@dotenvx/dotenvx 0.16.1 → 0.17.1

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.16.1",
+  "version": "0.17.1",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -25,14 +25,14 @@
     "prerelease": "npm test",
     "release": "standard-version"
   },
-  "funding": "Have you seen dotenvx.com? run anywhere, cross-platform, and encrypted envs.",
+  "funding": "https://dotenvx.com",
   "dependencies": {
     "@inquirer/prompts": "^3.3.0",
     "chalk": "^4.1.2",
     "clipboardy": "^2.3.0",
     "commander": "^11.1.0",
     "conf": "^10.2.0",
-    "dotenv": "^16.4.5",
+    "dotenv": "16.4.5",
     "dotenv-expand": "^11.0.6",
     "execa": "^5.1.1",
     "glob": "^10.3.10",

package/src/cli/actions/decrypt.js

@@ -4,6 +4,7 @@ const main = require('./../../lib/main')
 const logger = require('./../../shared/logger')
 const helpers = require('./../helpers')
 const createSpinner = require('./../../shared/createSpinner')
+const parseEncryptionKeyFromDotenvKey = require('./../../lib/helpers/parseEncryptionKeyFromDotenvKey')
 
 const spinner = createSpinner('decrypting')
 
@@ -50,7 +51,7 @@ async function decrypt () {
 
     // give warning if not found
     if (ciphertext && ciphertext.length >= 1) {
-      const key = helpers._parseEncryptionKeyFromDotenvKey(value.trim())
+      const key = parseEncryptionKeyFromDotenvKey(value.trim())
 
       // Decrypt
       const decrypted = main.decrypt(ciphertext, key)

package/src/cli/actions/encrypt.js

@@ -1,155 +1,96 @@
 const fs = require('fs')
+const path = require('path')
 
 const main = require('./../../lib/main')
 const logger = require('./../../shared/logger')
 const helpers = require('./../helpers')
 const createSpinner = require('./../../shared/createSpinner')
-
 const spinner = createSpinner('encrypting')
 
-// constants
-const ENCODING = 'utf8'
+const RESERVED_ENV_FILES = ['.env.vault', '.env.project', '.env.keys', '.env.me', '.env.x']
+
+const findEnvFiles = function (directory) {
+  const files = fs.readdirSync(directory)
+
+  const envFiles = files.filter(file =>
+    file.startsWith('.env') &&
+    !file.endsWith('.previous') &&
+    !RESERVED_ENV_FILES.includes(file)
+  )
 
-async function encrypt () {
+  return envFiles
+}
+
+async function encrypt (directory) {
   spinner.start()
   await helpers.sleep(500) // better dx
 
+  logger.debug(`directory: ${directory}`)
+
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
 
-  let optionEnvFile = options.envFile
-  if (!Array.isArray(optionEnvFile)) {
-    optionEnvFile = [optionEnvFile]
-  }
-
-  const addedKeys = new Set()
-  const addedVaults = new Set()
-  const addedEnvFilepaths = new Set()
-
-  // must be at least one .env* file
-  if (optionEnvFile.length < 1) {
-    spinner.fail('no .env* files found')
-    logger.help('? add one with [echo "HELLO=World" > .env] and then run [dotenvx encrypt]')
-    process.exit(1)
-  }
+  const optionEnvFile = options.envFile || findEnvFiles(directory)
 
   try {
-    logger.verbose(`generating .env.keys from ${optionEnvFile}`)
+    const {
+      dotenvKeys,
+      dotenvKeysFile,
+      addedKeys,
+      existingKeys,
+      dotenvVaultFile,
+      addedVaults,
+      existingVaults,
+      addedDotenvFilenames
+    } = main.encrypt(directory, optionEnvFile)
 
-    const dotenvKeys = (main.configDotenv({ path: '.env.keys' }).parsed || {})
-
-    for (const envFilepath of optionEnvFile) {
-      const filepath = helpers.resolvePath(envFilepath)
-      if (!fs.existsSync(filepath)) {
-        spinner.fail(`file does not exist at [${filepath}]`)
-        logger.help(`? add it with [echo "HELLO=World" > ${envFilepath}] and then run [dotenvx encrypt]`)
-        process.exit(1)
-      }
-
-      const environment = helpers.guessEnvironment(filepath)
-      const key = `DOTENV_KEY_${environment.toUpperCase()}`
-
-      let value = dotenvKeys[key]
+    logger.verbose(`generating .env.keys from ${optionEnvFile}`)
+    if (addedKeys.length > 0) {
+      logger.verbose(`generated ${addedKeys}`)
+    }
+    if (existingKeys.length > 0) {
+      logger.verbose(`existing ${existingKeys}`)
+    }
+    fs.writeFileSync(path.resolve(directory, '.env.keys'), dotenvKeysFile)
 
