@chriscode/hush 4.1.0 → 4.1.2

package/dist/cli.js

@@ -79,6 +79,11 @@ ${pc.bold('Variable Expansion (v4+):')}
     \${VAR:-default}  Pull VAR, use default if missing
     \${env:VAR}       Read from system environment (CI, etc.)
   
+  Behavior:
+    - Template vars are merged with target filters (additive)
+    - Template vars take precedence over target filters
+    - Subdirectory templates are safe to commit
+  
   Example subdirectory template (apps/mobile/.env):
     EXPO_PUBLIC_API_URL=\${API_URL}
     PORT=\${PORT:-3000}
@@ -90,8 +95,8 @@ ${pc.bold('Examples:')}
   hush encrypt                  Encrypt .env files
   hush run -- npm start         Run with secrets in memory (AI-safe!)
   hush run -e prod -- npm build Run with production secrets
-  hush run -t api -- wrangler dev  Run filtered for 'api' target
-  cd apps/mobile && hush run -- expo start  Run from subdirectory with templates
+  hush run -t api -- wrangler dev  Run filtered for 'api' target (root secrets only)
+  cd apps/mobile && hush run -- expo start  Run from subdirectory (applies template + target filters)
   hush set DATABASE_URL         Set a secret interactively (AI-safe)
   hush set API_KEY --gui        Set secret via macOS dialog (for AI agents)
   hush set API_KEY -e prod      Set a production secret

package/dist/commands/resolve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../src/commands/resolve.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAU,WAAW,EAAU,MAAM,aAAa,CAAC;AAG/D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AA6BD,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAmG3E"}
+{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../src/commands/resolve.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAU,WAAW,EAAU,MAAM,aAAa,CAAC;AAG/D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AA6BD,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAmI3E"}

package/dist/commands/resolve.js

@@ -6,6 +6,7 @@ import { interpolateVars } from '../core/interpolate.js';
 import { mergeVars } from '../core/merge.js';
 import { parseEnvContent } from '../core/parse.js';
 import { decrypt as sopsDecrypt } from '../core/sops.js';
+import { loadLocalTemplates } from '../core/template.js';
 import { FORMAT_OUTPUT_FILES } from '../types.js';
 function matchesPattern(key, pattern) {
     const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
@@ -87,7 +88,7 @@ export async function resolveCommand(options) {
     console.log(`Path: ${pc.dim(target.path + '/')}`);
     console.log(`Format: ${pc.dim(target.format)} ${pc.dim(`(${outputFile})`)}`);
     console.log(`Environment: ${pc.dim(env)}`);
-    console.log(pc.green(`\n✅ INCLUDED VARIABLES (${included.length}):`));
+    console.log(pc.green(`\n✅ ROOT SECRETS (Matched Filters) (${included.length}):`));
     if (included.length === 0) {
         console.log(pc.dim('  (none)'));
     }
@@ -107,5 +108,33 @@ export async function resolveCommand(options) {
             console.log(`  ${v.key.padEnd(maxKeyLen)}  ${pc.dim(`(matches: ${v.pattern})`)}`);
         }
     }
+    const targetAbsPath = join(root, target.path);
+    const localTemplate = loadLocalTemplates(targetAbsPath, env);
+    if (localTemplate.hasTemplate) {
+        console.log(pc.blue(`\n📄 TEMPLATE EXPANSIONS (${pc.dim(join(target.path, '.env'))}):`));
+        const maxKeyLen = Math.max(...localTemplate.vars.map(v => v.key.length));
+        for (const v of localTemplate.vars) {
+            console.log(`  ${v.key.padEnd(maxKeyLen)}  ${pc.dim(`← ${v.value}`)}`);
+        }
+        // Calculate final merged list for clarity
+        const finalKeys = new Set([
+            ...included.map(v => v.key),
+            ...localTemplate.vars.map(v => v.key)
+        ]);
+        console.log(pc.magenta(`\n📦 FINAL INJECTION (${finalKeys.size} total):`));
+        const sortedKeys = Array.from(finalKeys).sort();
+        for (const key of sortedKeys) {
+            const isTemplate = localTemplate.vars.some(v => v.key === key);
+            const isRoot = included.some(v => v.key === key);
+            let sourceInfo = '';
+            if (isTemplate && isRoot)
+                sourceInfo = pc.dim('(template overrides root)');
+            else if (isTemplate)
+                sourceInfo = pc.dim('(template)');
+            else if (isRoot)
+                sourceInfo = pc.dim('(root)');
+            console.log(`  ${key}  ${sourceInfo}`);
+        }
+    }
     console.log('');
 }

