@dotenvx/dotenvx 0.39.0 → 0.41.0

package/README.md

@@ -624,6 +624,16 @@ More examples
   DATABASE_URL postgres://yourusername@localhost/my_database
   ```
 
+  </details>
+* <details><summary>`run` - Shell Expansion</summary><br>
+
+  Prevent your shell from expanding inline `$VARIABLES` before dotenvx has a chance to inject it. Use a subshell.
+
+  ```sh
+  $ dotenvx run --env="HELLO=World" -- sh -c 'echo Hello $HELLO'
+  Hello World
+  ```
+
   </details>
 * <details><summary>`run` - multiple `-f` flags</summary><br>
 
@@ -668,6 +678,82 @@ More examples
   Hello World
   ```
 
+  </details>
+* <details><summary>`DOTENV_PRIVATE_KEY=key run`</summary><br>
+  
+  Decrypt your encrypted `.env` by setting `DOTENV_PRIVATE_KEY` before `dotenvx run`.
+
+  ```sh
+  $ touch .env
+  $ dotenvx set HELLO encrypted --encrypt
+  $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
+
+  # check your .env.keys files for your privateKey
+  $ DOTENV_PRIVATE_KEY="122...0b8" dotenvx run -- node index.js
+  [dotenvx] injecting env (2) from .env
+  Hello encrypted
+  ```
+
+  </details>
+* <details><summary>`DOTENV_PRIVATE_KEY_PRODUCTION=key run`</summary><br>
+
+  Decrypt your encrypted `.env.production` by setting `DOTENV_PRIVATE_KEY_PRODUCTION` before `dotenvx run`. Alternatively, this can be already set on your server or cloud provider.
+
+  ```sh
+  $ touch .env.production
+  $ dotenvx set HELLO "production encrypted" -f .env.production --encrypt
+  $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
+
+  # check .env.keys for your privateKey
+  $ DOTENV_PRIVATE_KEY_PRODUCTION="122...0b8" dotenvx run -- node index.js
+  [dotenvx] injecting env (2) from .env.production
+  Hello production encrypted
+  ```
+
+  Note the `DOTENV_PRIVATE_KEY_PRODUCTION` ends with `_PRODUCTION`. This instructs dotenvx run to load the `.env.production` file.
+
+  </details>
+* <details><summary>`DOTENV_PRIVATE_KEY_CI=key dotenvx run`</summary><br>
+
+  Decrypt your encrypted `.env.ci` by setting `DOTENV_PRIVATE_KEY_CI` before `dotenvx run`. Alternatively, this can be already set on your server or cloud provider.
+
+  ```sh
+  $ touch .env.ci
+  $ dotenvx set HELLO "ci encrypted" -f .env.production --encrypt
+  $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
+
+  # check .env.keys for your privateKey
+  $ DOTENV_PRIVATE_KEY_CI="122...0b8" dotenvx run -- node index.js
+  [dotenvx] injecting env (2) from .env.ci
+  Hello ci encrypted
+  ```
+
+  Note the `DOTENV_PRIVATE_KEY_CI` ends with `_CI`. This instructs dotenvx run to load the `.env.ci` file. See the pattern?
+
+  </details>
+* <details><summary>`DOTENV_PRIVATE_KEY=key DOTENV_PRIVATE_KEY_PRODUCTION=key run` - Combine Multiple</summary><br>
+
+  Decrypt your encrypted `.env` and `.env.production` files by setting `DOTENV_PRIVATE_KEY` and `DOTENV_PRIVATE_KEY_PRODUCTION` before `dotenvx run`. 
+
+  ```sh
+  $ touch .env
+  $ touch .env.production
+  $ dotenvx set HELLO encrypted --encrypt
+  $ dotenvx set HELLO "production encrypted" -f .env.production --encrypt
+  $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
+
+  # check .env.keys for your privateKeys
+  $ DOTENV_PRIVATE_KEY="122...0b8" DOTENV_PRIVATE_KEY_PRODUCTION="122...0b8" dotenvx run -- node index.js
+  [dotenvx] injecting env (3) from .env, .env.production
+  Hello encrypted
+
+  $ DOTENV_PRIVATE_KEY_PRODUCTION="122...0b8" DOTENV_PRIVATE_KEY="122...0b8" dotenvx run -- node index.js
+  [dotenvx] injecting env (3) from .env.production, .env
+  Hello production encrypted
+  ```
+
+  Compose any encrypted files you want this way. As long as a `DOTENV_PRIVATE_KEY_${environment}` is set, the values from `.env.${environment}` will be decrypted at runtime.
+
   </details>
 * <details><summary>`run --verbose`</summary><br>
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.39.0",
+  "version": "0.41.0",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",

