@dotenvx/dotenvx 1.55.0 → 1.56.0

package/src/lib/services/encrypt.js

@@ -5,23 +5,31 @@ const picomatch = require('picomatch')
 const TYPE_ENV_FILE = 'envFile'
 
 const Errors = require('./../helpers/errors')
-const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
-const guessPublicKeyName = require('./../helpers/guessPublicKeyName')
-const encryptValue = require('./../helpers/encryptValue')
-const isEncrypted = require('./../helpers/isEncrypted')
-const dotenvParse = require('./../helpers/dotenvParse')
+
+const {
+  determine
+} = require('./../helpers/envResolution')
+
+const {
+  keyNames,
+  keyValues
+} = require('./../helpers/keyResolution')
+
+const {
+  encryptValue,
+  isEncrypted,
+  isPublicKey,
+  provision,
+  provisionWithPrivateKey
+} = require('./../helpers/cryptography')
+
 const replace = require('./../helpers/replace')
+const dotenvParse = require('./../helpers/dotenvParse')
 const detectEncoding = require('./../helpers/detectEncoding')
-const determineEnvs = require('./../helpers/determineEnvs')
-const { findPrivateKey } = require('./../helpers/findPrivateKey')
-const findPublicKey = require('./../helpers/findPublicKey')
-const keypair = require('./../helpers/keypair')
-const truncate = require('./../helpers/truncate')
-const isPublicKey = require('./../helpers/isPublicKey')
 
 class Encrypt {
-  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = true) {
-    this.envs = determineEnvs(envs, process.env)
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = false) {
+    this.envs = determine(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
     this.envKeysFilepath = envKeysFilepath
@@ -62,105 +70,36 @@ class Encrypt {
     row.keys = []
     row.type = TYPE_ENV_FILE
 
-    const filename = path.basename(envFilepath)
     const filepath = path.resolve(envFilepath)
     row.filepath = filepath
     row.envFilepath = envFilepath
 
     try {
-      const encoding = this._detectEncoding(filepath)
+      const encoding = detectEncoding(filepath)
       let envSrc = fsx.readFileX(filepath, { encoding })
       const envParsed = dotenvParse(envSrc)
 
