@chriscode/hush 2.1.0 → 2.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Chris Hasson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/cli.js

@@ -3,6 +3,8 @@ import pc from 'picocolors';
 import { decryptCommand } from './commands/decrypt.js';
 import { encryptCommand } from './commands/encrypt.js';
 import { editCommand } from './commands/edit.js';
+import { setCommand } from './commands/set.js';
+import { runCommand } from './commands/run.js';
 import { statusCommand } from './commands/status.js';
 import { pushCommand } from './commands/push.js';
 import { initCommand } from './commands/init.js';
@@ -22,8 +24,9 @@ ${pc.bold('Usage:')}
 ${pc.bold('Commands:')}
   init              Initialize hush.yaml config
   encrypt           Encrypt source .env files
-  decrypt           Decrypt and distribute to targets
-  set [file]        Set/edit secrets in $EDITOR (alias: edit)
+  run -- <cmd>      Run command with secrets in memory (AI-safe)
+  set <KEY>         Set a single secret interactively (AI-safe)
+  edit [file]       Edit all secrets in $EDITOR
   list              List all variables (shows values)
   inspect           List all variables (masked values, AI-safe)
   has <key>         Check if a secret exists (exit 0 if set, 1 if not)
@@ -31,10 +34,14 @@ ${pc.bold('Commands:')}
   push              Push secrets to Cloudflare Workers
   status            Show configuration and status
   skill             Install Claude Code / OpenCode skill
+  
+${pc.bold('Deprecated Commands:')}
+  decrypt           Write secrets to disk (unsafe - use 'run' instead)
 
 ${pc.bold('Options:')}
   -e, --env <env>   Environment: development or production (default: development)
   -r, --root <dir>  Root directory (default: current directory)
+  -t, --target <t>  Target name from hush.yaml (run only)
   -q, --quiet       Suppress output (has/check commands)
   --dry-run         Preview changes without applying (push only)
   --warn            Warn but exit 0 on drift (check only)
@@ -42,29 +49,29 @@ ${pc.bold('Options:')}
   --only-changed    Only check git-modified files (check only)
   --require-source  Fail if source file is missing (check only)
   --global          Install skill to ~/.claude/skills/ (skill only)
-  --local           Install skill to ./.claude/skills/ (skill only)
+  --local           Install skill to ./.claude/skills/ (skill/set only)
   -h, --help        Show this help message
   -v, --version     Show version number
 
 ${pc.bold('Examples:')}
   hush init                     Initialize hush.yaml config
   hush encrypt                  Encrypt .env files
-  hush decrypt                  Decrypt for development
-  hush decrypt -e production    Decrypt for production
-  hush set                      Set/edit shared secrets
-  hush set development          Set/edit development secrets
-  hush list                     List all variables (shows values)
+  hush run -- npm start         Run with secrets in memory (AI-safe!)
+  hush run -e prod -- npm build Run with production secrets
+  hush run -t api -- wrangler dev  Run filtered for 'api' target
+  hush set DATABASE_URL         Set a secret interactively (AI-safe)
+  hush set API_KEY -e prod      Set a production secret
+  hush set API_KEY --local      Set a personal local override
+  hush edit                     Edit all shared secrets in $EDITOR
+  hush edit development         Edit development secrets in $EDITOR
+  hush edit local               Edit personal local overrides
   hush inspect                  List all variables (masked, AI-safe)
   hush has DATABASE_URL         Check if DATABASE_URL is set
   hush has API_KEY -q && echo "API_KEY is configured"
   hush check                    Verify secrets are encrypted
-  hush check --warn             Check but don't fail on drift
-  hush check --json             Output JSON for CI
   hush push --dry-run           Preview push to Cloudflare
   hush status                   Show current status
   hush skill                    Install Claude skill (interactive)
-  hush skill --global           Install skill for all projects
-  hush skill --local            Install skill for this project only
 `);
 }
 function parseEnvironment(value) {
@@ -75,7 +82,7 @@ function parseEnvironment(value) {
     return null;
 }
 function parseFileKey(value) {
-    if (value === 'shared' || value === 'development' || value === 'production')
+    if (value === 'shared' || value === 'development' || value === 'production' || value === 'local')
         return value;
     if (value === 'dev')
         return 'development';
@@ -86,6 +93,7 @@ function parseFileKey(value) {
 function parseArgs(args) {
     let command = '';
     let env = 'development';
+    let envExplicit = false;
     let root = process.cwd();
     let dryRun = false;
     let quiet = false;
@@ -97,6 +105,8 @@ function parseArgs(args) {
     let local = false;
     let file;
     let key;
+    let target;
+    let cmdArgs = [];
     for (let i = 0; i < args.length; i++) {
         const arg = args[i];
         if (arg === '-h' || arg === '--help') {
@@ -112,6 +122,7 @@ function parseArgs(args) {
             const parsed = parseEnvironment(nextArg);
             if (parsed) {
                 env = parsed;
+                envExplicit = true;
             }
             else {
                 console.error(pc.red(`Invalid environment: ${nextArg}`));
@@ -156,28 +167,40 @@ function parseArgs(args) {
             local = true;
             continue;
         }
+        if (arg === '-t' || arg === '--target') {
+            target = args[++i];
+            continue;
+        }
+        if (arg === '--') {
+            cmdArgs = args.slice(i + 1);
+            break;
+        }
         if (!command && !arg.startsWith('-')) {
             command = arg;
             continue;
         }
-        if ((command === 'set' || command === 'edit') && !arg.startsWith('-')) {
+        if (command === 'edit' && !arg.startsWith('-')) {
             const parsed = parseFileKey(arg);
             if (parsed) {
                 file = parsed;
             }
             else {
                 console.error(pc.red(`Invalid file: ${arg}`));
-                console.error(pc.dim('Use: shared, development, or production'));
+                console.error(pc.dim('Use: shared, development, production, or local'));
                 process.exit(1);
             }
             continue;
         }
+        if (command === 'set' && !arg.startsWith('-') && !key) {
+            key = arg;
+            continue;
+        }
         if (command === 'has' && !arg.startsWith('-') && !key) {
             key = arg;
             continue;
         }
     }
-    return { command, env, root, dryRun, quiet, warn, json, onlyChanged, requireSource, global, local, file, key };
+    return { command, env, envExplicit, root, dryRun, quiet, warn, json, onlyChanged, requireSource, global, local, file, key, target, cmdArgs };
 }
 async function main() {
     const args = process.argv.slice(2);
@@ -185,7 +208,7 @@ async function main() {
         printHelp();
         process.exit(0);
     }
-    const { command, env, root, dryRun, quiet, warn, json, onlyChanged, requireSource, global, local, file, key } = parseArgs(args);
+    const { command, env, envExplicit, root, dryRun, quiet, warn, json, onlyChanged, requireSource, global, local, file, key, target, cmdArgs } = parseArgs(args);
     try {
         switch (command) {
             case 'init':
@@ -195,9 +218,32 @@ async function main() {
                 await encryptCommand({ root });
                 break;
             case 'decrypt':
+                console.warn(pc.yellow('⚠️  Warning: "hush decrypt" is deprecated and writes unencrypted secrets to disk.'));
+                console.warn(pc.yellow('   Use "hush run -- <command>" instead for better security.'));
+                console.warn(pc.dim('   To suppress this warning, use "hush unsafe:decrypt"'));
+                console.warn('');
                 await decryptCommand({ root, env });
                 break;
-            case 'set':
+            case 'unsafe:decrypt':
+                console.warn(pc.red('⚠️  UNSAFE MODE: Writing unencrypted secrets to disk.'));
+                console.warn(pc.red('   These files will be readable by AI assistants and other tools.'));
+                console.warn('');
+                await decryptCommand({ root, env });
+                break;
+            case 'run':
+                await runCommand({ root, env, target, command: cmdArgs });
+                break;
+            case 'set': {
+                let setFile = 'shared';
+                if (local) {
+                    setFile = 'local';
+                }
+                else if (envExplicit) {
+                    setFile = env;
+                }
+                await setCommand({ root, file: setFile, key });
+                break;
+            }
             case 'edit':
                 await editCommand({ root, file });
                 break;

