@akshxy/envgit 0.5.2 → 0.6.1

package/src/commands/fix.js

@@ -0,0 +1,130 @@
+import { execFileSync } from 'child_process';
+import { existsSync, readFileSync, writeFileSync, chmodSync, statSync, mkdirSync } from 'fs';
+import { join, basename } from 'path';
+import chalk from 'chalk';
+import { findProjectRoot, globalKeyPath } from '../keystore.js';
+import { loadConfig, saveConfig } from '../config.js';
+import { bold, dim, ok, warn } from '../ui.js';
+
+function fixed(msg) { console.log(chalk.green(`  ✦ fixed   ${msg}`)); }
+function check(msg) { console.log(chalk.dim( `  ✓ ok      ${msg}`)); }
+function skipped(msg) { console.log(chalk.dim(`  – skip    ${msg}`)); }
+
+export async function fix() {
+  const projectRoot = findProjectRoot();
+  if (!projectRoot) {
+    console.log('');
+    console.log(chalk.red('  No envgit project found. Run envgit init first.'));
+    console.log('');
+    process.exit(1);
+  }
+
+  let fixes = 0;
+  console.log('');
+  console.log(bold('Running envgit fix...'));
+  console.log('');
+
+  // ── 1. Ensure .envgit dir and state file exist ────────────────────────────
+  const envgitDir  = join(projectRoot, '.envgit');
+  const currentFile = join(envgitDir, '.current');
+  mkdirSync(envgitDir, { recursive: true });
+  if (!existsSync(currentFile)) {
+    writeFileSync(currentFile, '', 'utf8');
+    fixed('.envgit/.current state file created');
+    fixes++;
+  } else {
+    check('.envgit/.current exists');
+  }
+
+  // ── 2. Config migration — add missing fields introduced in newer versions ──
+  let config;
+  try {
+    config = loadConfig(projectRoot);
+    let configChanged = false;
+
+    // v0.2+: default_env field
+    if (!config.default_env) {
+      config.default_env = config.envs?.[0] ?? 'dev';
+      configChanged = true;
+    }
+
+    // v0.3+: project name field
+    if (!config.project) {
+      config.project = basename(projectRoot);
+      configChanged = true;
+    }
+
+    if (configChanged) {
+      saveConfig(projectRoot, config);
+      fixed('config.yml migrated to latest schema');
+      fixes++;
+    } else {
+      check('config.yml schema is current');
+    }
+  } catch {
+    warn('Could not load config — skipping migration (run envgit init first)');
+  }
+
+  // ── 3. Key file permissions ───────────────────────────────────────────────
+  if (config?.key_id) {
+    const keyPath = globalKeyPath(config.key_id);
+    if (existsSync(keyPath)) {
+      const mode = statSync(keyPath).mode & 0o777;
+      if (mode & 0o077) {
+        chmodSync(keyPath, 0o600);
+        fixed(`key file permissions set to 600`);
+        fixes++;
+      } else {
+        check('key file permissions are 600');
+      }
+    } else {
+      skipped('key file not on this machine (normal for fresh clones)');
+    }
+  }
+
+  // ── 4. .gitignore — ensure .env and .envgit.key are ignored ──────────────
+  const gitignorePath = join(projectRoot, '.gitignore');
+  let gitignore = existsSync(gitignorePath) ? readFileSync(gitignorePath, 'utf8') : '';
+  const lines   = gitignore.split('\n').map(l => l.trim());
+  const missing = [];
+
+  if (!lines.some(l => l === '.env' || l === '.env.*')) missing.push('.env');
+  if (!lines.some(l => l === '.envgit.key'))            missing.push('.envgit.key');
+
+  if (missing.length > 0) {
+    gitignore = gitignore.trimEnd() + '\n\n# envgit\n' + missing.join('\n') + '\n';
+    writeFileSync(gitignorePath, gitignore, 'utf8');
+    fixed(`.gitignore — added: ${missing.join(', ')}`);
+    fixes++;
+  } else {
+    check('.gitignore has .env and .envgit.key');
+  }
+
+  // ── 5. Remove .env from git tracking if accidentally staged ──────────────
+  try {
+    const tracked = execFileSync('git', ['ls-files', '.env'], {
+      cwd: projectRoot, stdio: ['pipe', 'pipe', 'pipe'],
+    }).toString().trim();
+
+    if (tracked) {
+      execFileSync('git', ['rm', '--cached', '.env'], {
+        cwd: projectRoot, stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      fixed('.env removed from git tracking (file kept on disk)');
+      fixes++;
+    } else {
+      check('.env is not tracked by git');
+    }
+  } catch {
+    skipped('not a git repo — skipping git tracking check');
+  }
+
+  // ── Summary ───────────────────────────────────────────────────────────────
+  console.log('');
+  if (fixes === 0) {
+    console.log(chalk.green(bold('  Everything looks good. Nothing to fix.')));
+  } else {
+    console.log(chalk.green(bold(`  Applied ${fixes} fix${fixes !== 1 ? 'es' : ''}. Run envgit doctor to verify.`)));
+  }
+  console.log('');
+}

