@chriscode/hush 4.2.0 → 5.0.1

package/dist/cli.js

@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 import { createRequire } from 'node:module';
 import pc from 'picocolors';
+import { defaultContext } from './context.js';
 import { encryptCommand } from './commands/encrypt.js';
 import { decryptCommand } from './commands/decrypt.js';
 import { editCommand } from './commands/edit.js';
@@ -19,6 +20,7 @@ import { resolveCommand } from './commands/resolve.js';
 import { traceCommand } from './commands/trace.js';
 import { templateCommand } from './commands/template.js';
 import { expansionsCommand } from './commands/expansions.js';
+import { migrateCommand } from './commands/migrate.js';
 import { findConfigPath, loadConfig, checkSchemaVersion } from './config/loader.js';
 import { checkForUpdate } from './utils/version-check.js';
 const require = createRequire(import.meta.url);
@@ -32,9 +34,9 @@ ${pc.bold('Usage:')}
 
 ${pc.bold('Commands:')}
   init              Initialize hush.yaml config
-  encrypt           Encrypt source .env files
+  encrypt           Encrypt source .hush files
   run -- <cmd>      Run command with secrets in memory (AI-safe)
-  set <KEY>         Set a single secret interactively (AI-safe)
+  set [VALUE] <KEY> Set a single secret (AI-safe, prompts if no value)
   edit [file]       Edit all secrets in $EDITOR
   list              List all variables (shows values)
   inspect           List all variables (masked values, AI-safe)
@@ -44,6 +46,7 @@ ${pc.bold('Commands:')}
   status            Show configuration and status
   skill             Install Claude Code / OpenCode skill
   keys <cmd>        Manage SOPS age keys (setup, generate, pull, push, list)
+  migrate           Migrate from v4 (.env.encrypted) to v5 (.hush.encrypted)
 
 ${pc.bold('Debugging Commands:')}
   resolve <target>  Show what variables a target receives (AI-safe)
@@ -72,7 +75,7 @@ ${pc.bold('Options:')}
   -h, --help        Show this help message
   -v, --version     Show version number
 
-${pc.bold('Variable Expansion (v4+):')}
+${pc.bold('Variable Expansion (v5+):')}
   Subdirectory .env files can reference root secrets:
   
     \${VAR}           Pull VAR from root secrets
@@ -90,15 +93,29 @@ ${pc.bold('Variable Expansion (v4+):')}
   
   Subdirectory templates are safe to commit - they contain no secrets.
 
