@chriscode/hush 2.6.0 → 2.7.0

package/dist/cli.js

@@ -15,7 +15,8 @@ import { checkCommand } from './commands/check.js';
 import { skillCommand } from './commands/skill.js';
 import { keysCommand } from './commands/keys.js';
 import { findConfigPath, loadConfig, checkSchemaVersion } from './config/loader.js';
-const VERSION = '2.3.0';
+import { checkForUpdate } from './utils/version-check.js';
+const VERSION = '2.5.1';
 function printHelp() {
     console.log(`
 ${pc.bold('hush')} - SOPS-based secrets management for monorepos
@@ -269,6 +270,9 @@ async function main() {
         process.exit(0);
     }
     const { command, subcommand, env, envExplicit, root, dryRun, quiet, warn, json, onlyChanged, requireSource, allowPlaintext, global, local, force, gui, vault, file, key, target, cmdArgs } = parseArgs(args);
+    if (command !== 'run' && !json && !quiet) {
+        checkForUpdate(VERSION);
+    }
     checkMigrationNeeded(root, command);
     try {
         switch (command) {

package/dist/commands/encrypt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../src/commands/encrypt.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAElD,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAoC3E"}
+{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../../src/commands/encrypt.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AASlD,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAsF3E"}

package/dist/commands/encrypt.js

@@ -1,18 +1,19 @@
-import { existsSync } from 'node:fs';
+import { existsSync, unlinkSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
 import { loadConfig } from '../config/loader.js';
-import { encrypt as sopsEncrypt } from '../core/sops.js';
+import { encrypt as sopsEncrypt, decrypt as sopsDecrypt } from '../core/sops.js';
+import { parseEnvContent } from '../core/parse.js';
 export async function encryptCommand(options) {
     const { root } = options;
     const config = loadConfig(root);
-    console.log(pc.blue('Encrypting secrets...'));
+    console.log(pc.blue('Encrypting secrets...\n'));
     const sourceFiles = [
         { key: 'shared', path: config.sources.shared },
         { key: 'development', path: config.sources.development },
         { key: 'production', path: config.sources.production },
     ];
-    let encryptedCount = 0;
+    const encryptedFiles = [];
     for (const { key, path } of sourceFiles) {
         const sourcePath = join(root, path);
         const encryptedPath = sourcePath + '.encrypted';
@@ -20,15 +21,60 @@ export async function encryptCommand(options) {
             console.log(pc.dim(`  ${path} - not found, skipping`));
             continue;
         }
+        const sourceContent = readFileSync(sourcePath, 'utf-8');
+        const vars = parseEnvContent(sourceContent);
         sopsEncrypt(sourcePath, encryptedPath);
-        encryptedCount++;
-        console.log(pc.green(`  ${path}`) + pc.dim(` -> ${path}.encrypted`));
+        console.log(pc.green(`  ${path}`) + pc.dim(` -> ${path}.encrypted (${vars.length} vars)`));
+        encryptedFiles.push({
+            sourcePath,
+            encryptedPath,
+            displayPath: path,
+            originalKeyCount: vars.length,
+        });
     }
-    if (encryptedCount === 0) {
+    if (encryptedFiles.length === 0) {
         console.error(pc.red('\nNo source files found to encrypt'));
         console.error(pc.dim('Create at least .env with your secrets'));
         process.exit(1);
     }
-    console.log(pc.green(`\nEncrypted ${encryptedCount} file(s)`));
-    console.log(pc.dim('You can now commit the .encrypted files to git'));
+    console.log(pc.blue('\nVerifying encryption...'));
+    let allVerified = true;
+    for (const file of encryptedFiles) {
+        try {
+            const decrypted = sopsDecrypt(file.encryptedPath);
+            const decryptedVars = parseEnvContent(decrypted);
+            if (decryptedVars.length === file.originalKeyCount) {
+                console.log(pc.green(`  ${file.displayPath}.encrypted - verified (${decryptedVars.length} vars)`));
+            }
+            else {
+                console.log(pc.yellow(`  ${file.displayPath}.encrypted - warning: expected ${file.originalKeyCount} vars, got ${decryptedVars.length}`));
+                allVerified = false;
+            }
+        }
+        catch (error) {
+            console.log(pc.red(`  ${file.displayPath}.encrypted - FAILED to decrypt`));
+            console.log(pc.dim(`    ${error.message}`));
+            allVerified = false;
+        }
+    }
+    if (!allVerified) {
+        console.log(pc.yellow('\nEncryption completed but verification failed.'));
+        console.log(pc.yellow('Plaintext files have NOT been deleted. Please check your setup.'));
+        process.exit(1);
+    }
+    console.log(pc.blue('\nCleaning up plaintext files...'));
+    for (const file of encryptedFiles) {
+        try {
+            unlinkSync(file.sourcePath);
+            console.log(pc.green(`  Deleted ${file.displayPath}`));
+        }
+        catch (error) {
+            console.log(pc.yellow(`  Could not delete ${file.displayPath}: ${error.message}`));
+        }
+    }
+    console.log(pc.green(pc.bold(`\n✓ Encrypted ${encryptedFiles.length} file(s) and removed plaintext`)));
+    console.log(pc.dim('\nNext steps:'));
+    console.log(pc.dim('  1. Commit the .encrypted files to git'));
+    console.log(pc.dim('  2. Use "npx hush run -- <command>" to run with secrets'));
+    console.log(pc.dim('  3. Use "npx hush inspect" to see what variables are set'));
 }

