@chriscode/hush 5.0.6 → 5.0.7

package/dist/commands/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAc,WAAW,EAAE,WAAW,EAAU,MAAM,aAAa,CAAC;AAsKhF,wBAAsB,WAAW,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAqFvF"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAc,WAAW,EAAE,WAAW,EAAU,MAAM,aAAa,CAAC;AAsKhF,wBAAsB,WAAW,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAmGvF"}

package/dist/commands/init.js

@@ -145,8 +145,20 @@ export async function initCommand(ctx, options) {
     const { root } = options;
     const existingConfig = ctx.config.findProjectRoot(root);
     if (existingConfig) {
-        ctx.logger.error(pc.red(`Config already exists: ${existingConfig.configPath}`));
-        ctx.process.exit(1);
+        const sopsPath = ctx.path.join(root, '.sops.yaml');
+        if (ctx.fs.existsSync(sopsPath)) {
+            ctx.logger.error(pc.red(`Config already exists: ${existingConfig.configPath}`));
+            ctx.process.exit(1);
+        }
+        ctx.logger.log(pc.yellow(`hush.yaml already exists. Completing setup (creating .sops.yaml)...\n`));
+        const existingHushConfig = ctx.config.loadConfig(root);
+        const project = existingHushConfig.project ?? getProjectFromPackageJson(ctx, root);
+        const keyResult = await setupKey(ctx, root, project ?? null);
+        if (keyResult) {
+            createSopsConfig(ctx, root, keyResult.publicKey);
+            ctx.logger.log(pc.green('\nSetup complete. Run "hush encrypt" to encrypt your secrets.'));
+        }
+        return;
     }
     ctx.logger.log(pc.blue('Initializing hush...\n'));
     const existingEncryptedFiles = findExistingEncryptedFiles(ctx, root);

package/dist/commands/skill.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAkvC7D,wBAAsB,YAAY,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CzF"}
+{"version":3,"file":"skill.d.ts","sourceRoot":"","sources":["../../src/commands/skill.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAg2C7D,wBAAsB,YAAY,CAAC,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA0CzF"}

package/dist/commands/skill.js

@@ -37,6 +37,7 @@ This tells you:
 | \`No hush.yaml found\` | Hush not initialized | Run \`npx hush init\` |
 | \`SOPS not installed\` | Missing prerequisite | \`brew install sops\` |
 | \`age key not found\` | Missing encryption key | \`npx hush keys setup\` |
+| \`age key configured\` but decrypt fails | direnv not loaded | Run \`direnv allow\` in project directory |
 | \`Project: not set\` | Key management limited | Add \`project:\` to hush.yaml |
 
 **Note:** Any \`.env\` file is suspect - Hush uses \`.hush\` files everywhere. Subdirectory \`.hush\` files are templates (safe to commit).
@@ -344,6 +345,39 @@ The dialog shows the pasted value for easy verification.
 
 ---
 
+## Troubleshooting
+
+### Decrypt fails with "no identity matched any of the recipients"
+
+This is the most common issue - SOPS can't find the decryption key.
+
+**Cause:** Hush uses per-project keys at \`~/.config/sops/age/keys/{project}.txt\`, but SOPS needs the \`SOPS_AGE_KEY_FILE\` env var to find them.
+
+**Fix:**
+\`\`\`bash
+# 1. Verify the key exists
+npx hush keys list
+
+# 2. Ensure direnv is set up
+brew install direnv
+echo 'eval "$(direnv hook zsh)"' >> ~/.zshrc  # or bash
+
+# 3. Allow direnv in the project (loads .envrc)
+cd /path/to/project
+direnv allow
+
+# 4. Verify
+npx hush status   # Should show "age key configured"
+npx hush inspect  # Should now work
+\`\`\`
+
+### Key listed but wrong project
+
+If \`npx hush keys list\` shows a key but for the wrong project:
+\`\`\`bash
+npx hush keys setup   # Will pull correct key from 1Password or prompt
+\`\`\`
+
 ## Additional Resources
 
