@boltpl/envseal 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 mgrom
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,88 @@
+# envseal
+
+encrypt secrets at rest, inject at runtime. no plaintext on disk.
+
+## install
+
+```bash
+npm install -g envseal
+```
+
+## usage
+
+### passphrase mode (dev/laptop)
+
+```bash
+envseal init
+envseal set DATABASE_URL "postgres://..."
+envseal set STRIPE_KEY "sk_live_..."
+envseal run -- node server.js    # prompts for passphrase, injects env
+```
+
+### keyfile mode (servers)
+
+```bash
+cd ~/projects/myapp
+envseal keygen              # generates ~/.envseal/keys/myapp.key (auto-named after directory)
+envseal init --keyfile
+envseal set DATABASE_URL "postgres://..."   # auto-finds key, no config needed
+envseal run -- node server.js               # just works
+
+# in systemd unit - zero interaction
+# ExecStart=envseal run -- node server.js
+```
+
+key is stored in `~/.envseal/keys/<project-dir>.key`, vault is `.envseal.vault` in project dir. separated by default.
+
+### other commands
+
+```bash
+envseal get KEY              # decrypt single value
+envseal list                 # show key names (not values)
+envseal rm KEY               # remove a secret
+envseal export               # decrypt all as KEY=VALUE on stdout
+envseal import .env          # bulk import from .env file
+envseal keygen --out PATH    # custom key location
+```
+
+## key resolution
+
+in keyfile mode, envseal looks for the key in order:
+
+1. `ENVSEAL_KEY` env var (base64 key directly)
+2. `ENVSEAL_KEY_FILE` env var (path to key file)
+3. `~/.envseal/keys/<project-dir-name>.key` (auto-resolve)
+
+in passphrase mode, same lookup order, then falls back to interactive prompt. `ENVSEAL_PASSPHRASE` env var skips the prompt.
+
+## how it works
+
+secrets are encrypted with AES-256-GCM. in passphrase mode, the encryption key is derived via scrypt. in keyfile mode, the key is a random 256-bit value.
+
+the vault (`.envseal.vault`) stores key names in plaintext, values as encrypted blobs. `envseal run` decrypts everything in memory, passes secrets as env vars to the child process, then exits. nothing plaintext touches disk.
+
+zero dependencies - uses only node's built-in `crypto` module.
+
+## vault format
+
+```json
+{
+  "version": 2,
+  "keyMode": "keyfile",
+  "secrets": {
+    "DATABASE_URL": { "iv": "...", "data": "...", "tag": "..." }
+  }
+}
+```
+
+## security model
+
+protects secrets at rest and from automated exfiltration. scanners grepping for `.env`, `sk-`, `ghp_`, private keys find nothing.
+
+in keyfile mode, key and vault are in different locations with different permissions. attacker needs both.
+
+not a defense against an active attacker with same-UID shell access. they can read `/proc/<pid>/environ` or attach a debugger. no userspace tool prevents that.
+
+## license
+
+MIT

package/bin/envseal

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+require("../dist/cli.js");

package/dist/cli.d.ts

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+export {};

