@chriscode/hush 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Chris Hasson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,194 @@
+# @chriscode/hush
+
+> SOPS-based secrets management for monorepos. Encrypt once, decrypt everywhere.
+
+Hush manages secrets across your monorepo using [SOPS](https://github.com/getsops/sops) with [age](https://github.com/FiloSottile/age) encryption. It automatically detects your packages and generates the right env files for each.
+
+## Features
+
+- **Single encrypted file** - One `.env.encrypted` committed to git
+- **Environment prefixes** - `DEV__` and `PROD__` for env-specific values
+- **Auto-detection** - Finds packages, detects Wrangler vs standard
+- **Smart routing** - `EXPO_PUBLIC_*` to apps, other vars to APIs
+- **Cloudflare integration** - Push secrets to Workers with one command
+
+## Installation
+
+```bash
+pnpm add -D @chriscode/hush
+# or
+npm install -D @chriscode/hush
+```
+
+### Prerequisites
+
+```bash
+brew install sops age
+```
+
+Set up your age key:
+
+```bash
+mkdir -p ~/.config/sops/age
+age-keygen -o ~/.config/sops/age/key.txt
+```
+
+## Quick Start
+
+### 1. Create `.sops.yaml` in your repo root
+
+```yaml
+creation_rules:
+  - encrypted_regex: '.*'
+    age: YOUR_AGE_PUBLIC_KEY
+```
+
+Get your public key from `~/.config/sops/age/key.txt`.
+
+### 2. Create `.env` with your secrets
+
+```bash
+# Shared across all environments
+DATABASE_URL=postgres://localhost/mydb
+EXPO_PUBLIC_API_KEY=pk_xxx
+
+# Development only (prefix stripped on decrypt)
+DEV__EXPO_PUBLIC_API_URL=http://localhost:8787
+
+# Production only
+PROD__EXPO_PUBLIC_API_URL=https://api.example.com
+```
+
+### 3. Encrypt and use
+
+```bash
+# Encrypt your secrets
+npx hush encrypt
+
+# Decrypt for local development
+npx hush decrypt
+
+# Check your setup
+npx hush status
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `hush decrypt` | Decrypt and generate env files for all packages |
+| `hush decrypt --env prod` | Decrypt with production values |
+| `hush encrypt` | Encrypt `.env` to `.env.encrypted` |
+| `hush edit` | Edit encrypted file in `$EDITOR` |
+| `hush push` | Push production secrets to Cloudflare Workers |
+| `hush push --dry-run` | Preview what would be pushed |
+| `hush status` | Show setup status and discovered packages |
+
+## Package Scripts
+
+Add to your `package.json`:
+
+```json
+{
+  "scripts": {
+    "secrets": "hush",
+    "secrets:decrypt": "hush decrypt",
+    "secrets:encrypt": "hush encrypt",
+    "secrets:edit": "hush edit",
+    "secrets:push": "hush push",
+    "secrets:status": "hush status"
+  }
+}
+```
+
+## How It Works
+
+### Package Detection
+
+Hush scans for `package.json` files and determines the package type:
+
+| Detection | Type | Output |
+|-----------|------|--------|
+| `wrangler.toml` (Workers) | wrangler | `.dev.vars` |
+| `wrangler.toml` with `pages_build_output_dir` | standard | `.env.development` |
+| No wrangler.toml | standard | `.env.development` |
+
+### Variable Routing
+
+- `EXPO_PUBLIC_*` → Standard packages only (apps, Pages)
+- Other variables → Wrangler packages only (Workers APIs)
+
+This ensures client-side vars go to your app and server secrets go to your API.
+
+### Environment Prefixes
+
+```bash
+# No prefix = shared
+API_KEY=xxx
+
+# DEV__ prefix = development only (stripped to API_KEY)
+DEV__API_KEY=dev_xxx
+
+# PROD__ prefix = production only (stripped to API_KEY)
+PROD__API_KEY=prod_xxx
+```
+
+When you run `hush decrypt`:
+- `--env dev` (default): Uses `DEV__` vars, ignores `PROD__`
+- `--env prod`: Uses `PROD__` vars, ignores `DEV__`
+
+## Local Overrides
+
+Create `.env.local` (gitignored) for personal overrides:
+
+```bash
+# .env.local
+MY_DEBUG_VAR=true
+```
+
+Local overrides are merged last and take precedence.
+
+## Programmatic Usage
+
+```typescript
+import { 
+  discoverPackages, 
+  decrypt, 
+  parseEnvContent,
+  getVarsForEnvironment 
+} from '@chriscode/hush';
+
+const packages = await discoverPackages('/path/to/monorepo');
+const content = decrypt('/path/to/.env.encrypted');
+const vars = parseEnvContent(content);
+const devVars = getVarsForEnvironment(vars, 'dev');
+```
+
+## File Reference
+
+| File | Committed | Purpose |
+|------|-----------|---------|
+| `.env.encrypted` | Yes | Encrypted secrets (source of truth) |
+| `.sops.yaml` | Yes | SOPS config with public key |
+| `.env` | No | Generated root env |
+| `.env.local` | No | Personal overrides |
+| `.env.development` | No | Generated dev env |
+| `.env.production` | No | Generated prod env |
+| `api/.dev.vars` | No | Generated Wrangler secrets |
+
+## Troubleshooting
+
+### "No identity matched"
+Your age key doesn't match. Get the correct key from a team member.
+
+### "SOPS is not installed"
+```bash
+brew install sops
+```
+
+### Package detected as wrong type
+Check for unexpected `wrangler.toml` files. For Cloudflare Pages, ensure it has `pages_build_output_dir` to be treated as standard.
+
+## License
+
+MIT