package/src/commands/get.js

@@ -2,7 +2,8 @@ import { requireProjectRoot, loadKey } from '../keystore.js';
 import { resolveEnv } from '../config.js';
 import { readEncEnv } from '../enc.js';
 import { getCurrentEnv } from '../state.js';
-import { fatal, label } from '../ui.js';
+import { fatal, label, envLabel } from '../ui.js';
+import { pickKey } from '../interactive.js';
 
 export async function get(key, options) {
   const projectRoot = requireProjectRoot();
@@ -11,9 +12,9 @@ export async function get(key, options) {
 
   const vars = readEncEnv(projectRoot, envName, encKey);
 
-  if (!(key in vars)) {
-    fatal(`Key '${key}' not found in ${label(envName)}`);
-  }
+  const keyName = key ?? await pickKey(vars, `Key to get from [${envName}]`);
 
-  console.log(vars[key]);
+  if (!(keyName in vars)) fatal(`Key '${keyName}' not found in ${envLabel(envName)}`);
+
+  console.log(vars[keyName]);
 }

package/src/commands/init.js

@@ -44,8 +44,8 @@ export async function init(options) {
   console.log(dim('Commit .envgit/ to share encrypted environments with your team.'));
   console.log(dim('Your key never touches the repo — it lives only on your machine.'));
   console.log('');
-  console.log(`Share your key with teammates:  ${bold('envgit keygen --show')}`);
-  console.log(`Teammates save it with:         ${bold('envgit keygen --set <key>')}`);
+  console.log(`Share your key with teammates:  ${bold('envgit share')}`);
+  console.log(`Teammates receive it with:      ${bold('envgit join <token> --code <passphrase>')}`);
   console.log('');
 }
 

package/src/commands/join.js

@@ -45,6 +45,6 @@ export async function join(token, options) {
   console.log(dim(`  Stored at: ${keyPath}`));
   console.log('');
   console.log(dim('Run `envgit verify` to confirm it works.'));
-  console.log(dim('Run `envgit unpack dev` to write your .env file.'));
+  console.log(dim('Run `envgit unpack` to write your .env file.'));
   console.log('');
 }

package/src/commands/rename-key.js

@@ -2,7 +2,8 @@ import { requireProjectRoot, loadKey } from '../keystore.js';
 import { resolveEnv } from '../config.js';
 import { readEncEnv, writeEncEnv } from '../enc.js';
 import { getCurrentEnv } from '../state.js';
-import { ok, fatal, label } from '../ui.js';
+import { ok, fatal, label, envLabel } from '../ui.js';
+import { pickKey, promptInput } from '../interactive.js';
 
 export async function renameKey(oldName, newName, options) {
   const projectRoot = requireProjectRoot();
@@ -11,19 +12,17 @@ export async function renameKey(oldName, newName, options) {
 
   const vars = readEncEnv(projectRoot, envName, key);
 
