@dotenc/cli 0.3.4 → 0.4.2

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@dotenc/cli",
-  "version": "0.3.4",
-  "description": "🔐 Secure, encrypted environment variables that live in your codebase",
+  "version": "0.4.2",
+  "description": "🔐 Git-native encrypted environments powered by your SSH keys",
   "author": "Ivan Filho <i@ivanfilho.com>",
   "license": "MIT",
   "type": "module",
@@ -11,18 +11,29 @@
   "files": [
     "dist"
   ],
+  "scripts": {
+    "dev": "bun src/cli.ts",
+    "start": "node dist/cli.js",
+    "build": "bun build src/cli.ts --outdir dist --target node --packages external && { echo '#!/usr/bin/env node'; cat dist/cli.js; } > dist/cli.tmp && mv dist/cli.tmp dist/cli.js",
+    "build:binary": "bun run build:binary:darwin-arm64 && bun run build:binary:darwin-x64 && bun run build:binary:linux-x64 && bun run build:binary:linux-arm64 && bun run build:binary:windows-x64",
+    "build:binary:darwin-arm64": "bun build src/cli.ts --compile --target=bun-darwin-arm64 --outfile dist/dotenc-darwin-arm64",
+    "build:binary:darwin-x64": "bun build src/cli.ts --compile --target=bun-darwin-x64 --outfile dist/dotenc-darwin-x64",
+    "build:binary:linux-x64": "bun build src/cli.ts --compile --target=bun-linux-x64 --outfile dist/dotenc-linux-x64",
+    "build:binary:linux-arm64": "bun build src/cli.ts --compile --target=bun-linux-arm64 --outfile dist/dotenc-linux-arm64",
+    "build:binary:windows-x64": "bun build src/cli.ts --compile --target=bun-windows-x64 --outfile dist/dotenc-windows-x64",
+    "test": "bun test",
+    "test:e2e": "docker build -t dotenc-e2e -f e2e/Dockerfile .. && docker run --rm dotenc-e2e"
+  },
   "devDependencies": {
-    "@biomejs/biome": "^1.9.4",
-    "@types/node": "^22.13.7",
-    "tsc-alias": "^1.8.11",
-    "tsx": "^4.19.3",
-    "typescript": "^5.8.2",
-    "vitest": "^3.0.9"
+    "@biomejs/biome": "^2.1.2",
+    "@types/bun": "^1.3.9",
+    "typescript": "^5.8.2"
   },
   "dependencies": {
     "@paralleldrive/cuid2": "^2.2.2",
     "chalk": "^5.4.1",
     "commander": "^13.1.0",
+    "eciesjs": "^0.4.15",
     "inquirer": "^12.4.2",
     "zod": "^3.24.2"
   },
@@ -35,26 +46,25 @@
   },
   "homepage": "https://github.com/ivanfilhoz/dotenc#readme",
   "keywords": [
+    "dotenv",
+    "env",
     "environment",
     "variables",
-    "safe",
-    "secure",
-    "codebase",
-    "cli",
-    "command",
-    "line",
-    "tool",
-    "utility",
-    "env",
-    "box",
-    "dotenv",
+    "secrets",
     "encrypted",
-    "codebase"
-  ],
-  "scripts": {
-    "dev": "tsx src/cli.ts",
-    "start": "node dist/cli.js",
-    "build": "tsc && tsc-alias",
-    "test": "vitest"
-  }
-}
+    "encryption",
+    "aes-256-gcm",
+    "ssh",
+    "ssh-keys",
+    "ed25519",
+    "rsa",
+    "git",
+    "cli",
+    "secure",
+    "security",
+    "devops",
+    "cicd",
+    "configuration",
+    "config"
+  ]
+}

package/dist/commands/config.js

@@ -1,15 +0,0 @@
-import { getHomeConfig, setHomeConfig } from "../helpers/homeConfig.js";
-export const configCommand = async (key, value, options) => {
-    const config = await getHomeConfig();
-    if (options.remove) {
-        delete config[key];
-        await setHomeConfig(config);
-        return;
-    }
-    if (value) {
-        config[key] = value;
-        await setHomeConfig(config);
-        return;
-    }
-    console.log(config[key]);
-};

