@asafarim/envage 0.1.0

package/dist/cli/commands/status.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/status.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAYzC,wBAAgB,cAAc,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAgErD"}

package/dist/cli/commands/status.js

@@ -0,0 +1,73 @@
+import path from "path";
+import chalk from "chalk";
+import { loadConfig } from "../../lib/config.js";
+import { getEnvStatus, getFolderStatus } from "../../lib/status.js";
+import { logger } from "../../lib/logger.js";
+export function registerStatus(program) {
+    program
+        .command("status [path]")
+        .description("Show encryption status of env files")
+        .option("-e, --env <env>", "filter by environment name")
+        .action(async (folderArg, opts) => {
+        const config = await loadConfig();
+        let statuses;
+        if (folderArg) {
+            const folder = path.resolve(process.cwd(), folderArg);
+            statuses = await getFolderStatus(folder, config);
+        }
+        else if (config.apps.length > 0) {
+            statuses = await getEnvStatus(config);
+        }
+        else {
+            // Fallback: scan current directory with all configured envs
+            statuses = await getFolderStatus(process.cwd(), config);
+        }
+        // Filter by env if requested
+        if (opts.env) {
+            statuses = statuses.filter((s) => s.env === opts.env);
+        }
+        if (statuses.length === 0) {
+            logger.warn("No env files found. Check your envage.config.json.");
+            return;
+        }
+        // Group by folder
+        const byFolder = new Map();
+        for (const s of statuses) {
+            const existing = byFolder.get(s.folder) ?? [];
+            existing.push(s);
+            byFolder.set(s.folder, existing);
+        }
+        for (const [folder, envStatuses] of byFolder) {
+            // Print relative folder name
+            const rel = path.relative(process.cwd(), folder) || ".";
+            logger.header(rel);
+            for (const s of envStatuses) {
+                const tag = renderStatusTag(s);
+                console.log(`  ${chalk.bold(s.env.padEnd(10))} ${tag}`);
+            }
+        }
+        // Summary
+        const encrypted = statuses.filter((s) => s.encrypted && !s.decrypted).length;
+        const decrypted = statuses.filter((s) => s.decrypted).length;
+        const missing = statuses.filter((s) => !s.encrypted && !s.decrypted).length;
+        logger.raw("");
+        logger.raw(chalk.dim(`${statuses.length} entries — ` +
+            `${chalk.green(encrypted + " encrypted")}  ` +
+            `${chalk.yellow(decrypted + " decrypted")}  ` +
+            (missing > 0 ? chalk.red(missing + " missing") : "")));
+    });
+}
+function renderStatusTag(s) {
+    if (s.decrypted && s.encrypted) {
+        return (chalk.yellow("⚠  both exist") +
+            chalk.dim(" (decrypted + encrypted — consider removing the plaintext file)"));
+    }
+    if (s.encrypted) {
+        return chalk.green("🔒 encrypted");
+    }
+    if (s.decrypted) {
+        return chalk.yellow("🔓 decrypted") + chalk.dim(" (not yet encrypted)");
+    }
+    return chalk.red("✗  missing");
+}
+//# sourceMappingURL=status.js.map

