@akshxy/envgit 0.5.1 → 0.6.0

package/src/commands/fix.js

@@ -0,0 +1,130 @@
+import { execFileSync } from 'child_process';
+import { existsSync, readFileSync, writeFileSync, chmodSync, statSync, mkdirSync } from 'fs';
+import { join, basename } from 'path';
+import chalk from 'chalk';
+import { findProjectRoot, globalKeyPath } from '../keystore.js';
+import { loadConfig, saveConfig } from '../config.js';
+import { bold, dim, ok, warn } from '../ui.js';
+
+function fixed(msg) { console.log(chalk.green(`  ✦ fixed   ${msg}`)); }
+function check(msg) { console.log(chalk.dim( `  ✓ ok      ${msg}`)); }
+function skipped(msg) { console.log(chalk.dim(`  – skip    ${msg}`)); }
+
+export async function fix() {
+  const projectRoot = findProjectRoot();
+  if (!projectRoot) {
+    console.log('');
+    console.log(chalk.red('  No envgit project found. Run envgit init first.'));
+    console.log('');
+    process.exit(1);
+  }
+
+  let fixes = 0;
+  console.log('');
+  console.log(bold('Running envgit fix...'));
+  console.log('');
+
+  // ── 1. Ensure .envgit dir and state file exist ────────────────────────────
+  const envgitDir  = join(projectRoot, '.envgit');
+  const currentFile = join(envgitDir, '.current');
+  mkdirSync(envgitDir, { recursive: true });
+  if (!existsSync(currentFile)) {
+    writeFileSync(currentFile, '', 'utf8');
+    fixed('.envgit/.current state file created');
+    fixes++;
+  } else {
+    check('.envgit/.current exists');
+  }
+
+  // ── 2. Config migration — add missing fields introduced in newer versions ──
+  let config;
+  try {
+    config = loadConfig(projectRoot);
+    let configChanged = false;
+
+    // v0.2+: default_env field
+    if (!config.default_env) {
+      config.default_env = config.envs?.[0] ?? 'dev';
+      configChanged = true;
+    }
+
+    // v0.3+: project name field
+    if (!config.project) {
+      config.project = basename(projectRoot);
+      configChanged = true;
+    }
+
+    if (configChanged) {
+      saveConfig(projectRoot, config);
+      fixed('config.yml migrated to latest schema');
+      fixes++;
+    } else {
+      check('config.yml schema is current');
+    }
+  } catch {
+    warn('Could not load config — skipping migration (run envgit init first)');
+  }
+
+  // ── 3. Key file permissions ───────────────────────────────────────────────
+  if (config?.key_id) {
+    const keyPath = globalKeyPath(config.key_id);
+    if (existsSync(keyPath)) {
+      const mode = statSync(keyPath).mode & 0o777;
+      if (mode & 0o077) {
+        chmodSync(keyPath, 0o600);
+        fixed(`key file permissions set to 600`);
+        fixes++;
+      } else {
+        check('key file permissions are 600');
+      }
+    } else {
+      skipped('key file not on this machine (normal for fresh clones)');
+    }
+  }
+
+  // ── 4. .gitignore — ensure .env and .envgit.key are ignored ──────────────
+  const gitignorePath = join(projectRoot, '.gitignore');
+  let gitignore = existsSync(gitignorePath) ? readFileSync(gitignorePath, 'utf8') : '';
+  const lines   = gitignore.split('\n').map(l => l.trim());
+  const missing = [];
+
+  if (!lines.some(l => l === '.env' || l === '.env.*')) missing.push('.env');
+  if (!lines.some(l => l === '.envgit.key'))            missing.push('.envgit.key');
+
+  if (missing.length > 0) {
+    gitignore = gitignore.trimEnd() + '\n\n# envgit\n' + missing.join('\n') + '\n';
+    writeFileSync(gitignorePath, gitignore, 'utf8');
+    fixed(`.gitignore — added: ${missing.join(', ')}`);
+    fixes++;
+  } else {
+    check('.gitignore has .env and .envgit.key');
+  }
+
+  // ── 5. Remove .env from git tracking if accidentally staged ──────────────
+  try {
+    const tracked = execFileSync('git', ['ls-files', '.env'], {
+      cwd: projectRoot, stdio: ['pipe', 'pipe', 'pipe'],
+    }).toString().trim();
+
+    if (tracked) {
+      execFileSync('git', ['rm', '--cached', '.env'], {
+        cwd: projectRoot, stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      fixed('.env removed from git tracking (file kept on disk)');
+      fixes++;
+    } else {
+      check('.env is not tracked by git');
+    }
+  } catch {
+    skipped('not a git repo — skipping git tracking check');
+  }
+
+  // ── Summary ───────────────────────────────────────────────────────────────
+  console.log('');
+  if (fixes === 0) {
+    console.log(chalk.green(bold('  Everything looks good. Nothing to fix.')));
+  } else {
+    console.log(chalk.green(bold(`  Applied ${fixes} fix${fixes !== 1 ? 'es' : ''}. Run envgit doctor to verify.`)));
+  }
+  console.log('');
+}

