@asafarim/envage 0.1.0

package/README.md

@@ -0,0 +1,367 @@
+# @asafarim/envage
+
+> **Secure, age-based encryption for `.env` files across monorepo environments.**
+
+`envage` lets you safely commit encrypted `.env` files to Git while keeping the
+decrypted secrets out of version control. It uses the battle-tested
+[age](https://age-encryption.org) encryption format — the same tool used by
+Go, Rust, and DevSecOps toolchains worldwide.
+
+---
+
+## Features
+
+- 🔐 **age encryption** — uses `age-encryption` (pure TypeScript, no native deps)
+- 🌍 **Multi-environment** — `dev`, `staging`, `prod` and any custom names
+- 📁 **Monorepo-aware** — encrypt/decrypt all apps at once with `--all`
+- 🔑 **Key or passphrase** — supports X25519 keypairs and passphrase-based encryption
+- 🛡 **Git-safe** — auto-updates `.gitignore`; warns if you stage a decrypted file
+- ✅ **Production guard** — interactive confirmation required to decrypt `prod` files
+- 🧩 **Programmatic API** — use as a library in your own scripts
+- 📦 **pnpm / monorepo friendly** — works seamlessly with pnpm workspaces
+
+---
+
+## Installation
+
+```bash
+# In your monorepo root
+pnpm add -D @asafarim/envage
+
+# Or globally
+pnpm add -g @asafarim/envage
+```
+
+---
+
+## Quick Start
+
+### 1. Generate a keypair
+
+```bash
+npx envage init-key
+```
+
+This creates:
+```
+.age/key.txt   ← private key (mode 0600, gitignored automatically)
+.age/key.pub   ← public key  (safe to share with teammates)
+```
+
+### 2. Create your config
+
+```bash
+# envage.config.json (at the monorepo root)
+{
+  "apps": ["apps/web", "apps/admin", "packages/api"],
+  "envs": ["dev", "staging", "prod"],
+  "keyFile": ".age/key.txt"
+}
+```
+
+### 3. Encrypt your env files
+
+```bash
+# Encrypt a single app/env
+npx envage encrypt apps/web --env dev
+
+# Encrypt all apps at once
+npx envage encrypt --all --env prod
+```
+
+### 4. Check status
+
+```bash
+npx envage status
+```
+
+```
+apps/web
+  dev        🔒 encrypted
+  staging    🔒 encrypted
+  prod       🔒 encrypted
+
+apps/admin
+  dev        🔓 decrypted (not yet encrypted)
+  prod       🔒 encrypted
+
+packages/api
+  dev        🔒 encrypted
+  prod       🔒 encrypted
+
+9 entries — 8 encrypted  1 decrypted
+```
+
+### 5. Decrypt on a new machine
+
+```bash
+# Copy your private key to .age/key.txt (never commit it!)
+npx envage decrypt apps/web --env dev
+
+# Decrypt all at once
+npx envage decrypt --all --env dev
+```
+
+---
+
+## CLI Reference
+
+### `envage init-key`
+
+Generate a new age X25519 keypair.
+
+```bash
+envage init-key [--output <folder>]
+```
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `--output` | `.age` | Output folder for `key.txt` and `key.pub` |
+
+---
+
+### `envage encrypt`
+
+Encrypt `.env.<env>` → `.env.<env>.age`.
+
+```bash
+envage encrypt [path] [options]
+```
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `--env` | `dev` | Environment name |
+| `--key` | auto-detected | Path to age key file |
+| `--passphrase` | — | Passphrase (prompted if omitted) |
+| `--all` | — | Encrypt all apps in `envage.config.json` |
+
+**Examples:**
+```bash
+envage encrypt apps/web --env dev
+envage encrypt apps/web --env prod --key .age/key.txt
+envage encrypt --all --env staging
+envage encrypt apps/web --env dev --passphrase "my secret"
+```
+
+---
+
+### `envage decrypt`
+
+Decrypt `.env.<env>.age` → `.env.<env>`.
+
+```bash
+envage decrypt [path] [options]
+```
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `--env` | `dev` | Environment name |
+| `--key` | auto-detected | Path to age private key file |
+| `--passphrase` | — | Passphrase |
+| `--all` | — | Decrypt all apps in `envage.config.json` |
+
+> ⚠️ Decrypting `prod` or `production` environments always prompts for
+> manual confirmation.
+
+**Examples:**
+```bash
+envage decrypt apps/web --env dev
+envage decrypt --all --env prod
+```
+
+---
+
+### `envage status`
+
+Show encryption status for all configured apps and environments.
+
+```bash
+envage status [path]
+```
+
+| Option | Description |
