@chriscode/hush 4.2.0 → 5.0.1

package/dist/commands/migrate.js

@@ -0,0 +1,117 @@
+import { join } from 'node:path';
+import pc from 'picocolors';
+import { parse as parseYaml, stringify as stringifyYaml } from 'yaml';
+const FILE_MIGRATIONS = [
+    { from: '.env.encrypted', to: '.hush.encrypted' },
+    { from: '.env.development.encrypted', to: '.hush.development.encrypted' },
+    { from: '.env.production.encrypted', to: '.hush.production.encrypted' },
+    { from: '.env.local.encrypted', to: '.hush.local.encrypted' },
+];
+const SOURCE_MIGRATIONS = {
+    '.env': '.hush',
+    '.env.development': '.hush.development',
+    '.env.production': '.hush.production',
+    '.env.local': '.hush.local',
+};
+function getMigrationFiles(ctx, root) {
+    return FILE_MIGRATIONS.map(({ from, to }) => ({
+        from,
+        to,
+        exists: ctx.fs.existsSync(join(root, from)),
+    }));
+}
+function migrateConfig(ctx, root, dryRun) {
+    const projectInfo = ctx.config.findProjectRoot(root);
+    if (!projectInfo)
+        return false;
+    const configPath = projectInfo.configPath;
+    const content = ctx.fs.readFileSync(configPath, 'utf-8');
+    const config = parseYaml(content);
+    let modified = false;
+    const sources = config.sources;
+    if (sources) {
+        for (const [oldValue, newValue] of Object.entries(SOURCE_MIGRATIONS)) {
+            for (const [key, value] of Object.entries(sources)) {
+                if (value === oldValue) {
+                    if (!dryRun) {
+                        sources[key] = newValue;
+                    }
+                    modified = true;
+                }
+            }
+        }
+    }
+    if (modified && !dryRun) {
+        const schemaComment = content.startsWith('#') ? content.split('\n')[0] + '\n' : '';
+        const newContent = schemaComment + stringifyYaml(config, { indent: 2 });
+        ctx.fs.writeFileSync(configPath, newContent, 'utf-8');
+    }
+    return modified;
+}
+export async function migrateCommand(ctx, options) {
+    const { root, dryRun } = options;
+    ctx.logger.log(pc.blue('Hush v4 → v5 Migration\n'));
+    if (dryRun) {
+        ctx.logger.log(pc.yellow('DRY RUN - no changes will be made\n'));
+    }
+    const migrations = getMigrationFiles(ctx, root);
+    const filesToMigrate = migrations.filter(m => m.exists);
+    if (filesToMigrate.length === 0) {
+        ctx.logger.log(pc.dim('No v4 encrypted files found (.env.encrypted, etc.)'));
+        ctx.logger.log(pc.dim('Already on v5 or no encrypted files exist.\n'));
+        const configNeedsMigration = migrateConfig(ctx, root, true);
+        if (configNeedsMigration) {
+            ctx.logger.log(pc.yellow('hush.yaml contains v4 source paths that need updating.\n'));
+            if (!dryRun) {
+                migrateConfig(ctx, root, false);
+                ctx.logger.log(pc.green('Updated hush.yaml source paths to v5 format.\n'));
+            }
+        }
+        return;
+    }
+    ctx.logger.log(pc.bold('Files to migrate:'));
+    for (const { from, to, exists } of migrations) {
+        if (exists) {
+            ctx.logger.log(`  ${pc.yellow(from)} → ${pc.green(to)}`);
+        }
+        else {
+            ctx.logger.log(pc.dim(`  ${from} (not found, skipping)`));
+        }
+    }
+    ctx.logger.log('');
+    if (dryRun) {
+        ctx.logger.log(pc.dim('Run without --dry-run to apply changes.'));
+        return;
+    }
+    let migratedCount = 0;
+    for (const { from, to, exists } of migrations) {
+        if (!exists)
+            continue;
+        const fromPath = join(root, from);
+        const toPath = join(root, to);
+        if (ctx.fs.existsSync(toPath)) {
+            ctx.logger.log(pc.yellow(`  Skipping ${from}: ${to} already exists`));
+            continue;
+        }
+        const content = ctx.fs.readFileSync(fromPath, 'utf-8');
+        ctx.fs.writeFileSync(toPath, content);
+        ctx.fs.unlinkSync(fromPath);
+        ctx.logger.log(pc.green(`  Migrated ${from} → ${to}`));
+        migratedCount++;
+    }
+    const configUpdated = migrateConfig(ctx, root, false);
+    if (configUpdated) {
+        ctx.logger.log(pc.green('  Updated hush.yaml source paths'));
+    }
+    ctx.logger.log('');
+    if (migratedCount > 0 || configUpdated) {
+        ctx.logger.log(pc.green(pc.bold(`Migration complete.`)));
+        ctx.logger.log(pc.dim('\nNext steps:'));
+        ctx.logger.log(pc.dim('  1. git add .hush.encrypted .hush.*.encrypted hush.yaml'));
+        ctx.logger.log(pc.dim('  2. git rm .env.encrypted .env.*.encrypted (if tracked)'));
+        ctx.logger.log(pc.dim('  3. git commit -m "chore: migrate to Hush v5 format"'));
+    }
+    else {
+        ctx.logger.log(pc.dim('No changes made.'));
+    }
+}

