@dotenc/cli 0.4.3 → 0.4.5

package/README.md

@@ -3,6 +3,7 @@
 [![NPM Version][npm-image]][npm-url]
 [![Github License][license-image]](LICENSE)
 [![NPM Downloads][downloads-image]][npm-url]
+[![Codecov][codecov-image]][codecov-url]
 
 🔐 Git-native encrypted environments powered by your SSH keys
 
@@ -103,7 +104,7 @@ Your SSH private keys never leave `~/.ssh/`. dotenc reads them in place - nothin
 
 After setup, your project will look like:
 
-```
+```plaintext
 .
 ├── .dotenc/
 │   ├── alice.pub
@@ -332,7 +333,7 @@ Copy the **entire** contents of the private key file and store it as a secret en
 cat ci_key
 ```
 
-```
+```plaintext
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbm...
 -----END OPENSSH PRIVATE KEY-----
@@ -446,7 +447,6 @@ Alternatively, the `DOTENC_ENV` variable can be used to set the environment, so
   dotenc run node app.js
 ```
 
-> **Note:** `dotenc textconv` is an internal command used by the git diff driver. It is set up automatically during `dotenc init` and allows `git diff` to show decrypted content of `.env.*.enc` files.
 
 ## How dotenc compares
 
@@ -478,3 +478,5 @@ It does not aim to replace centralized secret managers like Vault or Doppler —
 [license-image]: https://img.shields.io/github/license/ivanfilhoz/dotenc.svg
 [downloads-image]: https://img.shields.io/npm/dm/@dotenc/cli.svg
 [npm-url]: https://npmjs.org/package/@dotenc/cli
+[codecov-image]: https://codecov.io/gh/ivanfilhoz/dotenc/graph/badge.svg?token=U2MKXVGBA0
+[codecov-url]: https://codecov.io/gh/ivanfilhoz/dotenc

package/dist/cli.js

@@ -7,7 +7,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@dotenc/cli",
-    version: "0.4.3",
+    version: "0.4.5",
     description: "🔐 Git-native encrypted environments powered by your SSH keys",
     author: "Ivan Filho <i@ivanfilho.com>",
     license: "MIT",
@@ -579,8 +579,8 @@ var init_getPrivateKeys = __esm(() => {
 
 // src/helpers/decryptEnvironment.ts
 import chalk2 from "chalk";
-var decryptEnvironmentData = async (environment) => {
-  const { keys: availablePrivateKeys, passphraseProtectedKeys } = await getPrivateKeys();
+var defaultDecryptEnvironmentDataDeps, decryptEnvironmentData = async (environment, deps = defaultDecryptEnvironmentDataDeps) => {
+  const { keys: availablePrivateKeys, passphraseProtectedKeys } = await deps.getPrivateKeys();
   if (!availablePrivateKeys.length) {
     if (passphraseProtectedKeys.length > 0) {
       throw new Error(passphraseProtectedKeyError(passphraseProtectedKeys));
@@ -603,20 +603,20 @@ var decryptEnvironmentData = async (environment) => {
   }
   let dataKey;
   try {
-    dataKey = decryptDataKey(selectedPrivateKey, Buffer.from(grantedKey.encryptedDataKey, "base64"));
+    dataKey = deps.decryptDataKey(selectedPrivateKey, Buffer.from(grantedKey.encryptedDataKey, "base64"));
   } catch (error) {
     throw new Error("Failed to decrypt the data key.", { cause: error });
   }
-  const decryptedContent = await decryptData(dataKey, Buffer.from(environment.encryptedContent, "base64"));
+  const decryptedContent = await deps.decryptData(dataKey, Buffer.from(environment.encryptedContent, "base64"));
   return decryptedContent;
-}, decryptEnvironment = async (name) => {
-  const { keys: availablePrivateKeys } = await getPrivateKeys();
-  const environmentJson = await getEnvironmentByName(name);
+}, defaultDecryptEnvironmentDeps, decryptEnvironment = async (name, deps = defaultDecryptEnvironmentDeps) => {
+  const { keys: availablePrivateKeys } = await deps.getPrivateKeys();
+  const environmentJson = await deps.getEnvironmentByName(name);
   try {
-    return await decryptEnvironmentData(environmentJson);
+    return await decryptEnvironmentData(environmentJson, deps);
   } catch (error) {
     if (error instanceof Error && error.message === "Access denied to the environment.") {
-      console.error(`You do not have access to this environment.
+      deps.logError(`You do not have access to this environment.
 
