@chriscode/hush 4.2.0 → 5.0.1

package/dist/commands/status.d.ts

@@ -1,3 +1,3 @@
-import type { StatusOptions } from '../types.js';
-export declare function statusCommand(options: StatusOptions): Promise<void>;
+import type { HushContext, StatusOptions } from '../types.js';
+export declare function statusCommand(ctx: HushContext, options: StatusOptions): Promise<void>;
 //# sourceMappingURL=status.d.ts.map

package/dist/commands/status.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../src/commands/status.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAwCjD,wBAAsB,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAmHzE"}
+{"version":3,"file":"status.d.ts","sourceRoot":"","sources":["../../src/commands/status.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAyC9D,wBAAsB,aAAa,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAoH3F"}

package/dist/commands/status.js

@@ -1,31 +1,27 @@
-import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
-import { findConfigPath, loadConfig } from '../config/loader.js';
 import { describeFilter } from '../core/filter.js';
-import { isAgeKeyConfigured, isSopsInstalled } from '../core/sops.js';
-import { keyExists } from '../lib/age.js';
-import { opInstalled } from '../lib/onepassword.js';
 import { FORMAT_OUTPUT_FILES } from '../types.js';
-function findRootPlaintextEnvFiles(root) {
+function findRootPlaintextEnvFiles(ctx, root) {
     const results = [];
+    // Only warn about .env files (legacy/output), not .hush files (Hush's source files)
     const plaintextPatterns = ['.env', '.env.development', '.env.production', '.env.local', '.env.staging', '.env.test', '.dev.vars'];
     for (const pattern of plaintextPatterns) {
         const filePath = join(root, pattern);
-        if (existsSync(filePath)) {
+        if (ctx.fs.existsSync(filePath)) {
             results.push(pattern);
         }
     }
     return results;
 }
-function getProjectFromConfig(root) {
-    const config = loadConfig(root);
+function getProjectFromConfig(ctx, root) {
+    const config = ctx.config.loadConfig(root);
     if (config.project)
         return config.project;
     const pkgPath = join(root, 'package.json');
-    if (existsSync(pkgPath)) {
+    if (ctx.fs.existsSync(pkgPath)) {
         try {
-            const pkg = JSON.parse(require('fs').readFileSync(pkgPath, 'utf-8'));
+            const pkg = JSON.parse(ctx.fs.readFileSync(pkgPath, 'utf-8'));
             if (typeof pkg.repository === 'string') {
                 const match = pkg.repository.match(/github\.com[/:]([\w-]+\/[\w-]+)/);
                 if (match)
@@ -43,68 +39,69 @@ function getProjectFromConfig(root) {
     }
     return null;
 }
-export async function statusCommand(options) {
+export async function statusCommand(ctx, options) {
     const { root } = options;
-    const config = loadConfig(root);
-    const configPath = findConfigPath(root);
-    console.log(pc.blue('Hush Status\n'));
-    const plaintextFiles = findRootPlaintextEnvFiles(root);
+    const config = ctx.config.loadConfig(root);
+    const projectRootResult = ctx.config.findProjectRoot(root);
+    const configPath = projectRootResult ? projectRootResult.configPath : null;
