@chriscode/hush 4.2.0 → 5.0.1

package/dist/commands/init.js

@@ -1,17 +1,12 @@
-import { existsSync, readdirSync, readFileSync, writeFileSync } from 'node:fs';
-import { join } from 'node:path';
 import pc from 'picocolors';
 import { stringify as stringifyYaml } from 'yaml';
-import { findConfigPath } from '../config/loader.js';
-import { ageAvailable, ageGenerate, keyExists, keySave, keyPath } from '../lib/age.js';
-import { opAvailable, opGetKey, opStoreKey } from '../lib/onepassword.js';
 import { DEFAULT_SOURCES } from '../types.js';
-function getProjectFromPackageJson(root) {
-    const pkgPath = join(root, 'package.json');
-    if (!existsSync(pkgPath))
+function getProjectFromPackageJson(ctx, root) {
+    const pkgPath = ctx.path.join(root, 'package.json');
+    if (!ctx.fs.existsSync(pkgPath))
         return null;
     try {
-        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+        const pkg = JSON.parse(ctx.fs.readFileSync(pkgPath, 'utf-8'));
         if (typeof pkg.repository === 'string') {
             const match = pkg.repository.match(/github\.com[/:]([\w-]+\/[\w-]+)/);
             if (match)
@@ -28,86 +23,85 @@ function getProjectFromPackageJson(root) {
     }
     return null;
 }
-async function tryExistingLocalKey(project) {
-    if (!keyExists(project))
+async function tryExistingLocalKey(ctx, project) {
+    if (!ctx.age.keyExists(project))
         return null;
-    const existing = await import('../lib/age.js').then(m => m.keyLoad(project));
+    const existing = await ctx.age.keyLoad(project);
     if (!existing)
         return null;
-    console.log(pc.green(`Using existing key for ${pc.cyan(project)}`));
+    ctx.logger.log(pc.green(`Using existing key for ${pc.cyan(project)}`));
     return { publicKey: existing.public, source: 'existing' };
 }
-async function tryPullFrom1Password(project) {
-    if (!opAvailable())
+async function tryPullFrom1Password(ctx, project) {
+    if (!ctx.onepassword.opAvailable())
         return null;
-    console.log(pc.dim('Checking 1Password for existing key...'));
-    const priv = opGetKey(project);
+    ctx.logger.log(pc.dim('Checking 1Password for existing key...'));
+    const priv = ctx.onepassword.opGetKey(project);
     if (!priv)
         return null;
-    const { agePublicFromPrivate } = await import('../lib/age.js');
-    const pub = agePublicFromPrivate(priv);
-    keySave(project, { private: priv, public: pub });
-    console.log(pc.green(`Pulled key from 1Password for ${pc.cyan(project)}`));
+    const pub = ctx.age.agePublicFromPrivate(priv);
+    ctx.age.keySave(project, { private: priv, public: pub });
+    ctx.logger.log(pc.green(`Pulled key from 1Password for ${pc.cyan(project)}`));
     return { publicKey: pub, source: '1password' };
 }
-function generateAndBackupKey(project) {
-    if (!ageAvailable()) {
-        console.log(pc.yellow('age not installed. Run: brew install age'));
+function generateAndBackupKey(ctx, project) {
+    if (!ctx.age.ageAvailable()) {
+        ctx.logger.log(pc.yellow('age not installed. Run: brew install age'));
         return null;
     }
-    console.log(pc.blue(`Generating new key for ${pc.cyan(project)}...`));
-    const key = ageGenerate();
-    keySave(project, key);
-    console.log(pc.green(`Saved to ${keyPath(project)}`));
-    console.log(pc.dim(`Public: ${key.public}`));
-    if (opAvailable()) {
+    ctx.logger.log(pc.blue(`Generating new key for ${pc.cyan(project)}...`));
+    const key = ctx.age.ageGenerate();
+    ctx.age.keySave(project, key);
