@dotenc/cli 0.3.4 → 0.4.2

package/dist/cli.js

@@ -1,3 +1,2071 @@
 #!/usr/bin/env node
-"use strict";
-import("./program.js");
+#!/usr/bin/env node
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
+// package.json
+var package_default;
+var init_package = __esm(() => {
+  package_default = {
+    name: "@dotenc/cli",
+    version: "0.4.2",
+    description: "🔐 Git-native encrypted environments powered by your SSH keys",
+    author: "Ivan Filho <i@ivanfilho.com>",
+    license: "MIT",
+    type: "module",
+    bin: {
+      dotenc: "./dist/cli.js"
+    },
+    files: [
+      "dist"
+    ],
+    scripts: {
+      dev: "bun src/cli.ts",
+      start: "node dist/cli.js",
+      build: "bun build src/cli.ts --outdir dist --target node --packages external && { echo '#!/usr/bin/env node'; cat dist/cli.js; } > dist/cli.tmp && mv dist/cli.tmp dist/cli.js",
+      "build:binary": "bun run build:binary:darwin-arm64 && bun run build:binary:darwin-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64 && bun run build:binary:windows-x64",
+      "build:binary:darwin-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/dotenc-darwin-arm64",
+      "build:binary:darwin-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/dotenc-darwin-x64",
+      "build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/dotenc-linux-x64",
+      "build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/dotenc-linux-arm64",
+      "build:binary:windows-x64": "bun build src/cli.ts --compile --target=bun-windows-x64 --outfile dist/dotenc-windows-x64",
+      test: "bun test",
+      "test:e2e": "docker build -t dotenc-e2e -f e2e/Dockerfile .. && docker run --rm dotenc-e2e"
+    },
+    devDependencies: {
+      "@biomejs/biome": "^2.1.2",
+      "@types/bun": "^1.3.9",
+      typescript: "^5.8.2"
+    },
+    dependencies: {
+      "@paralleldrive/cuid2": "^2.2.2",
+      chalk: "^5.4.1",
+      commander: "^13.1.0",
+      eciesjs: "^0.4.15",
+      inquirer: "^12.4.2",
+      zod: "^3.24.2"
+    },
+    repository: {
+      type: "git",
+      url: "git+https://github.com/ivanfilhoz/dotenc.git"
+    },
+    bugs: {
+      url: "https://github.com/ivanfilhoz/dotenc/issues"
+    },
+    homepage: "https://github.com/ivanfilhoz/dotenc#readme",
+    keywords: [
+      "dotenv",
+      "env",
+      "environment",
+      "variables",
+      "secrets",
+      "encrypted",
+      "encryption",
+      "aes-256-gcm",
+      "ssh",
+      "ssh-keys",
+      "ed25519",
+      "rsa",
+      "git",
+      "cli",
+      "secure",
+      "security",
+      "devops",
+      "cicd",
+      "configuration",
+      "config"
+    ]
+  };
+});
+
+// src/helpers/crypto.ts
+import crypto from "node:crypto";
+async function encryptData(key, input) {
+  if (key.length !== 32) {
+    throw new Error("Key must be 32 bytes (256 bits) for AES-256-GCM.");
+  }
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([cipher.update(input), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return Buffer.concat([iv, encrypted, authTag]);
+}
+async function decryptData(key, input) {
+  if (key.length !== 32) {
+    throw new Error("Key must be 32 bytes (256 bits) for AES-256-GCM.");
+  }
+  if (input.length < IV_LENGTH + AUTH_TAG_LENGTH) {
+    throw new Error(`Encrypted input is too short (${input.length} bytes). Expected at least ${IV_LENGTH + AUTH_TAG_LENGTH} bytes.`);
+  }
+  const iv = input.subarray(0, IV_LENGTH);
+  const authTag = input.subarray(input.length - AUTH_TAG_LENGTH);
+  const ciphertext = input.subarray(IV_LENGTH, input.length - AUTH_TAG_LENGTH);
+  try {
+    const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final()
+    ]);
+    return decrypted.toString();
+  } catch (error) {
+    if (error instanceof Error && error.message.includes("unable to authenticate")) {
+      throw new Error(`Failed to decrypt file. This could be because:
+` + `1. The encryption key may be incorrect
+` + `2. The encrypted file may be corrupted
+` + "3. The encrypted file may have been tampered with");
+    }
+    throw error;
+  }
+}
+var createDataKey = () => crypto.randomBytes(32), ALGORITHM = "aes-256-gcm", IV_LENGTH = 12, AUTH_TAG_LENGTH = 16;
+var init_crypto = () => {};
+
+// src/helpers/decryptDataKey.ts
+import crypto2 from "node:crypto";
+import { decrypt, ECIES_CONFIG } from "eciesjs";
+var decryptDataKey = (keyInfo, encryptedDataKey) => {
+  if (keyInfo.algorithm === "rsa") {
+    return crypto2.privateDecrypt({
+      key: keyInfo.privateKey,
+      padding: crypto2.constants.RSA_PKCS1_OAEP_PADDING,
+      oaepHash: "sha256"
+    }, encryptedDataKey);
+  }
+  if (!keyInfo.rawSeed) {
+    throw new Error("Raw seed bytes are required for Ed25519 decryption.");
+  }
+  return Buffer.from(decrypt(keyInfo.rawSeed, encryptedDataKey));
+};
+var init_decryptDataKey = __esm(() => {
+  ECIES_CONFIG.ellipticCurve = "ed25519";
+});
+
+// src/helpers/errors.ts
+import chalk from "chalk";
+var passphraseProtectedKeyError = (keys) => `${chalk.red("Error:")} your SSH keys are passphrase-protected, which is not currently supported by dotenc.
+
+Passphrase-protected keys found:
+${keys.map((k) => `  - ${k}`).join(`
+`)}
+
+To generate a key without a passphrase:
+  ${chalk.gray('ssh-keygen -t ed25519 -N ""')}
+
+Or use an existing key without a passphrase.`;
+var init_errors = () => {};
+
+// src/schemas/environment.ts
+import { z } from "zod";
+var environmentSchema;
+var init_environment = __esm(() => {
+  environmentSchema = z.object({
+    keys: z.array(z.object({
+      name: z.string(),
+      fingerprint: z.string(),
+      encryptedDataKey: z.string(),
+      algorithm: z.enum(["rsa", "ed25519"])
+    })),
+    encryptedContent: z.string()
+  });
+});
+
+// src/helpers/getEnvironmentByPath.ts
+import fs from "node:fs/promises";
+var getEnvironmentByPath = async (filePath) => {
+  let environmentInput;
+  try {
+    environmentInput = await fs.readFile(filePath, "utf-8");
+  } catch (_error) {
+    throw new Error(`Environment file not found: ${filePath}`);
+  }
+  let environmentJson;
+  try {
+    const rawJson = JSON.parse(environmentInput);
+    environmentJson = environmentSchema.parse(rawJson);
+  } catch (_error) {
+    throw new Error("Failed to parse the environment file. Please ensure it is a valid JSON file.");
+  }
+  return environmentJson;
+};
+var init_getEnvironmentByPath = __esm(() => {
+  init_environment();
+});
+
+// src/helpers/getEnvironmentByName.ts
+import path from "node:path";
+var getEnvironmentByName = async (name) => {
+  return getEnvironmentByPath(path.join(process.cwd(), `.env.${name}.enc`));
+};
+var init_getEnvironmentByName = __esm(() => {
+  init_getEnvironmentByPath();
+});
+
+// src/helpers/getKeyFingerprint.ts
+import crypto3 from "node:crypto";
+var getKeyFingerprint = (keyInput) => {
+  const publicKey = keyInput instanceof crypto3.KeyObject && keyInput.type === "public" ? keyInput : crypto3.createPublicKey(keyInput);
+  const der = publicKey.export({ type: "spki", format: "der" });
+  const hash = crypto3.createHash("sha256").update(der).digest("hex");
+  return hash;
+};
+var init_getKeyFingerprint = () => {};
+
+// src/helpers/isPassphraseProtected.ts
+function isPassphraseProtected(keyContent) {
+  if (keyContent.includes("BEGIN ENCRYPTED PRIVATE KEY")) {
+    return true;
+  }
+  if (keyContent.includes("Proc-Type: 4,ENCRYPTED")) {
+    return true;
+  }
+  if (keyContent.includes("BEGIN OPENSSH PRIVATE KEY")) {
+    return isOpenSSHKeyEncrypted(keyContent);
+  }
+  return false;
+}
+function isOpenSSHKeyEncrypted(content) {
+  const lines = content.split(`
+`);
+  const startIdx = lines.findIndex((l) => l.trim().startsWith("-----BEGIN OPENSSH PRIVATE KEY-----"));
+  const endIdx = lines.findIndex((l) => l.trim().startsWith("-----END OPENSSH PRIVATE KEY-----"));
+  if (startIdx === -1 || endIdx === -1)
+    return false;
+  const base64 = lines.slice(startIdx + 1, endIdx).map((l) => l.trim()).join("");
+  let buf;
+  try {
+    buf = Buffer.from(base64, "base64");
+  } catch {
+    return false;
+  }
+  let offset = 0;
+  const MAGIC = "openssh-key-v1\x00";
+  if (buf.length < MAGIC.length)
+    return false;
+  const magic = buf.subarray(0, MAGIC.length).toString("ascii");
+  if (magic !== MAGIC)
+    return false;
+  offset += MAGIC.length;
+  if (offset + 4 > buf.length)
+    return false;
+  const cipherLen = buf.readUInt32BE(offset);
+  offset += 4;
+  if (offset + cipherLen > buf.length)
+    return false;
+  const ciphername = buf.subarray(offset, offset + cipherLen).toString("ascii");
+  return ciphername !== "none";
+}
+
+// src/helpers/parseOpenSSHKey.ts
+import crypto4 from "node:crypto";
+function parseOpenSSHPrivateKey(content) {
+  const lines = content.split(`
+`);
+  const startIdx = lines.findIndex((l) => l.trim().startsWith("-----BEGIN OPENSSH PRIVATE KEY-----"));
+  const endIdx = lines.findIndex((l) => l.trim().startsWith("-----END OPENSSH PRIVATE KEY-----"));
+  if (startIdx === -1 || endIdx === -1)
+    return null;