       These are your available private keys:
 
@@ -630,7 +630,7 @@ var decryptEnvironmentData = async (environment) => {
 `);
     }
     if (error instanceof Error && error.message === "Failed to decrypt the data key.") {
-      console.error(`${chalk2.red("Error:")} failed to decrypt the data key. Please ensure you have the correct private key.`);
+      deps.logError(`${chalk2.red("Error:")} failed to decrypt the data key. Please ensure you have the correct private key.`);
     }
     throw error;
   }
@@ -641,6 +641,16 @@ var init_decryptEnvironment = __esm(() => {
   init_errors();
   init_getEnvironmentByName();
   init_getPrivateKeys();
+  defaultDecryptEnvironmentDataDeps = {
+    getPrivateKeys,
+    decryptDataKey,
+    decryptData
+  };
+  defaultDecryptEnvironmentDeps = {
+    ...defaultDecryptEnvironmentDataDeps,
+    getEnvironmentByName,
+    logError: (message) => console.error(message)
+  };
 });
 
 // src/helpers/encryptDataKey.ts
@@ -1000,10 +1010,12 @@ import fs7 from "node:fs/promises";
 import os2 from "node:os";
 import path6 from "node:path";
 import { z as z2 } from "zod";
-var homeConfigSchema, configPath, setHomeConfig = async (config) => {
+var homeConfigSchema, getConfigPath = () => path6.join(os2.homedir(), ".dotenc", "config.json"), setHomeConfig = async (config) => {
   const parsedConfig = homeConfigSchema.parse(config);
+  const configPath = getConfigPath();
   await fs7.writeFile(configPath, JSON.stringify(parsedConfig, null, 2), "utf-8");
 }, getHomeConfig = async () => {
+  const configPath = getConfigPath();
   if (existsSync3(configPath)) {
     const config = JSON.parse(await fs7.readFile(configPath, "utf-8"));
     return homeConfigSchema.parse(config);
@@ -1014,7 +1026,6 @@ var init_homeConfig = __esm(() => {
   homeConfigSchema = z2.object({
     editor: z2.string().nullish()
   });
-  configPath = path6.join(os2.homedir(), ".dotenc", "config.json");
 });
 
 // src/commands/config.ts
@@ -1077,66 +1088,69 @@ var init_parseEnv = __esm(() => {
 // src/commands/run.ts
 import { spawn } from "node:child_process";
 import chalk7 from "chalk";
-var runCommand = async (command, args, options) => {
+var defaultRunCommandDeps, runCommand = async (command, args, options, _command, deps = defaultRunCommandDeps) => {
   const environmentName = options.env || process.env.DOTENC_ENV;
   if (!environmentName) {
-    console.error(`No environment provided. Use -e or set DOTENC_ENV to the environment you want to run the command in.
+    deps.logError(`No environment provided. Use -e or set DOTENC_ENV to the environment you want to run the command in.
 To start a new environment, use "dotenc init [environment]".`);
-    process.exit(1);
+    deps.exit(1);
   }
   const environments = environmentName.split(",");
   for (const env of environments) {
-    const validation = validateEnvironmentName(env);
+    const validation = deps.validateEnvironmentName(env);
     if (!validation.valid) {
-      console.error(`${chalk7.red("Error:")} ${validation.reason}`);
-      process.exit(1);
+      deps.logError(`${chalk7.red("Error:")} ${validation.reason}`);
+      deps.exit(1);
     }
   }
   let failureCount = 0;
   const decryptedEnvs = await Promise.all(environments.map(async (environment) => {
     let content;
     try {
-      content = await decryptEnvironment(environment);
+      content = await deps.decryptEnvironment(environment);
     } catch (error) {
-      console.error(error instanceof Error ? error.message : `Unknown error occurred while decrypting the environment ${environment}.`);
+      deps.logError(error instanceof Error ? error.message : `Unknown error occurred while decrypting the environment ${environment}.`);
       failureCount++;
       return {};
     }
-    const decryptedEnv2 = parseEnv(content);
+    const decryptedEnv2 = deps.parseEnv(content);
     return decryptedEnv2;
   }));
   if (failureCount === environments.length) {
-    console.error(`${chalk7.red("Error:")} All environments failed to load.`);
-    process.exit(1);
+    deps.logError(`${chalk7.red("Error:")} All environments failed to load.`);
+    deps.exit(1);
   }
   if (failureCount > 0) {
-    console.error(`${chalk7.yellow("Warning:")} ${failureCount} of ${environments.length} environment(s) failed to load.`);
+    deps.logError(`${chalk7.yellow("Warning:")} ${failureCount} of ${environments.length} environment(s) failed to load.`);
   }
   const decryptedEnv = decryptedEnvs.reduce((acc, env) => {
     return { ...acc, ...env };
   }, {});
   const mergedEnv = { ...process.env, ...decryptedEnv };
-  const child = spawn(command, args, {
+  const child = deps.spawn(command, args, {
     env: mergedEnv,
     stdio: "inherit"
   });
   child.on("exit", (code) => {
-    process.exit(code);
+    deps.exit(code ?? 0);
   });
 };
 var init_run = __esm(() => {
   init_decryptEnvironment();
   init_parseEnv();
+  defaultRunCommandDeps = {
+    decryptEnvironment,
+    parseEnv,
+    validateEnvironmentName,
+    spawn,
+    logError: (message) => console.error(message),
+    exit: (code) => process.exit(code)
+  };
 });
 