+|--------|-------------|
+| `--env` | Filter output to a single environment |
+
+---
+
+## Configuration — `envage.config.json`
+
+Place this file at the root of your monorepo:
+
+```json
+{
+  "apps": [
+    "apps/web",
+    "apps/admin",
+    "packages/api"
+  ],
+  "envs": ["dev", "staging", "prod"],
+  "keyFile": ".age/key.txt",
+  "keyPubFile": ".age/key.pub"
+}
+```
+
+| Field | Type | Default | Description |
+|-------|------|---------|-------------|
+| `apps` | `string[]` | `[]` | App folder paths (relative to cwd) |
+| `envs` | `string[]` | `["dev","staging","prod"]` | Environment names to manage |
+| `keyFile` | `string` | `.age/key.txt` | Path to private key |
+| `keyPubFile` | `string` | `.age/key.pub` | Path to public key |
+
+---
+
+## Programmatic API
+
+```typescript
+import {
+  encryptEnv,
+  decryptEnv,
+  generateKeyPair,
+  generateKeyPairToFolder,
+  getEnvStatus,
+  loadConfig,
+  ensureGitignore,
+} from "@asafarim/envage";
+
+// Generate a keypair
+const { identity, recipient } = await generateKeyPair();
+
+// Write keypair to disk
+await generateKeyPairToFolder(".age");
+
+// Encrypt a file (key-based)
+await encryptEnv({
+  folder: "apps/web",
+  env: "dev",
+  keyFile: ".age/key.txt",
+});
+
+// Encrypt a file (passphrase-based)
+await encryptEnv({
+  folder: "apps/web",
+  env: "dev",
+  passphrase: "my-secret-passphrase",
+});
+
+// Decrypt a file
+await decryptEnv({
+  folder: "apps/web",
+  env: "dev",
+  keyFile: ".age/key.txt",
+});
+
+// Check status
+const config = await loadConfig();
+const statuses = await getEnvStatus(config);
+statuses.forEach((s) => {
+  console.log(`${s.folder} [${s.env}]: encrypted=${s.encrypted} decrypted=${s.decrypted}`);
+});
+
+// Ensure .gitignore rules are present
+await ensureGitignore();
+```
+
+---
+
+## Git Integration
+
+### `.gitignore` rules
+
+Running `envage init-key` automatically adds these rules to your `.gitignore`:
+
+```gitignore
+# --- envage managed ---
+# Decrypted env files — never commit
+.env*
+!.env*.age
+!.env.example
+!.env.template
+# Age private key
+.age/key.txt
+# --- end envage ---
+```
+
+### Staged file warning
+
+If you accidentally `git add` a decrypted env file before encrypting, the
+`encrypt` command will catch it and exit with:
+
+```
+✖ You are trying to commit a decrypted env file.
+✖ Only encrypted .age files are allowed.
+  apps/web/.env.prod
+```
+
+### Optional: pre-commit hook
+
+Add this to `.git/hooks/pre-commit` to prevent accidental commits entirely:
+
+```bash
+#!/usr/bin/env bash
+npx envage status 2>/dev/null | grep -q "decrypted" && \
+  echo "❌ You have decrypted env files. Run: npx envage encrypt --all" && \
+  exit 1
+exit 0
+```
+
+---
+
+## Monorepo Structure
+
+```
+monorepo/
+├── .age/
+│   ├── key.txt          ← private key (gitignored)
+│   └── key.pub          ← public key  (commit this)
+├── apps/
+│   ├── web/
+│   │   ├── .env.dev     ← decrypted (gitignored)
+│   │   ├── .env.dev.age ← encrypted (committed ✅)
+│   │   ├── .env.prod    ← decrypted (gitignored)
+│   │   └── .env.prod.age← encrypted (committed ✅)
+│   └── admin/
+│       ├── .env.dev.age
+│       └── .env.prod.age
+├── packages/
+│   └── api/
+│       ├── .env.dev.age
+│       └── .env.prod.age
+├── envage.config.json   ← committed ✅
+└── .gitignore           ← auto-updated by envage
+```
+
+---
+
+## Security Notes
+
+- **Never commit `.age/key.txt`** — it is your private key. Share it with
+  teammates via a secrets manager (1Password, Vault, AWS SSM, etc.)
+- **Decrypted values are never logged** — not in verbose mode, not in errors
+- **Production decryption is gated** — always requires explicit `y` confirmation
+- **Encrypted files are binary** — they cannot be accidentally read as text
+- The `age` format provides authenticated encryption; tampering is detectable
+
+---
+
+## Development
+
+```bash
+# Install dependencies
+pnpm install
+
+# Build
+pnpm build
+
+# Run tests
+pnpm test
+
+# Type-check only
+pnpm lint
+```
+
+---
+
+## License
+
+MIT © [Ali Safarim](https://github.com/asafarim)