package/dist/commands/push.d.ts

@@ -1,3 +1,3 @@
-import type { PushOptions } from '../types.js';
-export declare function pushCommand(options: PushOptions): Promise<void>;
+import type { PushOptions, HushContext } from '../types.js';
+export declare function pushCommand(ctx: HushContext, options: PushOptions): Promise<void>;
 //# sourceMappingURL=push.d.ts.map

package/dist/commands/push.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"push.d.ts","sourceRoot":"","sources":["../../src/commands/push.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAU,WAAW,EAAqC,MAAM,aAAa,CAAC;AAgH1F,wBAAsB,WAAW,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA6GrE"}
+{"version":3,"file":"push.d.ts","sourceRoot":"","sources":["../../src/commands/push.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAU,WAAW,EAAqC,WAAW,EAAE,MAAM,aAAa,CAAC;AAiHvG,wBAAsB,WAAW,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CA6GvF"}

package/dist/commands/push.js

@@ -1,26 +1,22 @@
-import { execSync } from 'node:child_process';
-import { existsSync, writeFileSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
-import { loadConfig } from '../config/loader.js';
 import { filterVarsForTarget } from '../core/filter.js';
 import { interpolateVars } from '../core/interpolate.js';
 import { mergeVars } from '../core/merge.js';
 import { parseEnvContent } from '../core/parse.js';
-import { decrypt as sopsDecrypt } from '../core/sops.js';
 import { loadLocalTemplates, resolveTemplateVars } from '../core/template.js';
-function pushWorkerSecret(key, value, targetDir, dryRun, verbose) {
+function pushWorkerSecret(ctx, key, value, targetDir, dryRun, verbose) {
     if (dryRun) {
         if (verbose) {
-            console.log(pc.green(`    + ${key}`));
+            ctx.logger.log(pc.green(`    + ${key}`));
         }
         else {
-            console.log(pc.dim(`    [dry-run] ${key}`));
+            ctx.logger.log(pc.dim(`    [dry-run] ${key}`));
         }
         return true;
     }
     try {
-        execSync(`echo "${value}" | wrangler secret put ${key}`, {
+        ctx.exec.execSync(`echo "${value}" | wrangler secret put ${key}`, {
             cwd: targetDir,
             stdio: ['pipe', 'pipe', 'pipe'],
             shell: '/bin/bash',
@@ -29,18 +25,18 @@ function pushWorkerSecret(key, value, targetDir, dryRun, verbose) {
     }
     catch (error) {
         const err = error;
-        console.error(pc.red(`    Failed: ${key} - ${err.stderr || err.message}`));
+        ctx.logger.error(pc.red(`    Failed: ${key} - ${err.stderr || err.message}`));
         return false;
     }
 }
-function pushPagesSecrets(vars, projectName, targetDir, dryRun, verbose) {
+function pushPagesSecrets(ctx, vars, projectName, targetDir, dryRun, verbose) {
     if (dryRun) {
         for (const { key } of vars) {
             if (verbose) {
-                console.log(pc.green(`    + ${key}`));
+                ctx.logger.log(pc.green(`    + ${key}`));
             }
             else {
-                console.log(pc.dim(`    [dry-run] ${key}`));
+                ctx.logger.log(pc.dim(`    [dry-run] ${key}`));
             }
         }
         return { success: vars.length, failed: 0 };
@@ -51,26 +47,26 @@ function pushPagesSecrets(vars, projectName, targetDir, dryRun, verbose) {
     }
     const tempFile = join(targetDir, '.hush-secrets-temp.json');
     try {
-        writeFileSync(tempFile, JSON.stringify(secretsJson, null, 2));
