@chriscode/hush 2.0.0 → 2.2.0

package/dist/cli.js

@@ -3,6 +3,8 @@ import pc from 'picocolors';
 import { decryptCommand } from './commands/decrypt.js';
 import { encryptCommand } from './commands/encrypt.js';
 import { editCommand } from './commands/edit.js';
+import { setCommand } from './commands/set.js';
+import { runCommand } from './commands/run.js';
 import { statusCommand } from './commands/status.js';
 import { pushCommand } from './commands/push.js';
 import { initCommand } from './commands/init.js';
@@ -10,7 +12,8 @@ import { listCommand } from './commands/list.js';
 import { inspectCommand } from './commands/inspect.js';
 import { hasCommand } from './commands/has.js';
 import { checkCommand } from './commands/check.js';
-const VERSION = '2.0.0';
+import { skillCommand } from './commands/skill.js';
+const VERSION = '2.1.0';
 function printHelp() {
     console.log(`
 ${pc.bold('hush')} - SOPS-based secrets management for monorepos
@@ -21,43 +24,54 @@ ${pc.bold('Usage:')}
 ${pc.bold('Commands:')}
   init              Initialize hush.yaml config
   encrypt           Encrypt source .env files
-  decrypt           Decrypt and distribute to targets
-  edit [file]       Edit encrypted file in $EDITOR
+  run -- <cmd>      Run command with secrets in memory (AI-safe)
+  set <KEY>         Set a single secret interactively (AI-safe)
+  edit [file]       Edit all secrets in $EDITOR
   list              List all variables (shows values)
   inspect           List all variables (masked values, AI-safe)
   has <key>         Check if a secret exists (exit 0 if set, 1 if not)
   check             Verify secrets are encrypted (for pre-commit hooks)
   push              Push secrets to Cloudflare Workers
   status            Show configuration and status
+  skill             Install Claude Code / OpenCode skill
+  
+${pc.bold('Deprecated Commands:')}
+  decrypt           Write secrets to disk (unsafe - use 'run' instead)
 
 ${pc.bold('Options:')}
   -e, --env <env>   Environment: development or production (default: development)
   -r, --root <dir>  Root directory (default: current directory)
+  -t, --target <t>  Target name from hush.yaml (run only)
   -q, --quiet       Suppress output (has/check commands)
   --dry-run         Preview changes without applying (push only)
   --warn            Warn but exit 0 on drift (check only)
   --json            Output machine-readable JSON (check only)
   --only-changed    Only check git-modified files (check only)
   --require-source  Fail if source file is missing (check only)
+  --global          Install skill to ~/.claude/skills/ (skill only)
+  --local           Install skill to ./.claude/skills/ (skill/set only)
   -h, --help        Show this help message
   -v, --version     Show version number
 