package/dist/cli.js

@@ -0,0 +1,226 @@
+#!/usr/bin/env node
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const vault_1 = require("./vault");
+const prompt_1 = require("./prompt");
+const run_1 = require("./run");
+const crypto_1 = require("./crypto");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+function requireVault() {
+    const vp = (0, vault_1.findVault)();
+    if (!vp) {
+        console.error("no vault found. run `envseal init` first.");
+        process.exit(1);
+    }
+    return vp;
+}
+function keysDir() {
+    return path.join(process.env.HOME || "/root", ".envseal", "keys");
+}
+function projectName() {
+    return path.basename(process.cwd());
+}
+function defaultKeyPath() {
+    return path.join(keysDir(), projectName() + ".key");
+}
+function resolveKeyFile() {
+    // 1. ENVSEAL_KEY — raw base64 key in env
+    const envKey = process.env.ENVSEAL_KEY;
+    if (envKey)
+        return Buffer.from(envKey, "base64");
+    // 2. ENVSEAL_KEY_FILE — path to key file
+    const envKeyFile = process.env.ENVSEAL_KEY_FILE;
+    if (envKeyFile) {
+        if (!fs.existsSync(envKeyFile)) {
+            console.error(`key file not found: ${envKeyFile}`);
+            process.exit(1);
+        }
+        return Buffer.from(fs.readFileSync(envKeyFile, "utf8").trim(), "base64");
+    }
+    // 3. ~/.envseal/keys/<project-dir-name>.key
+    const autoKey = defaultKeyPath();
+    if (fs.existsSync(autoKey)) {
+        return Buffer.from(fs.readFileSync(autoKey, "utf8").trim(), "base64");
+    }
+    return null;
+}
+async function getCredentials(vaultPath) {
+    const mode = (0, vault_1.getVaultMode)(vaultPath);
+    if (mode === "keyfile") {
+        const keyBuf = resolveKeyFile();
+        if (!keyBuf) {
+            console.error("keyfile mode but no key found. set ENVSEAL_KEY, ENVSEAL_KEY_FILE, or place .envseal.key");
+            process.exit(1);
+        }
+        return { keyBuf };
+    }
+    // passphrase mode — check for keyfile first (override), then prompt
+    const keyBuf = resolveKeyFile();
+    if (keyBuf)
+        return { keyBuf };
+    const passphrase = await (0, prompt_1.readPassphrase)();
+    return { passphrase };
+}
+async function main() {
+    const args = process.argv.slice(2);
+    const cmd = args[0];
+    switch (cmd) {
+        case "init": {
+            const useKeyfile = args.includes("--keyfile");
+            const p = (0, vault_1.createVault)(undefined, useKeyfile ? "keyfile" : "passphrase");
+            console.log(`created ${p} (${useKeyfile ? "keyfile" : "passphrase"} mode)`);
+            break;
+        }
+        case "keygen": {
+            const outIdx = args.indexOf("--out");
+            const outPath = outIdx !== -1 ? args[outIdx + 1] : defaultKeyPath();
+            const key = (0, crypto_1.generateKeyFile)();
+            const outDir = path.dirname(outPath);
+            if (outDir && !fs.existsSync(outDir))
+                fs.mkdirSync(outDir, { recursive: true, mode: 0o700 });
+            fs.writeFileSync(outPath, key.toString("base64") + "\n", { mode: 0o400 });
+            console.log(`key written to ${outPath}`);
+            break;
+        }
+        case "set": {
+            const vp = requireVault();
+            const key = args[1];
+            const val = args[2];
+            if (!key || val === undefined) {
+                console.error("usage: envseal set KEY VALUE");
+                process.exit(1);
+            }
+            const creds = await getCredentials(vp);
+            (0, vault_1.setSecret)(vp, key, val, creds.passphrase, creds.keyBuf);
+            console.log(`set ${key}`);
+            break;
+        }
+        case "get": {
+            const vp = requireVault();
+            const key = args[1];
+            if (!key) {
+                console.error("usage: envseal get KEY");
+                process.exit(1);
+            }
+            const creds = await getCredentials(vp);
+            console.log((0, vault_1.getSecret)(vp, key, creds.passphrase, creds.keyBuf));
+            break;
+        }
+        case "list": {
+            const vp = requireVault();
+            for (const k of (0, vault_1.listKeys)(vp))
+                console.log(k);
+            break;
+        }
+        case "rm": {
+            const vp = requireVault();
+            const key = args[1];
+            if (!key) {
+                console.error("usage: envseal rm KEY");
+                process.exit(1);
+            }
+            (0, vault_1.removeKey)(vp, key);
+            console.log(`removed ${key}`);
+            break;
+        }
+        case "export": {
+            const vp = requireVault();
+            const creds = await getCredentials(vp);
+            const secrets = (0, vault_1.getAllSecrets)(vp, creds.passphrase, creds.keyBuf);
+            for (const [k, v] of Object.entries(secrets)) {
+                console.log(`${k}=${v}`);
+            }
+            break;
+        }
+        case "import": {
+            const vp = requireVault();
+            const file = args[1];
+            if (!file) {
+                console.error("usage: envseal import FILE");
+                process.exit(1);
+            }
+            const creds = await getCredentials(vp);
+            const lines = fs.readFileSync(file, "utf8").split("\n");
+            let count = 0;
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (!trimmed || trimmed.startsWith("#"))
+                    continue;
+                const eq = trimmed.indexOf("=");
+                if (eq === -1)
+                    continue;
+                const key = trimmed.slice(0, eq).trim();
+                const val = trimmed.slice(eq + 1).trim();
+                (0, vault_1.setSecret)(vp, key, val, creds.passphrase, creds.keyBuf);
+                count++;
+            }
+            console.log(`imported ${count} secrets`);
+            break;
+        }
+        case "run": {
+            const vp = requireVault();
+            const dashIdx = args.indexOf("--");
+            if (dashIdx === -1 || dashIdx === args.length - 1) {
+                console.error("usage: envseal run -- COMMAND [ARGS...]");
+                process.exit(1);
+            }
+            const creds = await getCredentials(vp);
+            const secrets = (0, vault_1.getAllSecrets)(vp, creds.passphrase, creds.keyBuf);
+            const childArgs = args.slice(dashIdx + 1);
+            const code = await (0, run_1.runCommand)(childArgs, secrets);
+            process.exit(code);
+            break;
+        }
+        default:
+            console.error("usage: envseal <init|keygen|set|get|list|rm|export|import|run>");
+            console.error("");
+            console.error("  init [--keyfile]         create vault (passphrase or keyfile mode)");
+            console.error("  keygen [--out PATH]      generate random key file");
+            console.error("  set KEY VALUE            add or update a secret");
+            console.error("  get KEY                  decrypt and print a secret");
+            console.error("  list                     show secret names");
+            console.error("  rm KEY                   remove a secret");
+            console.error("  export                   decrypt all as KEY=VALUE");
+            console.error("  import FILE              bulk import from .env file");
+            console.error("  run -- CMD [ARGS]        run command with secrets in env");
+            process.exit(1);
+    }
+}
+main().catch((err) => {
+    console.error(err.message);
+    process.exit(1);
+});