package/src/cli/actions/convert.js

@@ -0,0 +1,73 @@
+const fs = require('fs')
+const logger = require('./../../shared/logger')
+
+const main = require('./../../lib/main')
+
+const isIgnoringDotenvKeys = require('../../lib/helpers/isIgnoringDotenvKeys')
+
+const ENCODING = 'utf8'
+
+async function convert () {
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  try {
+    const {
+      processedEnvFiles,
+      changedFilepaths,
+      unchangedFilepaths
+    } = main.convert(options.envFile)
+
+    for (const processedEnvFile of processedEnvFiles) {
+      logger.verbose(`encrypting ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)
+      if (processedEnvFile.error) {
+        if (processedEnvFile.error.code === 'MISSING_ENV_FILE') {
+          logger.warn(processedEnvFile.error)
+          logger.help(`? add one with [echo "HELLO=World" > ${processedEnvFile.envFilepath}] and re-run [dotenvx convert]`)
+        } else {
+          logger.warn(processedEnvFile.error)
+        }
+      } else if (processedEnvFile.changed) {
+        fs.writeFileSync(processedEnvFile.filepath, processedEnvFile.envSrc, ENCODING)
+
+        logger.verbose(`encrypted ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)
+      } else {
+        logger.verbose(`no changes ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)
+      }
+    }
+
+    if (changedFilepaths.length > 0) {
+      logger.success(`✔ encrypted (${changedFilepaths.join(',')})`)
+    } else if (unchangedFilepaths.length > 0) {
+      logger.info(`no changes (${unchangedFilepaths})`)
+    } else {
+      // do nothing - scenario when no .env files found
+    }
+
+    for (const processedEnvFile of processedEnvFiles) {
+      if (processedEnvFile.privateKeyAdded) {
+        logger.success(`✔ key added to .env.keys (${processedEnvFile.privateKeyName})`)
+
+        if (!isIgnoringDotenvKeys()) {
+          logger.help2('ℹ add .env.keys to .gitignore: [echo ".env.keys" >> .gitignore]')
+        }
+
+        logger.help2(`ℹ run [${processedEnvFile.privateKeyName}='${processedEnvFile.privateKey}' dotenvx run -- yourcommand] to test decryption locally`)
+      }
+    }
+  } catch (error) {
+    logger.error(error.message)
+    if (error.help) {
+      logger.help(error.help)
+    }
+    if (error.debug) {
+      logger.debug(error.debug)
+    }
+    if (error.code) {
+      logger.debug(`ERROR_CODE: ${error.code}`)
+    }
+    process.exit(1)
+  }
+}
+
+module.exports = convert

package/src/cli/actions/run.js

@@ -136,8 +136,11 @@ async function run () {
 
       if (processedEnv.error) {
         if (processedEnv.error.code === 'MISSING_ENV_FILE') {
-          logger.warnv(processedEnv.error)
-          logger.help(`? in development: add one with [echo "HELLO=World" > ${processedEnv.filepath}] and re-run [dotenvx run -- ${commandArgs.join(' ')}]`)
+          // do not warn for conventions (too noisy)
+          if (!options.convention) {
+            logger.warnv(processedEnv.error)
+            logger.help(`? add one with [echo "HELLO=World" > ${processedEnv.filepath}] and re-run [dotenvx run -- ${commandArgs.join(' ')}]`)
+          }
         } else {
           logger.warnv(processedEnv.error)
         }

package/src/cli/actions/set.js

@@ -1,7 +1,12 @@
+const fs = require('fs')
 const logger = require('./../../shared/logger')
 
 const main = require('./../../lib/main')
 
+const isIgnoringDotenvKeys = require('../../lib/helpers/isIgnoringDotenvKeys')
+
+const ENCODING = 'utf8'
+
 function set (key, value) {
   logger.debug(`key: ${key}`)
   logger.debug(`value: ${value}`)
@@ -12,36 +17,65 @@ function set (key, value) {
   try {
     const {
       processedEnvFiles,
-      settableFilepaths
+      changedFilepaths,
+      unchangedFilepaths
     } = main.set(key, value, options.envFile, options.encrypt)
 
-    let atLeastOneSuccess = false
+    let withEncryption = ''
+
+    if (options.encrypt) {
+      withEncryption = ' with encryption'
+    }
 
     for (const processedEnvFile of processedEnvFiles) {
-      logger.verbose(`setting for ${processedEnvFile.filepath}`)
+      logger.verbose(`setting for ${processedEnvFile.envFilepath}`)
 
       if (processedEnvFile.error) {
         if (processedEnvFile.error.code === 'MISSING_ENV_FILE') {
           logger.warn(processedEnvFile.error)
-          logger.help(`? add one with [echo "HELLO=World" > ${processedEnvFile.filepath}] and re-run [dotenvx set]`)
+          logger.help(`? add one with [echo "HELLO=World" > ${processedEnvFile.envFilepath}] and re-run [dotenvx set]`)
         } else {
           logger.warn(processedEnvFile.error)
         }
       } else {
-        atLeastOneSuccess = true
-        logger.verbose(`${processedEnvFile.key} set`)
-        logger.debug(`${processedEnvFile.key} set to ${processedEnvFile.value}`)
+        fs.writeFileSync(processedEnvFile.filepath, processedEnvFile.envSrc, ENCODING)
+
+        logger.verbose(`${processedEnvFile.key} set${withEncryption} (${processedEnvFile.envFilepath})`)
+        logger.debug(`${processedEnvFile.key} set${withEncryption} to ${processedEnvFile.value} (${processedEnvFile.envFilepath})`)
       }
     }
 
