@dotenvx/dotenvx 1.19.3 → 1.20.1

package/CHANGELOG.md

@@ -2,7 +2,25 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.19.3...main)
+## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.20.0...main)
+
+### Changed
+
+* update [eciesjs](https://github.com/ecies/js/issues/802) ([#421](https://github.com/dotenvx/dotenvx/pull/421))
+* remove default values for ts interface - no longer permitted by latest ts ([#419](https://github.com/dotenvx/dotenvx/pull/419))
+
+## 1.20.0
+
+### Changed
+
+* respect `process.env.DOTENV_PRIVATE_KEY` and/or `process.env.DOTENV_PUBLIC_KEY` on `set` ([#401](https://github.com/dotenvx/dotenvx/pull/401))
+* respect `process.env.DOTENV_PRIVATE_KEY` and/or `process.env.DOTENV_PUBLIC_KEY` on `encrypt` ([#411](https://github.com/dotenvx/dotenvx/pull/411))
+* respect `process.env.DOTENV_PRIVATE_KEY` on `decrypt` ([#412](https://github.com/dotenvx/dotenvx/pull/412))
+* change `logger.help` to use brighter blue ([#414](https://github.com/dotenvx/dotenvx/pull/414))
+
+### Removed
+
+* remove `main.decrypt,encrypt,set` ([#410](https://github.com/dotenvx/dotenvx/pull/410))
 
 ## 1.19.3
 

package/README.md

@@ -1790,7 +1790,7 @@ That said, the `.env.vault` tooling will still stick around for at least 1 year
 
 #### How do I migrate my `.env.vault` file(s) to encrypted `.env` files?
 
-Run `$ dotenvx vault migrate` and follow the instructions.
+Run `$ dotenvx ext vault migrate` and follow the instructions.
 
  
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.19.3",
+  "version": "1.20.1",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -38,7 +38,7 @@
   "dependencies": {
     "commander": "^11.1.0",
     "dotenv": "^16.4.5",
-    "eciesjs": "^0.4.6",
+    "eciesjs": "^0.4.10",
     "execa": "^5.1.1",
     "fdir": "^6.2.0",
     "ignore": "^5.3.0",

package/src/cli/actions/decrypt.js

@@ -1,26 +1,30 @@
 const fsx = require('./../../lib/helpers/fsx')
 const { logger } = require('./../../shared/logger')
 
-const main = require('./../../lib/main')
+const Decrypt = require('./../../lib/services/decrypt')
+
+const catchAndLog = require('../../lib/helpers/catchAndLog')
 
 function decrypt () {
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
 
+  const envs = this.envs
+
   let errorCount = 0
 
   // stdout - should not have a try so that exit codes can surface to stdout
   if (options.stdout) {
     const {
-      processedEnvFiles
-    } = main.decrypt(options.envFile, options.key, options.excludeKey)
+      processedEnvs
+    } = new Decrypt(envs, options.key, options.excludeKey).run()
 
-    for (const processedEnvFile of processedEnvFiles) {
-      if (processedEnvFile.error) {
+    for (const processedEnv of processedEnvs) {
+      if (processedEnv.error) {
         errorCount += 1
-        console.error(processedEnvFile.error.message)
+        console.error(processedEnv.error.message)
       } else {
-        console.log(processedEnvFile.envSrc)
+        console.log(processedEnv.envSrc)
       }
     }
 
@@ -32,29 +36,29 @@ function decrypt () {
   } else {
     try {
       const {
-        processedEnvFiles,
+        processedEnvs,
         changedFilepaths,
         unchangedFilepaths
-      } = main.decrypt(options.envFile, options.key, options.excludeKey)
+      } = new Decrypt(envs, options.key, options.excludeKey).run()
 
-      for (const processedEnvFile of processedEnvFiles) {
-        logger.verbose(`decrypting ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)
+      for (const processedEnv of processedEnvs) {
+        logger.verbose(`decrypting ${processedEnv.envFilepath} (${processedEnv.filepath})`)
 
-        if (processedEnvFile.error) {
+        if (processedEnv.error) {
           errorCount += 1
 