-        execSync(`wrangler pages secret bulk "${tempFile}" --project-name "${projectName}"`, {
+        ctx.fs.writeFileSync(tempFile, JSON.stringify(secretsJson, null, 2));
+        ctx.exec.execSync(`wrangler pages secret bulk "${tempFile}" --project-name "${projectName}"`, {
             cwd: targetDir,
             stdio: ['pipe', 'pipe', 'pipe'],
             shell: '/bin/bash',
         });
         for (const { key } of vars) {
-            console.log(pc.green(`    ${key}`));
+            ctx.logger.log(pc.green(`    ${key}`));
         }
         return { success: vars.length, failed: 0 };
     }
     catch (error) {
         const err = error;
         const stderrStr = err.stderr instanceof Buffer ? err.stderr.toString() : (err.stderr || err.message || 'Unknown error');
-        console.error(pc.red(`    Failed to push secrets: ${stderrStr}`));
+        ctx.logger.error(pc.red(`    Failed to push secrets: ${stderrStr}`));
         return { success: 0, failed: vars.length };
     }
     finally {
-        if (existsSync(tempFile)) {
-            unlinkSync(tempFile);
+        if (ctx.fs.existsSync(tempFile)) {
+            ctx.fs.unlinkSync(tempFile);
         }
     }
 }
@@ -103,30 +99,30 @@ function getPagesProject(target) {
     }
     throw new Error(`Target "${target.name}" is not configured for Cloudflare Pages`);
 }
-export async function pushCommand(options) {
+export async function pushCommand(ctx, options) {
     const { root, dryRun, verbose, target: targetFilter } = options;
-    const config = loadConfig(root);
-    console.log(pc.blue('Pushing production secrets to Cloudflare...'));
+    const config = ctx.config.loadConfig(root);
+    ctx.logger.log(pc.blue('Pushing production secrets to Cloudflare...'));
     if (dryRun) {
-        console.log(pc.yellow('(dry-run mode)'));
+        ctx.logger.log(pc.yellow('(dry-run mode)'));
         if (verbose) {
-            console.log(pc.dim('(verbose output enabled)'));
+            ctx.logger.log(pc.dim('(verbose output enabled)'));
         }
     }
     const sharedEncrypted = join(root, config.sources.shared + '.encrypted');
     const prodEncrypted = join(root, config.sources.production + '.encrypted');
     const varSources = [];
-    if (existsSync(sharedEncrypted)) {
-        const content = sopsDecrypt(sharedEncrypted);
+    if (ctx.fs.existsSync(sharedEncrypted)) {
+        const content = ctx.sops.decrypt(sharedEncrypted);
         varSources.push(parseEnvContent(content));
     }
-    if (existsSync(prodEncrypted)) {
-        const content = sopsDecrypt(prodEncrypted);
+    if (ctx.fs.existsSync(prodEncrypted)) {
+        const content = ctx.sops.decrypt(prodEncrypted);
         varSources.push(parseEnvContent(content));
     }
     if (varSources.length === 0) {
-        console.error(pc.red('No encrypted files found'));
-        process.exit(1);
+        ctx.logger.error(pc.red('No encrypted files found'));
+        ctx.process.exit(1);
     }
     const merged = mergeVars(...varSources);
     const interpolated = interpolateVars(merged);
@@ -139,47 +135,47 @@ export async function pushCommand(options) {
         pushableTargets = getTargetsWithPush(config, targetFilter);
     }
     catch (error) {
-        console.error(pc.red(error.message));
-        process.exit(1);
+        ctx.logger.error(pc.red(error.message));
+        ctx.process.exit(1);
     }
     if (pushableTargets.length === 0) {