-    if (atLeastOneSuccess) {
-      logger.success(`set ${key} (${settableFilepaths.join(', ')})`)
+    if (changedFilepaths.length > 0) {
+      logger.success(`✔ set ${key}${withEncryption} (${changedFilepaths.join(',')})`)
+    } else if (unchangedFilepaths.length > 0) {
+      logger.info(`no changes (${unchangedFilepaths})`)
+    } else {
+      // do nothing
+    }
+
+    for (const processedEnvFile of processedEnvFiles) {
+      if (processedEnvFile.privateKeyAdded) {
+        logger.success(`✔ key added to .env.keys (${processedEnvFile.privateKeyName})`)
+
+        if (!isIgnoringDotenvKeys()) {
+          logger.help2('ℹ add .env.keys to .gitignore: [echo ".env.keys" >> .gitignore]')
+        }
+
+        logger.help2(`ℹ run [${processedEnvFile.privateKeyName}='${processedEnvFile.privateKey}' dotenvx get ${key}] to test decryption locally`)
+      }
     }
   } catch (error) {
     logger.error(error.message)
     if (error.help) {
       logger.help(error.help)
     }
+    if (error.debug) {
+      logger.debug(error.debug)
+    }
+    if (error.code) {
+      logger.debug(`ERROR_CODE: ${error.code}`)
+    }
+    process.exit(1)
   }
 }
 

package/src/cli/actions/vault/convert.js

@@ -0,0 +1,47 @@
+const logger = require('./../../../shared/logger')
+
+function convert (directory) {
+  // debug args
+  logger.debug(`directory: ${directory}`)
+
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  try {
+    logger.help2('To convert your .env.vault file to encrypted .env file(s):')
+    logger.help('')
+    logger.help('  1. Run [dotenvx vault decrypt]')
+    logger.help('  2. Run [ls -a .env*]')
+    logger.help('')
+    logger.help2('Lastly, convert each .env(.environment) file:')
+    logger.help('')
+    logger.help('  3. Run [dotenvx convert -f .env.production]')
+    logger.help2('')
+    logger.help2('For example:')
+    logger.help2('')
+    logger.help2('  $ dotenvx convert -f .env')
+    logger.help2('  $ dotenvx convert -f .env.ci')
+    logger.help2('  $ dotenvx convert -f .env.production')
+    logger.help2('')
+    logger.help2('Afterward:')
+    logger.help2('')
+    logger.help2('Update production with your new DOTENV_PRIVATE_KEY_PRODUCTION located in .env.keys')
+    logger.help2('')
+    logger.success('Learn more at [https://dotenvx.com/docs/quickstart#add-encryption]')
+    logger.help2('')
+  } catch (error) {
+    logger.error(error.message)
+    if (error.help) {
+      logger.help(error.help)
+    }
+    if (error.debug) {
+      logger.debug(error.debug)
+    }
+    if (error.code) {
+      logger.debug(`ERROR_CODE: ${error.code}`)
+    }
+    process.exit(1)
+  }
+}
+
+module.exports = convert

package/src/cli/actions/vault/encrypt.js

@@ -58,7 +58,6 @@ async function encrypt (directory) {
 
     if (addedKeys.length > 0) {
       spinner.succeed(`${pluralize('key', addedKeys.length)} added to .env.keys (${addedKeys})`)
-      logger.help2('ℹ push .env.keys up to hub: [dotenvx hub push]')
     }
 
     if (addedVaults.length > 0) {

package/src/cli/commands/hub.js

@@ -14,7 +14,7 @@ hub
   .description('authenticate to dotenvx hub')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
   .action(function (...args) {
-    logger.warn('DEPRECATION NOTECE: [dotenvx hub login] will be removed in 1.0.0 release soon')
+    logger.warn('DEPRECATION NOTICE: [dotenvx hub login] will be removed in 1.0.0 release soon')
 
     loginAction.apply(this, args)
   })
@@ -26,7 +26,7 @@ hub
   .argument('[directory]', 'directory to push', '.')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
   .action(function (...args) {
-    logger.warn('DEPRECATION NOTECE: [dotenvx hub push] will be removed in 1.0.0 release soon')
+    logger.warn('DEPRECATION NOTICE: [dotenvx hub push] will be removed in 1.0.0 release soon')
 
