@chriscode/hush 1.0.0 → 2.0.0

package/dist/cli.js

@@ -1,107 +1,222 @@
 #!/usr/bin/env node
-import { resolve } from 'node:path';
 import pc from 'picocolors';
 import { decryptCommand } from './commands/decrypt.js';
-import { editCommand } from './commands/edit.js';
 import { encryptCommand } from './commands/encrypt.js';
-import { pushCommand } from './commands/push.js';
+import { editCommand } from './commands/edit.js';
 import { statusCommand } from './commands/status.js';
-const HELP = `
+import { pushCommand } from './commands/push.js';
+import { initCommand } from './commands/init.js';
+import { listCommand } from './commands/list.js';
+import { inspectCommand } from './commands/inspect.js';
+import { hasCommand } from './commands/has.js';
+import { checkCommand } from './commands/check.js';
+const VERSION = '2.0.0';
+function printHelp() {
+    console.log(`
 ${pc.bold('hush')} - SOPS-based secrets management for monorepos
 
 ${pc.bold('Usage:')}
   hush <command> [options]
 
 ${pc.bold('Commands:')}
-  decrypt     Decrypt .env.encrypted and generate env files for all packages
-  encrypt     Encrypt .env to .env.encrypted
-  push        Push production secrets to Cloudflare Workers
-  edit        Open .env.encrypted in editor (SOPS inline edit)
-  status      Show discovered packages and their styles
-  help        Show this help message
+  init              Initialize hush.yaml config
+  encrypt           Encrypt source .env files
+  decrypt           Decrypt and distribute to targets
+  edit [file]       Edit encrypted file in $EDITOR
+  list              List all variables (shows values)
+  inspect           List all variables (masked values, AI-safe)
+  has <key>         Check if a secret exists (exit 0 if set, 1 if not)
+  check             Verify secrets are encrypted (for pre-commit hooks)
+  push              Push secrets to Cloudflare Workers
+  status            Show configuration and status
 
 ${pc.bold('Options:')}
-  --env <dev|prod>   Target environment (default: dev)
-  --dry-run          Don't make changes, just show what would happen
-  --root <path>      Monorepo root directory (default: cwd)
+  -e, --env <env>   Environment: development or production (default: development)
+  -r, --root <dir>  Root directory (default: current directory)
+  -q, --quiet       Suppress output (has/check commands)
+  --dry-run         Preview changes without applying (push only)
+  --warn            Warn but exit 0 on drift (check only)
+  --json            Output machine-readable JSON (check only)
+  --only-changed    Only check git-modified files (check only)
+  --require-source  Fail if source file is missing (check only)
+  -h, --help        Show this help message
+  -v, --version     Show version number
 