package/dist/commands/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAc,WAAW,EAAU,MAAM,aAAa,CAAC;AA2InE,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAyCrE"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAc,WAAW,EAAU,MAAM,aAAa,CAAC;AAyJnE,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAoErE"}

package/dist/commands/init.js

@@ -125,6 +125,17 @@ function detectTargets(root) {
     }
     return targets;
 }
+function findExistingPlaintextEnvFiles(root) {
+    const patterns = ['.env', '.env.development', '.env.production', '.env.local', '.env.staging', '.env.test', '.dev.vars'];
+    const found = [];
+    for (const pattern of patterns) {
+        const filePath = join(root, pattern);
+        if (existsSync(filePath)) {
+            found.push(pattern);
+        }
+    }
+    return found;
+}
 export async function initCommand(options) {
     const { root } = options;
     const existingConfig = findConfigPath(root);
@@ -132,8 +143,21 @@ export async function initCommand(options) {
         console.error(pc.red(`Config already exists: ${existingConfig}`));
         process.exit(1);
     }
-    console.log(pc.blue('Initializing hush...'));
+    console.log(pc.blue('Initializing hush...\n'));
+    const existingEnvFiles = findExistingPlaintextEnvFiles(root);
+    if (existingEnvFiles.length > 0) {
+        console.log(pc.bgYellow(pc.black(' EXISTING SECRETS DETECTED ')));
+        console.log(pc.yellow('\nFound existing .env files:'));
+        for (const file of existingEnvFiles) {
+            console.log(pc.yellow(`  ${file}`));
+        }
+        console.log(pc.dim('\nThese will be encrypted after setup. Run "npx hush encrypt" when ready.\n'));
+    }
     const project = getProjectFromPackageJson(root);
+    if (!project) {
+        console.log(pc.yellow('No project identifier found in package.json.'));
+        console.log(pc.dim('Tip: Add "project: my-org/my-repo" to hush.yaml after creation for key management.\n'));
+    }
     const keyResult = await setupKey(root, project);
     if (keyResult) {
         createSopsConfig(root, keyResult.publicKey);
@@ -152,7 +176,17 @@ export async function initCommand(options) {
     for (const target of targets) {
         console.log(`  ${pc.cyan(target.name)} ${pc.dim(target.path)} ${pc.magenta(target.format)}`);
     }
-    console.log(pc.dim('\nNext steps:'));
-    console.log('  1. Run "hush set <KEY>" to add secrets');
-    console.log('  2. Run "hush run -- <command>" to run with secrets in memory');
+    console.log(pc.bold('\nNext steps:'));
+    if (existingEnvFiles.length > 0) {
+        console.log(pc.green('  1. npx hush encrypt') + pc.dim('     # Encrypt existing .env files (deletes plaintext)'));
+        console.log(pc.dim('  2. npx hush inspect') + pc.dim('      # Verify your secrets'));
+        console.log(pc.dim('  3. npx hush run -- <cmd>') + pc.dim(' # Run with secrets in memory'));
+    }
+    else {
+        console.log(pc.dim('  1. npx hush set <KEY>') + pc.dim('    # Add secrets interactively'));
+        console.log(pc.dim('  2. npx hush run -- <cmd>') + pc.dim(' # Run with secrets in memory'));
+    }
+    console.log(pc.dim('\nGit setup:'));
+    console.log(pc.dim('  git add hush.yaml .sops.yaml'));
+    console.log(pc.dim('  git commit -m "chore: add Hush secrets management"'));
 }

package/dist/commands/skill.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAwhChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}
+{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA2jChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}