-      // first time seeing new DOTENV_KEY_${environment}
-      if (!value || value.length === 0) {
-        logger.verbose(`generating ${key}`)
-        value = helpers.generateDotenvKey(environment)
-        logger.debug(`generating ${key} as ${value}`)
+    logger.verbose(`generating .env.vault from ${optionEnvFile}`)
+    if (addedVaults.length > 0) {
+      logger.verbose(`encrypting ${addedVaults}`)
+    }
+    if (existingVaults.length > 0) {
+      logger.verbose(`existing ${existingVaults}`)
+    }
+    fs.writeFileSync(path.resolve(directory, '.env.vault'), dotenvVaultFile)
 
-        dotenvKeys[key] = value
+    if (addedDotenvFilenames.length > 0) {
+      spinner.succeed(`encrypted to .env.vault (${addedDotenvFilenames})`)
+      logger.help2('ℹ commit .env.vault to code: [git commit -am ".env.vault"]')
+    } else {
+      spinner.done(`no changes (${optionEnvFile})`)
+    }
 
-        addedKeys.add(key) // for info logging to user
-      } else {
-        logger.verbose(`existing ${key}`)
-        logger.debug(`existing ${key} as ${value}`)
-      }
+    if (addedKeys.length > 0) {
+      spinner.succeed(`${helpers.pluralize('key', addedKeys.length)} added to .env.keys (${addedKeys})`)
+      logger.help2('ℹ push .env.keys up to hub: [dotenvx hub push]')
     }
 
-    let keysData = `#/!!!!!!!!!!!!!!!!!!!.env.keys!!!!!!!!!!!!!!!!!!!!!!/
-#/   DOTENV_KEYs. DO NOT commit to source control   /
-#/   [how it works](https://dotenvx.com/env-keys)   /
-#/--------------------------------------------------/\n`
+    if (addedVaults.length > 0) {
+      const DOTENV_VAULT_X = addedVaults[addedVaults.length - 1]
+      const DOTENV_KEY_X = DOTENV_VAULT_X.replace('_VAULT_', '_KEY_')
+      const tryKey = dotenvKeys[DOTENV_KEY_X]
 
-    for (const key in dotenvKeys) {
-      const value = dotenvKeys[key]
-      keysData += `${key}="${value}"\n`
+      logger.help2(`ℹ run [DOTENV_KEY='${tryKey}' dotenvx run -- yourcommand] to test decryption locally`)
     }
-
-    fs.writeFileSync('.env.keys', keysData)
   } catch (error) {
     spinner.fail(error.message)
-    process.exit(1)
-  }
-
-  // used later in logging to user
-  const dotenvKeys = (main.configDotenv({ path: '.env.keys' }).parsed || {})
-
-  try {
-    logger.verbose(`generating .env.vault from ${optionEnvFile}`)
-
-    const dotenvVaults = (main.configDotenv({ path: '.env.vault' }).parsed || {})
-
-    for (const envFilepath of optionEnvFile) {
-      const filepath = helpers.resolvePath(envFilepath)
-      const environment = helpers.guessEnvironment(filepath)
-      const vault = `DOTENV_VAULT_${environment.toUpperCase()}`
-
-      let ciphertext = dotenvVaults[vault]
-      const dotenvKey = dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
-
-      if (!ciphertext || ciphertext.length === 0 || helpers.changed(ciphertext, dotenvKey, filepath, ENCODING)) {
-        logger.verbose(`encrypting ${vault}`)
-        ciphertext = helpers.encryptFile(filepath, dotenvKey, ENCODING)
-        logger.verbose(`encrypting ${vault} as ${ciphertext}`)
-
-        dotenvVaults[vault] = ciphertext
-
-        addedVaults.add(vault) // for info logging to user
-        addedEnvFilepaths.add(envFilepath) // for info logging to user
-      } else {
-        logger.verbose(`existing ${vault}`)
-        logger.debug(`existing ${vault} as ${ciphertext}`)
-      }
+    if (error.help) {
+      logger.help(error.help)
     }
-
-    let vaultData = `#/-------------------.env.vault---------------------/
-#/         cloud-agnostic vaulting standard         /
-#/   [how it works](https://dotenvx.com/env-vault)  /
-#/--------------------------------------------------/\n\n`
-
-    for (const vault in dotenvVaults) {
-      const value = dotenvVaults[vault]
-      const environment = vault.replace('DOTENV_VAULT_', '').toLowerCase()
-      vaultData += `# ${environment}\n`
-      vaultData += `${vault}="${value}"\n\n`
+    if (error.code) {
+      logger.debug(`ERROR_CODE: ${error.code}`)
     }
-
-    fs.writeFileSync('.env.vault', vaultData)
-  } catch (e) {
-    spinner.fail(e.message)
     process.exit(1)
   }
-
-  if (addedEnvFilepaths.size > 0) {
-    spinner.succeed(`encrypted to .env.vault (${[...addedEnvFilepaths]})`)
-    logger.help2('ℹ commit .env.vault to code: [git commit -am ".env.vault"]')
-  } else {
-    spinner.done(`no changes (${optionEnvFile})`)
-  }
-
-  if (addedKeys.size > 0) {
-    spinner.succeed(`${helpers.pluralize('key', addedKeys.size)} added to .env.keys (${[...addedKeys]})`)
-    logger.help2('ℹ push .env.keys up to hub: [dotenvx hub push]')
-  }
-
-  if (addedVaults.size > 0) {
-    const DOTENV_VAULT_X = [...addedVaults][addedVaults.size - 1]
-    const DOTENV_KEY_X = DOTENV_VAULT_X.replace('_VAULT_', '_KEY_')
-    const tryKey = dotenvKeys[DOTENV_KEY_X] || '<dotenv_key_environment>'
-
-    logger.help2(`ℹ run [DOTENV_KEY='${tryKey}' dotenvx run -- yourcommand] to test decryption locally`)
-  }
 }
 