       let publicKey
       let privateKey
 
-      const publicKeyName = guessPublicKeyName(envFilepath)
-      const privateKeyName = guessPrivateKeyName(envFilepath)
-      const existingPublicKey = findPublicKey(envFilepath)
-      const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath, this.opsOn, existingPublicKey)
-
-      let envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
-      if (this.envKeysFilepath) {
-        envKeysFilepath = path.resolve(this.envKeysFilepath)
-      }
-      const relativeFilepath = path.relative(path.dirname(filepath), envKeysFilepath)
-
-      if (existingPrivateKey) {
-        // throw new Error('implement for remote Ops existingPrivateKey')
-        const kp = keypair(existingPrivateKey)
-        publicKey = kp.publicKey
-        privateKey = kp.privateKey
-
-        // if derivation doesn't match what's in the file (or preset in env)
-        if (existingPublicKey && existingPublicKey !== publicKey) {
-          const error = new Error(`derived public key (${truncate(publicKey)}) does not match the existing public key (${truncate(existingPublicKey)})`)
-          error.code = 'INVALID_DOTENV_PRIVATE_KEY'
-          error.help = `debug info: ${privateKeyName}=${truncate(existingPrivateKey)} (derived ${publicKeyName}=${truncate(publicKey)} vs existing ${publicKeyName}=${truncate(existingPublicKey)})`
-          throw error
-        }
-
-        // typical scenario when encrypting a monorepo second .env file from a prior generated -fk .env.keys file
-        if (!existingPublicKey) {
-          const ps = this._preserveShebang(envSrc)
-          const firstLinePreserved = ps.firstLinePreserved
-          envSrc = ps.envSrc
-
-          const prependPublicKey = this._prependPublicKey(publicKeyName, publicKey, filename, relativeFilepath)
-
-          envSrc = `${firstLinePreserved}${prependPublicKey}\n${envSrc}`
-        }
-      } else if (existingPublicKey) {
-        // throw new Error('implement for remote Ops existingPrivateKey')
-        publicKey = existingPublicKey
-      } else {
-        // .env.keys
-        let keysSrc = ''
-
-        if (fsx.existsSync(envKeysFilepath)) {
-          keysSrc = fsx.readFileX(envKeysFilepath)
-        }
-
-        const ps = this._preserveShebang(envSrc)
-        const firstLinePreserved = ps.firstLinePreserved
-        envSrc = ps.envSrc
-
-        // TODO: instead get this from API
-        const kp = keypair() // generates a fresh keypair in memory
-        publicKey = kp.publicKey
-        privateKey = kp.privateKey
-        // Ops hook point (first-time key generation):
-        // if Ops is installed and opsOff is not set, send privateKey/privateKeyName/envFilepath
-        // to your Ops service before persisting or immediately after writing below.
-
-        const prependPublicKey = this._prependPublicKey(publicKeyName, publicKey, filename, relativeFilepath)
-
-        // privateKey
-        const firstTimeKeysSrc = [
-          '#/------------------!DOTENV_PRIVATE_KEYS!-------------------/',
-          '#/ private decryption keys. DO NOT commit to source control /',
-          '#/     [how it works](https://dotenvx.com/encryption)       /',
-          // '#/           backup with: `dotenvx ops backup`              /',
-          '#/----------------------------------------------------------/'
-        ].join('\n')
-        const appendPrivateKey = [
-          `# ${filename}`,
-          `${privateKeyName}=${privateKey}`,
-          ''
-        ].join('\n')
-
-        envSrc = `${firstLinePreserved}${prependPublicKey}\n${envSrc}`
-        keysSrc = keysSrc.length > 1 ? keysSrc : `${firstTimeKeysSrc}\n`
-        keysSrc = `${keysSrc}\n${appendPrivateKey}`
-
-        // write to .env.keys
-        fsx.writeFileX(envKeysFilepath, keysSrc)
-        // Ops hook point (after persistence):
-        // if Ops is installed and opsOff is not set, trigger backup/registration now that
-        // .env.keys has been written and row.privateKeyAdded will be true for callers.
-
-        row.privateKeyAdded = true
-        row.envKeysFilepath = this.envKeysFilepath || path.join(path.dirname(envFilepath), path.basename(envKeysFilepath))
+      const { publicKeyName, privateKeyName } = keyNames(envFilepath)
+      const { publicKeyValue, privateKeyValue } = keyValues(envFilepath, { keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
+
+      // first pass - provision
+      if (!privateKeyValue && !publicKeyValue) {
+        const prov = provision({ envSrc, envFilepath, keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
+        envSrc = prov.envSrc
+        publicKey = prov.publicKey
+        privateKey = prov.privateKey
+        row.privateKeyAdded = prov.privateKeyAdded
+        row.envKeysFilepath = prov.envKeysFilepath
+      } else if (privateKeyValue) {
+        const prov = provisionWithPrivateKey({ envSrc, envFilepath, keysFilepath: this.envKeysFilepath, privateKeyValue, publicKeyValue, publicKeyName })
+        publicKey = prov.publicKey
+        privateKey = prov.privateKey
+        envSrc = prov.envSrc
+      } else if (publicKeyValue) {
+        publicKey = publicKeyValue
       }
 
       row.publicKey = publicKey
@@ -179,7 +118,7 @@ class Encrypt {
           continue
         }
 
-        const encrypted = isEncrypted(value) || isPublicKey(key, value)
+        const encrypted = isEncrypted(value) || isPublicKey(key)
         if (!encrypted) {
           row.keys.push(key) // track key(s)
 
@@ -224,40 +163,6 @@ class Encrypt {
 
     return this.excludeKey
   }
-
-  _detectEncoding (filepath) {
-    return detectEncoding(filepath)
-  }
-
-  _prependPublicKey (publicKeyName, publicKey, filename, relativeFilepath = '') {
-    const comment = relativeFilepath === '.env.keys' ? '' : ` # ${relativeFilepath}`
-
-    return [
-      '#/-------------------[DOTENV_PUBLIC_KEY]--------------------/',
-      '#/            public-key encryption for .env files          /',
-      '#/       [how it works](https://dotenvx.com/encryption)     /',
-      '#/----------------------------------------------------------/',
-      `${publicKeyName}="${publicKey}"${comment}`,
-      '',
-      `# ${filename}`
-    ].join('\n')
-  }
-
-  _preserveShebang (envSrc) {
-    // preserve shebang
-    const [firstLine, ...remainingLines] = envSrc.split('\n')
-    let firstLinePreserved = ''
-
-    if (firstLine.startsWith('#!')) {
-      firstLinePreserved = firstLine + '\n'
-      envSrc = remainingLines.join('\n')
-    }
-
-    return {
-      firstLinePreserved,
-      envSrc
-    }
-  }
 }
 
