@chriscode/hush 4.2.0 → 5.0.0

package/dist/cli.js

@@ -19,6 +19,7 @@ import { resolveCommand } from './commands/resolve.js';
 import { traceCommand } from './commands/trace.js';
 import { templateCommand } from './commands/template.js';
 import { expansionsCommand } from './commands/expansions.js';
+import { migrateCommand } from './commands/migrate.js';
 import { findConfigPath, loadConfig, checkSchemaVersion } from './config/loader.js';
 import { checkForUpdate } from './utils/version-check.js';
 const require = createRequire(import.meta.url);
@@ -32,7 +33,7 @@ ${pc.bold('Usage:')}
 
 ${pc.bold('Commands:')}
   init              Initialize hush.yaml config
-  encrypt           Encrypt source .env files
+  encrypt           Encrypt source .hush files
   run -- <cmd>      Run command with secrets in memory (AI-safe)
   set <KEY>         Set a single secret interactively (AI-safe)
   edit [file]       Edit all secrets in $EDITOR
@@ -44,6 +45,7 @@ ${pc.bold('Commands:')}
   status            Show configuration and status
   skill             Install Claude Code / OpenCode skill
   keys <cmd>        Manage SOPS age keys (setup, generate, pull, push, list)
+  migrate           Migrate from v4 (.env.encrypted) to v5 (.hush.encrypted)
 
 ${pc.bold('Debugging Commands:')}
   resolve <target>  Show what variables a target receives (AI-safe)
@@ -72,7 +74,7 @@ ${pc.bold('Options:')}
   -h, --help        Show this help message
   -v, --version     Show version number
 
-${pc.bold('Variable Expansion (v4+):')}
+${pc.bold('Variable Expansion (v5+):')}
   Subdirectory .env files can reference root secrets:
   
     \${VAR}           Pull VAR from root secrets
@@ -90,9 +92,20 @@ ${pc.bold('Variable Expansion (v4+):')}
   
   Subdirectory templates are safe to commit - they contain no secrets.
 
+${pc.bold('File Naming (v5+):')}
+  Hush uses .hush files instead of .env to avoid conflicts with other tools:
+  
+    .hush                  Shared secrets (source file)
+    .hush.development      Development secrets (source file)
+    .hush.encrypted        Encrypted shared secrets (committed)
+    .hush.development.encrypted  Encrypted dev secrets (committed)
+  
+  The .env files are reserved for other tools (Wrangler, Metro, etc.).
+
 ${pc.bold('Examples:')}
   hush init                     Initialize config + generate keys
-  hush encrypt                  Encrypt .env files
+  hush migrate                  Migrate v4 .env.encrypted to v5 .hush.encrypted
+  hush encrypt                  Encrypt .hush files
   hush run -- npm start         Run with secrets in memory (AI-safe!)
   hush run -e prod -- npm build Run with production secrets
   hush run -t api -- wrangler dev  Run filtered for 'api' target (root secrets only)
@@ -282,7 +295,7 @@ function parseArgs(args) {
     return { command, subcommand, env, envExplicit, root, dryRun, verbose, quiet, warn, json, onlyChanged, requireSource, allowPlaintext, global, local, force, gui, vault, file, key, target, cmdArgs };
 }
 function checkMigrationNeeded(root, command) {
-    const skipCommands = ['', 'help', 'version', 'init', 'skill'];
+    const skipCommands = ['', 'help', 'version', 'init', 'skill', 'migrate'];
     if (skipCommands.includes(command))
         return;
     const configPath = findConfigPath(root);
@@ -403,6 +416,9 @@ async function main() {
             case 'expansions':
                 await expansionsCommand({ root, env });
                 break;
+            case 'migrate':
+                await migrateCommand({ root, dryRun });
+                break;
             default:
                 if (command) {
                     console.error(pc.red(`Unknown command: ${command}`));