package/dist/cli/commands/status.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.js","sourceRoot":"","sources":["../../../src/cli/commands/status.ts"],"names":[],"mappings":"AASA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACpE,OAAO,EAAE,MAAM,EAAE,MAAM,qBAAqB,CAAC;AAO7C,MAAM,UAAU,cAAc,CAAC,OAAgB;IAC7C,OAAO;SACJ,OAAO,CAAC,eAAe,CAAC;SACxB,WAAW,CAAC,qCAAqC,CAAC;SAClD,MAAM,CAAC,iBAAiB,EAAE,4BAA4B,CAAC;SACvD,MAAM,CAAC,KAAK,EAAE,SAA6B,EAAE,IAAmB,EAAE,EAAE;QACnE,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;QAElC,IAAI,QAAqB,CAAC;QAE1B,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;YACtD,QAAQ,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACnD,CAAC;aAAM,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,QAAQ,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,4DAA4D;YAC5D,QAAQ,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,CAAC;QAC1D,CAAC;QAED,6BAA6B;QAC7B,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,CAAC,CAAC;QACxD,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;YAClE,OAAO;QACT,CAAC;QAED,kBAAkB;QAClB,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;QAChD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YAC9C,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACjB,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACnC,CAAC;QAED,KAAK,MAAM,CAAC,MAAM,EAAE,WAAW,CAAC,IAAI,QAAQ,EAAE,CAAC;YAC7C,6BAA6B;YAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,IAAI,GAAG,CAAC;YACxD,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAEnB,KAAK,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC;gBAC5B,MAAM,GAAG,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC,CAAC;YAC1D,CAAC;QACH,CAAC;QAED,UAAU;QACV,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QAC7E,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QAC7D,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QAE5E,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACf,MAAM,CAAC,GAAG,CACR,KAAK,CAAC,GAAG,CACP,GAAG,QAAQ,CAAC,MAAM,aAAa;YAC7B,GAAG,KAAK,CAAC,KAAK,CAAC,SAAS,GAAG,YAAY,CAAC,IAAI;YAC5C,GAAG,KAAK,CAAC,MAAM,CAAC,SAAS,GAAG,YAAY,CAAC,IAAI;YAC7C,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CACvD,CACF,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,eAAe,CAAC,CAAY;IACnC,IAAI,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAC/B,OAAO,CACL,KAAK,CAAC,MAAM,CAAC,eAAe,CAAC;YAC7B,KAAK,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAC7E,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IACrC,CAAC;IACD,IAAI,CAAC,CAAC,SAAS,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;AACjC,CAAC"}

package/dist/cli/index.d.ts

@@ -0,0 +1,13 @@
+/**
+ * @asafarim/envage CLI entry point.
+ *
+ * Registered commands:
+ *   encrypt   — Encrypt .env.<env> → .env.<env>.age
+ *   decrypt   — Decrypt .env.<env>.age → .env.<env>
+ *   init-key  — Generate an age keypair
+ *   status    — Show encryption status
+ */
+import { Command } from "commander";
+export declare function createCLI(): Command;
+export declare function runCLI(): Promise<void>;
+//# sourceMappingURL=index.d.ts.map

package/dist/cli/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAWpC,wBAAgB,SAAS,IAAI,OAAO,CA0BnC;AAED,wBAAsB,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC,CAG5C"}

package/dist/cli/index.js

@@ -0,0 +1,44 @@
+/**
+ * @asafarim/envage CLI entry point.
+ *
+ * Registered commands:
+ *   encrypt   — Encrypt .env.<env> → .env.<env>.age
+ *   decrypt   — Decrypt .env.<env>.age → .env.<env>
+ *   init-key  — Generate an age keypair
+ *   status    — Show encryption status
+ */
+import { Command } from "commander";
+import { createRequire } from "module";
+import { registerEncrypt } from "./commands/encrypt.js";
+import { registerDecrypt } from "./commands/decrypt.js";
+import { registerInitKey } from "./commands/init-key.js";
+import { registerStatus } from "./commands/status.js";
+const require = createRequire(import.meta.url);
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+const pkg = require("../../package.json");
+export function createCLI() {
+    const program = new Command();
+    program
+        .name("envage")
+        .version(pkg.version)
+        .description(pkg.description)
+        .addHelpText("after", `
+Examples:
+  $ envage init-key
+  $ envage encrypt apps/web --env dev
+  $ envage encrypt --all --env prod
+  $ envage decrypt apps/web --env dev
+  $ envage decrypt --all --env prod
+  $ envage status
+  $ envage status apps/web`);
+    registerEncrypt(program);
+    registerDecrypt(program);
+    registerInitKey(program);
+    registerStatus(program);
+    return program;
+}
+export async function runCLI() {
+    const program = createCLI();
+    await program.parseAsync(process.argv);
+}
+//# sourceMappingURL=index.js.map