package/bin/envage.js

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+/**
+ * @asafarim/envage CLI entrypoint
+ * Compiled output lives in dist/cli/index.js
+ */
+import { runCLI } from "../dist/cli/index.js";
+
+runCLI().catch((err) => {
+  console.error(err instanceof Error ? err.message : String(err));
+  process.exit(1);
+});

package/dist/cli/commands/decrypt.d.ts

@@ -0,0 +1,12 @@
+/**
+ * CLI `decrypt` command.
+ *
+ * Usage:
+ *   envage decrypt [path] [--env prod] [--key .age/key.txt]
+ *   envage decrypt --all [--env prod]
+ *
+ * Production decryption always prompts for manual confirmation.
+ */
+import type { Command } from "commander";
+export declare function registerDecrypt(program: Command): void;
+//# sourceMappingURL=decrypt.d.ts.map

package/dist/cli/commands/decrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/decrypt.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgBzC,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA6CtD"}

package/dist/cli/commands/decrypt.js

@@ -0,0 +1,91 @@
+import path from "path";
+import { decryptEnv } from "../../lib/decrypt.js";
+import { loadConfig } from "../../lib/config.js";
+import { logger } from "../../lib/logger.js";
+import { confirm, promptPassphrase } from "../prompt.js";
+const PROD_ENVS = new Set(["prod", "production"]);
+export function registerDecrypt(program) {
+    program
+        .command("decrypt [path]")
+        .description("Decrypt .env.<env>.age → .env.<env>")
+        .option("-e, --env <env>", "environment name (e.g. dev, prod)", "dev")
+        .option("-k, --key <keyFile>", "path to age private key file (.age/key.txt)")
+        .option("-p, --passphrase <pass>", "passphrase for decryption")
+        .option("--all", "decrypt all apps defined in envage.config.json")
+        .action(async (folderArg, opts) => {
+        const envName = opts.env ?? "dev";
+        let keyFile = opts.key;
+        let passphrase = opts.passphrase;
+        // Production guard — always require explicit confirmation
+        if (PROD_ENVS.has(envName)) {
+            logger.warn(`You are about to decrypt PRODUCTION environment files.`);
+            const ok = await confirm("Are you sure you want to continue?");
+            if (!ok) {
+                logger.info("Aborted.");
+                process.exit(0);
+            }
+        }
+        // Resolve credential
+        if (!passphrase && !keyFile) {
+            const config = await loadConfig();
+            const defaultKey = config.keyFile;
+            try {
+                const { readIdentityFromFile } = await import("../../lib/keygen.js");
+                await readIdentityFromFile(path.resolve(process.cwd(), defaultKey));
+                keyFile = path.resolve(process.cwd(), defaultKey);
+                logger.detail(`Using key file: ${keyFile}`);
+            }
+            catch {
+                logger.info("No key file found. Enter the passphrase for decryption:");
+                passphrase = await promptPassphrase();
+            }
+        }
+        if (opts.all) {
+            await decryptAll(envName, keyFile, passphrase);
+        }
+        else {
+            const folder = folderArg ? path.resolve(process.cwd(), folderArg) : process.cwd();
+            await decryptOne(folder, envName, keyFile, passphrase);
+        }
+    });
+}
+async function decryptOne(folder, env, keyFile, passphrase) {
+    const fromFile = path.join(folder, `.env.${env}.age`);
+    const toFile = path.join(folder, `.env.${env}`);
+    logger.decrypting(fromFile, toFile);
+    try {
+        await decryptEnv({ folder, env, keyFile, passphrase });