+    ctx.logger.log(pc.blue('Hush Status\n'));
+    const plaintextFiles = findRootPlaintextEnvFiles(ctx, root);
     if (plaintextFiles.length > 0) {
-        console.log(pc.bgRed(pc.white(pc.bold(' SECURITY WARNING '))));
-        console.log(pc.red(pc.bold('\nUnencrypted .env files detected at project root!\n')));
+        ctx.logger.log(pc.bgRed(pc.white(pc.bold(' SECURITY WARNING '))));
+        ctx.logger.log(pc.red(pc.bold('\nUnencrypted .env files detected at project root!\n')));
         for (const file of plaintextFiles) {
-            console.log(pc.red(`  ${file}`));
+            ctx.logger.log(pc.red(`  ${file}`));
         }
-        console.log('');
-        console.log(pc.yellow('These files may expose secrets to AI assistants and version control.'));
-        console.log(pc.bold('\nTo fix:'));
-        console.log(pc.dim('  1. Run: npx hush encrypt'));
-        console.log(pc.dim('  2. The plaintext files will be automatically deleted after encryption'));
-        console.log(pc.dim('  3. Add to .gitignore: .env, .env.*, .dev.vars\n'));
+        ctx.logger.log('');
+        ctx.logger.log(pc.yellow('These files may expose secrets to AI assistants and version control.'));
+        ctx.logger.log(pc.bold('\nTo fix:'));
+        ctx.logger.log(pc.dim('  1. Run: npx hush migrate (if upgrading from v4)'));
+        ctx.logger.log(pc.dim('  2. Delete or gitignore these .env files'));
+        ctx.logger.log(pc.dim('  3. Add to .gitignore: .env, .env.*, .dev.vars\n'));
     }
-    console.log(pc.bold('Config:'));
+    ctx.logger.log(pc.bold('Config:'));
     if (configPath) {
-        console.log(pc.green(`  ${configPath.replace(root + '/', '')}`));
+        ctx.logger.log(pc.green(`  ${configPath.replace(root + '/', '')}`));
     }
     else {
-        console.log(pc.dim('  No hush.yaml found (using defaults)'));
+        ctx.logger.log(pc.dim('  No hush.yaml found (using defaults)'));
     }
-    const project = getProjectFromConfig(root);
+    const project = getProjectFromConfig(ctx, root);
     if (configPath) {
         if (project) {
-            console.log(pc.green(`  Project: ${project}`));
+            ctx.logger.log(pc.green(`  Project: ${project}`));
         }
         else {
-            console.log(pc.yellow('  Project: not set'));
-            console.log(pc.dim('    Add "project: my-org/my-repo" to hush.yaml for key management'));
+            ctx.logger.log(pc.yellow('  Project: not set'));
+            ctx.logger.log(pc.dim('    Add "project: my-org/my-repo" to hush.yaml for key management'));
         }
     }
-    console.log(pc.bold('\nPrerequisites:'));
-    console.log(isSopsInstalled()
+    ctx.logger.log(pc.bold('\nPrerequisites:'));
+    ctx.logger.log(ctx.sops.isSopsInstalled()
         ? pc.green('  SOPS installed')
         : pc.red('  SOPS not installed (brew install sops)'));
-    console.log(isAgeKeyConfigured()
+    ctx.logger.log(ctx.age.ageAvailable()
         ? pc.green('  age key configured')
         : pc.yellow('  age key not found at ~/.config/sops/age/key.txt'));
     if (project) {
-        const hasLocalKey = keyExists(project);
-        console.log(pc.bold('\nKey Status:'));