 ${pc.bold('Examples:')}
   hush init                     Initialize hush.yaml config
   hush encrypt                  Encrypt .env files
-  hush decrypt                  Decrypt for development
-  hush decrypt -e production    Decrypt for production
-  hush edit                     Edit shared secrets
-  hush edit development         Edit development secrets
-  hush list                     List all variables (shows values)
+  hush run -- npm start         Run with secrets in memory (AI-safe!)
+  hush run -e prod -- npm build Run with production secrets
+  hush run -t api -- wrangler dev  Run filtered for 'api' target
+  hush set DATABASE_URL         Set a secret interactively (AI-safe)
+  hush set API_KEY -e prod      Set a production secret
+  hush set API_KEY --local      Set a personal local override
+  hush edit                     Edit all shared secrets in $EDITOR
+  hush edit development         Edit development secrets in $EDITOR
+  hush edit local               Edit personal local overrides
   hush inspect                  List all variables (masked, AI-safe)
   hush has DATABASE_URL         Check if DATABASE_URL is set
   hush has API_KEY -q && echo "API_KEY is configured"
   hush check                    Verify secrets are encrypted
-  hush check --warn             Check but don't fail on drift
-  hush check --json             Output JSON for CI
   hush push --dry-run           Preview push to Cloudflare
   hush status                   Show current status
+  hush skill                    Install Claude skill (interactive)
 `);
 }
 function parseEnvironment(value) {
@@ -68,7 +82,7 @@ function parseEnvironment(value) {
     return null;
 }
 function parseFileKey(value) {
-    if (value === 'shared' || value === 'development' || value === 'production')
+    if (value === 'shared' || value === 'development' || value === 'production' || value === 'local')
         return value;
     if (value === 'dev')
         return 'development';
@@ -79,6 +93,7 @@ function parseFileKey(value) {
 function parseArgs(args) {
     let command = '';
     let env = 'development';
+    let envExplicit = false;
     let root = process.cwd();
     let dryRun = false;
     let quiet = false;
@@ -86,8 +101,12 @@ function parseArgs(args) {
     let json = false;
     let onlyChanged = false;
     let requireSource = false;
+    let global = false;
+    let local = false;
     let file;
     let key;
+    let target;
+    let cmdArgs = [];
     for (let i = 0; i < args.length; i++) {
         const arg = args[i];
         if (arg === '-h' || arg === '--help') {
@@ -103,6 +122,7 @@ function parseArgs(args) {
             const parsed = parseEnvironment(nextArg);
             if (parsed) {
                 env = parsed;
+                envExplicit = true;
             }
             else {
                 console.error(pc.red(`Invalid environment: ${nextArg}`));
@@ -139,6 +159,22 @@ function parseArgs(args) {
             requireSource = true;
             continue;
         }
+        if (arg === '--global') {
+            global = true;
+            continue;
+        }
+        if (arg === '--local') {
+            local = true;
+            continue;
+        }
+        if (arg === '-t' || arg === '--target') {
+            target = args[++i];
+            continue;
+        }
+        if (arg === '--') {
+            cmdArgs = args.slice(i + 1);
+            break;
+        }
         if (!command && !arg.startsWith('-')) {
             command = arg;
             continue;
@@ -150,17 +186,21 @@ function parseArgs(args) {
             }
             else {
                 console.error(pc.red(`Invalid file: ${arg}`));
-                console.error(pc.dim('Use: shared, development, or production'));
+                console.error(pc.dim('Use: shared, development, production, or local'));
                 process.exit(1);
             }
             continue;
         }
+        if (command === 'set' && !arg.startsWith('-') && !key) {
+            key = arg;
+            continue;
+        }
         if (command === 'has' && !arg.startsWith('-') && !key) {
             key = arg;
             continue;
         }
     }
-    return { command, env, root, dryRun, quiet, warn, json, onlyChanged, requireSource, file, key };
+    return { command, env, envExplicit, root, dryRun, quiet, warn, json, onlyChanged, requireSource, global, local, file, key, target, cmdArgs };
 }
 async function main() {
     const args = process.argv.slice(2);
@@ -168,7 +208,7 @@ async function main() {
         printHelp();
         process.exit(0);
     }
-    const { command, env, root, dryRun, quiet, warn, json, onlyChanged, requireSource, file, key } = parseArgs(args);
+    const { command, env, envExplicit, root, dryRun, quiet, warn, json, onlyChanged, requireSource, global, local, file, key, target, cmdArgs } = parseArgs(args);
     try {
         switch (command) {
             case 'init':
@@ -178,8 +218,32 @@ async function main() {
                 await encryptCommand({ root });
                 break;
             case 'decrypt':
+                console.warn(pc.yellow('⚠️  Warning: "hush decrypt" is deprecated and writes unencrypted secrets to disk.'));
+                console.warn(pc.yellow('   Use "hush run -- <command>" instead for better security.'));
+                console.warn(pc.dim('   To suppress this warning, use "hush unsafe:decrypt"'));
+                console.warn('');
+                await decryptCommand({ root, env });
+                break;
+            case 'unsafe:decrypt':
+                console.warn(pc.red('⚠️  UNSAFE MODE: Writing unencrypted secrets to disk.'));
+                console.warn(pc.red('   These files will be readable by AI assistants and other tools.'));
+                console.warn('');
                 await decryptCommand({ root, env });
                 break;
+            case 'run':
+                await runCommand({ root, env, target, command: cmdArgs });
+                break;
+            case 'set': {
+                let setFile = 'shared';
+                if (local) {
+                    setFile = 'local';
+                }
+                else if (envExplicit) {
+                    setFile = env;
+                }
+                await setCommand({ root, file: setFile, key });
+                break;
+            }
             case 'edit':
                 await editCommand({ root, file });
                 break;
@@ -205,6 +269,9 @@ async function main() {
             case 'status':
                 await statusCommand({ root });
                 break;
+            case 'skill':
+                await skillCommand({ root, global, local });
+                break;
             default:
                 if (command) {
                     console.error(pc.red(`Unknown command: ${command}`));