package/src/commands/get.js

@@ -2,7 +2,8 @@ import { requireProjectRoot, loadKey } from '../keystore.js';
 import { resolveEnv } from '../config.js';
 import { readEncEnv } from '../enc.js';
 import { getCurrentEnv } from '../state.js';
-import { fatal, label } from '../ui.js';
+import { fatal, label, envLabel } from '../ui.js';
+import { pickKey } from '../interactive.js';
 
 export async function get(key, options) {
   const projectRoot = requireProjectRoot();
@@ -11,9 +12,9 @@ export async function get(key, options) {
 
   const vars = readEncEnv(projectRoot, envName, encKey);
 
-  if (!(key in vars)) {
-    fatal(`Key '${key}' not found in ${label(envName)}`);
-  }
+  const keyName = key ?? await pickKey(vars, `Key to get from [${envName}]`);
 
-  console.log(vars[key]);
+  if (!(keyName in vars)) fatal(`Key '${keyName}' not found in ${envLabel(envName)}`);
+
+  console.log(vars[keyName]);
 }

package/src/commands/init.js

@@ -44,8 +44,8 @@ export async function init(options) {
   console.log(dim('Commit .envgit/ to share encrypted environments with your team.'));
   console.log(dim('Your key never touches the repo — it lives only on your machine.'));
   console.log('');
-  console.log(`Share your key with teammates:  ${bold('envgit keygen --show')}`);
-  console.log(`Teammates save it with:         ${bold('envgit keygen --set <key>')}`);
+  console.log(`Share your key with teammates:  ${bold('envgit share')}`);
+  console.log(`Teammates receive it with:      ${bold('envgit join <token> --code <passphrase>')}`);
   console.log('');
 }
 

package/src/commands/join.js

@@ -45,6 +45,6 @@ export async function join(token, options) {
   console.log(dim(`  Stored at: ${keyPath}`));
   console.log('');
   console.log(dim('Run `envgit verify` to confirm it works.'));
-  console.log(dim('Run `envgit unpack dev` to write your .env file.'));
+  console.log(dim('Run `envgit unpack` to write your .env file.'));
   console.log('');
 }

package/src/commands/rename-key.js

@@ -2,7 +2,8 @@ import { requireProjectRoot, loadKey } from '../keystore.js';
 import { resolveEnv } from '../config.js';
 import { readEncEnv, writeEncEnv } from '../enc.js';
 import { getCurrentEnv } from '../state.js';
-import { ok, fatal, label } from '../ui.js';
+import { ok, fatal, label, envLabel } from '../ui.js';
+import { pickKey, promptInput } from '../interactive.js';
 
 export async function renameKey(oldName, newName, options) {
   const projectRoot = requireProjectRoot();
@@ -11,19 +12,17 @@ export async function renameKey(oldName, newName, options) {
 
   const vars = readEncEnv(projectRoot, envName, key);
 
-  if (!(oldName in vars)) {
-    fatal(`Key '${oldName}' not found in ${label(envName)}`);
-  }
+  const from = oldName ?? await pickKey(vars, `Key to rename in [${envName}]`);
+  const to   = newName ?? await promptInput(`New name for ${from}`);
 