     pushAction.apply(this, args)
   })
@@ -38,7 +38,7 @@ hub
   .argument('[directory]', 'directory to pull', '.')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
   .action(function (...args) {
-    logger.warn('DEPRECATION NOTECE: [dotenvx hub pull] will be removed in 1.0.0 release soon')
+    logger.warn('DEPRECATION NOTICE: [dotenvx hub pull] will be removed in 1.0.0 release soon')
 
     pullAction.apply(this, args)
   })
@@ -49,7 +49,7 @@ hub
   .description('view repository on dotenvx hub')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
   .action(function (...args) {
-    logger.warn('DEPRECATION NOTECE: [dotenvx hub open] will be removed in 1.0.0 release soon')
+    logger.warn('DEPRECATION NOTICE: [dotenvx hub open] will be removed in 1.0.0 release soon')
 
     openAction.apply(this, args)
   })
@@ -60,7 +60,7 @@ hub
   .description('print the auth token dotenvx hub is configured to use')
   .option('-h, --hostname <url>', 'set hostname', 'https://hub.dotenvx.com')
   .action(function (...args) {
-    logger.warn('DEPRECATION NOTECE: [dotenvx hub token] will be removed in 1.0.0 release soon')
+    logger.warn('DEPRECATION NOTICE: [dotenvx hub token] will be removed in 1.0.0 release soon')
 
     tokenAction.apply(this, args)
   })
@@ -70,7 +70,7 @@ hub
   .command('status')
   .description('display logged in user')
   .action(function (...args) {
-    logger.warn('DEPRECATION NOTECE: [dotenvx hub status] will be removed in 1.0.0 release soon')
+    logger.warn('DEPRECATION NOTICE: [dotenvx hub status] will be removed in 1.0.0 release soon')
 
     statusAction.apply(this, args)
   })
@@ -81,7 +81,7 @@ hub
   .description('log out this machine from dotenvx hub')
   .option('-h, --hostname <url>', 'set hostname', store.getHostname())
   .action(function (...args) {
-    logger.warn('DEPRECATION NOTECE: [dotenvx hub logout] will be removed in 1.0.0 release soon')
+    logger.warn('DEPRECATION NOTICE: [dotenvx hub logout] will be removed in 1.0.0 release soon')
 
     logoutAction.apply(this, args)
   })

package/src/cli/commands/vault.js

@@ -7,6 +7,11 @@ const vault = new Command('vault')
 vault
   .description('manage .env.vault files')
 
+// dotenvx vault convert
+vault.command('convert')
+  .description('instructions for converting .env.vault to encrypted env file(s)')
+  .action(require('./../actions/vault/convert'))
+
 // dotenvx vault encrypt
 vault.command('encrypt')
   .description('encrypt .env.* to .env.vault')

package/src/cli/dotenvx.js

@@ -103,6 +103,12 @@ program.command('set')
   .option('-c, --encrypt', 'encrypt value')
   .action(require('./actions/set'))
 
+// dotenvx convert
+program.command('convert')
+  .description('convert env file(s) to encrypted env file(s)')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
+  .action(require('./actions/convert'))
+
 // dotenvx ls
 program.command('ls')
   .description('print all .env files in a tree structure')
@@ -160,6 +166,7 @@ program.command('encrypt')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
   .action(function (...args) {
     logger.warn('DEPRECATION NOTICE: [dotenvx encrypt] has moved. change your command to [dotenvx vault encrypt]')
+    logger.warn('DEPRECATION NOTICE: [dotenvx encryptme] will become [dotenvx encrypt] in a 1.0.0 release scheduled for middle of June 2024.')
 
     encryptAction.apply(this, args)
   })
@@ -171,7 +178,7 @@ program.command('decrypt')
   .argument('[directory]', 'directory to decrypt', '.')
   .option('-e, --environment <environments...>', 'environment(s) to decrypt')
   .action(function (...args) {
-    logger.warn('DEPRECATION NOTECE: [dotenvx decrypt] has moved. change your command to [dotenvx vault decrypt]')
+    logger.warn('DEPRECATION NOTICE: [dotenvx decrypt] has moved. change your command to [dotenvx vault decrypt]')
 
     decryptAction.apply(this, args)
   })

package/src/lib/helpers/findOrCreatePublicKey.js

@@ -31,7 +31,8 @@ function findOrCreatePublicKey (envFilepath, envKeysFilepath) {
       envSrc,
       keysSrc,
       publicKey: envParsed[publicKeyName],
-      privateKey: keysParsed[privateKeyName]
+      privateKey: keysParsed[privateKeyName],
+      privateKeyAdded: false
     }
   }
 