package/bin/hush.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import('../dist/cli.js');

package/dist/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -0,0 +1,107 @@
+#!/usr/bin/env node
+import { resolve } from 'node:path';
+import pc from 'picocolors';
+import { decryptCommand } from './commands/decrypt.js';
+import { editCommand } from './commands/edit.js';
+import { encryptCommand } from './commands/encrypt.js';
+import { pushCommand } from './commands/push.js';
+import { statusCommand } from './commands/status.js';
+const HELP = `
+${pc.bold('hush')} - SOPS-based secrets management for monorepos
+
+${pc.bold('Usage:')}
+  hush <command> [options]
+
+${pc.bold('Commands:')}
+  decrypt     Decrypt .env.encrypted and generate env files for all packages
+  encrypt     Encrypt .env to .env.encrypted
+  push        Push production secrets to Cloudflare Workers
+  edit        Open .env.encrypted in editor (SOPS inline edit)
+  status      Show discovered packages and their styles
+  help        Show this help message
+
+${pc.bold('Options:')}
+  --env <dev|prod>   Target environment (default: dev)
+  --dry-run          Don't make changes, just show what would happen
+  --root <path>      Monorepo root directory (default: cwd)
+
+${pc.bold('Examples:')}
+  hush decrypt              Decrypt for development
+  hush decrypt --env prod   Decrypt for production
+  hush encrypt              Encrypt .env file
+  hush push                 Push prod secrets to Wrangler
+  hush push --dry-run       Preview what would be pushed
+  hush edit                 Edit encrypted file in $EDITOR
+  hush status               Show package detection info
+`;
+function parseArgs(args) {
+    const result = {
+        command: 'help',
+        env: 'dev',
+        dryRun: false,
+        root: process.cwd(),
+    };
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg === '--env' && args[i + 1]) {
+            const envArg = args[i + 1];
+            if (envArg === 'dev' || envArg === 'prod') {
+                result.env = envArg;
+            }
+            else {
+                console.error(pc.red(`Invalid environment: ${envArg}`));
+                console.error(pc.dim('Valid values: dev, prod'));
+                process.exit(1);
+            }
+            i++;
+        }
+        else if (arg === '--dry-run') {
+            result.dryRun = true;
+        }
+        else if (arg === '--root' && args[i + 1]) {
+            result.root = resolve(args[i + 1]);
+            i++;
+        }
+        else if (!arg.startsWith('-') && !result.command) {
+            result.command = arg;
+        }
+        else if (!arg.startsWith('-')) {
+            result.command = arg;
+        }
+    }
+    return result;
+}
+async function main() {
+    const args = process.argv.slice(2);
+    const parsed = parseArgs(args);
+    switch (parsed.command) {
+        case 'decrypt':
+            await decryptCommand({ root: parsed.root, env: parsed.env });
+            break;
+        case 'encrypt':
+            await encryptCommand({ root: parsed.root });
+            break;
+        case 'push':
+            await pushCommand({ root: parsed.root, dryRun: parsed.dryRun });
+            break;
+        case 'edit':
+            await editCommand({ root: parsed.root });
+            break;
+        case 'status':
+            await statusCommand({ root: parsed.root });
+            break;
+        case 'help':
+        case '--help':
+        case '-h':
+            console.log(HELP);
+            break;
+        default:
+            console.error(pc.red(`Unknown command: ${parsed.command}`));
+            console.log(HELP);
+            process.exit(1);
+    }
+}
+main().catch((error) => {
+    console.error(pc.red('Fatal error:'), error.message);
+    process.exit(1);
+});

package/dist/commands/decrypt.d.ts

@@ -0,0 +1,11 @@
+import type { Environment } from '../types.js';
+interface DecryptOptions {
+    root: string;
+    env?: Environment;
+}
+/**
+ * Decrypt command - decrypt .env.encrypted and generate env files for all packages
+ */
+export declare function decryptCommand(options: DecryptOptions): Promise<void>;
+export {};
+//# sourceMappingURL=decrypt.d.ts.map

package/dist/commands/decrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../src/commands/decrypt.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,WAAW,EAAmB,MAAM,aAAa,CAAC;AAEhE,UAAU,cAAc;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,WAAW,CAAC;CACnB;AAqCD;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAwF3E"}