 // src/commands/dev.ts
 import chalk8 from "chalk";
-var devCommand = async (command, args, deps = {
-  getCurrentKeyName,
-  runCommand,
-  logError: (message) => console.error(message),
-  exit: (code) => process.exit(code)
-}) => {
+var defaultDevCommandDeps, devCommand = async (command, args, deps = defaultDevCommandDeps) => {
   const keyName = await deps.getCurrentKeyName();
   if (!keyName) {
     deps.logError(`${chalk8.red("Error:")} could not resolve your identity. Run ${chalk8.gray("dotenc init")} first.`);
@@ -1147,6 +1161,12 @@ var devCommand = async (command, args, deps = {
 var init_dev = __esm(() => {
   init_getCurrentKeyName();
   init_run();
+  defaultDevCommandDeps = {
+    getCurrentKeyName,
+    runCommand,
+    logError: console.error,
+    exit: process.exit
+  };
 });
 
 // src/helpers/environmentExists.ts
@@ -1172,9 +1192,9 @@ import { existsSync as existsSync5 } from "node:fs";
 import fs8 from "node:fs/promises";
 import path8 from "node:path";
 import { z as z3 } from "zod";
-var projectConfigSchema, configPath2, getProjectConfig = async () => {
-  if (existsSync5(configPath2)) {
-    const config = JSON.parse(await fs8.readFile(configPath2, "utf-8"));
+var projectConfigSchema, configPath, getProjectConfig = async () => {
+  if (existsSync5(configPath)) {
+    const config = JSON.parse(await fs8.readFile(configPath, "utf-8"));
     return projectConfigSchema.parse(config);
   }
   return {};
@@ -1183,7 +1203,7 @@ var init_projectConfig = __esm(() => {
   projectConfigSchema = z3.object({
     projectId: z3.string()
   });
-  configPath2 = path8.join(process.cwd(), "dotenc.json");
+  configPath = path8.join(process.cwd(), "dotenc.json");
 });
 
 // src/prompts/createEnvironment.ts
@@ -1278,6 +1298,77 @@ var init_create = __esm(() => {
   init_createEnvironment();
 });
 
+// src/commands/env/decrypt.ts
+var defaultDecryptCommandDeps, ansiPattern, stripAnsi = (value) => value.replace(ansiPattern, ""), mapErrorCode = (message) => {
+  if (message.includes("Environment file not found")) {
+    return "ENVIRONMENT_NOT_FOUND";
+  }
+  if (message === "Access denied to the environment.") {
+    return "ACCESS_DENIED";
+  }
+  if (message.includes("No private keys found")) {
+    return "NO_PRIVATE_KEYS";
+  }
+  if (message.toLowerCase().includes("passphrase-protected")) {
+    return "PASSPHRASE_PROTECTED_KEYS";
+  }
+  return "UNKNOWN";
+}, writeJson = (message, deps) => {
+  deps.writeStdout(`${JSON.stringify(message)}
+`);
+}, decryptCommand = async (environmentName, options, _command, deps = defaultDecryptCommandDeps) => {
+  const validation = deps.validateEnvironmentName(environmentName);
+  if (!validation.valid) {
+    if (options.json) {
+      writeJson({
+        ok: false,
+        error: {
+          code: "INVALID_ENVIRONMENT_NAME",
+          message: validation.reason
+        }
+      }, deps);
+    } else {
+      deps.logError(validation.reason);
+    }
+    deps.exit(1);
+  }
+  try {
+    const environment = await deps.getEnvironmentByName(environmentName);
+    const plaintext = await deps.decryptEnvironmentData(environment);
+    if (options.json) {
+      writeJson({ ok: true, content: plaintext }, deps);
+    } else {
+      deps.writeStdout(plaintext);
+    }
+  } catch (error) {
+    const rawMessage = error instanceof Error ? error.message : "Unknown error occurred while decrypting the environment.";
+    const message = stripAnsi(rawMessage);
+    const code = mapErrorCode(message);
+    if (options.json) {
+      writeJson({
+        ok: false,
+        error: { code, message }
+      }, deps);
+    } else {
+      deps.logError(message);
+    }
+    deps.exit(1);
+  }
+};
+var init_decrypt = __esm(() => {
+  init_decryptEnvironment();
+  init_getEnvironmentByName();
+  defaultDecryptCommandDeps = {
+    validateEnvironmentName,
+    getEnvironmentByName,
+    decryptEnvironmentData,
+    writeStdout: (message) => process.stdout.write(message),
+    logError: (message) => console.error(message),
+    exit: (code) => process.exit(code)
+  };
+  ansiPattern = new RegExp(`${String.fromCharCode(27)}\\[[0-9;]*m`, "g");
+});
+
 // src/helpers/createHash.ts
 import crypto9 from "node:crypto";
 var createHash = (input) => {
@@ -1287,7 +1378,14 @@ var init_createHash = () => {};
 