-        console.log(hasLocalKey
+        const hasLocalKey = ctx.age.keyExists(project);
+        ctx.logger.log(pc.bold('\nKey Status:'));
+        ctx.logger.log(hasLocalKey
             ? pc.green(`  Local key: ~/.config/sops/age/keys/${project.replace(/\//g, '-')}.txt`)
             : pc.yellow('  Local key: not found'));
-        if (opInstalled()) {
-            console.log(pc.dim('  1Password CLI: installed'));
-            console.log(pc.dim('    Run "npx hush keys list" to check backup status'));
+        if (ctx.onepassword.opAvailable()) {
+            ctx.logger.log(pc.dim('  1Password CLI: installed'));
+            ctx.logger.log(pc.dim('    Run "npx hush keys list" to check backup status'));
         }
         else {
-            console.log(pc.dim('  1Password CLI: not installed'));
+            ctx.logger.log(pc.dim('  1Password CLI: not installed'));
         }
         if (!hasLocalKey) {
-            console.log(pc.bold('\n  To set up keys:'));
-            console.log(pc.dim('    npx hush keys setup   # Pull from 1Password or generate'));
+            ctx.logger.log(pc.bold('\n  To set up keys:'));
+            ctx.logger.log(pc.dim('    npx hush keys setup   # Pull from 1Password or generate'));
         }
     }
-    console.log(pc.bold('\nSource Files:'));
+    ctx.logger.log(pc.bold('\nSource Files:'));
     const sources = [
         { key: 'shared', path: config.sources.shared },
         { key: 'development', path: config.sources.development },
@@ -112,25 +109,25 @@ export async function statusCommand(options) {
     ];
     for (const { key, path } of sources) {
         const encryptedPath = join(root, path + '.encrypted');
-        const exists = existsSync(encryptedPath);
+        const exists = ctx.fs.existsSync(encryptedPath);
         const label = `${path}.encrypted`;
-        console.log(exists
+        ctx.logger.log(exists
             ? pc.green(`  ${label}`)
             : pc.dim(`  ${label} (not found)`));
     }
-    const localPath = join(root, '.env.local');
-    console.log(existsSync(localPath)
-        ? pc.green('  .env.local (overrides)')
-        : pc.dim('  .env.local (optional, not found)'));
-    console.log(pc.bold('\nTargets:'));
+    const localEncryptedPath = join(root, config.sources.local + '.encrypted');
+    ctx.logger.log(ctx.fs.existsSync(localEncryptedPath)
+        ? pc.green(`  ${config.sources.local}.encrypted (overrides)`)
+        : pc.dim(`  ${config.sources.local}.encrypted (optional, not found)`));
+    ctx.logger.log(pc.bold('\nTargets:'));
     for (const target of config.targets) {
         const filter = describeFilter(target);
         const devOutput = FORMAT_OUTPUT_FILES[target.format].development;
-        console.log(`  ${pc.cyan(target.name)} ${pc.dim(target.path + '/')} ` +
+        ctx.logger.log(`  ${pc.cyan(target.name)} ${pc.dim(target.path + '/')} ` +
             `${pc.magenta(target.format)} -> ${devOutput}`);
         if (filter !== 'all vars') {
-            console.log(pc.dim(`    ${filter}`));
+            ctx.logger.log(pc.dim(`    ${filter}`));
         }
     }
-    console.log('');
+    ctx.logger.log('');
 }