package/dist/commands/decrypt.js

@@ -0,0 +1,105 @@
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import pc from 'picocolors';
+import { discoverPackages } from '../core/discover.js';
+import { expandVariables, formatEnvFile, getVarsForEnvironment, mergeEnvVars, parseEnvContent, parseEnvFile, } from '../core/parse.js';
+import { decrypt as sopsDecrypt } from '../core/sops.js';
+/**
+ * Get output files for a package based on its style and environment
+ */
+function getOutputFiles(pkg, env) {
+    if (pkg.style === 'wrangler') {
+        // Wrangler always uses .dev.vars (even for "prod" we generate dev vars for local testing)
+        return [{ path: '.dev.vars', env }];
+    }
+    // Standard style outputs environment-specific files
+    if (env === 'dev') {
+        return [{ path: '.env.development', env: 'dev' }];
+    }
+    else {
+        return [{ path: '.env.production', env: 'prod' }];
+    }
+}
+/**
+ * Filter variables for a package based on naming conventions
+ * - EXPO_PUBLIC_* vars only go to non-wrangler packages
+ * - Other vars go to wrangler packages
+ */
+function filterVarsForPackage(vars, pkg) {
+    if (pkg.style === 'wrangler') {
+        // Wrangler gets everything EXCEPT EXPO_PUBLIC_* vars
+        return vars.filter((v) => !v.key.startsWith('EXPO_PUBLIC_'));
+    }
+    // Standard packages get all vars (including EXPO_PUBLIC_*)
+    return vars;
+}
+/**
+ * Decrypt command - decrypt .env.encrypted and generate env files for all packages
+ */
+export async function decryptCommand(options) {
+    const { root, env = 'dev' } = options;
+    const encryptedPath = join(root, '.env.encrypted');
+    const localPath = join(root, '.env.local');
+    // Check encrypted file exists
+    if (!existsSync(encryptedPath)) {
+        console.error(pc.red(`Error: ${encryptedPath} not found`));
+        console.error(pc.dim('Create it with: pnpm secrets encrypt (after creating .env)'));
+        process.exit(1);
+    }
+    console.log(pc.blue('Decrypting secrets...'));
+    // Decrypt the encrypted file
+    let decryptedContent;
+    try {
+        decryptedContent = sopsDecrypt(encryptedPath);
+    }
+    catch (error) {
+        console.error(pc.red(error.message));
+        process.exit(1);
+    }
+    // Parse decrypted content
+    const allVars = parseEnvContent(decryptedContent);
+    console.log(pc.dim(`  Parsed ${allVars.length} variables from .env.encrypted`));
+    // Get vars for the target environment
+    const envVars = getVarsForEnvironment(allVars, env);
+    console.log(pc.dim(`  ${envVars.length} variables for ${env} environment`));
+    // Load local overrides if they exist
+    const localVars = parseEnvFile(localPath);
+    if (localVars.length > 0) {
+        console.log(pc.dim(`  ${localVars.length} local overrides from .env.local`));
+    }
+    // Merge and expand
+    const mergedVars = mergeEnvVars(envVars, localVars);
+    const expandedVars = expandVariables(mergedVars);
+    // Discover packages
+    const packages = await discoverPackages(root);
+    console.log(pc.blue(`\nDiscovered ${packages.length} packages:`));
+    // Generate output files for each package
+    for (const pkg of packages) {
+        const pkgDir = pkg.path ? join(root, pkg.path) : root;
+        const outputFiles = getOutputFiles(pkg, env);
+        const pkgVars = filterVarsForPackage(expandedVars, pkg);
+        if (pkgVars.length === 0) {
+            console.log(pc.dim(`  ${pkg.path || '.'} (${pkg.style}) - no applicable vars, skipped`));
+            continue;
+        }
+        for (const output of outputFiles) {
+            const outputPath = join(pkgDir, output.path);
+            // Ensure directory exists
+            const dir = dirname(outputPath);
+            if (!existsSync(dir)) {
+                mkdirSync(dir, { recursive: true });
+            }
+            // Write the file
+            const content = formatEnvFile(pkgVars);
+            writeFileSync(outputPath, content, 'utf-8');
+            const relativePath = pkg.path ? `${pkg.path}/${output.path}` : output.path;
+            console.log(pc.green(`  ${relativePath}`) +
+                pc.dim(` (${pkg.style}, ${pkgVars.length} vars)`));
+        }
+    }
+    // Also write root .env with shared vars (useful for scripts)
+    const rootEnvPath = join(root, '.env');
+    writeFileSync(rootEnvPath, formatEnvFile(expandedVars), 'utf-8');
+    console.log(pc.green(`  .env`) + pc.dim(` (root, ${expandedVars.length} vars)`));
+    console.log(pc.green('\nDecryption complete'));
+}

package/dist/commands/edit.d.ts

@@ -0,0 +1,9 @@
+interface EditOptions {
+    root: string;
+}
+/**
+ * Edit command - open .env.encrypted in editor via SOPS
+ */
+export declare function editCommand(options: EditOptions): Promise<void>;
+export {};
+//# sourceMappingURL=edit.d.ts.map

package/dist/commands/edit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"edit.d.ts","sourceRoot":"","sources":["../../src/commands/edit.ts"],"names":[],"mappings":"AAKA,UAAU,WAAW;IACnB,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAyBrE"}

package/dist/commands/edit.js

@@ -0,0 +1,28 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { edit as sopsEdit } from '../core/sops.js';
+/**
+ * Edit command - open .env.encrypted in editor via SOPS
+ */
+export async function editCommand(options) {
+    const { root } = options;
+    const encryptedPath = join(root, '.env.encrypted');
+    // Check encrypted file exists
+    if (!existsSync(encryptedPath)) {
+        console.error(pc.red(`Error: ${encryptedPath} not found`));
+        console.error(pc.dim('Create it with: pnpm secrets encrypt (after creating .env)'));
+        process.exit(1);
+    }
+    console.log(pc.blue('Opening encrypted file in editor...'));
+    console.log(pc.dim('  (Changes will be encrypted on save)'));
+    try {
+        sopsEdit(encryptedPath);
+        console.log(pc.green('\nEdit complete'));
+        console.log(pc.dim('  Run "pnpm secrets decrypt" to update local env files.'));
+    }
+    catch (error) {
+        console.error(pc.red(error.message));
+        process.exit(1);
+    }
+}