package/dist/commands/skill.js

@@ -6,53 +6,102 @@ import pc from 'picocolors';
 const SKILL_FILES = {
     'SKILL.md': `---
 name: hush-secrets
-description: Manage secrets safely using Hush CLI. Use when working with .env files, environment variables, secrets, API keys, database URLs, credentials, or configuration. Secrets are always encrypted at rest - .env files contain only encrypted data.
+description: Manage secrets safely using Hush CLI. Use when working with .env files, environment variables, secrets, API keys, database URLs, credentials, or configuration. NEVER read .env files directly - always use hush commands instead to prevent exposing secrets to the LLM.
 allowed-tools: Bash(hush:*), Bash(npx hush:*), Bash(brew:*), Bash(npm:*), Bash(pnpm:*), Bash(age-keygen:*), Read, Grep, Glob, Write, Bash(cat:*), Bash(grep:*)
 ---
 
 # Hush - AI-Native Secrets Management
 
-Hush keeps secrets **encrypted at rest**. All \`.env\` files contain encrypted data only—you can freely read them with \`cat\` or \`grep\` and you'll only see encrypted gibberish, never actual secrets.
+**CRITICAL: NEVER read .env files directly.** Always use \`npx hush status\`, \`npx hush inspect\`, or \`npx hush has\` to check secrets.
 
-## How It Works
+Hush keeps secrets **encrypted at rest**. When properly set up, all secrets are stored in \`.env.encrypted\` files and plaintext \`.env\` files should NOT exist.
 
-Secrets are stored encrypted on disk. When you need to use them:
-- \`hush run -- <command>\` decrypts to memory and runs your command
-- \`hush set <KEY>\` adds secrets interactively (you invoke, user enters value)
-- \`hush inspect\` shows what exists with masked values
-- \`hush edit\` opens encrypted file in editor, re-encrypts on save
+## First Step: Investigate Current State
 
-## Safe to Read (Always Encrypted)
+**ALWAYS run this first when working with a new repo:**
 
-You CAN freely read these files—they only contain encrypted data:
-- \`.env.encrypted\`, \`.env.*.encrypted\` - encrypted secrets
-- \`.env\`, \`.env.*\` - if they exist, they're encrypted too (Hush doesn't create plaintext files)
+\`\`\`bash
+npx hush status
+\`\`\`
+
+This tells you:
+- Whether Hush is configured (\`hush.yaml\` exists)
+- If SOPS/age are installed
+- If encryption keys are set up
+- **CRITICAL: If unencrypted .env files exist (security risk!)**
+- What source files are configured
+
+### Interpreting Status Output
 
-Feel free to use \`cat\`, \`grep\`, \`Read\` on any \`.env\` file. You'll see encrypted content like:
+| You See | What It Means | Action |
+|---------|---------------|--------|
+| \`SECURITY WARNING: Unencrypted .env files\` | Plaintext secrets exist! | Run \`npx hush encrypt\` immediately |
+| \`No hush.yaml found\` | Hush not initialized | Run \`npx hush init\` |
+| \`SOPS not installed\` | Missing prerequisite | \`brew install sops\` |
+| \`age key not found\` | Missing encryption key | \`npx hush keys setup\` |
+| \`Project: not set\` | Key management limited | Add \`project:\` to hush.yaml |
+| \`1Password backup: not synced\` | Key not backed up | \`npx hush keys push\` |
+
+## Decision Tree: What Do I Do?
+
+### Scenario 1: Fresh Repo (No Hush Setup)
+
+\`\`\`bash
+npx hush init          # Creates hush.yaml and .sops.yaml
+npx hush encrypt       # Encrypts any existing .env files, deletes plaintext
+npx hush inspect       # Verify setup
 \`\`\`
-DATABASE_URL=ENC[AES256_GCM,data:abc123...,type:str]
+
+### Scenario 2: Existing .env Files Found
+
+\`\`\`bash
+npx hush status        # Check what's there
+npx hush encrypt       # Encrypt them (auto-deletes plaintext after verification)
+npx hush inspect       # Confirm everything is encrypted
 \`\`\`
 
-## Commands Reference
+### Scenario 3: Hush Already Set Up (Team Member Joining)
 
-### Primary Commands:
-- \`npx hush run -- <command>\` - Run programs with secrets (decrypts to memory only!)
-- \`npx hush set <KEY>\` - Add a secret interactively (you invoke, user enters value)
-- \`npx hush edit\` - Let user edit all secrets in $EDITOR
-- \`npx hush inspect\` - See what variables exist (values are masked)
-- \`npx hush has <KEY>\` - Check if a specific variable is set
-- \`npx hush status\` - View configuration
+\`\`\`bash
+npx hush keys setup    # Pull key from 1Password or prompt for setup
+npx hush status        # Verify everything works
+npx hush inspect       # See what secrets exist
+\`\`\`
 