+  const base64 = lines.slice(startIdx + 1, endIdx).map((l) => l.trim()).join("");
+  const buf = Buffer.from(base64, "base64");
+  let offset = 0;
+  const MAGIC = "openssh-key-v1\x00";
+  const magic = buf.subarray(0, MAGIC.length).toString("ascii");
+  if (magic !== MAGIC)
+    return null;
+  offset += MAGIC.length;
+  const ciphername = readString(buf, offset);
+  if (!ciphername)
+    return null;
+  offset = ciphername.nextOffset;
+  if (ciphername.value !== "none")
+    return null;
+  const kdfname = readString(buf, offset);
+  if (!kdfname)
+    return null;
+  offset = kdfname.nextOffset;
+  const kdfoptions = readString(buf, offset);
+  if (!kdfoptions)
+    return null;
+  offset = kdfoptions.nextOffset;
+  if (offset + 4 > buf.length)
+    return null;
+  const numKeys = buf.readUInt32BE(offset);
+  offset += 4;
+  if (numKeys !== 1)
+    return null;
+  const pubKeyBlob = readString(buf, offset);
+  if (!pubKeyBlob)
+    return null;
+  offset = pubKeyBlob.nextOffset;
+  const privBlob = readBytes(buf, offset);
+  if (!privBlob)
+    return null;
+  const priv = privBlob.value;
+  let pOffset = 0;
+  if (pOffset + 8 > priv.length)
+    return null;
+  const check1 = priv.readUInt32BE(pOffset);
+  pOffset += 4;
+  const check2 = priv.readUInt32BE(pOffset);
+  pOffset += 4;
+  if (check1 !== check2)
+    return null;
+  const keyType = readString(priv, pOffset);
+  if (!keyType)
+    return null;
+  pOffset = keyType.nextOffset;
+  if (keyType.value === "ssh-ed25519") {
+    return parseEd25519(priv, pOffset);
+  }
+  if (keyType.value === "ssh-rsa") {
+    return parseRSA(priv, pOffset);
+  }
+  return null;
+}
+function parseEd25519(priv, offset) {
+  const pubKey = readBytes(priv, offset);
+  if (!pubKey || pubKey.value.length !== 32)
+    return null;
+  offset = pubKey.nextOffset;
+  const privKey = readBytes(priv, offset);
+  if (!privKey || privKey.value.length !== 64)
+    return null;
+  const seed = privKey.value.subarray(0, 32);
+  const pkcs8Prefix = Buffer.from([
+    48,
+    46,
+    2,
+    1,
+    0,
+    48,
+    5,
+    6,
+    3,
+    43,
+    101,
+    112,
+    4,
+    34,
+    4,
+    32
+  ]);
+  const der = Buffer.concat([pkcs8Prefix, seed]);
+  try {
+    return crypto4.createPrivateKey({ key: der, format: "der", type: "pkcs8" });
+  } catch {
+    return null;
+  }
+}
+function parseRSA(priv, offset) {
+  const n = readMpint(priv, offset);
+  if (!n)
+    return null;
+  offset = n.nextOffset;
+  const e = readMpint(priv, offset);
+  if (!e)
+    return null;
+  offset = e.nextOffset;
+  const d = readMpint(priv, offset);
+  if (!d)
+    return null;
+  offset = d.nextOffset;
+  const iqmp = readMpint(priv, offset);
+  if (!iqmp)
+    return null;
+  offset = iqmp.nextOffset;
+  const p = readMpint(priv, offset);
+  if (!p)
+    return null;
+  offset = p.nextOffset;
+  const q = readMpint(priv, offset);
+  if (!q)
+    return null;
+  const dBig = bufToBigInt(d.value);
+  const pBig = bufToBigInt(p.value);
+  const qBig = bufToBigInt(q.value);
+  const dp = dBig % (pBig - 1n);
+  const dq = dBig % (qBig - 1n);
+  const jwk = {
+    kty: "RSA",
+    n: bufToBase64Url(n.value),
+    e: bufToBase64Url(e.value),
+    d: bufToBase64Url(d.value),
+    p: bufToBase64Url(p.value),
+    q: bufToBase64Url(q.value),
+    dp: bigIntToBase64Url(dp),
+    dq: bigIntToBase64Url(dq),
+    qi: bufToBase64Url(iqmp.value)
+  };
+  try {
+    return crypto4.createPrivateKey({ key: jwk, format: "jwk" });
+  } catch {
+    return null;
+  }
+}
+function readUint32(buf, offset) {
+  if (offset + 4 > buf.length)
+    return null;
+  return { value: buf.readUInt32BE(offset), nextOffset: offset + 4 };
+}
+function readBytes(buf, offset) {
+  const len = readUint32(buf, offset);
+  if (!len)
+    return null;
+  const end = len.nextOffset + len.value;
+  if (end > buf.length)
+    return null;
+  return {
+    value: buf.subarray(len.nextOffset, end),
+    nextOffset: end
+  };
+}
+function readString(buf, offset) {
+  const bytes = readBytes(buf, offset);
+  if (!bytes)
+    return null;
+  return {
+    value: bytes.value.toString("ascii"),
+    nextOffset: bytes.nextOffset
+  };
+}
+function readMpint(buf, offset) {
+  const bytes = readBytes(buf, offset);
+  if (!bytes)
+    return null;
+  let value = bytes.value;
+  if (value.length > 1 && value[0] === 0) {
+    value = value.subarray(1);
+  }
+  return { value, nextOffset: bytes.nextOffset };
+}
+function bufToBase64Url(buf) {
+  return Buffer.from(buf).toString("base64url");
+}
+function bufToBigInt(buf) {
+  let result = 0n;
+  for (const byte of buf) {
+    result = result << 8n | BigInt(byte);
+  }
+  return result;
+}
+function bigIntToBase64Url(n) {
+  if (n === 0n)
+    return "AA";
+  const hex = n.toString(16);
+  const padded = hex.length % 2 ? `0${hex}` : hex;
+  return Buffer.from(padded, "hex").toString("base64url");
+}
+var init_parseOpenSSHKey = () => {};
+
+// src/helpers/getPrivateKeys.ts
+import crypto5 from "node:crypto";
+import { existsSync } from "node:fs";
+import fs2 from "node:fs/promises";
+import os from "node:os";
+import path2 from "node:path";
+function extractEd25519RawKeys(privateKey) {
+  const privDer = privateKey.export({ type: "pkcs8", format: "der" });
+  const rawSeed = Buffer.from(privDer.subarray(privDer.length - 32));
+  const publicKey = crypto5.createPublicKey(privateKey);
+  const pubDer = publicKey.export({ type: "spki", format: "der" });
+  const rawPublicKey = Buffer.from(pubDer.subarray(pubDer.length - 32));
+  return { rawSeed, rawPublicKey };
+}
+function detectAlgorithm(privateKey) {
+  const keyType = privateKey.asymmetricKeyType;
+  if (keyType === "rsa")
+    return "rsa";
+  if (keyType === "ed25519")
+    return "ed25519";
+  return null;
+}
+function tryParsePrivateKey(keyContent) {
+  try {
+    return crypto5.createPrivateKey(keyContent);
+  } catch {
+    return parseOpenSSHPrivateKey(keyContent);
+  }
+}
+var SSH_KEY_FILES, getPrivateKeys = async () => {
+  const privateKeys = [];
+  const passphraseProtectedKeys = [];
+  if (process.env.DOTENC_PRIVATE_KEY) {
+    let privateKey = null;
+    try {
+      privateKey = crypto5.createPrivateKey(process.env.DOTENC_PRIVATE_KEY);
+    } catch {
+      privateKey = parseOpenSSHPrivateKey(process.env.DOTENC_PRIVATE_KEY);
+    }
+    if (privateKey) {
+      const algorithm = detectAlgorithm(privateKey);
+      if (algorithm) {
+        const entry = {
+          name: "env.DOTENC_PRIVATE_KEY",
+          privateKey,
+          fingerprint: getKeyFingerprint(privateKey),
+          algorithm
+        };
+        if (algorithm === "ed25519") {
+          const { rawSeed, rawPublicKey } = extractEd25519RawKeys(privateKey);
+          entry.rawSeed = rawSeed;
+          entry.rawPublicKey = rawPublicKey;
+        }
+        privateKeys.push(entry);
+      } else {
+        console.error(`Unsupported key type in DOTENC_PRIVATE_KEY: ${privateKey.asymmetricKeyType}. Only RSA and Ed25519 are supported.`);
+      }
+    } else {
+      if (isPassphraseProtected(process.env.DOTENC_PRIVATE_KEY)) {
+        console.error("Error: the key in DOTENC_PRIVATE_KEY is passphrase-protected, which is not currently supported by dotenc.");
+        process.exit(1);
+      }
+      console.error("Invalid private key format in DOTENC_PRIVATE_KEY environment variable. Please provide a valid private key (PEM or OpenSSH format).");
+    }
+  }
+  const sshDir = path2.join(os.homedir(), ".ssh");
+  if (!existsSync(sshDir)) {
+    return { keys: privateKeys, passphraseProtectedKeys };
+  }
+  const files = await fs2.readdir(sshDir);
+  const knownFiles = SSH_KEY_FILES.filter((f) => files.includes(f));
+  const otherFiles = files.filter((f) => !SSH_KEY_FILES.includes(f) && !f.endsWith(".pub") && !f.startsWith("known_hosts") && !f.startsWith("authorized_keys") && f !== "config");
+  for (const fileName of [...knownFiles, ...otherFiles]) {
+    const filePath = path2.join(sshDir, fileName);
+    let stat;
+    try {
+      stat = await fs2.stat(filePath);
+    } catch {
+      continue;
+    }
+    if (!stat.isFile())
+      continue;
+    let keyContent;
+    try {
+      keyContent = await fs2.readFile(filePath, "utf-8");
+    } catch {
+      continue;
+    }
+    if (!keyContent.includes("PRIVATE KEY"))
+      continue;
+    const privateKey = tryParsePrivateKey(keyContent);
+    if (!privateKey) {
+      if (isPassphraseProtected(keyContent)) {
+        passphraseProtectedKeys.push(fileName);
+      }
+      continue;
+    }
+    const algorithm = detectAlgorithm(privateKey);
+    if (!algorithm)
+      continue;
+    const entry = {
+      name: fileName,
+      privateKey,
+      fingerprint: getKeyFingerprint(privateKey),
+      algorithm
+    };
+    if (algorithm === "ed25519") {
+      const { rawSeed, rawPublicKey } = extractEd25519RawKeys(privateKey);
+      entry.rawSeed = rawSeed;
+      entry.rawPublicKey = rawPublicKey;
+    }
+    privateKeys.push(entry);
+  }