package/dist/crypto.d.ts

@@ -0,0 +1,10 @@
+export interface EncryptedValue {
+    iv: string;
+    data: string;
+    tag: string;
+}
+export declare function deriveKey(passphrase: string, salt: Buffer): Buffer;
+export declare function generateKeyFile(): Buffer;
+export declare function generateSalt(): Buffer;
+export declare function encrypt(plaintext: string, key: Buffer): EncryptedValue;
+export declare function decrypt(enc: EncryptedValue, key: Buffer): string;

package/dist/crypto.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deriveKey = deriveKey;
+exports.generateKeyFile = generateKeyFile;
+exports.generateSalt = generateSalt;
+exports.encrypt = encrypt;
+exports.decrypt = decrypt;
+const crypto_1 = require("crypto");
+const ALGO = "aes-256-gcm";
+const SCRYPT_N = 2 ** 14;
+const SCRYPT_R = 8;
+const SCRYPT_P = 1;
+const KEY_LEN = 32;
+const IV_LEN = 12;
+const SALT_LEN = 16;
+function deriveKey(passphrase, salt) {
+    return (0, crypto_1.scryptSync)(passphrase, salt, KEY_LEN, {
+        N: SCRYPT_N,
+        r: SCRYPT_R,
+        p: SCRYPT_P,
+        maxmem: 64 * 1024 * 1024,
+    });
+}
+function generateKeyFile() {
+    return (0, crypto_1.randomBytes)(KEY_LEN);
+}
+function generateSalt() {
+    return (0, crypto_1.randomBytes)(SALT_LEN);
+}
+function encrypt(plaintext, key) {
+    const iv = (0, crypto_1.randomBytes)(IV_LEN);
+    const cipher = (0, crypto_1.createCipheriv)(ALGO, key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+        iv: iv.toString("base64"),
+        data: encrypted.toString("base64"),
+        tag: tag.toString("base64"),
+    };
+}
+function decrypt(enc, key) {
+    const iv = Buffer.from(enc.iv, "base64");
+    const data = Buffer.from(enc.data, "base64");
+    const tag = Buffer.from(enc.tag, "base64");
+    const decipher = (0, crypto_1.createDecipheriv)(ALGO, key, iv);
+    decipher.setAuthTag(tag);
+    return Buffer.concat([decipher.update(data), decipher.final()]).toString("utf8");
+}