-### Avoid These (Deprecated):
-- \`hush decrypt\` / \`hush unsafe:decrypt\` - Writes unencrypted secrets to disk (defeats the purpose!)
+### Scenario 4: Need to Add/Modify Secrets
 
-## Quick Check: Is Hush Set Up?
+\`\`\`bash
+npx hush set <KEY>         # Add interactively (you invoke, user types value)
+npx hush edit              # Edit all secrets in $EDITOR
+npx hush inspect           # Verify changes
+\`\`\`
+
+### Scenario 5: Run Application with Secrets
 
 \`\`\`bash
-npx hush status
+npx hush run -- npm start              # Development
+npx hush run -e production -- npm build   # Production
 \`\`\`
 
-**If this fails**, see [SETUP.md](SETUP.md) for first-time setup instructions.
+---
+
+## Commands Quick Reference
+
+| Command | Purpose | When to Use |
+|---------|---------|-------------|
+| \`npx hush status\` | **Full diagnostic** | First step, always |
+| \`npx hush inspect\` | See variables (masked) | Check what's configured |
+| \`npx hush has <KEY>\` | Check specific variable | Verify a secret exists |
+| \`npx hush set <KEY>\` | Add secret interactively | User needs to enter a value |
+| \`npx hush edit\` | Edit all secrets | Bulk editing |
+| \`npx hush run -- <cmd>\` | Run with secrets in memory | Actually use the secrets |
+| \`npx hush init\` | Initialize Hush | First-time setup |
+| \`npx hush encrypt\` | Encrypt .env files | After creating/modifying plaintext |
+| \`npx hush keys setup\` | Set up encryption keys | New team member |
+
+### Commands to AVOID:
+- \`hush decrypt\` - Writes plaintext to disk (security risk!)
+- \`cat .env\` - Never read plaintext .env files directly
 
 ---
 
@@ -66,14 +115,11 @@ npx hush run -e production -- npm build   # Run with production secrets
 npx hush run -t api -- wrangler dev       # Run filtered for 'api' target
 \`\`\`
 
-The secrets are decrypted to memory and injected as environment variables.
-The child process inherits them. No plaintext files are written.
-
 ---
 
 ## Checking Secrets
 
-### See what variables exist (human-readable)
+### See what variables exist
 
 \`\`\`bash
 npx hush inspect                    # Development
@@ -99,14 +145,6 @@ npx hush has DATABASE_URL           # Verbose output
 npx hush has API_KEY -q             # Quiet: exit code only (0=set, 1=missing)
 \`\`\`
 
-### Read encrypted files directly
-
-You can also just read the encrypted files:
-\`\`\`bash
-cat .env.encrypted                  # See encrypted content (safe!)
-grep DATABASE .env.encrypted        # Search for keys in encrypted file
-\`\`\`
-
 ---
 
 ## Adding/Modifying Secrets
@@ -120,45 +158,7 @@ npx hush set DEBUG --local          # Set personal local override
 \`\`\`
 
 The user will be prompted to enter the value (hidden input).
-You never see the actual secret - just invoke the command!
-
-### Edit all secrets in editor
-
-\`\`\`bash
-npx hush edit                       # Edit shared secrets
-npx hush edit development           # Edit development secrets
-npx hush edit local                 # Edit personal overrides
-\`\`\`
-
----
-
-## Common Workflows
-
-### "Help user add DATABASE_URL"
-\`\`\`bash
-npx hush set DATABASE_URL
-\`\`\`
-Tell user: "Enter your database URL when prompted"
-
-### "Check all required secrets"
-\`\`\`bash
-npx hush has DATABASE_URL -q && npx hush has API_KEY -q && echo "All configured" || echo "Some missing"
-\`\`\`
-
-### "Run the development server"
-\`\`\`bash
-npx hush run -- npm run dev
-\`\`\`
-
-### "Build for production"
-\`\`\`bash
-npx hush run -e production -- npm run build
-\`\`\`
-
-### "See what's in the encrypted file"
-\`\`\`bash
-cat .env.encrypted                  # Safe! Shows encrypted data only
-\`\`\`
+**You never see the actual secret - just invoke the command!**
 
 ---
 
@@ -796,32 +796,71 @@ targets:
 
 Step-by-step examples for common workflows when working with secrets.
 