package/dist/commands/debug.js

@@ -1,16 +0,0 @@
-import crypto from "node:crypto";
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-import { decrypt, encrypt } from "../helpers/crypto.js";
-export const debugCommand = async () => {
-    const key = crypto.randomBytes(32).toString("base64");
-    const encryptedFilePath = path.join(os.tmpdir(), "dotenc.enc");
-    await encrypt(key, "Test", encryptedFilePath);
-    const content = await decrypt(key, encryptedFilePath);
-    await fs.unlink(encryptedFilePath);
-    if (content !== "Test") {
-        throw new Error("Decrypted content is not equal to the original content");
-    }
-    console.log("Decryption successful");
-};

package/dist/commands/edit.js

@@ -1,51 +0,0 @@
-import chalk from "chalk";
-import { execSync } from "node:child_process";
-import { existsSync } from "node:fs";
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-import { createHash } from "../helpers/createHash.js";
-import { decrypt, encrypt } from "../helpers/crypto.js";
-import { getDefaultEditor } from "../helpers/getDefaultEditor.js";
-import { getKey } from "../helpers/key.js";
-import { chooseEnvironmentPrompt } from "../prompts/chooseEnvironment.js";
-export const editCommand = async (environmentArg) => {
-    let environment = environmentArg;
-    if (!environment) {
-        environment = await chooseEnvironmentPrompt("What environment do you want to edit?");
-    }
-    const environmentFile = `.env.${environment}.enc`;
-    const environmentFilePath = path.join(process.cwd(), environmentFile);
-    if (!existsSync(environmentFilePath)) {
-        console.error(`Environment file not found: ${environmentFilePath}`);
-        return;
-    }
-    const key = await getKey(environment);
-    if (!key) {
-        console.error(`\n${chalk.red("Error:")} no key found for the ${chalk.cyan(environment)} environment.`);
-        return;
-    }
-    const tempFilePath = path.join(os.tmpdir(), `.env.${environment}`);
-    const content = await decrypt(key, environmentFilePath);
-    await fs.writeFile(tempFilePath, content);
-    const initialHash = createHash(content);
-    const editor = await getDefaultEditor();
-    try {
-        // This will block until the editor process is closed
-        execSync(`${editor} ${tempFilePath}`, { stdio: "inherit" });
-    }
-    catch (error) {
-        console.error(`\nFailed to open editor: ${editor}`);
-        return;
-    }
-    const newContent = await fs.readFile(tempFilePath, "utf-8");
-    const finalHash = createHash(newContent);
-    if (initialHash === finalHash) {
-        console.log(`\nNo changes were made to the ${chalk.cyan(environment)} environment.`);
-    }
-    else {
-        await encrypt(key, newContent, environmentFilePath);
-        console.log(`\nEncrypted ${chalk.cyan(environment)} environment and saved it to ${chalk.gray(environmentFile)}.`);
-    }
-    await fs.unlink(tempFilePath);
-};

package/dist/commands/init.js

@@ -1,44 +0,0 @@
-import chalk from "chalk";
-import crypto from "node:crypto";
-import { createEnvironment } from "../helpers/createEnvironment.js";
-import { createLocalEnvironment } from "../helpers/createLocalEnvironment.js";
-import { createProject } from "../helpers/createProject.js";
-import { environmentExists } from "../helpers/environmentExists.js";
-import { getEnvironmentNameSuggestion } from "../helpers/getEnvironmentNameSuggestion.js";
-import { addKey } from "../helpers/key.js";
-import { createEnvironmentPrompt } from "../prompts/createEnvironment.js";
-export const initCommand = async (environmentArg) => {
-    // Generate a unique project ID
-    const { projectId } = await createProject();
-    // Setup local environment
-    await createLocalEnvironment();
-    // Generate a random key
-    const key = crypto.randomBytes(32).toString("base64");
-    // Prompt for the environment name
-    let environment = environmentArg;
-    if (!environment) {
-        environment = await createEnvironmentPrompt("What should the environment be named?", getEnvironmentNameSuggestion());
-    }
-    if (!environment) {
-        console.log(`${chalk.red("Error:")} no environment name provided`);
-        return;
-    }
-    if (environmentExists(environment)) {
-        console.log(`${chalk.red("Error:")} environment ${environment} already exists. To edit it, use ${chalk.gray(`dotenc edit ${environment}`)}`);
-        return;
-    }
-    await createEnvironment(environment, key);
-    // Store the key
-    await addKey(projectId, environment, key);
-    // Output success message
-    console.log(`${chalk.green("✔")} Initialization complete!`);
-    console.log("\nSome useful tips:");
-    const editCommand = chalk.gray(`dotenc edit ${environment}`);
-    console.log(`\n- To securely edit your environment:\t${editCommand}`);
-    const runCommand = chalk.gray(`dotenc run -e ${environment} <command> [args...]`);
-    const runCommandWithEnv = chalk.gray(`DOTENC_ENV=${environment} dotenc run <command> [args...]`);
-    console.log(`- To run your application:\t\t${runCommand} or ${runCommandWithEnv}`);
-    const initCommand = chalk.gray("dotenc init [environment]");
-    console.log(`- To initialize a new environment:\t${initCommand}`);
-    console.log(`- Use the git-ignored ${chalk.gray(".env")} file for local development. It will have priority over any encrypted environments.`);
-};