package/dist/commands/run.d.ts

@@ -0,0 +1,3 @@
+import type { RunOptions } from '../types.js';
+export declare function runCommand(options: RunOptions): Promise<void>;
+//# sourceMappingURL=run.d.ts.map

package/dist/commands/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,UAAU,EAAmC,MAAM,aAAa,CAAC;AAoC/E,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAkDnE"}

package/dist/commands/run.js

@@ -0,0 +1,77 @@
+import { spawnSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { loadConfig } from '../config/loader.js';
+import { filterVarsForTarget } from '../core/filter.js';
+import { interpolateVars, getUnresolvedVars } from '../core/interpolate.js';
+import { mergeVars } from '../core/merge.js';
+import { parseEnvContent } from '../core/parse.js';
+import { decrypt as sopsDecrypt } from '../core/sops.js';
+function getEncryptedPath(sourcePath) {
+    return sourcePath + '.encrypted';
+}
+function getDecryptedSecrets(root, env, config) {
+    const sharedEncrypted = join(root, getEncryptedPath(config.sources.shared));
+    const envEncrypted = join(root, getEncryptedPath(config.sources[env]));
+    const localEncrypted = join(root, getEncryptedPath(config.sources.local));
+    const varSources = [];
+    if (existsSync(sharedEncrypted)) {
+        const content = sopsDecrypt(sharedEncrypted);
+        varSources.push(parseEnvContent(content));
+    }
+    if (existsSync(envEncrypted)) {
+        const content = sopsDecrypt(envEncrypted);
+        varSources.push(parseEnvContent(content));
+    }
+    if (existsSync(localEncrypted)) {
+        const content = sopsDecrypt(localEncrypted);
+        varSources.push(parseEnvContent(content));
+    }
+    if (varSources.length === 0) {
+        throw new Error(`No encrypted files found. Expected: ${sharedEncrypted}`);
+    }
+    const merged = mergeVars(...varSources);
+    return interpolateVars(merged);
+}
+export async function runCommand(options) {
+    const { root, env, target, command } = options;
+    if (!command || command.length === 0) {
+        console.error(pc.red('Usage: hush run -- <command>'));
+        console.error(pc.dim('Example: hush run -- npm start'));
+        console.error(pc.dim('         hush run -e production -- npm run build'));
+        console.error(pc.dim('         hush run --target api -- wrangler dev'));
+        process.exit(1);
+    }
+    const config = loadConfig(root);
+    let vars = getDecryptedSecrets(root, env, config);
+    if (target) {
+        const targetConfig = config.targets.find(t => t.name === target);
+        if (!targetConfig) {
+            console.error(pc.red(`Target "${target}" not found in hush.yaml`));
+            console.error(pc.dim(`Available targets: ${config.targets.map(t => t.name).join(', ')}`));
+            process.exit(1);
+        }
+        vars = filterVarsForTarget(vars, targetConfig);
+    }
+    const unresolved = getUnresolvedVars(vars);
+    if (unresolved.length > 0) {
+        console.warn(pc.yellow(`Warning: ${unresolved.length} vars have unresolved references`));
+    }
+    const childEnv = {
+        ...process.env,
+        ...Object.fromEntries(vars.map(v => [v.key, v.value])),
+    };
+    const [cmd, ...args] = command;
+    const result = spawnSync(cmd, args, {
+        stdio: 'inherit',
+        env: childEnv,
+        shell: true,
+        cwd: root,
+    });
+    if (result.error) {
+        console.error(pc.red(`Failed to execute: ${result.error.message}`));
+        process.exit(1);
+    }
+    process.exit(result.status ?? 1);
+}