+${pc.bold('File Naming (v5+):')}
+  Hush uses .hush files instead of .env to avoid conflicts with other tools:
+  
+    .hush                  Shared secrets (source file)
+    .hush.development      Development secrets (source file)
+    .hush.encrypted        Encrypted shared secrets (committed)
+    .hush.development.encrypted  Encrypted dev secrets (committed)
+    
+    Subdirectories support templates (e.g. apps/web/.hush.development)
+  
+  The .env files are reserved for other tools (Wrangler, Metro, etc.).
+
 ${pc.bold('Examples:')}
   hush init                     Initialize config + generate keys
-  hush encrypt                  Encrypt .env files
+  hush migrate                  Migrate v4 .env.encrypted to v5 .hush.encrypted
+  hush encrypt                  Encrypt .hush files
   hush run -- npm start         Run with secrets in memory (AI-safe!)
   hush run -e prod -- npm build Run with production secrets
   hush run -t api -- wrangler dev  Run filtered for 'api' target (root secrets only)
   cd apps/mobile && hush run -- expo start  Run from subdirectory (applies template + target filters)
-  hush set DATABASE_URL         Set a secret interactively (AI-safe)
-  hush set API_KEY --gui        Set secret via macOS dialog (for AI agents)
+  hush set DATABASE_URL         Set a secret interactively (prompts for value)
+  hush set "myvalue" API_KEY    Set a secret inline (no prompt)
+  hush set API_KEY --gui        Set secret via GUI dialog (for AI agents)
   hush set API_KEY -e prod      Set a production secret
   hush keys setup               Pull key from 1Password or verify local
   hush keys generate            Generate new key + backup to 1Password
@@ -152,6 +169,7 @@ function parseArgs(args) {
     let vault;
     let file;
     let key;
+    let value;
     let target;
     let cmdArgs = [];
     for (let i = 0; i < args.length; i++) {
@@ -258,8 +276,16 @@ function parseArgs(args) {
             }
             continue;
         }
-        if (command === 'set' && !arg.startsWith('-') && !key) {
-            key = arg;
+        if (command === 'set' && !arg.startsWith('-')) {
+            if (!key) {
+                key = arg;
+            }
+            else if (!value) {
+                // Second positional arg: shift key to value, this arg is the key
+                // Syntax: hush set <VALUE> <KEY>
+                value = key;
+                key = arg;
+            }
             continue;
         }
         if (command === 'has' && !arg.startsWith('-') && !key) {
@@ -279,10 +305,10 @@ function parseArgs(args) {
             continue;
         }
     }
-    return { command, subcommand, env, envExplicit, root, dryRun, verbose, quiet, warn, json, onlyChanged, requireSource, allowPlaintext, global, local, force, gui, vault, file, key, target, cmdArgs };
+    return { command, subcommand, env, envExplicit, root, dryRun, verbose, quiet, warn, json, onlyChanged, requireSource, allowPlaintext, global, local, force, gui, vault, file, key, value, target, cmdArgs };
 }
 function checkMigrationNeeded(root, command) {
-    const skipCommands = ['', 'help', 'version', 'init', 'skill'];
+    const skipCommands = ['', 'help', 'version', 'init', 'skill', 'migrate'];
     if (skipCommands.includes(command))
         return;
     const configPath = findConfigPath(root);
@@ -315,7 +341,7 @@ async function main() {
         printHelp();
         process.exit(0);
     }
-    const { command, subcommand, env, envExplicit, root, dryRun, verbose, quiet, warn, json, onlyChanged, requireSource, allowPlaintext, global, local, force, gui, vault, file, key, target, cmdArgs } = parseArgs(args);
+    const { command, subcommand, env, envExplicit, root, dryRun, verbose, quiet, warn, json, onlyChanged, requireSource, allowPlaintext, global, local, force, gui, vault, file, key, value, target, cmdArgs } = parseArgs(args);
     if (command !== 'run' && !json && !quiet) {
         checkForUpdate(VERSION);
     }
@@ -323,16 +349,16 @@ async function main() {
     try {
         switch (command) {
             case 'init':
-                await initCommand({ root });
+                await initCommand(defaultContext, { root });
                 break;
             case 'encrypt':
-                await encryptCommand({ root });
+                await encryptCommand(defaultContext, { root });