-        console.error(pc.red('No targets configured for push'));
-        console.error(pc.dim('Add format: wrangler or push_to: { type: cloudflare-pages, project: ... } to a target'));
-        process.exit(1);
+        ctx.logger.error(pc.red('No targets configured for push'));
+        ctx.logger.error(pc.dim('Add format: wrangler or push_to: { type: cloudflare-pages, project: ... } to a target'));
+        ctx.process.exit(1);
     }
     for (const target of pushableTargets) {
         const targetDir = join(root, target.path);
         const pushType = getPushType(target);
         let filtered = filterVarsForTarget(interpolated, target);
-        const localTemplate = loadLocalTemplates(targetDir, 'production');
+        const localTemplate = loadLocalTemplates(targetDir, 'production', ctx.fs);
         if (localTemplate.hasTemplate) {
-            const templateVars = resolveTemplateVars(localTemplate.vars, rootSecretsRecord, { processEnv: process.env });
+            const templateVars = resolveTemplateVars(localTemplate.vars, rootSecretsRecord, { processEnv: ctx.process.env });
             filtered = mergeVars(filtered, templateVars);
         }
         if (filtered.length === 0) {
-            console.log(pc.dim(`\n${target.name} - no matching vars, skipped`));
+            ctx.logger.log(pc.dim(`\n${target.name} - no matching vars, skipped`));
             continue;
         }
         const typeLabel = pushType === 'cloudflare-pages' ? 'Pages' : 'Workers';
         if (dryRun && verbose) {
-            console.log(pc.blue(`\n[DRY RUN] Would push to ${target.name} (${typeLabel}, ${target.path}/):`));
+            ctx.logger.log(pc.blue(`\n[DRY RUN] Would push to ${target.name} (${typeLabel}, ${target.path}/):`));
         }
         else {
-            console.log(pc.blue(`\n${target.name} (${typeLabel}, ${target.path}/)`));
+            ctx.logger.log(pc.blue(`\n${target.name} (${typeLabel}, ${target.path}/)`));
         }
         let success = 0;
         let failed = 0;
         if (pushType === 'cloudflare-pages') {
             const projectName = getPagesProject(target);
-            const result = pushPagesSecrets(filtered, projectName, targetDir, dryRun, verbose);
+            const result = pushPagesSecrets(ctx, filtered, projectName, targetDir, dryRun, verbose);
             success = result.success;
             failed = result.failed;
         }
         else {
             for (const { key, value } of filtered) {
-                if (pushWorkerSecret(key, value, targetDir, dryRun, verbose)) {
+                if (pushWorkerSecret(ctx, key, value, targetDir, dryRun, verbose)) {
                     if (!dryRun)
-                        console.log(pc.green(`    ${key}`));
+                        ctx.logger.log(pc.green(`    ${key}`));
                     success++;
                 }
                 else {
@@ -187,12 +183,12 @@ export async function pushCommand(options) {
                 }
             }
         }
-        console.log(pc.dim(`  ${success} pushed, ${failed} failed`));
+        ctx.logger.log(pc.dim(`  ${success} pushed, ${failed} failed`));
     }
     if (dryRun) {
-        console.log(pc.yellow('\n[dry-run] No secrets were pushed'));
+        ctx.logger.log(pc.yellow('\n[dry-run] No secrets were pushed'));
     }
     else {
-        console.log(pc.green('\nPush complete'));
+        ctx.logger.log(pc.green('\nPush complete'));
     }
 }