package/dist/commands/key/export.js

@@ -1,21 +0,0 @@
-import chalk from "chalk";
-import { getKey } from "../../helpers/key.js";
-import { getProjectConfig } from "../../helpers/projectConfig.js";
-import { chooseEnvironmentPrompt } from "../../prompts/chooseEnvironment.js";
-export const keyExportCommand = async (environmentArg) => {
-    const { projectId } = await getProjectConfig();
-    if (!projectId) {
-        console.error('No project found. Run "dotenc init" to create one.');
-        return;
-    }
-    let environment = environmentArg;
-    if (!environment) {
-        environment = await chooseEnvironmentPrompt("What environment do you want to export the key from?");
-    }
-    const key = await getKey(environment);
-    if (!key) {
-        console.error(`\nNo key found for the ${chalk.cyan(environment)} environment.`);
-        return;
-    }
-    console.log(`\nKey for the ${chalk.cyan(environment)} environment: ${chalk.gray(key)}`);
-};

package/dist/commands/key/import.js

@@ -1,22 +0,0 @@
-import chalk from "chalk";
-import { addKey } from "../../helpers/key.js";
-import { getProjectConfig } from "../../helpers/projectConfig.js";
-import { chooseEnvironmentPrompt } from "../../prompts/chooseEnvironment.js";
-import { inputKeyPrompt } from "../../prompts/inputKey.js";
-export const keyImportCommand = async (environmentArg, keyArg) => {
-    const { projectId } = await getProjectConfig();
-    if (!projectId) {
-        console.error('No project found. Run "dotenc init" to create one.');
-        return;
-    }
-    let environment = environmentArg;
-    if (!environment) {
-        environment = await chooseEnvironmentPrompt("What environment do you want to import the key to?");
-    }
-    let key = keyArg;
-    if (!key) {
-        key = await inputKeyPrompt("Paste the key here:");
-    }
-    await addKey(projectId, environment, key);
-    console.log(`\nKey imported to the ${chalk.cyan(environment)} environment.`);
-};

package/dist/commands/key/rotate.js

@@ -1,35 +0,0 @@
-import chalk from "chalk";
-import crypto from "node:crypto";
-import { existsSync } from "node:fs";
-import path from "node:path";
-import { decrypt, encrypt } from "../../helpers/crypto.js";
-import { addKey, getKey } from "../../helpers/key.js";
-import { getProjectConfig } from "../../helpers/projectConfig.js";
-import { chooseEnvironmentPrompt } from "../../prompts/chooseEnvironment.js";
-export const keyRotateCommand = async (environmentArg) => {
-    const { projectId } = await getProjectConfig();
-    if (!projectId) {
-        console.error('No project found. Run "dotenc init" to create one.');
-        return;
-    }
-    let environment = environmentArg;
-    if (!environment) {
-        environment = await chooseEnvironmentPrompt("What environment do you want to rotate the key for?");
-    }
-    const environmentFile = `.env.${environment}.enc`;
-    const environmentFilePath = path.join(process.cwd(), environmentFile);
-    if (!existsSync(environmentFilePath)) {
-        console.error(`Environment file not found: ${environmentFilePath}`);
-        return;
-    }
-    const key = await getKey(environment);
-    if (!key) {
-        console.error(`\nNo key found for the ${chalk.cyan(environment)} environment.`);
-        return;
-    }
-    const content = await decrypt(key, environmentFilePath);
-    const newKey = crypto.randomBytes(32).toString("base64");
-    await encrypt(newKey, content, environmentFilePath);
-    await addKey(projectId, environment, newKey);
-    console.log(`\nKey rotated for the ${chalk.cyan(environment)} environment.`);
-};