                 break;
             case 'decrypt':
-                await decryptCommand({ root, env, force });
+                await decryptCommand(defaultContext, { root, env, force });
                 break;
             case 'run':
-                await runCommand({ root, env, target, command: cmdArgs });
+                await runCommand(defaultContext, { root, env, target, command: cmdArgs });
                 break;
             case 'set': {
                 let setFile = 'shared';
@@ -342,36 +368,36 @@ async function main() {
                 else if (envExplicit) {
                     setFile = env;
                 }
-                await setCommand({ root, file: setFile, key, gui });
+                await setCommand(defaultContext, { root, file: setFile, key, value, gui });
                 break;
             }
             case 'edit':
-                await editCommand({ root, file });
+                await editCommand(defaultContext, { root, file });
                 break;
             case 'list':
-                await listCommand({ root, env });
+                await listCommand(defaultContext, { root, env });
                 break;
             case 'inspect':
-                await inspectCommand({ root, env });
+                await inspectCommand(defaultContext, { root, env });
                 break;
             case 'has':
                 if (!key) {
                     console.error(pc.red('Usage: hush has <KEY>'));
                     process.exit(1);
                 }
-                await hasCommand({ root, env, key, quiet });
+                await hasCommand(defaultContext, { root, env, key, quiet });
                 break;
             case 'check':
-                await checkCommand({ root, warn, json, quiet, onlyChanged, requireSource, allowPlaintext });
+                await checkCommand(defaultContext, { root, warn, json, quiet, onlyChanged, requireSource, allowPlaintext });
                 break;
             case 'push':
-                await pushCommand({ root, dryRun, verbose, target });
+                await pushCommand(defaultContext, { root, dryRun, verbose, target });
                 break;
             case 'status':
-                await statusCommand({ root });
+                await statusCommand(defaultContext, { root });
                 break;
             case 'skill':
-                await skillCommand({ root, global, local });
+                await skillCommand(defaultContext, { root, global, local });
                 break;
             case 'keys':
                 if (!subcommand) {
@@ -379,7 +405,7 @@ async function main() {
                     console.error(pc.dim('Commands: setup, generate, pull, push, list'));
                     process.exit(1);
                 }
-                await keysCommand({ root, subcommand, vault, force });
+                await keysCommand(defaultContext, { root, subcommand, vault, force });
                 break;
             case 'resolve':
                 if (!target) {
@@ -387,7 +413,7 @@ async function main() {
                     console.error(pc.dim('Example: hush resolve api-workers'));
                     process.exit(1);
                 }
-                await resolveCommand({ root, env, target });
+                await resolveCommand(defaultContext, { root, env, target });
                 break;
             case 'trace':
                 if (!key) {
@@ -395,13 +421,16 @@ async function main() {
                     console.error(pc.dim('Example: hush trace DATABASE_URL'));
                     process.exit(1);
                 }
-                await traceCommand({ root, env, key });
+                await traceCommand(defaultContext, { root, env, key });
                 break;
             case 'template':
-                await templateCommand({ root, env });
+                await templateCommand(defaultContext, { root, env });
                 break;
             case 'expansions':
-                await expansionsCommand({ root, env });
+                await expansionsCommand(defaultContext, { root, env });
+                break;
+            case 'migrate':
+                await migrateCommand(defaultContext, { root, dryRun });
                 break;
             default:
                 if (command) {