package/dist/prompt.d.ts

@@ -0,0 +1 @@
+export declare function readPassphrase(prompt?: string): Promise<string>;

package/dist/prompt.js

@@ -0,0 +1,60 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readPassphrase = readPassphrase;
+const fs = __importStar(require("fs"));
+const readline = __importStar(require("readline"));
+function readPassphrase(prompt = "passphrase: ") {
+    const envPass = process.env.ENVSEAL_PASSPHRASE;
+    if (envPass)
+        return Promise.resolve(envPass);
+    return new Promise((resolve, reject) => {
+        let ttyFd;
+        try {
+            ttyFd = fs.openSync("/dev/tty", "r");
+        }
+        catch {
+            reject(new Error("cannot open /dev/tty — set ENVSEAL_PASSPHRASE env var"));
+            return;
+        }
+        const ttyStream = fs.createReadStream("", { fd: ttyFd });
+        const rl = readline.createInterface({ input: ttyStream, output: process.stderr });
+        rl.question(prompt, (answer) => {
+            rl.close();
+            ttyStream.destroy();
+            resolve(answer);
+        });
+    });
+}

package/dist/run.d.ts

@@ -0,0 +1 @@
+export declare function runCommand(command: string[], extraEnv: Record<string, string>): Promise<number>;

package/dist/run.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runCommand = runCommand;
+const child_process_1 = require("child_process");
+function runCommand(command, extraEnv) {
+    return new Promise((resolve, reject) => {
+        const merged = {};
+        for (const [k, v] of Object.entries(process.env)) {
+            if (v !== undefined)
+                merged[k] = v;
+        }
+        Object.assign(merged, extraEnv);
+        const child = (0, child_process_1.spawn)(command[0], command.slice(1), {
+            stdio: "inherit",
+            env: merged,
+        });
+        child.on("error", reject);
+        child.on("close", (code) => resolve(code ?? 1));
+    });
+}

package/dist/vault.d.ts

@@ -0,0 +1,16 @@
+import { EncryptedValue } from "./crypto";
+export interface Vault {
+    version: number;
+    keyMode: "passphrase" | "keyfile";
+    salt?: string;
+    secrets: Record<string, EncryptedValue>;
+}
+export declare function findVault(from?: string): string | null;
+export declare function createVault(dir?: string, keyMode?: "passphrase" | "keyfile"): string;
+export declare function resolveKey(vault: Vault, passphrase?: string, keyBuf?: Buffer): Buffer;
+export declare function getVaultMode(vaultPath: string): "passphrase" | "keyfile";
+export declare function setSecret(vaultPath: string, key: string, value: string, passphrase?: string, keyBuf?: Buffer): void;
+export declare function getSecret(vaultPath: string, key: string, passphrase?: string, keyBuf?: Buffer): string;
+export declare function listKeys(vaultPath: string): string[];
+export declare function removeKey(vaultPath: string, key: string): void;
+export declare function getAllSecrets(vaultPath: string, passphrase?: string, keyBuf?: Buffer): Record<string, string>;