+    ctx.logger.log(pc.green(`Saved to ${ctx.age.keyPath(project)}`));
+    ctx.logger.log(pc.dim(`Public: ${key.public}`));
+    if (ctx.onepassword.opAvailable()) {
         try {
-            opStoreKey(project, key.private, key.public);
-            console.log(pc.green('Backed up to 1Password.'));
+            ctx.onepassword.opStoreKey(project, key.private, key.public);
+            ctx.logger.log(pc.green('Backed up to 1Password.'));
         }
         catch (e) {
-            console.warn(pc.yellow(`Could not backup to 1Password: ${e.message}`));
+            ctx.logger.warn(pc.yellow(`Could not backup to 1Password: ${e.message}`));
         }
     }
     return { publicKey: key.public, source: 'generated' };
 }
-async function setupKey(root, project) {
+async function setupKey(ctx, root, project) {
     if (!project) {
-        console.log(pc.yellow('No project identifier found. Skipping key setup.'));
-        console.log(pc.dim('Add "project: my-project" to hush.yaml or set repository in package.json'));
+        ctx.logger.log(pc.yellow('No project identifier found. Skipping key setup.'));
+        ctx.logger.log(pc.dim('Add "project: my-org/my-repo" to hush.yaml or set repository in package.json'));
         return null;
     }
-    return ((await tryExistingLocalKey(project)) ||
-        (await tryPullFrom1Password(project)) ||
-        generateAndBackupKey(project));
+    return ((await tryExistingLocalKey(ctx, project)) ||
+        (await tryPullFrom1Password(ctx, project)) ||
+        generateAndBackupKey(ctx, project));
 }
-function createSopsConfig(root, publicKey) {
-    const sopsPath = join(root, '.sops.yaml');
-    if (existsSync(sopsPath)) {
-        console.log(pc.yellow('.sops.yaml already exists. Add this public key if needed:'));
-        console.log(`  ${publicKey}`);
+function createSopsConfig(ctx, root, publicKey) {
+    const sopsPath = ctx.path.join(root, '.sops.yaml');
+    if (ctx.fs.existsSync(sopsPath)) {
+        ctx.logger.log(pc.yellow('.sops.yaml already exists. Add this public key if needed:'));
+        ctx.logger.log(`  ${publicKey}`);
         return;
     }
     const sopsConfig = stringifyYaml({
         creation_rules: [{ encrypted_regex: '.*', age: publicKey }]
     });
-    writeFileSync(sopsPath, sopsConfig, 'utf-8');
-    console.log(pc.green('Created .sops.yaml'));
+    ctx.fs.writeFileSync(sopsPath, sopsConfig, 'utf-8');
+    ctx.logger.log(pc.green('Created .sops.yaml'));
 }
-function detectTargets(root) {
+function detectTargets(ctx, root) {
     const targets = [{ name: 'root', path: '.', format: 'dotenv' }];
-    const entries = readdirSync(root, { withFileTypes: true });
+    const entries = ctx.fs.readdirSync(root, { withFileTypes: true });
     for (const entry of entries) {
         if (!entry.isDirectory())
             continue;
         if (entry.name.startsWith('.') || entry.name === 'node_modules')
             continue;
-        const dirPath = join(root, entry.name);
-        const packageJsonPath = join(dirPath, 'package.json');
-        const wranglerPath = join(dirPath, 'wrangler.toml');
-        if (!existsSync(packageJsonPath))
+        const dirPath = ctx.path.join(root, entry.name);
+        const packageJsonPath = ctx.path.join(dirPath, 'package.json');
+        const wranglerPath = ctx.path.join(dirPath, 'wrangler.toml');
+        if (!ctx.fs.existsSync(packageJsonPath))
             continue;
-        if (existsSync(wranglerPath)) {
+        if (ctx.fs.existsSync(wranglerPath)) {
             targets.push({