package/dist/commands/resolve.d.ts

@@ -1,8 +1,8 @@
-import type { Environment } from '../types.js';
+import type { Environment, HushContext } from '../types.js';
 export interface ResolveOptions {
     root: string;
     env: Environment;
     target: string;
 }
-export declare function resolveCommand(options: ResolveOptions): Promise<void>;
+export declare function resolveCommand(ctx: HushContext, options: ResolveOptions): Promise<void>;
 //# sourceMappingURL=resolve.d.ts.map

package/dist/commands/resolve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../src/commands/resolve.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAU,WAAW,EAAU,MAAM,aAAa,CAAC;AAG/D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AA6BD,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAmI3E"}
+{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../src/commands/resolve.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAU,WAAW,EAAU,WAAW,EAAE,MAAM,aAAa,CAAC;AAG5E,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC;CAChB;AA6BD,wBAAsB,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAmI7F"}

package/dist/commands/resolve.js

@@ -1,11 +1,8 @@
-import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
-import { loadConfig } from '../config/loader.js';
 import { interpolateVars } from '../core/interpolate.js';
 import { mergeVars } from '../core/merge.js';
 import { parseEnvContent } from '../core/parse.js';
-import { decrypt as sopsDecrypt } from '../core/sops.js';
 import { loadLocalTemplates } from '../core/template.js';
 import { FORMAT_OUTPUT_FILES } from '../types.js';
 function matchesPattern(key, pattern) {
@@ -26,14 +23,14 @@ function getOutputFilename(target, env) {
     }
     return FORMAT_OUTPUT_FILES[target.format][env];
 }
-export async function resolveCommand(options) {
+export async function resolveCommand(ctx, options) {
     const { root, env, target: targetName } = options;
-    const config = loadConfig(root);
+    const config = ctx.config.loadConfig(root);
     const target = config.targets.find(t => t.name === targetName);
     if (!target) {
-        console.error(pc.red(`Target not found: ${targetName}`));
-        console.error(pc.dim('Available targets: ' + config.targets.map(t => t.name).join(', ')));
-        process.exit(1);
+        ctx.logger.error(`Target not found: ${targetName}`);
+        ctx.logger.error(pc.dim('Available targets: ' + config.targets.map(t => t.name).join(', ')));
+        ctx.process.exit(1);
     }
     const sharedEncrypted = join(root, config.sources.shared + '.encrypted');
     const envEncrypted = join(root, config.sources[env] + '.encrypted');
@@ -41,9 +38,9 @@ export async function resolveCommand(options) {
     const varsBySource = new Map();
     const allVars = new Map();
     const loadSource = (path, sourceName) => {
-        if (!existsSync(path))
+        if (!ctx.fs.existsSync(path))
             return;
-        const content = sopsDecrypt(path);
+        const content = ctx.sops.decrypt(path);
         const vars = parseEnvContent(content);
         const sourceVars = [];
         for (const v of vars) {
@@ -57,8 +54,8 @@ export async function resolveCommand(options) {
     loadSource(envEncrypted, config.sources[env]);
     loadSource(localEncrypted, config.sources.local);
     if (allVars.size === 0) {
-        console.error(pc.red('No encrypted files found'));
-        process.exit(1);
+        ctx.logger.error('No encrypted files found');
+        ctx.process.exit(1);
     }
     const merged = mergeVars(...Array.from(varsBySource.values()).map(sources => sources.map(s => ({ key: s.key, value: s.value }))));