 ${pc.bold('Examples:')}
-  hush decrypt              Decrypt for development
-  hush decrypt --env prod   Decrypt for production
-  hush encrypt              Encrypt .env file
-  hush push                 Push prod secrets to Wrangler
-  hush push --dry-run       Preview what would be pushed
-  hush edit                 Edit encrypted file in $EDITOR
-  hush status               Show package detection info
-`;
+  hush init                     Initialize hush.yaml config
+  hush encrypt                  Encrypt .env files
+  hush decrypt                  Decrypt for development
+  hush decrypt -e production    Decrypt for production
+  hush edit                     Edit shared secrets
+  hush edit development         Edit development secrets
+  hush list                     List all variables (shows values)
+  hush inspect                  List all variables (masked, AI-safe)
+  hush has DATABASE_URL         Check if DATABASE_URL is set
+  hush has API_KEY -q && echo "API_KEY is configured"
+  hush check                    Verify secrets are encrypted
+  hush check --warn             Check but don't fail on drift
+  hush check --json             Output JSON for CI
+  hush push --dry-run           Preview push to Cloudflare
+  hush status                   Show current status
+`);
+}
+function parseEnvironment(value) {
+    if (value === 'development' || value === 'dev')
+        return 'development';
+    if (value === 'production' || value === 'prod')
+        return 'production';
+    return null;
+}
+function parseFileKey(value) {
+    if (value === 'shared' || value === 'development' || value === 'production')
+        return value;
+    if (value === 'dev')
+        return 'development';
+    if (value === 'prod')
+        return 'production';
+    return null;
+}
 function parseArgs(args) {
-    const result = {
-        command: 'help',
-        env: 'dev',
-        dryRun: false,
-        root: process.cwd(),
-    };
+    let command = '';
+    let env = 'development';
+    let root = process.cwd();
+    let dryRun = false;
+    let quiet = false;
+    let warn = false;
+    let json = false;
+    let onlyChanged = false;
+    let requireSource = false;
+    let file;
+    let key;
     for (let i = 0; i < args.length; i++) {
         const arg = args[i];
-        if (arg === '--env' && args[i + 1]) {
-            const envArg = args[i + 1];
-            if (envArg === 'dev' || envArg === 'prod') {
-                result.env = envArg;
+        if (arg === '-h' || arg === '--help') {
+            printHelp();
+            process.exit(0);
+        }
+        if (arg === '-v' || arg === '--version') {
+            console.log(VERSION);
+            process.exit(0);
+        }
+        if (arg === '-e' || arg === '--env') {
+            const nextArg = args[++i];
+            const parsed = parseEnvironment(nextArg);
+            if (parsed) {
+                env = parsed;
             }
             else {
-                console.error(pc.red(`Invalid environment: ${envArg}`));
-                console.error(pc.dim('Valid values: dev, prod'));
+                console.error(pc.red(`Invalid environment: ${nextArg}`));
+                console.error(pc.dim('Use: development, dev, production, or prod'));
                 process.exit(1);
             }
-            i++;
+            continue;
+        }
+        if (arg === '-r' || arg === '--root') {
+            root = args[++i];
+            continue;
+        }
+        if (arg === '--dry-run') {
+            dryRun = true;
+            continue;
+        }
+        if (arg === '-q' || arg === '--quiet') {
+            quiet = true;
+            continue;
         }
-        else if (arg === '--dry-run') {
-            result.dryRun = true;
+        if (arg === '--warn') {
+            warn = true;
+            continue;
         }
-        else if (arg === '--root' && args[i + 1]) {
-            result.root = resolve(args[i + 1]);
-            i++;
+        if (arg === '--json') {
+            json = true;
+            continue;
         }