+  return { keys: privateKeys, passphraseProtectedKeys };
+};
+var init_getPrivateKeys = __esm(() => {
+  init_getKeyFingerprint();
+  init_parseOpenSSHKey();
+  SSH_KEY_FILES = ["id_ed25519", "id_rsa", "id_ecdsa", "id_dsa"];
+});
+
+// src/helpers/decryptEnvironment.ts
+import chalk2 from "chalk";
+var decryptEnvironmentData = async (environment) => {
+  const { keys: availablePrivateKeys, passphraseProtectedKeys } = await getPrivateKeys();
+  if (!availablePrivateKeys.length) {
+    if (passphraseProtectedKeys.length > 0) {
+      throw new Error(passphraseProtectedKeyError(passphraseProtectedKeys));
+    }
+    throw new Error("No private keys found. Please ensure you have SSH keys in ~/.ssh/ or set the DOTENC_PRIVATE_KEY environment variable.");
+  }
+  let grantedKey;
+  let selectedPrivateKey;
+  for (const privateKeyEntry of availablePrivateKeys) {
+    grantedKey = environment.keys.find((key) => {
+      return key.fingerprint === privateKeyEntry.fingerprint;
+    });
+    if (grantedKey) {
+      selectedPrivateKey = privateKeyEntry;
+      break;
+    }
+  }
+  if (!grantedKey || !selectedPrivateKey) {
+    throw new Error("Access denied to the environment.");
+  }
+  let dataKey;
+  try {
+    dataKey = decryptDataKey(selectedPrivateKey, Buffer.from(grantedKey.encryptedDataKey, "base64"));
+  } catch (error) {
+    throw new Error("Failed to decrypt the data key.", { cause: error });
+  }
+  const decryptedContent = await decryptData(dataKey, Buffer.from(environment.encryptedContent, "base64"));
+  return decryptedContent;
+}, decryptEnvironment = async (name) => {
+  const { keys: availablePrivateKeys } = await getPrivateKeys();
+  const environmentJson = await getEnvironmentByName(name);
+  try {
+    return await decryptEnvironmentData(environmentJson);
+  } catch (error) {
+    if (error instanceof Error && error.message === "Access denied to the environment.") {
+      console.error(`You do not have access to this environment.
+
+      These are your available private keys:
+
+      ${availablePrivateKeys.map((key) => `- ${chalk2.green(key.name)}`).join(`
+`)}
+
+      Please ask the owners of any of the following keys to grant you access:
+
+      ${environmentJson.keys.map((key) => `- ${chalk2.green(key.name)}`).join(`
+`)}
+`);
+    }
+    if (error instanceof Error && error.message === "Failed to decrypt the data key.") {
+      console.error(`${chalk2.red("Error:")} failed to decrypt the data key. Please ensure you have the correct private key.`);
+    }
+    throw error;
+  }
+};
+var init_decryptEnvironment = __esm(() => {
+  init_crypto();
+  init_decryptDataKey();
+  init_errors();
+  init_getEnvironmentByName();
+  init_getPrivateKeys();
+});
+
+// src/helpers/encryptDataKey.ts
+import crypto6 from "node:crypto";
+import { ECIES_CONFIG as ECIES_CONFIG2, encrypt } from "eciesjs";
+var encryptDataKey = (keyInfo, dataKey) => {
+  if (keyInfo.algorithm === "rsa") {
+    return crypto6.publicEncrypt({
+      key: keyInfo.publicKey,
+      padding: crypto6.constants.RSA_PKCS1_OAEP_PADDING,
+      oaepHash: "sha256"
+    }, dataKey);
+  }
+  if (!keyInfo.rawPublicKey) {
+    throw new Error("Raw public key bytes are required for Ed25519 encryption.");
+  }
+  return Buffer.from(encrypt(keyInfo.rawPublicKey, dataKey));
+};
+var init_encryptDataKey = __esm(() => {
+  ECIES_CONFIG2.ellipticCurve = "ed25519";
+});
+
+// src/helpers/getPublicKeys.ts
+import crypto7 from "node:crypto";
+import { existsSync as existsSync2 } from "node:fs";
+import fs3 from "node:fs/promises";
+import path3 from "node:path";
+function detectAlgorithm2(publicKey) {
+  const keyType = publicKey.asymmetricKeyType;
+  if (keyType === "rsa")
+    return "rsa";
+  if (keyType === "ed25519")
+    return "ed25519";
+  return null;
+}
+function extractEd25519RawPublicKey(publicKey) {
+  const pubDer = publicKey.export({ type: "spki", format: "der" });
+  return Buffer.from(pubDer.subarray(pubDer.length - 32));
+}
+var getPublicKeys = async () => {
+  if (!existsSync2(path3.join(process.cwd(), ".dotenc"))) {
+    return [];
+  }
+  const files = await fs3.readdir(path3.join(process.cwd(), ".dotenc"));
+  const publicKeys = [];
+  for (const fileName of files) {
+    if (!fileName.endsWith(".pub")) {
+      continue;
+    }
+    const keyInput = await fs3.readFile(path3.join(process.cwd(), ".dotenc", fileName), "utf-8");
+    let publicKey;
+    try {
+      publicKey = crypto7.createPublicKey(keyInput);
+    } catch (error) {
+      console.error(`Invalid public key format in ${fileName}. Please provide a valid PEM formatted public key.`);
+      console.error(`Details: ${error instanceof Error ? error.message : error}`);
+      continue;
+    }
+    const algorithm = detectAlgorithm2(publicKey);
+    if (!algorithm) {
+      console.error(`Unsupported key type in ${fileName}: ${publicKey.asymmetricKeyType}. Only RSA and Ed25519 are supported.`);
+      continue;
+    }
+    const entry = {
+      name: fileName.replace(".pub", ""),
+      publicKey,
+      fingerprint: getKeyFingerprint(publicKey),
+      algorithm
+    };
+    if (algorithm === "ed25519") {
+      entry.rawPublicKey = extractEd25519RawPublicKey(publicKey);
+    }
+    publicKeys.push(entry);
+  }
+  return publicKeys;
+};
+var init_getPublicKeys = __esm(() => {
+  init_getKeyFingerprint();
+});
+
+// src/helpers/encryptEnvironment.ts
+import fs4 from "node:fs/promises";
+import path4 from "node:path";
+import chalk3 from "chalk";
+var encryptEnvironment = async (name, newContent, options) => {
+  const availablePublicKeys = await getPublicKeys();
+  if (!availablePublicKeys.length) {
+    throw new Error("No public keys found. Please add a public key using 'dotenc key add'.");
+  }
+  const environmentJson = await getEnvironmentByName(name);
+  const removedKeys = environmentJson.keys.filter((key) => !availablePublicKeys.find((pk) => pk.fingerprint === key.fingerprint));
+  if (removedKeys.length) {
+    console.log(`The following keys were removed from the environment: ${removedKeys.map((key) => chalk3.red(key.name)).join(", ")}. They will not have access to the new content.`);
+  }
+  const dataKey = createDataKey();
+  const keys = [];
+  for (const key of environmentJson.keys) {
+    const availableKey = availablePublicKeys.find((pk) => pk.fingerprint === key.fingerprint);
+    if (!availableKey) {
+      continue;
+    }
+    if (options?.revokePublicKeys?.includes(availableKey.name)) {
+      console.log(`Public key ${chalk3.green(availableKey.name)} has been revoked from the environment.`);
+      continue;
+    }
+    if (key.name !== availableKey.name) {
+      console.log(`Public key ${chalk3.red(key.name)} renamed to ${chalk3.green(availableKey.name)}.`);
+    }
+    const encrypted = encryptDataKey(availableKey, dataKey);
+    keys.push({
+      name: availableKey.name,
+      fingerprint: availableKey.fingerprint,
+      encryptedDataKey: encrypted.toString("base64"),
+      algorithm: availableKey.algorithm
+    });
+  }
+  if (options?.grantPublicKeys) {
+    for (const publicKeyName of options.grantPublicKeys) {
+      const publicKey = availablePublicKeys.find((key) => key.name === publicKeyName);
+      if (!publicKey) {
+        console.error(`${chalk3.red("Error:")} public key ${chalk3.green(publicKeyName)} not found.`);
+        continue;
+      }
+      const existingPublicKey = keys.find((key) => key.fingerprint === publicKey.fingerprint);
+      if (existingPublicKey) {
+        if (existingPublicKey.name === publicKey.name) {
+          console.log(`Public key ${chalk3.green(publicKey.name)} already has access to the environment.`);
+        } else {
+          console.log(`Public key ${chalk3.red(existingPublicKey.name)} renamed to ${chalk3.green(publicKey.name)}.`);
+        }
+        continue;
+      }
+      const encrypted = encryptDataKey(publicKey, dataKey);
+      keys.push({
+        name: publicKey.name,
+        fingerprint: publicKey.fingerprint,
+        encryptedDataKey: encrypted.toString("base64"),
+        algorithm: publicKey.algorithm
+      });
+      console.log(`Public key ${chalk3.green(publicKey.name)} has been granted access to the environment.`);
+    }
+  }
+  if (!keys.length) {
+    throw new Error("No valid public keys are left to encrypt the environment. Please ensure you have valid public keys added. Operation aborted.");
+  }
+  const encryptedContent = await encryptData(dataKey, newContent);
+  const newEnvironmentJson = {
+    keys,
+    encryptedContent: encryptedContent.toString("base64")
+  };
+  await fs4.writeFile(path4.join(process.cwd(), `.env.${name}.enc`), JSON.stringify(newEnvironmentJson, null, 2), "utf-8");
+};
+var init_encryptEnvironment = __esm(() => {
+  init_crypto();
+  init_encryptDataKey();
+  init_getEnvironmentByName();
+  init_getPublicKeys();
+});
+
+// src/helpers/getPublicKeyByName.ts
+import crypto8 from "node:crypto";
+import fs5 from "node:fs/promises";
+import path5 from "node:path";
+var getPublicKeyByName = async (name) => {