package/dist/commands/template.d.ts

@@ -1,7 +1,7 @@
-import type { Environment } from '../types.js';
+import type { Environment, HushContext } from '../types.js';
 export interface TemplateOptions {
     root: string;
     env: Environment;
 }
-export declare function templateCommand(options: TemplateOptions): Promise<void>;
+export declare function templateCommand(ctx: HushContext, options: TemplateOptions): Promise<void>;
 //# sourceMappingURL=template.d.ts.map

package/dist/commands/template.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"template.d.ts","sourceRoot":"","sources":["../../src/commands/template.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAAE,WAAW,EAAsB,MAAM,aAAa,CAAC;AAEnE,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;CAClB;AA4CD,wBAAsB,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAuF7E"}
+{"version":3,"file":"template.d.ts","sourceRoot":"","sources":["../../src/commands/template.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAsB,WAAW,EAAE,MAAM,aAAa,CAAC;AAEhF,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;CAClB;AA4CD,wBAAsB,eAAe,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CAuF/F"}

package/dist/commands/template.js

@@ -1,31 +1,28 @@
-import { existsSync } from 'node:fs';
 import { join, relative } from 'node:path';
 import pc from 'picocolors';
-import { loadConfig, findProjectRoot } from '../config/loader.js';
 import { interpolateVars } from '../core/interpolate.js';
 import { mergeVars } from '../core/merge.js';
 import { parseEnvContent } from '../core/parse.js';
-import { decrypt as sopsDecrypt } from '../core/sops.js';
 import { maskValue } from '../core/mask.js';
 import { loadLocalTemplates, resolveTemplateVars } from '../core/template.js';
 function getEncryptedPath(sourcePath) {
     return sourcePath + '.encrypted';
 }
-function getDecryptedSecrets(projectRoot, env, config) {
+function getDecryptedSecrets(ctx, projectRoot, env, config) {
     const sharedEncrypted = join(projectRoot, getEncryptedPath(config.sources.shared));
     const envEncrypted = join(projectRoot, getEncryptedPath(config.sources[env]));
     const localEncrypted = join(projectRoot, getEncryptedPath(config.sources.local));
     const varSources = [];
-    if (existsSync(sharedEncrypted)) {
-        const content = sopsDecrypt(sharedEncrypted);
+    if (ctx.fs.existsSync(sharedEncrypted)) {
+        const content = ctx.sops.decrypt(sharedEncrypted);
         varSources.push(parseEnvContent(content));
     }
-    if (existsSync(envEncrypted)) {
-        const content = sopsDecrypt(envEncrypted);
+    if (ctx.fs.existsSync(envEncrypted)) {
+        const content = ctx.sops.decrypt(envEncrypted);
         varSources.push(parseEnvContent(content));
     }
-    if (existsSync(localEncrypted)) {
-        const content = sopsDecrypt(localEncrypted);
+    if (ctx.fs.existsSync(localEncrypted)) {
+        const content = ctx.sops.decrypt(localEncrypted);
         varSources.push(parseEnvContent(content));
     }
     if (varSources.length === 0) {
@@ -41,42 +38,42 @@ function getRootSecretsAsRecord(vars) {
     }
     return record;
 }
-export async function templateCommand(options) {
+export async function templateCommand(ctx, options) {
     const { root, env } = options;
     const contextDir = root;
-    const projectInfo = findProjectRoot(contextDir);
+    const projectInfo = ctx.config.findProjectRoot(contextDir);
     if (!projectInfo) {
-        console.error(pc.red('No hush.yaml found in current directory or any parent directory.'));
-        console.error(pc.dim('Run: npx hush init'));
-        process.exit(1);
+        ctx.logger.error('No hush.yaml found in current directory or any parent directory.');
+        ctx.logger.error(pc.dim('Run: npx hush init'));
+        ctx.process.exit(1);
     }
     const { projectRoot } = projectInfo;
-    const config = loadConfig(projectRoot);
-    const localTemplate = loadLocalTemplates(contextDir, env);
+    const config = ctx.config.loadConfig(projectRoot);
+    const localTemplate = loadLocalTemplates(contextDir, env, ctx.fs);
     if (!localTemplate.hasTemplate) {