                 name: entry.name,
                 path: `./${entry.name}`,
@@ -125,44 +119,65 @@ function detectTargets(root) {
     }
     return targets;
 }
-function findExistingPlaintextEnvFiles(root) {
+function findExistingPlaintextEnvFiles(ctx, root) {
     const patterns = ['.env', '.env.development', '.env.production', '.env.local', '.env.staging', '.env.test', '.dev.vars'];
     const found = [];
     for (const pattern of patterns) {
-        const filePath = join(root, pattern);
-        if (existsSync(filePath)) {
+        const filePath = ctx.path.join(root, pattern);
+        if (ctx.fs.existsSync(filePath)) {
             found.push(pattern);
         }
     }
     return found;
 }
-export async function initCommand(options) {
+function findExistingEncryptedFiles(ctx, root) {
+    const patterns = ['.env.encrypted', '.env.development.encrypted', '.env.production.encrypted', '.env.local.encrypted'];
+    const found = [];
+    for (const pattern of patterns) {
+        const filePath = ctx.path.join(root, pattern);
+        if (ctx.fs.existsSync(filePath)) {
+            found.push(pattern);
+        }
+    }
+    return found;
+}
+export async function initCommand(ctx, options) {
     const { root } = options;
-    const existingConfig = findConfigPath(root);
+    const existingConfig = ctx.config.findProjectRoot(root);
     if (existingConfig) {
-        console.error(pc.red(`Config already exists: ${existingConfig}`));
-        process.exit(1);
+        ctx.logger.error(pc.red(`Config already exists: ${existingConfig.configPath}`));
+        ctx.process.exit(1);
+    }
+    ctx.logger.log(pc.blue('Initializing hush...\n'));
+    const existingEncryptedFiles = findExistingEncryptedFiles(ctx, root);
+    if (existingEncryptedFiles.length > 0) {
+        ctx.logger.log(pc.bgYellow(pc.black(' V4 ENCRYPTED FILES DETECTED ')));
+        ctx.logger.log(pc.yellow('\nFound existing v4 encrypted files:'));
+        for (const file of existingEncryptedFiles) {
+            ctx.logger.log(pc.yellow(`  ${file}`));
+        }
+        ctx.logger.log(pc.dim('\nRun "npx hush migrate" to convert to v5 format (.hush.encrypted).\n'));
     }
-    console.log(pc.blue('Initializing hush...\n'));
-    const existingEnvFiles = findExistingPlaintextEnvFiles(root);
+    const existingEnvFiles = findExistingPlaintextEnvFiles(ctx, root);
     if (existingEnvFiles.length > 0) {
-        console.log(pc.bgYellow(pc.black(' EXISTING SECRETS DETECTED ')));
-        console.log(pc.yellow('\nFound existing .env files:'));
+        ctx.logger.log(pc.bgYellow(pc.black(' PLAINTEXT .ENV FILES DETECTED ')));
+        ctx.logger.log(pc.yellow('\nFound existing .env files:'));
         for (const file of existingEnvFiles) {
-            console.log(pc.yellow(`  ${file}`));
+            ctx.logger.log(pc.yellow(`  ${file}`));
         }
-        console.log(pc.dim('\nThese will be encrypted after setup. Run "npx hush encrypt" when ready.\n'));
+        ctx.logger.log(pc.dim('\nRename these to .hush files, then run "npx hush encrypt".\n'));
+        ctx.logger.log(pc.dim('Example: mv .env .hush && mv .env.development .hush.development\n'));
     }
-    const project = getProjectFromPackageJson(root);
+    const project = getProjectFromPackageJson(ctx, root);
     if (!project) {
-        console.log(pc.yellow('No project identifier found in package.json.'));
-        console.log(pc.dim('Tip: Add "project: my-org/my-repo" to hush.yaml after creation for key management.\n'));