package/dist/commands/encrypt.d.ts

@@ -0,0 +1,9 @@
+interface EncryptOptions {
+    root: string;
+}
+/**
+ * Encrypt command - encrypt .env to .env.encrypted
+ */
+export declare function encryptCommand(options: EncryptOptions): Promise<void>;
+export {};
+//# sourceMappingURL=encrypt.d.ts.map

package/dist/commands/encrypt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../src/commands/encrypt.ts"],"names":[],"mappings":"AAKA,UAAU,cAAc;IACtB,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAyB3E"}

package/dist/commands/encrypt.js

@@ -0,0 +1,30 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { encrypt as sopsEncrypt } from '../core/sops.js';
+/**
+ * Encrypt command - encrypt .env to .env.encrypted
+ */
+export async function encryptCommand(options) {
+    const { root } = options;
+    const inputPath = join(root, '.env');
+    const outputPath = join(root, '.env.encrypted');
+    // Check input file exists
+    if (!existsSync(inputPath)) {
+        console.error(pc.red(`Error: ${inputPath} not found`));
+        console.error(pc.dim('Create a .env file first, then run encrypt.'));
+        process.exit(1);
+    }
+    console.log(pc.blue('Encrypting secrets...'));
+    console.log(pc.dim(`  Input: .env`));
+    console.log(pc.dim(`  Output: .env.encrypted`));
+    try {
+        sopsEncrypt(inputPath, outputPath);
+        console.log(pc.green('\nEncryption complete'));
+        console.log(pc.dim('  You can now commit .env.encrypted to git.'));
+    }
+    catch (error) {
+        console.error(pc.red(error.message));
+        process.exit(1);
+    }
+}

package/dist/commands/push.d.ts

@@ -0,0 +1,10 @@
+interface PushOptions {
+    root: string;
+    dryRun?: boolean;
+}
+/**
+ * Push command - push production secrets to Cloudflare Workers
+ */
+export declare function pushCommand(options: PushOptions): Promise<void>;
+export {};
+//# sourceMappingURL=push.d.ts.map

package/dist/commands/push.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"push.d.ts","sourceRoot":"","sources":["../../src/commands/push.ts"],"names":[],"mappings":"AAaA,UAAU,WAAW;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AA0CD;;GAEG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAqErE"}

package/dist/commands/push.js

@@ -0,0 +1,101 @@
+import { execSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { discoverPackages } from '../core/discover.js';
+import { expandVariables, getVarsForEnvironment, parseEnvContent, } from '../core/parse.js';
+import { decrypt as sopsDecrypt } from '../core/sops.js';
+/**
+ * Filter variables that should be pushed to Wrangler
+ * Excludes EXPO_PUBLIC_* vars
+ */
+function getWranglerVars(vars) {
+    return vars.filter((v) => !v.key.startsWith('EXPO_PUBLIC_'));
+}
+/**
+ * Push a secret to Wrangler
+ */
+function pushSecret(key, value, wranglerDir, dryRun) {
+    if (dryRun) {
+        console.log(pc.dim(`  [dry-run] Would push: ${key}`));
+        return true;
+    }
+    try {
+        // Use echo to pipe the value to wrangler secret put
+        // This avoids the interactive prompt
+        execSync(`echo "${value}" | wrangler secret put ${key}`, {
+            cwd: wranglerDir,
+            stdio: ['pipe', 'pipe', 'pipe'],
+            shell: '/bin/bash',
+        });
+        return true;
+    }
+    catch (error) {
+        const err = error;
+        console.error(pc.red(`  Failed to push ${key}: ${err.stderr || err.message}`));
+        return false;
+    }
+}
+/**
+ * Push command - push production secrets to Cloudflare Workers
+ */
+export async function pushCommand(options) {
+    const { root, dryRun = false } = options;
+    const encryptedPath = join(root, '.env.encrypted');
+    // Check encrypted file exists
+    if (!existsSync(encryptedPath)) {
+        console.error(pc.red(`Error: ${encryptedPath} not found`));
+        process.exit(1);
+    }
+    // Find wrangler packages
+    const packages = await discoverPackages(root);
+    const wranglerPackages = packages.filter((p) => p.style === 'wrangler');
+    if (wranglerPackages.length === 0) {
+        console.error(pc.red('Error: No Wrangler packages found'));
+        console.error(pc.dim('A Wrangler package must have a wrangler.toml file.'));
+        process.exit(1);
+    }
+    console.log(pc.blue('Pushing secrets to Cloudflare Workers...'));
+    if (dryRun) {
+        console.log(pc.yellow('  (dry-run mode - no changes will be made)'));
+    }
+    // Decrypt and get production vars
+    let decryptedContent;
+    try {
+        decryptedContent = sopsDecrypt(encryptedPath);
+    }
+    catch (error) {
+        console.error(pc.red(error.message));
+        process.exit(1);
+    }
+    const allVars = parseEnvContent(decryptedContent);
+    const prodVars = getVarsForEnvironment(allVars, 'prod');
+    const expandedVars = expandVariables(prodVars);
+    const wranglerVars = getWranglerVars(expandedVars);
+    console.log(pc.dim(`  ${wranglerVars.length} secrets to push`));
+    // Push to each wrangler package
+    for (const pkg of wranglerPackages) {
+        const pkgDir = pkg.path ? join(root, pkg.path) : root;
+        console.log(pc.blue(`\n${pkg.path || '.'} (${pkg.name}):`));
+        let successCount = 0;
+        let failCount = 0;
+        for (const v of wranglerVars) {
+            const success = pushSecret(v.key, v.value, pkgDir, dryRun);
+            if (success) {
+                console.log(pc.green(`  ${v.key}`));
+                successCount++;
+            }
+            else {
+                failCount++;
+            }
+        }
+        console.log(pc.dim(`  ${successCount} pushed, ${failCount} failed`));
+    }
+    if (dryRun) {
+        console.log(pc.yellow('\n[dry-run] No secrets were actually pushed.'));
+        console.log(pc.dim('Run without --dry-run to push secrets.'));
+    }
+    else {
+        console.log(pc.green('\nPush complete'));
+    }
+}