+  const filePath = path5.join(process.cwd(), ".dotenc", `${name}.pub`);
+  let publicKeyInput;
+  try {
+    await fs5.access(filePath);
+    publicKeyInput = await fs5.readFile(filePath, "utf-8");
+  } catch (error) {
+    throw new Error(`No public key found with name ${name}.`, {
+      cause: error
+    });
+  }
+  try {
+    return crypto8.createPublicKey(publicKeyInput);
+  } catch (error) {
+    throw new Error(`Invalid public key format for ${name}. Please provide a valid PEM formatted public key.`, { cause: error });
+  }
+};
+var init_getPublicKeyByName = () => {};
+
+// src/helpers/validateEnvironmentName.ts
+var validateEnvironmentName = (name) => {
+  if (!name) {
+    return { valid: false, reason: "Environment name must not be empty." };
+  }
+  if (!/^[a-zA-Z0-9._-]+$/.test(name)) {
+    return {
+      valid: false,
+      reason: `Invalid environment name "${name}". Only letters, numbers, dots, hyphens, and underscores are allowed.`
+    };
+  }
+  return { valid: true };
+};
+
+// src/helpers/getEnvironments.ts
+import fs6 from "node:fs/promises";
+var getEnvironments = async () => {
+  const files = await fs6.readdir(process.cwd());
+  const envFiles = files.filter((file) => file.startsWith(".env.") && file.endsWith(".enc"));
+  return envFiles.map((file) => file.slice(5, -4));
+};
+var init_getEnvironments = () => {};
+
+// src/prompts/chooseEnvironment.ts
+import inquirer from "inquirer";
+var chooseEnvironmentPrompt = async (message) => {
+  const environments = await getEnvironments();
+  if (!environments.length) {
+    console.log('No environment files found. To create a new environment, run "dotenc env create"');
+  }
+  const result = await inquirer.prompt([
+    {
+      type: "list",
+      name: "environment",
+      message,
+      choices: environments
+    }
+  ]);
+  return result.environment;
+};
+var init_chooseEnvironment = __esm(() => {
+  init_getEnvironments();
+});
+
+// src/prompts/choosePublicKey.ts
+import inquirer2 from "inquirer";
+var choosePublicKeyPrompt = async (message, multiple) => {
+  const publicKeys = await getPublicKeys();
+  const result = await inquirer2.prompt([
+    {
+      type: multiple ? "list" : "checkbox",
+      name: "key",
+      message,
+      choices: publicKeys.map((key) => key.name.replace(".pub", ""))
+    }
+  ]);
+  return result.key;
+};
+var init_choosePublicKey = __esm(() => {
+  init_getPublicKeys();
+});
+
+// src/commands/auth/grant.ts
+import chalk4 from "chalk";
+var grantCommand = async (environmentNameArg, publicKeyNameArg) => {
+  const environmentName = environmentNameArg || await chooseEnvironmentPrompt("What environment do you want to grant access to?");
+  const validation = validateEnvironmentName(environmentName);
+  if (!validation.valid) {
+    console.error(`${chalk4.red("Error:")} ${validation.reason}`);
+    process.exit(1);
+  }
+  let currentContent;
+  try {
+    currentContent = await decryptEnvironment(environmentName);
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : "Unknown error occurred while decrypting the environment.");
+    process.exit(1);
+  }
+  let publicKeyName = publicKeyNameArg;
+  if (!publicKeyName) {
+    publicKeyName = await choosePublicKeyPrompt("Which public key do you want to grant access to this environment?");
+  }
+  try {
+    await getPublicKeyByName(publicKeyName);
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : "Unknown error occurred while retrieving the public key.");
+    process.exit(1);
+  }
+  try {
+    await encryptEnvironment(environmentName, currentContent, {
+      grantPublicKeys: [publicKeyName]
+    });
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : "Unknown error occurred while encrypting the environment.");
+    process.exit(1);
+  }
+};
+var init_grant = __esm(() => {
+  init_decryptEnvironment();
+  init_encryptEnvironment();
+  init_getPublicKeyByName();
+  init_chooseEnvironment();
+  init_choosePublicKey();
+});
+
+// src/commands/auth/list.ts
+import chalk5 from "chalk";
+var authListCommand = async (environmentNameArg) => {
+  const environmentName = environmentNameArg || await chooseEnvironmentPrompt("What environment do you want to list access for?");
+  const validation = validateEnvironmentName(environmentName);
+  if (!validation.valid) {
+    console.error(`${chalk5.red("Error:")} ${validation.reason}`);
+    return;
+  }
+  const environment = await getEnvironmentByName(environmentName);
+  if (!environment.keys.length) {
+    console.log(`No keys have access to ${environmentName}.`);
+    return;
+  }
+  for (const key of environment.keys) {
+    console.log(key.name);
+  }
+};
+var init_list = __esm(() => {
+  init_getEnvironmentByName();
+  init_chooseEnvironment();
+});
+
+// src/commands/auth/revoke.ts
+import chalk6 from "chalk";
+var revokeCommand = async (environmentNameArg, publicKeyNameArg) => {
+  const environmentName = environmentNameArg || await chooseEnvironmentPrompt("What environment do you want to revoke access from?");
+  const validation = validateEnvironmentName(environmentName);
+  if (!validation.valid) {
+    console.error(`${chalk6.red("Error:")} ${validation.reason}`);
+    process.exit(1);
+  }
+  let currentContent;
+  try {
+    currentContent = await decryptEnvironment(environmentName);
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : "Unknown error occurred while decrypting the environment.");
+    process.exit(1);
+  }
+  let publicKeyName = publicKeyNameArg;
+  if (!publicKeyName) {
+    publicKeyName = await choosePublicKeyPrompt("Which public key do you want to revoke access to this environment?");
+  }
+  try {
+    await getPublicKeyByName(publicKeyName);
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : "Unknown error occurred while retrieving the public key.");
+    process.exit(1);
+  }
+  try {
+    await encryptEnvironment(environmentName, currentContent, {
+      revokePublicKeys: [publicKeyName]
+    });
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : "Unknown error occurred while encrypting the environment.");
+    process.exit(1);
+  }
+};
+var init_revoke = __esm(() => {
+  init_decryptEnvironment();
+  init_encryptEnvironment();
+  init_getPublicKeyByName();
+  init_chooseEnvironment();
+  init_choosePublicKey();
+});
+
+// src/helpers/homeConfig.ts
+import { existsSync as existsSync3 } from "node:fs";
+import fs7 from "node:fs/promises";
+import os2 from "node:os";
+import path6 from "node:path";
+import { z as z2 } from "zod";
+var homeConfigSchema, configPath, setHomeConfig = async (config) => {
+  const parsedConfig = homeConfigSchema.parse(config);
+  await fs7.writeFile(configPath, JSON.stringify(parsedConfig, null, 2), "utf-8");
+}, getHomeConfig = async () => {
+  if (existsSync3(configPath)) {
+    const config = JSON.parse(await fs7.readFile(configPath, "utf-8"));
+    return homeConfigSchema.parse(config);
+  }
+  return {};
+};
+var init_homeConfig = __esm(() => {
+  homeConfigSchema = z2.object({
+    editor: z2.string().nullish()
+  });
+  configPath = path6.join(os2.homedir(), ".dotenc", "config.json");
+});
+
+// src/commands/config.ts
+var configCommand = async (key, value, options) => {
+  const config = await getHomeConfig();
+  if (options.remove) {
+    delete config[key];
+    await setHomeConfig(config);
+    return;
+  }
+  if (value) {
+    config[key] = value;
+    await setHomeConfig(config);
+    return;
+  }
+  console.log(config[key]);
+};
+var init_config = __esm(() => {
+  init_homeConfig();
+});
+
+// src/helpers/getCurrentKeyName.ts
+var getCurrentKeyName = async () => {
+  const { keys: privateKeys } = await getPrivateKeys();
+  const publicKeys = await getPublicKeys();
+  const privateFingerprints = new Set(privateKeys.map((k) => k.fingerprint));
+  const match = publicKeys.find((pub) => privateFingerprints.has(pub.fingerprint));
+  return match?.name;
+};
+var init_getCurrentKeyName = __esm(() => {
+  init_getPrivateKeys();
+  init_getPublicKeys();
+});
+
+// src/helpers/parseEnv.ts
+var LINE, parseEnv = (lines) => {
+  const obj = {};
+  lines = lines.replace(/\r\n?/gm, `
+`);
+  let match;
+  while ((match = LINE.exec(lines)) != null) {
+    const key = match[1];
+    let value = match[2] || "";
+    value = value.trim();
+    const maybeQuote = value[0];
+    value = value.replace(/^(['"`])([\s\S]*)\1$/gm, "$2");
+    if (maybeQuote === '"') {
+      value = value.replace(/\\n/g, `
+`);
+      value = value.replace(/\\r/g, "\r");
+    }
+    obj[key] = value;
+  }
+  return obj;
+};
+var init_parseEnv = __esm(() => {
+  LINE = /(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/gm;
+});
+
+// src/commands/run.ts
+import { spawn } from "node:child_process";
+import chalk7 from "chalk";
+var runCommand = async (command, args, options) => {
+  const environmentName = options.env || process.env.DOTENC_ENV;
+  if (!environmentName) {
+    console.error(`No environment provided. Use -e or set DOTENC_ENV to the environment you want to run the command in.