+        ctx.logger.log(pc.yellow('No project identifier found in package.json.'));
+        ctx.logger.log(pc.dim('Tip: Add "project: my-org/my-repo" to hush.yaml after creation for key management.\n'));
     }
-    const keyResult = await setupKey(root, project);
+    const keyResult = await setupKey(ctx, root, project);
     if (keyResult) {
-        createSopsConfig(root, keyResult.publicKey);
+        createSopsConfig(ctx, root, keyResult.publicKey);
     }
-    const targets = detectTargets(root);
+    const targets = detectTargets(ctx, root);
     const config = {
         version: 2,
         sources: DEFAULT_SOURCES,
@@ -171,24 +186,29 @@ export async function initCommand(options) {
     };
     const yaml = stringifyYaml(config, { indent: 2 });
     const schemaComment = '# yaml-language-server: $schema=https://unpkg.com/@chriscode/hush/schema.json\n';
-    const configPath = join(root, 'hush.yaml');
-    writeFileSync(configPath, schemaComment + yaml, 'utf-8');
-    console.log(pc.green(`\nCreated ${configPath}`));
-    console.log(pc.dim('\nDetected targets:'));
+    const configPath = ctx.path.join(root, 'hush.yaml');
+    ctx.fs.writeFileSync(configPath, schemaComment + yaml, 'utf-8');
+    ctx.logger.log(pc.green(`\nCreated ${configPath}`));
+    ctx.logger.log(pc.dim('\nDetected targets:'));
     for (const target of targets) {
-        console.log(`  ${pc.cyan(target.name)} ${pc.dim(target.path)} ${pc.magenta(target.format)}`);
+        ctx.logger.log(`  ${pc.cyan(target.name)} ${pc.dim(target.path)} ${pc.magenta(target.format)}`);
     }
-    console.log(pc.bold('\nNext steps:'));
-    if (existingEnvFiles.length > 0) {
-        console.log(pc.green('  1. npx hush encrypt') + pc.dim('     # Encrypt existing .env files (deletes plaintext)'));
-        console.log(pc.dim('  2. npx hush inspect') + pc.dim('      # Verify your secrets'));
-        console.log(pc.dim('  3. npx hush run -- <cmd>') + pc.dim(' # Run with secrets in memory'));
+    ctx.logger.log(pc.bold('\nNext steps:'));
+    if (existingEncryptedFiles.length > 0) {
+        ctx.logger.log(pc.green('  1. npx hush migrate') + pc.dim('      # Convert v4 .env.encrypted to v5 .hush.encrypted'));
+        ctx.logger.log(pc.dim('  2. npx hush inspect') + pc.dim('       # Verify your secrets'));
+        ctx.logger.log(pc.dim('  3. npx hush run -- <cmd>') + pc.dim('  # Run with secrets in memory'));
+    }
+    else if (existingEnvFiles.length > 0) {
+        ctx.logger.log(pc.green('  1. Rename .env files to .hush') + pc.dim(' # mv .env .hush'));
+        ctx.logger.log(pc.dim('  2. npx hush encrypt') + pc.dim('      # Encrypt .hush files'));
+        ctx.logger.log(pc.dim('  3. npx hush run -- <cmd>') + pc.dim('  # Run with secrets in memory'));
     }
     else {
-        console.log(pc.dim('  1. npx hush set <KEY>') + pc.dim('    # Add secrets interactively'));
-        console.log(pc.dim('  2. npx hush run -- <cmd>') + pc.dim(' # Run with secrets in memory'));
+        ctx.logger.log(pc.dim('  1. npx hush set <KEY>') + pc.dim('     # Add secrets interactively'));
+        ctx.logger.log(pc.dim('  2. npx hush run -- <cmd>') + pc.dim('  # Run with secrets in memory'));
     }
-    console.log(pc.dim('\nGit setup:'));
-    console.log(pc.dim('  git add hush.yaml .sops.yaml'));
-    console.log(pc.dim('  git commit -m "chore: add Hush secrets management"'));
+    ctx.logger.log(pc.dim('\nGit setup:'));
+    ctx.logger.log(pc.dim('  git add hush.yaml .sops.yaml'));
+    ctx.logger.log(pc.dim('  git commit -m "chore: add Hush secrets management"'));
 }