-        console.log(pc.yellow('No local template found in current directory.'));
-        console.log(pc.dim(`Looked for: .env, .env.${env}, .env.local`));
-        console.log('');
-        console.log(pc.dim('Without a local template, hush run will inject all root secrets.'));
-        console.log(pc.dim('Create a .env file to define which variables this directory needs.'));
+        ctx.logger.log(pc.yellow('No local template found in current directory.'));
+        ctx.logger.log(pc.dim(`Looked for: .hush, .hush.${env}, .hush.local`));
+        ctx.logger.log('');
+        ctx.logger.log(pc.dim('Without a local template, hush run will inject all root secrets.'));
+        ctx.logger.log(pc.dim('Create a .hush file to define which variables this directory needs.'));
         return;
     }
-    const rootSecrets = getDecryptedSecrets(projectRoot, env, config);
+    const rootSecrets = getDecryptedSecrets(ctx, projectRoot, env, config);
     const rootSecretsRecord = getRootSecretsAsRecord(rootSecrets);
-    const resolvedVars = resolveTemplateVars(localTemplate.vars, rootSecretsRecord, { processEnv: process.env });
+    const resolvedVars = resolveTemplateVars(localTemplate.vars, rootSecretsRecord, { processEnv: ctx.process.env });
     const relPath = relative(projectRoot, contextDir) || '.';
-    console.log('');
-    console.log(pc.bold(`Template: ${relPath}/`));
-    console.log(pc.dim(`Project root: ${projectRoot}`));
-    console.log(pc.dim(`Environment: ${env}`));
-    console.log(pc.dim(`Files: ${localTemplate.files.join(', ')}`));
-    console.log('');
+    ctx.logger.log('');
+    ctx.logger.log(pc.bold(`Template: ${relPath}/`));
+    ctx.logger.log(pc.dim(`Project root: ${projectRoot}`));
+    ctx.logger.log(pc.dim(`Environment: ${env}`));
+    ctx.logger.log(pc.dim(`Files: ${localTemplate.files.join(', ')}`));
+    ctx.logger.log('');
     const templateVarKeys = new Set(localTemplate.vars.map(v => v.key));
     const rootSecretKeys = new Set(Object.keys(rootSecretsRecord));
     let fromRoot = 0;
     let fromLocal = 0;
-    console.log(pc.bold('Variables:'));
-    console.log('');
+    ctx.logger.log(pc.bold('Variables:'));
+    ctx.logger.log('');
     const maxKeyLen = Math.max(...resolvedVars.map(v => v.key.length), 20);
     for (const resolved of resolvedVars) {
         const original = localTemplate.vars.find(v => v.key === resolved.key);
@@ -89,23 +86,23 @@ export async function templateCommand(options) {
             const refName = refMatch ? refMatch[1] : '';
             const isEnvRef = refName.startsWith('env:');
             if (isEnvRef) {
-                console.log(`  ${pc.cyan(keyPadded)} = ${pc.dim(originalValue)} ${pc.dim('→')} ${masked}`);
+                ctx.logger.log(`  ${pc.cyan(keyPadded)} = ${pc.dim(originalValue)} ${pc.dim('→')} ${masked}`);
                 fromLocal++;
             }
             else if (rootSecretKeys.has(refName)) {
-                console.log(`  ${pc.green(keyPadded)} = ${pc.dim(originalValue)} ${pc.dim('→')} ${masked}`);
+                ctx.logger.log(`  ${pc.green(keyPadded)} = ${pc.dim(originalValue)} ${pc.dim('→')} ${masked}`);
                 fromRoot++;
             }
             else {
-                console.log(`  ${pc.yellow(keyPadded)} = ${pc.dim(originalValue)} ${pc.dim('→')} ${pc.yellow('(unresolved)')}`);
+                ctx.logger.log(`  ${pc.yellow(keyPadded)} = ${pc.dim(originalValue)} ${pc.dim('→')} ${pc.yellow('(unresolved)')}`);
             }
         }
         else {
-            console.log(`  ${pc.white(keyPadded)} = ${masked} ${pc.dim('(literal)')}`);
+            ctx.logger.log(`  ${pc.white(keyPadded)} = ${masked} ${pc.dim('(literal)')}`);
             fromLocal++;
         }
     }
-    console.log('');
-    console.log(pc.dim(`Total: ${resolvedVars.length} variables (${fromRoot} from root, ${fromLocal} local/literal)`));
-    console.log('');
+    ctx.logger.log('');
+    ctx.logger.log(pc.dim(`Total: ${resolvedVars.length} variables (${fromRoot} from root, ${fromLocal} local/literal)`));
+    ctx.logger.log('');
 }