package/dist/cli/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,QAAQ,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,8DAA8D;AAC9D,MAAM,GAAG,GAAG,OAAO,CAAC,oBAAoB,CAA6C,CAAC;AAEtF,MAAM,UAAU,SAAS;IACvB,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAE9B,OAAO;SACJ,IAAI,CAAC,QAAQ,CAAC;SACd,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC;SACpB,WAAW,CAAC,GAAG,CAAC,WAAW,CAAC;SAC5B,WAAW,CACV,OAAO,EACP;;;;;;;;2BAQqB,CACtB,CAAC;IAEJ,eAAe,CAAC,OAAO,CAAC,CAAC;IACzB,eAAe,CAAC,OAAO,CAAC,CAAC;IACzB,eAAe,CAAC,OAAO,CAAC,CAAC;IACzB,cAAc,CAAC,OAAO,CAAC,CAAC;IAExB,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,MAAM;IAC1B,MAAM,OAAO,GAAG,SAAS,EAAE,CAAC;IAC5B,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;AACzC,CAAC"}

package/dist/cli/prompt.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Ask a yes/no question. Returns true if the user confirms.
+ */
+export declare function confirm(question: string): Promise<boolean>;
+/**
+ * Prompt for a passphrase (hidden input).
+ */
+export declare function promptPassphrase(prompt?: string): Promise<string>;
+//# sourceMappingURL=prompt.d.ts.map

package/dist/cli/prompt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt.d.ts","sourceRoot":"","sources":["../../src/cli/prompt.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,wBAAgB,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAW1D;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,SAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CAqCzE"}

package/dist/cli/prompt.js

@@ -0,0 +1,62 @@
+/**
+ * Simple interactive prompt helpers using readline (no extra deps).
+ */
+import readline from "readline";
+/**
+ * Ask a yes/no question. Returns true if the user confirms.
+ */
+export function confirm(question) {
+    return new Promise((resolve) => {
+        const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stdout,
+        });
+        rl.question(`${question} [y/N] `, (answer) => {
+            rl.close();
+            resolve(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+        });
+    });
+}
+/**
+ * Prompt for a passphrase (hidden input).
+ */
+export function promptPassphrase(prompt = "Passphrase: ") {
+    return new Promise((resolve) => {
+        const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stdout,
+        });
+        // Hide input
+        if (process.stdin.isTTY) {
+            process.stdout.write(prompt);
+            process.stdin.setRawMode(true);
+            process.stdin.resume();
+            process.stdin.setEncoding("utf-8");
+            let passphrase = "";
+            const handler = (ch) => {
+                if (ch === "\n" || ch === "\r" || ch === "") {
+                    process.stdin.setRawMode(false);
+                    process.stdin.removeListener("data", handler);
+                    process.stdout.write("\n");
+                    rl.close();
+                    resolve(passphrase);
+                }
+                else if (ch === "") {
+                    passphrase = passphrase.slice(0, -1);
+                }
+                else {
+                    passphrase += ch;
+                }
+            };
+            process.stdin.on("data", handler);
+        }
+        else {
+            // Non-TTY (piped input) — just read normally
+            rl.question(prompt, (answer) => {
+                rl.close();
+                resolve(answer);
+            });
+        }
+    });
+}
+//# sourceMappingURL=prompt.js.map