package/dist/commands/check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/commands/check.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,YAAY,EAAmB,WAAW,EAAmC,MAAM,aAAa,CAAC;AAkF/G,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA+BvE;AAuMD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAiCvE"}
+{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/commands/check.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,YAAY,EAAmB,WAAW,EAAmC,MAAM,aAAa,CAAC;AAmF/G,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA+BvE;AAuMD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAiCvE"}

package/dist/commands/check.js

@@ -44,6 +44,7 @@ function getGitChangedFiles(root) {
 }
 function findPlaintextEnvFiles(root) {
     const results = [];
+    // Only warn about .env files (legacy/output files), NOT .hush files (Hush's source files)
     const plaintextPatterns = ['.env', '.env.development', '.env.production', '.env.local', '.env.staging', '.env.test', '.dev.vars'];
     const skipDirs = new Set(['node_modules', '.git', 'dist', 'build', '.next', '.nuxt']);
     function scanDir(dir, relativePath = '') {
@@ -206,8 +207,8 @@ function formatTextOutput(result) {
         lines.push(pc.yellow('These files contain plaintext secrets that could be exposed to AI assistants.'));
         lines.push('');
         lines.push(pc.bold('To fix:'));
-        lines.push(pc.dim('  1. Run: hush encrypt'));
-        lines.push(pc.dim('  2. Delete the plaintext files (the .encrypted versions are your source of truth)'));
+        lines.push(pc.dim('  1. Run: hush migrate (if upgrading from v4)'));
+        lines.push(pc.dim('  2. Delete or gitignore these .env files'));
         lines.push(pc.dim('  3. Add to .gitignore: .env, .env.*, .dev.vars'));
         lines.push('');
         lines.push(pc.dim('To allow plaintext files (not recommended): --allow-plaintext'));

package/dist/commands/encrypt.js

@@ -34,7 +34,7 @@ export async function encryptCommand(options) {
     }
     if (encryptedFiles.length === 0) {
         console.error(pc.red('\nNo source files found to encrypt'));
-        console.error(pc.dim('Create at least .env with your secrets'));
+        console.error(pc.dim('Create at least .hush with your secrets'));
         process.exit(1);
     }
     console.log(pc.blue('\nVerifying encryption...'));

package/dist/commands/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAc,WAAW,EAAU,MAAM,aAAa,CAAC;AAyJnE,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAsErE"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAc,WAAW,EAAU,MAAM,aAAa,CAAC;AAyKnE,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAqFrE"}