     const interpolated = interpolateVars(merged);
@@ -84,44 +81,44 @@ export async function resolveCommand(options) {
         included.push({ key: v.key, source });
     }
     const outputFile = getOutputFilename(target, env);
-    console.log(pc.bold(`\nTarget: ${pc.cyan(target.name)}`));
-    console.log(`Path: ${pc.dim(target.path + '/')}`);
-    console.log(`Format: ${pc.dim(target.format)} ${pc.dim(`(${outputFile})`)}`);
-    console.log(`Environment: ${pc.dim(env)}`);
-    console.log(pc.green(`\n✅ ROOT SECRETS (Matched Filters) (${included.length}):`));
+    ctx.logger.log(pc.bold(`\nTarget: ${pc.cyan(target.name)}`));
+    ctx.logger.log(`Path: ${pc.dim(target.path + '/')}`);
+    ctx.logger.log(`Format: ${pc.dim(target.format)} ${pc.dim(`(${outputFile})`)}`);
+    ctx.logger.log(`Environment: ${pc.dim(env)}`);
+    ctx.logger.log(pc.green(`\n✅ ROOT SECRETS (Matched Filters) (${included.length}):`));
     if (included.length === 0) {
-        console.log(pc.dim('  (none)'));
+        ctx.logger.log(pc.dim('  (none)'));
     }
     else {
         const maxKeyLen = Math.max(...included.map(v => v.key.length));
         for (const v of included) {
-            console.log(`  ${v.key.padEnd(maxKeyLen)}  ${pc.dim(`(source: ${v.source})`)}`);
+            ctx.logger.log(`  ${v.key.padEnd(maxKeyLen)}  ${pc.dim(`(source: ${v.source})`)}`);
         }
     }
-    console.log(pc.red(`\n🚫 EXCLUDED VARIABLES (${excluded.length}):`));
+    ctx.logger.log(pc.red(`\n🚫 EXCLUDED VARIABLES (${excluded.length}):`));
     if (excluded.length === 0) {
-        console.log(pc.dim('  (none)'));
+        ctx.logger.log(pc.dim('  (none)'));
     }
     else {
         const maxKeyLen = Math.max(...excluded.map(v => v.key.length));
         for (const v of excluded) {
-            console.log(`  ${v.key.padEnd(maxKeyLen)}  ${pc.dim(`(matches: ${v.pattern})`)}`);
+            ctx.logger.log(`  ${v.key.padEnd(maxKeyLen)}  ${pc.dim(`(matches: ${v.pattern})`)}`);
         }
     }
     const targetAbsPath = join(root, target.path);
-    const localTemplate = loadLocalTemplates(targetAbsPath, env);
+    const localTemplate = loadLocalTemplates(targetAbsPath, env, ctx.fs);
     if (localTemplate.hasTemplate) {
-        console.log(pc.blue(`\n📄 TEMPLATE EXPANSIONS (${pc.dim(join(target.path, '.env'))}):`));
+        ctx.logger.log(pc.blue(`\n📄 TEMPLATE EXPANSIONS (${pc.dim(join(target.path, '.hush'))}):`));
         const maxKeyLen = Math.max(...localTemplate.vars.map(v => v.key.length));
         for (const v of localTemplate.vars) {
-            console.log(`  ${v.key.padEnd(maxKeyLen)}  ${pc.dim(`← ${v.value}`)}`);
+            ctx.logger.log(`  ${v.key.padEnd(maxKeyLen)}  ${pc.dim(`← ${v.value}`)}`);
         }
         // Calculate final merged list for clarity
         const finalKeys = new Set([
             ...included.map(v => v.key),
             ...localTemplate.vars.map(v => v.key)
         ]);
-        console.log(pc.magenta(`\n📦 FINAL INJECTION (${finalKeys.size} total):`));
+        ctx.logger.log(pc.magenta(`\n📦 FINAL INJECTION (${finalKeys.size} total):`));
         const sortedKeys = Array.from(finalKeys).sort();
         for (const key of sortedKeys) {
             const isTemplate = localTemplate.vars.some(v => v.key === key);
@@ -133,8 +130,8 @@ export async function resolveCommand(options) {
                 sourceInfo = pc.dim('(template)');
             else if (isRoot)
                 sourceInfo = pc.dim('(root)');
-            console.log(`  ${key}  ${sourceInfo}`);
+            ctx.logger.log(`  ${key}  ${sourceInfo}`);
         }
     }
-    console.log('');
+    ctx.logger.log('');
 }