package/dist/commands/trace.d.ts

@@ -1,8 +1,8 @@
-import type { Environment } from '../types.js';
+import type { Environment, HushContext } from '../types.js';
 export interface TraceOptions {
     root: string;
     env: Environment;
     key: string;
 }
-export declare function traceCommand(options: TraceOptions): Promise<void>;
+export declare function traceCommand(ctx: HushContext, options: TraceOptions): Promise<void>;
 //# sourceMappingURL=trace.d.ts.map

package/dist/commands/trace.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"trace.d.ts","sourceRoot":"","sources":["../../src/commands/trace.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,WAAW,EAAU,MAAM,aAAa,CAAC;AAEvD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;CACb;AAuCD,wBAAsB,YAAY,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA8DvE"}
+{"version":3,"file":"trace.d.ts","sourceRoot":"","sources":["../../src/commands/trace.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAU,WAAW,EAAE,MAAM,aAAa,CAAC;AAEpE,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,WAAW,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;CACb;AAuCD,wBAAsB,YAAY,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA8DzF"}

package/dist/commands/trace.js

@@ -1,9 +1,6 @@
-import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import pc from 'picocolors';
-import { loadConfig } from '../config/loader.js';
 import { parseEnvContent } from '../core/parse.js';
-import { decrypt as sopsDecrypt } from '../core/sops.js';
 function matchesPattern(key, pattern) {
     const regex = new RegExp('^' + pattern.replace(/\*/g, '.*') + '$');
     return regex.test(key);
@@ -31,11 +28,11 @@ function getTargetDisposition(key, target) {
     }
     return { status: 'included' };
 }
-export async function traceCommand(options) {
+export async function traceCommand(ctx, options) {
     const { root, env, key } = options;
-    const config = loadConfig(root);
-    console.log(pc.bold(`\nTracing variable: ${pc.cyan(key)}\n`));
-    console.log(pc.blue('Source Status:'));
+    const config = ctx.config.loadConfig(root);
+    ctx.logger.log(pc.bold(`\nTracing variable: ${pc.cyan(key)}\n`));
+    ctx.logger.log(pc.blue('Source Status:'));
     const sources = [
         { name: config.sources.shared, path: join(root, config.sources.shared + '.encrypted'), found: false },
         { name: config.sources.development, path: join(root, config.sources.development + '.encrypted'), found: false },
@@ -44,44 +41,44 @@ export async function traceCommand(options) {
     ];
     const maxSourceLen = Math.max(...sources.map(s => s.name.length));
     for (const source of sources) {
-        if (!existsSync(source.path)) {
-            console.log(`  ${source.name.padEnd(maxSourceLen)} : ${pc.dim('(file not found)')}`);
+        if (!ctx.fs.existsSync(source.path)) {
+            ctx.logger.log(`  ${source.name.padEnd(maxSourceLen)} : ${pc.dim('(file not found)')}`);
             continue;
         }
         try {
-            const content = sopsDecrypt(source.path);
+            const content = ctx.sops.decrypt(source.path);
             const vars = parseEnvContent(content);
             const found = vars.some(v => v.key === key);
             source.found = found;
             if (found) {
-                console.log(`  ${source.name.padEnd(maxSourceLen)} : ${pc.green('✅ Present')}`);
+                ctx.logger.log(`  ${source.name.padEnd(maxSourceLen)} : ${pc.green('✅ Present')}`);
             }
             else {
-                console.log(`  ${source.name.padEnd(maxSourceLen)} : ${pc.dim('❌ Not found')}`);
+                ctx.logger.log(`  ${source.name.padEnd(maxSourceLen)} : ${pc.dim('❌ Not found')}`);
             }
         }
         catch {
-            console.log(`  ${source.name.padEnd(maxSourceLen)} : ${pc.red('⚠️  Decrypt failed')}`);
+            ctx.logger.log(`  ${source.name.padEnd(maxSourceLen)} : ${pc.red('⚠️  Decrypt failed')}`);
         }
     }
     const foundInAnySource = sources.some(s => s.found);
-    console.log(pc.blue(`\nTarget Disposition (Environment: ${env}):`));
+    ctx.logger.log(pc.blue(`\nTarget Disposition (Environment: ${env}):`));
     const maxTargetLen = Math.max(...config.targets.map(t => t.name.length));
     for (const target of config.targets) {
         const disposition = getTargetDisposition(key, target);
         const targetLabel = `[${target.name}]`.padEnd(maxTargetLen + 2);
         if (!foundInAnySource) {
-            console.log(`  ${targetLabel} : ${pc.yellow('⚠️  Variable not in any source')}`);
+            ctx.logger.log(`  ${targetLabel} : ${pc.yellow('⚠️  Variable not in any source')}`);
         }
         else if (disposition.status === 'included') {
-            console.log(`  ${targetLabel} : ${pc.green('✅ Included')}`);
+            ctx.logger.log(`  ${targetLabel} : ${pc.green('✅ Included')}`);
         }
         else if (disposition.status === 'excluded') {
-            console.log(`  ${targetLabel} : ${pc.red(`🚫 Excluded`)} ${pc.dim(`(${disposition.reason})`)}`);
+            ctx.logger.log(`  ${targetLabel} : ${pc.red(`🚫 Excluded`)} ${pc.dim(`(${disposition.reason})`)}`);
         }
         else {
-            console.log(`  ${targetLabel} : ${pc.red(`🚫 Not included`)} ${pc.dim(`(${disposition.reason})`)}`);
+            ctx.logger.log(`  ${targetLabel} : ${pc.red(`🚫 Not included`)} ${pc.dim(`(${disposition.reason})`)}`);
         }
     }
-    console.log('');
+    ctx.logger.log('');
 }