package/dist/commands/init.js

@@ -126,6 +126,7 @@ function detectTargets(root) {
     return targets;
 }
 function findExistingPlaintextEnvFiles(root) {
+    // Look for legacy .env files that may need migration
     const patterns = ['.env', '.env.development', '.env.production', '.env.local', '.env.staging', '.env.test', '.dev.vars'];
     const found = [];
     for (const pattern of patterns) {
@@ -136,6 +137,18 @@ function findExistingPlaintextEnvFiles(root) {
     }
     return found;
 }
+function findExistingEncryptedFiles(root) {
+    // Look for v4 encrypted files that need migration to v5 (.hush.encrypted)
+    const patterns = ['.env.encrypted', '.env.development.encrypted', '.env.production.encrypted', '.env.local.encrypted'];
+    const found = [];
+    for (const pattern of patterns) {
+        const filePath = join(root, pattern);
+        if (existsSync(filePath)) {
+            found.push(pattern);
+        }
+    }
+    return found;
+}
 export async function initCommand(options) {
     const { root } = options;
     const existingConfig = findConfigPath(root);
@@ -144,14 +157,24 @@ export async function initCommand(options) {
         process.exit(1);
     }
     console.log(pc.blue('Initializing hush...\n'));
+    const existingEncryptedFiles = findExistingEncryptedFiles(root);
+    if (existingEncryptedFiles.length > 0) {
+        console.log(pc.bgYellow(pc.black(' V4 ENCRYPTED FILES DETECTED ')));
+        console.log(pc.yellow('\nFound existing v4 encrypted files:'));
+        for (const file of existingEncryptedFiles) {
+            console.log(pc.yellow(`  ${file}`));
+        }
+        console.log(pc.dim('\nRun "npx hush migrate" to convert to v5 format (.hush.encrypted).\n'));
+    }
     const existingEnvFiles = findExistingPlaintextEnvFiles(root);
     if (existingEnvFiles.length > 0) {
-        console.log(pc.bgYellow(pc.black(' EXISTING SECRETS DETECTED ')));
+        console.log(pc.bgYellow(pc.black(' PLAINTEXT .ENV FILES DETECTED ')));
         console.log(pc.yellow('\nFound existing .env files:'));
         for (const file of existingEnvFiles) {
             console.log(pc.yellow(`  ${file}`));
         }
-        console.log(pc.dim('\nThese will be encrypted after setup. Run "npx hush encrypt" when ready.\n'));
+        console.log(pc.dim('\nRename these to .hush files, then run "npx hush encrypt".\n'));
+        console.log(pc.dim('Example: mv .env .hush && mv .env.development .hush.development\n'));
     }
     const project = getProjectFromPackageJson(root);
     if (!project) {
@@ -179,14 +202,19 @@ export async function initCommand(options) {
         console.log(`  ${pc.cyan(target.name)} ${pc.dim(target.path)} ${pc.magenta(target.format)}`);
     }
     console.log(pc.bold('\nNext steps:'));
-    if (existingEnvFiles.length > 0) {
-        console.log(pc.green('  1. npx hush encrypt') + pc.dim('     # Encrypt existing .env files (deletes plaintext)'));
-        console.log(pc.dim('  2. npx hush inspect') + pc.dim('      # Verify your secrets'));
-        console.log(pc.dim('  3. npx hush run -- <cmd>') + pc.dim(' # Run with secrets in memory'));
+    if (existingEncryptedFiles.length > 0) {
+        console.log(pc.green('  1. npx hush migrate') + pc.dim('      # Convert v4 .env.encrypted to v5 .hush.encrypted'));
+        console.log(pc.dim('  2. npx hush inspect') + pc.dim('       # Verify your secrets'));
+        console.log(pc.dim('  3. npx hush run -- <cmd>') + pc.dim('  # Run with secrets in memory'));
+    }
+    else if (existingEnvFiles.length > 0) {
+        console.log(pc.green('  1. Rename .env files to .hush') + pc.dim(' # mv .env .hush'));
+        console.log(pc.dim('  2. npx hush encrypt') + pc.dim('      # Encrypt .hush files'));
+        console.log(pc.dim('  3. npx hush run -- <cmd>') + pc.dim('  # Run with secrets in memory'));
     }
     else {
-        console.log(pc.dim('  1. npx hush set <KEY>') + pc.dim('    # Add secrets interactively'));
-        console.log(pc.dim('  2. npx hush run -- <cmd>') + pc.dim(' # Run with secrets in memory'));
+        console.log(pc.dim('  1. npx hush set <KEY>') + pc.dim('     # Add secrets interactively'));
+        console.log(pc.dim('  2. npx hush run -- <cmd>') + pc.dim('  # Run with secrets in memory'));
     }
     console.log(pc.dim('\nGit setup:'));
     console.log(pc.dim('  git add hush.yaml .sops.yaml'));

package/dist/commands/migrate.d.ts

@@ -0,0 +1,6 @@
+export interface MigrateOptions {
+    root: string;
+    dryRun: boolean;
+}
+export declare function migrateCommand(options: MigrateOptions): Promise<void>;
+//# sourceMappingURL=migrate.d.ts.map

package/dist/commands/migrate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../src/commands/migrate.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;CACjB;AA8DD,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CA0E3E"}