-          if (processedEnvFile.error.code === 'MISSING_ENV_FILE') {
-            logger.error(processedEnvFile.error.message)
-            logger.help(`? add one with [echo "HELLO=World" > ${processedEnvFile.envFilepath}] and re-run [dotenvx decrypt]`)
+          if (processedEnv.error.code === 'MISSING_ENV_FILE') {
+            logger.error(processedEnv.error.message)
+            logger.help(`? add one with [echo "HELLO=World" > ${processedEnv.envFilepath}] and re-run [dotenvx decrypt]`)
           } else {
-            logger.error(processedEnvFile.error.message)
+            logger.error(processedEnv.error.message)
           }
-        } else if (processedEnvFile.changed) {
-          fsx.writeFileX(processedEnvFile.filepath, processedEnvFile.envSrc)
+        } else if (processedEnv.changed) {
+          fsx.writeFileX(processedEnv.filepath, processedEnv.envSrc)
 
-          logger.verbose(`decrypted ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)
+          logger.verbose(`decrypted ${processedEnv.envFilepath} (${processedEnv.filepath})`)
         } else {
-          logger.verbose(`no changes ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)
+          logger.verbose(`no changes ${processedEnv.envFilepath} (${processedEnv.filepath})`)
         }
       }
 
@@ -70,16 +74,7 @@ function decrypt () {
         process.exit(1)
       }
     } catch (error) {
-      logger.error(error.message)
-      if (error.help) {
-        logger.help(error.help)
-      }
-      if (error.debug) {
-        logger.debug(error.debug)
-      }
-      if (error.code) {
-        logger.debug(`ERROR_CODE: ${error.code}`)
-      }
+      catchAndLog(error)
       process.exit(1)
     }
   }

package/src/cli/actions/encrypt.js

@@ -1,47 +1,53 @@
 const fsx = require('./../../lib/helpers/fsx')
 const { logger } = require('./../../shared/logger')
 
-const main = require('./../../lib/main')
+const Encrypt = require('./../../lib/services/encrypt')
 
+const catchAndLog = require('../../lib/helpers/catchAndLog')
 const isIgnoringDotenvKeys = require('../../lib/helpers/isIgnoringDotenvKeys')
 
 function encrypt () {
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
 
+  const envs = this.envs
+
   // stdout - should not have a try so that exit codes can surface to stdout
   if (options.stdout) {
     const {
-      processedEnvFiles
-    } = main.encrypt(options.envFile, options.key, options.excludeKey)
+      processedEnvs
+    } = new Encrypt(envs, options.key, options.excludeKey).run()
 
-    for (const processedEnvFile of processedEnvFiles) {
-      console.log(processedEnvFile.envSrc)
+    for (const processedEnv of processedEnvs) {
+      console.log(processedEnv.envSrc)
     }
     process.exit(0) // exit early
   } else {
     try {
       const {
-        processedEnvFiles,
+        processedEnvs,
         changedFilepaths,
         unchangedFilepaths
-      } = main.encrypt(options.envFile, options.key, options.excludeKey)
+      } = new Encrypt(envs, options.key, options.excludeKey).run()
 
-      for (const processedEnvFile of processedEnvFiles) {
-        logger.verbose(`encrypting ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)
-        if (processedEnvFile.error) {
-          if (processedEnvFile.error.code === 'MISSING_ENV_FILE') {
-            logger.warn(processedEnvFile.error.message)
-            logger.help(`? add one with [echo "HELLO=World" > ${processedEnvFile.envFilepath}] and re-run [dotenvx encrypt]`)
+      for (const processedEnv of processedEnvs) {
+        logger.verbose(`encrypting ${processedEnv.envFilepath} (${processedEnv.filepath})`)
+        if (processedEnv.error) {
+          if (processedEnv.error.code === 'MISSING_ENV_FILE') {
+            logger.warn(processedEnv.error.message)
+            logger.help(`? add one with [echo "HELLO=World" > ${processedEnv.envFilepath}] and re-run [dotenvx encrypt]`)
           } else {
-            logger.warn(processedEnvFile.error.message)
+            logger.warn(processedEnv.error.message)
+            if (processedEnv.error.help) {
+              logger.help(processedEnv.error.help)
+            }
           }
-        } else if (processedEnvFile.changed) {
-          fsx.writeFileX(processedEnvFile.filepath, processedEnvFile.envSrc)
+        } else if (processedEnv.changed) {
+          fsx.writeFileX(processedEnv.filepath, processedEnv.envSrc)
 