-**Remember:** All \`.env\` files are encrypted at rest. You can freely read them with \`cat\` or \`grep\`—you'll only see encrypted data, never actual secrets.
+**CRITICAL: NEVER read .env files directly. Use hush commands instead.**
+
+---
+
+## First-Time Setup (Most Important!)
+
+### "Help me set up Hush for this project"
+
+**Step 1: Check current state**
+\`\`\`bash
+npx hush status
+\`\`\`
+
+This will show:
+- If Hush is already configured
+- If there are unencrypted .env files (security risk!)
+- What prerequisites are missing
+
+**Step 2: Based on the output, follow the appropriate path:**
+
+#### Path A: "SECURITY WARNING: Unencrypted .env files detected"
+\`\`\`bash
+npx hush init          # If no hush.yaml exists
+npx hush encrypt       # Encrypts files and DELETES plaintext automatically
+npx hush status        # Verify the warning is gone
+\`\`\`
+
+#### Path B: "No hush.yaml found"
+\`\`\`bash
+npx hush init          # Creates config and sets up keys
+npx hush set <KEY>     # Add secrets (if none exist yet)
+\`\`\`
+
+#### Path C: "age key not found"
+\`\`\`bash
+npx hush keys setup    # Pull from 1Password or generate new key
+\`\`\`
+
+#### Path D: Everything looks good
+\`\`\`bash
+npx hush inspect       # See what secrets are configured
+\`\`\`
+
+---
 
 ## Running Programs (Most Common)
 
 ### "Start the development server"
-
 \`\`\`bash
-hush run -- npm run dev
+npx hush run -- npm run dev
 \`\`\`
 
 ### "Build for production"
-
 \`\`\`bash
-hush run -e production -- npm run build
+npx hush run -e production -- npm run build
 \`\`\`
 
 ### "Run tests with secrets"
-
 \`\`\`bash
-hush run -- npm test
+npx hush run -- npm test
 \`\`\`
 
 ### "Run Wrangler for Cloudflare Worker"
-
 \`\`\`bash
-hush run -t api -- wrangler dev
+npx hush run -t api -- wrangler dev
 \`\`\`
 
 ---
@@ -829,66 +868,53 @@ hush run -t api -- wrangler dev
 ## Checking Secrets
 
 ### "What environment variables does this project use?"
-
 \`\`\`bash
-hush inspect                    # Human-readable masked output
-# or
-cat .env.encrypted              # Raw encrypted file (safe!)
+npx hush inspect       # Shows all variables with masked values
 \`\`\`
 
 ### "Is the database configured?"
-
 \`\`\`bash
-hush has DATABASE_URL
+npx hush has DATABASE_URL
 \`\`\`
 
-If "not found", help user add it with \`hush set DATABASE_URL\`.
+If "not found", help user add it:
+\`\`\`bash
+npx hush set DATABASE_URL
+\`\`\`
+Tell user: "Enter your database URL when prompted"
 
 ### "Check all required secrets"
-
 \`\`\`bash
-hush has DATABASE_URL -q && \\
-hush has API_KEY -q && \\
+npx hush has DATABASE_URL -q && \\
+npx hush has API_KEY -q && \\
 echo "All configured" || \\
 echo "Some missing"
 \`\`\`
 
-### "Search for a key in encrypted files"
-
-\`\`\`bash
-grep DATABASE .env.encrypted    # Safe! Shows encrypted line
-\`\`\`
-
 ---
 
 ## Adding Secrets
 
 ### "Help me add DATABASE_URL"
-
 \`\`\`bash
-hush set DATABASE_URL
+npx hush set DATABASE_URL
 \`\`\`
-
 Tell user: "Enter your database URL when prompted (input will be hidden)"
 
 ### "Add a production-only secret"
-
 \`\`\`bash
-hush set STRIPE_SECRET_KEY -e production
+npx hush set STRIPE_SECRET_KEY -e production
 \`\`\`
 
 ### "Add a personal local override"
-
 \`\`\`bash
-hush set DEBUG --local
+npx hush set DEBUG --local
 \`\`\`
 
 ### "Edit multiple secrets at once"
-
 \`\`\`bash
-hush edit
+npx hush edit
 \`\`\`
-
 Tell user: "Your editor will open. Add or modify secrets, then save and close."
 
 ---
@@ -899,27 +925,22 @@ Tell user: "Your editor will open. Add or modify secrets, then save and close."
 