package/dist/cli/prompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt.js","sourceRoot":"","sources":["../../src/cli/prompt.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,QAAQ,MAAM,UAAU,CAAC;AAEhC;;GAEG;AACH,MAAM,UAAU,OAAO,CAAC,QAAgB;IACtC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC;YAClC,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QACH,EAAE,CAAC,QAAQ,CAAC,GAAG,QAAQ,SAAS,EAAE,CAAC,MAAM,EAAE,EAAE;YAC3C,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,GAAG,IAAI,MAAM,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,CAAC;QAC1E,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAM,GAAG,cAAc;IACtD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,MAAM,EAAE,GAAG,QAAQ,CAAC,eAAe,CAAC;YAClC,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,OAAO,CAAC,MAAM;SACvB,CAAC,CAAC;QAEH,aAAa;QACb,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACxB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;YAC/B,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACvB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAEnC,IAAI,UAAU,GAAG,EAAE,CAAC;YACpB,MAAM,OAAO,GAAG,CAAC,EAAU,EAAE,EAAE;gBAC7B,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,IAAI,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBAC7C,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;oBAChC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;oBAC9C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAC3B,EAAE,CAAC,KAAK,EAAE,CAAC;oBACX,OAAO,CAAC,UAAU,CAAC,CAAC;gBACtB,CAAC;qBAAM,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBACtB,UAAU,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;gBACvC,CAAC;qBAAM,CAAC;oBACN,UAAU,IAAI,EAAE,CAAC;gBACnB,CAAC;YACH,CAAC,CAAC;YACF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,6CAA6C;YAC7C,EAAE,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,EAAE;gBAC7B,EAAE,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+/**
+ * @asafarim/envage — Public programmatic API
+ *
+ * @example
+ * ```ts
+ * import { encryptEnv, decryptEnv, generateKeyPair, getEnvStatus } from "@asafarim/envage";
+ * ```
+ */
+export { encryptEnv } from "./lib/encrypt.js";
+export { decryptEnv } from "./lib/decrypt.js";
+export { generateKeyPair, generateKeyPairToFolder, readIdentityFromFile, readRecipientFromFile, } from "./lib/keygen.js";
+export { getEnvStatus, getFolderStatus, checkEnvStatus } from "./lib/status.js";
+export { loadConfig, saveConfig, resolveAppPaths, CONFIG_FILENAME } from "./lib/config.js";
+export { ensureGitignore, checkStagedEnvFiles, getGitignoreRules } from "./lib/gitignore.js";
+export type { EnvStatus, EnvageConfig, EnvOptions } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EACL,eAAe,EACf,uBAAuB,EACvB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC3F,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC7F,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,15 @@
+/**
+ * @asafarim/envage — Public programmatic API
+ *
+ * @example
+ * ```ts
+ * import { encryptEnv, decryptEnv, generateKeyPair, getEnvStatus } from "@asafarim/envage";
+ * ```
+ */
+export { encryptEnv } from "./lib/encrypt.js";
+export { decryptEnv } from "./lib/decrypt.js";
+export { generateKeyPair, generateKeyPairToFolder, readIdentityFromFile, readRecipientFromFile, } from "./lib/keygen.js";
+export { getEnvStatus, getFolderStatus, checkEnvStatus } from "./lib/status.js";
+export { loadConfig, saveConfig, resolveAppPaths, CONFIG_FILENAME } from "./lib/config.js";
+export { ensureGitignore, checkStagedEnvFiles, getGitignoreRules } from "./lib/gitignore.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC9C,OAAO,EACL,eAAe,EACf,uBAAuB,EACvB,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAChF,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC3F,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC"}

package/dist/lib/config.d.ts

@@ -0,0 +1,16 @@
+import type { EnvageConfig } from "../types.js";
+export declare const CONFIG_FILENAME = "envage.config.json";
+/**
+ * Load config from a given root directory.
+ * Falls back to DEFAULT_CONFIG if the file does not exist.
+ */
+export declare function loadConfig(cwd?: string): Promise<EnvageConfig>;
+/**
+ * Save config to the given root directory.
+ */
+export declare function saveConfig(config: EnvageConfig, cwd?: string): Promise<void>;
+/**
+ * Resolve all app folder paths as absolute paths.
+ */
+export declare function resolveAppPaths(config: EnvageConfig, cwd?: string): string[];
+//# sourceMappingURL=config.d.ts.map