-  if (newName in vars) {
-    fatal(`Key '${newName}' already exists in ${label(envName)}`);
-  }
+  if (!(from in vars)) fatal(`Key '${from}' not found in ${envLabel(envName)}`);
+  if (to in vars)      fatal(`Key '${to}' already exists in ${envLabel(envName)}`);
 
   const ordered = {};
   for (const [k, v] of Object.entries(vars)) {
-    ordered[k === oldName ? newName : k] = v;
+    ordered[k === from ? to : k] = v;
   }
 
   writeEncEnv(projectRoot, envName, key, ordered);
-  ok(`Renamed ${oldName} → ${newName} in ${label(envName)}`);
+  ok(`Renamed ${from} → ${to} in ${envLabel(envName)}`);
 }

package/src/commands/rotate-key.js

@@ -30,10 +30,7 @@ export async function rotateKey() {
   console.log(dim(`Old hint: ${oldHint}`));
   console.log(dim(`New hint: ${newHint}`));
   console.log('');
-  console.log(bold('New key:'));
-  console.log(`  ${newKey}`);
-  console.log('');
-  warn('Share the new key with your team! Old key is now invalid.');
-  console.log(dim('They can save it with: envgit keygen --set <key>'));
+  warn('Old key is now invalid — teammates need the new one.');
+  console.log(dim('Run envgit share, then send teammates the join command.'));
   console.log('');
 }