 1. Check if it exists:
    \`\`\`bash
-   hush has DATABASE_URL
+   npx hush has DATABASE_URL
    \`\`\`
 
 2. Check target distribution:
    \`\`\`bash
-   hush inspect
+   npx hush inspect
    \`\`\`
 
 3. Check hush.yaml for filtering:
    \`\`\`bash
-   cat hush.yaml
-   \`\`\`
-
-4. Look at the encrypted file:
-   \`\`\`bash
-   grep DATABASE .env.encrypted    # Safe to read!
+   cat hush.yaml        # Safe - this is config, not secrets
    \`\`\`
 
-5. Try running directly:
+4. Try running directly:
    \`\`\`bash
-   hush run -- env | grep DATABASE
+   npx hush run -- env | grep DATABASE
    \`\`\`
 
 ---
@@ -928,17 +949,25 @@ Tell user: "Your editor will open. Add or modify secrets, then save and close."
 
 ### "New team member setup"
 
-Guide them:
-> 1. Get the age private key from a team member
-> 2. Save it to \`~/.config/sops/age/key.txt\`
-> 3. Run \`hush run -- npm install\` to verify setup
-> 4. Start developing with \`hush run -- npm run dev\`
+Guide them through these steps:
+\`\`\`bash
+# 1. Pull key from 1Password (or get from team member)
+npx hush keys setup
 
-### "Someone added new secrets"
+# 2. Verify setup
+npx hush status
+
+# 3. Check secrets are accessible
+npx hush inspect
 
+# 4. Start developing
+npx hush run -- npm run dev
+\`\`\`
+
+### "Someone added new secrets"
 \`\`\`bash
 git pull
-hush inspect   # See what's new
+npx hush inspect   # See what's new
 \`\`\`
 
 ---
@@ -946,24 +975,50 @@ hush inspect   # See what's new
 ## Deployment
 
 ### "Push to Cloudflare Workers"
-
 \`\`\`bash
-hush push --dry-run   # Preview first
-hush push             # Actually push
+npx hush push --dry-run   # Preview first
+npx hush push             # Actually push
 \`\`\`
 
 ### "Build and deploy"
-
 \`\`\`bash
-hush run -e production -- npm run build
-hush push
+npx hush run -e production -- npm run build
+npx hush push
 \`\`\`
 
 ---
 
 ## Understanding the Output
 
-### hush inspect output explained
+### npx hush status output explained
+
+\`\`\`
+SECURITY WARNING
+Unencrypted .env files detected!
+  .env
+  .env.development
+
+Config:
+  hush.yaml
+  Project: my-org/my-repo
+
+Prerequisites:
+  SOPS installed
+  age key configured
+
+Key Status:
+  Local key: ~/.config/sops/age/keys/my-org-my-repo.txt
+  1Password backup: synced
+\`\`\`
+
+**Reading this:**
+- There's a security issue - plaintext files exist
+- The project is configured with key management
+- Keys are properly set up and backed up
+
+**To fix:** Run \`npx hush encrypt\`
+
+### npx hush inspect output explained
 
 \`\`\`
 Secrets for development:
@@ -973,32 +1028,12 @@ Secrets for development:
   API_KEY           = (not set)
 
 Total: 3 variables
-
-Target distribution:
-
-  root (.) - 3 vars
-  app (./app/) - 1 vars
-    include: EXPO_PUBLIC_*
-  api (./api/) - 2 vars
-    exclude: EXPO_PUBLIC_*
 \`\`\`
 
 **Reading this:**
 - \`DATABASE_URL\` is set, starts with "post", is 45 characters (likely a postgres:// URL)
 - \`STRIPE_SECRET_KEY\` starts with "sk_t" (Stripe test key format)
 - \`API_KEY\` is not set - user needs to add it
-- The \`app\` folder only gets \`EXPO_PUBLIC_*\` variables
-- The \`api\` folder gets everything except \`EXPO_PUBLIC_*\`
-
-### Reading encrypted files directly
-
-\`\`\`bash
-$ cat .env.encrypted
-DATABASE_URL=ENC[AES256_GCM,data:7xH2kL9...,iv:abc...,tag:xyz...,type:str]
-STRIPE_SECRET_KEY=ENC[AES256_GCM,data:mN3pQ8...,iv:def...,tag:uvw...,type:str]
-\`\`\`
-
-This is safe to view—the actual values are encrypted. You can see what keys exist without exposing secrets.
 `,
 };
 function getSkillPath(location, root) {

package/dist/commands/status.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../src/commands/status.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGjD,wBAAsB,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAkEzE"}
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../src/commands/status.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AA8DjD,wBAAsB,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAyHzE"}