+        logger.success("Done");
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error(msg);
+        process.exit(1);
+    }
+}
+async function decryptAll(env, keyFile, passphrase) {
+    const config = await loadConfig();
+    if (config.apps.length === 0) {
+        logger.warn("No apps defined in envage.config.json. Nothing to decrypt.");
+        return;
+    }
+    let anyFailed = false;
+    for (const app of config.apps) {
+        const folder = path.resolve(process.cwd(), app);
+        const fromFile = path.join(folder, `.env.${env}.age`);
+        const toFile = path.join(folder, `.env.${env}`);
+        logger.decrypting(fromFile, toFile);
+        try {
+            await decryptEnv({ folder, env, keyFile, passphrase });
+            logger.success("Done");
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            logger.error(msg);
+            anyFailed = true;
+        }
+    }
+    if (anyFailed)
+        process.exit(1);
+}
+//# sourceMappingURL=decrypt.js.map

package/dist/cli/commands/decrypt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../../src/cli/commands/decrypt.ts"],"names":[],"mappings":"AAUA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AASzD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC;AAElD,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,OAAO;SACJ,OAAO,CAAC,gBAAgB,CAAC;SACzB,WAAW,CAAC,qCAAqC,CAAC;SAClD,MAAM,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,KAAK,CAAC;SACrE,MAAM,CAAC,qBAAqB,EAAE,6CAA6C,CAAC;SAC5E,MAAM,CAAC,yBAAyB,EAAE,2BAA2B,CAAC;SAC9D,MAAM,CAAC,OAAO,EAAE,gDAAgD,CAAC;SACjE,MAAM,CAAC,KAAK,EAAE,SAA6B,EAAE,IAAoB,EAAE,EAAE;QACpE,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,IAAI,KAAK,CAAC;QAClC,IAAI,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC;QACvB,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;QAEjC,0DAA0D;QAC1D,IAAI,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;YACtE,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,oCAAoC,CAAC,CAAC;YAC/D,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBACxB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,qBAAqB;QACrB,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;gBACrE,MAAM,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;gBACpE,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;gBAClD,MAAM,CAAC,MAAM,CAAC,mBAAmB,OAAO,EAAE,CAAC,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,IAAI,CAAC,yDAAyD,CAAC,CAAC;gBACvE,UAAU,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACxC,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,MAAM,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAClF,MAAM,UAAU,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QACzD,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAAc,EACd,GAAW,EACX,OAA2B,EAC3B,UAA8B;IAE9B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAC,CAAC;IACtD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,EAAE,CAAC,CAAC;IAEhD,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAEpC,IAAI,CAAC;QACH,MAAM,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;QACvD,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAW,EACX,OAA2B,EAC3B,UAA8B;IAE9B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO;IACT,CAAC;IAED,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,EAAE,CAAC,CAAC;QAChD,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;YACvD,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACzB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAClB,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC;IACH,CAAC;IAED,IAAI,SAAS;QAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjC,CAAC"}