package/src/commands/scan.js

@@ -0,0 +1,207 @@
+import { readdirSync, readFileSync } from 'fs';
+import { join, relative, extname } from 'path';
+import chalk from 'chalk';
+import { findProjectRoot } from '../keystore.js';
+import { bold, dim, ok } from '../ui.js';
+
+// ── Known secret patterns ─────────────────────────────────────────────────────
+
+const PATTERNS = [
+  { name: 'AWS Access Key ID',      regex: /\bAKIA[0-9A-Z]{16}\b/ },
+  { name: 'Stripe Secret Key',      regex: /\bsk_live_[0-9a-zA-Z]{24,}\b/ },
+  { name: 'Stripe Restricted Key',  regex: /\brk_live_[0-9a-zA-Z]{24,}\b/ },
+  { name: 'GitHub Token',           regex: /\bghp_[0-9a-zA-Z]{36}\b/ },
+  { name: 'GitHub OAuth Token',     regex: /\bgho_[0-9a-zA-Z]{36}\b/ },
+  { name: 'GitHub App Token',       regex: /\bghs_[0-9a-zA-Z]{36}\b/ },
+  { name: 'GitHub PAT',             regex: /\bgithub_pat_[0-9a-zA-Z_]{82}\b/ },
+  { name: 'OpenAI API Key',         regex: /\bsk-[a-zA-Z0-9]{48}\b/ },
+  { name: 'OpenAI Project Key',     regex: /\bsk-proj-[0-9a-zA-Z_-]{48,}\b/ },
+  { name: 'Anthropic API Key',      regex: /\bsk-ant-[0-9a-zA-Z_-]{80,}\b/ },
+  { name: 'Slack Bot Token',        regex: /\bxoxb-[0-9]{10,13}-[0-9]{10,13}-[0-9a-zA-Z]{24}\b/ },
+  { name: 'Slack User Token',       regex: /\bxoxp-[0-9]{10,13}-[0-9]{10,13}-[0-9a-zA-Z]{24}\b/ },
+  { name: 'SendGrid API Key',       regex: /\bSG\.[0-9a-zA-Z_-]{22}\.[0-9a-zA-Z_-]{43}\b/ },
+  { name: 'Twilio API Key',         regex: /\bSK[0-9a-fA-F]{32}\b/ },
+  // Only flag actual PEM blocks — not code/tests referencing the header string
+  { name: 'Private Key Block',      regex: /^-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
+  { name: 'Hardcoded secret',       regex: /(?:secret|password|passwd|api_?key|auth_?token)\s*[:=]\s*["']([^"'$`{]{8,})["']/i },
+];
+
+const SKIP_DIRS = new Set([
+  // JS/TS
+  'node_modules', 'dist', 'build', 'out', '.next', '.nuxt', '.turbo',
+  'coverage', '.nyc_output',
+  // Python
+  '.venv', 'venv', 'env', '__pycache__', '.eggs', '*.egg-info',
+  'site-packages', '.pytest_cache', '.mypy_cache', '.ruff_cache',
+  // Ruby / Go / Rust
+  'vendor', 'target',
+  // VCS / tooling
+  '.git', '.envgit',
+]);
+
+const SKIP_EXTENSIONS = new Set([
+  // Binaries & media
+  '.png', '.jpg', '.jpeg', '.gif', '.ico', '.svg', '.webp',
+  '.woff', '.woff2', '.ttf', '.eot', '.otf',
+  '.mp4', '.mp3', '.wav', '.pdf',
+  '.zip', '.tar', '.gz', '.tgz', '.rar', '.7z',
+  // Compiled / generated
+  '.pyc', '.pyo', '.class', '.so', '.dylib', '.dll', '.exe',
+  '.map', '.lock', '.snap',
+]);
+
+const SKIP_FILES = new Set([
+  'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'poetry.lock',
+  '.env.example', '.env.sample', '.env.template',
+]);
+
+function isPlaceholder(v) {
+  v = v.trim();
+  if (v.length < 8) return true;
+
+  // Template syntax: <YOUR_KEY>, ${VAR}, env(VAR)
+  if (/^<.+>$/.test(v))          return true;
+  if (/^\$\{?.+\}?$/.test(v))    return true;
+  if (/^env\(.+\)$/.test(v))     return true;
+
+  // ALL_CAPS — it's an env var name being used as a placeholder value
+  if (/^[A-Z][A-Z0-9_]{3,}$/.test(v)) return true;
+
+  // snake_case_with_multiple_parts — looks like a variable name, not a secret
+  // e.g. google_api_key, test_api_key, gemini_api_key, client_secret
+  if (/^[a-z][a-z0-9]*(_[a-z0-9]+){2,}$/.test(v)) return true;
+
+  // Stripe / other test-mode key prefixes
+  if (/^sk_test_|^pk_test_|^rk_test_/.test(v)) return true;
+
+  // Contains ellipsis, stars, hashes — clearly masked/truncated
+  if (/\.{2,}|\*{3,}|#{3,}/.test(v)) return true;
+
+  // Repeating character (aaaaaaa, 111111)
+  if (/^(.)\1{4,}$/.test(v)) return true;
+
+  // Common placeholder keywords anywhere in the value
+  if (/\b(your|my|sample|example|demo|fake|dummy|mock|placeholder|changeme|replace|insert|fill_?in|put_?here|goes_?here|api_?key_?here)\b/i.test(v)) return true;
+
+  // Starts with "test" or "TEST" followed by separator (test-key, TEST_TOKEN)
+  if (/^test[-_]/i.test(v)) return true;
+
+  // The value IS the field name (secret = "secret", api_key = "api_key", token = "token")
+  if (/^(api[_-]?key|auth[_-]?token|access[_-]?token|client[_-]?secret|bearer[_-]?token|x[_-]?api[_-]?key|private[_-]?key|secret[_-]?key)$/i.test(v)) return true;