package/dist/commands/status.js

@@ -1,15 +1,91 @@
-import { existsSync } from 'node:fs';
+import { existsSync, readdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
 import { findConfigPath, loadConfig } from '../config/loader.js';
 import { describeFilter } from '../core/filter.js';
 import { isAgeKeyConfigured, isSopsInstalled } from '../core/sops.js';
+import { keyExists } from '../lib/age.js';
+import { opAvailable, opListKeys } from '../lib/onepassword.js';
 import { FORMAT_OUTPUT_FILES } from '../types.js';
+function findPlaintextEnvFiles(root) {
+    const results = [];
+    const plaintextPatterns = ['.env', '.env.development', '.env.production', '.env.local', '.env.staging', '.env.test', '.dev.vars'];
+    const skipDirs = new Set(['node_modules', '.git', 'dist', 'build', '.next', '.nuxt']);
+    function scanDir(dir, relativePath = '') {
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        for (const entry of entries) {
+            if (skipDirs.has(entry))
+                continue;
+            if (entry.endsWith('.encrypted'))
+                continue;
+            const fullPath = join(dir, entry);
+            const relPath = relativePath ? `${relativePath}/${entry}` : entry;
+            try {
+                if (statSync(fullPath).isDirectory()) {
+                    scanDir(fullPath, relPath);
+                }
+                else if (plaintextPatterns.includes(entry)) {
+                    results.push(relPath);
+                }
+            }
+            catch {
+                continue;
+            }
+        }
+    }
+    scanDir(root);
+    return results;
+}
+function getProjectFromConfig(root) {
+    const config = loadConfig(root);
+    if (config.project)
+        return config.project;
+    const pkgPath = join(root, 'package.json');
+    if (existsSync(pkgPath)) {
+        try {
+            const pkg = JSON.parse(require('fs').readFileSync(pkgPath, 'utf-8'));
+            if (typeof pkg.repository === 'string') {
+                const match = pkg.repository.match(/github\.com[/:]([\w-]+\/[\w-]+)/);
+                if (match)
+                    return match[1];
+            }
+            if (pkg.repository?.url) {
+                const match = pkg.repository.url.match(/github\.com[/:]([\w-]+\/[\w-]+)/);
+                if (match)
+                    return match[1];
+            }
+        }
+        catch {
+            return null;
+        }
+    }
+    return null;
+}
 export async function statusCommand(options) {
     const { root } = options;
     const config = loadConfig(root);
     const configPath = findConfigPath(root);
     console.log(pc.blue('Hush Status\n'));
+    const plaintextFiles = findPlaintextEnvFiles(root);
+    if (plaintextFiles.length > 0) {
+        console.log(pc.bgRed(pc.white(pc.bold(' SECURITY WARNING '))));
+        console.log(pc.red(pc.bold('\nUnencrypted .env files detected!\n')));
+        for (const file of plaintextFiles) {
+            console.log(pc.red(`  ${file}`));
+        }
+        console.log('');
+        console.log(pc.yellow('These files may expose secrets to AI assistants and version control.'));
+        console.log(pc.bold('\nTo fix:'));
+        console.log(pc.dim('  1. Run: npx hush encrypt'));
+        console.log(pc.dim('  2. The plaintext files will be automatically deleted after encryption'));
+        console.log(pc.dim('  3. Add to .gitignore: .env, .env.*, .dev.vars\n'));
+    }
     console.log(pc.bold('Config:'));
     if (configPath) {
         console.log(pc.green(`  ${configPath.replace(root + '/', '')}`));
@@ -17,6 +93,16 @@ export async function statusCommand(options) {
     else {
         console.log(pc.dim('  No hush.yaml found (using defaults)'));
     }
+    const project = getProjectFromConfig(root);
+    if (configPath) {
+        if (project) {
+            console.log(pc.green(`  Project: ${project}`));
+        }
+        else {
+            console.log(pc.yellow('  Project: not set'));
+            console.log(pc.dim('    Add "project: my-org/my-repo" to hush.yaml for key management'));
+        }
+    }
     console.log(pc.bold('\nPrerequisites:'));
     console.log(isSopsInstalled()
         ? pc.green('  SOPS installed')
@@ -24,6 +110,29 @@ export async function statusCommand(options) {
     console.log(isAgeKeyConfigured()
         ? pc.green('  age key configured')
         : pc.yellow('  age key not found at ~/.config/sops/age/key.txt'));
+    if (project) {
+        const hasLocalKey = keyExists(project);
+        const has1PasswordBackup = opAvailable() && opListKeys().includes(project);
+        console.log(pc.bold('\nKey Status:'));
+        console.log(hasLocalKey
+            ? pc.green(`  Local key: ~/.config/sops/age/keys/${project.replace(/\//g, '-')}.txt`)
+            : pc.yellow('  Local key: not found'));
+        if (opAvailable()) {
+            console.log(has1PasswordBackup
+                ? pc.green('  1Password backup: synced')
+                : pc.yellow('  1Password backup: not synced'));
+            if (!has1PasswordBackup && hasLocalKey) {
+                console.log(pc.dim('    Run "npx hush keys push" to backup to 1Password'));
+            }
+        }
+        else {
+            console.log(pc.dim('  1Password CLI: not available'));
+        }
+        if (!hasLocalKey) {
+            console.log(pc.bold('\n  To set up keys:'));
+            console.log(pc.dim('    npx hush keys setup   # Pull from 1Password or generate'));
+        }
+    }
     console.log(pc.bold('\nSource Files:'));
     const sources = [
         { key: 'shared', path: config.sources.shared },