-          logger.verbose(`encrypted ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)
+          logger.verbose(`encrypted ${processedEnv.envFilepath} (${processedEnv.filepath})`)
         } else {
-          logger.verbose(`no changes ${processedEnvFile.envFilepath} (${processedEnvFile.filepath})`)
+          logger.verbose(`no changes ${processedEnv.envFilepath} (${processedEnv.filepath})`)
         }
       }
 
@@ -53,28 +59,19 @@ function encrypt () {
         // do nothing - scenario when no .env files found
       }
 
-      for (const processedEnvFile of processedEnvFiles) {
-        if (processedEnvFile.privateKeyAdded) {
-          logger.success(`✔ key added to .env.keys (${processedEnvFile.privateKeyName})`)
+      for (const processedEnv of processedEnvs) {
+        if (processedEnv.privateKeyAdded) {
+          logger.success(`✔ key added to .env.keys (${processedEnv.privateKeyName})`)
 
           if (!isIgnoringDotenvKeys()) {
             logger.help2('ℹ add .env.keys to .gitignore: [echo ".env.keys" >> .gitignore]')
           }
 
-          logger.help2(`ℹ run [${processedEnvFile.privateKeyName}='${processedEnvFile.privateKey}' dotenvx run -- yourcommand] to test decryption locally`)
+          logger.help2(`ℹ run [${processedEnv.privateKeyName}='${processedEnv.privateKey}' dotenvx run -- yourcommand] to test decryption locally`)
         }
       }
     } catch (error) {
-      logger.error(error.message)
-      if (error.help) {
-        logger.help(error.help)
-      }
-      if (error.debug) {
-        logger.debug(error.debug)
-      }
-      if (error.code) {
-        logger.debug(`ERROR_CODE: ${error.code}`)
-      }
+      catchAndLog(error)
       process.exit(1)
     }
   }

package/src/cli/actions/set.js

@@ -1,8 +1,9 @@
 const fsx = require('./../../lib/helpers/fsx')
 const { logger } = require('./../../shared/logger')
 
-const main = require('./../../lib/main')
+const Sets = require('./../../lib/services/sets')
 
+const catchAndLog = require('../../lib/helpers/catchAndLog')
 const isIgnoringDotenvKeys = require('../../lib/helpers/isIgnoringDotenvKeys')
 
 function set (key, value) {
@@ -19,11 +20,13 @@ function set (key, value) {
   }
 
   try {
+    const envs = this.envs
+
     const {
-      processedEnvFiles,
+      processedEnvs,
       changedFilepaths,
       unchangedFilepaths
-    } = main.set(key, value, options.envFile, encrypt)
+    } = new Sets(key, value, envs, encrypt).run()
 
     let withEncryption = ''
 
@@ -31,21 +34,24 @@ function set (key, value) {
       withEncryption = ' with encryption'
     }
 
-    for (const processedEnvFile of processedEnvFiles) {
-      logger.verbose(`setting for ${processedEnvFile.envFilepath}`)
+    for (const processedEnv of processedEnvs) {
+      logger.verbose(`setting for ${processedEnv.envFilepath}`)
 
-      if (processedEnvFile.error) {
-        if (processedEnvFile.error.code === 'MISSING_ENV_FILE') {
-          logger.warn(processedEnvFile.error.message)
-          logger.help(`? add one with [echo "HELLO=World" > ${processedEnvFile.envFilepath}] and re-run [dotenvx set]`)
+      if (processedEnv.error) {
+        if (processedEnv.error.code === 'MISSING_ENV_FILE') {
+          logger.warn(processedEnv.error.message)
+          logger.help(`? add one with [echo "HELLO=World" > ${processedEnv.envFilepath}] and re-run [dotenvx set]`)
         } else {
-          logger.warn(processedEnvFile.error.message)
+          logger.warn(processedEnv.error.message)
+          if (processedEnv.error.help) {
+            logger.help(processedEnv.error.help)
+          }
         }
       } else {
-        fsx.writeFileX(processedEnvFile.filepath, processedEnvFile.envSrc)
+        fsx.writeFileX(processedEnv.filepath, processedEnv.envSrc)
 