package/dist/commands/status.d.ts

@@ -0,0 +1,9 @@
+interface StatusOptions {
+    root: string;
+}
+/**
+ * Status command - show discovered packages and their styles
+ */
+export declare function statusCommand(options: StatusOptions): Promise<void>;
+export {};
+//# sourceMappingURL=status.d.ts.map

package/dist/commands/status.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../src/commands/status.ts"],"names":[],"mappings":"AAMA,UAAU,aAAa;IACrB,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CA6EzE"}

package/dist/commands/status.js

@@ -0,0 +1,58 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { discoverPackages } from '../core/discover.js';
+import { isSopsInstalled } from '../core/sops.js';
+/**
+ * Status command - show discovered packages and their styles
+ */
+export async function statusCommand(options) {
+    const { root } = options;
+    console.log(pc.blue('Secrets Status\n'));
+    // Check prerequisites
+    console.log(pc.bold('Prerequisites:'));
+    const sopsInstalled = isSopsInstalled();
+    console.log(sopsInstalled
+        ? pc.green('  SOPS installed')
+        : pc.red('  SOPS not installed (brew install sops)'));
+    const ageKeyPath = join(process.env.HOME || '~', '.config/sops/age/key.txt');
+    const ageKeyExists = existsSync(ageKeyPath);
+    console.log(ageKeyExists
+        ? pc.green('  age key found')
+        : pc.yellow('  age key not found at ~/.config/sops/age/key.txt'));
+    // Check files
+    console.log(pc.bold('\nFiles:'));
+    const encryptedPath = join(root, '.env.encrypted');
+    const encryptedExists = existsSync(encryptedPath);
+    console.log(encryptedExists
+        ? pc.green('  .env.encrypted exists')
+        : pc.yellow('  .env.encrypted not found'));
+    const localPath = join(root, '.env.local');
+    const localExists = existsSync(localPath);
+    console.log(localExists
+        ? pc.green('  .env.local exists (local overrides)')
+        : pc.dim('  - .env.local not found (optional)'));
+    const sopsConfigPath = join(root, '.sops.yaml');
+    const sopsConfigExists = existsSync(sopsConfigPath);
+    console.log(sopsConfigExists
+        ? pc.green('  .sops.yaml exists')
+        : pc.yellow('  .sops.yaml not found (SOPS config)'));
+    // Discover packages
+    console.log(pc.bold('\nDiscovered Packages:'));
+    const packages = await discoverPackages(root);
+    if (packages.length === 0) {
+        console.log(pc.dim('  No packages found'));
+    }
+    else {
+        for (const pkg of packages) {
+            const styleColor = pkg.style === 'wrangler' ? pc.cyan : pc.magenta;
+            const output = pkg.style === 'wrangler'
+                ? '.dev.vars'
+                : '.env.development, .env.production';
+            console.log(`  ${pkg.path || '.'} ` +
+                styleColor(`(${pkg.style})`) +
+                pc.dim(` -> ${output}`));
+        }
+    }
+    console.log('');
+}

package/dist/core/discover.d.ts

@@ -0,0 +1,6 @@
+import type { Package } from '../types.js';
+/**
+ * Discover all packages in the monorepo
+ */
+export declare function discoverPackages(root: string): Promise<Package[]>;
+//# sourceMappingURL=discover.d.ts.map

package/dist/core/discover.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discover.d.ts","sourceRoot":"","sources":["../../src/core/discover.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,OAAO,EAAgB,MAAM,aAAa,CAAC;AAkDzD;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAmCvE"}