package/dist/lib/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAGhD,eAAO,MAAM,eAAe,uBAAuB,CAAC;AAEpD;;;GAGG;AACH,wBAAsB,UAAU,CAAC,GAAG,SAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAc3E;AAED;;GAEG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,YAAY,EACpB,GAAG,SAAgB,GAClB,OAAO,CAAC,IAAI,CAAC,CAGf;AAED;;GAEG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,YAAY,EACpB,GAAG,SAAgB,GAClB,MAAM,EAAE,CAIV"}

package/dist/lib/config.js

@@ -0,0 +1,41 @@
+/**
+ * Loads, saves, and validates envage.config.json.
+ */
+import fs from "fs/promises";
+import path from "path";
+import { DEFAULT_CONFIG } from "../types.js";
+export const CONFIG_FILENAME = "envage.config.json";
+/**
+ * Load config from a given root directory.
+ * Falls back to DEFAULT_CONFIG if the file does not exist.
+ */
+export async function loadConfig(cwd = process.cwd()) {
+    const configPath = path.join(cwd, CONFIG_FILENAME);
+    try {
+        const raw = await fs.readFile(configPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        return {
+            apps: parsed.apps ?? DEFAULT_CONFIG.apps,
+            envs: parsed.envs ?? DEFAULT_CONFIG.envs,
+            keyFile: parsed.keyFile ?? DEFAULT_CONFIG.keyFile,
+            keyPubFile: parsed.keyPubFile ?? DEFAULT_CONFIG.keyPubFile,
+        };
+    }
+    catch {
+        return { ...DEFAULT_CONFIG };
+    }
+}
+/**
+ * Save config to the given root directory.
+ */
+export async function saveConfig(config, cwd = process.cwd()) {
+    const configPath = path.join(cwd, CONFIG_FILENAME);
+    await fs.writeFile(configPath, JSON.stringify(config, null, 2) + "\n", "utf-8");
+}
+/**
+ * Resolve all app folder paths as absolute paths.
+ */
+export function resolveAppPaths(config, cwd = process.cwd()) {
+    return config.apps.map((app) => path.isAbsolute(app) ? app : path.resolve(cwd, app));
+}
+//# sourceMappingURL=config.js.map

package/dist/lib/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/lib/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,MAAM,aAAa,CAAC;AAC7B,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,CAAC,MAAM,eAAe,GAAG,oBAAoB,CAAC;AAEpD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IAClD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IACnD,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAA0B,CAAC;QACxD,OAAO;YACL,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,cAAc,CAAC,IAAI;YACxC,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,cAAc,CAAC,IAAI;YACxC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,cAAc,CAAC,OAAO;YACjD,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,cAAc,CAAC,UAAU;SAC3D,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,GAAG,cAAc,EAAE,CAAC;IAC/B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAoB,EACpB,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IAEnB,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IACnD,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;AAClF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,MAAoB,EACpB,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE;IAEnB,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAC7B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CACpD,CAAC;AACJ,CAAC"}

package/dist/lib/decrypt.d.ts

@@ -0,0 +1,10 @@
+import type { EnvOptions } from "../types.js";
+/**
+ * Decrypt a .env.<env>.age file into .env.<env>.
+ *
+ * Either `keyFile` (path to private key .age/key.txt) or `passphrase` must be supplied.
+ *
+ * @returns The path to the written plaintext file
+ */
+export declare function decryptEnv(options: EnvOptions): Promise<string>;
+//# sourceMappingURL=decrypt.d.ts.map

package/dist/lib/decrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../src/lib/decrypt.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C;;;;;;GAMG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CA+CrE"}