package/dist/commands/set.d.ts

@@ -0,0 +1,3 @@
+import type { SetOptions } from '../types.js';
+export declare function setCommand(options: SetOptions): Promise<void>;
+//# sourceMappingURL=set.d.ts.map

package/dist/commands/set.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"set.d.ts","sourceRoot":"","sources":["../../src/commands/set.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAuD9C,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CnE"}

package/dist/commands/set.js

@@ -0,0 +1,87 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { loadConfig } from '../config/loader.js';
+import { setKey } from '../core/sops.js';
+function promptForValue(key) {
+    return new Promise((resolve, reject) => {
+        if (!process.stdin.isTTY) {
+            reject(new Error('Interactive input requires a terminal (TTY)'));
+            return;
+        }
+        process.stdout.write(`Enter value for ${pc.cyan(key)}: `);
+        const stdin = process.stdin;
+        stdin.setRawMode(true);
+        stdin.resume();
+        stdin.setEncoding('utf8');
+        let value = '';
+        const onData = (char) => {
+            switch (char) {
+                case '\n':
+                case '\r':
+                case '\u0004': // Ctrl+D
+                    stdin.setRawMode(false);
+                    stdin.pause();
+                    stdin.removeListener('data', onData);
+                    process.stdout.write('\n');
+                    resolve(value);
+                    break;
+                case '\u0003': // Ctrl+C
+                    stdin.setRawMode(false);
+                    stdin.pause();
+                    stdin.removeListener('data', onData);
+                    process.stdout.write('\n');
+                    reject(new Error('Cancelled'));
+                    break;
+                case '\u007F': // Backspace
+                case '\b':
+                    if (value.length > 0) {
+                        value = value.slice(0, -1);
+                        process.stdout.write('\b \b');
+                    }
+                    break;
+                default:
+                    value += char;
+                    process.stdout.write('\u2022'); // Bullet character for hidden input
+            }
+        };
+        stdin.on('data', onData);
+    });
+}
+export async function setCommand(options) {
+    const { root, file, key } = options;
+    const config = loadConfig(root);
+    const fileKey = file ?? 'shared';
+    const sourcePath = config.sources[fileKey];
+    const encryptedPath = join(root, sourcePath + '.encrypted');
+    if (!key) {
+        console.error(pc.red('Usage: hush set <KEY> [-e environment]'));
+        console.error(pc.dim('Example: hush set DATABASE_URL'));
+        console.error(pc.dim('         hush set API_KEY -e production'));
+        console.error(pc.dim('\nTo edit all secrets in an editor, use: hush edit'));
+        process.exit(1);
+    }
+    if (!existsSync(encryptedPath) && !existsSync(join(root, '.sops.yaml'))) {
+        console.error(pc.red('Hush is not initialized in this directory'));
+        console.error(pc.dim('Run "hush init" first, then "hush encrypt"'));
+        process.exit(1);
+    }
+    try {
+        const value = await promptForValue(key);
+        if (!value) {
+            console.error(pc.yellow('No value entered, aborting'));
+            process.exit(1);
+        }
+        setKey(encryptedPath, key, value);
+        const envLabel = fileKey === 'shared' ? '' : ` in ${fileKey}`;
+        console.log(pc.green(`\n${key} set${envLabel} (${value.length} chars, encrypted)`));
+    }
+    catch (error) {
+        const err = error;
+        if (err.message === 'Cancelled') {
+            console.log(pc.yellow('Cancelled'));
+            process.exit(1);
+        }
+        throw err;
+    }
+}

package/dist/commands/skill.d.ts

@@ -0,0 +1,3 @@
+import type { SkillOptions } from '../types.js';
+export declare function skillCommand(options: SkillOptions): Promise<void>;
+//# sourceMappingURL=skill.d.ts.map

package/dist/commands/skill.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAwhChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}