package/dist/commands/migrate.js

@@ -0,0 +1,116 @@
+import { existsSync, renameSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { parse as parseYaml, stringify as stringifyYaml } from 'yaml';
+import { findConfigPath } from '../config/loader.js';
+const FILE_MIGRATIONS = [
+    { from: '.env.encrypted', to: '.hush.encrypted' },
+    { from: '.env.development.encrypted', to: '.hush.development.encrypted' },
+    { from: '.env.production.encrypted', to: '.hush.production.encrypted' },
+    { from: '.env.local.encrypted', to: '.hush.local.encrypted' },
+];
+const SOURCE_MIGRATIONS = {
+    '.env': '.hush',
+    '.env.development': '.hush.development',
+    '.env.production': '.hush.production',
+    '.env.local': '.hush.local',
+};
+function getMigrationFiles(root) {
+    return FILE_MIGRATIONS.map(({ from, to }) => ({
+        from,
+        to,
+        exists: existsSync(join(root, from)),
+    }));
+}
+function migrateConfig(root, dryRun) {
+    const configPath = findConfigPath(root);
+    if (!configPath)
+        return false;
+    const content = readFileSync(configPath, 'utf-8');
+    const config = parseYaml(content);
+    let modified = false;
+    const sources = config.sources;
+    if (sources) {
+        for (const [oldValue, newValue] of Object.entries(SOURCE_MIGRATIONS)) {
+            for (const [key, value] of Object.entries(sources)) {
+                if (value === oldValue) {
+                    if (!dryRun) {
+                        sources[key] = newValue;
+                    }
+                    modified = true;
+                }
+            }
+        }
+    }
+    if (modified && !dryRun) {
+        const schemaComment = content.startsWith('#') ? content.split('\n')[0] + '\n' : '';
+        const newContent = schemaComment + stringifyYaml(config, { indent: 2 });
+        writeFileSync(configPath, newContent, 'utf-8');
+    }
+    return modified;
+}
+export async function migrateCommand(options) {
+    const { root, dryRun } = options;
+    console.log(pc.blue('Hush v4 → v5 Migration\n'));
+    if (dryRun) {
+        console.log(pc.yellow('DRY RUN - no changes will be made\n'));
+    }
+    const migrations = getMigrationFiles(root);
+    const filesToMigrate = migrations.filter(m => m.exists);
+    if (filesToMigrate.length === 0) {
+        console.log(pc.dim('No v4 encrypted files found (.env.encrypted, etc.)'));
+        console.log(pc.dim('Already on v5 or no encrypted files exist.\n'));
+        const configNeedsMigration = migrateConfig(root, true);
+        if (configNeedsMigration) {
+            console.log(pc.yellow('hush.yaml contains v4 source paths that need updating.\n'));
+            if (!dryRun) {
+                migrateConfig(root, false);
+                console.log(pc.green('Updated hush.yaml source paths to v5 format.\n'));
+            }
+        }
+        return;
+    }
+    console.log(pc.bold('Files to migrate:'));
+    for (const { from, to, exists } of migrations) {
+        if (exists) {
+            console.log(`  ${pc.yellow(from)} → ${pc.green(to)}`);
+        }
+        else {
+            console.log(pc.dim(`  ${from} (not found, skipping)`));
+        }
+    }
+    console.log('');
+    if (dryRun) {
+        console.log(pc.dim('Run without --dry-run to apply changes.'));
+        return;
+    }
+    let migratedCount = 0;
+    for (const { from, to, exists } of migrations) {
+        if (!exists)
+            continue;
+        const fromPath = join(root, from);
+        const toPath = join(root, to);
+        if (existsSync(toPath)) {
+            console.log(pc.yellow(`  Skipping ${from}: ${to} already exists`));
+            continue;
+        }
+        renameSync(fromPath, toPath);
+        console.log(pc.green(`  Migrated ${from} → ${to}`));
+        migratedCount++;
+    }
+    const configUpdated = migrateConfig(root, false);
+    if (configUpdated) {
+        console.log(pc.green('  Updated hush.yaml source paths'));
+    }
+    console.log('');
+    if (migratedCount > 0 || configUpdated) {
+        console.log(pc.green(pc.bold(`Migration complete.`)));
+        console.log(pc.dim('\nNext steps:'));
+        console.log(pc.dim('  1. git add .hush.encrypted .hush.*.encrypted hush.yaml'));
+        console.log(pc.dim('  2. git rm .env.encrypted .env.*.encrypted (if tracked)'));
+        console.log(pc.dim('  3. git commit -m "chore: migrate to Hush v5 format"'));
+    }
+    else {
+        console.log(pc.dim('No changes made.'));
+    }
+}