package/dist/commands/inspect.d.ts

@@ -1,7 +1,7 @@
-import type { Environment } from '../types.js';
+import type { Environment, HushContext } from '../types.js';
 export interface InspectOptions {
     root: string;
     env: Environment;
 }
-export declare function inspectCommand(options: InspectOptions): Promise<void>;
+export declare function inspectCommand(ctx: HushContext, options: InspectOptions): Promise<void>;
 //# sourceMappingURL=inspect.d.ts.map

package/dist/commands/inspect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"inspect.d.ts","sourceRoot":"","sources":["../../src/commands/inspect.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAU,WAAW,EAAE,MAAM,aAAa,CAAC;AAEvD,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;CAClB;AAED,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAqD3E"}
+{"version":3,"file":"inspect.d.ts","sourceRoot":"","sources":["../../src/commands/inspect.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAU,WAAW,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEpE,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;CAClB;AAED,wBAAsB,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAqD7F"}

package/dist/commands/inspect.js

@@ -1,25 +1,23 @@
-import { existsSync } from 'node:fs';
+import { fs } from '../lib/fs.js';
 import { join } from 'node:path';
 import pc from 'picocolors';
-import { loadConfig } from '../config/loader.js';
 import { filterVarsForTarget, describeFilter } from '../core/filter.js';
 import { interpolateVars } from '../core/interpolate.js';
 import { maskVars, formatMaskedVar } from '../core/mask.js';
 import { mergeVars } from '../core/merge.js';
 import { parseEnvContent } from '../core/parse.js';
-import { decrypt as sopsDecrypt } from '../core/sops.js';
-export async function inspectCommand(options) {
+export async function inspectCommand(ctx, options) {
     const { root, env } = options;
-    const config = loadConfig(root);
+    const config = ctx.config.loadConfig(root);
     const sharedEncrypted = join(root, config.sources.shared + '.encrypted');
     const envEncrypted = join(root, config.sources[env] + '.encrypted');
     const varSources = [];
-    if (existsSync(sharedEncrypted)) {
-        const content = sopsDecrypt(sharedEncrypted);
+    if (fs.existsSync(sharedEncrypted)) {
+        const content = ctx.sops.decrypt(sharedEncrypted);
         varSources.push(parseEnvContent(content));
     }
-    if (existsSync(envEncrypted)) {
-        const content = sopsDecrypt(envEncrypted);
+    if (fs.existsSync(envEncrypted)) {
+        const content = ctx.sops.decrypt(envEncrypted);
         varSources.push(parseEnvContent(content));
     }
     if (varSources.length === 0) {
@@ -31,20 +29,20 @@ export async function inspectCommand(options) {
     const interpolated = interpolateVars(merged);
     const masked = maskVars(interpolated);
     const maxKeyLen = Math.max(...masked.map(v => v.key.length));
-    console.log(pc.blue(`\nSecrets for ${env}:\n`));
+    ctx.logger.log(pc.blue(`\nSecrets for ${env}:\n`));
     for (const v of masked) {
         const line = formatMaskedVar(v, maxKeyLen);
-        console.log(`  ${v.isSet ? pc.green(v.key.padEnd(maxKeyLen)) : pc.yellow(v.key.padEnd(maxKeyLen))} = ${v.isSet ? pc.dim(v.masked + ` (${v.length} chars)`) : pc.yellow('(not set)')}`);
+        ctx.logger.log(`  ${v.isSet ? pc.green(v.key.padEnd(maxKeyLen)) : pc.yellow(v.key.padEnd(maxKeyLen))} = ${v.isSet ? pc.dim(v.masked + ` (${v.length} chars)`) : pc.yellow('(not set)')}`);
     }
-    console.log(pc.dim(`\nTotal: ${masked.length} variables\n`));
-    console.log(pc.blue('Target distribution:\n'));
+    ctx.logger.log(pc.dim(`\nTotal: ${masked.length} variables\n`));
+    ctx.logger.log(pc.blue('Target distribution:\n'));
     for (const target of config.targets) {
         const filtered = filterVarsForTarget(interpolated, target);
         const filter = describeFilter(target);
-        console.log(`  ${pc.cyan(target.name)} ${pc.dim(`(${target.path}/)`)} - ${filtered.length} vars`);
+        ctx.logger.log(`  ${pc.cyan(target.name)} ${pc.dim(`(${target.path}/)`)} - ${filtered.length} vars`);
         if (filter !== 'all vars') {
-            console.log(`    ${pc.dim(filter)}`);
+            ctx.logger.log(`    ${pc.dim(filter)}`);
         }
     }
-    console.log('');
+    ctx.logger.log('');
 }