package/dist/commands/run.d.ts

@@ -0,0 +1,3 @@
+import type { RunOptions } from '../types.js';
+export declare function runCommand(options: RunOptions): Promise<void>;
+//# sourceMappingURL=run.d.ts.map

package/dist/commands/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,UAAU,EAAmC,MAAM,aAAa,CAAC;AAoC/E,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAkDnE"}

package/dist/commands/run.js

@@ -0,0 +1,77 @@
+import { spawnSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { loadConfig } from '../config/loader.js';
+import { filterVarsForTarget } from '../core/filter.js';
+import { interpolateVars, getUnresolvedVars } from '../core/interpolate.js';
+import { mergeVars } from '../core/merge.js';
+import { parseEnvContent } from '../core/parse.js';
+import { decrypt as sopsDecrypt } from '../core/sops.js';
+function getEncryptedPath(sourcePath) {
+    return sourcePath + '.encrypted';
+}
+function getDecryptedSecrets(root, env, config) {
+    const sharedEncrypted = join(root, getEncryptedPath(config.sources.shared));
+    const envEncrypted = join(root, getEncryptedPath(config.sources[env]));
+    const localEncrypted = join(root, getEncryptedPath(config.sources.local));
+    const varSources = [];
+    if (existsSync(sharedEncrypted)) {
+        const content = sopsDecrypt(sharedEncrypted);
+        varSources.push(parseEnvContent(content));
+    }
+    if (existsSync(envEncrypted)) {
+        const content = sopsDecrypt(envEncrypted);
+        varSources.push(parseEnvContent(content));
+    }
+    if (existsSync(localEncrypted)) {
+        const content = sopsDecrypt(localEncrypted);
+        varSources.push(parseEnvContent(content));
+    }
+    if (varSources.length === 0) {
+        throw new Error(`No encrypted files found. Expected: ${sharedEncrypted}`);
+    }
+    const merged = mergeVars(...varSources);
+    return interpolateVars(merged);
+}
+export async function runCommand(options) {
+    const { root, env, target, command } = options;
+    if (!command || command.length === 0) {
+        console.error(pc.red('Usage: hush run -- <command>'));
+        console.error(pc.dim('Example: hush run -- npm start'));
+        console.error(pc.dim('         hush run -e production -- npm run build'));
+        console.error(pc.dim('         hush run --target api -- wrangler dev'));
+        process.exit(1);
+    }
+    const config = loadConfig(root);
+    let vars = getDecryptedSecrets(root, env, config);
+    if (target) {
+        const targetConfig = config.targets.find(t => t.name === target);
+        if (!targetConfig) {
+            console.error(pc.red(`Target "${target}" not found in hush.yaml`));
+            console.error(pc.dim(`Available targets: ${config.targets.map(t => t.name).join(', ')}`));
+            process.exit(1);
+        }
+        vars = filterVarsForTarget(vars, targetConfig);
+    }
+    const unresolved = getUnresolvedVars(vars);
+    if (unresolved.length > 0) {
+        console.warn(pc.yellow(`Warning: ${unresolved.length} vars have unresolved references`));
+    }
+    const childEnv = {
+        ...process.env,
+        ...Object.fromEntries(vars.map(v => [v.key, v.value])),
+    };
+    const [cmd, ...args] = command;
+    const result = spawnSync(cmd, args, {
+        stdio: 'inherit',
+        env: childEnv,
+        shell: true,
+        cwd: root,
+    });
+    if (result.error) {
+        console.error(pc.red(`Failed to execute: ${result.error.message}`));
+        process.exit(1);
+    }
+    process.exit(result.status ?? 1);
+}

