEnv } from '../interactive.js';
 
 export async function copy(keyName, options) {
-  if (!options.from || !options.to) {
-    fatal('Both --from and --to environments are required.');
-  }
-
   const projectRoot = requireProjectRoot();
   const key = loadKey(projectRoot);
+  const config = loadConfig(projectRoot);
+
+  const from = options.from ?? await pickEnv(config.envs, 'Copy from environment');
+  const to   = options.to   ?? await pickEnv(config.envs.filter(e => e !== from), 'Copy to environment');
+
+  const srcVars = readEncEnv(projectRoot, from, key);
 
-  const srcVars = readEncEnv(projectRoot, options.from, key);
+  const name = keyName ?? await pickKey(srcVars, `Key to copy from [${from}]`);
 
-  if (!(keyName in srcVars)) {
-    fatal(`Key '${keyName}' not found in ${label(options.from)}`);
-  }
+  if (!(name in srcVars)) fatal(`Key '${name}' not found in ${envLabel(from)}`);
 
-  const dstVars = readEncEnv(projectRoot, options.to, key);
-  dstVars[keyName] = srcVars[keyName];
-  writeEncEnv(projectRoot, options.to, key, dstVars);
+  const dstVars = readEncEnv(projectRoot, to, key);
+  dstVars[name] = srcVars[name];
+  writeEncEnv(projectRoot, to, key, dstVars);
 
-  ok(`Copied ${keyName} from ${label(options.from)} → ${label(options.to)}`);
+  ok(`Copied ${name} from ${envLabel(from)} → ${envLabel(to)}`);
 }

package/src/commands/delete.js

@@ -2,7 +2,8 @@ import { requireProjectRoot, loadKey } from '../keystore.js';
 import { resolveEnv } from '../config.js';
 import { readEncEnv, writeEncEnv } from '../enc.js';
 import { getCurrentEnv } from '../state.js';
-import { ok, fatal, label } from '../ui.js';
+import { ok, fatal, label, envLabel } from '../ui.js';
+import { pickKey, promptConfirm } from '../interactive.js';
 
 export async function deleteKey(keyName, options) {
   const projectRoot = requireProjectRoot();
@@ -11,11 +12,16 @@ export async function deleteKey(keyName, options) {
 
   const vars = readEncEnv(projectRoot, envName, key);
 
-  if (!(keyName in vars)) {
-    fatal(`Key '${keyName}' not found in ${label(envName)}`);
+  const name = keyName ?? await pickKey(vars, `Key to delete from [${envName}]`);
+
+  if (!(name in vars)) fatal(`Key '${name}' not found in ${envLabel(envName)}`);
+
+  if (!keyName) {
+    const confirmed = await promptConfirm(`Delete ${name} from [${envName}]?`);
+    if (!confirmed) { process.exit(0); }
   }
 
-  delete vars[keyName];
+  delete vars[name];
   writeEncEnv(projectRoot, envName, key, vars);
-  ok(`Deleted ${keyName} from ${label(envName)}`);
+  ok(`Deleted ${name} from ${envLabel(envName)}`);
 }

package/src/commands/doctor.js

@@ -5,11 +5,8 @@ import chalk from 'chalk';
 import { findProjectRoot, globalKeyPath } from '../keystore.js';
 import { loadConfig } from '../config.js';
 import { readEncEnv } from '../enc.js';
-import { bold, dim } from '../ui.js';
+import { ok as pass, fail, warn, bold, dim } from '../ui.js';
 
-function pass(msg)      { console.log(chalk.green(`  ✓ ${msg}`)); }
-function fail(msg)      { console.log(chalk.red(`  ✗ ${msg}`)); }
-function warn(msg)      { console.log(chalk.yellow(`  ⚠ ${msg}`)); }
 function section(title) { console.log(`\n${bold(title)}`); }
 
 export async function doctor() {
@@ -48,7 +45,7 @@ export async function doctor() {
       pass(`Key file found ${dim(keyPath)}`);
       key = readFileSync(keyPath, 'utf8').trim();
     } else {
-      fail('Key file missing — run: envgit share / envgit join');
+      fail('Key file missing — get it from a teammate: envgit join <token> --code <passphrase>');
       issues++;
     }
   } else {
@@ -57,7 +54,7 @@ export async function doctor() {
       warn(`Legacy key file at project root ${dim('(consider migrating)')}`);
       key = readFileSync(legacyPath, 'utf8').trim();
     } else {
-      fail('No key found — run: envgit keygen');
+      fail('No key found — ask a teammate to run: envgit share');
       issues++;
     }
   }

package/src/commands/envs.js

@@ -1,25 +1,31 @@
-import chalk from 'chalk';
 import { requireProjectRoot, loadKey } from '../keystore.js';
 import { loadConfig } from '../config.js';
 import { readEncEnv } from '../enc.js';
 import { getCurrentEnv } from '../state.js';
-import { dim } from '../ui.js';
+import { dim, envLabel } from '../ui.js';
+import chalk from 'chalk';
 
 export async function envs() {
   const projectRoot = requireProjectRoot();
-  const key = loadKey(projectRoot);
-  const config = loadConfig(projectRoot);
+  const key     = loadKey(projectRoot);
+  const config  = loadConfig(projectRoot);
   const current = getCurrentEnv(projectRoot);
 
   console.log('');
   for (const envName of config.envs) {
     const isActive = envName === current;
-    const bullet = isActive ? chalk.green('●') : ' ';
-    const vars = readEncEnv(projectRoot, envName, key);
-    const count = Object.keys(vars).length;
-    const countStr = dim(`(${count} var${count !== 1 ? 's' : ''})`);
-    const activeSuffix = isActive ? chalk.cyan(' (active)') : '';
-    console.log(`  ${bullet} ${isActive ? chalk.bold(envName) : envName} ${countStr}${activeSuffix}`);
+    const bullet   = isActive ? chalk.green('●') : chalk.dim('○');
+    const vars     = readEncEnv(projectRoot, envName, key);
+    const count    = Object.keys(vars).length;
+    const label    = isActive ? envLabel(envName) : chalk.dim(`[${envName}]`);
+    const countStr = dim(`${count} var${count !== 1 ? 's' : ''}`);
+    const hint     = isActive ? chalk.dim(' ← active') : '';
+    console.log(`  ${bullet} ${label} ${countStr}${hint}`);
+  }
+
+  if (!current) {
+    console.log('');
+    console.log(dim('  No active environment. Run: envgit use <env>'));
   }
   console.log('');
 }