+To start a new environment, use "dotenc init [environment]".`);
+    process.exit(1);
+  }
+  const environments = environmentName.split(",");
+  for (const env of environments) {
+    const validation = validateEnvironmentName(env);
+    if (!validation.valid) {
+      console.error(`${chalk7.red("Error:")} ${validation.reason}`);
+      process.exit(1);
+    }
+  }
+  let failureCount = 0;
+  const decryptedEnvs = await Promise.all(environments.map(async (environment) => {
+    let content;
+    try {
+      content = await decryptEnvironment(environment);
+    } catch (error) {
+      console.error(error instanceof Error ? error.message : `Unknown error occurred while decrypting the environment ${environment}.`);
+      failureCount++;
+      return {};
+    }
+    const decryptedEnv2 = parseEnv(content);
+    return decryptedEnv2;
+  }));
+  if (failureCount === environments.length) {
+    console.error(`${chalk7.red("Error:")} All environments failed to load.`);
+    process.exit(1);
+  }
+  if (failureCount > 0) {
+    console.error(`${chalk7.yellow("Warning:")} ${failureCount} of ${environments.length} environment(s) failed to load.`);
+  }
+  const decryptedEnv = decryptedEnvs.reduce((acc, env) => {
+    return { ...acc, ...env };
+  }, {});
+  const mergedEnv = { ...process.env, ...decryptedEnv };
+  const child = spawn(command, args, {
+    env: mergedEnv,
+    stdio: "inherit"
+  });
+  child.on("exit", (code) => {
+    process.exit(code);
+  });
+};
+var init_run = __esm(() => {
+  init_decryptEnvironment();
+  init_parseEnv();
+});
+
+// src/commands/dev.ts
+import chalk8 from "chalk";
+var devCommand = async (command, args) => {
+  const keyName = await getCurrentKeyName();
+  if (!keyName) {
+    console.error(`${chalk8.red("Error:")} could not resolve your identity. Run ${chalk8.gray("dotenc init")} first.`);
+    process.exit(1);
+  }
+  await runCommand(command, args, { env: `development,${keyName}` });
+};
+var init_dev = __esm(() => {
+  init_getCurrentKeyName();
+  init_run();
+});
+
+// src/helpers/environmentExists.ts
+import { existsSync as existsSync4 } from "node:fs";
+import path7 from "node:path";
+var environmentExists = (environment) => {
+  const envPath = path7.join(process.cwd(), `.env.${environment}.enc`);
+  return existsSync4(envPath);
+};
+var init_environmentExists = () => {};
+
+// src/helpers/getEnvironmentNameSuggestion.ts
+var getEnvironmentNameSuggestion = () => {
+  const suggestions = ["development", "staging", "production", "test"].find((env) => !environmentExists(env)) ?? "";
+  return suggestions;
+};
+var init_getEnvironmentNameSuggestion = __esm(() => {
+  init_environmentExists();
+});
+
+// src/helpers/projectConfig.ts
+import { existsSync as existsSync5 } from "node:fs";
+import fs8 from "node:fs/promises";
+import path8 from "node:path";
+import { z as z3 } from "zod";
+var projectConfigSchema, configPath2, getProjectConfig = async () => {
+  if (existsSync5(configPath2)) {
+    const config = JSON.parse(await fs8.readFile(configPath2, "utf-8"));
+    return projectConfigSchema.parse(config);
+  }
+  return {};
+};
+var init_projectConfig = __esm(() => {
+  projectConfigSchema = z3.object({
+    projectId: z3.string()
+  });
+  configPath2 = path8.join(process.cwd(), "dotenc.json");
+});
+
+// src/prompts/createEnvironment.ts
+import inquirer3 from "inquirer";
+var createEnvironmentPrompt = async (message, defaultValue) => {
+  const result = await inquirer3.prompt([
+    {
+      type: "input",
+      name: "environment",
+      message,
+      default: defaultValue
+    }
+  ]);
+  return result.environment;
+};
+var init_createEnvironment = () => {};
+
+// src/commands/env/create.ts
+import fs9 from "node:fs/promises";
+import path9 from "node:path";
+import chalk9 from "chalk";
+var createCommand = async (environmentNameArg, publicKeyNameArg, initialContent) => {
+  const { projectId } = await getProjectConfig();
+  if (!projectId) {
+    console.error('No project found. Run "dotenc init" to create one.');
+    process.exit(1);
+  }
+  let environmentName = environmentNameArg;
+  if (!environmentName) {
+    environmentName = await createEnvironmentPrompt("What should the environment be named?", getEnvironmentNameSuggestion());
+  }
+  if (!environmentName) {
+    console.error(`${chalk9.red("Error:")} no environment name provided`);
+    process.exit(1);
+  }
+  const validation = validateEnvironmentName(environmentName);
+  if (!validation.valid) {
+    console.error(`${chalk9.red("Error:")} ${validation.reason}`);
+    process.exit(1);
+  }
+  if (environmentExists(environmentName)) {
+    console.error(`${chalk9.red("Error:")} environment ${environmentName} already exists. To edit it, use ${chalk9.gray(`dotenc env edit ${environmentName}`)}`);
+    process.exit(1);
+  }
+  const availablePublicKeys = await getPublicKeys();
+  if (!availablePublicKeys.length) {
+    console.error(`${chalk9.red("Error:")} no public keys found. Please add a public key using ${chalk9.gray("dotenc key add")}.`);
+    process.exit(1);
+  }
+  const publicKeys = publicKeyNameArg ? [publicKeyNameArg] : await choosePublicKeyPrompt("Which public key(s) do you want to grant access for this environment?", true);
+  const dataKey = createDataKey();
+  const content = initialContent ?? `# ${environmentName} environment
+`;
+  const encryptedContent = await encryptData(dataKey, content);
+  const environmentJson = {
+    keys: [],
+    encryptedContent: encryptedContent.toString("base64")
+  };
+  for (const publicKeyName of publicKeys) {
+    const publicKey = availablePublicKeys.find((key) => key.name === publicKeyName);
+    if (!publicKey) {
+      console.error(`Public key ${chalk9.cyan(publicKeyName)} not found or invalid.`);
+      continue;
+    }
+    const encrypted = encryptDataKey(publicKey, dataKey);
+    environmentJson.keys.push({
+      name: publicKeyName,
+      fingerprint: publicKey.fingerprint,
+      encryptedDataKey: encrypted.toString("base64"),
+      algorithm: publicKey.algorithm
+    });
+  }
+  await fs9.writeFile(path9.join(process.cwd(), `.env.${environmentName}.enc`), JSON.stringify(environmentJson, null, 2), "utf-8");
+  console.log(`${chalk9.green("✔")} Environment ${chalk9.cyan(environmentName)} created!`);
+  console.log(`
+Some useful tips:`);
+  const editCommand = chalk9.gray(`dotenc env edit ${environmentName}`);
+  console.log(`
+- To securely edit your environment:	${editCommand}`);
+  const runCommand2 = chalk9.gray(`dotenc run -e ${environmentName} <command> [args...]`);
+  const runCommandWithEnv = chalk9.gray(`DOTENC_ENV=${environmentName} dotenc run <command> [args...]`);
+  console.log(`- To run your application:		${runCommand2} or ${runCommandWithEnv}`);
+};
+var init_create = __esm(() => {
+  init_crypto();
+  init_encryptDataKey();
+  init_environmentExists();
+  init_getEnvironmentNameSuggestion();
+  init_getPublicKeys();
+  init_projectConfig();
+  init_choosePublicKey();
+  init_createEnvironment();
+});
+
+// src/helpers/createHash.ts
+import crypto9 from "node:crypto";
+var createHash = (input) => {
+  return crypto9.createHash("sha256").update(input).digest("hex");
+};
+var init_createHash = () => {};
+
+// src/helpers/getDefaultEditor.ts
+import { execSync } from "node:child_process";
+var getDefaultEditor = async () => {
+  const config = await getHomeConfig();
+  if (config.editor) {
+    return config.editor;
+  }
+  if (process.env.EDITOR) {
+    return process.env.EDITOR;
+  }
+  if (process.env.VISUAL) {
+    return process.env.VISUAL;
+  }
+  const platform = process.platform;
+  if (platform === "win32") {
+    return "notepad";
+  }
+  const editors = ["nano", "vim", "vi"];
+  for (const editor of editors) {
+    try {
+      execSync(`command -v ${editor}`, { stdio: "ignore" });
+      return editor;
+    } catch {}
+  }
+  throw new Error('No text editor found. Please set the EDITOR environment variable, configure an editor using "dotenc config editor <command>", or install a text editor (e.g., nano, vim, or notepad).');
+};
+var init_getDefaultEditor = __esm(() => {
+  init_homeConfig();
+});
+
+// src/commands/env/edit.ts
+import { spawnSync } from "node:child_process";
+import { existsSync as existsSync6 } from "node:fs";
+import fs10 from "node:fs/promises";
+import os3 from "node:os";
+import path10 from "node:path";
+import chalk10 from "chalk";
+var editCommand = async (environmentNameArg) => {
+  const environmentName = environmentNameArg || await chooseEnvironmentPrompt("What environment do you want to edit?");
+  const nameValidation = validateEnvironmentName(environmentName);
+  if (!nameValidation.valid) {
+    console.error(`${chalk10.red("Error:")} ${nameValidation.reason}`);
+    process.exit(1);
+  }
+  const environmentFile = `.env.${environmentName}.enc`;
+  const environmentFilePath = path10.join(process.cwd(), environmentFile);
+  if (!existsSync6(environmentFilePath)) {
+    console.error(`Environment file not found: ${environmentFilePath}`);
+    process.exit(1);
+  }
+  let environment;
+  let content;
+  try {
+    environment = await getEnvironmentByName(environmentName);
+    content = await decryptEnvironment(environmentName);
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : "Unknown error occurred while decrypting the environment.");
+    process.exit(1);
+  }
+  const separator = `# ---
+`;
+  content = `# Editing environment: ${environmentName}
+# This file is encrypted. Do not share it.