-  if (!(oldName in vars)) {
-    fatal(`Key '${oldName}' not found in ${label(envName)}`);
-  }
+  const from = oldName ?? await pickKey(vars, `Key to rename in [${envName}]`);
+  const to   = newName ?? await promptInput(`New name for ${from}`);
 
-  if (newName in vars) {
-    fatal(`Key '${newName}' already exists in ${label(envName)}`);
-  }
+  if (!(from in vars)) fatal(`Key '${from}' not found in ${envLabel(envName)}`);
+  if (to in vars)      fatal(`Key '${to}' already exists in ${envLabel(envName)}`);
 
   const ordered = {};
   for (const [k, v] of Object.entries(vars)) {
-    ordered[k === oldName ? newName : k] = v;
+    ordered[k === from ? to : k] = v;
   }
 
   writeEncEnv(projectRoot, envName, key, ordered);
-  ok(`Renamed ${oldName} → ${newName} in ${label(envName)}`);
+  ok(`Renamed ${from} → ${to} in ${envLabel(envName)}`);
 }

package/src/commands/rotate-key.js

@@ -30,10 +30,7 @@ export async function rotateKey() {
   console.log(dim(`Old hint: ${oldHint}`));
   console.log(dim(`New hint: ${newHint}`));
   console.log('');
-  console.log(bold('New key:'));
-  console.log(`  ${newKey}`);
-  console.log('');
-  warn('Share the new key with your team! Old key is now invalid.');
-  console.log(dim('They can save it with: envgit keygen --set <key>'));
+  warn('Old key is now invalid — teammates need the new one.');
+  console.log(dim('Run envgit share, then send teammates the join command.'));
   console.log('');
 }

package/src/commands/scan.js

@@ -21,28 +21,84 @@ const PATTERNS = [
   { name: 'Slack User Token',       regex: /\bxoxp-[0-9]{10,13}-[0-9]{10,13}-[0-9a-zA-Z]{24}\b/ },
   { name: 'SendGrid API Key',       regex: /\bSG\.[0-9a-zA-Z_-]{22}\.[0-9a-zA-Z_-]{43}\b/ },
   { name: 'Twilio API Key',         regex: /\bSK[0-9a-fA-F]{32}\b/ },
-  { name: 'Private Key Block',      regex: /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
+  // Only flag actual PEM blocks — not code/tests referencing the header string
+  { name: 'Private Key Block',      regex: /^-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
   { name: 'Hardcoded secret',       regex: /(?:secret|password|passwd|api_?key|auth_?token)\s*[:=]\s*["']([^"'$`{]{8,})["']/i },
 ];
 
 const SKIP_DIRS = new Set([
-  'node_modules', '.git', '.envgit', 'dist', 'build', 'out',
-  '.next', '.nuxt', 'coverage', '.nyc_output', 'vendor', '.turbo',
+  // JS/TS
+  'node_modules', 'dist', 'build', 'out', '.next', '.nuxt', '.turbo',
+  'coverage', '.nyc_output',
+  // Python
+  '.venv', 'venv', 'env', '__pycache__', '.eggs', '*.egg-info',
+  'site-packages', '.pytest_cache', '.mypy_cache', '.ruff_cache',
+  // Ruby / Go / Rust
+  'vendor', 'target',
+  // VCS / tooling
+  '.git', '.envgit',
 ]);
 
 const SKIP_EXTENSIONS = new Set([
+  // Binaries & media
   '.png', '.jpg', '.jpeg', '.gif', '.ico', '.svg', '.webp',
   '.woff', '.woff2', '.ttf', '.eot', '.otf',
   '.mp4', '.mp3', '.wav', '.pdf',
-  '.zip', '.tar', '.gz', '.tgz',
+  '.zip', '.tar', '.gz', '.tgz', '.rar', '.7z',
+  // Compiled / generated
+  '.pyc', '.pyo', '.class', '.so', '.dylib', '.dll', '.exe',
   '.map', '.lock', '.snap',
 ]);
 
 const SKIP_FILES = new Set([
-  'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+  'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml', 'poetry.lock',
   '.env.example', '.env.sample', '.env.template',
 ]);
 