package/dist/commands/set.d.ts

@@ -0,0 +1,3 @@
+import type { SetOptions } from '../types.js';
+export declare function setCommand(options: SetOptions): Promise<void>;
+//# sourceMappingURL=set.d.ts.map

package/dist/commands/set.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"set.d.ts","sourceRoot":"","sources":["../../src/commands/set.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAuD9C,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CnE"}

package/dist/commands/set.js

@@ -0,0 +1,87 @@
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { loadConfig } from '../config/loader.js';
+import { setKey } from '../core/sops.js';
+function promptForValue(key) {
+    return new Promise((resolve, reject) => {
+        if (!process.stdin.isTTY) {
+            reject(new Error('Interactive input requires a terminal (TTY)'));
+            return;
+        }
+        process.stdout.write(`Enter value for ${pc.cyan(key)}: `);
+        const stdin = process.stdin;
+        stdin.setRawMode(true);
+        stdin.resume();
+        stdin.setEncoding('utf8');
+        let value = '';
+        const onData = (char) => {
+            switch (char) {
+                case '\n':
+                case '\r':
+                case '\u0004': // Ctrl+D
+                    stdin.setRawMode(false);
+                    stdin.pause();
+                    stdin.removeListener('data', onData);
+                    process.stdout.write('\n');
+                    resolve(value);
+                    break;
+                case '\u0003': // Ctrl+C
+                    stdin.setRawMode(false);
+                    stdin.pause();
+                    stdin.removeListener('data', onData);
+                    process.stdout.write('\n');
+                    reject(new Error('Cancelled'));
+                    break;
+                case '\u007F': // Backspace
+                case '\b':
+                    if (value.length > 0) {
+                        value = value.slice(0, -1);
+                        process.stdout.write('\b \b');
+                    }
+                    break;
+                default:
+                    value += char;
+                    process.stdout.write('\u2022'); // Bullet character for hidden input
+            }
+        };
+        stdin.on('data', onData);
+    });
+}
+export async function setCommand(options) {
+    const { root, file, key } = options;
+    const config = loadConfig(root);
+    const fileKey = file ?? 'shared';
+    const sourcePath = config.sources[fileKey];
+    const encryptedPath = join(root, sourcePath + '.encrypted');
+    if (!key) {
+        console.error(pc.red('Usage: hush set <KEY> [-e environment]'));
+        console.error(pc.dim('Example: hush set DATABASE_URL'));
+        console.error(pc.dim('         hush set API_KEY -e production'));
+        console.error(pc.dim('\nTo edit all secrets in an editor, use: hush edit'));
+        process.exit(1);
+    }
+    if (!existsSync(encryptedPath) && !existsSync(join(root, '.sops.yaml'))) {
+        console.error(pc.red('Hush is not initialized in this directory'));
+        console.error(pc.dim('Run "hush init" first, then "hush encrypt"'));
+        process.exit(1);
+    }
+    try {
+        const value = await promptForValue(key);
+        if (!value) {
+            console.error(pc.yellow('No value entered, aborting'));
+            process.exit(1);
+        }
+        setKey(encryptedPath, key, value);
+        const envLabel = fileKey === 'shared' ? '' : ` in ${fileKey}`;
+        console.log(pc.green(`\n${key} set${envLabel} (${value.length} chars, encrypted)`));
+    }
+    catch (error) {
+        const err = error;
+        if (err.message === 'Cancelled') {
+            console.log(pc.yellow('Cancelled'));
+            process.exit(1);
+        }
+        throw err;
+    }
+}

package/dist/commands/skill.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAg9BhD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}
+{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAwhChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}

package/dist/commands/skill.js

@@ -6,51 +6,81 @@ import pc from 'picocolors';
 const SKILL_FILES = {
     'SKILL.md': `---
 name: hush-secrets
-description: Manage secrets safely using Hush CLI. Use when working with .env files, environment variables, secrets, API keys, database URLs, credentials, or configuration. NEVER read .env files directly - always use hush commands instead to prevent exposing secrets to the LLM.
-allowed-tools: Bash(hush:*), Bash(npx hush:*), Bash(brew:*), Bash(npm:*), Bash(pnpm:*), Bash(age-keygen:*), Read, Grep, Glob, Write
+description: Manage secrets safely using Hush CLI. Use when working with .env files, environment variables, secrets, API keys, database URLs, credentials, or configuration. Secrets are always encrypted at rest - .env files contain only encrypted data.
+allowed-tools: Bash(hush:*), Bash(npx hush:*), Bash(brew:*), Bash(npm:*), Bash(pnpm:*), Bash(age-keygen:*), Read, Grep, Glob, Write, Bash(cat:*), Bash(grep:*)
 ---
 
 # Hush - AI-Native Secrets Management
 
-Hush encrypts secrets so they can be committed to git, and provides AI-safe commands that let you work with secrets without exposing values to LLMs.
+Hush keeps secrets **encrypted at rest**. All \`.env\` files contain encrypted data only—you can freely read them with \`cat\` or \`grep\` and you'll only see encrypted gibberish, never actual secrets.
 