+# Any changes made here will be encrypted and saved back to the environment file.
+# The following public keys have access to this environment:
+${environment.keys.map((key) => `# - ${key.name}`).join(`
+`)}
+# Use 'dotenc auth grant' and/or 'dotenc auth revoke' to manage access.
+# Make sure to save your changes before closing the editor.
+${separator}${content}`;
+  const tempDir = await fs10.mkdtemp(path10.join(os3.tmpdir(), "dotenc-"));
+  const tempFilePath = path10.join(tempDir, `.env.${environmentName}`);
+  await fs10.writeFile(tempFilePath, content, { encoding: "utf-8", mode: 384 });
+  const initialHash = createHash(content);
+  const cleanup = async () => {
+    await fs10.rm(tempDir, { recursive: true, force: true }).catch(() => {});
+  };
+  const onSignal = () => {
+    fs10.rm(tempDir, { recursive: true, force: true }).catch(() => {}).finally(() => process.exit(130));
+  };
+  process.on("SIGINT", onSignal);
+  process.on("SIGTERM", onSignal);
+  const editor = await getDefaultEditor();
+  try {
+    const result = spawnSync(editor, [tempFilePath], { stdio: "inherit" });
+    if (result.error) {
+      throw result.error;
+    }
+    if (result.status !== 0) {
+      console.error(`
+Editor exited with code ${result.status}`);
+      process.exit(1);
+    }
+    let newContent = await fs10.readFile(tempFilePath, "utf-8");
+    const finalHash = createHash(newContent);
+    if (initialHash === finalHash) {
+      console.log(`
+No changes were made to the ${chalk10.cyan(environmentName)} environment.`);
+    } else {
+      const separatorIndex = newContent.indexOf(separator);
+      if (separatorIndex !== -1) {
+        const headerEndIndex = newContent.indexOf(separator) + separator.length;
+        newContent = newContent.slice(headerEndIndex).trim();
+      }
+      await encryptEnvironment(environmentName, newContent);
+      console.log(`
+Encrypted ${chalk10.cyan(environmentName)} environment and saved it to ${chalk10.gray(environmentFile)}.`);
+    }
+  } catch (error) {
+    console.error(`
+Failed to open editor: ${editor}`);
+    console.error(error instanceof Error ? error.message : error);
+  } finally {
+    process.removeListener("SIGINT", onSignal);
+    process.removeListener("SIGTERM", onSignal);
+    await cleanup();
+  }
+};
+var init_edit = __esm(() => {
+  init_createHash();
+  init_decryptEnvironment();
+  init_encryptEnvironment();
+  init_getDefaultEditor();
+  init_getEnvironmentByName();
+  init_chooseEnvironment();
+});
+
+// src/commands/env/list.ts
+var envListCommand = async () => {
+  const environments = await getEnvironments();
+  if (!environments.length) {
+    console.log("No environments found.");
+    return;
+  }
+  for (const name of environments) {
+    console.log(name);
+  }
+};
+var init_list2 = __esm(() => {
+  init_getEnvironments();
+});
+
+// src/commands/env/rotate.ts
+import chalk11 from "chalk";
+var rotateCommand = async (environmentNameArg) => {
+  const environmentName = environmentNameArg || await chooseEnvironmentPrompt("What environment do you want to rotate the data key for?");
+  const validation = validateEnvironmentName(environmentName);
+  if (!validation.valid) {
+    console.error(`${chalk11.red("Error:")} ${validation.reason}`);
+    process.exit(1);
+  }
+  let currentContent;
+  try {
+    currentContent = await decryptEnvironment(environmentName);
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : "Unknown error occurred while decrypting the environment.");
+    process.exit(1);
+  }
+  try {
+    await encryptEnvironment(environmentName, currentContent);
+  } catch (error) {
+    console.error(error instanceof Error ? error.message : "Unknown error occurred while encrypting the environment.");
+    process.exit(1);
+  }
+  console.log(`Data key for ${environmentName} has been rotated.`);
+};
+var init_rotate = __esm(() => {
+  init_decryptEnvironment();
+  init_encryptEnvironment();
+  init_chooseEnvironment();
+});
+
+// src/helpers/createProject.ts
+import { createId } from "@paralleldrive/cuid2";
+var createProject = async () => {
+  return {
+    projectId: createId()
+  };
+};
+var init_createProject = () => {};
+
+// src/helpers/setupGitDiff.ts
+import { spawnSync as spawnSync2 } from "node:child_process";
+import fs11 from "node:fs";
+import path11 from "node:path";
+var setupGitDiff = () => {
+  const gitattributesPath = path11.join(process.cwd(), ".gitattributes");
+  const marker = "*.enc diff=dotenc";
+  let content = "";
+  if (fs11.existsSync(gitattributesPath)) {
+    content = fs11.readFileSync(gitattributesPath, "utf-8");
+  }
+  if (!content.includes(marker)) {
+    const newline = content.length > 0 && !content.endsWith(`
+`) ? `
+` : "";
+    fs11.writeFileSync(gitattributesPath, `${content}${newline}${marker}
+`);
+  }
+  spawnSync2("git", ["config", "--local", "diff.dotenc.textconv", "dotenc textconv"], {
+    stdio: "ignore"
+  });
+};
+var init_setupGitDiff = () => {};
+
+// src/prompts/inputName.ts
+import inquirer4 from "inquirer";
+var inputNamePrompt = async (message, defaultValue) => {
+  const result = await inquirer4.prompt([
+    {
+      type: "input",
+      name: "name",
+      message,
+      default: defaultValue,
+      filter: (input) => input.replace(/[^a-zA-Z0-9_-]/g, "").trim().toLocaleLowerCase()
+    }
+  ]);
+  return result.name;
+};
+var init_inputName = () => {};
+
+// src/helpers/validatePublicKey.ts
+function getRsaModulusLength(key) {
+  const der = key.export({ type: "spki", format: "der" });
+  let i = 0;
+  i += 1;
+  i += der[i] & 128 ? (der[i] & 127) + 1 : 1;
+  i += 1;
+  let algLen = 0;
+  if (der[i] & 128) {
+    const n = der[i] & 127;
+    for (let j = 1;j <= n; j++)
+      algLen = algLen << 8 | der[i + j];
+    i += n + 1;
+  } else {
+    algLen = der[i];
+    i += 1;
+  }
+  i += algLen;
+  i += 1;
+  i += der[i] & 128 ? (der[i] & 127) + 1 : 1;
+  i += 1;
+  i += 1;
+  i += der[i] & 128 ? (der[i] & 127) + 1 : 1;
+  i += 1;
+  let modLen = 0;
+  if (der[i] & 128) {
+    const n = der[i] & 127;
+    for (let j = 1;j <= n; j++)
+      modLen = modLen << 8 | der[i + j];
+    i += n + 1;
+  } else {
+    modLen = der[i];
+    i += 1;
+  }
+  if (der[i] === 0)
+    modLen -= 1;
+  return modLen * 8;
+}
+function validatePublicKey(key) {
+  const keyType = key.asymmetricKeyType;
+  switch (keyType) {
+    case "rsa": {
+      const modulusLength = getRsaModulusLength(key);
+      if (modulusLength < 2048) {
+        return {
+          valid: false,
+          reason: `RSA key is ${modulusLength} bits, minimum is 2048 bits.`
+        };
+      }
+      return { valid: true };
+    }
+    case "ed25519":
+      return { valid: true };
+    case "dsa":
+      return {
+        valid: false,
+        reason: "DSA keys are not supported. Use Ed25519 or RSA (2048+ bits)."
+      };
+    case "ec":
+      return {
+        valid: false,
+        reason: "ECDSA keys are not supported. Use Ed25519 or RSA (2048+ bits)."