package/dist/utils/version-check.d.ts

@@ -0,0 +1,2 @@
+export declare function checkForUpdate(currentVersion: string): void;
+//# sourceMappingURL=version-check.d.ts.map

package/dist/utils/version-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"version-check.d.ts","sourceRoot":"","sources":["../../src/utils/version-check.ts"],"names":[],"mappings":"AAeA,wBAAgB,cAAc,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CA6B3D"}

package/dist/utils/version-check.js

@@ -0,0 +1,88 @@
+import { existsSync, mkdirSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { spawn } from 'node:child_process';
+import pc from 'picocolors';
+const CONFIG_DIR = join(homedir(), '.config', 'hush');
+const CACHE_FILE = join(CONFIG_DIR, 'update-check.json');
+const CHECK_INTERVAL_MS = 1000 * 60 * 60 * 24;
+export function checkForUpdate(currentVersion) {
+    try {
+        if (!existsSync(CONFIG_DIR)) {
+            mkdirSync(CONFIG_DIR, { recursive: true });
+        }
+        let cache = null;
+        if (existsSync(CACHE_FILE)) {
+            try {
+                cache = JSON.parse(readFileSync(CACHE_FILE, 'utf-8'));
+            }
+            catch {
+            }
+        }
+        if (cache && cache.latestVersion && isNewer(cache.latestVersion, currentVersion)) {
+            console.error(pc.bgYellow(pc.black(' UPDATE ')) +
+                pc.yellow(` New version available: ${cache.latestVersion} (current: ${currentVersion})`));
+            console.error(pc.dim(`Run "npm install -D @chriscode/hush@latest" to update`));
+            console.error('');
+        }
+        const now = Date.now();
+        if (!cache || now - cache.lastCheck > CHECK_INTERVAL_MS) {
+            spawnBackgroundCheck();
+        }
+    }
+    catch {
+    }
+}
+function spawnBackgroundCheck() {
+    const script = `
+    const https = require('https');
+    const fs = require('fs');
+    const path = require('path');
+    
+    const cacheFile = '${CACHE_FILE.replace(/\\/g, '\\\\')}';
+    
+    const req = https.get('https://registry.npmjs.org/@chriscode/hush/latest', {
+      timeout: 3000,
+      headers: { 'User-Agent': 'hush-cli' }
+    }, (res) => {
+      if (res.statusCode !== 200) process.exit(0);
+      
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        try {
+          const json = JSON.parse(data);
+          const content = JSON.stringify({
+            lastCheck: Date.now(),
+            latestVersion: json.version
+          });
+          fs.writeFileSync(cacheFile, content);
+        } catch (e) {}
+      });
+    });
+    
+    req.on('error', () => {});
+    req.end();
+  `;
+    const child = spawn(process.execPath, ['-e', script], {
+        detached: true,
+        stdio: 'ignore',
+        env: { ...process.env, NO_UPDATE_NOTIFIER: '1' }
+    });
+    child.unref();
+}
+function isNewer(latest, current) {
+    const l = latest.split('.').map(Number);
+    const c = current.split('.').map(Number);
+    if (l[0] > c[0])
+        return true;
+    if (l[0] < c[0])
+        return false;
+    if (l[1] > c[1])
+        return true;
+    if (l[1] < c[1])
+        return false;
+    if (l[2] > c[2])
+        return true;
+    return false;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chriscode/hush",
-  "version": "2.6.0",
+  "version": "2.7.0",
   "description": "SOPS-based secrets management for monorepos. Encrypt once, decrypt everywhere.",
   "type": "module",
   "bin": {