package/dist/commands/run.d.ts

@@ -1,3 +1,3 @@
-import type { RunOptions } from '../types.js';
-export declare function runCommand(options: RunOptions): Promise<void>;
+import type { RunOptions, HushContext } from '../types.js';
+export declare function runCommand(ctx: HushContext, options: RunOptions): Promise<void>;
 //# sourceMappingURL=run.d.ts.map

package/dist/commands/run.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,UAAU,EAAmC,MAAM,aAAa,CAAC;AAkD/E,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA8GnE"}
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/commands/run.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAmC,WAAW,EAAE,MAAM,aAAa,CAAC;AAkD5F,wBAAsB,UAAU,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA8GrF"}

package/dist/commands/run.js

@@ -1,32 +1,28 @@
-import { spawnSync } from 'node:child_process';
-import { existsSync } from 'node:fs';
 import { join, resolve } from 'node:path';
 import pc from 'picocolors';
-import { loadConfig, findProjectRoot } from '../config/loader.js';
 import { filterVarsForTarget } from '../core/filter.js';
 import { interpolateVars, getUnresolvedVars } from '../core/interpolate.js';
 import { mergeVars } from '../core/merge.js';
 import { parseEnvContent } from '../core/parse.js';
-import { decrypt as sopsDecrypt } from '../core/sops.js';
 import { loadLocalTemplates, resolveTemplateVars } from '../core/template.js';
 function getEncryptedPath(sourcePath) {
     return sourcePath + '.encrypted';
 }
-function getDecryptedSecrets(projectRoot, env, config) {
+function getDecryptedSecrets(ctx, projectRoot, env, config) {
     const sharedEncrypted = join(projectRoot, getEncryptedPath(config.sources.shared));
     const envEncrypted = join(projectRoot, getEncryptedPath(config.sources[env]));
     const localEncrypted = join(projectRoot, getEncryptedPath(config.sources.local));
     const varSources = [];
-    if (existsSync(sharedEncrypted)) {
-        const content = sopsDecrypt(sharedEncrypted);
+    if (ctx.fs.existsSync(sharedEncrypted)) {
+        const content = ctx.sops.decrypt(sharedEncrypted);
         varSources.push(parseEnvContent(content));
     }
-    if (existsSync(envEncrypted)) {
-        const content = sopsDecrypt(envEncrypted);
+    if (ctx.fs.existsSync(envEncrypted)) {
+        const content = ctx.sops.decrypt(envEncrypted);
         varSources.push(parseEnvContent(content));
     }
-    if (existsSync(localEncrypted)) {
-        const content = sopsDecrypt(localEncrypted);
+    if (ctx.fs.existsSync(localEncrypted)) {
+        const content = ctx.sops.decrypt(localEncrypted);
         varSources.push(parseEnvContent(content));
     }
     if (varSources.length === 0) {
@@ -46,31 +42,31 @@ function getRootSecretsAsRecord(vars) {
     }
     return record;
 }
-export async function runCommand(options) {
+export async function runCommand(ctx, options) {
     const { root, env, target, command } = options;
     if (!command || command.length === 0) {
-        console.error(pc.red('Usage: hush run -- <command>'));
-        console.error(pc.dim('Example: hush run -- npm start'));
-        console.error(pc.dim('         hush run -e production -- npm run build'));
-        console.error(pc.dim('         hush run --target api -- wrangler dev'));
-        process.exit(1);
+        ctx.logger.error('Usage: hush run -- <command>');
+        ctx.logger.error(pc.dim('Example: hush run -- npm start'));
+        ctx.logger.error(pc.dim('         hush run -e production -- npm run build'));
+        ctx.logger.error(pc.dim('         hush run --target api -- wrangler dev'));
+        ctx.process.exit(1);
     }
     const contextDir = root;
-    const projectInfo = findProjectRoot(contextDir);
+    const projectInfo = ctx.config.findProjectRoot(contextDir);
     if (!projectInfo) {
-        console.error(pc.red('No hush.yaml found in current directory or any parent directory.'));
-        console.error(pc.dim('Run: npx hush init'));
-        process.exit(1);
+        ctx.logger.error('No hush.yaml found in current directory or any parent directory.');
+        ctx.logger.error(pc.dim('Run: npx hush init'));
+        ctx.process.exit(1);
     }
     const { projectRoot } = projectInfo;
-    const config = loadConfig(projectRoot);
-    const rootSecrets = getDecryptedSecrets(projectRoot, env, config);
+    const config = ctx.config.loadConfig(projectRoot);