package/dist/lib/decrypt.js

@@ -0,0 +1,60 @@
+/**
+ * Decrypts a .env.<env>.age file into .env.<env> using age encryption.
+ *
+ * Supports both:
+ *  - Private key decryption (via keyFile)
+ *  - Passphrase-based decryption
+ *
+ * SECURITY: decrypted content is never logged.
+ */
+import * as age from "age-encryption";
+import fs from "fs/promises";
+import path from "path";
+import { readIdentityFromFile } from "./keygen.js";
+/**
+ * Decrypt a .env.<env>.age file into .env.<env>.
+ *
+ * Either `keyFile` (path to private key .age/key.txt) or `passphrase` must be supplied.
+ *
+ * @returns The path to the written plaintext file
+ */
+export async function decryptEnv(options) {
+    const { folder, env, keyFile, passphrase } = options;
+    const cipherPath = path.join(folder, `.env.${env}.age`);
+    const plainPath = path.join(folder, `.env.${env}`);
+    // Read the ciphertext
+    let ciphertext;
+    try {
+        const buf = await fs.readFile(cipherPath);
+        ciphertext = new Uint8Array(buf);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`Cannot read ${cipherPath}: ${msg}\n` +
+            `Make sure the encrypted file exists before decrypting.`);
+    }
+    const decrypter = new age.Decrypter();
+    if (passphrase) {
+        decrypter.addPassphrase(passphrase);
+    }
+    else if (keyFile) {
+        const identity = await readIdentityFromFile(keyFile);
+        decrypter.addIdentity(identity);
+    }
+    else {
+        throw new Error("Either --key (key file path) or --passphrase must be provided for decryption.");
+    }
+    let plaintext;
+    try {
+        plaintext = await decrypter.decrypt(ciphertext, "uint8array");
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`Decryption failed for ${cipherPath}: ${msg}\n` +
+            `Check that you are using the correct key or passphrase.`);
+    }
+    // Write decrypted content — never log it
+    await fs.writeFile(plainPath, plaintext);
+    return plainPath;
+}
+//# sourceMappingURL=decrypt.js.map

package/dist/lib/decrypt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.js","sourceRoot":"","sources":["../../src/lib/decrypt.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,MAAM,aAAa,CAAC;AAC7B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGnD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAmB;IAClD,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAErD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAC,CAAC;IACxD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,EAAE,CAAC,CAAC;IAEnD,sBAAsB;IACtB,IAAI,UAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC1C,UAAU,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,eAAe,UAAU,KAAK,GAAG,IAAI;YACnC,wDAAwD,CAC3D,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;IAEtC,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;SAAM,IAAI,OAAO,EAAE,CAAC;QACnB,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACrD,SAAS,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,IAAI,SAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAChE,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,yBAAyB,UAAU,KAAK,GAAG,IAAI;YAC7C,yDAAyD,CAC5D,CAAC;IACJ,CAAC;IAED,yCAAyC;IACzC,MAAM,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IAEzC,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/lib/encrypt.d.ts

@@ -0,0 +1,20 @@
+import type { EnvOptions } from "../types.js";
+/**
+ * Encrypt a .env.<env> file into .env.<env>.age.
+ *
+ * Either `keyFile` (path to a .age/key.pub) or `passphrase` must be supplied.
+ * If `keyFile` points to a private key (key.txt), the corresponding public key
+ * is derived automatically if key.pub lives alongside it.
+ *
+ * @returns The path to the written .age file
+ */
+export declare function encryptEnv(options: EnvOptions): Promise<string>;
+/**
+ * Build the encrypted file path for a given folder + env.
+ */
+export declare function encryptedPath(folder: string, env: string): string;
+/**
+ * Build the plaintext file path for a given folder + env.
+ */
+export declare function plaintextPath(folder: string, env: string): string;
+//# sourceMappingURL=encrypt.d.ts.map

package/dist/lib/encrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../src/lib/encrypt.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAE9C;;;;;;;;GAQG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAgDrE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAEjE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAEjE"}