package/dist/commands/keys.d.ts

@@ -1,8 +1,9 @@
+import { HushContext } from '../types.js';
 export interface KeysOptions {
     root: string;
     subcommand: string;
     vault?: string;
     force?: boolean;
 }
-export declare function keysCommand(options: KeysOptions): Promise<void>;
+export declare function keysCommand(ctx: HushContext, options: KeysOptions): Promise<void>;
 //# sourceMappingURL=keys.d.ts.map

package/dist/commands/keys.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAwBD,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA6HrE"}
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../src/commands/keys.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAI1C,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAwBD,wBAAsB,WAAW,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA6HvF"}

package/dist/commands/keys.js

@@ -1,17 +1,15 @@
-import { existsSync, readFileSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
 import { stringify as yamlStringify } from 'yaml';
-import { loadConfig } from '../config/loader.js';
 import { opAvailable, opGetKey, opStoreKey, opListKeys } from '../lib/onepassword.js';
 import { ageAvailable, ageGenerate, agePublicFromPrivate, keyExists, keySave, keyLoad, keysList, keyPath } from '../lib/age.js';
-function getProject(root) {
-    const config = loadConfig(root);
+function getProject(ctx, root) {
+    const config = ctx.config.loadConfig(root);
     if (config.project)
         return config.project;
     const pkgPath = join(root, 'package.json');
-    if (existsSync(pkgPath)) {
-        const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    if (ctx.fs.existsSync(pkgPath)) {
+        const pkg = JSON.parse(ctx.fs.readFileSync(pkgPath, 'utf-8'));
         if (typeof pkg.repository === 'string') {
             const match = pkg.repository.match(/github\.com[/:]([\w-]+\/[\w-]+)/);
             if (match)
@@ -23,18 +21,18 @@ function getProject(root) {
                 return match[1];
         }
     }
-    console.error(pc.red('No project identifier found.'));
-    console.error(pc.dim('Add "project: my-project" to hush.yaml'));
-    process.exit(1);
+    ctx.logger.error(pc.red('No project identifier found.'));
+    ctx.logger.error(pc.dim('Add "project: my-project" to hush.yaml'));
+    ctx.process.exit(1);
 }
-export async function keysCommand(options) {
+export async function keysCommand(ctx, options) {
     const { root, subcommand, vault, force } = options;
     switch (subcommand) {
         case 'setup': {
-            const project = getProject(root);
-            console.log(pc.blue(`Setting up keys for ${pc.cyan(project)}...`));
+            const project = getProject(ctx, root);
+            ctx.logger.log(pc.blue(`Setting up keys for ${pc.cyan(project)}...`));
             if (keyExists(project)) {
-                console.log(pc.green('Key already exists locally.'));
+                ctx.logger.log(pc.green('Key already exists locally.'));
                 return;
             }
             if (opAvailable()) {
@@ -42,95 +40,95 @@ export async function keysCommand(options) {
                 if (priv) {
                     const pub = agePublicFromPrivate(priv);
                     keySave(project, { private: priv, public: pub });
-                    console.log(pc.green('Pulled key from 1Password.'));
+                    ctx.logger.log(pc.green('Pulled key from 1Password.'));
                     return;
                 }
             }
-            console.log(pc.yellow('No key found. Run "hush keys generate" to create one.'));
+            ctx.logger.log(pc.yellow('No key found. Run "hush keys generate" to create one.'));
             break;
         }
         case 'generate': {
             if (!ageAvailable()) {
-                console.error(pc.red('age not installed. Run: brew install age'));
-                process.exit(1);
+                ctx.logger.error(pc.red('age not installed. Run: brew install age'));
+                ctx.process.exit(1);
             }
-            const project = getProject(root);
+            const project = getProject(ctx, root);
             if (keyExists(project) && !force) {
-                console.error(pc.yellow(`Key exists for ${project}. Use --force to overwrite.`));
-                process.exit(1);
+                ctx.logger.error(pc.yellow(`Key exists for ${project}. Use --force to overwrite.`));
+                ctx.process.exit(1);
             }
-            console.log(pc.blue(`Generating key for ${pc.cyan(project)}...`));
+            ctx.logger.log(pc.blue(`Generating key for ${pc.cyan(project)}...`));
             const key = ageGenerate();
             keySave(project, key);
-            console.log(pc.green(`Saved to ${keyPath(project)}`));