package/dist/cli/commands/encrypt.d.ts

@@ -0,0 +1,11 @@
+/**
+ * CLI `encrypt` command.
+ *
+ * Usage:
+ *   envage encrypt [path] [--env dev] [--key .age/key.txt] [--passphrase ...]
+ *   envage encrypt --all [--env dev] [--key .age/key.txt]
+ */
+import type { Command } from "commander";
+export declare function registerEncrypt(program: Command): void;
+export declare function runEncryptAll(env: string, keyFile?: string, passphrase?: string): Promise<void>;
+//# sourceMappingURL=encrypt.d.ts.map

package/dist/cli/commands/encrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/encrypt.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAezC,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CA+CtD;AAqDD,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAErG"}

package/dist/cli/commands/encrypt.js

@@ -0,0 +1,95 @@
+import path from "path";
+import { encryptEnv } from "../../lib/encrypt.js";
+import { loadConfig } from "../../lib/config.js";
+import { checkStagedEnvFiles } from "../../lib/gitignore.js";
+import { logger } from "../../lib/logger.js";
+import { promptPassphrase } from "../prompt.js";
+export function registerEncrypt(program) {
+    program
+        .command("encrypt [path]")
+        .description("Encrypt .env.<env> → .env.<env>.age")
+        .option("-e, --env <env>", "environment name (e.g. dev, prod)", "dev")
+        .option("-k, --key <keyFile>", "path to age key file (.age/key.txt or .age/key.pub)")
+        .option("-p, --passphrase <pass>", "passphrase for encryption (not recommended via CLI arg — use without value to be prompted)")
+        .option("--all", "encrypt all apps defined in envage.config.json")
+        .action(async (folderArg, opts) => {
+        // Warn about staged decrypted files first
+        const staged = checkStagedEnvFiles();
+        if (staged.length > 0) {
+            logger.error("You are trying to commit a decrypted env file.");
+            logger.error("Only encrypted .age files are allowed.");
+            staged.forEach((f) => logger.detail(f));
+            process.exit(1);
+        }
+        // Resolve encryption credential
+        let passphrase = opts.passphrase;
+        let keyFile = opts.key;
+        if (!passphrase && !keyFile) {
+            // Auto-detect default key file
+            const config = await loadConfig();
+            const defaultKey = config.keyFile;
+            try {
+                const { readIdentityFromFile } = await import("../../lib/keygen.js");
+                await readIdentityFromFile(path.resolve(process.cwd(), defaultKey));
+                keyFile = path.resolve(process.cwd(), defaultKey);
+                logger.detail(`Using key file: ${keyFile}`);
+            }
+            catch {
+                // No key file found — prompt for passphrase
+                logger.info("No key file found. Enter a passphrase for encryption:");
+                passphrase = await promptPassphrase();
+            }
+        }
+        const envName = opts.env ?? "dev";
+        if (opts.all) {
+            await encryptAll(envName, keyFile, passphrase);
+        }
+        else {
+            const folder = folderArg ? path.resolve(process.cwd(), folderArg) : process.cwd();
+            await encryptOne(folder, envName, keyFile, passphrase);
+        }
+    });
+}
+async function encryptOne(folder, env, keyFile, passphrase) {
+    const fromFile = path.join(folder, `.env.${env}`);
+    const toFile = path.join(folder, `.env.${env}.age`);
+    logger.encrypting(fromFile, toFile);
+    try {
+        await encryptEnv({ folder, env, keyFile, passphrase });
+        logger.success("Done");
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        logger.error(msg);
+        process.exit(1);
+    }
+}
+async function encryptAll(env, keyFile, passphrase) {
+    const config = await loadConfig();
+    if (config.apps.length === 0) {
+        logger.warn("No apps defined in envage.config.json. Nothing to encrypt.");
+        return;
+    }
+    let anyFailed = false;
+    for (const app of config.apps) {
+        const folder = path.resolve(process.cwd(), app);
+        const fromFile = path.join(folder, `.env.${env}`);
+        const toFile = path.join(folder, `.env.${env}.age`);
+        logger.encrypting(fromFile, toFile);
+        try {
+            await encryptEnv({ folder, env, keyFile, passphrase });
+            logger.success("Done");
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            logger.error(msg);
+            anyFailed = true;
+        }
+    }
+    if (anyFailed)
+        process.exit(1);
+}
+export async function runEncryptAll(env, keyFile, passphrase) {
+    await encryptAll(env, keyFile, passphrase);
+}
+//# sourceMappingURL=encrypt.js.map