 - **First-time setup**: [SETUP.md](SETUP.md)
@@ -604,12 +638,49 @@ git commit -m "chore: add Hush secrets management"
 
 When a new team member joins:
 
+### With 1Password (Recommended)
+
+\`\`\`bash
+npx hush keys setup   # Auto-pulls key from 1Password
+\`\`\`
+
+### Without 1Password
+
 1. **Get the age private key** from an existing team member
-2. **Save it** to \`~/.config/sops/age/key.txt\`
-3. **Run** \`npx hush run -- npm install\` to verify decryption works
-4. **Start developing** with \`npx hush run -- npm run dev\`
+2. **Save it** to \`~/.config/sops/age/keys/{project}.txt\` (check \`npx hush status\` for exact path)
+3. **Set up direnv** to load the key (see below)
+4. **Verify** with \`npx hush status\` and \`npx hush inspect\`
+
+### Critical: Set Up direnv
+
+Hush uses per-project keys. SOPS needs to know where to find them via \`SOPS_AGE_KEY_FILE\`.
+
+**1. Install direnv:**
+\`\`\`bash
+brew install direnv                    # macOS
+# Add to ~/.zshrc or ~/.bashrc:
+eval "$(direnv hook zsh)"              # or bash
+\`\`\`
+
+**2. Create/verify .envrc in the project:**
+\`\`\`bash
+# .envrc (should already exist if project is set up)
+export SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys/{project-slug}.txt"
+\`\`\`
 
-The private key should be shared securely (password manager, encrypted channel, etc.)
+**3. Allow direnv:**
+\`\`\`bash
+cd /path/to/project
+direnv allow
+\`\`\`
+
+**4. Verify setup:**
+\`\`\`bash
+npx hush status    # Should show "age key configured"
+npx hush inspect   # Should decrypt and show masked secrets
+\`\`\`
+
+The private key should be shared securely (1Password is ideal, or password manager, encrypted channel)
 
 ---
 
@@ -637,8 +708,47 @@ brew install age  # macOS
 brew install sops  # macOS
 \`\`\`
 
-### "Error: no matching keys found"
-Your age key doesn't match. Get the correct private key from a team member.
+### "no identity matched any of the recipients" or "Error: no matching keys found"
+
+This error means SOPS can't find the decryption key. **Most common cause: direnv not loaded.**
+
+**Step 1: Check if the key file exists**
+\`\`\`bash
+npx hush keys list   # Shows local and 1Password keys
+\`\`\`
+
+If the key is listed but decryption fails, the issue is that SOPS doesn't know where to find it.
+
+**Step 2: Set up direnv (CRITICAL for per-project keys)**
+
+Hush uses per-project keys at \`~/.config/sops/age/keys/{project}.txt\`. SOPS needs the \`SOPS_AGE_KEY_FILE\` environment variable set to find it.
+
+\`\`\`bash
+# Install direnv (if not already installed)
+brew install direnv
+
+# Add to your shell (add to ~/.zshrc or ~/.bashrc)
+eval "$(direnv hook zsh)"   # or bash
+\`\`\`
+
+**Step 3: Create .envrc in the project root**
+\`\`\`bash
+# .envrc
+export SOPS_AGE_KEY_FILE="$HOME/.config/sops/age/keys/{project-slug}.txt"
+\`\`\`
+
+Replace \`{project-slug}\` with your project identifier (e.g., \`myorg-myrepo\`). Check \`npx hush status\` to see the expected filename.
+
+**Step 4: Allow direnv**
+\`\`\`bash
+direnv allow
+\`\`\`
+
+**Step 5: Verify**
+\`\`\`bash
+npx hush status   # Should show "age key configured"
+npx hush inspect  # Should decrypt and show masked secrets
+\`\`\`
 
 ### "hush.yaml not found"
 Run \`npx hush init\` to generate configuration.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chriscode/hush",
-  "version": "5.0.6",
+  "version": "5.0.7",
   "description": "SOPS-based secrets management for monorepos. Encrypt once, decrypt everywhere.",
   "type": "module",
   "bin": {