package/dist/commands/check.d.ts

@@ -1,4 +1,4 @@
-import type { CheckOptions, CheckResult } from '../types.js';
-export declare function check(options: CheckOptions): Promise<CheckResult>;
-export declare function checkCommand(options: CheckOptions): Promise<void>;
+import type { CheckOptions, CheckResult, HushContext } from '../types.js';
+export declare function check(ctx: HushContext, options: CheckOptions): Promise<CheckResult>;
+export declare function checkCommand(ctx: HushContext, options: CheckOptions): Promise<void>;
 //# sourceMappingURL=check.d.ts.map

package/dist/commands/check.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/commands/check.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,YAAY,EAAmB,WAAW,EAAmC,MAAM,aAAa,CAAC;AAkF/G,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA+BvE;AAuMD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAiCvE"}
+{"version":3,"file":"check.d.ts","sourceRoot":"","sources":["../../src/commands/check.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,YAAY,EAAmB,WAAW,EAAmC,WAAW,EAAE,MAAM,aAAa,CAAC;AAmF5H,wBAAsB,KAAK,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA+BzF;AAwMD,wBAAsB,YAAY,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAiCzF"}

package/dist/commands/check.js

@@ -1,10 +1,6 @@
-import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
-import { execSync } from 'node:child_process';
 import pc from 'picocolors';
-import { loadConfig } from '../config/loader.js';
 import { parseEnvContent } from '../core/parse.js';
-import { decrypt as sopsDecrypt, isSopsInstalled } from '../core/sops.js';
 import { computeDiff, isInSync } from '../lib/diff.js';
 function getSourceEncryptedPairs(config) {
     const pairs = [];
@@ -31,10 +27,10 @@ function getSourceEncryptedPairs(config) {
     }
     return pairs;
 }
-function getGitChangedFiles(root) {
+function getGitChangedFiles(ctx, root) {
     try {
-        const staged = execSync('git diff --cached --name-only', { cwd: root, encoding: 'utf-8' });
-        const unstaged = execSync('git diff --name-only', { cwd: root, encoding: 'utf-8' });
+        const staged = ctx.exec.execSync('git diff --cached --name-only', { cwd: root, encoding: 'utf-8' });
+        const unstaged = ctx.exec.execSync('git diff --name-only', { cwd: root, encoding: 'utf-8' });
         const files = [...staged.split('\n'), ...unstaged.split('\n')].filter(Boolean);
         return new Set(files);
     }
@@ -42,14 +38,15 @@ function getGitChangedFiles(root) {
         return new Set();
     }
 }
-function findPlaintextEnvFiles(root) {
+function findPlaintextEnvFiles(ctx, root) {
     const results = [];
+    // Only warn about .env files (legacy/output files), NOT .hush files (Hush's source files)
     const plaintextPatterns = ['.env', '.env.development', '.env.production', '.env.local', '.env.staging', '.env.test', '.dev.vars'];
     const skipDirs = new Set(['node_modules', '.git', 'dist', 'build', '.next', '.nuxt']);
     function scanDir(dir, relativePath = '') {
         let entries;
         try {
-            entries = readdirSync(dir);
+            entries = ctx.fs.readdirSync(dir);
         }
         catch {
             return;
@@ -60,7 +57,7 @@ function findPlaintextEnvFiles(root) {
             const fullPath = join(dir, entry);
             const relPath = relativePath ? `${relativePath}/${entry}` : entry;
             try {
-                if (statSync(fullPath).isDirectory()) {
+                if (ctx.fs.statSync(fullPath).isDirectory()) {
                     scanDir(fullPath, relPath);
                 }
                 else if (plaintextPatterns.includes(entry)) {
@@ -75,9 +72,9 @@ function findPlaintextEnvFiles(root) {
     scanDir(root);
     return results;
 }
-export async function check(options) {
+export async function check(ctx, options) {
     const { root, requireSource, onlyChanged, allowPlaintext } = options;
-    if (!isSopsInstalled()) {
+    if (!ctx.sops.isSopsInstalled()) {
         return {
             status: 'error',
             files: [{
@@ -91,11 +88,11 @@ export async function check(options) {
                 }],
         };
     }
-    const config = loadConfig(root);
+    const config = ctx.config.loadConfig(root);
     const pairs = getSourceEncryptedPairs(config);
-    const result = checkPairs(root, pairs, requireSource, onlyChanged);
+    const result = checkPairs(ctx, root, pairs, requireSource, onlyChanged);