package/dist/commands/run.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,UAAU,EAAmC,MAAM,aAAa,CAAC;AAkD/E,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CAuFnE"}
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,UAAU,EAAmC,MAAM,aAAa,CAAC;AAkD/E,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA8GnE"}

package/dist/commands/run.js

@@ -1,6 +1,6 @@
 import { spawnSync } from 'node:child_process';
 import { existsSync } from 'node:fs';
-import { join } from 'node:path';
+import { join, resolve } from 'node:path';
 import pc from 'picocolors';
 import { loadConfig, findProjectRoot } from '../config/loader.js';
 import { filterVarsForTarget } from '../core/filter.js';
@@ -67,20 +67,26 @@ export async function runCommand(options) {
     const rootSecrets = getDecryptedSecrets(projectRoot, env, config);
     const rootSecretsRecord = getRootSecretsAsRecord(rootSecrets);
     const localTemplate = loadLocalTemplates(contextDir, env);
-    let vars;
+    // 1. Resolve Template Vars
+    let templateVars = [];
     if (localTemplate.hasTemplate) {
-        vars = resolveTemplateVars(localTemplate.vars, rootSecretsRecord, { processEnv: process.env });
+        templateVars = resolveTemplateVars(localTemplate.vars, rootSecretsRecord, { processEnv: process.env });
     }
-    else if (target) {
-        const targetConfig = config.targets.find(t => t.name === target);
-        if (!targetConfig) {
-            console.error(pc.red(`Target "${target}" not found in hush.yaml`));
-            console.error(pc.dim(`Available targets: ${config.targets.map(t => t.name).join(', ')}`));
-            process.exit(1);
-        }
-        vars = filterVarsForTarget(rootSecrets, targetConfig);
+    // 2. Resolve Target Vars
+    let targetVars = [];
+    // Find target config: either explicit by name, or implicit by directory matching
+    const targetConfig = target
+        ? config.targets.find(t => t.name === target)
+        : config.targets.find(t => resolve(projectRoot, t.path) === resolve(contextDir));
+    if (target && !targetConfig) {
+        console.error(pc.red(`Target "${target}" not found in hush.yaml`));
+        console.error(pc.dim(`Available targets: ${config.targets.map(t => t.name).join(', ')}`));
+        process.exit(1);
+    }
+    if (targetConfig) {
+        targetVars = filterVarsForTarget(rootSecrets, targetConfig);
         if (targetConfig.format === 'wrangler') {
-            vars.push({ key: 'CLOUDFLARE_INCLUDE_PROCESS_ENV', value: 'true' });
+            targetVars.push({ key: 'CLOUDFLARE_INCLUDE_PROCESS_ENV', value: 'true' });
             const devVarsPath = join(targetConfig.path, '.dev.vars');
             const absDevVarsPath = join(projectRoot, devVarsPath);
             if (existsSync(absDevVarsPath)) {
@@ -91,8 +97,21 @@ export async function runCommand(options) {
             }
         }
     }
+    else if (!localTemplate.hasTemplate && !target) {
+        // If no template and no target matched (and not running explicit target), fallback to all secrets
+        // This maintains backward compatibility for running in root or non-target dirs without templates
+        targetVars = rootSecrets;
+    }
+    // 3. Merge (Template overrides Target)
+    let vars;
+    if (localTemplate.hasTemplate) {
+        // Merge target vars with template vars. 
+        // Template vars take precedence over target vars.
+        // This allows "additive" behavior: get target vars + template vars.
+        vars = mergeVars(targetVars, templateVars);
+    }
     else {
-        vars = rootSecrets;
+        vars = targetVars;
     }
     const unresolved = getUnresolvedVars(vars);
     if (unresolved.length > 0) {

package/dist/commands/skill.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAu+ChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}
+{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAy+ChD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}

package/dist/commands/skill.js

@@ -155,7 +155,9 @@ Hush automatically:
 2. Decrypts root secrets
 3. Loads the local \`.env\` template
 4. Resolves \`\${VAR}\` references against root secrets
-5. Injects the result into your command
+5. **Filters root secrets based on target config (include/exclude)**
+6. **Merges them (Template overrides Target)**
+7. Injects the result into your command
 
 ### Variable Expansion Syntax
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chriscode/hush",
-  "version": "4.1.0",
+  "version": "4.1.2",
   "description": "SOPS-based secrets management for monorepos. Encrypt once, decrypt everywhere.",
   "type": "module",
   "bin": {