-## CRITICAL RULES
+## How It Works
 
-### NEVER do these things:
-- Read \`.env\`, \`.env.*\`, \`.env.local\`, or \`.dev.vars\` files directly
-- Use \`cat\`, \`grep\`, \`head\`, \`tail\`, \`less\`, \`more\` on env files
-- Echo or print environment variable values like \`echo $SECRET\`
-- Include actual secret values in your responses
-- Write secrets directly to \`.env\` files
+Secrets are stored encrypted on disk. When you need to use them:
+- \`hush run -- <command>\` decrypts to memory and runs your command
+- \`hush set <KEY>\` adds secrets interactively (you invoke, user enters value)
+- \`hush inspect\` shows what exists with masked values
+- \`hush edit\` opens encrypted file in editor, re-encrypts on save
 
-### ALWAYS use Hush commands instead:
-- \`npx hush inspect\` to see what variables exist (values are masked)
-- \`npx hush has <KEY>\` to check if a specific variable is set
-- \`npx hush set\` to add or modify secrets (opens secure editor)
-- \`npx hush status\` to view configuration
+## Safe to Read (Always Encrypted)
 
-## Quick Check: Is Hush Set Up?
+You CAN freely read these files—they only contain encrypted data:
+- \`.env.encrypted\`, \`.env.*.encrypted\` - encrypted secrets
+- \`.env\`, \`.env.*\` - if they exist, they're encrypted too (Hush doesn't create plaintext files)
+
+Feel free to use \`cat\`, \`grep\`, \`Read\` on any \`.env\` file. You'll see encrypted content like:
+\`\`\`
+DATABASE_URL=ENC[AES256_GCM,data:abc123...,type:str]
+\`\`\`
+
+## Commands Reference
+
+### Primary Commands:
+- \`npx hush run -- <command>\` - Run programs with secrets (decrypts to memory only!)
+- \`npx hush set <KEY>\` - Add a secret interactively (you invoke, user enters value)
+- \`npx hush edit\` - Let user edit all secrets in $EDITOR
+- \`npx hush inspect\` - See what variables exist (values are masked)
+- \`npx hush has <KEY>\` - Check if a specific variable is set
+- \`npx hush status\` - View configuration
 
-Run this first to check if Hush is configured:
+### Avoid These (Deprecated):
+- \`hush decrypt\` / \`hush unsafe:decrypt\` - Writes unencrypted secrets to disk (defeats the purpose!)
+
+## Quick Check: Is Hush Set Up?
 
 \`\`\`bash
 npx hush status
 \`\`\`
 
-**If this fails or shows errors**, see [SETUP.md](SETUP.md) for first-time setup instructions.
+**If this fails**, see [SETUP.md](SETUP.md) for first-time setup instructions.
 
 ---
 
-## Daily Usage (AI-Safe Commands)
+## Running Programs with Secrets
 
-### See what variables exist
+**This is the primary way to use secrets - they never touch disk!**
+
+\`\`\`bash
+npx hush run -- npm start              # Run with development secrets
+npx hush run -e production -- npm build   # Run with production secrets
+npx hush run -t api -- wrangler dev       # Run filtered for 'api' target
+\`\`\`
+
+The secrets are decrypted to memory and injected as environment variables.
+The child process inherits them. No plaintext files are written.
+
+---
+
+## Checking Secrets
+
+### See what variables exist (human-readable)
 
 \`\`\`bash
 npx hush inspect                    # Development
 npx hush inspect -e production      # Production
 \`\`\`
 
-Output shows **masked values** - safe for AI to read:
+Output shows **masked values**:
 
 \`\`\`
 Secrets for development:
@@ -69,73 +99,66 @@ npx hush has DATABASE_URL           # Verbose output
 npx hush has API_KEY -q             # Quiet: exit code only (0=set, 1=missing)
 \`\`\`
 
-### View configuration
+### Read encrypted files directly
 
+You can also just read the encrypted files:
 \`\`\`bash
-npx hush status
+cat .env.encrypted                  # See encrypted content (safe!)
+grep DATABASE .env.encrypted        # Search for keys in encrypted file
 \`\`\`
 
-### Set/modify secrets (requires user interaction)
+---
 
-\`\`\`bash
-npx hush set                        # Set shared secrets
-npx hush set development            # Set dev secrets  
-npx hush set production             # Set prod secrets
-\`\`\`
+## Adding/Modifying Secrets
 
-After setting, encrypt:
+### Add a single secret interactively
 
 \`\`\`bash
-npx hush encrypt
+npx hush set DATABASE_URL           # You invoke this, user types value
+npx hush set API_KEY -e production  # Set in production secrets
+npx hush set DEBUG --local          # Set personal local override
 \`\`\`
 
-### Decrypt to targets
+The user will be prompted to enter the value (hidden input).
+You never see the actual secret - just invoke the command!
+
+### Edit all secrets in editor
 
 \`\`\`bash
-npx hush decrypt                    # Development
-npx hush decrypt -e production      # Production
+npx hush edit                       # Edit shared secrets
+npx hush edit development           # Edit development secrets
+npx hush edit local                 # Edit personal overrides
 \`\`\`
 
 ---
 
 ## Common Workflows
 
-### "What secrets are configured?"
-\`\`\`bash
-npx hush inspect
-\`\`\`
-
-### "Is DATABASE_URL set?"
+### "Help user add DATABASE_URL"
 \`\`\`bash
-npx hush has DATABASE_URL
+npx hush set DATABASE_URL
 \`\`\`
-
-### "Help user add a new secret"
-1. Tell user to run: \`npx hush set\`
-2. They add the variable in their editor
-3. They save and close
-4. Tell them to run: \`npx hush encrypt\`
-5. Verify: \`npx hush inspect\`
+Tell user: "Enter your database URL when prompted"
 
 ### "Check all required secrets"
 \`\`\`bash
 npx hush has DATABASE_URL -q && npx hush has API_KEY -q && echo "All configured" || echo "Some missing"
 \`\`\`
 
----
-
-## Files You Must NOT Read
-
-These contain plaintext secrets - NEVER read them:
-- \`.env\`, \`.env.local\`, \`.env.development\`, \`.env.production\`
-- \`.dev.vars\`
-- Any \`*/.env\` or \`*/.env.*\` files
+### "Run the development server"
+\`\`\`bash
+npx hush run -- npm run dev
+\`\`\`
 