 module.exports = encrypt

package/src/cli/actions/hub/login.js

@@ -6,12 +6,21 @@ const { confirm } = require('@inquirer/prompts')
 const createSpinner = require('./../../../shared/createSpinner')
 const store = require('./../../../shared/store')
 const logger = require('./../../../shared/logger')
-const helpers = require('./../../helpers')
 
 const OAUTH_CLIENT_ID = 'oac_dotenvxcli'
 
 const spinner = createSpinner('waiting on user authorization')
 
+const formatCode = function (str) {
+  const parts = []
+
+  for (let i = 0; i < str.length; i += 4) {
+    parts.push(str.substring(i, i + 4))
+  }
+
+  return parts.join('-')
+}
+
 async function pollTokenUrl (tokenUrl, deviceCode, interval) {
   logger.http(`POST ${tokenUrl} with deviceCode ${deviceCode} at interval ${interval}`)
 
@@ -100,7 +109,7 @@ async function login () {
     pollTokenUrl(tokenUrl, deviceCode, interval)
 
     // optionally allow user to open browser
-    const answer = await confirm({ message: `press Enter to open [${verificationUri}] and enter code [${helpers.formatCode(userCode)}]...` })
+    const answer = await confirm({ message: `press Enter to open [${verificationUri}] and enter code [${formatCode(userCode)}]...` })
 
     if (answer) {
       await open(verificationUri)

package/src/cli/actions/run.js

@@ -1,9 +1,102 @@
 const fs = require('fs')
+const execa = require('execa')
 const logger = require('./../../shared/logger')
 const helpers = require('./../helpers')
 const main = require('./../../lib/main')
+const parseEncryptionKeyFromDotenvKey = require('./../../lib/helpers/parseEncryptionKeyFromDotenvKey')
 
 const ENCODING = 'utf8'
+const REPORT_ISSUE_LINK = 'https://github.com/dotenvx/dotenvx/issues/new'
+
+const executeCommand = async function (commandArgs, env) {
+  const signals = [
+    'SIGHUP', 'SIGQUIT', 'SIGILL', 'SIGTRAP', 'SIGABRT',
+    'SIGBUS', 'SIGFPE', 'SIGUSR1', 'SIGSEGV', 'SIGUSR2', 'SIGTERM'
+  ]
+
+  logger.debug(`executing process command [${commandArgs.join(' ')}]`)
+
+  // handler for SIGINT
+  let commandProcess
+  const sigintHandler = () => {
+    logger.debug('received SIGINT')
+    logger.debug('checking command process')
+    logger.debug(commandProcess)
+
+    if (commandProcess) {
+      logger.debug('sending SIGINT to command process')
+      commandProcess.kill('SIGINT') // Send SIGINT to the command process
+    } else {
+      logger.debug('no command process to send SIGINT to')
+    }
+  }
+
+  const handleOtherSignal = (signal) => {
+    logger.debug(`received ${signal}`)
+  }
+
+  try {
+    commandProcess = execa(commandArgs[0], commandArgs.slice(1), {
+      stdio: 'inherit',
+      env: { ...process.env, ...env }
+    })
+
+    process.on('SIGINT', sigintHandler)
+
+    signals.forEach(signal => {
+      process.on(signal, () => handleOtherSignal(signal))
+    })
+
+    // Wait for the command process to finish
+    const { exitCode } = await commandProcess
+
+    if (exitCode !== 0) {
+      logger.debug(`received exitCode ${exitCode}`)
+      throw new Error(`Command failed with exit code ${exitCode}`)
+    }
+  } catch (error) {
+    if (error.signal !== 'SIGINT') {
+      logger.error(error.message)
+      logger.error(`command [${commandArgs.join(' ')}] failed`)
+      logger.error('')
+      logger.error(`  try without dotenvx: [${commandArgs.join(' ')}]`)
+      logger.error('')
+      logger.error('if that succeeds, then dotenvx is the culprit. report issue:')
+      logger.error(`<${REPORT_ISSUE_LINK}>`)
+    }
+
+    // Exit with the error code from the command process, or 1 if unavailable
+    process.exit(error.exitCode || 1)
+  } finally {
+    // Clean up: Remove the SIGINT handler
+    process.removeListener('SIGINT', sigintHandler)
+  }
+}
+
+const _parseCipherTextFromDotenvKeyAndParsedVault = function (dotenvKey, parsedVault) {
+  // Parse DOTENV_KEY. Format is a URI
+  let uri
+  try {
+    uri = new URL(dotenvKey)
+  } catch (e) {
+    throw new Error(`INVALID_DOTENV_KEY: ${e.message}`)
+  }
+
+  // Get environment
+  const environment = uri.searchParams.get('environment')
+  if (!environment) {
+    throw new Error('INVALID_DOTENV_KEY: Missing environment part')
+  }
+
+  // Get ciphertext payload
+  const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`
+  const ciphertext = parsedVault[environmentKey] // DOTENV_VAULT_PRODUCTION
+  if (!ciphertext) {
+    throw new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: cannot locate environment ${environmentKey} in your .env.vault file`)
+  }
+
+  return ciphertext
+}
 