package/dist/commands/skill.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA8hDhD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}
+{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAuiDhD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CvE"}

package/dist/commands/skill.js

@@ -6,15 +6,15 @@ import pc from 'picocolors';
 const SKILL_FILES = {
     'SKILL.md': `---
 name: hush-secrets
-description: Manage secrets safely using Hush CLI. Use when working with .env files, environment variables, secrets, API keys, database URLs, credentials, or configuration. NEVER read .env files directly - always use hush commands instead to prevent exposing secrets to the LLM.
+description: Manage secrets safely using Hush CLI. Use when working with .hush files, environment variables, secrets, API keys, database URLs, credentials, or configuration. NEVER read .hush files directly - always use hush commands instead to prevent exposing secrets to the LLM.
 allowed-tools: Bash(hush:*), Bash(npx hush:*), Bash(brew:*), Bash(npm:*), Bash(pnpm:*), Bash(age-keygen:*), Read, Grep, Glob, Write, Bash(cat:*), Bash(grep:*)
 ---
 
 # Hush - AI-Native Secrets Management
 
-**CRITICAL: NEVER read root .env files directly.** Always use \`npx hush status\`, \`npx hush inspect\`, or \`npx hush has\` to check secrets.
+**CRITICAL: NEVER read .hush files directly.** Always use \`npx hush status\`, \`npx hush inspect\`, or \`npx hush has\` to check secrets.
 
-Hush keeps secrets **encrypted at rest** at the project root. Subdirectory \`.env\` files are **templates** (safe to commit and read) that reference root secrets via \`\${VAR}\` syntax.
+Hush keeps secrets **encrypted at rest** at the project root using \`.hush.encrypted\` files. Subdirectory \`.env\` files are **templates** (safe to commit and read) that reference root secrets via \`\${VAR}\` syntax.
 
 ## First Step: Investigate Current State
 
@@ -35,7 +35,7 @@ This tells you:
 
 | You See | What It Means | Action |
 |---------|---------------|--------|
-| \`SECURITY WARNING: Unencrypted .env files\` | Plaintext secrets at project root! | Run \`npx hush encrypt\` immediately |
+| \`SECURITY WARNING: Unencrypted .env files\` | Plaintext .env files found (legacy or output) | Run \`npx hush migrate\` or delete them |
 | \`No hush.yaml found\` | Hush not initialized | Run \`npx hush init\` |
 | \`SOPS not installed\` | Missing prerequisite | \`brew install sops\` |
 | \`age key not found\` | Missing encryption key | \`npx hush keys setup\` |
@@ -53,12 +53,12 @@ npx hush encrypt       # Encrypts any existing .env files, deletes plaintext
 npx hush inspect       # Verify setup
 \`\`\`
 
-### Scenario 2: Existing .env Files Found
+### Scenario 2: Existing .env Files Found (Migration from v4)
 
 \`\`\`bash
 npx hush status        # Check what's there
-npx hush encrypt       # Encrypt them (auto-deletes plaintext after verification)
-npx hush inspect       # Confirm everything is encrypted
+npx hush migrate       # Migrate .env.encrypted to .hush.encrypted
+npx hush inspect       # Confirm everything is migrated
 \`\`\`
 
 ### Scenario 3: Hush Already Set Up (Team Member Joining)
@@ -423,9 +423,9 @@ The generated config looks like:
 
 \`\`\`yaml
 sources:
-  shared: .env
-  development: .env.development
-  production: .env.production
+  shared: .hush
+  development: .hush.development
+  production: .hush.production
 
 targets:
   - name: root
@@ -461,29 +461,29 @@ Customize targets for your monorepo. Common patterns:
   format: yaml
 \`\`\`
 