+function isPlaceholder(v) {
+  v = v.trim();
+  if (v.length < 8) return true;
+
+  // Template syntax: <YOUR_KEY>, ${VAR}, env(VAR)
+  if (/^<.+>$/.test(v))          return true;
+  if (/^\$\{?.+\}?$/.test(v))    return true;
+  if (/^env\(.+\)$/.test(v))     return true;
+
+  // ALL_CAPS — it's an env var name being used as a placeholder value
+  if (/^[A-Z][A-Z0-9_]{3,}$/.test(v)) return true;
+
+  // snake_case_with_multiple_parts — looks like a variable name, not a secret
+  // e.g. google_api_key, test_api_key, gemini_api_key, client_secret
+  if (/^[a-z][a-z0-9]*(_[a-z0-9]+){2,}$/.test(v)) return true;
+
+  // Stripe / other test-mode key prefixes
+  if (/^sk_test_|^pk_test_|^rk_test_/.test(v)) return true;
+
+  // Contains ellipsis, stars, hashes — clearly masked/truncated
+  if (/\.{2,}|\*{3,}|#{3,}/.test(v)) return true;
+
+  // Repeating character (aaaaaaa, 111111)
+  if (/^(.)\1{4,}$/.test(v)) return true;
+
+  // Common placeholder keywords anywhere in the value
+  if (/\b(your|my|sample|example|demo|fake|dummy|mock|placeholder|changeme|replace|insert|fill_?in|put_?here|goes_?here|api_?key_?here)\b/i.test(v)) return true;
+
+  // Starts with "test" or "TEST" followed by separator (test-key, TEST_TOKEN)
+  if (/^test[-_]/i.test(v)) return true;
+
+  // The value IS the field name (secret = "secret", api_key = "api_key", token = "token")
+  if (/^(api[_-]?key|auth[_-]?token|access[_-]?token|client[_-]?secret|bearer[_-]?token|x[_-]?api[_-]?key|private[_-]?key|secret[_-]?key)$/i.test(v)) return true;
+
+  // Common weak/example passwords
+  if (/^(password|passwd|p@ssw0rd|qwerty|admin|login|welcome|letmein|abc123|secret|monkey|dragon|master)/i.test(v)) return true;
+
+  // For Private Key Block pattern — only flag if it's an actual key block,
+  // not a string constant, comment, or code referencing the PEM header format
+  // (handled per-pattern in the caller)
+
+  return false;
+}
+
 // ── Shannon entropy ───────────────────────────────────────────────────────────
 
 function entropy(str) {
@@ -93,7 +149,10 @@ export async function scan() {
 
       // Known pattern matching
       for (const { name, regex } of PATTERNS) {
-        if (regex.test(line)) {
+        const m = line.match(regex);
+        if (m) {
+          const captured = m[1] ?? m[0];
+          if (isPlaceholder(captured)) continue;
           findings.push({ file: relPath, line: lineNum, type: name, snippet: line.trim(), how: 'pattern' });
           break;
         }
@@ -104,7 +163,8 @@ export async function scan() {
       let match;
       HIGH_ENTROPY_PATTERN.lastIndex = 0;
       while ((match = HIGH_ENTROPY_PATTERN.exec(line)) !== null) {
-        if (entropy(match[1]) >= ENTROPY_THRESHOLD && !alreadyCaught()) {
+        const value = match[1];
+        if (!isPlaceholder(value) && entropy(value) >= ENTROPY_THRESHOLD && !alreadyCaught()) {
           findings.push({ file: relPath, line: lineNum, type: 'High-entropy secret', snippet: line.trim(), how: 'entropy' });
         }
       }

package/src/commands/set.js

@@ -5,7 +5,8 @@ import { resolveEnv } from '../config.js';
 import { readEncEnv, writeEncEnv } from '../enc.js';
 import { readEnvFile } from '../envfile.js';
 import { getCurrentEnv } from '../state.js';
-import { ok, fatal, label } from '../ui.js';
+import { ok, fatal, label, envLabel } from '../ui.js';
+import { pickKey, promptValue } from '../interactive.js';
 
