@chriscode/hush 2.9.1 → 3.0.1
- package/README.md +0 -1
- package/dist/cli.js +5 -15
- package/dist/commands/decrypt.d.ts.map +1 -1
- package/dist/commands/decrypt.js +63 -5
- package/dist/commands/edit.js +1 -1
- package/dist/commands/skill.d.ts.map +1 -1
- package/dist/commands/skill.js +2 -16
- package/dist/types.d.ts +4 -3
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
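--- a/package/README.md
+++ b/package/README.md
@@ -193,7 +193,6 @@ targets:
 | `hush skill` | Install AI skill | ✅ |
 | `hush check` | Verify encryption sync | ✅ |
 | `hush list` | List variables (shows values!) | ⚠️ |
-| `hush decrypt` | Write secrets to disk (deprecated) | ⚠️ |
 
 ## AI-Native Design
 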
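--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -1,8 +1,8 @@
 #!/usr/bin/env node
 import { createRequire } from 'node:module';
 import pc from 'picocolors';
-import { decryptCommand } from './commands/decrypt.js';
 import { encryptCommand } from './commands/encrypt.js';
+import { decryptCommand } from './commands/decrypt.js';
 import { editCommand } from './commands/edit.js';
 import { setCommand } from './commands/set.js';
 import { runCommand } from './commands/run.js';
@@ -46,9 +46,9 @@ ${pc.bold('Commands:')}
 ${pc.bold('Debugging Commands:')}
 resolve <target> Show what variables a target receives (AI-safe)
 trace <key> Trace a variable through sources and targets (AI-safe)
-
-${pc.bold('
-decrypt
+
+${pc.bold('Advanced Commands:')}
+decrypt --force Write secrets to disk (requires confirmation, last resort)
 
 ${pc.bold('Options:')}
 -e, --env <env> Environment: development or production (default: development)
@@ -305,17 +305,7 @@ async function main() {
 await encryptCommand({ root });
 break;
 case 'decrypt':
-
-console.warn(pc.yellow(' Use "hush run -- <command>" instead for better security.'));
-console.warn(pc.dim(' To suppress this warning, use "hush unsafe:decrypt"'));
-console.warn('');
-await decryptCommand({ root, env });
-break;
-case 'unsafe:decrypt':
-console.warn(pc.red('⚠️ UNSAFE MODE: Writing unencrypted secrets to disk.'));
-console.warn(pc.red(' These files will be readable by AI assistants and other tools.'));
-console.warn('');
-await decryptCommand({ root, env });
+await decryptCommand({ root, env, force });
 break;
 case 'run':
 await runCommand({ root, env, target, command: cmdArgs });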
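Review bot: `force` is passed to `decryptCommand` in the `case 'decrypt':` branch, but none of the five lines this file adds defines it, so it presumably comes from an option that `main()` already parsed for other commands; confirm it is a strict boolean and that reusing a general `--force` as the gate for plaintext writes is intended, and say so in a comment such as `// force: from --force; decryptCommand refuses to write plaintext without it`. The `unsafe:decrypt` case is removed without a replacement branch, so existing invocations now reach whatever the switch does for unknown commands, which is outside the hunk; a short branch that prints the `hush run -- <command>` guidance and exits non-zero would make the migration explicit. `main()` starts and ends outside the visible hunks.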
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../src/commands/decrypt.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../src/commands/decrypt.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,cAAc,EAAU,MAAM,aAAa,CAAC;AAmD1D,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CA8F3E"}
|
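--- a/package/dist/commands/decrypt.js
+++ b/package/dist/commands/decrypt.js
@@ -1,3 +1,4 @@
+import { createInterface } from 'node:readline';
 import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
@@ -12,10 +13,65 @@ import { FORMAT_OUTPUT_FILES } from '../types.js';
 function getEncryptedPath(sourcePath) {
 return sourcePath + '.encrypted';
 }
+async function confirmDangerousOperation() {
+if (!process.stdin.isTTY) {
+console.error(pc.red('\nError: decrypt --force requires interactive confirmation.'));
+console.error(pc.dim('This command cannot be run in non-interactive environments.'));
+console.error(pc.dim('\nUse "hush run -- <command>" instead to inject secrets into memory.'));
+return false;
+}
+console.log('');
+console.log(pc.red('━'.repeat(70)));
+console.log(pc.red(pc.bold(' ⚠️ WARNING: WRITING PLAINTEXT SECRETS TO DISK')));
+console.log(pc.red('━'.repeat(70)));
+console.log('');
+console.log(pc.yellow(' This will create unencrypted .env files that:'));
+console.log(pc.dim(' • Can be read by AI assistants, scripts, and other tools'));
+console.log(pc.dim(' • May accidentally be committed to git'));
+console.log(pc.dim(' • Defeat the "encrypted at rest" security model'));
+console.log('');
+console.log(pc.green(' Recommended alternative:'));
+console.log(pc.cyan(' hush run -- <your-command>'));
+console.log(pc.dim(' Decrypts to memory only, secrets never touch disk.'));
+console.log('');
+console.log(pc.red('━'.repeat(70)));
+console.log('');
+const rl = createInterface({
+input: process.stdin,
+output: process.stdout,
+});
+return new Promise((resolve) => {
+rl.question(`${pc.bold('Type "yes" to proceed:')} `, (answer) => {
+rl.close();
+if (answer.toLowerCase() === 'yes') {
+console.log('');
+resolve(true);
+}
+else {
+console.log(pc.dim('\nAborted. No files were written.'));
+resolve(false);
+}
+});
+});
+}
 export async function decryptCommand(options) {
-const { root, env } = options;
+const { root, env, force } = options;
+if (!force) {
+console.error(pc.red('Error: decrypt requires --force flag'));
+console.error('');
+console.error(pc.dim('This command writes plaintext secrets to disk, which is generally unsafe.'));
+console.error(pc.dim('Use "hush run -- <command>" instead for memory-only decryption.'));
+console.error('');
+console.error(pc.dim('If you really need plaintext files:'));
+console.error(pc.cyan(' hush decrypt --force'));
+process.exit(1);
+}
+const confirmed = await confirmDangerousOperation();
+if (!confirmed) {
+process.exit(0);
+}
 const config = loadConfig(root);
-console.log(pc.
+console.log(pc.yellow(`⚠️ Writing unencrypted secrets for ${env}...`));
 const sharedEncrypted = join(root, getEncryptedPath(config.sources.shared));
 const envEncrypted = join(root, getEncryptedPath(config.sources[env]));
 const localPath = join(root, '.env.local');
@@ -48,7 +104,7 @@ export async function decryptCommand(options) {
 if (unresolved.length > 0) {
 console.warn(pc.yellow(` Warning: ${unresolved.length} vars have unresolved references`));
 }
-console.log(pc.
+console.log(pc.yellow(`\n⚠️ Writing to ${config.targets.length} targets:`));
 for (const target of config.targets) {
 const targetDir = join(root, target.path);
 const filtered = filterVarsForTarget(interpolated, target);
@@ -64,8 +120,10 @@ export async function decryptCommand(options) {
 const content = formatVars(filtered, target.format);
 writeFileSync(outputPath, content, 'utf-8');
 const relativePath = target.path === '.' ? outputFilename : `${target.path}/${outputFilename}`;
-console.log(pc.
+console.log(pc.yellow(` ⚠️ ${relativePath}`) +
 pc.dim(` (${target.format}, ${filtered.length} vars)`));
 }
-console.log(
+console.log('');
+console.log(pc.yellow('⚠️ Decryption complete - plaintext secrets on disk'));
+console.log(pc.dim(' Delete these files when done, or use "hush run" next time.'));
 }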
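Review bot: The non-interactive refusal in `confirmDangerousOperation` prints an "Error:" message but returns `false`, and `decryptCommand` then calls `process.exit(0)`, so a script or CI step that runs `hush decrypt --force` without a TTY sees success although no files were written; exit non-zero on that path, for example `process.exit(1);` in the `!confirmed` branch or a distinct return value for the non-TTY case. Separately, the unchanged `writeFileSync(outputPath, content, 'utf-8')` creates the plaintext files with the default mode, which under a typical umask leaves them readable by other local users; `writeFileSync(outputPath, content, { encoding: 'utf-8', mode: 0o600 });` narrows that for newly created files (a file that already exists keeps its mode). The `isTTY` test and the typed "yes" slow down accidental or automated use rather than enforce access control, and a one-line comment above `confirmDangerousOperation` should say so. `decryptCommand`'s body is only partly visible in these hunks.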
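--- a/package/dist/commands/edit.js
+++ b/package/dist/commands/edit.js
@@ -18,5 +18,5 @@ export async function editCommand(options) {
 console.log(pc.dim('Changes will be encrypted on save'));
 sopsEdit(encryptedPath);
 console.log(pc.green('\nEdit complete'));
-console.log(pc.dim('Run "hush
+console.log(pc.dim('Run "hush run -- <command>" to use updated secrets'));
 }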
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAopChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}
|
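--- a/package/dist/commands/skill.js
+++ b/package/dist/commands/skill.js
@@ -100,8 +100,9 @@ npx hush run -e production -- npm build # Production
 | \`npx hush keys setup\` | Set up encryption keys | New team member |
 
 ### Commands to AVOID:
-- \`hush decrypt\` - Writes plaintext to disk (security risk!)
 - \`cat .env\` - Never read plaintext .env files directly
+- \`hush list\` - Shows actual secret values (use \`hush inspect\` instead)
+- \`hush decrypt --force\` - Writes plaintext to disk (use \`hush run\` instead)
 
 ---
 
@@ -634,21 +635,6 @@ hush trace STRIPE_SECRET_KEY # Trace another variable
 
 ---
 
-## Deprecated Commands (Avoid)
-
-### hush decrypt / hush unsafe:decrypt ⚠️
-
-**DEPRECATED:** Writes unencrypted secrets to disk, defeating the "encrypted at rest" model.
-
-\`\`\`bash
-hush decrypt # Writes plaintext .env files (avoid!)
-hush unsafe:decrypt # Same, explicit unsafe mode
-\`\`\`
-
-Use \`hush run -- <command>\` instead.
-
----
-
 ## Quick Reference
 
 | Command | Purpose |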
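--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -24,12 +24,13 @@ export interface EnvVar {
 key: string;
 value: string;
 }
-export interface
-env: Environment;
+export interface EncryptOptions {
 root: string;
 }
-export interface
+export interface DecryptOptions {
 root: string;
+env: Environment;
+force: boolean;
 }
 export interface EditOptions {
 root: string;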
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC;AAC7E,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,YAAY,CAAC;AAEvD,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,WAAW,CAAC;IACrB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,eAAO,MAAM,sBAAsB,IAAI,CAAC;AAExC,MAAM,WAAW,MAAM;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC;AAC7E,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,YAAY,CAAC;AAEvD,MAAM,WAAW,MAAM;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,YAAY,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,WAAW,CAAC;IACrB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,eAAO,MAAM,sBAAsB,IAAI,CAAC;AAExC,MAAM,WAAW,MAAM;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,KAAK,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,QAAQ,GAAG,aAAa,GAAG,YAAY,GAAG,OAAO,CAAC;CAC1D;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,QAAQ,GAAG,aAAa,GAAG,YAAY,GAAG,OAAO,CAAC;IACzD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,OAAO,CAAC;IACd,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,WAAW,EAAE,OAAO,CAAC;IACrB,aAAa,EAAE,OAAO,CAAC;IACvB,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED,MAAM,MAAM,cAAc,GAAG,gBAAgB,GAAG,mBAAmB,GAAG,gBAAgB,GAAG,oBAAoB,CAAC;AAE9G,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,M
AAM,EAAE,OAAO,CAAC;IAChB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,CAAC,EAAE,cAAc,CAAC;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,IAAI,GAAG,OAAO,GAAG,OAAO,GAAG,WAAW,CAAC;IAC/C,KAAK,EAAE,eAAe,EAAE,CAAC;IACzB,cAAc,CAAC,EAAE,mBAAmB,EAAE,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,eAAO,MAAM,eAAe,EAAE,WAK7B,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAqBjF,CAAC"}
|