@@ -73,7 +74,8 @@ function findOrCreatePublicKey (envFilepath, envKeysFilepath) {
     envSrc,
     keysSrc,
     publicKey,
-    privateKey
+    privateKey,
+    privateKeyAdded: true
   }
 }
 

package/src/lib/helpers/isEncrypted.js

@@ -0,0 +1,8 @@
+const ENCRYPTION_PATTERN = /^encrypted:.+/
+const PUBLIC_KEY_PATTERN = /^DOTENV_PUBLIC_KEY/
+
+function isEncrypted (key, value) {
+  return PUBLIC_KEY_PATTERN.test(key) || ENCRYPTION_PATTERN.test(value)
+}
+
+module.exports = isEncrypted

package/src/lib/helpers/isFullyEncrypted.js

@@ -0,0 +1,18 @@
+const dotenv = require('dotenv')
+
+const isEncrypted = require('./isEncrypted')
+
+function isFullyEncrypted (src) {
+  const parsed = dotenv.parse(src)
+
+  for (const [key, value] of Object.entries(parsed)) {
+    const result = isEncrypted(key, value)
+    if (!result) {
+      return false
+    }
+  }
+
+  return true
+}
+
+module.exports = isFullyEncrypted

package/src/lib/helpers/isIgnoringDotenvKeys.js

@@ -0,0 +1,19 @@
+const fs = require('fs')
+const ignore = require('ignore')
+
+function isIgnoringDotenvKeys () {
+  if (!fs.existsSync('.gitignore')) {
+    return false
+  }
+
+  const gitignore = fs.readFileSync('.gitignore').toString()
+  const ig = ignore(gitignore).add(gitignore)
+
+  if (!ig.ignores('.env.keys')) {
+    return false
+  }
+
+  return false
+}
+
+module.exports = isIgnoringDotenvKeys

package/src/lib/helpers/replace.js

@@ -7,7 +7,7 @@ function replace (src, key, value) {
   const parsed = dotenv.parse(src)
   if (Object.prototype.hasOwnProperty.call(parsed, key)) {
     // replace
-    const regex = new RegExp(`^${key}=.*$`, 'm') // Regular expression to find the key and replace its value
+    const regex = new RegExp(`^${key}=(?:(["'\`])[^\\1]*\\1|[^\\n]*)(\\n[^A-Z0-9_].*)*`, 'm')
     output = src.replace(regex, formatted)
   } else {
     // append

package/src/lib/main.js

@@ -3,13 +3,14 @@ const dotenv = require('dotenv')
 const dotenvExpand = require('dotenv-expand')
 
 // services
-const Encrypt = require('./services/encrypt')
 const Ls = require('./services/ls')
 const Get = require('./services/get')
 const Sets = require('./services/sets')
 const Status = require('./services/status')
+const Encrypt = require('./services/encrypt')
 const Genexample = require('./services/genexample')
 const Settings = require('./services/settings')
+const VaultEncrypt = require('./services/vaultEncrypt')
 
 // helpers
 const dotenvEval = require('./helpers/dotenvEval')
@@ -41,9 +42,13 @@ const parse = function (src) {
   return dotenv.parse(src)
 }
 
-// actions related
+// DEPRECATED: will became the same function as convert
 const encrypt = function (directory, envFile) {
-  return new Encrypt(directory, envFile).run()
+  return new VaultEncrypt(directory, envFile).run()
+}
+
+const vaultEncrypt = function (directory, envFile) {
+  return new VaultEncrypt(directory, envFile).run()
 }
 
 const ls = function (directory, envFile) {
@@ -62,6 +67,10 @@ const set = function (key, value, envFile, encrypt) {
   return new Sets(key, value, envFile, encrypt).run()
 }
 
+const convert = function (envFile) {
+  return new Encrypt(envFile).run()
+}
+
 const status = function (directory) {
   return new Status(directory).run()
 }
@@ -96,9 +105,11 @@ module.exports = {
   parse,
   // actions related
   encrypt,
+  vaultEncrypt,
   ls,
   get,
   set,
+  convert,
   status,
   genexample,
   // settings

package/src/lib/services/encrypt.js

@@ -2,91 +2,93 @@ const fs = require('fs')
 const path = require('path')
 const dotenv = require('dotenv')
 
-const DotenvKeys = require('./../helpers/dotenvKeys')
-const DotenvVault = require('./../helpers/dotenvVault')
+const findOrCreatePublicKey = require('./../helpers/findOrCreatePublicKey')
+const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
+const encryptValue = require('./../helpers/encryptValue')
+const isEncrypted = require('./../helpers/isEncrypted')
+const replace = require('./../helpers/replace')
 
 const ENCODING = 'utf8'
 