-            console.log(pc.dim(`Public: ${key.public}`));
+            ctx.logger.log(pc.green(`Saved to ${keyPath(project)}`));
+            ctx.logger.log(pc.dim(`Public: ${key.public}`));
             if (opAvailable()) {
                 try {
                     opStoreKey(project, key.private, key.public, vault);
-                    console.log(pc.green('Stored in 1Password.'));
+                    ctx.logger.log(pc.green('Stored in 1Password.'));
                 }
                 catch (e) {
-                    console.warn(pc.yellow(`Could not store in 1Password: ${e.message}`));
+                    ctx.logger.warn(pc.yellow(`Could not store in 1Password: ${e.message}`));
                 }
             }
             const sopsPath = join(root, '.sops.yaml');
-            if (!existsSync(sopsPath)) {
-                writeFileSync(sopsPath, yamlStringify({ creation_rules: [{ encrypted_regex: '.*', age: key.public }] }));
-                console.log(pc.green('Created .sops.yaml'));
+            if (!ctx.fs.existsSync(sopsPath)) {
+                ctx.fs.writeFileSync(sopsPath, yamlStringify({ creation_rules: [{ encrypted_regex: '.*', age: key.public }] }));
+                ctx.logger.log(pc.green('Created .sops.yaml'));
             }
             else {
-                console.log(pc.yellow('.sops.yaml exists. Add this public key:'));
-                console.log(`  ${key.public}`);
+                ctx.logger.log(pc.yellow('.sops.yaml exists. Add this public key:'));
+                ctx.logger.log(`  ${key.public}`);
             }
             break;
         }
         case 'pull': {
             if (!opAvailable()) {
-                console.error(pc.red('1Password CLI not available or not signed in.'));
-                process.exit(1);
+                ctx.logger.error(pc.red('1Password CLI not available or not signed in.'));
+                ctx.process.exit(1);
             }
-            const project = getProject(root);
+            const project = getProject(ctx, root);
             const priv = opGetKey(project, vault);
             if (!priv) {
-                console.error(pc.red(`No key in 1Password for ${project}`));
-                process.exit(1);
+                ctx.logger.error(pc.red(`No key in 1Password for ${project}`));
+                ctx.process.exit(1);
             }
             const pub = agePublicFromPrivate(priv);
             keySave(project, { private: priv, public: pub });
-            console.log(pc.green(`Pulled and saved to ${keyPath(project)}`));
+            ctx.logger.log(pc.green(`Pulled and saved to ${keyPath(project)}`));
             break;
         }
         case 'push': {
             if (!opAvailable()) {
-                console.error(pc.red('1Password CLI not available or not signed in.'));
-                process.exit(1);
+                ctx.logger.error(pc.red('1Password CLI not available or not signed in.'));
+                ctx.process.exit(1);
             }
-            const project = getProject(root);
+            const project = getProject(ctx, root);
             const key = keyLoad(project);
             if (!key) {
-                console.error(pc.red(`No local key for ${project}`));
-                process.exit(1);
+                ctx.logger.error(pc.red(`No local key for ${project}`));
+                ctx.process.exit(1);
             }
             opStoreKey(project, key.private, key.public, vault);
-            console.log(pc.green('Pushed to 1Password.'));
+            ctx.logger.log(pc.green('Pushed to 1Password.'));
             break;
         }
         case 'list': {
-            console.log(pc.blue('Local keys:'));
+            ctx.logger.log(pc.blue('Local keys:'));
             for (const k of keysList()) {
-                console.log(`  ${pc.cyan(k.project)} ${pc.dim(k.public.slice(0, 20))}...`);
+                ctx.logger.log(`  ${pc.cyan(k.project)} ${pc.dim(k.public.slice(0, 20))}...`);
             }
             if (opAvailable()) {
-                console.log(pc.blue('\n1Password keys:'));
+                ctx.logger.log(pc.blue('\n1Password keys:'));
                 for (const project of opListKeys(vault)) {
-                    console.log(`  ${pc.cyan(project)}`);
+                    ctx.logger.log(`  ${pc.cyan(project)}`);
                 }
             }
             break;
         }
         default:
-            console.error(pc.red(`Unknown: hush keys ${subcommand}`));
-            console.log(pc.dim('Commands: setup, generate, pull, push, list'));
-            process.exit(1);
+            ctx.logger.error(pc.red(`Unknown: hush keys ${subcommand}`));
+            ctx.logger.log(pc.dim('Commands: setup, generate, pull, push, list'));
+            ctx.process.exit(1);
     }
 }