 async function run () {
   const commandArgs = this.args
@@ -38,8 +131,8 @@ async function run () {
             // Get full dotenvKey
             const dotenvKey = dotenvKeys[i].trim()
 
-            const key = helpers._parseEncryptionKeyFromDotenvKey(dotenvKey)
-            const ciphertext = helpers._parseCipherTextFromDotenvKeyAndParsedVault(dotenvKey, parsedVault)
+            const key = parseEncryptionKeyFromDotenvKey(dotenvKey)
+            const ciphertext = _parseCipherTextFromDotenvKeyAndParsedVault(dotenvKey, parsedVault)
 
             // Decrypt
             decrypted = main.decrypt(ciphertext, key)
@@ -124,7 +217,7 @@ async function run () {
     process.exit(1)
   } else {
     // const commandArgs = process.argv.slice(commandIndex + 1)
-    await helpers.executeCommand(commandArgs, process.env)
+    await executeCommand(commandArgs, process.env)
   }
 }
 

package/src/cli/dotenvx.js

@@ -5,7 +5,6 @@ const { Command } = require('commander')
 const program = new Command()
 
 const logger = require('./../shared/logger')
-const helpers = require('./helpers')
 const examples = require('./examples')
 const packageJson = require('./../shared/packageJson')
 
@@ -64,7 +63,8 @@ program.command('run')
 program.command('encrypt')
   .description('encrypt .env.* to .env.vault')
   .addHelpText('after', examples.encrypt)
-  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', helpers.findEnvFiles('./'))
+  .argument('[directory]', 'directory to encrypt', '.')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
   .action(require('./actions/encrypt'))
 
 // dotenvx decrypt

package/src/cli/helpers.js

@@ -1,18 +1,5 @@
-const fs = require('fs')
 const path = require('path')
-const execa = require('execa')
-const crypto = require('crypto')
-const { execSync } = require('child_process')
-const xxhash = require('xxhashjs')
-
-const XXHASH_SEED = 0xABCD
-const NONCE_BYTES = 12
-
-const main = require('./../lib/main')
-const logger = require('./../shared/logger')
-
-const RESERVED_ENV_FILES = ['.env.vault', '.env.projects', '.env.keys', '.env.me', '.env.x']
-const REPORT_ISSUE_LINK = 'https://github.com/dotenvx/dotenvx/issues/new'
+const childProcess = require('child_process')
 
 const sleep = function (ms) {
   return new Promise(resolve => setTimeout(resolve, ms))
@@ -23,71 +10,6 @@ const resolvePath = function (filepath) {
   return path.resolve(process.cwd(), filepath)
 }
 