+      };
+    default:
+      return {
+        valid: false,
+        reason: `Unsupported key type: ${keyType}. Use Ed25519 or RSA (2048+ bits).`
+      };
+  }
+}
+
+// src/prompts/inputKey.ts
+import inquirer5 from "inquirer";
+var inputKeyPrompt = async (message, defaultValue) => {
+  const result = await inquirer5.prompt([
+    {
+      type: "password",
+      name: "key",
+      mask: "*",
+      message,
+      default: defaultValue
+    }
+  ]);
+  return result.key;
+};
+var init_inputKey = () => {};
+
+// src/commands/key/add.ts
+import crypto10 from "node:crypto";
+import { existsSync as existsSync7 } from "node:fs";
+import fs12 from "node:fs/promises";
+import os4 from "node:os";
+import path12 from "node:path";
+import chalk12 from "chalk";
+import inquirer6 from "inquirer";
+var keyAddCommand = async (nameArg, options) => {
+  const { projectId } = await getProjectConfig();
+  if (!projectId) {
+    console.error('No project found. Run "dotenc init" to create one.');
+    process.exit(1);
+  }
+  let publicKey;
+  if (options?.fromSsh) {
+    const sshPath = options.fromSsh.startsWith("~") ? path12.join(os4.homedir(), options.fromSsh.slice(1)) : options.fromSsh;
+    if (!existsSync7(sshPath)) {
+      console.error(`File ${chalk12.cyan(sshPath)} does not exist. Please provide a valid SSH key path.`);
+      process.exit(1);
+    }
+    const keyContent = await fs12.readFile(sshPath, "utf-8");
+    if (isPassphraseProtected(keyContent)) {
+      console.error(`${chalk12.red("Error:")} the provided key is passphrase-protected, which is not currently supported by dotenc.`);
+      process.exit(1);
+    }
+    try {
+      const privateKey = crypto10.createPrivateKey(keyContent);
+      publicKey = crypto10.createPublicKey(privateKey);
+    } catch {
+      const parsed = parseOpenSSHPrivateKey(keyContent);
+      if (parsed) {
+        publicKey = crypto10.createPublicKey(parsed);
+      } else {
+        try {
+          publicKey = crypto10.createPublicKey(keyContent);
+        } catch (error) {
+          console.error("Invalid SSH key format. Please provide a valid SSH key file.");
+          console.error(`Details: ${error instanceof Error ? error.message : error}`);
+          process.exit(1);
+        }
+      }
+    }
+  }
+  if (options?.fromFile) {
+    if (!existsSync7(options.fromFile)) {
+      console.error(`File ${chalk12.cyan(options.fromFile)} does not exist. Please provide a valid file path.`);
+      process.exit(1);
+    }
+    const keyContent = await fs12.readFile(options.fromFile, "utf-8");
+    if (isPassphraseProtected(keyContent)) {
+      console.error(`${chalk12.red("Error:")} the provided key is passphrase-protected, which is not currently supported by dotenc.`);
+      process.exit(1);
+    }
+    try {
+      publicKey = crypto10.createPublicKey(keyContent);
+    } catch {
+      try {
+        const privateKey = crypto10.createPrivateKey(keyContent);
+        publicKey = crypto10.createPublicKey(privateKey);
+      } catch {
+        const parsed = parseOpenSSHPrivateKey(keyContent);
+        if (parsed) {
+          publicKey = crypto10.createPublicKey(parsed);
+        } else {
+          console.error("Invalid key format. Please provide a valid PEM formatted public or private key.");
+          process.exit(1);
+        }
+      }
+    }
+  }
+  if (options?.fromString) {
+    if (isPassphraseProtected(options.fromString)) {
+      console.error(`${chalk12.red("Error:")} the provided key is passphrase-protected, which is not currently supported by dotenc.`);
+      process.exit(1);
+    }
+    try {
+      publicKey = crypto10.createPublicKey(options.fromString);
+    } catch {
+      try {
+        const privateKey = crypto10.createPrivateKey(options.fromString);
+        publicKey = crypto10.createPublicKey(privateKey);
+      } catch {
+        const parsed = parseOpenSSHPrivateKey(options.fromString);
+        if (parsed) {
+          publicKey = crypto10.createPublicKey(parsed);
+        } else {
+          console.error("Invalid key format. Please provide a valid PEM formatted public or private key.");
+          process.exit(1);
+        }
+      }
+    }
+  }
+  if (!publicKey) {
+    const { keys: sshKeys, passphraseProtectedKeys } = await getPrivateKeys();
+    if (sshKeys.length === 0 && passphraseProtectedKeys.length > 0) {
+      console.warn(`${chalk12.yellow("Warning:")} SSH keys were found but are passphrase-protected (not supported by dotenc):
+${passphraseProtectedKeys.map((k) => `  - ${k}`).join(`
+`)}
+`);
+    }
+    const choices = sshKeys.map((key) => ({
+      name: `${key.name} (${key.algorithm})`,
+      value: key.name
+    }));
+    const modePrompt = await inquirer6.prompt({
+      type: "list",
+      name: "mode",
+      message: "Would you like to add one of your SSH keys or paste a public key?",
+      choices: [
+        ...choices.length ? [{ name: "Choose from my SSH keys", value: "choose" }] : [],
+        { name: "Paste a public key (PEM format)", value: "paste" }
+      ]
+    });
+    if (modePrompt.mode === "paste") {
+      const publicKeyInput = await inputKeyPrompt("Please paste your public key (PEM format):");
+      if (!publicKeyInput) {
+        console.error("No public key provided. Add operation cancelled.");
+        process.exit(1);
+      }
+      try {
+        publicKey = crypto10.createPublicKey(publicKeyInput);
+      } catch (error) {
+        console.error("Invalid public key format. Please provide a valid PEM formatted public key.");
+        console.error(`Details: ${error instanceof Error ? error.message : error}`);
+        process.exit(1);
+      }
+    } else {
+      const keyPrompt = await inquirer6.prompt({
+        type: "list",
+        name: "key",
+        message: "Which SSH key do you want to add?",
+        choices
+      });
+      const selectedKey = sshKeys.find((k) => k.name === keyPrompt.key);
+      if (!selectedKey) {
+        console.error("SSH key not found.");
+        process.exit(1);
+      }
+      publicKey = crypto10.createPublicKey(selectedKey.privateKey);
+      if (!nameArg) {
+        nameArg = selectedKey.name;
+      }
+    }
+  }
+  if (!publicKey) {
+    console.error("An unexpected error occurred. No public key was inferred from the provided input.");
+    process.exit(1);
+  }
+  const validation = validatePublicKey(publicKey);
+  if (!validation.valid) {
+    console.error(validation.reason);
+    process.exit(1);
+  }
+  const publicKeyOutput = publicKey.export({
+    type: "spki",
+    format: "pem"
+  });
+  if (!existsSync7(path12.join(process.cwd(), ".dotenc"))) {
+    await fs12.mkdir(path12.join(process.cwd(), ".dotenc"));
+  }
+  let name = nameArg;
+  if (!name) {
+    name = await inputNamePrompt("What name do you want to give to the new public key?");
+    if (existsSync7(path12.join(process.cwd(), ".dotenc", `${name}.pub`))) {
+      console.error(`A public key with name ${chalk12.cyan(name)} already exists. Please choose a different name.`);
+      process.exit(1);
+    }
+  }
+  await fs12.writeFile(path12.join(process.cwd(), ".dotenc", `${name}.pub`), publicKeyOutput, "utf-8");
+  console.log(`
+Public key ${chalk12.cyan(name)} added successfully!`);
+};
+var init_add = __esm(() => {
+  init_getPrivateKeys();
+  init_parseOpenSSHKey();
+  init_projectConfig();
+  init_inputKey();
+  init_inputName();
+});
+
+// src/commands/init.ts
+import crypto11 from "node:crypto";
+import { existsSync as existsSync8 } from "node:fs";
+import fs13 from "node:fs/promises";
+import os5 from "node:os";
+import path13 from "node:path";
+import chalk13 from "chalk";
+import inquirer7 from "inquirer";
+var initCommand = async (options) => {
+  const { keys: privateKeys, passphraseProtectedKeys } = await getPrivateKeys();
+  if (!privateKeys.length) {
+    if (passphraseProtectedKeys.length > 0) {
+      console.error(passphraseProtectedKeyError(passphraseProtectedKeys));
+    } else {
+      console.error(`${chalk13.red("Error:")} no SSH keys found in ~/.ssh/. Please generate one first using ${chalk13.gray("ssh-keygen")}.`);
+    }
+    process.exit(1);
+  }
+  const username = options.name || await inputNamePrompt("What's your name?", os5.userInfo().username);
+  if (!username) {
+    console.error(`${chalk13.red("Error:")} no name provided.`);
+    process.exit(1);
+  }
+  if (!existsSync8(path13.join(process.cwd(), "dotenc.json"))) {
+    console.log("No project found. Let's create a new one.");
+    try {
+      const { projectId } = await createProject();
+      await fs13.writeFile(path13.join(process.cwd(), "dotenc.json"), JSON.stringify({ projectId }, null, 2), "utf-8");
+    } catch (error) {
+      console.error(`${chalk13.red("Error:")} failed to create the project.`);
+      console.error(`${chalk13.red("Details:")} ${error instanceof Error ? error.message : error}`);
+      process.exit(1);
+    }
+  }
+  let keyToAdd;
+  if (privateKeys.length === 1) {
+    keyToAdd = privateKeys[0].name;
+  } else {
+    const result = await inquirer7.prompt([
+      {
+        type: "list",
+        name: "key",
+        message: "Which SSH key would you like to use?",
+        choices: privateKeys.map((key) => ({
+          name: `${key.name} (${key.algorithm})`,
+          value: key.name
+        }))
+      }
+    ]);
+    keyToAdd = result.key;
+  }
+  if (!keyToAdd) {
+    console.error(`${chalk13.red("Error:")} no SSH key selected. Please select a key.`);
+    process.exit(1);
+  }
+  const keyEntry = privateKeys.find((k) => k.name === keyToAdd);
+  if (!keyEntry)
+    process.exit(1);
+  console.log(`Adding key: ${chalk13.cyan(username)} (${keyEntry.algorithm})`);
+  const publicKey = crypto11.createPublicKey(keyEntry.privateKey);
+  const publicKeyPem = publicKey.export({ type: "spki", format: "pem" }).toString();
+  await keyAddCommand(username, {
+    fromString: publicKeyPem
+  });
+  try {
+    setupGitDiff();
+  } catch (_error) {
+    console.warn(`${chalk13.yellow("Warning:")} could not set up git diff driver. You can run ${chalk13.gray("dotenc init")} again inside a git repository.`);
+  }
+  let initialContent;
+  const envPath = path13.join(process.cwd(), ".env");
+  if (existsSync8(envPath)) {
+    initialContent = await fs13.readFile(envPath, "utf-8");