-### Step 5: Create initial \`.env\` files
+### Step 5: Create initial \`.hush\` files
 
-Create \`.env\` with shared secrets:
+Create \`.hush\` with shared secrets:
 
 \`\`\`bash
-# .env
+# .hush
 DATABASE_URL=postgres://localhost/mydb
 API_KEY=your_api_key_here
 NEXT_PUBLIC_API_URL=http://localhost:3000
 \`\`\`
 
-Create \`.env.development\` for dev-specific values:
+Create \`.hush.development\` for dev-specific values:
 
 \`\`\`bash
-# .env.development  
+# .hush.development  
 DEBUG=true
 LOG_LEVEL=debug
 \`\`\`
 
-Create \`.env.production\` for production values:
+Create \`.hush.production\` for production values:
 
 \`\`\`bash
-# .env.production
+# .hush.production
 DEBUG=false
 LOG_LEVEL=error
 \`\`\`
@@ -495,9 +495,9 @@ npx hush encrypt
 \`\`\`
 
 This creates:
-- \`.env.encrypted\`
-- \`.env.development.encrypted\`
-- \`.env.production.encrypted\`
+- \`.hush.encrypted\`
+- \`.hush.development.encrypted\`
+- \`.hush.production.encrypted\`
 
 ### Step 7: Verify setup
 
@@ -511,22 +511,26 @@ npx hush inspect
 Add these lines to \`.gitignore\`:
 
 \`\`\`gitignore
-# Hush - plaintext env files (generated, not committed)
+# Hush - plaintext source files (encrypted versions are committed)
+.hush
+.hush.local
+.hush.development
+.hush.production
+
+# Output files (generated by hush decrypt, not committed)
 .env
-.env.local
-.env.development
-.env.production
+.env.*
 .dev.vars
 
 # Keep encrypted files (these ARE committed)
-!.env.encrypted
-!.env.*.encrypted
+!.hush.encrypted
+!.hush.*.encrypted
 \`\`\`
 
 ### Step 9: Commit encrypted files
 
 \`\`\`bash
-git add .sops.yaml hush.yaml .env*.encrypted .gitignore
+git add .sops.yaml hush.yaml .hush*.encrypted .gitignore
 git commit -m "chore: add Hush secrets management"
 \`\`\`
 
@@ -552,8 +556,8 @@ After setup, verify everything works:
 - [ ] \`npx hush status\` shows configuration
 - [ ] \`npx hush inspect\` shows masked variables
 - [ ] \`npx hush run -- env\` can decrypt and run (secrets stay in memory!)
-- [ ] \`.env.encrypted\` files are committed to git
-- [ ] Plaintext \`.env\` files are in \`.gitignore\`
+- [ ] \`.hush.encrypted\` files are committed to git
+- [ ] Plaintext \`.hush\` and \`.env\` files are in \`.gitignore\`
 
 ---
 
@@ -701,7 +705,7 @@ hush init
 
 ### hush encrypt
 
-Encrypt source \`.env\` files to \`.env.encrypted\` files.
+Encrypt source \`.hush\` files to \`.hush.encrypted\` files.
 
 \`\`\`bash
 hush encrypt
@@ -989,9 +993,9 @@ hush skill --local              # Install to ./.claude/skills/
 
 \`\`\`yaml
 sources:
-  shared: .env
-  development: .env.development
-  production: .env.production
+  shared: .hush
+  development: .hush.development
+  production: .hush.production
 
 targets:
   - name: root
@@ -1046,7 +1050,7 @@ targets:
 | Expo | \`EXPO_PUBLIC_*\` | \`include: [EXPO_PUBLIC_*]\` |
 | Gatsby | \`GATSBY_*\` | \`include: [GATSBY_*]\` |
 
-### Variable Interpolation (v4+)
+### Variable Interpolation (v5+)
 
 Reference other variables using \`\${VAR}\` syntax:
 
@@ -1112,8 +1116,13 @@ This will show:
 