package/dist/config/loader.js

@@ -1,4 +1,4 @@
-import { existsSync, readFileSync } from 'node:fs';
+import { fs } from '../lib/fs.js';
 import { join, dirname, resolve } from 'node:path';
 import { parse as parseYaml } from 'yaml';
 import { DEFAULT_SOURCES, CURRENT_SCHEMA_VERSION } from '../types.js';
@@ -6,7 +6,7 @@ const CONFIG_FILENAMES = ['hush.yaml', 'hush.yml'];
 export function findConfigPath(root) {
     for (const filename of CONFIG_FILENAMES) {
         const configPath = join(root, filename);
-        if (existsSync(configPath)) {
+        if (fs.existsSync(configPath)) {
             return configPath;
         }
     }
@@ -34,7 +34,7 @@ export function loadConfig(root) {
             targets: [{ name: 'root', path: '.', format: 'dotenv' }],
         };
     }
-    const content = readFileSync(configPath, 'utf-8');
+    const content = fs.readFileSync(configPath, 'utf-8');
     const parsed = parseYaml(content);
     return {
         // Support both 'version' and 'schema_version' (prefer schema_version)

package/dist/context.d.ts

@@ -0,0 +1,3 @@
+import type { HushContext } from './types.js';
+export declare const defaultContext: HushContext;
+//# sourceMappingURL=context.d.ts.map

package/dist/context.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.d.ts","sourceRoot":"","sources":["../src/context.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAG9C,eAAO,MAAM,cAAc,EAAE,WAkD5B,CAAC"}

package/dist/context.js

@@ -0,0 +1,59 @@
+import { fs } from './lib/fs.js';
+import { spawnSync, execSync } from 'node:child_process';
+import { join } from 'node:path';
+import { loadConfig, findProjectRoot } from './config/loader.js';
+import { decrypt, isSopsInstalled } from './core/sops.js';
+import { ageAvailable, ageGenerate, agePublicFromPrivate, keyExists, keySave, keyLoad, keyPath } from './lib/age.js';
+import { opAvailable, opGetKey, opStoreKey } from './lib/onepassword.js';
+import pc from 'picocolors';
+export const defaultContext = {
+    fs,
+    path: {
+        join,
+    },
+    exec: {
+        spawnSync: (command, args, options) => {
+            // @ts-ignore - types are compatible at runtime
+            return spawnSync(command, args, options);
+        },
+        execSync: (command, options) => {
+            // @ts-ignore - types are compatible at runtime
+            return execSync(command, options);
+        },
+    },
+    logger: {
+        log: (message) => console.log(message),
+        error: (message) => console.error(pc.red(message)),
+        warn: (message) => console.warn(pc.yellow(message)),
+        info: (message) => console.info(pc.blue(message)),
+    },
+    process: {
+        cwd: () => process.cwd(),
+        exit: (code) => process.exit(code),
+        env: process.env,
+        stdin: process.stdin,
+        stdout: process.stdout,
+    },
+    config: {
+        loadConfig,
+        findProjectRoot,
+    },
+    age: {
+        ageAvailable,
+        ageGenerate,
+        keyExists,
+        keySave,
+        keyPath,
+        keyLoad,
+        agePublicFromPrivate,
+    },
+    onepassword: {
+        opAvailable,
+        opGetKey,
+        opStoreKey,
+    },
+    sops: {
+        decrypt,
+        isSopsInstalled,
+    },
+};

package/dist/core/parse.js

@@ -1,4 +1,4 @@
-import { existsSync, readFileSync } from 'node:fs';
+import { fs } from '../lib/fs.js';
 export function parseEnvContent(content) {
     const vars = [];
     const lines = content.split('\n');
@@ -21,10 +21,10 @@ export function parseEnvContent(content) {
     return vars;
 }
 export function parseEnvFile(filePath) {
-    if (!existsSync(filePath)) {
+    if (!fs.existsSync(filePath)) {
         return [];
     }
-    const content = readFileSync(filePath, 'utf-8');
+    const content = fs.readFileSync(filePath, 'utf-8');
     return parseEnvContent(content);
 }
 export function varsToRecord(vars) {