-        logger.verbose(`${processedEnvFile.key} set${withEncryption} (${processedEnvFile.envFilepath})`)
-        logger.debug(`${processedEnvFile.key} set${withEncryption} to ${processedEnvFile.value} (${processedEnvFile.envFilepath})`)
+        logger.verbose(`${processedEnv.key} set${withEncryption} (${processedEnv.envFilepath})`)
+        logger.debug(`${processedEnv.key} set${withEncryption} to ${processedEnv.value} (${processedEnv.envFilepath})`)
       }
     }
 
@@ -57,28 +63,19 @@ function set (key, value) {
       // do nothing
     }
 
-    for (const processedEnvFile of processedEnvFiles) {
-      if (processedEnvFile.privateKeyAdded) {
-        logger.success(`✔ key added to .env.keys (${processedEnvFile.privateKeyName})`)
+    for (const processedEnv of processedEnvs) {
+      if (processedEnv.privateKeyAdded) {
+        logger.success(`✔ key added to .env.keys (${processedEnv.privateKeyName})`)
 
         if (!isIgnoringDotenvKeys()) {
           logger.help2('ℹ add .env.keys to .gitignore: [echo ".env.keys" >> .gitignore]')
         }
 
-        logger.help2(`ℹ run [${processedEnvFile.privateKeyName}='${processedEnvFile.privateKey}' dotenvx get ${key}] to test decryption locally`)
+        logger.help2(`ℹ run [${processedEnv.privateKeyName}='${processedEnv.privateKey}' dotenvx get ${key}] to test decryption locally`)
       }
     }
   } catch (error) {
-    logger.error(error.message)
-    if (error.help) {
-      logger.help(error.help)
-    }
-    if (error.debug) {
-      logger.debug(error.debug)
-    }
-    if (error.code) {
-      logger.debug(`ERROR_CODE: ${error.code}`)
-    }
+    catchAndLog(error)
     process.exit(1)
   }
 }

package/src/cli/dotenvx.js

@@ -59,7 +59,6 @@ program.command('run')
   .option('--convention <name>', 'load a .env convention (available conventions: [\'nextjs\'])')
   .action(function (...args) {
     this.envs = envs
-
     runAction.apply(this, args)
   })
 
@@ -78,7 +77,6 @@ program.command('get')
   .option('--format <type>', 'format of the output (json, shell, eval)', 'json')
   .action(function (...args) {
     this.envs = envs
-
     getAction.apply(this, args)
   })
 
@@ -90,30 +88,39 @@ program.command('set')
   .allowUnknownOption()
   .argument('KEY', 'KEY')
   .argument('value', 'value')
-  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', '.env')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
   .option('-c, --encrypt', 'encrypt value (default: true)', true)
   .option('-p, --plain', 'store value as plain text', false)
-  .action(setAction)
+  .action(function (...args) {
+    this.envs = envs
+    setAction.apply(this, args)
+  })
 
 // dotenvx encrypt
 const encryptAction = require('./actions/encrypt')
 program.command('encrypt')
   .description('convert .env file(s) to encrypted .env file(s)')
-  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
   .option('-k, --key <keys...>', 'keys(s) to encrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from encryption (default: none)')
   .option('--stdout', 'send to stdout')
-  .action(encryptAction)
+  .action(function (...args) {
+    this.envs = envs
+    encryptAction.apply(this, args)
+  })
 
 // dotenvx decrypt
 const decryptAction = require('./actions/decrypt')
 program.command('decrypt')
   .description('convert encrypted .env file(s) to plain .env file(s)')
-  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
+  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
   .option('-k, --key <keys...>', 'keys(s) to decrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from decryption (default: none)')
   .option('--stdout', 'send to stdout')
-  .action(decryptAction)
+  .action(function (...args) {
+    this.envs = envs
+    decryptAction.apply(this, args)
+  })
 