-        else if (!arg.startsWith('-') && !result.command) {
-            result.command = arg;
+        if (arg === '--only-changed') {
+            onlyChanged = true;
+            continue;
         }
-        else if (!arg.startsWith('-')) {
-            result.command = arg;
+        if (arg === '--require-source') {
+            requireSource = true;
+            continue;
+        }
+        if (!command && !arg.startsWith('-')) {
+            command = arg;
+            continue;
+        }
+        if (command === 'edit' && !arg.startsWith('-')) {
+            const parsed = parseFileKey(arg);
+            if (parsed) {
+                file = parsed;
+            }
+            else {
+                console.error(pc.red(`Invalid file: ${arg}`));
+                console.error(pc.dim('Use: shared, development, or production'));
+                process.exit(1);
+            }
+            continue;
+        }
+        if (command === 'has' && !arg.startsWith('-') && !key) {
+            key = arg;
+            continue;
         }
     }
-    return result;
+    return { command, env, root, dryRun, quiet, warn, json, onlyChanged, requireSource, file, key };
 }
 async function main() {
     const args = process.argv.slice(2);
-    const parsed = parseArgs(args);
-    switch (parsed.command) {
-        case 'decrypt':
-            await decryptCommand({ root: parsed.root, env: parsed.env });
-            break;
-        case 'encrypt':
-            await encryptCommand({ root: parsed.root });
-            break;
-        case 'push':
-            await pushCommand({ root: parsed.root, dryRun: parsed.dryRun });
-            break;
-        case 'edit':
-            await editCommand({ root: parsed.root });
-            break;
-        case 'status':
-            await statusCommand({ root: parsed.root });
-            break;
-        case 'help':
-        case '--help':
-        case '-h':
-            console.log(HELP);
-            break;
-        default:
-            console.error(pc.red(`Unknown command: ${parsed.command}`));
-            console.log(HELP);
-            process.exit(1);
+    if (args.length === 0) {
+        printHelp();
+        process.exit(0);
+    }
+    const { command, env, root, dryRun, quiet, warn, json, onlyChanged, requireSource, file, key } = parseArgs(args);
+    try {
+        switch (command) {
+            case 'init':
+                await initCommand({ root });
+                break;
+            case 'encrypt':
+                await encryptCommand({ root });
+                break;
+            case 'decrypt':
+                await decryptCommand({ root, env });
+                break;
+            case 'edit':
+                await editCommand({ root, file });
+                break;
+            case 'list':
+                await listCommand({ root, env });
+                break;
+            case 'inspect':
+                await inspectCommand({ root, env });
+                break;
+            case 'has':
+                if (!key) {
+                    console.error(pc.red('Usage: hush has <KEY>'));
+                    process.exit(1);
+                }
+                await hasCommand({ root, env, key, quiet });
+                break;
+            case 'check':
+                await checkCommand({ root, warn, json, quiet, onlyChanged, requireSource });
+                break;
+            case 'push':
+                await pushCommand({ root, dryRun });
+                break;
+            case 'status':
+                await statusCommand({ root });
+                break;
+            default:
+                if (command) {
+                    console.error(pc.red(`Unknown command: ${command}`));
+                }
+                printHelp();
+                process.exit(1);
+        }
+    }
+    catch (error) {
+        const err = error;
+        console.error(pc.red(`Error: ${err.message}`));
+        process.exit(1);
     }
 }
-main().catch((error) => {
-    console.error(pc.red('Fatal error:'), error.message);
-    process.exit(1);
-});
+main();