 // src/helpers/getDefaultEditor.ts
 import { execSync } from "node:child_process";
-var defaultGetDefaultEditorDeps, getDefaultEditor = async (deps = defaultGetDefaultEditorDeps) => {
+var commandExists = (command) => {
+  try {
+    execSync(`command -v ${command}`, { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}, defaultGetDefaultEditorDeps, getDefaultEditor = async (deps = defaultGetDefaultEditorDeps) => {
   const config = await deps.getHomeConfig();
   if (config.editor) {
     return config.editor;
@@ -1314,14 +1412,7 @@ var init_getDefaultEditor = __esm(() => {
   init_homeConfig();
   defaultGetDefaultEditorDeps = {
     getHomeConfig,
-    commandExists: (command) => {
-      try {
-        execSync(`command -v ${command}`, { stdio: "ignore" });
-        return true;
-      } catch {
-        return false;
-      }
-    },
+    commandExists,
     platform: process.platform
   };
 });
@@ -1423,6 +1514,117 @@ var init_edit = __esm(() => {
   init_chooseEnvironment();
 });
 
+// src/commands/env/encrypt.ts
+var defaultEncryptCommandDeps, ansiPattern2, stripAnsi2 = (value) => value.replace(ansiPattern2, ""), mapErrorCode2 = (message) => {
+  if (message.includes("Environment file not found")) {
+    return "ENVIRONMENT_NOT_FOUND";
+  }
+  if (message === "Access denied to the environment.") {
+    return "ACCESS_DENIED";
+  }
+  if (message.includes("No private keys found")) {
+    return "NO_PRIVATE_KEYS";
+  }
+  if (message.includes("No public keys found")) {
+    return "NO_PUBLIC_KEYS";
+  }
+  if (message.toLowerCase().includes("passphrase-protected")) {
+    return "PASSPHRASE_PROTECTED_KEYS";
+  }
+  return "UNKNOWN";
+}, writeJson2 = (message, deps) => {
+  deps.writeStdout(`${JSON.stringify(message)}
+`);
+}, runWithoutConsoleNoise = async (fn) => {
+  const originalLog = console.log;
+  const originalError = console.error;
+  try {
+    console.log = () => {};
+    console.error = () => {};
+    await fn();
+  } finally {
+    console.log = originalLog;
+    console.error = originalError;
+  }
+}, encryptCommand = async (environmentName, options, _command, deps = defaultEncryptCommandDeps) => {
+  const validation = deps.validateEnvironmentName(environmentName);
+  if (!validation.valid) {
+    if (options.json) {
+      writeJson2({
+        ok: false,
+        error: {
+          code: "INVALID_ENVIRONMENT_NAME",
+          message: validation.reason
+        }
+      }, deps);
+    } else {
+      deps.logError(validation.reason);
+    }
+    deps.exit(1);
+  }
+  if (!options.stdin) {
+    const message = 'No input source provided. Use "--stdin" and pipe the plaintext content.';
+    if (options.json) {
+      writeJson2({
+        ok: false,
+        error: {
+          code: "MISSING_STDIN",
+          message
+        }
+      }, deps);
+    } else {
+      deps.logError(message);
+    }
+    deps.exit(1);
+  }
+  try {
+    const content = await deps.readStdin();
+    if (options.json) {
+      await runWithoutConsoleNoise(async () => {
+        await deps.encryptEnvironment(environmentName, content);
+      });
+      writeJson2({ ok: true }, deps);
+      return;
+    }
+    await deps.encryptEnvironment(environmentName, content);
+  } catch (error) {
+    const rawMessage = error instanceof Error ? error.message : "Unknown error occurred while encrypting the environment.";
+    const message = stripAnsi2(rawMessage);
+    const code = mapErrorCode2(message);
+    if (options.json) {
+      writeJson2({
+        ok: false,
+        error: { code, message }
+      }, deps);
+    } else {
+      deps.logError(message);
+    }
+    deps.exit(1);
+  }
+};
+var init_encrypt = __esm(() => {
+  init_encryptEnvironment();
+  defaultEncryptCommandDeps = {
+    validateEnvironmentName,
+    encryptEnvironment,
+    readStdin: () => new Promise((resolve, reject) => {
+      let input = "";
+      process.stdin.setEncoding("utf-8");