package/dist/commands/run.js

@@ -1,46 +0,0 @@
-import { spawn } from "node:child_process";
-import { existsSync } from "node:fs";
-import fs from "node:fs/promises";
-import path from "node:path";
-import { decrypt } from "../helpers/crypto.js";
-import { getKey } from "../helpers/key.js";
-import { parseEnv } from "../helpers/parseEnv.js";
-export const runCommand = async (command, args, options) => {
-    // Get the environment
-    const environmentArg = options.env || process.env.DOTENC_ENV;
-    if (!environmentArg) {
-        console.error('No environment provided. Use -e or set DOTENC_ENV to the environment you want to run the command in.\nTo start a new environment, use "dotenc init [environment]".');
-        return;
-    }
-    const environments = environmentArg.split(",");
-    const decryptedEnvs = await Promise.all(environments.map(async (environment, index) => {
-        const environmentFilePath = path.join(process.cwd(), `.env.${environment}.enc`);
-        if (!existsSync(environmentFilePath)) {
-            console.error(`Environment file not found: ${environmentFilePath}`);
-            return;
-        }
-        const key = await getKey(environment, index);
-        const content = await decrypt(key, environmentFilePath);
-        const decryptedEnv = parseEnv(content);
-        return decryptedEnv;
-    }));
-    const decryptedEnv = decryptedEnvs.reduce((acc, env) => {
-        return { ...acc, ...env };
-    }, {});
-    // Get the local environment
-    let localEnv = {};
-    const localEnvironmentFilePath = path.join(process.cwd(), ".env");
-    if (existsSync(localEnvironmentFilePath)) {
-        const localEnvContent = await fs.readFile(localEnvironmentFilePath, "utf-8");
-        localEnv = parseEnv(localEnvContent);
-    }
-    // Merge the environment variables and run the command
-    const mergedEnv = { ...process.env, ...decryptedEnv, ...localEnv };
-    const child = spawn(command, args, {
-        env: mergedEnv,
-        stdio: "inherit",
-    });
-    child.on("exit", (code) => {
-        process.exit(code);
-    });
-};

package/dist/helpers/createEnvironment.js

@@ -1,10 +0,0 @@
-import { existsSync } from "node:fs";
-import path from "node:path";
-import { encrypt } from "./crypto.js";
-export const createEnvironment = async (name, key) => {
-    const filePath = path.join(process.cwd(), `.env.${name}.enc`);
-    if (existsSync(filePath)) {
-        throw new Error(`Environment "${name}" already exists.`);
-    }
-    await encrypt(key, `# ${name} environment\n`, filePath);
-};

package/dist/helpers/createHash.js

@@ -1,7 +0,0 @@
-import crypto from "node:crypto";
-/**
- * Computes a hash of the input string.
- */
-export const createHash = (input) => {
-    return crypto.createHash("sha256").update(input).digest("hex");
-};

package/dist/helpers/createLocalEnvironment.js

@@ -1,21 +0,0 @@
-import { existsSync } from "node:fs";
-import fs from "node:fs/promises";
-import path from "node:path";
-export const createLocalEnvironment = async () => {
-    const gitignorePath = path.join(process.cwd(), ".gitignore");
-    const envEntry = ".env";
-    let gitignoreContent = [];
-    if (existsSync(gitignorePath)) {
-        gitignoreContent = (await fs.readFile(gitignorePath, "utf8")).split("\n");
-    }
-    // Check if the .env entry already exists (ignoring comments and whitespace)
-    const isEnvIgnored = gitignoreContent.some((line) => line.trim() === envEntry);
-    if (!isEnvIgnored) {
-        // Append the .env entry to the .gitignore file
-        await fs.appendFile(gitignorePath, `\n# Ignore local environment file\n${envEntry}\n`);
-    }
-    const envPath = path.join(process.cwd(), ".env");
-    if (!existsSync(envPath)) {
-        await fs.writeFile(envPath, "# Local environment variables\n");
-    }
-};