 // dotenvx keypair
 const keypairAction = require('./actions/keypair')

package/src/lib/helpers/catchAndLog.js

@@ -0,0 +1,16 @@
+const { logger } = require('./../../shared/logger')
+
+function catchAndLog (error) {
+  logger.error(error.message)
+  if (error.help) {
+    logger.help(error.help)
+  }
+  if (error.debug) {
+    logger.debug(error.debug)
+  }
+  if (error.code) {
+    logger.debug(`ERROR_CODE: ${error.code}`)
+  }
+}
+
+module.exports = catchAndLog

package/src/lib/helpers/decryptValue.js

@@ -1,5 +1,7 @@
 const { decrypt } = require('eciesjs')
 
+const truncate = require('./truncate')
+
 const PREFIX = 'encrypted:'
 
 function decryptValue (value, privateKey) {
@@ -27,9 +29,9 @@ function decryptValue (value, privateKey) {
         break
       } catch (e) {
         if (e.message === 'Invalid private key') {
-          decryptionError = new Error('private key looks invalid')
+          decryptionError = new Error(`private key [${truncate(privateKey)}] looks invalid`)
         } else if (e.message === 'Unsupported state or unable to authenticate data') {
-          decryptionError = new Error('private key looks wrong')
+          decryptionError = new Error(`private key [${truncate(privateKey)}] looks wrong`)
         } else if (e.message === 'Point of length 65 was invalid. Expected 33 compressed bytes or 65 uncompressed bytes') {
           decryptionError = new Error('encrypted data looks malformed')
         } else {

package/src/lib/helpers/determineEnvs.js

@@ -0,0 +1,65 @@
+const dotenvPrivateKeyNames = require('./dotenvPrivateKeyNames')
+const guessPrivateKeyFilename = require('./guessPrivateKeyFilename')
+
+const TYPE_ENV_FILE = 'envFile'
+const TYPE_ENV_VAULT_FILE = 'envVaultFile'
+const DEFAULT_ENVS = [{ type: TYPE_ENV_FILE, value: '.env' }]
+const DEFAULT_ENV_VAULTS = [{ type: TYPE_ENV_VAULT_FILE, value: '.env.vault' }]
+
+function determineEnvsFromDotenvPrivateKey (privateKeyNames) {
+  const envs = []
+
+  for (const privateKeyName of privateKeyNames) {
+    const filename = guessPrivateKeyFilename(privateKeyName)
+    envs.push({ type: TYPE_ENV_FILE, value: filename })
+  }
+
+  return envs
+}
+
+function determineEnvs (envs = [], processEnv, DOTENV_KEY = '') {
+  const privateKeyNames = dotenvPrivateKeyNames(processEnv)
+  if (!envs || envs.length <= 0) {
+    // if process.env.DOTENV_PRIVATE_KEY or process.env.DOTENV_PRIVATE_KEY_${environment} is set, assume inline encryption methodology
+    if (privateKeyNames.length > 0) {
+      return determineEnvsFromDotenvPrivateKey(privateKeyNames)
+    }
+
+    if (DOTENV_KEY.length > 0) {
+      // if DOTENV_KEY is set then default to look for .env.vault file
+      return DEFAULT_ENV_VAULTS
+    } else {
+      return DEFAULT_ENVS // default to .env file expectation
+    }
+  } else {
+    let fileAlreadySpecified = false // can be .env or .env.vault type
+
+    for (const env of envs) {
+      // if DOTENV_KEY set then we are checking if a .env.vault file is already specified
+      if (DOTENV_KEY.length > 0 && env.type === TYPE_ENV_VAULT_FILE) {
+        fileAlreadySpecified = true
+      }
+
+      // if DOTENV_KEY not set then we are checking if a .env file is already specified
+      if (DOTENV_KEY.length <= 0 && env.type === TYPE_ENV_FILE) {
+        fileAlreadySpecified = true
+      }
+    }
+
+    // return early since envs array objects already contain 1 .env.vault or .env file
+    if (fileAlreadySpecified) {
+      return envs
+    }
+
+    // no .env.vault or .env file specified as a flag so we assume either .env.vault (if dotenv key is set) or a .env file
+    if (DOTENV_KEY.length > 0) {
+      // if DOTENV_KEY is set then default to look for .env.vault file
+      return [...DEFAULT_ENV_VAULTS, ...envs]
+    } else {
+      // if no DOTENV_KEY then default to look for .env file
+      return [...DEFAULT_ENVS, ...envs]
+    }
+  }
+}
+
+module.exports = determineEnvs