     if (!allowPlaintext) {
-        const plaintextFiles = findPlaintextEnvFiles(root);
+        const plaintextFiles = findPlaintextEnvFiles(ctx, root);
         if (plaintextFiles.length > 0) {
             result.plaintextFiles = plaintextFiles;
             result.status = 'plaintext';
@@ -103,8 +100,8 @@ export async function check(options) {
     }
     return result;
 }
-function checkPairs(root, pairs, requireSource, onlyChanged) {
-    const changedFiles = onlyChanged ? getGitChangedFiles(root) : null;
+function checkPairs(ctx, root, pairs, requireSource, onlyChanged) {
+    const changedFiles = onlyChanged ? getGitChangedFiles(ctx, root) : null;
     const results = [];
     for (const { source, encrypted } of pairs) {
         const sourcePath = join(root, source);
@@ -116,7 +113,7 @@ function checkPairs(root, pairs, requireSource, onlyChanged) {
                 continue;
             }
         }
-        if (!existsSync(sourcePath)) {
+        if (!ctx.fs.existsSync(sourcePath)) {
             if (requireSource) {
                 results.push({
                     source,
@@ -130,8 +127,8 @@ function checkPairs(root, pairs, requireSource, onlyChanged) {
             }
             continue;
         }
-        if (!existsSync(encryptedPath)) {
-            const sourceContent = readFileSync(sourcePath, 'utf-8');
+        if (!ctx.fs.existsSync(encryptedPath)) {
+            const sourceContent = ctx.fs.readFileSync(sourcePath, 'utf-8');
             const sourceVars = parseEnvContent(sourceContent);
             const allKeys = sourceVars.map(v => v.key);
             results.push({
@@ -146,8 +143,8 @@ function checkPairs(root, pairs, requireSource, onlyChanged) {
             continue;
         }
         try {
-            const decryptedContent = sopsDecrypt(encryptedPath);
-            const sourceContent = readFileSync(sourcePath, 'utf-8');
+            const decryptedContent = ctx.sops.decrypt(encryptedPath);
+            const sourceContent = ctx.fs.readFileSync(sourcePath, 'utf-8');
             const sourceVars = parseEnvContent(sourceContent);
             const encryptedVars = parseEnvContent(decryptedContent);
             const diff = computeDiff(sourceVars, encryptedVars);
@@ -206,8 +203,8 @@ function formatTextOutput(result) {
         lines.push(pc.yellow('These files contain plaintext secrets that could be exposed to AI assistants.'));
         lines.push('');
         lines.push(pc.bold('To fix:'));
-        lines.push(pc.dim('  1. Run: hush encrypt'));
-        lines.push(pc.dim('  2. Delete the plaintext files (the .encrypted versions are your source of truth)'));
+        lines.push(pc.dim('  1. Run: hush migrate (if upgrading from v4)'));
+        lines.push(pc.dim('  2. Delete or gitignore these .env files'));
         lines.push(pc.dim('  3. Add to .gitignore: .env, .env.*, .dev.vars'));
         lines.push('');
         lines.push(pc.dim('To allow plaintext files (not recommended): --allow-plaintext'));
@@ -276,31 +273,31 @@ function formatTextOutput(result) {
 function formatJsonOutput(result) {
     return JSON.stringify(result, null, 2);
 }
-export async function checkCommand(options) {
-    const result = await check(options);
+export async function checkCommand(ctx, options) {
+    const result = await check(ctx, options);
     if (!options.quiet) {
         if (options.json) {
-            console.log(formatJsonOutput(result));
+            ctx.logger.log(formatJsonOutput(result));
         }
         else {
-            console.log(formatTextOutput(result));
+            ctx.logger.log(formatTextOutput(result));
         }
     }
     if (result.status === 'plaintext' && !options.warn) {
-        process.exit(4);
+        ctx.process.exit(4);
     }
     if (result.status === 'error') {
         const hasSopsError = result.files.some(f => f.error === 'SOPS_NOT_INSTALLED');
         const hasDecryptError = result.files.some(f => f.error === 'DECRYPT_FAILED');
         if (hasSopsError || hasDecryptError) {
-            process.exit(3);
+            ctx.process.exit(3);
         }
         if (result.files.some(f => f.error === 'SOURCE_MISSING')) {
-            process.exit(2);
+            ctx.process.exit(2);
         }
     }
     if (result.status === 'drift' && !options.warn) {
-        process.exit(1);
+        ctx.process.exit(1);
     }
-    process.exit(0);
+    ctx.process.exit(0);
 }