package/dist/commands/list.d.ts

@@ -1,3 +1,3 @@
-import type { ListOptions } from '../types.js';
-export declare function listCommand(options: ListOptions): Promise<void>;
+import type { ListOptions, HushContext } from '../types.js';
+export declare function listCommand(ctx: HushContext, options: ListOptions): Promise<void>;
 //# sourceMappingURL=list.d.ts.map

package/dist/commands/list.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"list.d.ts","sourceRoot":"","sources":["../../src/commands/list.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAU,WAAW,EAAE,MAAM,aAAa,CAAC;AAEvD,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAmCrE"}
+{"version":3,"file":"list.d.ts","sourceRoot":"","sources":["../../src/commands/list.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAU,WAAW,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEpE,wBAAsB,WAAW,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAmCvF"}

package/dist/commands/list.js

@@ -1,35 +1,32 @@
-import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
-import { loadConfig } from '../config/loader.js';
 import { interpolateVars } from '../core/interpolate.js';
 import { mergeVars } from '../core/merge.js';
 import { parseEnvContent } from '../core/parse.js';
-import { decrypt as sopsDecrypt } from '../core/sops.js';
-export async function listCommand(options) {
+export async function listCommand(ctx, options) {
     const { root, env } = options;
-    const config = loadConfig(root);
-    console.log(pc.blue(`Variables for ${env}:\n`));
+    const config = ctx.config.loadConfig(root);
+    ctx.logger.log(pc.blue(`Variables for ${env}:\n`));
     const sharedEncrypted = join(root, config.sources.shared + '.encrypted');
     const envEncrypted = join(root, config.sources[env] + '.encrypted');
     const varSources = [];
-    if (existsSync(sharedEncrypted)) {
-        const content = sopsDecrypt(sharedEncrypted);
+    if (ctx.fs.existsSync(sharedEncrypted)) {
+        const content = ctx.sops.decrypt(sharedEncrypted);
         varSources.push(parseEnvContent(content));
     }
-    if (existsSync(envEncrypted)) {
-        const content = sopsDecrypt(envEncrypted);
+    if (ctx.fs.existsSync(envEncrypted)) {
+        const content = ctx.sops.decrypt(envEncrypted);
         varSources.push(parseEnvContent(content));
     }
     if (varSources.length === 0) {
-        console.error(pc.red('No encrypted files found'));
-        process.exit(1);
+        ctx.logger.error(pc.red('No encrypted files found'));
+        ctx.process.exit(1);
     }
     const merged = mergeVars(...varSources);
     const interpolated = interpolateVars(merged);
     for (const { key, value } of interpolated) {
         const displayValue = value.length > 50 ? value.slice(0, 47) + '...' : value;
-        console.log(`${pc.cyan(key)}=${pc.dim(displayValue)}`);
+        ctx.logger.log(`${pc.cyan(key)}=${pc.dim(displayValue)}`);
     }
-    console.log(pc.dim(`\nTotal: ${interpolated.length} variables`));
+    ctx.logger.log(pc.dim(`\nTotal: ${interpolated.length} variables`));
 }

package/dist/commands/migrate.d.ts

@@ -0,0 +1,7 @@
+import { HushContext } from '../types.js';
+export interface MigrateOptions {
+    root: string;
+    dryRun: boolean;
+}
+export declare function migrateCommand(ctx: HushContext, options: MigrateOptions): Promise<void>;
+//# sourceMappingURL=migrate.d.ts.map

package/dist/commands/migrate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"migrate.d.ts","sourceRoot":"","sources":["../../src/commands/migrate.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE1C,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;CACjB;AA+DD,wBAAsB,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CA4E7F"}