package/dist/cli/commands/encrypt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt.js","sourceRoot":"","sources":["../../../src/cli/commands/encrypt.ts"],"names":[],"mappings":"AAQA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,MAAM,sBAAsB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAC7C,OAAO,EAAW,gBAAgB,EAAE,MAAM,cAAc,CAAC;AASzD,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,OAAO;SACJ,OAAO,CAAC,gBAAgB,CAAC;SACzB,WAAW,CAAC,qCAAqC,CAAC;SAClD,MAAM,CAAC,iBAAiB,EAAE,mCAAmC,EAAE,KAAK,CAAC;SACrE,MAAM,CAAC,qBAAqB,EAAE,qDAAqD,CAAC;SACpF,MAAM,CAAC,yBAAyB,EAAE,4FAA4F,CAAC;SAC/H,MAAM,CAAC,OAAO,EAAE,gDAAgD,CAAC;SACjE,MAAM,CAAC,KAAK,EAAE,SAA6B,EAAE,IAAoB,EAAE,EAAE;QACpE,0CAA0C;QAC1C,MAAM,MAAM,GAAG,mBAAmB,EAAE,CAAC;QACrC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;YAC/D,MAAM,CAAC,KAAK,CAAC,wCAAwC,CAAC,CAAC;YACvD,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,gCAAgC;QAChC,IAAI,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;QACjC,IAAI,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC;QAEvB,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5B,+BAA+B;YAC/B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC;YAClC,IAAI,CAAC;gBACH,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;gBACrE,MAAM,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;gBACpE,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC,CAAC;gBAClD,MAAM,CAAC,MAAM,CAAC,mBAAmB,OAAO,EAAE,CAAC,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,4CAA4C;gBAC5C,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;gBACrE,UAAU,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACxC,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,IAAI,KAAK,CAAC;QAElC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,MAAM,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,MAAM,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YAClF,MAAM,UAAU,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;QACzD,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAAc,EACd,GAAW,EACX,OAA2B,EAC3B,UAA8B;IAE9B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,EAAE,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAC,CAAC;IAEpD,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAEpC,IAAI,CAAC;QACH,MAAM,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;QACvD,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,GAAW,EACX,OAA2B,EAC3B,UAA8B;IAE9B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO;IACT,CAAC;IAED,IAAI,SAAS,GAAG,KAAK,CAAC;IACtB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,GAAG,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,EAAE,CAAC,CAAC;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAC,CAAC;QACpD,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC;YACvD,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACzB,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAClB,SAAS,GAAG,IAAI,CAAC;QACnB,CAAC;IACH,CAAC;IAED,IAAI,SAAS;QAAE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW,EAAE,OAAgB,EAAE,UAAmB;IACpF,MAAM,UAAU,CAAC,GAAG,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;AAC7C,CAAC"}