package/dist/commands/decrypt.d.ts

@@ -1,3 +1,3 @@
-import type { DecryptOptions } from '../types.js';
-export declare function decryptCommand(options: DecryptOptions): Promise<void>;
+import type { DecryptOptions, HushContext } from '../types.js';
+export declare function decryptCommand(ctx: HushContext, options: DecryptOptions): Promise<void>;
 //# sourceMappingURL=decrypt.d.ts.map

package/dist/commands/decrypt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../src/commands/decrypt.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,cAAc,EAAU,MAAM,aAAa,CAAC;AAmD1D,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CA8F3E"}
+{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../../src/commands/decrypt.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,cAAc,EAAU,WAAW,EAAE,MAAM,aAAa,CAAC;AAmDvE,wBAAsB,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CA8F7F"}

package/dist/commands/decrypt.js

@@ -1,60 +1,57 @@
 import { createInterface } from 'node:readline';
-import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
-import { loadConfig } from '../config/loader.js';
 import { filterVarsForTarget } from '../core/filter.js';
 import { interpolateVars, getUnresolvedVars } from '../core/interpolate.js';
 import { mergeVars } from '../core/merge.js';
 import { parseEnvContent, parseEnvFile } from '../core/parse.js';
-import { decrypt as sopsDecrypt } from '../core/sops.js';
 import { formatVars } from '../formats/index.js';
 import { FORMAT_OUTPUT_FILES } from '../types.js';
 function getEncryptedPath(sourcePath) {
     return sourcePath + '.encrypted';
 }
-async function confirmDangerousOperation() {
-    if (!process.stdin.isTTY) {
-        console.error(pc.red('\nError: decrypt --force requires interactive confirmation.'));
-        console.error(pc.dim('This command cannot be run in non-interactive environments.'));
-        console.error(pc.dim('\nUse "hush run -- <command>" instead to inject secrets into memory.'));
+async function confirmDangerousOperation(ctx) {
+    if (!ctx.process.stdin.isTTY) {
+        ctx.logger.error('\nError: decrypt --force requires interactive confirmation.');
+        ctx.logger.error('This command cannot be run in non-interactive environments.');
+        ctx.logger.error('\nUse "hush run -- <command>" instead to inject secrets into memory.');
         return false;
     }
-    console.log('');
-    console.log(pc.red('━'.repeat(70)));
-    console.log(pc.red(pc.bold('  ⚠️  WARNING: WRITING PLAINTEXT SECRETS TO DISK')));
-    console.log(pc.red('━'.repeat(70)));
-    console.log('');
-    console.log(pc.yellow('  This will create unencrypted .env files that:'));
-    console.log(pc.dim('    • Can be read by AI assistants, scripts, and other tools'));
-    console.log(pc.dim('    • May accidentally be committed to git'));
-    console.log(pc.dim('    • Defeat the "encrypted at rest" security model'));
-    console.log('');
-    console.log(pc.green('  Recommended alternative:'));
-    console.log(pc.cyan('    hush run -- <your-command>'));
-    console.log(pc.dim('    Decrypts to memory only, secrets never touch disk.'));
-    console.log('');
-    console.log(pc.red('━'.repeat(70)));
-    console.log('');
+    ctx.logger.log('');
+    ctx.logger.log(pc.red('━'.repeat(70)));
+    ctx.logger.log(pc.red(pc.bold('  ⚠️  WARNING: WRITING PLAINTEXT SECRETS TO DISK')));
+    ctx.logger.log(pc.red('━'.repeat(70)));
+    ctx.logger.log('');
+    ctx.logger.log(pc.yellow('  This will create unencrypted .env files that:'));
+    ctx.logger.log(pc.dim('    • Can be read by AI assistants, scripts, and other tools'));
+    ctx.logger.log(pc.dim('    • May accidentally be committed to git'));
+    ctx.logger.log(pc.dim('    • Defeat the "encrypted at rest" security model'));
+    ctx.logger.log('');
+    ctx.logger.log(pc.green('  Recommended alternative:'));
+    ctx.logger.log(pc.cyan('    hush run -- <command>'));
+    ctx.logger.log(pc.dim('    Decrypts to memory only, secrets never touch disk.'));
+    ctx.logger.log('');
+    ctx.logger.log(pc.red('━'.repeat(70)));
+    ctx.logger.log('');
     const rl = createInterface({
-        input: process.stdin,
-        output: process.stdout,
+        input: ctx.process.stdin,
+        output: ctx.process.stdout,
     });
     return new Promise((resolve) => {
         rl.question(`${pc.bold('Type "yes" to proceed:')} `, (answer) => {
             rl.close();
             if (answer.toLowerCase() === 'yes') {
-                console.log('');
+                ctx.logger.log('');
                 resolve(true);
             }
             else {
-                console.log(pc.dim('\nAborted. No files were written.'));
+                ctx.logger.log(pc.dim('\nAborted. No files were written.'));
                 resolve(false);
             }
         });
     });
 }
-export async function decryptCommand(options) {