package/dist/commands/check.d.ts

@@ -0,0 +1,4 @@
+import type { CheckOptions, CheckResult } from '../types.js';
+export declare function check(options: CheckOptions): Promise<CheckResult>;
+export declare function checkCommand(options: CheckOptions): Promise<void>;
+//# sourceMappingURL=check.d.ts.map

package/dist/commands/check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/commands/check.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,YAAY,EAAmB,WAAW,EAAc,MAAM,aAAa,CAAC;AA+C1F,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA4BvE;AAmLD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA6BvE"}

package/dist/commands/check.js

@@ -0,0 +1,249 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { execSync } from 'node:child_process';
+import pc from 'picocolors';
+import { loadConfig, findConfigPath } from '../config/loader.js';
+import { parseEnvContent } from '../core/parse.js';
+import { decrypt as sopsDecrypt, isSopsInstalled } from '../core/sops.js';
+import { computeDiff, isInSync } from '../lib/diff.js';
+function getSourceEncryptedPairs(config) {
+    const pairs = [];
+    if (config.sources.shared) {
+        pairs.push({
+            source: config.sources.shared,
+            encrypted: config.sources.shared + '.encrypted',
+            sourceKey: 'shared',
+        });
+    }
+    if (config.sources.development) {
+        pairs.push({
+            source: config.sources.development,
+            encrypted: config.sources.development + '.encrypted',
+            sourceKey: 'development',
+        });
+    }
+    if (config.sources.production) {
+        pairs.push({
+            source: config.sources.production,
+            encrypted: config.sources.production + '.encrypted',
+            sourceKey: 'production',
+        });
+    }
+    return pairs;
+}
+function getGitChangedFiles(root) {
+    try {
+        const staged = execSync('git diff --cached --name-only', { cwd: root, encoding: 'utf-8' });
+        const unstaged = execSync('git diff --name-only', { cwd: root, encoding: 'utf-8' });
+        const files = [...staged.split('\n'), ...unstaged.split('\n')].filter(Boolean);
+        return new Set(files);
+    }
+    catch {
+        return new Set();
+    }
+}
+export async function check(options) {
+    const { root, requireSource, onlyChanged } = options;
+    if (!isSopsInstalled()) {
+        return {
+            status: 'error',
+            files: [{
+                    source: '',
+                    encrypted: '',
+                    inSync: false,
+                    added: [],
+                    removed: [],
+                    changed: [],
+                    error: 'SOPS_NOT_INSTALLED',
+                }],
+        };
+    }
+    const configPath = findConfigPath(root);
+    if (!configPath) {
+        const config = loadConfig(root);
+        const pairs = getSourceEncryptedPairs(config);
+        return checkPairs(root, pairs, requireSource, onlyChanged);
+    }
+    const config = loadConfig(root);
+    const pairs = getSourceEncryptedPairs(config);
+    return checkPairs(root, pairs, requireSource, onlyChanged);
+}
+function checkPairs(root, pairs, requireSource, onlyChanged) {
+    const changedFiles = onlyChanged ? getGitChangedFiles(root) : null;
+    const results = [];
+    for (const { source, encrypted } of pairs) {
+        const sourcePath = join(root, source);
+        const encryptedPath = join(root, encrypted);
+        if (onlyChanged && changedFiles) {
+            const isSourceChanged = changedFiles.has(source);
+            const isEncryptedChanged = changedFiles.has(encrypted);
+            if (!isSourceChanged && !isEncryptedChanged) {
+                continue;
+            }
+        }
+        if (!existsSync(sourcePath)) {
+            if (requireSource) {
+                results.push({
+                    source,
+                    encrypted,
+                    inSync: false,
+                    added: [],
+                    removed: [],
+                    changed: [],
+                    error: 'SOURCE_MISSING',
+                });
+            }
+            continue;
+        }
+        if (!existsSync(encryptedPath)) {
+            const sourceContent = readFileSync(sourcePath, 'utf-8');
+            const sourceVars = parseEnvContent(sourceContent);
+            const allKeys = sourceVars.map(v => v.key);
+            results.push({
+                source,
+                encrypted,
+                inSync: false,
+                added: allKeys,
+                removed: [],
+                changed: [],
+                error: 'ENCRYPTED_MISSING',
+            });
+            continue;
+        }
+        try {
+            const decryptedContent = sopsDecrypt(encryptedPath);
+            const sourceContent = readFileSync(sourcePath, 'utf-8');
+            const sourceVars = parseEnvContent(sourceContent);
+            const encryptedVars = parseEnvContent(decryptedContent);
+            const diff = computeDiff(sourceVars, encryptedVars);
+            results.push({
+                source,
+                encrypted,
+                inSync: isInSync(diff),
+                added: diff.added,
+                removed: diff.removed,
+                changed: diff.changed,
+            });
+        }
+        catch (error) {
+            const err = error;