package/dist/helpers/createProject.js

@@ -1,13 +0,0 @@
-import { createId } from "@paralleldrive/cuid2";
-import { getProjectConfig, setProjectConfig } from "./projectConfig.js";
-export const createProject = async () => {
-    const config = await getProjectConfig();
-    if (config.projectId) {
-        return config;
-    }
-    const newConfig = {
-        projectId: createId(),
-    };
-    await setProjectConfig(newConfig);
-    return newConfig;
-};

package/dist/helpers/crypto.js

@@ -1,70 +0,0 @@
-import crypto from "node:crypto";
-import fs from "node:fs/promises";
-// AES-256-GCM constants
-const ALGORITHM = "aes-256-gcm";
-const IV_LENGTH = 12; // 96 bits, recommended for GCM
-const AUTH_TAG_LENGTH = 16; // 128 bits, standard for GCM
-/**
- * Encrypts a file using AES-256-GCM.
- * @param {string} key - The encryption key (must be 32 bytes for AES-256).
- * @param {string} input - The input string to encrypt.
- * @param {string} outputFile - Path to the output encrypted file.
- */
-export async function encrypt(key, input, outputFile) {
-    const keyBuffer = Buffer.from(key, "base64");
-    if (keyBuffer.length !== 32) {
-        throw new Error("Key must be 32 bytes (256 bits) for AES-256-GCM.");
-    }
-    // Generate a random IV
-    const iv = crypto.randomBytes(IV_LENGTH);
-    // Create the cipher
-    const cipher = crypto.createCipheriv(ALGORITHM, keyBuffer, iv);
-    // Encrypt the data
-    const encrypted = Buffer.concat([cipher.update(input), cipher.final()]);
-    // Get the auth tag
-    const authTag = cipher.getAuthTag();
-    // Combine IV + encrypted content + auth tag
-    const result = Buffer.concat([iv, encrypted, authTag]);
-    // Write the encrypted file
-    await fs.writeFile(outputFile, result);
-}
-/**
- * Decrypts a file using AES-256-GCM.
- * @param {string} key - The decryption key (must be 32 bytes for AES-256).
- * @param {string} inputFile - The input file to decrypt.
- */
-export async function decrypt(key, inputFile) {
-    const keyBuffer = Buffer.from(key, "base64");
-    if (keyBuffer.length !== 32) {
-        throw new Error("Key must be 32 bytes (256 bits) for AES-256-GCM.");
-    }
-    // Read the encrypted file
-    const encryptedData = await fs.readFile(inputFile);
-    // Extract the IV from the start of the file
-    const iv = encryptedData.subarray(0, IV_LENGTH);
-    // Extract the auth tag from the end of the file
-    const authTag = encryptedData.subarray(encryptedData.length - AUTH_TAG_LENGTH);
-    // Extract the ciphertext (everything between IV and auth tag)
-    const ciphertext = encryptedData.subarray(IV_LENGTH, encryptedData.length - AUTH_TAG_LENGTH);
-    try {
-        // Create the decipher
-        const decipher = crypto.createDecipheriv(ALGORITHM, keyBuffer, iv);
-        decipher.setAuthTag(authTag);
-        // Decrypt the ciphertext
-        const decrypted = Buffer.concat([
-            decipher.update(ciphertext),
-            decipher.final(),
-        ]);
-        return decrypted.toString();
-    }
-    catch (error) {
-        if (error instanceof Error &&
-            error.message.includes("unable to authenticate")) {
-            throw new Error("Failed to decrypt file. This could be because:\n" +
-                "1. The encryption key may be incorrect\n" +
-                "2. The encrypted file may be corrupted\n" +
-                "3. The encrypted file may have been tampered with");
-        }
-        throw error;
-    }
-}

package/dist/helpers/environmentExists.js

@@ -1,6 +0,0 @@
-import { existsSync } from "node:fs";
-import path from "node:path";
-export const environmentExists = (environment) => {
-    const envPath = path.join(process.cwd(), `.env.${environment}.enc`);
-    return existsSync(envPath);
-};