+export async function decryptCommand(ctx, options) {
     const { root, env, force } = options;
     if (!force) {
         console.error(pc.red('Error: decrypt requires --force flag'));
@@ -66,64 +63,64 @@ export async function decryptCommand(options) {
         console.error(pc.cyan('  hush decrypt --force'));
         process.exit(1);
     }
-    const confirmed = await confirmDangerousOperation();
+    const confirmed = await confirmDangerousOperation(ctx);
     if (!confirmed) {
-        process.exit(0);
+        ctx.process.exit(0);
     }
-    const config = loadConfig(root);
-    console.log(pc.yellow(`⚠️  Writing unencrypted secrets for ${env}...`));
+    const config = ctx.config.loadConfig(root);
+    ctx.logger.log(pc.yellow(`⚠️  Writing unencrypted secrets for ${env}...`));
     const sharedEncrypted = join(root, getEncryptedPath(config.sources.shared));
     const envEncrypted = join(root, getEncryptedPath(config.sources[env]));
-    const localPath = join(root, '.env.local');
+    const localPath = join(root, config.sources.local);
     const varSources = [];
-    if (existsSync(sharedEncrypted)) {
-        const content = sopsDecrypt(sharedEncrypted);
+    if (ctx.fs.existsSync(sharedEncrypted)) {
+        const content = ctx.sops.decrypt(sharedEncrypted);
         const vars = parseEnvContent(content);
         varSources.push(vars);
-        console.log(pc.dim(`  ${config.sources.shared}.encrypted: ${vars.length} vars`));
+        ctx.logger.log(pc.dim(`  ${config.sources.shared}.encrypted: ${vars.length} vars`));
     }
-    if (existsSync(envEncrypted)) {
-        const content = sopsDecrypt(envEncrypted);
+    if (ctx.fs.existsSync(envEncrypted)) {
+        const content = ctx.sops.decrypt(envEncrypted);
         const vars = parseEnvContent(content);
         varSources.push(vars);
-        console.log(pc.dim(`  ${config.sources[env]}.encrypted: ${vars.length} vars`));
+        ctx.logger.log(pc.dim(`  ${config.sources[env]}.encrypted: ${vars.length} vars`));
     }
-    if (existsSync(localPath)) {
+    if (ctx.fs.existsSync(localPath)) {
         const vars = parseEnvFile(localPath);
         varSources.push(vars);
-        console.log(pc.dim(`  .env.local: ${vars.length} vars (overrides)`));
+        ctx.logger.log(pc.dim(`  ${config.sources.local}: ${vars.length} vars (overrides)`));
     }
     if (varSources.length === 0) {
-        console.error(pc.red('No encrypted files found'));
-        console.error(pc.dim(`Expected: ${sharedEncrypted}`));
-        process.exit(1);
+        ctx.logger.error(pc.red('No encrypted files found'));
+        ctx.logger.error(pc.dim(`Expected: ${sharedEncrypted}`));
+        ctx.process.exit(1);
     }
     const merged = mergeVars(...varSources);
     const interpolated = interpolateVars(merged);
     const unresolved = getUnresolvedVars(interpolated);
     if (unresolved.length > 0) {
-        console.warn(pc.yellow(`  Warning: ${unresolved.length} vars have unresolved references`));
+        ctx.logger.warn(pc.yellow(`  Warning: ${unresolved.length} vars have unresolved references`));
     }
-    console.log(pc.yellow(`\n⚠️  Writing to ${config.targets.length} targets:`));
+    ctx.logger.log(pc.yellow(`\n⚠️  Writing to ${config.targets.length} targets:`));
     for (const target of config.targets) {
         const targetDir = join(root, target.path);
         const filtered = filterVarsForTarget(interpolated, target);
         if (filtered.length === 0) {
-            console.log(pc.dim(`  ${target.path}/ - no matching vars, skipped`));
+            ctx.logger.log(pc.dim(`  ${target.path}/ - no matching vars, skipped`));
             continue;
         }
         const outputFilename = FORMAT_OUTPUT_FILES[target.format][env];
         const outputPath = join(targetDir, outputFilename);
-        if (!existsSync(targetDir)) {
-            mkdirSync(targetDir, { recursive: true });
+        if (!ctx.fs.existsSync(targetDir)) {
+            ctx.fs.mkdirSync(targetDir, { recursive: true });
         }
         const content = formatVars(filtered, target.format);
-        writeFileSync(outputPath, content, 'utf-8');
+        ctx.fs.writeFileSync(outputPath, content, 'utf-8');
         const relativePath = target.path === '.' ? outputFilename : `${target.path}/${outputFilename}`;
-        console.log(pc.yellow(`  ⚠️  ${relativePath}`) +
+        ctx.logger.log(pc.yellow(`  ⚠️  ${relativePath}`) +
             pc.dim(` (${target.format}, ${filtered.length} vars)`));
     }
-    console.log('');
-    console.log(pc.yellow('⚠️  Decryption complete - plaintext secrets on disk'));
-    console.log(pc.dim('   Delete these files when done, or use "hush run" next time.'));
+    ctx.logger.log('');
+    ctx.logger.log(pc.yellow('⚠️  Decryption complete - plaintext secrets on disk'));
+    ctx.logger.log(pc.dim('   Delete these files when done, or use "hush run" next time.'));
 }