 export async function set(assignments, options) {
   const projectRoot = requireProjectRoot();
@@ -16,28 +17,28 @@ export async function set(assignments, options) {
 
   if (options.file) {
     const filePath = join(projectRoot, options.file);
-    if (!existsSync(filePath)) {
-      fatal(`File not found: ${options.file}`);
-    }
+    if (!existsSync(filePath)) fatal(`File not found: ${options.file}`);
     const fileVars = readEnvFile(filePath);
     const entries = Object.entries(fileVars);
-    if (entries.length === 0) {
-      fatal(`No variables found in ${options.file}`);
-    }
+    if (entries.length === 0) fatal(`No variables found in ${options.file}`);
     for (const [k, v] of entries) {
       vars[k] = v;
-      ok(`Set ${k} in ${label(envName)}`);
+      ok(`Set ${k} in ${envLabel(envName)}`);
     }
+  } else if (assignments.length === 0) {
+    // ── Interactive mode ───────────────────────────────────────────────────
+    const keyName = await pickKey(vars, `Key to set in [${envName}]`, { allowNew: true });
+    const value   = await promptValue(keyName, vars[keyName]);
+    vars[keyName] = value;
+    ok(`Set ${keyName} in ${envLabel(envName)}`);
   } else {
     for (const assignment of assignments) {
       const eqIdx = assignment.indexOf('=');
-      if (eqIdx === -1) {
-        fatal(`Invalid assignment '${assignment}'. Expected KEY=VALUE format.`);
-      }
+      if (eqIdx === -1) fatal(`Invalid assignment '${assignment}'. Expected KEY=VALUE format.`);
       const k = assignment.slice(0, eqIdx).trim();
       const v = assignment.slice(eqIdx + 1);
       vars[k] = v;
-      ok(`Set ${k} in ${label(envName)}`);
+      ok(`Set ${k} in ${envLabel(envName)}`);
     }
   }
 

package/src/commands/status.js

@@ -4,35 +4,47 @@ import { requireProjectRoot, globalKeyPath } from '../keystore.js';
 import { loadConfig } from '../config.js';
 import { getCurrentEnv } from '../state.js';
 import chalk from 'chalk';
-import { bold, label, dim } from '../ui.js';
+import { bold, dim, envLabel } from '../ui.js';
 
 export async function status() {
   const projectRoot = requireProjectRoot();
-  const config = loadConfig(projectRoot);
-  const current = getCurrentEnv(projectRoot);
+  const config      = loadConfig(projectRoot);
+  const current     = getCurrentEnv(projectRoot);
 
+  // Key source
   let keySource;
   if (process.env.ENVGIT_KEY) {
     keySource = chalk.green('ENVGIT_KEY') + dim(' (env var)');
   } else if (config.key_id) {
     const keyPath = globalKeyPath(config.key_id);
     keySource = existsSync(keyPath)
-      ? chalk.green('~/.config/envgit/keys/') + dim(config.key_id.slice(0, 8) + '…')
-      : chalk.red('not found on this machine') + dim(' — run: envgit keygen --set <key>');
+      ? chalk.green('✓ key found') + dim(` ~/.config/envgit/keys/${config.key_id.slice(0, 8)}…`)
+      : chalk.red('✗ key missing') + dim(' — run: envgit join <token> --code <passphrase>');
   } else {
-    // Legacy
     const legacyPath = join(projectRoot, '.envgit.key');
-    keySource = existsSync(legacyPath) ? dim('.envgit.key (legacy)') : chalk.red('(not found)');
+    keySource = existsSync(legacyPath) ? dim('.envgit.key (legacy)') : chalk.red('✗ not found');
   }
 
   const dotenvExists = existsSync(join(projectRoot, '.env'));
 