-const executeCommand = async function (commandArgs, env) {
-  const signals = [
-    'SIGHUP', 'SIGQUIT', 'SIGILL', 'SIGTRAP', 'SIGABRT',
-    'SIGBUS', 'SIGFPE', 'SIGUSR1', 'SIGSEGV', 'SIGUSR2', 'SIGTERM'
-  ]
-
-  logger.debug(`executing process command [${commandArgs.join(' ')}]`)
-
-  // handler for SIGINT
-  let commandProcess
-  const sigintHandler = () => {
-    logger.debug('received SIGINT')
-    logger.debug('checking command process')
-    logger.debug(commandProcess)
-
-    if (commandProcess) {
-      logger.debug('sending SIGINT to command process')
-      commandProcess.kill('SIGINT') // Send SIGINT to the command process
-    } else {
-      logger.debug('no command process to send SIGINT to')
-    }
-  }
-
-  const handleOtherSignal = (signal) => {
-    logger.debug(`received ${signal}`)
-  }
-
-  try {
-    commandProcess = execa(commandArgs[0], commandArgs.slice(1), {
-      stdio: 'inherit',
-      env: { ...process.env, ...env }
-    })
-
-    process.on('SIGINT', sigintHandler)
-
-    signals.forEach(signal => {
-      process.on(signal, () => handleOtherSignal(signal))
-    })
-
-    // Wait for the command process to finish
-    const { exitCode } = await commandProcess
-
-    if (exitCode !== 0) {
-      logger.debug(`received exitCode ${exitCode}`)
-      throw new Error(`Command failed with exit code ${exitCode}`)
-    }
-  } catch (error) {
-    if (error.signal !== 'SIGINT') {
-      logger.error(error.message)
-      logger.error(`command [${commandArgs.join(' ')}] failed`)
-      logger.error('')
-      logger.error(`  try without dotenvx: [${commandArgs.join(' ')}]`)
-      logger.error('')
-      logger.error('if that succeeds, then dotenvx is the culprit. report issue:')
-      logger.error(`<${REPORT_ISSUE_LINK}>`)
-    }
-
-    // Exit with the error code from the command process, or 1 if unavailable
-    process.exit(error.exitCode || 1)
-  } finally {
-    // Clean up: Remove the SIGINT handler
-    process.removeListener('SIGINT', sigintHandler)
-  }
-}
-
 const pluralize = function (word, count) {
   // simple pluralization: add 's' at the end
   if (count === 0 || count > 1) {
@@ -97,133 +19,9 @@ const pluralize = function (word, count) {
   }
 }
 
-const findEnvFiles = function (directory) {
-  const files = fs.readdirSync(directory)
-
-  const envFiles = files.filter(file =>
-    file.startsWith('.env') &&
-    !file.endsWith('.previous') &&
-    !RESERVED_ENV_FILES.includes(file)
-  )
-
-  return envFiles
-}
-
-const guessEnvironment = function (filepath) {
-  const filename = path.basename(filepath)
-  const parts = filename.split('.')
-  const possibleEnvironment = parts[2] // ['', 'env', environment', 'previous']
-
-  if (!possibleEnvironment || possibleEnvironment.length === 0) {
-    return 'development'
-  }
-
-  return possibleEnvironment
-}
-
-const generateDotenvKey = function (environment) {
-  const rand = crypto.randomBytes(32).toString('hex')
-
-  return `dotenv://:key_${rand}@dotenvx.com/vault/.env.vault?environment=${environment.toLowerCase()}`
-}
-
-const encryptFile = function (filepath, dotenvKey, encoding) {
-  const key = _parseEncryptionKeyFromDotenvKey(dotenvKey)
-  const message = fs.readFileSync(filepath, encoding)
-
-  const ciphertext = encrypt(key, message)
-
-  return ciphertext
-}
-
-const encrypt = function (key, message) {
-  // set up nonce
-  const nonce = crypto.randomBytes(NONCE_BYTES)
-
-  // set up cipher
-  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce)
-
-  // generate ciphertext
-  let ciphertext = ''
-  ciphertext += cipher.update(message, 'utf8', 'hex')
-  ciphertext += cipher.final('hex')
-  ciphertext += cipher.getAuthTag().toString('hex')
-
-  // prepend nonce
-  ciphertext = nonce.toString('hex') + ciphertext
-
-  // base64 encode output
-  return Buffer.from(ciphertext, 'hex').toString('base64')
-}
-
-const changed = function (ciphertext, dotenvKey, filepath, encoding) {
-  const key = _parseEncryptionKeyFromDotenvKey(dotenvKey)
-  const decrypted = main.decrypt(ciphertext, key)
-  const raw = fs.readFileSync(filepath, encoding)
-
-  return hash(decrypted) !== hash(raw)
-}
-
-const hash = function (str) {
-  return xxhash.h32(str, XXHASH_SEED).toString(16)
-}
-
-const _parseEncryptionKeyFromDotenvKey = function (dotenvKey) {
-  // Parse DOTENV_KEY. Format is a URI
-  let uri
-  try {
-    uri = new URL(dotenvKey)
-  } catch (e) {
-    throw new Error(`INVALID_DOTENV_KEY: ${e.message}`)
-  }
-
-  // Get decrypt key
-  const key = uri.password
-  if (!key) {
-    throw new Error('INVALID_DOTENV_KEY: Missing key part')
-  }
-
-  return Buffer.from(key.slice(-64), 'hex')
-}
-
-const _parseCipherTextFromDotenvKeyAndParsedVault = function (dotenvKey, parsedVault) {
-  // Parse DOTENV_KEY. Format is a URI
-  let uri
-  try {
-    uri = new URL(dotenvKey)
-  } catch (e) {
-    throw new Error(`INVALID_DOTENV_KEY: ${e.message}`)
-  }
-
-  // Get environment
-  const environment = uri.searchParams.get('environment')
-  if (!environment) {
-    throw new Error('INVALID_DOTENV_KEY: Missing environment part')
-  }
-
-  // Get ciphertext payload
-  const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`
-  const ciphertext = parsedVault[environmentKey] // DOTENV_VAULT_PRODUCTION
-  if (!ciphertext) {
-    throw new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: cannot locate environment ${environmentKey} in your .env.vault file`)
-  }
-
-  return ciphertext
-}
-
-const formatCode = function (str) {
-  const parts = []
-
-  for (let i = 0; i < str.length; i += 4) {
-    parts.push(str.substring(i, i + 4))
-  }
-
-  return parts.join('-')
-}
-
 const getRemoteOriginUrl = function () {
   try {
-    const url = execSync('git remote get-url origin 2> /dev/null').toString().trim()
+    const url = childProcess.execSync('git remote get-url origin 2> /dev/null').toString().trim()
     return url
   } catch (_error) {
     return null
@@ -242,18 +40,7 @@ const extractUsernameName = function (url) {
 module.exports = {
   sleep,
   resolvePath,
-  executeCommand,
   pluralize,
-  findEnvFiles,
-  guessEnvironment,
-  generateDotenvKey,
-  encryptFile,
-  encrypt,
-  changed,
-  hash,
-  formatCode,
   getRemoteOriginUrl,
-  extractUsernameName,
-  _parseEncryptionKeyFromDotenvKey,
-  _parseCipherTextFromDotenvKeyAndParsedVault
+  extractUsernameName
 }