package/dist/lib/encrypt.js

@@ -0,0 +1,75 @@
+/**
+ * Encrypts a .env.<env> file into .env.<env>.age using age encryption.
+ *
+ * Supports both:
+ *  - Public key encryption (via keyFile / pubFile)
+ *  - Passphrase-based encryption
+ */
+import * as age from "age-encryption";
+import fs from "fs/promises";
+import path from "path";
+import { readRecipientFromFile } from "./keygen.js";
+/**
+ * Encrypt a .env.<env> file into .env.<env>.age.
+ *
+ * Either `keyFile` (path to a .age/key.pub) or `passphrase` must be supplied.
+ * If `keyFile` points to a private key (key.txt), the corresponding public key
+ * is derived automatically if key.pub lives alongside it.
+ *
+ * @returns The path to the written .age file
+ */
+export async function encryptEnv(options) {
+    const { folder, env, keyFile, passphrase } = options;
+    const plainPath = path.join(folder, `.env.${env}`);
+    const cipherPath = path.join(folder, `.env.${env}.age`);
+    // Read the plaintext env file
+    let plaintext;
+    try {
+        const buf = await fs.readFile(plainPath);
+        plaintext = new Uint8Array(buf);
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        throw new Error(`Cannot read ${plainPath}: ${msg}\n` +
+            `Make sure the file exists before encrypting.`);
+    }
+    const encrypter = new age.Encrypter();
+    if (passphrase) {
+        encrypter.setPassphrase(passphrase);
+    }
+    else if (keyFile) {
+        // Determine the pub file: prefer key.pub alongside the key file
+        const pubFile = keyFile.replace(/key\.txt$/, "key.pub");
+        let recipient;
+        try {
+            recipient = await readRecipientFromFile(pubFile);
+        }
+        catch {
+            // If no .pub, try reading the keyFile as a private key and deriving the recipient
+            const { readIdentityFromFile } = await import("./keygen.js");
+            const { identityToRecipient } = await import("age-encryption");
+            const identity = await readIdentityFromFile(keyFile);
+            recipient = await identityToRecipient(identity);
+        }
+        encrypter.addRecipient(recipient);
+    }
+    else {
+        throw new Error("Either --key (key file path) or --passphrase must be provided for encryption.");
+    }
+    const ciphertext = await encrypter.encrypt(plaintext);
+    await fs.writeFile(cipherPath, ciphertext);
+    return cipherPath;
+}
+/**
+ * Build the encrypted file path for a given folder + env.
+ */
+export function encryptedPath(folder, env) {
+    return path.join(folder, `.env.${env}.age`);
+}
+/**
+ * Build the plaintext file path for a given folder + env.
+ */
+export function plaintextPath(folder, env) {
+    return path.join(folder, `.env.${env}`);
+}
+//# sourceMappingURL=encrypt.js.map

package/dist/lib/encrypt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt.js","sourceRoot":"","sources":["../../src/lib/encrypt.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,KAAK,GAAG,MAAM,gBAAgB,CAAC;AACtC,OAAO,EAAE,MAAM,aAAa,CAAC;AAC7B,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAmB;IAClD,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAErD,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,EAAE,CAAC,CAAC;IACnD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAC,CAAC;IAExD,8BAA8B;IAC9B,IAAI,SAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QACzC,SAAS,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,eAAe,SAAS,KAAK,GAAG,IAAI;YAClC,8CAA8C,CACjD,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;IAEtC,IAAI,UAAU,EAAE,CAAC;QACf,SAAS,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IACtC,CAAC;SAAM,IAAI,OAAO,EAAE,CAAC;QACnB,gEAAgE;QAChE,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;QACxD,IAAI,SAAiB,CAAC;QACtB,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,qBAAqB,CAAC,OAAO,CAAC,CAAC;QACnD,CAAC;QAAC,MAAM,CAAC;YACP,kFAAkF;YAClF,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YAC7D,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,gBAAgB,CAAC,CAAC;YAC/D,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,CAAC;YACrD,SAAS,GAAG,MAAM,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAClD,CAAC;QACD,SAAS,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;IACpC,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CACb,+EAA+E,CAChF,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEtD,MAAM,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAE3C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,GAAW;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,MAAM,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,GAAW;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,GAAG,EAAE,CAAC,CAAC;AAC1C,CAAC"}