+      process.stdin.on("data", (chunk) => {
+        input += chunk;
+      });
+      process.stdin.on("end", () => {
+        resolve(input);
+      });
+      process.stdin.on("error", reject);
+    }),
+    writeStdout: (message) => process.stdout.write(message),
+    logError: (message) => console.error(message),
+    exit: (code) => process.exit(code)
+  };
+  ansiPattern2 = new RegExp(`${String.fromCharCode(27)}\\[[0-9;]*m`, "g");
+});
+
 // src/commands/env/list.ts
 var envListCommand = async () => {
   const environments = await getEnvironments();
@@ -2049,7 +2251,9 @@ var init_program = __esm(() => {
   init_config();
   init_dev();
   init_create();
+  init_decrypt();
   init_edit();
+  init_encrypt();
   init_list2();
   init_rotate();
   init_init();
@@ -2065,6 +2269,8 @@ var init_program = __esm(() => {
   env = program.command("env").description("manage environments");
   env.command("create").argument("[environment]", "the name of the new environment").argument("[publicKey]", "the name of the public key to grant access to the environment").description("create a new environment").action((env2, pubKey) => createCommand(env2, pubKey));
   env.command("edit").argument("[environment]", "the environment to edit").description("edit an environment").action(editCommand);
+  env.command("decrypt", { hidden: true }).argument("<environment>", "the environment to decrypt").addOption(new Option("--json", "output machine-readable JSON")).description("decrypt an environment and print plaintext to stdout").action(decryptCommand);
+  env.command("encrypt", { hidden: true }).argument("<environment>", "the environment to encrypt").addOption(new Option("--stdin", "read plaintext content from stdin")).addOption(new Option("--json", "output machine-readable JSON")).description("encrypt plaintext content and write it to an environment file").action(encryptCommand);
   env.command("rotate").argument("[environment]", "the environment to rotate the data key for").description("rotate the data key for an environment").action(rotateCommand);
   env.command("list").description("list all environments").action(envListCommand);
   auth = program.command("auth").description("manage environment access");
@@ -2077,7 +2283,7 @@ var init_program = __esm(() => {
   key.command("add").argument("[name]", "the name of the public key in the project").addOption(new Option("--from-ssh <path>", "add a public key derived from an SSH key file")).addOption(new Option("-f, --from-file <file>", "add the key from a PEM file")).addOption(new Option("-s, --from-string <string>", "add a public key from a string")).description("add a public key to the project").action(keyAddCommand);
   key.command("list").description("list all public keys in the project").action(keyListCommand);
   key.command("remove").argument("[name]", "the name of the public key to remove").description("remove a public key from the project").action(keyRemoveCommand);
-  program.command("textconv").argument("<filepath>", "path to the encrypted environment file").description("decrypt an environment file for git diff").action(textconvCommand);
+  program.command("textconv", { hidden: true }).argument("<filepath>", "path to the encrypted environment file").description("decrypt an environment file for git diff").action(textconvCommand);
   program.command("whoami").description("show your identity in this project").action(whoamiCommand);
   program.command("config").argument("<key>", "the key to get or set").argument("[value]", "the value to set the key to").addOption(new Option("-r, --remove", "remove a configuration key")).description("manage global configuration").action(configCommand);
   program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dotenc/cli",
-  "version": "0.4.3",
+  "version": "0.4.5",
   "description": "🔐 Git-native encrypted environments powered by your SSH keys",
   "author": "Ivan Filho <i@ivanfilho.com>",
   "license": "MIT",