+
+  // Common weak/example passwords
+  if (/^(password|passwd|p@ssw0rd|qwerty|admin|login|welcome|letmein|abc123|secret|monkey|dragon|master)/i.test(v)) return true;
+
+  // For Private Key Block pattern — only flag if it's an actual key block,
+  // not a string constant, comment, or code referencing the PEM header format
+  // (handled per-pattern in the caller)
+
+  return false;
+}
+
+// ── Shannon entropy ───────────────────────────────────────────────────────────
+
+function entropy(str) {
+  const freq = {};
+  for (const c of str) freq[c] = (freq[c] ?? 0) + 1;
+  return Object.values(freq).reduce((h, n) => {
+    const p = n / str.length;
+    return h - p * Math.log2(p);
+  }, 0);
+}
+
+const HIGH_ENTROPY_PATTERN = /(?:key|token|secret|password|credential|auth|api)\s*[:=]\s*["']([A-Za-z0-9+/=_\-]{20,})["']/gi;
+const ENTROPY_THRESHOLD = 4.0;
+
+// ── File walker ───────────────────────────────────────────────────────────────
+
+function* walk(dir) {
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    if (SKIP_DIRS.has(entry.name)) continue;
+    const full = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      yield* walk(full);
+    } else if (entry.isFile()) {
+      if (SKIP_EXTENSIONS.has(extname(entry.name).toLowerCase())) continue;
+      if (SKIP_FILES.has(entry.name)) continue;
+      yield full;
+    }
+  }
+}
+
+// ── Main ──────────────────────────────────────────────────────────────────────
+
+export async function scan() {
+  const projectRoot = findProjectRoot() ?? process.cwd();
+  const findings = [];
+
+  for (const filePath of walk(projectRoot)) {
+    let content;
+    try { content = readFileSync(filePath, 'utf8'); }
+    catch { continue; }
+
+    const relPath = relative(projectRoot, filePath);
+    const lines   = content.split('\n');
+
+    for (let i = 0; i < lines.length; i++) {
+      const line    = lines[i];
+      const lineNum = i + 1;
+
+      // Known pattern matching
+      for (const { name, regex } of PATTERNS) {
+        const m = line.match(regex);
+        if (m) {
+          const captured = m[1] ?? m[0];
+          if (isPlaceholder(captured)) continue;
+          findings.push({ file: relPath, line: lineNum, type: name, snippet: line.trim(), how: 'pattern' });
+          break;
+        }
+      }
+
+      // Entropy analysis — catches secrets no pattern knows about
+      const alreadyCaught = () => findings.some(f => f.file === relPath && f.line === lineNum);
+      let match;
+      HIGH_ENTROPY_PATTERN.lastIndex = 0;
+      while ((match = HIGH_ENTROPY_PATTERN.exec(line)) !== null) {
+        const value = match[1];
+        if (!isPlaceholder(value) && entropy(value) >= ENTROPY_THRESHOLD && !alreadyCaught()) {
+          findings.push({ file: relPath, line: lineNum, type: 'High-entropy secret', snippet: line.trim(), how: 'entropy' });
+        }
+      }
+    }
+  }
+
+  // ── Output ────────────────────────────────────────────────────────────────
+  console.log('');
+
+  if (findings.length === 0) {
+    ok('No hardcoded secrets detected.');
+    console.log(dim(`  Scanned: ${projectRoot}`));
+    console.log('');
+    return;
+  }
+
+  console.log(chalk.red(bold(`  ${findings.length} potential secret${findings.length !== 1 ? 's' : ''} found\n`)));
+
+  const byFile = {};
+  for (const f of findings) (byFile[f.file] ??= []).push(f);
+
+  for (const [file, hits] of Object.entries(byFile)) {
+    console.log(chalk.cyan(`  ${file}`));
+    for (const hit of hits) {
+      const tag     = hit.how === 'entropy' ? chalk.yellow('[entropy]') : chalk.red(`[${hit.type}]`);
+      const snippet = hit.snippet.length > 80 ? hit.snippet.slice(0, 77) + '...' : hit.snippet;
+      console.log(`    ${dim(`line ${String(hit.line).padEnd(4)}`)} ${tag}`);
+      console.log(`    ${dim(snippet)}`);
+    }
+    console.log('');
+  }
+
+  console.log(chalk.yellow(bold('  What to do:')));
+  console.log(dim('  1. Move these values into envgit:  envgit set KEY=value'));
+  console.log(dim('  2. Replace hardcoded values with:  process.env.KEY'));
+  console.log(dim('  3. Rotate any secrets already in git history'));
+  console.log('');
+
+  process.exit(1);
+}