+    await fs13.unlink(envPath);
+    console.log(`Migrated ${chalk13.gray(".env")} contents to ${chalk13.cyan(username)} environment.`);
+  }
+  await createCommand(username, username, initialContent);
+  console.log(`
+${chalk13.green("✔")} Initialization complete!`);
+  console.log(`
+Some useful tips:`);
+  const editCmd = chalk13.gray(`dotenc env edit ${username}`);
+  console.log(`- To edit your personal environment:	${editCmd}`);
+  const devCmd = chalk13.gray("dotenc dev <command>");
+  console.log(`- To run with your encrypted env:	${devCmd}`);
+};
+var init_init = __esm(() => {
+  init_createProject();
+  init_errors();
+  init_getPrivateKeys();
+  init_setupGitDiff();
+  init_inputName();
+  init_create();
+  init_add();
+});
+
+// src/commands/key/list.ts
+var keyListCommand = async () => {
+  const publicKeys = await getPublicKeys();
+  if (!publicKeys.length) {
+    console.log("No public keys found.");
+    return;
+  }
+  for (const key of publicKeys) {
+    console.log(`${key.name} (${key.algorithm})`);
+  }
+};
+var init_list3 = __esm(() => {
+  init_getPublicKeys();
+});
+
+// src/prompts/confirm.ts
+import inquirer8 from "inquirer";
+var confirmPrompt = async (message) => {
+  const result = await inquirer8.prompt([
+    {
+      type: "confirm",
+      name: "confirm",
+      message
+    }
+  ]);
+  return result.confirm;
+};
+var init_confirm = () => {};
+
+// src/commands/key/remove.ts
+import { existsSync as existsSync9 } from "node:fs";
+import fs14 from "node:fs/promises";
+import path14 from "node:path";
+import chalk14 from "chalk";
+var keyRemoveCommand = async (nameArg) => {
+  let name = nameArg;
+  if (!name) {
+    name = await choosePublicKeyPrompt("Which public key do you want to remove?");
+  }
+  const filePath = path14.join(process.cwd(), ".dotenc", `${name}.pub`);
+  if (!existsSync9(filePath)) {
+    console.error(`Public key ${chalk14.cyan(name)} not found.`);
+    process.exit(1);
+  }
+  const allEnvironments = await getEnvironments();
+  const affectedEnvironments = [];
+  for (const envName of allEnvironments) {
+    try {
+      const env = await getEnvironmentByName(envName);
+      if (env.keys.some((key) => key.name === name)) {
+        affectedEnvironments.push(envName);
+      }
+    } catch {}
+  }
+  if (affectedEnvironments.length > 0) {
+    console.log(`Key ${chalk14.cyan(name)} has access to the following environments:`);
+    for (const env of affectedEnvironments) {
+      console.log(`  - ${env}`);
+    }
+    console.log(`
+Access will be revoked from these environments automatically.`);
+  }
+  const confirmed = await confirmPrompt(`Are you sure you want to remove key ${name}?`);
+  if (!confirmed) {
+    console.log("Operation cancelled.");
+    return;
+  }
+  await fs14.unlink(filePath);
+  console.log(`Public key ${chalk14.cyan(name)} removed successfully.`);
+  for (const envName of affectedEnvironments) {
+    try {
+      const envJson = await getEnvironmentByName(envName);
+      const content = await decryptEnvironmentData(envJson);
+      await encryptEnvironment(envName, content, {
+        revokePublicKeys: [name]
+      });
+      console.log(`Revoked access from ${chalk14.cyan(envName)} environment.`);
+    } catch {
+      console.warn(`${chalk14.yellow("Warning:")} could not revoke access from ${chalk14.cyan(envName)}. You may need to run ${chalk14.gray(`dotenc auth revoke ${envName} ${name}`)} manually or rotate the environment.`);
+    }
+  }
+};
+var init_remove = __esm(() => {
+  init_decryptEnvironment();
+  init_encryptEnvironment();
+  init_getEnvironmentByName();
+  init_getEnvironments();
+  init_choosePublicKey();
+  init_confirm();
+});
+
+// src/commands/textconv.ts
+import fs15 from "node:fs/promises";
+import path15 from "node:path";
+var textconvCommand = async (filePath) => {
+  const absolutePath = path15.isAbsolute(filePath) ? filePath : path15.join(process.cwd(), filePath);
+  try {
+    const environment = await getEnvironmentByPath(absolutePath);
+    const plaintext = await decryptEnvironmentData(environment);
+    process.stdout.write(plaintext);
+  } catch {
+    const raw = await fs15.readFile(absolutePath, "utf-8");
+    process.stdout.write(raw);
+  }
+};
+var init_textconv = __esm(() => {
+  init_decryptEnvironment();
+  init_getEnvironmentByPath();
+});
+
+// src/commands/whoami.ts
+var whoamiCommand = async () => {
+  const { keys: privateKeys, passphraseProtectedKeys } = await getPrivateKeys();
+  const publicKeys = await getPublicKeys();
+  const privateFingerprints = new Set(privateKeys.map((k) => k.fingerprint));
+  const matchingPublicKey = publicKeys.find((pub) => privateFingerprints.has(pub.fingerprint));
+  if (!matchingPublicKey) {
+    if (privateKeys.length === 0 && passphraseProtectedKeys.length > 0) {
+      console.error(passphraseProtectedKeyError(passphraseProtectedKeys));
+    } else {
+      console.error('No matching key found in this project. Run "dotenc init" to set up your identity.');
+    }
+    process.exit(1);
+  }
+  const matchingPrivateKey = privateKeys.find((pk) => pk.fingerprint === matchingPublicKey.fingerprint);
+  console.log(`Name: ${matchingPublicKey.name}`);
+  console.log(`Active SSH key: ${matchingPrivateKey?.name ?? "unknown"}`);
+  console.log(`Fingerprint: ${matchingPublicKey.fingerprint}`);
+  const environments = await getEnvironments();
+  const authorizedEnvironments = [];
+  for (const envName of environments) {
+    try {
+      const environment = await getEnvironmentByName(envName);
+      const hasAccess = environment.keys.some((key) => key.fingerprint === matchingPublicKey.fingerprint);
+      if (hasAccess) {
+        authorizedEnvironments.push(envName);
+      }
+    } catch {}
+  }
+  if (authorizedEnvironments.length > 0) {
+    console.log("Authorized environments:");
+    for (const env of authorizedEnvironments) {
+      console.log(`  - ${env}`);
+    }
+  } else {
+    console.log("Authorized environments: none");
+  }
+};
+var init_whoami = __esm(() => {
+  init_errors();
+  init_getEnvironmentByName();
+  init_getEnvironments();
+  init_getPrivateKeys();
+  init_getPublicKeys();
+});
+
+// src/program.ts
+var exports_program = {};
+import { Command, Option } from "commander";
+var program, env, auth, key;
+var init_program = __esm(() => {
+  init_package();
+  init_grant();
+  init_list();
+  init_revoke();
+  init_config();
+  init_dev();
+  init_create();
+  init_edit();
+  init_list2();
+  init_rotate();
+  init_init();
+  init_add();
+  init_list3();
+  init_remove();
+  init_run();
+  init_textconv();
+  init_whoami();
+  program = new Command;
+  program.name("dotenc").description(package_default.description).version(package_default.version);
+  program.command("init").addOption(new Option("-n, --name <name>", "your username for the project")).description("initialize a dotenc project in the current directory").action(initCommand);
+  env = program.command("env").description("manage environments");
+  env.command("create").argument("[environment]", "the name of the new environment").argument("[publicKey]", "the name of the public key to grant access to the environment").description("create a new environment").action((env2, pubKey) => createCommand(env2, pubKey));
+  env.command("edit").argument("[environment]", "the environment to edit").description("edit an environment").action(editCommand);
+  env.command("rotate").argument("[environment]", "the environment to rotate the data key for").description("rotate the data key for an environment").action(rotateCommand);
+  env.command("list").description("list all environments").action(envListCommand);
+  auth = program.command("auth").description("manage environment access");
+  auth.command("grant").argument("[environment]", "the environment to grant access to").argument("[publicKey]", "the name of the public key to grant access to the environment").description("grant access to an environment").action(grantCommand);
+  auth.command("revoke").argument("[environment]", "the environment to revoke access from").argument("[publicKey]", "the name of the public key to revoke access from the environment").description("revoke access from an environment").action(revokeCommand);
+  auth.command("list").argument("[environment]", "the environment to list access for").description("list keys with access to an environment").action(authListCommand);
+  program.command("run").argument("<command>", "the command to run").argument("[args...]", "the arguments to pass to the command").addOption(new Option("-e, --env <env1>[,env2[,...]]", "the environments to run the command in")).description("run a command in an environment").action(runCommand);
+  program.command("dev").argument("<command>", "the command to run").argument("[args...]", "the arguments to pass to the command").description("shortcut for 'run -e development,<yourname> <command>'").action(devCommand);
+  key = program.command("key").description("manage keys");
+  key.command("add").argument("[name]", "the name of the public key in the project").addOption(new Option("--from-ssh <path>", "add a public key derived from an SSH key file")).addOption(new Option("-f, --from-file <file>", "add the key from a PEM file")).addOption(new Option("-s, --from-string <string>", "add a public key from a string")).description("add a public key to the project").action(keyAddCommand);
+  key.command("list").description("list all public keys in the project").action(keyListCommand);
+  key.command("remove").argument("[name]", "the name of the public key to remove").description("remove a public key from the project").action(keyRemoveCommand);
+  program.command("textconv").argument("<filepath>", "path to the encrypted environment file").description("decrypt an environment file for git diff").action(textconvCommand);
+  program.command("whoami").description("show your identity in this project").action(whoamiCommand);
+  program.command("config").argument("<key>", "the key to get or set").argument("[value]", "the value to set the key to").addOption(new Option("-r, --remove", "remove a configuration key")).description("manage global configuration").action(configCommand);
+  program.parse();
+});
+
+// src/cli.ts
+Promise.resolve().then(() => init_program());