package/dist/core/discover.js

@@ -0,0 +1,81 @@
+import { glob } from 'glob';
+import { existsSync, readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+/**
+ * Patterns to ignore when discovering packages
+ */
+const IGNORE_PATTERNS = [
+    '**/node_modules/**',
+    '**/.git/**',
+    '**/dist/**',
+    '**/build/**',
+    '**/.turbo/**',
+    '**/.next/**',
+    '**/coverage/**',
+    '**/.expo/**',
+];
+/**
+ * Detect the style for a package directory
+ * - If wrangler.toml exists -> wrangler
+ * - Otherwise -> standard
+ */
+function detectStyle(packageDir) {
+    const wranglerPath = join(packageDir, 'wrangler.toml');
+    const wranglerDevPath = join(packageDir, 'wrangler.dev.toml');
+    if (existsSync(wranglerPath) || existsSync(wranglerDevPath)) {
+        const configPath = existsSync(wranglerPath) ? wranglerPath : wranglerDevPath;
+        const content = readFileSync(configPath, 'utf-8');
+        if (content.includes('pages_build_output_dir')) {
+            return 'standard';
+        }
+        return 'wrangler';
+    }
+    return 'standard';
+}
+/**
+ * Read package name from package.json
+ */
+function readPackageName(packageJsonPath) {
+    try {
+        const content = readFileSync(packageJsonPath, 'utf-8');
+        const pkg = JSON.parse(content);
+        return pkg.name || dirname(packageJsonPath);
+    }
+    catch {
+        return dirname(packageJsonPath);
+    }
+}
+/**
+ * Discover all packages in the monorepo
+ */
+export async function discoverPackages(root) {
+    // Find all package.json files
+    const packageJsonPaths = await glob('**/package.json', {
+        cwd: root,
+        ignore: IGNORE_PATTERNS,
+    });
+    const packages = [];
+    for (const pkgPath of packageJsonPaths) {
+        const dir = dirname(pkgPath);
+        const fullDir = join(root, dir);
+        const style = detectStyle(fullDir);
+        const name = readPackageName(join(root, pkgPath));
+        if (name === '@chriscode/hush') {
+            continue;
+        }
+        packages.push({
+            name,
+            path: dir === '.' ? '' : dir,
+            style,
+        });
+    }
+    // Sort by path depth (root first, then alphabetically)
+    packages.sort((a, b) => {
+        const depthA = a.path.split('/').length;
+        const depthB = b.path.split('/').length;
+        if (depthA !== depthB)
+            return depthA - depthB;
+        return a.path.localeCompare(b.path);
+    });
+    return packages;
+}

package/dist/core/parse.d.ts

@@ -0,0 +1,30 @@
+import type { EnvVar, Environment } from '../types.js';
+/**
+ * Parse a .env file content into key-value pairs
+ */
+export declare function parseEnvContent(content: string): EnvVar[];
+/**
+ * Parse a .env file from disk
+ */
+export declare function parseEnvFile(filePath: string): EnvVar[];
+/**
+ * Filter and transform variables for a specific environment
+ * - Includes shared vars (no prefix)
+ * - Includes vars with matching prefix (stripped)
+ * - Excludes vars with other prefix
+ */
+export declare function getVarsForEnvironment(vars: EnvVar[], env: Environment): EnvVar[];
+/**
+ * Expand variable references in env vars
+ * e.g., ${OTHER_VAR} gets replaced with its value
+ */
+export declare function expandVariables(vars: EnvVar[]): EnvVar[];
+/**
+ * Merge multiple env var arrays, later arrays override earlier ones
+ */
+export declare function mergeEnvVars(...varArrays: EnvVar[][]): EnvVar[];
+/**
+ * Format env vars as .env file content
+ */
+export declare function formatEnvFile(vars: EnvVar[]): string;
+//# sourceMappingURL=parse.d.ts.map

package/dist/core/parse.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parse.d.ts","sourceRoot":"","sources":["../../src/core/parse.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAGvD;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CA+BzD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAOvD;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EAAE,EACd,GAAG,EAAE,WAAW,GACf,MAAM,EAAE,CA0BV;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAkBxD;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,GAAG,SAAS,EAAE,MAAM,EAAE,EAAE,GAAG,MAAM,EAAE,CAU/D;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,MAAM,CAEpD"}

package/dist/core/parse.js

@@ -0,0 +1,108 @@
+import { expand } from 'dotenv-expand';
+import { existsSync, readFileSync } from 'node:fs';
+import { ENV_PREFIXES } from '../types.js';
+/**
+ * Parse a .env file content into key-value pairs
+ */
+export function parseEnvContent(content) {
+    const vars = [];
+    const lines = content.split('\n');
+    for (const line of lines) {
+        const trimmed = line.trim();
+        // Skip empty lines and comments
+        if (!trimmed || trimmed.startsWith('#')) {
+            continue;
+        }
+        // Find the first = sign
+        const eqIndex = trimmed.indexOf('=');
+        if (eqIndex === -1)
+            continue;
+        const key = trimmed.slice(0, eqIndex).trim();
+        let value = trimmed.slice(eqIndex + 1).trim();
+        // Remove surrounding quotes if present
+        if ((value.startsWith('"') && value.endsWith('"')) ||
+            (value.startsWith("'") && value.endsWith("'"))) {
+            value = value.slice(1, -1);
+        }
+        vars.push({ key, value });
+    }
+    return vars;
+}
+/**
+ * Parse a .env file from disk
+ */
+export function parseEnvFile(filePath) {
+    if (!existsSync(filePath)) {
+        return [];
+    }
+    const content = readFileSync(filePath, 'utf-8');
+    return parseEnvContent(content);
+}
+/**
+ * Filter and transform variables for a specific environment
+ * - Includes shared vars (no prefix)
+ * - Includes vars with matching prefix (stripped)
+ * - Excludes vars with other prefix
+ */
+export function getVarsForEnvironment(vars, env) {
+    const prefix = ENV_PREFIXES[env];
+    const otherPrefix = env === 'dev' ? ENV_PREFIXES.prod : ENV_PREFIXES.dev;
+    const result = [];
+    for (const v of vars) {
+        // Skip vars with other environment's prefix
+        if (v.key.startsWith(otherPrefix)) {
+            continue;
+        }
+        // Strip prefix if it matches this environment
+        if (v.key.startsWith(prefix)) {
+            result.push({
+                key: v.key.slice(prefix.length),
+                value: v.value,
+                originalKey: v.key,
+            });
+        }
+        else {
+            // Shared var (no prefix)
+            result.push(v);
+        }
+    }
+    return result;
+}
+/**
+ * Expand variable references in env vars
+ * e.g., ${OTHER_VAR} gets replaced with its value
+ */
+export function expandVariables(vars) {
+    // Create a process.env-like object for expansion
+    const envObject = {};
+    for (const v of vars) {
+        envObject[v.key] = v.value;
+    }
+    // Use dotenv-expand with processEnv set to empty object to avoid mixing with process.env
+    const expanded = expand({ parsed: envObject, processEnv: {} });
+    if (!expanded.parsed) {
+        return vars;
+    }
+    return vars.map((v) => ({
+        ...v,
+        value: expanded.parsed[v.key] ?? v.value,
+    }));
+}
+/**
+ * Merge multiple env var arrays, later arrays override earlier ones
+ */
+export function mergeEnvVars(...varArrays) {
+    const merged = new Map();
+    for (const vars of varArrays) {
+        for (const v of vars) {
+            merged.set(v.key, v);
+        }
+    }
+    return Array.from(merged.values());
+}
+/**
+ * Format env vars as .env file content
+ */
+export function formatEnvFile(vars) {
+    return vars.map((v) => `${v.key}=${v.value}`).join('\n') + '\n';
+}