+    const rootSecrets = getDecryptedSecrets(ctx, projectRoot, env, config);
     const rootSecretsRecord = getRootSecretsAsRecord(rootSecrets);
-    const localTemplate = loadLocalTemplates(contextDir, env);
+    const localTemplate = loadLocalTemplates(contextDir, env, ctx.fs);
     // 1. Resolve Template Vars
     let templateVars = [];
     if (localTemplate.hasTemplate) {
-        templateVars = resolveTemplateVars(localTemplate.vars, rootSecretsRecord, { processEnv: process.env });
+        templateVars = resolveTemplateVars(localTemplate.vars, rootSecretsRecord, { processEnv: ctx.process.env });
     }
     // 2. Resolve Target Vars
     let targetVars = [];
@@ -79,9 +75,9 @@ export async function runCommand(options) {
         ? config.targets.find(t => t.name === target)
         : config.targets.find(t => resolve(projectRoot, t.path) === resolve(contextDir));
     if (target && !targetConfig) {
-        console.error(pc.red(`Target "${target}" not found in hush.yaml`));
-        console.error(pc.dim(`Available targets: ${config.targets.map(t => t.name).join(', ')}`));
-        process.exit(1);
+        ctx.logger.error(`Target "${target}" not found in hush.yaml`);
+        ctx.logger.error(pc.dim(`Available targets: ${config.targets.map(t => t.name).join(', ')}`));
+        ctx.process.exit(1);
     }
     if (targetConfig) {
         targetVars = filterVarsForTarget(rootSecrets, targetConfig);
@@ -89,11 +85,11 @@ export async function runCommand(options) {
             targetVars.push({ key: 'CLOUDFLARE_INCLUDE_PROCESS_ENV', value: 'true' });
             const devVarsPath = join(targetConfig.path, '.dev.vars');
             const absDevVarsPath = join(projectRoot, devVarsPath);
-            if (existsSync(absDevVarsPath)) {
-                console.warn(pc.yellow('\n⚠️  Wrangler Conflict Detected'));
-                console.warn(pc.yellow(`   Found .dev.vars in ${targetConfig.path}`));
-                console.warn(pc.yellow('   Wrangler will IGNORE Hush secrets while this file exists.'));
-                console.warn(pc.bold(`   Fix: rm ${devVarsPath}\n`));
+            if (ctx.fs.existsSync(absDevVarsPath)) {
+                ctx.logger.warn('\n⚠️  Wrangler Conflict Detected');
+                ctx.logger.warn(`   Found .dev.vars in ${targetConfig.path}`);
+                ctx.logger.warn('   Wrangler will IGNORE Hush secrets while this file exists.');
+                ctx.logger.warn(pc.bold(`   Fix: rm ${devVarsPath}\n`));
             }
         }
     }
@@ -115,22 +111,22 @@ export async function runCommand(options) {
     }
     const unresolved = getUnresolvedVars(vars);
     if (unresolved.length > 0) {
-        console.warn(pc.yellow(`Warning: ${unresolved.length} vars have unresolved references: ${unresolved.join(', ')}`));
+        ctx.logger.warn(`Warning: ${unresolved.length} vars have unresolved references: ${unresolved.join(', ')}`);
     }
     const childEnv = {
-        ...process.env,
+        ...ctx.process.env,
         ...Object.fromEntries(vars.map(v => [v.key, v.value])),
     };
     const [cmd, ...args] = command;
-    const result = spawnSync(cmd, args, {
+    const result = ctx.exec.spawnSync(cmd, args, {
         stdio: 'inherit',
         env: childEnv,
         shell: true,
         cwd: contextDir,
     });
     if (result.error) {
-        console.error(pc.red(`Failed to execute: ${result.error.message}`));
-        process.exit(1);
+        ctx.logger.error(`Failed to execute: ${result.error.message}`);
+        ctx.process.exit(1);
     }
-    process.exit(result.status ?? 1);
+    ctx.process.exit(result.status ?? 1);
 }

package/dist/commands/set.d.ts

@@ -1,3 +1,3 @@
-import type { SetOptions } from '../types.js';
-export declare function setCommand(options: SetOptions): Promise<void>;
+import type { HushContext, SetOptions } from '../types.js';
+export declare function setCommand(ctx: HushContext, options: SetOptions): Promise<void>;
 //# sourceMappingURL=set.d.ts.map

package/dist/commands/set.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"set.d.ts","sourceRoot":"","sources":["../../src/commands/set.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AA2M9C,wBAAsB,UAAU,CAAC,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CnE"}
+{"version":3,"file":"set.d.ts","sourceRoot":"","sources":["../../src/commands/set.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAoM3D,wBAAsB,UAAU,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CrF"}