-## Files That Are Safe to Read
+### "Build for production"
+\`\`\`bash
+npx hush run -e production -- npm run build
+\`\`\`
 
-- \`hush.yaml\` - Configuration (no secrets)
-- \`.sops.yaml\` - SOPS config (public key only)
-- \`.env.encrypted\`, \`.env.*.encrypted\` - Encrypted files
+### "See what's in the encrypted file"
+\`\`\`bash
+cat .env.encrypted                  # Safe! Shows encrypted data only
+\`\`\`
 
 ---
 
@@ -351,8 +374,8 @@ When a new team member joins:
 
 1. **Get the age private key** from an existing team member
 2. **Save it** to \`~/.config/sops/age/key.txt\`
-3. **Run** \`npx hush decrypt\` to generate local env files
-4. **Start developing**
+3. **Run** \`npx hush run -- npm install\` to verify decryption works
+4. **Start developing** with \`npx hush run -- npm run dev\`
 
 The private key should be shared securely (password manager, encrypted channel, etc.)
 
@@ -364,7 +387,7 @@ After setup, verify everything works:
 
 - [ ] \`npx hush status\` shows configuration
 - [ ] \`npx hush inspect\` shows masked variables
-- [ ] \`npx hush decrypt\` creates local env files
+- [ ] \`npx hush run -- env\` can decrypt and run (secrets stay in memory!)
 - [ ] \`.env.encrypted\` files are committed to git
 - [ ] Plaintext \`.env\` files are in \`.gitignore\`
 
@@ -395,91 +418,166 @@ Edit \`hush.yaml\` and add your source files under \`sources:\`.
 
 Complete reference for all Hush CLI commands with flags, options, and examples.
 
-## Global Options
+## Security Model: Encrypted at Rest
+
+All secrets are stored encrypted on disk. You can safely read any \`.env\` file—they contain only encrypted data. No special precautions needed for file reading.
 
-These options work with most commands:
+## Global Options
 
 | Option | Description |
 |--------|-------------|
-| \`-e, --env <env>\` | Environment: \`development\` (or \`dev\`) / \`production\` (or \`prod\`). Default: \`development\` |
+| \`-e, --env <env>\` | Environment: \`development\` / \`production\`. Default: \`development\` |
 | \`-r, --root <dir>\` | Root directory containing \`hush.yaml\`. Default: current directory |
+| \`-t, --target <name>\` | Target name from hush.yaml (for \`run\` command) |
+| \`--local\` | Use local overrides (for \`set\` command) |
 | \`-h, --help\` | Show help message |
 | \`-v, --version\` | Show version number |
 
-## Commands
+---
 
-### hush init
+## Primary Commands
 
-Generate a \`hush.yaml\` configuration file with auto-detected targets.
+### hush run -- <command> ⭐
+
+**The recommended way to run programs with secrets!**
+
+Decrypts secrets to memory and runs a command with them as environment variables.
+Secrets never touch the disk as plaintext.
 
 \`\`\`bash
-hush init
+hush run -- npm start              # Run with development secrets
+hush run -e production -- npm build   # Run with production secrets
+hush run -t api -- wrangler dev       # Run filtered for 'api' target
 \`\`\`
 
-Scans for \`package.json\` and \`wrangler.toml\` files to auto-detect targets.
+**Options:**
+| Option | Description |
+|--------|-------------|
+| \`-e, --env\` | Environment (development/production) |
+| \`-t, --target\` | Filter secrets for a specific target from hush.yaml |
 
 ---
 
-### hush encrypt
+### hush set <KEY> ⭐
 
-Encrypt source \`.env\` files to \`.env.encrypted\` files.
+Add or update a single secret interactively. You invoke this, user enters the value.
 
 \`\`\`bash
-hush encrypt
+hush set DATABASE_URL              # Set in shared secrets
+hush set API_KEY -e production     # Set in production secrets
+hush set DEBUG --local             # Set personal local override
 \`\`\`
 
-**What gets encrypted** (based on \`hush.yaml\` sources):
-- \`.env\` -> \`.env.encrypted\`
-- \`.env.development\` -> \`.env.development.encrypted\`
-- \`.env.production\` -> \`.env.production.encrypted\`
+User will be prompted with hidden input - the value is never visible.
 
 ---
 
-### hush decrypt
+### hush edit [file]
 
-Decrypt and distribute secrets to all configured targets.
+Open all secrets in \`$EDITOR\` for bulk editing.
 
 \`\`\`bash
-hush decrypt                    # Development (default)
-hush decrypt -e production      # Production
-hush decrypt -e prod            # Short form
+hush edit                          # Edit shared secrets
+hush edit development              # Edit development secrets
+hush edit production               # Edit production secrets
+hush edit local                    # Edit personal local overrides
 \`\`\`
 
-**Process:**
-1. Decrypts encrypted source files
-2. Merges: shared -> environment -> local overrides
-3. Interpolates variable references (\`\${VAR}\`)
-4. Filters per target using \`include\`/\`exclude\` patterns
-5. Writes to each target in configured format
+---
+
+### hush inspect
+
+List all variables with **masked values** (human-readable format).
+
+\`\`\`bash
+hush inspect                       # Development
+hush inspect -e production         # Production
+\`\`\`
 
 ---
 
-### hush set (alias: edit)
+### hush has <KEY>
 
-Set or modify secrets. Opens encrypted file in your \`$EDITOR\`.
+Check if a specific secret exists.
 