package/src/commands/set.js

@@ -5,7 +5,8 @@ import { resolveEnv } from '../config.js';
 import { readEncEnv, writeEncEnv } from '../enc.js';
 import { readEnvFile } from '../envfile.js';
 import { getCurrentEnv } from '../state.js';
-import { ok, fatal, label } from '../ui.js';
+import { ok, fatal, label, envLabel } from '../ui.js';
+import { pickKey, promptValue } from '../interactive.js';
 
 export async function set(assignments, options) {
   const projectRoot = requireProjectRoot();
@@ -16,28 +17,28 @@ export async function set(assignments, options) {
 
   if (options.file) {
     const filePath = join(projectRoot, options.file);
-    if (!existsSync(filePath)) {
-      fatal(`File not found: ${options.file}`);
-    }
+    if (!existsSync(filePath)) fatal(`File not found: ${options.file}`);
     const fileVars = readEnvFile(filePath);
     const entries = Object.entries(fileVars);
-    if (entries.length === 0) {
-      fatal(`No variables found in ${options.file}`);
-    }
+    if (entries.length === 0) fatal(`No variables found in ${options.file}`);
     for (const [k, v] of entries) {
       vars[k] = v;
-      ok(`Set ${k} in ${label(envName)}`);
+      ok(`Set ${k} in ${envLabel(envName)}`);
     }
+  } else if (assignments.length === 0) {
+    // ── Interactive mode ───────────────────────────────────────────────────
+    const keyName = await pickKey(vars, `Key to set in [${envName}]`, { allowNew: true });
+    const value   = await promptValue(keyName, vars[keyName]);
+    vars[keyName] = value;
+    ok(`Set ${keyName} in ${envLabel(envName)}`);
   } else {
     for (const assignment of assignments) {
       const eqIdx = assignment.indexOf('=');
-      if (eqIdx === -1) {
-        fatal(`Invalid assignment '${assignment}'. Expected KEY=VALUE format.`);
-      }
+      if (eqIdx === -1) fatal(`Invalid assignment '${assignment}'. Expected KEY=VALUE format.`);
       const k = assignment.slice(0, eqIdx).trim();
       const v = assignment.slice(eqIdx + 1);
       vars[k] = v;
-      ok(`Set ${k} in ${label(envName)}`);
+      ok(`Set ${k} in ${envLabel(envName)}`);
     }
   }
 

package/src/commands/status.js

@@ -4,35 +4,47 @@ import { requireProjectRoot, globalKeyPath } from '../keystore.js';
 import { loadConfig } from '../config.js';
 import { getCurrentEnv } from '../state.js';
 import chalk from 'chalk';
-import { bold, label, dim } from '../ui.js';
+import { bold, dim, envLabel } from '../ui.js';
 
 export async function status() {
   const projectRoot = requireProjectRoot();
-  const config = loadConfig(projectRoot);
-  const current = getCurrentEnv(projectRoot);
+  const config      = loadConfig(projectRoot);
+  const current     = getCurrentEnv(projectRoot);
 
+  // Key source
   let keySource;
   if (process.env.ENVGIT_KEY) {
     keySource = chalk.green('ENVGIT_KEY') + dim(' (env var)');
   } else if (config.key_id) {
     const keyPath = globalKeyPath(config.key_id);
     keySource = existsSync(keyPath)
-      ? chalk.green('~/.config/envgit/keys/') + dim(config.key_id.slice(0, 8) + '…')
-      : chalk.red('not found on this machine') + dim(' — run: envgit keygen --set <key>');
+      ? chalk.green('✓ key found') + dim(` ~/.config/envgit/keys/${config.key_id.slice(0, 8)}…`)
+      : chalk.red('✗ key missing') + dim(' — run: envgit join <token> --code <passphrase>');
   } else {
-    // Legacy
     const legacyPath = join(projectRoot, '.envgit.key');
-    keySource = existsSync(legacyPath) ? dim('.envgit.key (legacy)') : chalk.red('(not found)');
+    keySource = existsSync(legacyPath) ? dim('.envgit.key (legacy)') : chalk.red('✗ not found');
   }
 
   const dotenvExists = existsSync(join(projectRoot, '.env'));
 
+  // Active env banner — front and center
+  const activeDisplay = current
+    ? envLabel(current)
+    : chalk.dim('none');
+
+  console.log('');
+  console.log(`  ${bold('Active env')}   ${activeDisplay}${!current ? chalk.dim('  — run: envgit use <env>') : ''}`);
   console.log('');
-  console.log(`${bold('Project:')}  ${dim(projectRoot)}`);
-  console.log(`${bold('Envs:')}     ${config.envs.map((e) => (e === current ? chalk.cyan(e) : e)).join(', ')}`);
-  console.log(`${bold('Default:')}  ${config.default_env}`);
-  console.log(`${bold('Active:')}   ${current ? label(current) : dim('(none — run envgit unpack <env>)')}`);
-  console.log(`${bold('Key:')}      ${keySource}`);
-  console.log(`${bold('.env:')}     ${dotenvExists ? chalk.green('present') : chalk.yellow('missing')}`);
+
+  // All envs in a row, active one highlighted
+  const envRow = config.envs.map(e =>
+    e === current
+      ? envLabel(e)
+      : chalk.dim(e)
+  ).join('  ');
+  console.log(`  ${bold('Environments')} ${envRow}`);
+  console.log(`  ${bold('Key')}          ${keySource}`);
+  console.log(`  ${bold('.env')}         ${dotenvExists ? chalk.green('present') : chalk.dim('missing')}${!dotenvExists && current ? chalk.dim('  — run: envgit unpack') : ''}`);
+  console.log(`  ${bold('Project')}      ${dim(projectRoot)}`);
   console.log('');
 }