package/dist/helpers/getDefaultEditor.js

@@ -1,41 +0,0 @@
-import { execSync } from "node:child_process";
-import { getHomeConfig } from "./homeConfig.js";
-/**
- * Determines the default text editor for the system.
- * @returns {string} The command to launch the default text editor.
- */
-export const getDefaultEditor = async () => {
-    const config = await getHomeConfig();
-    // Check the editor field in the config file
-    if (config.editor) {
-        return config.editor;
-    }
-    // Check the EDITOR environment variable
-    if (process.env.EDITOR) {
-        return process.env.EDITOR;
-    }
-    // Check the VISUAL environment variable
-    if (process.env.VISUAL) {
-        return process.env.VISUAL;
-    }
-    // Platform-specific defaults
-    const platform = process.platform;
-    if (platform === "win32") {
-        // Windows: Use notepad as the fallback editor
-        return "notepad";
-    }
-    // Linux/macOS: Try nano, vim, or vi
-    const editors = ["nano", "vim", "vi"];
-    for (const editor of editors) {
-        try {
-            // Check if the editor is available
-            execSync(`command -v ${editor}`, { stdio: "ignore" });
-            return editor; // Return the first available editor
-        }
-        catch {
-            // Ignore errors and try the next editor
-        }
-    }
-    // If no editor is found, throw an error
-    throw new Error('No text editor found. Please set the EDITOR environment variable, configure an editor using "dotenc config editor <command>", or install a text editor (e.g., nano, vim, or notepad).');
-};

package/dist/helpers/getEnvironmentNameSuggestion.js

@@ -1,5 +0,0 @@
-import { environmentExists } from "./environmentExists.js";
-export const getEnvironmentNameSuggestion = () => {
-    const suggestions = ["development", "staging", "production", "test"].find((env) => !environmentExists(env)) ?? "";
-    return suggestions;
-};

package/dist/helpers/homeConfig.js

@@ -1,22 +0,0 @@
-import { existsSync } from "node:fs";
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-import { z } from "zod";
-const homeConfigSchema = z.object({
-    editor: z.string().nullish(),
-});
-const configPath = path.join(os.homedir(), ".dotenc", "config.json");
-export const setHomeConfig = async (config) => {
-    const parsedConfig = homeConfigSchema.parse(config);
-    await fs.writeFile(configPath, JSON.stringify(parsedConfig, null, 2), {
-        mode: 0o600,
-    });
-};
-export const getHomeConfig = async () => {
-    if (existsSync(configPath)) {
-        const config = JSON.parse(await fs.readFile(configPath, "utf-8"));
-        return homeConfigSchema.parse(config);
-    }
-    return {};
-};

package/dist/helpers/key.js

@@ -1,39 +0,0 @@
-import { existsSync } from "node:fs";
-import fs from "node:fs/promises";
-import os from "node:os";
-import path from "node:path";
-import { getProjectConfig } from "./projectConfig.js";
-const keysFile = path.join(os.homedir(), ".dotenc", "keys.json");
-export const getKey = async (environment, index = 0) => {
-    if (process.env.DOTENC_KEY) {
-        const keys = process.env.DOTENC_KEY.split(",");
-        return keys[index];
-    }
-    const { projectId } = await getProjectConfig();
-    if (existsSync(keysFile)) {
-        const keys = JSON.parse(await fs.readFile(keysFile, "utf-8"));
-        return keys[projectId][environment];
-    }
-    throw new Error("No key found. Please set the DOTENC_KEY environment variable or import the key using `dotenc key import <environment> <key>`.");
-};
-/**
- * Adds or updates a key for a specific project and environment.
- */
-export const addKey = async (projectId, environment, key) => {
-    // Ensure the keys file exists
-    if (!existsSync(keysFile)) {
-        await fs.mkdir(path.dirname(keysFile), { recursive: true });
-        await fs.writeFile(keysFile, "{}", { mode: 0o600 }); // Create an empty JSON file with secure permissions
-    }
-    // Read the existing keys
-    const keys = JSON.parse(await fs.readFile(keysFile, "utf8"));
-    // Add or update the key
-    if (!keys[projectId]) {
-        keys[projectId] = {};
-    }
-    keys[projectId][environment] = key;
-    // Write the updated keys back to the file
-    await fs.writeFile(keysFile, JSON.stringify(keys, null, 2), {
-        mode: 0o600,
-    });
-};