-const findEnvFiles = require('../helpers/findEnvFiles')
-
 class Encrypt {
-  constructor (directory = '.', envFile) {
-    this.directory = directory
-    this.envFile = envFile || findEnvFiles(directory)
-    // calculated
-    this.envKeysFilepath = path.resolve(this.directory, '.env.keys')
-    this.envVaultFilepath = path.resolve(this.directory, '.env.vault')
+  constructor (envFile = '.env') {
+    this.envFile = envFile
+    this.processedEnvFiles = []
+    this.changedFilepaths = new Set()
+    this.unchangedFilepaths = new Set()
   }
 
   run () {
-    if (this.envFile.length < 1) {
-      const code = 'MISSING_ENV_FILES'
-      const message = 'no .env* files found'
-      const help = '? add one with [echo "HELLO=World" > .env] and then run [dotenvx encrypt]'
-
-      const error = new Error(message)
-      error.code = code
-      error.help = help
-      throw error
-    }
-
-    const parsedDotenvKeys = this._parsedDotenvKeys()
-    const parsedDotenvVaults = this._parsedDotenvVault()
     const envFilepaths = this._envFilepaths()
-
-    // build filepaths to be passed to DotenvKeys
-    const uniqueEnvFilepaths = new Set()
     for (const envFilepath of envFilepaths) {
-      const filepath = path.resolve(this.directory, envFilepath)
-      if (!fs.existsSync(filepath)) {
-        const code = 'MISSING_ENV_FILE'
-        const message = `file does not exist at [${filepath}]`
-        const help = `? add it with [echo "HELLO=World" > ${envFilepath}] and then run [dotenvx encrypt]`
-
-        const error = new Error(message)
-        error.code = code
-        error.help = help
-        throw error
+      const filepath = path.resolve(envFilepath)
+
+      const row = {}
+      row.keys = []
+      row.filepath = filepath
+      row.envFilepath = envFilepath
+
+      try {
+        // get the original src
+        let src = fs.readFileSync(filepath, { encoding: ENCODING })
+        // get/generate the public key
+        const envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
+        const {
+          envSrc,
+          publicKey,
+          privateKey,
+          privateKeyAdded
+        } = findOrCreatePublicKey(filepath, envKeysFilepath)
+        row.publicKey = publicKey
+        row.privateKey = privateKey
+        row.privateKeyName = guessPrivateKeyName(filepath)
+        row.privateKeyAdded = privateKeyAdded
+
+        src = envSrc // src was potentially changed by findOrCreatePublicKey so we set it again here
+
+        // track possible changes
+        row.changed = false
+
+        // iterate over all non-encrypted values and encrypt them
+        const parsed = dotenv.parse(src)
+        for (const [key, value] of Object.entries(parsed)) {
+          const encrypted = isEncrypted(key, value)
+          if (!encrypted) {
+            row.keys.push(key) // track key(s)
+
+            const encryptedValue = encryptValue(value, publicKey)
+            // once newSrc is built write it out
+            src = replace(src, key, encryptedValue)
+
+            row.changed = true // track change
+          }
+        }
+
+        if (row.changed) {
+          row.envSrc = src
+          this.changedFilepaths.add(envFilepath)
+        } else {
+          row.envSrc = src
+          this.unchangedFilepaths.add(envFilepath)
+        }
+      } catch (e) {
+        if (e.code === 'ENOENT') {
+          const error = new Error(`missing ${envFilepath} file (${filepath})`)
+          error.code = 'MISSING_ENV_FILE'
+
+          row.error = error
+        } else {
+          row.error = e
+        }
       }
 
-      uniqueEnvFilepaths.add(filepath)
+      this.processedEnvFiles.push(row)
     }
 
-    // generate .env.keys string
-    const {
-      dotenvKeys,
-      dotenvKeysFile,
-      addedKeys,
-      existingKeys
-    } = new DotenvKeys([...uniqueEnvFilepaths], parsedDotenvKeys).run()
-
-    // build look up of .env filepaths and their raw content
-    const dotenvFiles = {}
-    for (const filepath of [...uniqueEnvFilepaths]) {
-      const raw = fs.readFileSync(filepath, ENCODING)
-      dotenvFiles[filepath] = raw
-    }
-
-    // generate .env.vault string
-    const {
-      dotenvVaultFile,
-      addedVaults,
-      existingVaults,
-      addedDotenvFilenames
-    } = new DotenvVault(dotenvFiles, dotenvKeys, parsedDotenvVaults).run()
-
     return {
-      // from DotenvKeys
-      dotenvKeys,
-      dotenvKeysFile,
-      addedKeys,
-      existingKeys,
-      // from DotenvVault
-      dotenvVaultFile,
-      addedVaults,
-      existingVaults,
-      addedDotenvFilenames,
-      envFile: this.envFile
+      processedEnvFiles: this.processedEnvFiles,
+      changedFilepaths: [...this.changedFilepaths],
+      unchangedFilepaths: [...this.unchangedFilepaths]
     }
   }
 