package/dist/lib/gitignore.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Ensures the envage gitignore rules are present in <cwd>/.gitignore.
+ * If the file doesn't exist, it is created. If the block already exists,
+ * it is updated in place.
+ */
+export declare function ensureGitignore(cwd?: string): Promise<void>;
+/**
+ * Checks whether any staged files in the current git repo are decrypted
+ * .env files (i.e. match .env* but NOT .env*.age).
+ *
+ * Returns an array of offending file paths.
+ * Returns empty array if git is not available or not in a repo.
+ */
+export declare function checkStagedEnvFiles(cwd?: string): string[];
+/**
+ * Returns the recommended gitignore content block as a string (for display).
+ */
+export declare function getGitignoreRules(): string;
+//# sourceMappingURL=gitignore.d.ts.map

package/dist/lib/gitignore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitignore.d.ts","sourceRoot":"","sources":["../../src/lib/gitignore.ts"],"names":[],"mappings":"AAuBA;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,GAAG,SAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CA8BxE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,SAAgB,GAAG,MAAM,EAAE,CAgBjE;AAED;;GAEG;AACH,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C"}

package/dist/lib/gitignore.js

@@ -0,0 +1,82 @@
+/**
+ * Git integration helpers:
+ * - generate .gitignore rules for env files
+ * - warn if decrypted env files are staged
+ */
+import fs from "fs/promises";
+import path from "path";
+import { execSync } from "child_process";
+/** The gitignore block managed by envage */
+const ENVAGE_BLOCK_START = "# --- envage managed ---";
+const ENVAGE_BLOCK_END = "# --- end envage ---";
+const ENVAGE_RULES = `${ENVAGE_BLOCK_START}
+# Decrypted env files — never commit
+.env*
+!.env*.age
+!.env.example
+!.env.template
+# Age private key
+.age/key.txt
+${ENVAGE_BLOCK_END}`;
+/**
+ * Ensures the envage gitignore rules are present in <cwd>/.gitignore.
+ * If the file doesn't exist, it is created. If the block already exists,
+ * it is updated in place.
+ */
+export async function ensureGitignore(cwd = process.cwd()) {
+    const gitignorePath = path.join(cwd, ".gitignore");
+    let existing = "";
+    try {
+        existing = await fs.readFile(gitignorePath, "utf-8");
+    }
+    catch {
+        // file doesn't exist — we'll create it
+    }
+    if (existing.includes(ENVAGE_BLOCK_START)) {
+        // Update the block in place
+        const startIdx = existing.indexOf(ENVAGE_BLOCK_START);
+        const endIdx = existing.indexOf(ENVAGE_BLOCK_END);
+        if (endIdx !== -1) {
+            const updated = existing.slice(0, startIdx) +
+                ENVAGE_RULES +
+                existing.slice(endIdx + ENVAGE_BLOCK_END.length);
+            await fs.writeFile(gitignorePath, updated, "utf-8");
+        }
+    }
+    else {
+        // Append the block
+        const separator = existing.endsWith("\n") || existing === "" ? "" : "\n";
+        await fs.writeFile(gitignorePath, existing + separator + "\n" + ENVAGE_RULES + "\n", "utf-8");
+    }
+}
+/**
+ * Checks whether any staged files in the current git repo are decrypted
+ * .env files (i.e. match .env* but NOT .env*.age).
+ *
+ * Returns an array of offending file paths.
+ * Returns empty array if git is not available or not in a repo.
+ */
+export function checkStagedEnvFiles(cwd = process.cwd()) {
+    try {
+        const output = execSync("git diff --cached --name-only", {
+            cwd,
+            encoding: "utf-8",
+            stdio: ["ignore", "pipe", "ignore"],
+        });
+        const staged = output.split("\n").filter(Boolean);
+        return staged.filter((f) => {
+            const base = path.basename(f);
+            return base.match(/^\.env/) && !base.endsWith(".age");
+        });
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Returns the recommended gitignore content block as a string (for display).
+ */
+export function getGitignoreRules() {
+    return ENVAGE_RULES;
+}
+//# sourceMappingURL=gitignore.js.map