package/dist/commands/edit.d.ts

@@ -1,3 +1,3 @@
-import type { EditOptions } from '../types.js';
-export declare function editCommand(options: EditOptions): Promise<void>;
+import type { EditOptions, HushContext } from '../types.js';
+export declare function editCommand(ctx: HushContext, options: EditOptions): Promise<void>;
 //# sourceMappingURL=edit.d.ts.map

package/dist/commands/edit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"edit.d.ts","sourceRoot":"","sources":["../../src/commands/edit.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI/C,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBrE"}
+{"version":3,"file":"edit.d.ts","sourceRoot":"","sources":["../../src/commands/edit.ts"],"names":[],"mappings":"AAGC,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI7D,wBAAsB,WAAW,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBvF"}

package/dist/commands/edit.js

@@ -1,22 +1,20 @@
-import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
-import { loadConfig } from '../config/loader.js';
 import { edit as sopsEdit } from '../core/sops.js';
-export async function editCommand(options) {
+export async function editCommand(ctx, options) {
     const { root, file } = options;
-    const config = loadConfig(root);
+    const config = ctx.config.loadConfig(root);
     const fileKey = file ?? 'shared';
     const sourcePath = config.sources[fileKey];
     const encryptedPath = join(root, sourcePath + '.encrypted');
-    if (!existsSync(encryptedPath)) {
-        console.error(pc.red(`Encrypted file not found: ${sourcePath}.encrypted`));
-        console.error(pc.dim('Run "hush encrypt" first to create encrypted files'));
-        process.exit(1);
+    if (!ctx.fs.existsSync(encryptedPath)) {
+        ctx.logger.error(pc.red(`Encrypted file not found: ${sourcePath}.encrypted`));
+        ctx.logger.error(pc.dim('Run "hush encrypt" first to create encrypted files'));
+        ctx.process.exit(1);
     }
-    console.log(pc.blue(`Editing ${sourcePath}.encrypted...`));
-    console.log(pc.dim('Changes will be encrypted on save'));
+    ctx.logger.log(pc.blue(`Editing ${sourcePath}.encrypted...`));
+    ctx.logger.log(pc.dim('Changes will be encrypted on save'));
     sopsEdit(encryptedPath);
-    console.log(pc.green('\nEdit complete'));
-    console.log(pc.dim('Run "hush run -- <command>" to use updated secrets'));
+    ctx.logger.log(pc.green('\nEdit complete'));
+    ctx.logger.log(pc.dim('Run "hush run -- <command>" to use updated secrets'));
 }