 \`\`\`bash
-hush set                        # Set shared secrets
-hush set development            # Set development secrets
-hush set production             # Set production secrets
+hush has DATABASE_URL              # Verbose output
+hush has API_KEY -q                # Quiet: exit code only (0=set, 1=missing)
 \`\`\`
 
-Opens a temporary decrypted file, re-encrypts on save.
+---
+
+## Setup Commands
+
+### hush init
+
+Generate \`hush.yaml\` configuration with auto-detected targets.
+
+\`\`\`bash
+hush init
+\`\`\`
+
+---
+
+### hush encrypt
+
+Encrypt source \`.env\` files to \`.env.encrypted\` files.
+
+\`\`\`bash
+hush encrypt
+\`\`\`
+
+---
+
+### hush status
+
+Show configuration and file status.
+
+\`\`\`bash
+hush status
+\`\`\`
+
+---
+
+## Deployment Commands
+
+### hush push
+
+Push production secrets to Cloudflare Workers.
 
-**Tip:** Set your editor with \`export EDITOR=vim\` or use \`code --wait\` for VS Code.
+\`\`\`bash
+hush push                          # Push secrets
+hush push --dry-run                # Preview without pushing
+\`\`\`
 
 ---
 
-### hush list
+## Deprecated Commands (Avoid)
+
+### hush decrypt / hush unsafe:decrypt ⚠️
 
-List all variables with their **actual values**.
+**DEPRECATED:** Writes unencrypted secrets to disk, defeating the "encrypted at rest" model.
 
 \`\`\`bash
-hush list                       # Development
-hush list -e production         # Production
+hush decrypt                       # Writes plaintext .env files (avoid!)
+hush unsafe:decrypt                # Same, explicit unsafe mode
 \`\`\`
 
-**WARNING:** This shows real secret values. Use \`hush inspect\` for AI-safe output.
+Use \`hush run -- <command>\` instead.
+
+---
+
+## Quick Reference
+
+| Command | Purpose |
+|---------|---------|
+| \`hush run -- <cmd>\` | Run with secrets (memory only) |
+| \`hush set <KEY>\` | Add secret interactively |
+| \`hush edit\` | Edit secrets in $EDITOR |
+| \`hush inspect\` | See variables (masked) |
+| \`hush has <KEY>\` | Check if variable exists |
+| \`hush status\` | View configuration |
+| \`cat .env.encrypted\` | Read encrypted file (safe!) |
 
 ---
 
@@ -696,162 +794,136 @@ targets:
 `,
     'examples/workflows.md': `# Hush Workflow Examples
 
-Step-by-step examples for common AI assistant workflows when working with secrets.
+Step-by-step examples for common workflows when working with secrets.
 
-## Checking Configuration
+**Remember:** All \`.env\` files are encrypted at rest. You can freely read them with \`cat\` or \`grep\`—you'll only see encrypted data, never actual secrets.
 
-### "What environment variables does this project use?"
+## Running Programs (Most Common)
+
+### "Start the development server"
 
 \`\`\`bash
-hush inspect
+hush run -- npm run dev
 \`\`\`
 
-Read the output to see all configured variables, their approximate lengths, and which targets receive them.
+### "Build for production"
 
-### "Is the database configured?"
+\`\`\`bash
+hush run -e production -- npm run build
+\`\`\`
+
+### "Run tests with secrets"
 
 \`\`\`bash
-hush has DATABASE_URL
+hush run -- npm test
 \`\`\`
 
-If the output says "not found", guide the user to add it.
+### "Run Wrangler for Cloudflare Worker"
+
+\`\`\`bash
+hush run -t api -- wrangler dev
+\`\`\`
+
+---
+
+## Checking Secrets
+
+### "What environment variables does this project use?"
+
+\`\`\`bash
+hush inspect                    # Human-readable masked output
+# or
+cat .env.encrypted              # Raw encrypted file (safe!)
+\`\`\`
 
-### "Are all required secrets set?"
+### "Is the database configured?"
 
 \`\`\`bash
-# Check each required secret
-hush has DATABASE_URL -q || echo "Missing: DATABASE_URL"
-hush has API_KEY -q || echo "Missing: API_KEY"
-hush has STRIPE_SECRET_KEY -q || echo "Missing: STRIPE_SECRET_KEY"
+hush has DATABASE_URL
 \`\`\`
 
-Or check all at once:
+If "not found", help user add it with \`hush set DATABASE_URL\`.
+
+### "Check all required secrets"
+
 \`\`\`bash
 hush has DATABASE_URL -q && \\
 hush has API_KEY -q && \\
-hush has STRIPE_SECRET_KEY -q && \\
-echo "All secrets configured" || \\
-echo "Some secrets missing"
+echo "All configured" || \\
+echo "Some missing"
+\`\`\`
+
+### "Search for a key in encrypted files"
+
+\`\`\`bash
+grep DATABASE .env.encrypted    # Safe! Shows encrypted line
 \`\`\`
 
 ---
 
-## Helping Users Add Secrets
+## Adding Secrets
 
-### "Help me add a new API key"
+### "Help me add DATABASE_URL"
 
-1. **Check if it already exists:**
-   \`\`\`bash
-   hush has NEW_API_KEY
-   \`\`\`
+\`\`\`bash
+hush set DATABASE_URL
+\`\`\`
 
-2. **If not set, guide the user:**
-   > To add \`NEW_API_KEY\`, run:
-   > \`\`\`bash
-   > hush set
-   > \`\`\`
-   > Add a line like: \`NEW_API_KEY=your_actual_key_here\`
-   > Save and close the editor, then run:
-   > \`\`\`bash
-   > hush encrypt
-   > \`\`\`
-
-3. **Verify it was added:**
-   \`\`\`bash
-   hush has NEW_API_KEY
-   \`\`\`
+Tell user: "Enter your database URL when prompted (input will be hidden)"
+
+### "Add a production-only secret"
 
-### "I need to add secrets for production"
+\`\`\`bash
+hush set STRIPE_SECRET_KEY -e production
+\`\`\`
 
-Guide the user:
-> Run \`hush set production\` to set production secrets.
-> After saving, run \`hush encrypt\` to encrypt the changes.
-> To deploy, run \`hush decrypt -e production\`.
+### "Add a personal local override"
+
+\`\`\`bash
+hush set DEBUG --local
+\`\`\`
+
+### "Edit multiple secrets at once"
+
+\`\`\`bash
+hush edit
+\`\`\`
+
+Tell user: "Your editor will open. Add or modify secrets, then save and close."
 