 module.exports = Encrypt

package/src/lib/services/get.js

@@ -2,18 +2,18 @@ const Run = require('./run')
 const Errors = require('./../helpers/errors')
 
 class Get {
-  constructor (key, envs = [], overload = false, DOTENV_KEY = '', all = false, envKeysFilepath = null) {
+  constructor (key, envs = [], overload = false, all = false, envKeysFilepath = null, opsOn = true) {
     this.key = key
     this.envs = envs
     this.overload = overload
-    this.DOTENV_KEY = DOTENV_KEY
     this.all = all
     this.envKeysFilepath = envKeysFilepath
+    this.opsOn = opsOn
   }
 
   run () {
     const processEnv = { ...process.env }
-    const { processedEnvs } = new Run(this.envs, this.overload, this.DOTENV_KEY, processEnv, this.envKeysFilepath).run()
+    const { processedEnvs } = new Run(this.envs, this.overload, processEnv, this.envKeysFilepath, this.opsOn).run()
 
     const errors = []
     for (const processedEnv of processedEnvs) {

package/src/lib/services/keypair.js

@@ -1,35 +1,31 @@
-const guessPublicKeyName = require('./../helpers/guessPublicKeyName')
-const smartDotenvPublicKey = require('./../helpers/smartDotenvPublicKey')
-const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
-const smartDotenvPrivateKey = require('./../helpers/smartDotenvPrivateKey')
+const {
+  keyNames,
+  keyValues
+} = require('./../helpers/keyResolution')
 
 class Keypair {
-  constructor (envFile = '.env', envKeysFilepath = null) {
+  constructor (envFile = '.env', envKeysFilepath = null, opsOn = false) {
     this.envFile = envFile
     this.envKeysFilepath = envKeysFilepath
+    this.opsOn = opsOn
   }
 
   run () {
     const out = {}
 
-    const envFilepaths = this._envFilepaths()
-    for (const envFilepath of envFilepaths) {
-      // public key
-      const publicKeyName = guessPublicKeyName(envFilepath)
-      const publicKeyValue = smartDotenvPublicKey(envFilepath)
-      out[publicKeyName] = publicKeyValue
-
-      // private key
-      const privateKeyName = guessPrivateKeyName(envFilepath)
-      const privateKeyValue = smartDotenvPrivateKey(envFilepath, this.envKeysFilepath)
+    const filepaths = this._filepaths()
+    for (const filepath of filepaths) {
+      const { publicKeyName, privateKeyName } = keyNames(filepath)
+      const { publicKeyValue, privateKeyValue } = keyValues(filepath, { keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
 
+      out[publicKeyName] = publicKeyValue
       out[privateKeyName] = privateKeyValue
     }
 
     return out
   }
 
-  _envFilepaths () {
+  _filepaths () {
     if (!Array.isArray(this.envFile)) {
       return [this.envFile]
     }

package/src/lib/services/prebuild.js

@@ -41,13 +41,13 @@ class Prebuild {
 
       // check if that file is being ignored
       if (ig.ignores(file)) {
-        if (file === '.env.example' || file === '.env.vault' || file === '.env.x') {
+        if (file === '.env.example' || file === '.env.x') {
           const warning = new Error(`[dotenvx@${packageJson.version}][prebuild] ${file} (currently ignored but should not be)`)
           warning.help = `[dotenvx@${packageJson.version}][prebuild] ⮕  run [dotenvx ext gitignore --pattern !${file}]`
           warnings.push(warning)
         }
       } else {
-        if (file !== '.env.example' && file !== '.env.vault' && file !== '.env.x') {
+        if (file !== '.env.example' && file !== '.env.x') {
           const src = fsx.readFileX(file)
           const encrypted = isFullyEncrypted(src)
 