+            if (err.message.includes('No matching age key')) {
+                results.push({
+                    source,
+                    encrypted,
+                    inSync: false,
+                    added: [],
+                    removed: [],
+                    changed: [],
+                    error: 'DECRYPT_FAILED',
+                });
+            }
+            else {
+                throw error;
+            }
+        }
+    }
+    const hasError = results.some(r => r.error === 'SOPS_NOT_INSTALLED' || r.error === 'DECRYPT_FAILED');
+    const hasDrift = results.some(r => !r.inSync);
+    let status;
+    if (hasError) {
+        status = 'error';
+    }
+    else if (hasDrift) {
+        status = 'drift';
+    }
+    else {
+        status = 'ok';
+    }
+    return { status, files: results };
+}
+function formatTextOutput(result) {
+    const lines = [];
+    lines.push('Checking secrets...\n');
+    for (const file of result.files) {
+        if (file.error === 'SOPS_NOT_INSTALLED') {
+            lines.push(pc.red('Error: SOPS is not installed'));
+            lines.push(pc.dim('Run: brew install sops'));
+            continue;
+        }
+        if (file.error === 'SOURCE_MISSING') {
+            lines.push(pc.yellow(`Warning: ${file.source} not found (--require-source)`));
+            continue;
+        }
+        lines.push(`${file.source} ${pc.dim('->')} ${file.encrypted}`);
+        if (file.error === 'ENCRYPTED_MISSING') {
+            lines.push(pc.yellow(`  Warning: ${file.encrypted} not found`));
+            if (file.added.length > 0) {
+                lines.push(`  ${pc.yellow('All keys need encryption:')} ${file.added.join(', ')}`);
+            }
+            continue;
+        }
+        if (file.error === 'DECRYPT_FAILED') {
+            lines.push(pc.red(`  Error: Failed to decrypt ${file.encrypted}`));
+            lines.push(pc.dim("  This usually means your age key doesn't match."));
+            lines.push(pc.dim('  Check: ~/.config/sops/age/key.txt'));
+            continue;
+        }
+        if (file.inSync) {
+            lines.push(pc.green('  ✓ In sync'));
+        }
+        else {
+            if (file.added.length > 0) {
+                lines.push(`  ${pc.yellow('Added keys:')}   ${file.added.join(', ')}`);
+            }
+            if (file.removed.length > 0) {
+                lines.push(`  ${pc.yellow('Removed keys:')} ${file.removed.join(', ')}`);
+            }
+            if (file.changed.length > 0) {
+                lines.push(`  ${pc.yellow('Changed keys:')} ${file.changed.join(', ')}`);
+            }
+        }
+        lines.push('');
+    }
+    const driftCount = result.files.filter(f => !f.inSync && !f.error).length;
+    const errorCount = result.files.filter(f => f.error === 'ENCRYPTED_MISSING').length;
+    const totalDrift = driftCount + errorCount;
+    if (result.status === 'error') {
+        const sopsError = result.files.find(f => f.error === 'SOPS_NOT_INSTALLED');
+        if (sopsError) {
+            return lines.join('\n');
+        }
+        lines.push(pc.red('✗ Errors occurred during check'));
+    }
+    else if (totalDrift > 0) {
+        lines.push(pc.yellow(`✗ Drift detected in ${totalDrift} file(s)`));
+        lines.push(pc.dim('Run: hush encrypt'));
+    }
+    else if (result.files.length > 0) {
+        lines.push(pc.green('✓ All secrets in sync'));
+    }
+    return lines.join('\n');
+}
+function formatJsonOutput(result) {
+    return JSON.stringify(result, null, 2);
+}
+export async function checkCommand(options) {
+    const result = await check(options);
+    if (!options.quiet) {
+        if (options.json) {
+            console.log(formatJsonOutput(result));
+        }
+        else {
+            console.log(formatTextOutput(result));
+        }
+    }
+    if (result.status === 'error') {
+        const hasSopsError = result.files.some(f => f.error === 'SOPS_NOT_INSTALLED');
+        const hasDecryptError = result.files.some(f => f.error === 'DECRYPT_FAILED');
+        if (hasSopsError || hasDecryptError) {
+            process.exit(3);
+        }
+        if (result.files.some(f => f.error === 'SOURCE_MISSING')) {
+            process.exit(2);
+        }
+    }
+    if (result.status === 'drift' && !options.warn) {
+        process.exit(1);
+    }
+    process.exit(0);
+}

package/dist/commands/decrypt.d.ts

@@ -1,11 +1,3 @@
-import type { Environment } from '../types.js';
-interface DecryptOptions {
-    root: string;
-    env?: Environment;
-}
-/**
- * Decrypt command - decrypt .env.encrypted and generate env files for all packages
- */
+import type { DecryptOptions } from '../types.js';
 export declare function decryptCommand(options: DecryptOptions): Promise<void>;
-export {};
 //# sourceMappingURL=decrypt.d.ts.map

package/dist/commands/decrypt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../src/commands/decrypt.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,WAAW,EAAmB,MAAM,aAAa,CAAC;AAEhE,UAAU,cAAc;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,WAAW,CAAC;CACnB;AAqCD;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAwF3E"}
+{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../src/commands/decrypt.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,cAAc,EAAU,MAAM,aAAa,CAAC;AAO1D,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CA2E3E"}