package/dist/vault.js

@@ -0,0 +1,147 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.findVault = findVault;
+exports.createVault = createVault;
+exports.resolveKey = resolveKey;
+exports.getVaultMode = getVaultMode;
+exports.setSecret = setSecret;
+exports.getSecret = getSecret;
+exports.listKeys = listKeys;
+exports.removeKey = removeKey;
+exports.getAllSecrets = getAllSecrets;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const crypto_1 = require("./crypto");
+const VAULT_FILE = ".envseal.vault";
+function findVault(from) {
+    let dir;
+    try {
+        dir = from || process.cwd();
+    }
+    catch {
+        return null;
+    }
+    while (true) {
+        const candidate = path.join(dir, VAULT_FILE);
+        if (fs.existsSync(candidate))
+            return candidate;
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            return null;
+        dir = parent;
+    }
+}
+function createVault(dir, keyMode = "passphrase") {
+    const target = path.join(dir || process.cwd(), VAULT_FILE);
+    if (fs.existsSync(target)) {
+        throw new Error("vault already exists at " + target);
+    }
+    const vault = {
+        version: 2,
+        keyMode,
+        secrets: {},
+    };
+    if (keyMode === "passphrase") {
+        vault.salt = (0, crypto_1.generateSalt)().toString("base64");
+    }
+    fs.writeFileSync(target, JSON.stringify(vault, null, 2) + "\n");
+    return target;
+}
+function readVault(vaultPath) {
+    const raw = fs.readFileSync(vaultPath, "utf8");
+    const parsed = JSON.parse(raw);
+    // migrate v1 vaults
+    if (parsed.version === 1) {
+        parsed.version = 2;
+        parsed.keyMode = "passphrase";
+    }
+    if (parsed.version !== 2) {
+        throw new Error("unsupported vault version: " + parsed.version);
+    }
+    return parsed;
+}
+function writeVault(vaultPath, vault) {
+    fs.writeFileSync(vaultPath, JSON.stringify(vault, null, 2) + "\n");
+}
+function resolveKey(vault, passphrase, keyBuf) {
+    if (vault.keyMode === "keyfile") {
+        if (!keyBuf)
+            throw new Error("keyfile required but not provided");
+        return keyBuf;
+    }
+    // passphrase mode
+    if (!passphrase)
+        throw new Error("passphrase required");
+    if (!vault.salt)
+        throw new Error("vault missing salt");
+    return (0, crypto_1.deriveKey)(passphrase, Buffer.from(vault.salt, "base64"));
+}
+function getVaultMode(vaultPath) {
+    return readVault(vaultPath).keyMode;
+}
+function setSecret(vaultPath, key, value, passphrase, keyBuf) {
+    const vault = readVault(vaultPath);
+    const dk = resolveKey(vault, passphrase, keyBuf);
+    vault.secrets[key] = (0, crypto_1.encrypt)(value, dk);
+    writeVault(vaultPath, vault);
+}
+function getSecret(vaultPath, key, passphrase, keyBuf) {
+    const vault = readVault(vaultPath);
+    const enc = vault.secrets[key];
+    if (!enc)
+        throw new Error("secret not found: " + key);
+    const dk = resolveKey(vault, passphrase, keyBuf);
+    return (0, crypto_1.decrypt)(enc, dk);
+}
+function listKeys(vaultPath) {
+    return Object.keys(readVault(vaultPath).secrets);
+}
+function removeKey(vaultPath, key) {
+    const vault = readVault(vaultPath);
+    if (!vault.secrets[key])
+        throw new Error("secret not found: " + key);
+    delete vault.secrets[key];
+    writeVault(vaultPath, vault);
+}
+function getAllSecrets(vaultPath, passphrase, keyBuf) {
+    const vault = readVault(vaultPath);
+    const dk = resolveKey(vault, passphrase, keyBuf);
+    const result = {};
+    for (const [k, enc] of Object.entries(vault.secrets)) {
+        result[k] = (0, crypto_1.decrypt)(enc, dk);
+    }
+    return result;
+}

package/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "@boltpl/envseal",
+  "version": "1.0.0",
+  "description": "encrypt secrets at rest, inject at runtime",
+  "main": "dist/cli.js",
+  "bin": {
+    "envseal": "bin/envseal"
+  },
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "tsc"
+  },
+  "keywords": ["env", "secrets", "encryption", "vault", "dotenv", "security"],
+  "author": "mgrom",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mgrom/envseal.git"
+  },
+  "homepage": "https://github.com/mgrom/envseal",
+  "engines": {
+    "node": ">=18"
+  },
+  "files": ["dist", "bin", "LICENSE", "README.md"],
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "typescript": "^5.5.0"
+  }
+}