+  // Active env banner — front and center
+  const activeDisplay = current
+    ? envLabel(current)
+    : chalk.dim('none');
+
+  console.log('');
+  console.log(`  ${bold('Active env')}   ${activeDisplay}${!current ? chalk.dim('  — run: envgit use <env>') : ''}`);
   console.log('');
-  console.log(`${bold('Project:')}  ${dim(projectRoot)}`);
-  console.log(`${bold('Envs:')}     ${config.envs.map((e) => (e === current ? chalk.cyan(e) : e)).join(', ')}`);
-  console.log(`${bold('Default:')}  ${config.default_env}`);
-  console.log(`${bold('Active:')}   ${current ? label(current) : dim('(none — run envgit unpack <env>)')}`);
-  console.log(`${bold('Key:')}      ${keySource}`);
-  console.log(`${bold('.env:')}     ${dotenvExists ? chalk.green('present') : chalk.yellow('missing')}`);
+
+  // All envs in a row, active one highlighted
+  const envRow = config.envs.map(e =>
+    e === current
+      ? envLabel(e)
+      : chalk.dim(e)
+  ).join('  ');
+  console.log(`  ${bold('Environments')} ${envRow}`);
+  console.log(`  ${bold('Key')}          ${keySource}`);
+  console.log(`  ${bold('.env')}         ${dotenvExists ? chalk.green('present') : chalk.dim('missing')}${!dotenvExists && current ? chalk.dim('  — run: envgit unpack') : ''}`);
+  console.log(`  ${bold('Project')}      ${dim(projectRoot)}`);
   console.log('');
 }

package/src/commands/unpack.js

@@ -1,27 +1,33 @@
 import { join } from 'path';
 import { existsSync } from 'fs';
 import { requireProjectRoot, loadKey } from '../keystore.js';
-import { getEncPath } from '../config.js';
+import { loadConfig, getEncPath } from '../config.js';
 import { readEncEnv } from '../enc.js';
 import { writeEnvFile } from '../envfile.js';
-import { setCurrentEnv } from '../state.js';
-import { ok, fatal, label, dim } from '../ui.js';
+import { getCurrentEnv, setCurrentEnv } from '../state.js';
+import { ok, fatal, dim, envLabel } from '../ui.js';
+import { pickEnv } from '../interactive.js';
 
-export async function unpack(envName) {
+export async function unpack(envArg) {
   const projectRoot = requireProjectRoot();
-  const key = loadKey(projectRoot);
+  const key         = loadKey(projectRoot);
+  const config      = loadConfig(projectRoot);
+  const current     = getCurrentEnv(projectRoot);
 
-  const encPath = getEncPath(projectRoot, envName);
+  // Priority: explicit arg → active env → interactive pick
+  const name = envArg
+    ?? current
+    ?? await pickEnv(config.envs, 'Which environment to unpack?');
+
+  const encPath = getEncPath(projectRoot, name);
   if (!existsSync(encPath)) {
-    fatal(`Environment '${envName}' does not exist. Use 'envgit add-env ${envName}' to create it.`);
+    fatal(`Environment '${name}' does not exist. Create it with: envgit add-env ${name}`);
   }
 
-  const vars = readEncEnv(projectRoot, envName, key);
-  const dotenvPath = join(projectRoot, '.env');
-  writeEnvFile(dotenvPath, vars, { envName, projectRoot });
-  setCurrentEnv(projectRoot, envName);
+  const vars = readEncEnv(projectRoot, name, key);
+  writeEnvFile(join(projectRoot, '.env'), vars, { envName: name, projectRoot });
+  setCurrentEnv(projectRoot, name);
 
   const count = Object.keys(vars).length;
-  console.log(dim(projectRoot));
-  ok(`Unpacked ${label(envName)} → .env ${dim(`(${count} variable${count !== 1 ? 's' : ''})`)}`);
+  ok(`Unpacked ${envLabel(name)} → .env ${dim(`(${count} var${count !== 1 ? 's' : ''})`)}`);
 }