package/src/lib/helpers/dotenvKeys.js

@@ -0,0 +1,68 @@
+const path = require('path')
+const crypto = require('crypto')
+
+class DotenvKeys {
+  constructor (envFilepaths = [], dotenvKeys = {}) {
+    this.envFilepaths = envFilepaths // pass .env* filepaths to be encrypted
+    this.dotenvKeys = dotenvKeys // pass current parsed dotenv keys from .env.keys file
+  }
+
+  run () {
+    const addedKeys = new Set()
+    const existingKeys = new Set()
+
+    for (const filepath of this.envFilepaths) {
+      const environment = this._guessEnvironment(filepath)
+      const key = `DOTENV_KEY_${environment.toUpperCase()}`
+
+      let value = this.dotenvKeys[key]
+
+      // first time seeing new DOTENV_KEY_${environment}
+      if (!value || value.length === 0) {
+        value = this._generateDotenvKey(environment)
+
+        this.dotenvKeys[key] = value
+
+        addedKeys.add(key) // for info logging to user
+      } else {
+        existingKeys.add(key) // for info logging to user
+      }
+    }
+
+    let keysData = `#/!!!!!!!!!!!!!!!!!!!.env.keys!!!!!!!!!!!!!!!!!!!!!!/
+#/   DOTENV_KEYs. DO NOT commit to source control   /
+#/   [how it works](https://dotenvx.com/env-keys)   /
+#/--------------------------------------------------/\n`
+
+    for (const [key, value] of Object.entries(this.dotenvKeys)) {
+      keysData += `${key}="${value}"\n`
+    }
+
+    return {
+      dotenvKeys: this.dotenvKeys,
+      dotenvKeysFile: keysData,
+      addedKeys: [...addedKeys], // return set as array
+      existingKeys: [...existingKeys] // return set as array
+    }
+  }
+
+  _guessEnvironment (filepath) {
+    const filename = path.basename(filepath)
+    const parts = filename.split('.')
+    const possibleEnvironment = parts[2] // ['', 'env', environment', 'previous']
+
+    if (!possibleEnvironment || possibleEnvironment.length === 0) {
+      return 'development'
+    }
+
+    return possibleEnvironment
+  }
+
+  _generateDotenvKey (environment) {
+    const rand = crypto.randomBytes(32).toString('hex')
+
+    return `dotenv://:key_${rand}@dotenvx.com/vault/.env.vault?environment=${environment.toLowerCase()}`
+  }
+}
+
+module.exports = DotenvKeys