package/src/lib/helpers/dotenvPrivateKeyNames.js

@@ -0,0 +1,7 @@
+const PRIVATE_KEY_NAME_SCHEMA = 'DOTENV_PRIVATE_KEY'
+
+function dotenvPrivateKeyNames (processEnv) {
+  return Object.keys(processEnv).filter(key => key.startsWith(PRIVATE_KEY_NAME_SCHEMA))
+}
+
+module.exports = dotenvPrivateKeyNames

package/src/lib/helpers/findPrivateKey.js

@@ -0,0 +1,33 @@
+const path = require('path')
+const childProcess = require('child_process')
+
+// helpers
+const guessPrivateKeyName = require('./guessPrivateKeyName')
+
+// services
+const Keypair = require('./../services/keypair')
+
+function findPrivateKey (envFilepath) {
+  const privateKeyName = guessPrivateKeyName(envFilepath)
+
+  let privateKey
+  try {
+    // if installed as sibling module
+    const projectRoot = path.resolve(process.cwd())
+    const dotenvxProPath = require.resolve('@dotenvx/dotenvx-pro', { paths: [projectRoot] })
+    const { keypair } = require(dotenvxProPath)
+    privateKey = keypair(envFilepath, privateKeyName)
+  } catch (_e) {
+    try {
+      // if installed as binary cli
+      privateKey = childProcess.execSync(`dotenvx-pro keypair ${privateKeyName} -f ${envFilepath}`, { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
+    } catch (_e) {
+      // fallback to local KeyPair - smart enough to handle process.env, .env.keys, etc
+      privateKey = new Keypair(envFilepath, privateKeyName).run()
+    }
+  }
+
+  return privateKey
+}
+
+module.exports = findPrivateKey

package/src/lib/helpers/findPublicKey.js

@@ -0,0 +1,33 @@
+const path = require('path')
+const childProcess = require('child_process')
+
+// helpers
+const guessPublicKeyName = require('./guessPublicKeyName')
+
+// services
+const Keypair = require('./../services/keypair')
+
+function findPublicKey (envFilepath) {
+  const publicKeyName = guessPublicKeyName(envFilepath)
+
+  let publicKey
+  try {
+    // if installed as sibling module
+    const projectRoot = path.resolve(process.cwd())
+    const dotenvxProPath = require.resolve('@dotenvx/dotenvx-pro', { paths: [projectRoot] })
+    const { keypair } = require(dotenvxProPath)
+    publicKey = keypair(envFilepath, publicKeyName)
+  } catch (_e) {
+    try {
+      // if installed as binary cli
+      publicKey = childProcess.execSync(`dotenvx-pro keypair ${publicKeyName} -f ${envFilepath}`, { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
+    } catch (_e) {
+      // fallback to local KeyPair - smart enough to handle process.env, .env.keys, etc
+      publicKey = new Keypair(envFilepath, publicKeyName).run()
+    }
+  }
+
+  return publicKey
+}
+
+module.exports = findPublicKey

package/src/lib/helpers/isEncrypted.js

@@ -1,6 +1,6 @@
 const ENCRYPTION_PATTERN = /^encrypted:.+/
 
-function isEncrypted (key, value) {
+function isEncrypted (value) {
   return ENCRYPTION_PATTERN.test(value)
 }
 

package/src/lib/helpers/isFullyEncrypted.js

@@ -7,7 +7,7 @@ function isFullyEncrypted (src) {
   const parsed = dotenv.parse(src)
 
   for (const [key, value] of Object.entries(parsed)) {
-    const result = isEncrypted(key, value) || isPublicKey(key, value)
+    const result = isEncrypted(value) || isPublicKey(key, value)
     if (!result) {
       return false
     }

package/src/lib/main.d.ts

@@ -203,10 +203,10 @@ export function ls(
  */
 export function get(
   key?: string,
-  envs: string[] = [],
-  overload = false,
-  DOTENV_KEY = '',
-  all = false
+  envs?: string[],
+  overload?: boolean,
+  DOTENV_KEY?: string,
+  all?: boolean
 ): Record<string, string | undefined> | string | undefined;
 
 export type SetOutput = {