package/dist/cli/commands/init-key.d.ts

@@ -0,0 +1,13 @@
+/**
+ * CLI `init-key` command.
+ *
+ * Usage:
+ *   envage init-key [--output .age]
+ *
+ * Generates a new age X25519 keypair and writes:
+ *   .age/key.txt  (private key, mode 0600)
+ *   .age/key.pub  (public key)
+ */
+import type { Command } from "commander";
+export declare function registerInitKey(program: Command): void;
+//# sourceMappingURL=init-key.d.ts.map

package/dist/cli/commands/init-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init-key.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/init-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASzC,wBAAgB,eAAe,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAkCtD"}

package/dist/cli/commands/init-key.js

@@ -0,0 +1,32 @@
+import { generateKeyPairToFolder } from "../../lib/keygen.js";
+import { ensureGitignore } from "../../lib/gitignore.js";
+import { logger } from "../../lib/logger.js";
+export function registerInitKey(program) {
+    program
+        .command("init-key")
+        .description("Generate a new age keypair (.age/key.txt and .age/key.pub)")
+        .option("-o, --output <folder>", "output folder for the keypair", ".age")
+        .action(async (opts) => {
+        const outputFolder = opts.output ?? ".age";
+        logger.info(`Generating age X25519 keypair in ${outputFolder}/`);
+        try {
+            const { keyFile, pubFile } = await generateKeyPairToFolder(outputFolder);
+            logger.success(`Private key written to: ${keyFile}`);
+            logger.success(`Public key written to:  ${pubFile}`);
+            logger.info("Updating .gitignore to protect the private key…");
+            await ensureGitignore();
+            logger.success(".gitignore updated.");
+            logger.warn("IMPORTANT: Never commit your private key (.age/key.txt).");
+            logger.warn("Share .age/key.pub with teammates who need to encrypt files.");
+            logger.raw("");
+            logger.raw("  To encrypt:  envage encrypt apps/web --env dev");
+            logger.raw("  To decrypt:  envage decrypt apps/web --env dev");
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            logger.error(`Failed to generate keypair: ${msg}`);
+            process.exit(1);
+        }
+    });
+}
+//# sourceMappingURL=init-key.js.map

package/dist/cli/commands/init-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init-key.js","sourceRoot":"","sources":["../../../src/cli/commands/init-key.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAM7C,MAAM,UAAU,eAAe,CAAC,OAAgB;IAC9C,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,WAAW,CAAC,4DAA4D,CAAC;SACzE,MAAM,CAAC,uBAAuB,EAAE,+BAA+B,EAAE,MAAM,CAAC;SACxE,MAAM,CAAC,KAAK,EAAE,IAAoB,EAAE,EAAE;QACrC,MAAM,YAAY,GAAG,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC;QAE3C,MAAM,CAAC,IAAI,CAAC,oCAAoC,YAAY,GAAG,CAAC,CAAC;QAEjE,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,MAAM,uBAAuB,CAAC,YAAY,CAAC,CAAC;YACzE,MAAM,CAAC,OAAO,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;YACrD,MAAM,CAAC,OAAO,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;YAErD,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;YAC/D,MAAM,eAAe,EAAE,CAAC;YACxB,MAAM,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;YAEtC,MAAM,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;YACxE,MAAM,CAAC,IAAI,CAAC,8DAA8D,CAAC,CAAC;YAC5E,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACf,MAAM,CAAC,GAAG,CACR,kDAAkD,CACnD,CAAC;YACF,MAAM,CAAC,GAAG,CACR,kDAAkD,CACnD,CAAC;QACJ,CAAC;QAAC,OAAO,GAAY,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,MAAM,CAAC,KAAK,CAAC,+BAA+B,GAAG,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/cli/commands/status.d.ts

@@ -0,0 +1,11 @@
+/**
+ * CLI `status` command.
+ *
+ * Usage:
+ *   envage status [path]
+ *
+ * Shows which env files are encrypted/decrypted for all configured apps.
+ */
+import type { Command } from "commander";
+export declare function registerStatus(program: Command): void;
+//# sourceMappingURL=status.d.ts.map