package/src/lib/helpers/dotenvVault.js

@@ -0,0 +1,151 @@
+const path = require('path')
+const crypto = require('crypto')
+const xxhash = require('xxhashjs')
+const dotenv = require('dotenv')
+
+const XXHASH_SEED = 0xABCD
+const NONCE_BYTES = 12
+
+class DotenvVault {
+  constructor (dotenvFiles = {}, dotenvKeys = {}, dotenvVaults = {}) {
+    this.dotenvFiles = dotenvFiles // key: filepath and value: filecontent
+    this.dotenvKeys = dotenvKeys // pass current parsed dotenv keys from .env.keys
+    this.dotenvVaults = dotenvVaults // pass current parsed dotenv vaults from .env.vault
+  }
+
+  run () {
+    const addedVaults = new Set()
+    const existingVaults = new Set()
+    const addedDotenvFilenames = new Set()
+
+    for (const [filepath, raw] of Object.entries(this.dotenvFiles)) {
+      const environment = this._guessEnvironment(filepath)
+      const vault = `DOTENV_VAULT_${environment.toUpperCase()}`
+
+      let ciphertext = this.dotenvVaults[vault]
+      const dotenvKey = this.dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
+
+      if (!ciphertext || ciphertext.length === 0 || this._changed(dotenvKey, ciphertext, raw)) {
+        ciphertext = this._encrypt(dotenvKey, raw)
+        this.dotenvVaults[vault] = ciphertext
+        addedVaults.add(vault) // for info logging to user
+
+        addedDotenvFilenames.add(path.basename(filepath)) // for info logging to user
+      } else {
+        existingVaults.add(vault) // for info logging to user
+      }
+    }
+
+    let vaultData = `#/-------------------.env.vault---------------------/
+#/         cloud-agnostic vaulting standard         /
+#/   [how it works](https://dotenvx.com/env-vault)  /
+#/--------------------------------------------------/\n\n`
+
+    for (const [vault, value] of Object.entries(this.dotenvVaults)) {
+      const environment = vault.replace('DOTENV_VAULT_', '').toLowerCase()
+      vaultData += `# ${environment}\n`
+      vaultData += `${vault}="${value}"\n\n`
+    }
+
+    return {
+      dotenvVaultFile: vaultData,
+      addedVaults: [...addedVaults], // return set as array
+      existingVaults: [...existingVaults], // return set as array
+      addedDotenvFilenames: [...addedDotenvFilenames] // return set as array
+    }
+  }
+
+  _guessEnvironment (filepath) {
+    const filename = path.basename(filepath)
+    const parts = filename.split('.')
+    const possibleEnvironment = parts[2] // ['', 'env', environment', 'previous']
+
+    if (!possibleEnvironment || possibleEnvironment.length === 0) {
+      return 'development'
+    }
+
+    return possibleEnvironment
+  }
+
+  _changed (dotenvKey, ciphertext, raw) {
+    const decrypted = this._decrypt(dotenvKey, ciphertext)
+
+    return this._hash(decrypted) !== this._hash(raw)
+  }
+
+  _encrypt (dotenvKey, raw) {
+    const key = this._parseEncryptionKeyFromDotenvKey(dotenvKey)
+
+    // set up nonce
+    const nonce = crypto.randomBytes(NONCE_BYTES)
+
+    // set up cipher
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce)
+
+    // generate ciphertext
+    let ciphertext = ''
+    ciphertext += cipher.update(raw, 'utf8', 'hex')
+    ciphertext += cipher.final('hex')
+    ciphertext += cipher.getAuthTag().toString('hex')
+
+    // prepend nonce
+    ciphertext = nonce.toString('hex') + ciphertext
+
+    // base64 encode output
+    return Buffer.from(ciphertext, 'hex').toString('base64')
+  }
+
+  _decrypt (dotenvKey, ciphertext) {
+    const key = this._parseEncryptionKeyFromDotenvKey(dotenvKey)
+
+    try {
+      return dotenv.decrypt(ciphertext, key)
+    } catch (e) {
+      const decryptionFailedError = new Error('[DECRYPTION_FAILED] Unable to decrypt .env.vault with DOTENV_KEY.')
+      decryptionFailedError.code = 'DECRYPTION_FAILED'
+      decryptionFailedError.help = '[DECRYPTION_FAILED] Run with debug flag [dotenvx run --debug -- yourcommand] or manually run [echo $DOTENV_KEY] to compare it to the one in .env.keys.'
+      decryptionFailedError.debug = `[DECRYPTION_FAILED] DOTENV_KEY is ${dotenvKey}`
+
+      switch (e.code) {
+        case 'DECRYPTION_FAILED':
+          throw decryptionFailedError
+        default:
+          throw e
+      }
+    }
+  }
+
+  _parseEncryptionKeyFromDotenvKey (dotenvKey) {
+    // Parse DOTENV_KEY. Format is a URI
+    let uri
+    try {
+      uri = new URL(dotenvKey)
+    } catch (e) {
+      const code = 'INVALID_DOTENV_KEY'
+      const message = `INVALID_DOTENV_KEY: ${e.message}`
+      const error = new Error(message)
+      error.code = code
+
+      throw error
+    }
+
+    // Get decrypt key
+    const key = uri.password
+    if (!key) {
+      const code = 'INVALID_DOTENV_KEY'
+      const message = 'INVALID_DOTENV_KEY: Missing key part'
+      const error = new Error(message)
+      error.code = code
+
+      throw error
+    }
+
+    return Buffer.from(key.slice(-64), 'hex')
+  }
+
+  _hash (str) {
+    return xxhash.h32(str, XXHASH_SEED).toString(16)
+  }
+}
+
+module.exports = DotenvVault