@@ -97,22 +99,6 @@ class Encrypt {
 
     return this.envFile
   }
-
-  _parsedDotenvKeys () {
-    const options = {
-      path: this.envKeysFilepath
-    }
-
-    return dotenv.configDotenv(options).parsed
-  }
-
-  _parsedDotenvVault () {
-    const options = {
-      path: this.envVaultFilepath
-    }
-
-    return dotenv.configDotenv(options).parsed
-  }
 }
 
 module.exports = Encrypt

package/src/lib/services/precommit.js

@@ -3,7 +3,9 @@ const fs = require('fs')
 const ignore = require('ignore')
 
 const pluralize = require('./../helpers/pluralize')
+const isFullyEncrypted = require('./../helpers/isFullyEncrypted')
 const InstallPrecommitHook = require('./../helpers/installPrecommitHook')
+const MISSING_GITIGNORE = '.env.keys' // by default only ignore .env.keys. all other .env* files COULD be included - as long as they are encrypted
 
 class Precommit {
   constructor (options = {}) {
@@ -22,16 +24,20 @@ class Precommit {
       }
     } else {
       const warnings = []
+      let successMessage = 'success'
+      let gitignore = MISSING_GITIGNORE
 
       // 1. check for .gitignore file
       if (!fs.existsSync('.gitignore')) {
-        const error = new Error('.gitignore missing')
-        error.help = '? add it with [touch .gitignore]'
-        throw error
+        const warning = new Error('.gitignore missing')
+        warning.help = '? add it with [touch .gitignore]'
+        warnings.push(warning)
+      } else {
+        gitignore = fs.readFileSync('.gitignore').toString()
       }
 
       // 2. check .env* files against .gitignore file
-      const ig = ignore().add(fs.readFileSync('.gitignore').toString())
+      const ig = ignore().add(gitignore)
       const files = fs.readdirSync(process.cwd())
       const dotenvFiles = files.filter(file => file.match(/^\.env(\..+)?$/))
       dotenvFiles.forEach(file => {
@@ -44,14 +50,19 @@ class Precommit {
           }
         } else {
           if (file !== '.env.example' && file !== '.env.vault') {
-            const error = new Error(`${file} not properly gitignored`)
-            error.help = `? add ${file} to .gitignore with [echo ".env*" >> .gitignore]`
-            throw error
+            const src = fs.readFileSync(file).toString()
+            const encrypted = isFullyEncrypted(src)
+
+            // if contents are encrypted don't raise an error
+            if (!encrypted) {
+              const error = new Error(`${file} not encrypted (or not gitignored)`)
+              error.help = `? encrypt it with [dotenvx protect -f ${file}] or add ${file} to .gitignore with [echo ".env*" >> .gitignore]`
+              throw error
+            }
           }
         }
       })
 
-      let successMessage = 'success'
       if (warnings.length > 0) {
         successMessage = `success (with ${pluralize('warning', warnings.length)})`
       }

package/src/lib/services/sets.js

@@ -1,7 +1,10 @@
 const fs = require('fs')
 const path = require('path')
 
+const dotenv = require('dotenv')
+
 const findOrCreatePublicKey = require('./../helpers/findOrCreatePublicKey')
+const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
 const encryptValue = require('./../helpers/encryptValue')
 const replace = require('./../helpers/replace')
 
@@ -14,39 +17,57 @@ class Sets {
     this.envFile = envFile
     this.encrypt = encrypt
 
-    this.publicKey = null
     this.processedEnvFiles = []
-    this.settableFilepaths = new Set()
+    this.changedFilepaths = new Set()
+    this.unchangedFilepaths = new Set()
   }
 
   run () {
     const envFilepaths = this._envFilepaths()
     for (const envFilepath of envFilepaths) {
+      const filepath = path.resolve(envFilepath)
+
       const row = {}
       row.key = this.key
-      row.filepath = envFilepath
       row.value = this.value
+      row.filepath = filepath
+      row.envFilepath = envFilepath
+      row.changed = false
 
-      const filepath = path.resolve(envFilepath)
       try {
         let value = this.value
         let src = fs.readFileSync(filepath, { encoding: ENCODING })
+        row.originalValue = dotenv.parse(src)[row.key] || null
+
         if (this.encrypt) {
           const envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
           const {
+            envSrc,
             publicKey,
-            envSrc
+            privateKey,
+            privateKeyAdded
           } = findOrCreatePublicKey(filepath, envKeysFilepath)
           src = envSrc // overwrite the original read (because findOrCreatePublicKey) rewrite to it
           value = encryptValue(value, publicKey)
-          row.encryptedValue = value // useful
+
+          row.changed = true // track change
+          row.encryptedValue = value
           row.publicKey = publicKey
+          row.privateKey = privateKey
+          row.privateKeyAdded = privateKeyAdded
+          row.privateKeyName = guessPrivateKeyName(filepath)
         }
 