package/dist/core/sops.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Check if SOPS is installed
+ */
+export declare function isSopsInstalled(): boolean;
+/**
+ * Decrypt a SOPS-encrypted file and return the content
+ */
+export declare function decrypt(filePath: string): string;
+/**
+ * Encrypt content to a SOPS-encrypted file
+ */
+export declare function encrypt(inputPath: string, outputPath: string): void;
+/**
+ * Open encrypted file in editor (SOPS inline edit)
+ */
+export declare function edit(filePath: string): void;
+//# sourceMappingURL=sops.d.ts.map

package/dist/core/sops.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sops.d.ts","sourceRoot":"","sources":["../../src/core/sops.ts"],"names":[],"mappings":"AAgCA;;GAEG;AACH,wBAAgB,eAAe,IAAI,OAAO,CAOzC;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CA+BhD;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAwBnE;AAED;;GAEG;AACH,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAuB3C"}

package/dist/core/sops.js

@@ -0,0 +1,112 @@
+import { execSync, spawnSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+/**
+ * Get the SOPS age key file path
+ * Checks SOPS_AGE_KEY_FILE env var, then falls back to default location
+ */
+function getAgeKeyFile() {
+    if (process.env.SOPS_AGE_KEY_FILE) {
+        return process.env.SOPS_AGE_KEY_FILE;
+    }
+    const defaultPath = join(process.env.HOME || '~', '.config/sops/age/key.txt');
+    if (existsSync(defaultPath)) {
+        return defaultPath;
+    }
+    return undefined;
+}
+/**
+ * Get environment variables for SOPS commands
+ */
+function getSopsEnv() {
+    const ageKeyFile = getAgeKeyFile();
+    if (ageKeyFile) {
+        return { ...process.env, SOPS_AGE_KEY_FILE: ageKeyFile };
+    }
+    return process.env;
+}
+/**
+ * Check if SOPS is installed
+ */
+export function isSopsInstalled() {
+    try {
+        execSync('which sops', { stdio: 'ignore' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Decrypt a SOPS-encrypted file and return the content
+ */
+export function decrypt(filePath) {
+    if (!existsSync(filePath)) {
+        throw new Error(`Encrypted file not found: ${filePath}`);
+    }
+    if (!isSopsInstalled()) {
+        throw new Error('SOPS is not installed. Install with: brew install sops');
+    }
+    try {
+        // Use --input-type dotenv to handle .env format files
+        const result = execSync(`sops --input-type dotenv --output-type dotenv --decrypt "${filePath}"`, {
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+            env: getSopsEnv(),
+        });
+        return result;
+    }
+    catch (error) {
+        const err = error;
+        if (err.stderr?.includes('No identity matched')) {
+            throw new Error('SOPS decryption failed: No matching age key found.\n' +
+                'Ensure your age key is at ~/.config/sops/age/key.txt\n' +
+                'Or set SOPS_AGE_KEY_FILE environment variable.');
+        }
+        throw new Error(`SOPS decryption failed: ${err.stderr || err.message}`);
+    }
+}
+/**
+ * Encrypt content to a SOPS-encrypted file
+ */
+export function encrypt(inputPath, outputPath) {
+    if (!existsSync(inputPath)) {
+        throw new Error(`Input file not found: ${inputPath}`);
+    }
+    if (!isSopsInstalled()) {
+        throw new Error('SOPS is not installed. Install with: brew install sops');
+    }
+    try {
+        // Use --input-type dotenv to handle .env format files
+        execSync(`sops --input-type dotenv --output-type dotenv --encrypt "${inputPath}" > "${outputPath}"`, {
+            encoding: 'utf-8',
+            shell: '/bin/bash',
+            stdio: ['pipe', 'pipe', 'pipe'],
+            env: getSopsEnv(),
+        });
+    }
+    catch (error) {
+        const err = error;
+        throw new Error(`SOPS encryption failed: ${err.stderr || err.message}`);
+    }
+}
+/**
+ * Open encrypted file in editor (SOPS inline edit)
+ */
+export function edit(filePath) {
+    if (!existsSync(filePath)) {
+        throw new Error(`Encrypted file not found: ${filePath}`);
+    }
+    if (!isSopsInstalled()) {
+        throw new Error('SOPS is not installed. Install with: brew install sops');
+    }
+    // Use spawnSync with inherit to allow interactive editing
+    // Specify input/output type for dotenv format
+    const result = spawnSync('sops', ['--input-type', 'dotenv', '--output-type', 'dotenv', filePath], {
+        stdio: 'inherit',
+        env: getSopsEnv(),
+    });
+    if (result.status !== 0) {
+        throw new Error(`SOPS edit failed with exit code ${result.status}`);
+    }
+}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+export { discoverPackages } from './core/discover.js';
+export { expandVariables, formatEnvFile, getVarsForEnvironment, mergeEnvVars, parseEnvContent, parseEnvFile, } from './core/parse.js';
+export { decrypt, edit, encrypt, isSopsInstalled } from './core/sops.js';
+export { ENV_PREFIXES } from './types.js';
+export type { EnvVar, Environment, Package, PackageStyle } from './types.js';
+export { decryptCommand } from './commands/decrypt.js';
+export { editCommand } from './commands/edit.js';
+export { encryptCommand } from './commands/encrypt.js';
+export { pushCommand } from './commands/push.js';
+export { statusCommand } from './commands/status.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAC;AACtD,OAAO,EACL,eAAe,EACf,aAAa,EACb,qBAAqB,EACrB,YAAY,EACZ,eAAe,EACf,YAAY,GACb,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAGzE,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC1C,YAAY,EAAE,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG7E,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/index.js