package/src/lib/helpers/parseEncryptionKeyFromDotenvKey.js

@@ -0,0 +1,19 @@
+function parseEncryptionKeyFromDotenvKey (dotenvKey) {
+  // Parse DOTENV_KEY. Format is a URI
+  let uri
+  try {
+    uri = new URL(dotenvKey)
+  } catch (e) {
+    throw new Error(`INVALID_DOTENV_KEY: ${e.message}`)
+  }
+
+  // Get decrypt key
+  const key = uri.password
+  if (!key) {
+    throw new Error('INVALID_DOTENV_KEY: Missing key part')
+  }
+
+  return Buffer.from(key.slice(-64), 'hex')
+}
+
+module.exports = parseEncryptionKeyFromDotenvKey

package/src/lib/main.js

@@ -3,6 +3,7 @@ const dotenv = require('dotenv')
 const dotenvExpand = require('dotenv-expand')
 
 // services
+const Encrypt = require('./services/encrypt')
 const Ls = require('./services/ls')
 
 const config = function (options) {
@@ -105,6 +106,10 @@ const inject = function (processEnv = {}, parsed = {}, overload = false) {
   }
 }
 
+const encrypt = function (directory, envFile) {
+  return new Encrypt(directory, envFile).run()
+}
+
 const ls = function (directory, envFile) {
   return new Ls(directory, envFile).run()
 }
@@ -116,5 +121,6 @@ module.exports = {
   parse,
   parseExpand,
   inject,
-  ls
+  ls,
+  encrypt
 }

package/src/lib/services/encrypt.js

@@ -0,0 +1,115 @@
+const fs = require('fs')
+const path = require('path')
+const dotenv = require('dotenv')
+
+const DotenvKeys = require('./../helpers/dotenvKeys')
+const DotenvVault = require('./../helpers/dotenvVault')
+
+const ENCODING = 'utf8'
+
+class Encrypt {
+  constructor (directory = '.', envFile = '.env') {
+    this.directory = directory
+    this.envFile = envFile
+    // calculated
+    this.envKeysFilepath = path.resolve(this.directory, '.env.keys')
+    this.envVaultFilepath = path.resolve(this.directory, '.env.vault')
+  }
+
+  run () {
+    if (this.envFile.length < 1) {
+      const code = 'MISSING_ENV_FILES'
+      const message = 'no .env* files found'
+      const help = '? add one with [echo "HELLO=World" > .env] and then run [dotenvx encrypt]'
+
+      const error = new Error(message)
+      error.code = code
+      error.help = help
+      throw error
+    }
+
+    const parsedDotenvKeys = this._parsedDotenvKeys()
+    const parsedDotenvVaults = this._parsedDotenvVault()
+    const envFilepaths = this._envFilepaths()
+
+    // build filepaths to be passed to DotenvKeys
+    const uniqueEnvFilepaths = new Set()
+    for (const envFilepath of envFilepaths) {
+      const filepath = path.resolve(this.directory, envFilepath)
+      if (!fs.existsSync(filepath)) {
+        const code = 'MISSING_ENV_FILE'
+        const message = `file does not exist at [${filepath}]`
+        const help = `? add it with [echo "HELLO=World" > ${envFilepath}] and then run [dotenvx encrypt]`
+
+        const error = new Error(message)
+        error.code = code
+        error.help = help
+        throw error
+      }
+
+      uniqueEnvFilepaths.add(filepath)
+    }
+
+    // generate .env.keys string
+    const {
+      dotenvKeys,
+      dotenvKeysFile,
+      addedKeys,
+      existingKeys
+    } = new DotenvKeys([...uniqueEnvFilepaths], parsedDotenvKeys).run()
+
+    // build look up of .env filepaths and their raw content
+    const dotenvFiles = {}
+    for (const filepath of [...uniqueEnvFilepaths]) {
+      const raw = fs.readFileSync(filepath, ENCODING)
+      dotenvFiles[filepath] = raw
+    }
+
+    // generate .env.vault string
+    const {
+      dotenvVaultFile,
+      addedVaults,
+      existingVaults,
+      addedDotenvFilenames
+    } = new DotenvVault(dotenvFiles, dotenvKeys, parsedDotenvVaults).run()
+
+    return {
+      // from DotenvKeys
+      dotenvKeys,
+      dotenvKeysFile,
+      addedKeys,
+      existingKeys,
+      // from DotenvVault
+      dotenvVaultFile,
+      addedVaults,
+      existingVaults,
+      addedDotenvFilenames
+    }
+  }
+
+  _envFilepaths () {
+    if (!Array.isArray(this.envFile)) {
+      return [this.envFile]
+    }
+
+    return this.envFile
+  }
+
+  _parsedDotenvKeys () {
+    const options = {
+      path: this.envKeysFilepath
+    }
+
+    return dotenv.configDotenv(options).parsed
+  }
+
+  _parsedDotenvVault () {
+    const options = {
+      path: this.envVaultFilepath
+    }
+
+    return dotenv.configDotenv(options).parsed
+  }
+}
+
+module.exports = Encrypt