 #### Path A: "SECURITY WARNING: Unencrypted .env files detected"
 \`\`\`bash
+# If migrating from v4 (has .env.encrypted files):
+npx hush migrate       # Converts to .hush.encrypted format
+
+# If new setup with plaintext .env files:
+mv .env .hush          # Rename to .hush
 npx hush init          # If no hush.yaml exists
-npx hush encrypt       # Encrypts files and DELETES plaintext automatically
+npx hush encrypt       # Encrypts .hush files
 npx hush status        # Verify the warning is gone
 \`\`\`
 
@@ -1495,11 +1504,11 @@ Key Status:
 \`\`\`
 
 **Reading this:**
-- There's a security issue - plaintext files exist
+- There are .env files present (legacy or output from decrypt)
 - The project is configured with key management
 - Keys are properly set up and backed up
 
-**To fix:** Run \`npx hush encrypt\`
+**To fix:** Run \`npx hush migrate\` (if v4) or delete/gitignore these .env files
 
 ### npx hush inspect output explained
 

package/dist/commands/status.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../src/commands/status.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAwCjD,wBAAsB,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAmHzE"}
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../src/commands/status.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAyCjD,wBAAsB,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAmHzE"}

package/dist/commands/status.js

@@ -9,6 +9,7 @@ import { opInstalled } from '../lib/onepassword.js';
 import { FORMAT_OUTPUT_FILES } from '../types.js';
 function findRootPlaintextEnvFiles(root) {
     const results = [];
+    // Only warn about .env files (legacy/output), not .hush files (Hush's source files)
     const plaintextPatterns = ['.env', '.env.development', '.env.production', '.env.local', '.env.staging', '.env.test', '.dev.vars'];
     for (const pattern of plaintextPatterns) {
         const filePath = join(root, pattern);
@@ -58,8 +59,8 @@ export async function statusCommand(options) {
         console.log('');
         console.log(pc.yellow('These files may expose secrets to AI assistants and version control.'));
         console.log(pc.bold('\nTo fix:'));
-        console.log(pc.dim('  1. Run: npx hush encrypt'));
-        console.log(pc.dim('  2. The plaintext files will be automatically deleted after encryption'));
+        console.log(pc.dim('  1. Run: npx hush migrate (if upgrading from v4)'));
+        console.log(pc.dim('  2. Delete or gitignore these .env files'));
         console.log(pc.dim('  3. Add to .gitignore: .env, .env.*, .dev.vars\n'));
     }
     console.log(pc.bold('Config:'));
@@ -118,10 +119,10 @@ export async function statusCommand(options) {
             ? pc.green(`  ${label}`)
             : pc.dim(`  ${label} (not found)`));
     }
-    const localPath = join(root, '.env.local');
-    console.log(existsSync(localPath)
-        ? pc.green('  .env.local (overrides)')
-        : pc.dim('  .env.local (optional, not found)'));
+    const localEncryptedPath = join(root, config.sources.local + '.encrypted');
+    console.log(existsSync(localEncryptedPath)
+        ? pc.green(`  ${config.sources.local}.encrypted (overrides)`)
+        : pc.dim(`  ${config.sources.local}.encrypted (optional, not found)`));
     console.log(pc.bold('\nTargets:'));
     for (const target of config.targets) {
         const filter = describeFilter(target);

package/dist/types.js

@@ -1,9 +1,9 @@
 export const CURRENT_SCHEMA_VERSION = 2;
 export const DEFAULT_SOURCES = {
-    shared: '.env',
-    development: '.env.development',
-    production: '.env.production',
-    local: '.env.local',
+    shared: '.hush',
+    development: '.hush.development',
+    production: '.hush.production',
+    local: '.hush.local',
 };
 export const FORMAT_OUTPUT_FILES = {
     dotenv: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chriscode/hush",
-  "version": "4.2.0",
+  "version": "5.0.0",
   "description": "SOPS-based secrets management for monorepos. Encrypt once, decrypt everywhere.",
   "type": "module",
   "bin": {