package/src/commands/unpack.js

@@ -1,27 +1,33 @@
 import { join } from 'path';
 import { existsSync } from 'fs';
 import { requireProjectRoot, loadKey } from '../keystore.js';
-import { getEncPath } from '../config.js';
+import { loadConfig, getEncPath } from '../config.js';
 import { readEncEnv } from '../enc.js';
 import { writeEnvFile } from '../envfile.js';
-import { setCurrentEnv } from '../state.js';
-import { ok, fatal, label, dim } from '../ui.js';
+import { getCurrentEnv, setCurrentEnv } from '../state.js';
+import { ok, fatal, dim, envLabel } from '../ui.js';
+import { pickEnv } from '../interactive.js';
 
-export async function unpack(envName) {
+export async function unpack(envArg) {
   const projectRoot = requireProjectRoot();
-  const key = loadKey(projectRoot);
+  const key         = loadKey(projectRoot);
+  const config      = loadConfig(projectRoot);
+  const current     = getCurrentEnv(projectRoot);
 
-  const encPath = getEncPath(projectRoot, envName);
+  // Priority: explicit arg → active env → interactive pick
+  const name = envArg
+    ?? current
+    ?? await pickEnv(config.envs, 'Which environment to unpack?');
+
+  const encPath = getEncPath(projectRoot, name);
   if (!existsSync(encPath)) {
-    fatal(`Environment '${envName}' does not exist. Use 'envgit add-env ${envName}' to create it.`);
+    fatal(`Environment '${name}' does not exist. Create it with: envgit add-env ${name}`);
   }
 
-  const vars = readEncEnv(projectRoot, envName, key);
-  const dotenvPath = join(projectRoot, '.env');
-  writeEnvFile(dotenvPath, vars, { envName, projectRoot });
-  setCurrentEnv(projectRoot, envName);
+  const vars = readEncEnv(projectRoot, name, key);
+  writeEnvFile(join(projectRoot, '.env'), vars, { envName: name, projectRoot });
+  setCurrentEnv(projectRoot, name);
 
   const count = Object.keys(vars).length;
-  console.log(dim(projectRoot));
-  ok(`Unpacked ${label(envName)} → .env ${dim(`(${count} variable${count !== 1 ? 's' : ''})`)}`);
+  ok(`Unpacked ${envLabel(name)} → .env ${dim(`(${count} var${count !== 1 ? 's' : ''})`)}`);
 }

package/src/commands/use.js

@@ -0,0 +1,29 @@
+import { requireProjectRoot } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { setCurrentEnv, getCurrentEnv } from '../state.js';
+import { ok, fatal, envLabel, dim } from '../ui.js';
+import { pickEnv } from '../interactive.js';
+
+export async function use(envName) {
+  const projectRoot = requireProjectRoot();
+  const config      = loadConfig(projectRoot);
+  const current     = getCurrentEnv(projectRoot);
+
+  const name = envName ?? await pickEnv(config.envs, 'Switch to environment');
+
+  if (!config.envs.includes(name)) {
+    fatal(`Environment '${name}' does not exist. Create it with: envgit add-env ${name}`);
+  }
+
+  if (name === current) {
+    ok(`Already on ${envLabel(name)}`);
+    return;
+  }
+
+  setCurrentEnv(projectRoot, name);
+
+  console.log('');
+  ok(`Switched to ${envLabel(name)}`);
+  console.log(dim(`  Run envgit unpack to write .env for this environment.`));
+  console.log('');
+}