package/dist/core/sops.js

@@ -1,5 +1,5 @@
 import { execSync, spawnSync } from 'node:child_process';
-import { existsSync, writeFileSync, unlinkSync } from 'node:fs';
+import { fs } from '../lib/fs.js';
 import { join } from 'node:path';
 import { tmpdir, homedir } from 'node:os';
 function getAgeKeyFile() {
@@ -7,7 +7,7 @@ function getAgeKeyFile() {
         return process.env.SOPS_AGE_KEY_FILE;
     }
     const defaultPath = join(homedir(), '.config', 'sops', 'age', 'key.txt');
-    if (existsSync(defaultPath)) {
+    if (fs.existsSync(defaultPath)) {
         return defaultPath;
     }
     return undefined;
@@ -35,7 +35,7 @@ export function isAgeKeyConfigured() {
     return getAgeKeyFile() !== undefined;
 }
 export function decrypt(filePath) {
-    if (!existsSync(filePath)) {
+    if (!fs.existsSync(filePath)) {
         throw new Error(`Encrypted file not found: ${filePath}`);
     }
     if (!isSopsInstalled()) {
@@ -59,7 +59,7 @@ export function decrypt(filePath) {
     }
 }
 export function encrypt(inputPath, outputPath) {
-    if (!existsSync(inputPath)) {
+    if (!fs.existsSync(inputPath)) {
         throw new Error(`Input file not found: ${inputPath}`);
     }
     if (!isSopsInstalled()) {
@@ -78,7 +78,7 @@ export function encrypt(inputPath, outputPath) {
     }
 }
 export function edit(filePath) {
-    if (!existsSync(filePath)) {
+    if (!fs.existsSync(filePath)) {
         throw new Error(`Encrypted file not found: ${filePath}`);
     }
     if (!isSopsInstalled()) {
@@ -98,7 +98,7 @@ export function setKey(filePath, key, value) {
         throw new Error('SOPS is not installed. Install with: brew install sops');
     }
     let content = '';
-    if (existsSync(filePath)) {
+    if (fs.existsSync(filePath)) {
         content = decrypt(filePath);
     }
     const lines = content.split('\n').filter(line => line.trim() !== '');
@@ -117,7 +117,7 @@ export function setKey(filePath, key, value) {
     const newContent = updatedLines.join('\n') + '\n';
     const tempFile = join(tmpdir(), `hush-temp-${Date.now()}.env`);
     try {
-        writeFileSync(tempFile, newContent, 'utf-8');
+        fs.writeFileSync(tempFile, newContent, 'utf-8');
         execSync(`sops --input-type dotenv --output-type dotenv --encrypt "${tempFile}" > "${filePath}"`, {
             encoding: 'utf-8',
             stdio: ['pipe', 'pipe', 'pipe'],
@@ -125,8 +125,8 @@ export function setKey(filePath, key, value) {
         });
     }
     finally {
-        if (existsSync(tempFile)) {
-            unlinkSync(tempFile);
+        if (fs.existsSync(tempFile)) {
+            fs.unlinkSync(tempFile);
         }
     }
 }

package/dist/core/template.d.ts

@@ -1,11 +1,11 @@
 import { type InterpolateOptions } from './interpolate.js';
-import type { EnvVar, Environment } from '../types.js';
+import type { EnvVar, Environment, HushContext } from '../types.js';
 export interface LocalTemplateResult {
     hasTemplate: boolean;
     templateDir: string;
     vars: EnvVar[];
     files: string[];
 }
-export declare function loadLocalTemplates(contextDir: string, env: Environment): LocalTemplateResult;
+export declare function loadLocalTemplates(contextDir: string, env: Environment, fs: HushContext['fs']): LocalTemplateResult;
 export declare function resolveTemplateVars(templateVars: EnvVar[], rootSecrets: Record<string, string>, options?: InterpolateOptions): EnvVar[];
 //# sourceMappingURL=template.d.ts.map