-        const newSrc = replace(src, this.key, value)
-        fs.writeFileSync(filepath, newSrc)
+        if (value !== row.originalValue) {
+          row.envSrc = replace(src, this.key, value)
+
+          this.changedFilepaths.add(envFilepath)
+          row.changed = true
+        } else {
+          row.envSrc = src
 
-        this.settableFilepaths.add(envFilepath)
+          this.unchangedFilepaths.add(envFilepath)
+        }
       } catch (e) {
         if (e.code === 'ENOENT') {
           const error = new Error(`missing ${envFilepath} file (${filepath})`)
@@ -63,7 +84,8 @@ class Sets {
 
     return {
       processedEnvFiles: this.processedEnvFiles,
-      settableFilepaths: [...this.settableFilepaths]
+      changedFilepaths: [...this.changedFilepaths],
+      unchangedFilepaths: [...this.unchangedFilepaths]
     }
   }
 

package/src/lib/services/vaultEncrypt.js

@@ -0,0 +1,118 @@
+const fs = require('fs')
+const path = require('path')
+const dotenv = require('dotenv')
+
+const DotenvKeys = require('./../helpers/dotenvKeys')
+const DotenvVault = require('./../helpers/dotenvVault')
+
+const ENCODING = 'utf8'
+
+const findEnvFiles = require('../helpers/findEnvFiles')
+
+class VaultEncrypt {
+  constructor (directory = '.', envFile) {
+    this.directory = directory
+    this.envFile = envFile || findEnvFiles(directory)
+    // calculated
+    this.envKeysFilepath = path.resolve(this.directory, '.env.keys')
+    this.envVaultFilepath = path.resolve(this.directory, '.env.vault')
+  }
+
+  run () {
+    if (this.envFile.length < 1) {
+      const code = 'MISSING_ENV_FILES'
+      const message = 'no .env* files found'
+      const help = '? add one with [echo "HELLO=World" > .env] and then run [dotenvx vault encrypt]'
+
+      const error = new Error(message)
+      error.code = code
+      error.help = help
+      throw error
+    }
+
+    const parsedDotenvKeys = this._parsedDotenvKeys()
+    const parsedDotenvVaults = this._parsedDotenvVault()
+    const envFilepaths = this._envFilepaths()
+
+    // build filepaths to be passed to DotenvKeys
+    const uniqueEnvFilepaths = new Set()
+    for (const envFilepath of envFilepaths) {
+      const filepath = path.resolve(this.directory, envFilepath)
+      if (!fs.existsSync(filepath)) {
+        const code = 'MISSING_ENV_FILE'
+        const message = `file does not exist at [${filepath}]`
+        const help = `? add it with [echo "HELLO=World" > ${envFilepath}] and then run [dotenvx vault encrypt]`
+
+        const error = new Error(message)
+        error.code = code
+        error.help = help
+        throw error
+      }
+
+      uniqueEnvFilepaths.add(filepath)
+    }
+
+    // generate .env.keys string
+    const {
+      dotenvKeys,
+      dotenvKeysFile,
+      addedKeys,
+      existingKeys
+    } = new DotenvKeys([...uniqueEnvFilepaths], parsedDotenvKeys).run()
+
+    // build look up of .env filepaths and their raw content
+    const dotenvFiles = {}
+    for (const filepath of [...uniqueEnvFilepaths]) {
+      const raw = fs.readFileSync(filepath, ENCODING)
+      dotenvFiles[filepath] = raw
+    }
+
+    // generate .env.vault string
+    const {
+      dotenvVaultFile,
+      addedVaults,
+      existingVaults,
+      addedDotenvFilenames
+    } = new DotenvVault(dotenvFiles, dotenvKeys, parsedDotenvVaults).run()
+
+    return {
+      // from DotenvKeys
+      dotenvKeys,
+      dotenvKeysFile,
+      addedKeys,
+      existingKeys,
+      // from DotenvVault
+      dotenvVaultFile,
+      addedVaults,
+      existingVaults,
+      addedDotenvFilenames,
+      envFile: this.envFile
+    }
+  }
+
+  _envFilepaths () {
+    if (!Array.isArray(this.envFile)) {
+      return [this.envFile]
+    }
+
+    return this.envFile
+  }
+
+  _parsedDotenvKeys () {
+    const options = {
+      path: this.envKeysFilepath
+    }
+
+    return dotenv.configDotenv(options).parsed
+  }
+
+  _parsedDotenvVault () {
+    const options = {
+      path: this.envVaultFilepath
+    }
+
+    return dotenv.configDotenv(options).parsed
+  }
+}
+
+module.exports = VaultEncrypt