 ---
 
-## Debugging Issues
+## Debugging
 
 ### "My app can't find DATABASE_URL"
 
-1. **Check if the variable exists:**
+1. Check if it exists:
    \`\`\`bash
    hush has DATABASE_URL
    \`\`\`
 
-2. **If it exists, check target distribution:**
+2. Check target distribution:
    \`\`\`bash
    hush inspect
    \`\`\`
-   Look at the "Target distribution" section to see which targets receive it.
 
-3. **Check if it's filtered out:**
+3. Check hush.yaml for filtering:
    \`\`\`bash
    cat hush.yaml
    \`\`\`
-   Look for \`include\`/\`exclude\` patterns that might filter the variable.
 
-4. **Regenerate env files:**
+4. Look at the encrypted file:
    \`\`\`bash
-   hush decrypt
+   grep DATABASE .env.encrypted    # Safe to read!
    \`\`\`
 
-### "Secrets aren't reaching my API folder"
-
-1. **Check target configuration:**
+5. Try running directly:
    \`\`\`bash
-   hush status
-   \`\`\`
-   Verify the API target path and format are correct.
-
-2. **Check filters:**
-   \`\`\`bash
-   cat hush.yaml
-   \`\`\`
-   If there's an \`exclude: EXPO_PUBLIC_*\` pattern, that's intentional.
-   If there's an \`include\` pattern, only matching variables are sent.
-
-3. **Run inspect to see distribution:**
-   \`\`\`bash
-   hush inspect
+   hush run -- env | grep DATABASE
    \`\`\`
 
 ---
 
-## Deployment Workflows
-
-### "Deploy to production"
-
-\`\`\`bash
-# Decrypt production secrets to all targets
-hush decrypt -e production
-\`\`\`
-
-### "Push secrets to Cloudflare Workers"
-
-\`\`\`bash
-# Preview what would be pushed
-hush push --dry-run
-
-# Actually push (requires wrangler auth)
-hush push
-\`\`\`
-
-### "Verify before deploying"
-
-\`\`\`bash
-# Check all encrypted files are up to date
-hush check
-
-# If drift detected, encrypt first
-hush encrypt
-
-# Then decrypt for production
-hush decrypt -e production
-\`\`\`
-
----
-
 ## Team Workflows
 
 ### "New team member setup"
@@ -859,30 +931,32 @@ hush decrypt -e production
 Guide them:
 > 1. Get the age private key from a team member
 > 2. Save it to \`~/.config/sops/age/key.txt\`
-> 3. Run \`hush decrypt\` to generate local env files
-> 4. Start developing!
+> 3. Run \`hush run -- npm install\` to verify setup
+> 4. Start developing with \`hush run -- npm run dev\`
 
-### "Someone added new secrets, my app is broken"
+### "Someone added new secrets"
 
 \`\`\`bash
-# Pull latest changes
 git pull
-
-# Regenerate env files
-hush decrypt
+hush inspect   # See what's new
 \`\`\`
 
-### "Check if I forgot to encrypt changes"
+---
+
+## Deployment
+
+### "Push to Cloudflare Workers"
 
 \`\`\`bash
-hush check
+hush push --dry-run   # Preview first
+hush push             # Actually push
 \`\`\`
 
-If drift detected:
+### "Build and deploy"
+
 \`\`\`bash
-hush encrypt
-git add .env*.encrypted
-git commit -m "chore: encrypt new secrets"
+hush run -e production -- npm run build
+hush push
 \`\`\`
 
 ---
@@ -916,17 +990,15 @@ Target distribution:
 - The \`app\` folder only gets \`EXPO_PUBLIC_*\` variables
 - The \`api\` folder gets everything except \`EXPO_PUBLIC_*\`
 
-### hush has output explained
+### Reading encrypted files directly
 
 \`\`\`bash
-$ hush has DATABASE_URL
-DATABASE_URL is set (45 chars)
-
-$ hush has MISSING_VAR
-MISSING_VAR not found
+$ cat .env.encrypted
+DATABASE_URL=ENC[AES256_GCM,data:7xH2kL9...,iv:abc...,tag:xyz...,type:str]
+STRIPE_SECRET_KEY=ENC[AES256_GCM,data:mN3pQ8...,iv:def...,tag:uvw...,type:str]
 \`\`\`
 
-The character count helps identify if the value looks reasonable (e.g., a 45-char DATABASE_URL is plausible, a 3-char one might be wrong).
+This is safe to view—the actual values are encrypted. You can see what keys exist without exposing secrets.
 `,
 };
 function getSkillPath(location, root) {

package/dist/core/sops.d.ts

@@ -3,4 +3,9 @@ export declare function isAgeKeyConfigured(): boolean;
 export declare function decrypt(filePath: string): string;
 export declare function encrypt(inputPath: string, outputPath: string): void;
 export declare function edit(filePath: string): void;
+/**
+ * Set a single key in an encrypted file.
+ * Decrypts to memory, updates the key, re-encrypts.
+ */
+export declare function setKey(filePath: string, key: string, value: string): void;
 //# sourceMappingURL=sops.d.ts.map

package/dist/core/sops.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sops.d.ts","sourceRoot":"","sources":["../../src/core/sops.ts"],"names":[],"mappings":"AAyBA,wBAAgB,eAAe,IAAI,OAAO,CAOzC;AAED,wBAAgB,kBAAkB,IAAI,OAAO,CAE5C;AAED,wBAAgB,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CA6BhD;AAED,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAuBnE;AAED,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAqB3C"}
+{"version":3,"file":"sops.d.ts","sourceRoot":"","sources":["../../src/core/sops.ts"],"names":[],"mappings":"AA0BA,wBAAgB,eAAe,IAAI,OAAO,CAOzC;AAED,wBAAgB,kBAAkB,IAAI,OAAO,CAE5C;AAED,wBAAgB,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CA6BhD;AAED,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAuBnE;AAED,wBAAgB,IAAI,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAqB3C;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAqDzE"}