@@ -0,0 +1,12 @@
+// Core exports for programmatic usage
+export { discoverPackages } from './core/discover.js';
+export { expandVariables, formatEnvFile, getVarsForEnvironment, mergeEnvVars, parseEnvContent, parseEnvFile, } from './core/parse.js';
+export { decrypt, edit, encrypt, isSopsInstalled } from './core/sops.js';
+// Types
+export { ENV_PREFIXES } from './types.js';
+// Commands (for programmatic usage)
+export { decryptCommand } from './commands/decrypt.js';
+export { editCommand } from './commands/edit.js';
+export { encryptCommand } from './commands/encrypt.js';
+export { pushCommand } from './commands/push.js';
+export { statusCommand } from './commands/status.js';

package/dist/types.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Package style for env file output
+ * - wrangler: outputs .dev.vars (for Cloudflare Workers)
+ * - standard: outputs .env, .env.development, .env.production
+ */
+export type PackageStyle = 'wrangler' | 'standard';
+/**
+ * Discovered package in the monorepo
+ */
+export interface Package {
+    /** Package name from package.json */
+    name: string;
+    /** Relative path from monorepo root */
+    path: string;
+    /** Detected style */
+    style: PackageStyle;
+}
+/**
+ * Parsed environment variable
+ */
+export interface EnvVar {
+    key: string;
+    value: string;
+    /** Original key before prefix stripping */
+    originalKey?: string;
+}
+/**
+ * Environment type for prefix handling
+ */
+export type Environment = 'dev' | 'prod';
+/**
+ * Prefix constants
+ */
+export declare const ENV_PREFIXES: {
+    readonly dev: "DEV__";
+    readonly prod: "PROD__";
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,MAAM,YAAY,GAAG,UAAU,GAAG,UAAU,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,KAAK,EAAE,YAAY,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,MAAM;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG,KAAK,GAAG,MAAM,CAAC;AAEzC;;GAEG;AACH,eAAO,MAAM,YAAY;;;CAGf,CAAC"}

package/dist/types.js

@@ -0,0 +1,7 @@
+/**
+ * Prefix constants
+ */
+export const ENV_PREFIXES = {
+    dev: 'DEV__',
+    prod: 'PROD__',
+};

package/package.json

@@ -0,0 +1,63 @@
+{
+  "name": "@chriscode/hush",
+  "version": "1.0.0",
+  "description": "SOPS-based secrets management for monorepos. Encrypt once, decrypt everywhere.",
+  "type": "module",
+  "bin": {
+    "hush": "./bin/hush.js"
+  },
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "prepublishOnly": "pnpm build",
+    "type-check": "tsc --noEmit"
+  },
+  "keywords": [
+    "secrets",
+    "sops",
+    "age",
+    "encryption",
+    "env",
+    "dotenv",
+    "monorepo",
+    "cloudflare",
+    "wrangler",
+    "expo"
+  ],
+  "author": "Chris Hasson",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/hassoncs/hush.git"
+  },
+  "bugs": {
+    "url": "https://github.com/hassoncs/hush/issues"
+  },
+  "homepage": "https://github.com/hassoncs/hush#readme",
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "dotenv": "^16.4.5",
+    "dotenv-expand": "^11.0.6",
+    "glob": "^10.3.10",
+    "picocolors": "^1.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.11.0",
+    "typescript": "^5.8.3"
+  },
+  "files": [
+    "dist",
+    "bin"
+  ],
+  "publishConfig": {
+    "access": "public"
+  }
+}