package/src/commands/use.js

@@ -0,0 +1,29 @@
+import { requireProjectRoot } from '../keystore.js';
+import { loadConfig } from '../config.js';
+import { setCurrentEnv, getCurrentEnv } from '../state.js';
+import { ok, fatal, envLabel, dim } from '../ui.js';
+import { pickEnv } from '../interactive.js';
+
+export async function use(envName) {
+  const projectRoot = requireProjectRoot();
+  const config      = loadConfig(projectRoot);
+  const current     = getCurrentEnv(projectRoot);
+
+  const name = envName ?? await pickEnv(config.envs, 'Switch to environment');
+
+  if (!config.envs.includes(name)) {
+    fatal(`Environment '${name}' does not exist. Create it with: envgit add-env ${name}`);
+  }
+
+  if (name === current) {
+    ok(`Already on ${envLabel(name)}`);
+    return;
+  }
+
+  setCurrentEnv(projectRoot, name);
+
+  console.log('');
+  ok(`Switched to ${envLabel(name)}`);
+  console.log(dim(`  Run envgit unpack to write .env for this environment.`));
+  console.log('');
+}

package/src/interactive.js

@@ -0,0 +1,83 @@
+import { search, input, password, confirm } from '@inquirer/prompts';
+
+// Fuzzy match — returns true if all chars of query appear in order in str
+function fuzzy(str, query) {
+  if (!query) return true;
+  let si = 0;
+  const s = str.toLowerCase();
+  const q = query.toLowerCase();
+  for (let i = 0; i < q.length; i++) {
+    si = s.indexOf(q[i], si);
+    if (si === -1) return false;
+    si++;
+  }
+  return true;
+}
+
+/**
+ * Interactive fuzzy key picker.
+ * @param {Record<string,string>} vars  — existing key/value pairs
+ * @param {string} message
+ * @param {{ allowNew?: boolean }} opts
+ * @returns {Promise<string>} chosen key name
+ */
+export async function pickKey(vars, message = 'Select a key', { allowNew = false } = {}) {
+  const keys = Object.keys(vars).sort();
+
+  return search({
+    message,
+    source(term) {
+      const matches = keys.filter(k => fuzzy(k, term));
+      const choices = matches.map(k => ({ name: k, value: k }));
+
+      // If the typed term isn't an exact match and allowNew is set, offer to create it
+      if (allowNew && term && !keys.includes(term)) {
+        choices.unshift({ name: `+ create "${term}"`, value: term });
+      }
+
+      return choices;
+    },
+  });
+}
+
+/**
+ * Interactive fuzzy environment picker.
+ * @param {string[]} envs
+ * @param {string} message
+ * @returns {Promise<string>} chosen env name
+ */
+export async function pickEnv(envs, message = 'Select an environment') {
+  return search({
+    message,
+    source(term) {
+      return envs
+        .filter(e => fuzzy(e, term))
+        .map(e => ({ name: e, value: e }));
+    },
+  });
+}
+
+/**
+ * Prompt for a secret value (masked by default).
+ */
+export async function promptValue(keyName, existing) {
+  const msg = existing !== undefined
+    ? `New value for ${keyName} (current: ${'*'.repeat(Math.min(existing.length, 8))})`
+    : `Value for ${keyName}`;
+
+  return password({ message: msg, mask: false });
+}
+
+/**
+ * Prompt for a plain (visible) string.
+ */
+export async function promptInput(message, defaultValue) {
+  return input({ message, default: defaultValue });
+}
+
+/**
+ * Prompt for confirmation.
+ */
+export async function promptConfirm(message, defaultValue = false) {
+  return confirm({ message, default: defaultValue });
+}

package/src/keystore.js

@@ -46,7 +46,7 @@ export function loadKey(projectRoot) {
     }
     // Project found, but this machine doesn't have the key yet
     console.error(
-      `No key found for this project. Ask your team for the key, then run:\n  envgit keygen --set <key>`
+      `No key found for this project. Ask a teammate to run:\n  envgit share\nthen run the join command they send you.`
     );
     process.exit(1);
   }
@@ -59,7 +59,7 @@ export function loadKey(projectRoot) {
   }
 
   console.error(
-    `No key found for this project. Ask your team for the key, then run:\n  envgit keygen --set <key>`
+    `No key found for this project. Ask a teammate to run:\n  envgit share\nthen run the join command they send you.`
   );
   process.exit(1);
 }