package/dist/core/sops.js

@@ -1,6 +1,7 @@
 import { execSync, spawnSync } from 'node:child_process';
-import { existsSync } from 'node:fs';
+import { existsSync, writeFileSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
+import { tmpdir } from 'node:os';
 function getAgeKeyFile() {
     if (process.env.SOPS_AGE_KEY_FILE) {
         return process.env.SOPS_AGE_KEY_FILE;
@@ -89,3 +90,50 @@ export function edit(filePath) {
         throw new Error(`SOPS edit failed with exit code ${result.status}`);
     }
 }
+/**
+ * Set a single key in an encrypted file.
+ * Decrypts to memory, updates the key, re-encrypts.
+ */
+export function setKey(filePath, key, value) {
+    if (!isSopsInstalled()) {
+        throw new Error('SOPS is not installed. Install with: brew install sops');
+    }
+    let content = '';
+    // If file exists, decrypt it first
+    if (existsSync(filePath)) {
+        content = decrypt(filePath);
+    }
+    // Parse existing content into lines
+    const lines = content.split('\n').filter(line => line.trim() !== '');
+    // Find and update or add the key
+    let found = false;
+    const updatedLines = lines.map(line => {
+        const match = line.match(/^([^=]+)=/);
+        if (match && match[1] === key) {
+            found = true;
+            return `${key}=${value}`;
+        }
+        return line;
+    });
+    if (!found) {
+        updatedLines.push(`${key}=${value}`);
+    }
+    const newContent = updatedLines.join('\n') + '\n';
+    const tempFile = join(tmpdir(), `hush-temp-${Date.now()}.env`);
+    try {
+        writeFileSync(tempFile, newContent, 'utf-8');
+        // Encrypt temp file to the target
+        execSync(`sops --input-type dotenv --output-type dotenv --encrypt "${tempFile}" > "${filePath}"`, {
+            encoding: 'utf-8',
+            shell: '/bin/bash',
+            stdio: ['pipe', 'pipe', 'pipe'],
+            env: getSopsEnv(),
+        });
+    }
+    finally {
+        // Always clean up temp file
+        if (existsSync(tempFile)) {
+            unlinkSync(tempFile);
+        }
+    }
+}

package/dist/types.d.ts

@@ -11,6 +11,7 @@ export interface SourceFiles {
     shared: string;
     development: string;
     production: string;
+    local: string;
 }
 export interface HushConfig {
     sources: SourceFiles;
@@ -29,7 +30,18 @@ export interface EncryptOptions {
 }
 export interface EditOptions {
     root: string;
-    file?: 'shared' | 'development' | 'production';
+    file?: 'shared' | 'development' | 'production' | 'local';
+}
+export interface SetOptions {
+    root: string;
+    file?: 'shared' | 'development' | 'production' | 'local';
+    key?: string;
+}
+export interface RunOptions {
+    root: string;
+    env: Environment;
+    target?: string;
+    command: string[];
 }
 export interface PushOptions {
     root: string;

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC;AAC7E,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,YAAY,CAAC;AAEvD,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,WAAW,CAAC;IACrB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,MAAM;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,WAAW,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,QAAQ,GAAG,aAAa,GAAG,YAAY,CAAC;CAChD;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,WAAW,EAAE,OAAO,CAAC;IACrB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,mBAAmB,GAAG,gBAAgB,GAAG,oBAAoB,CAAC;AAE9G,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,cAAc,CAAC;CACxB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,IAAI,GAAG,OAAO,GAAG,OAAO,CAAC;IACjC,KAAK,EAAE,eAAe,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,eAAO,MAAM,eAAe,EAAE,WAI7B,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAqBjF,CAAC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC;AAC7E,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,YAAY,CAAC;AAEvD,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,WAAW,CAAC;IACrB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,MAAM;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,WAAW,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,QAAQ,GAAG,aAAa,GAAG,YAAY,GAAG,OAAO,CAAC;CAC1D;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,QAAQ,GAAG,aAAa,GAAG,YAAY,GAAG,OAAO,CAAC;IACzD,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,WAAW,EAAE,OAAO,CAAC;IACrB,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,mBAAmB,GAAG,gBAAgB,GAAG,oBAAoB,CAAC;AAE9G,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,cAAc,CAAC;CACxB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,IAAI,GAAG,OAAO,GAAG,OAAO,CAAC;IACjC,KAAK,EAAE,eAAe,EAAE,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,eAAO,MAAM,eAAe,EAAE,WAK7B,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAqBjF,CAAC"}

package/dist/types.js

@@ -2,6 +2,7 @@ export const DEFAULT_SOURCES = {
     shared: '.env',
     development: '.env.development',
     production: '.env.production',
+    local: '.env.local',
 };
 export const FORMAT_OUTPUT_FILES = {
     dotenv: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chriscode/hush",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "SOPS-based secrets management for monorepos. Encrypt once, decrypt everywhere.",
   "type": "module",
   "bin": {
@@ -12,14 +12,6 @@
       "types": "./dist/index.d.ts"
     }
   },
-  "scripts": {
-    "build": "tsc",
-    "dev": "tsc --watch",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "prepublishOnly": "pnpm build && pnpm test",
-    "type-check": "tsc --noEmit"
-  },
   "keywords": [
     "secrets",
     "sops",
@@ -61,5 +53,12 @@
   ],
   "publishConfig": {
     "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "type-check": "tsc --noEmit"
   }
-}
+}