package/src/lib/services/precommit.js

@@ -57,13 +57,13 @@ class Precommit {
         if (this._isFileToBeCommitted(file)) {
           // check if that file is being ignored
           if (ig.ignores(file)) {
-            if (file === '.env.example' || file === '.env.vault' || file === '.env.x') {
+            if (file === '.env.example' || file === '.env.x') {
               const warning = new Error(`[dotenvx@${packageJson.version}][precommit] ${file} (currently ignored but should not be)`)
               warning.help = `[dotenvx@${packageJson.version}][precommit] ⮕  run [dotenvx ext gitignore --pattern !${file}]`
               warnings.push(warning)
             }
           } else {
-            if (file !== '.env.example' && file !== '.env.vault' && file !== '.env.x') {
+            if (file !== '.env.example' && file !== '.env.x') {
               const src = fsx.readFileX(file)
               const encrypted = isFullyEncrypted(src)
 

package/src/lib/services/rotate.js

@@ -5,26 +5,36 @@ const picomatch = require('picomatch')
 const TYPE_ENV_FILE = 'envFile'
 
 const Errors = require('./../helpers/errors')
-const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
-const guessPublicKeyName = require('./../helpers/guessPublicKeyName')
-const encryptValue = require('./../helpers/encryptValue')
-const isEncrypted = require('./../helpers/isEncrypted')
-const dotenvParse = require('./../helpers/dotenvParse')
-const replace = require('./../helpers/replace')
+
+const {
+  determine
+} = require('./../helpers/envResolution')
+
+const {
+  keyNames,
+  keyValues
+} = require('./../helpers/keyResolution')
+
+const {
+  opsKeypair,
+  localKeypair,
+  encryptValue,
+  decryptKeyValue,
+  isEncrypted
+} = require('./../helpers/cryptography')
+
 const append = require('./../helpers/append')
+const replace = require('./../helpers/replace')
+const dotenvParse = require('./../helpers/dotenvParse')
 const detectEncoding = require('./../helpers/detectEncoding')
-const determineEnvs = require('./../helpers/determineEnvs')
-const { findPrivateKey } = require('./../helpers/findPrivateKey')
-const findPublicKey = require('./../helpers/findPublicKey')
-const decryptKeyValue = require('./../helpers/decryptKeyValue')
-const keypair = require('./../helpers/keypair')
 
 class Rotate {
-  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null) {
-    this.envs = determineEnvs(envs, process.env)
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = false) {
+    this.envs = determine(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
     this.envKeysFilepath = envKeysFilepath
+    this.opsOn = opsOn
 
     this.processedEnvs = []
     this.changedFilepaths = new Set()
@@ -68,33 +78,44 @@ class Rotate {
     row.envFilepath = envFilepath
 
     try {
-      const encoding = this._detectEncoding(filepath)
+      const encoding = detectEncoding(filepath)
       let envSrc = fsx.readFileX(filepath, { encoding })
       const envParsed = dotenvParse(envSrc)
 
-      const publicKeyName = guessPublicKeyName(envFilepath)
-      const privateKeyName = guessPrivateKeyName(envFilepath)
-      const existingPublicKey = findPublicKey(envFilepath)
-      const existingPrivateKey = findPrivateKey(envFilepath, this.envKeysFilepath, false, existingPublicKey)
+      const { publicKeyName, privateKeyName } = keyNames(envFilepath)
+      const { privateKeyValue } = keyValues(envFilepath, { keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
 
-      let envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
-      if (this.envKeysFilepath) {
-        envKeysFilepath = path.resolve(this.envKeysFilepath)
-      }
-      const keysEncoding = this._detectEncoding(envKeysFilepath)
+      let newPublicKey
+      let newPrivateKey
+      let envKeysFilepath
+      let envKeysSrc
 
-      row.envKeysFilepath = envKeysFilepath
-      this.envKeysSources[envKeysFilepath] ||= fsx.readFileX(envKeysFilepath, { encoding: keysEncoding })
-      let envKeysSrc = this.envKeysSources[envKeysFilepath]
+      if (this.opsOn) {
+        const kp = opsKeypair()
+        newPublicKey = kp.publicKey
+        newPrivateKey = kp.privateKey
 
-      // new keypair
-      const nkp = keypair() // generates a fresh keypair in memory
-      const newPublicKey = nkp.publicKey
-      const newPrivateKey = nkp.privateKey
+        row.privateKeyAdded = false // TODO: change to localPrivateKeyAdded
+      } else {
+        envKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
+        if (this.envKeysFilepath) {
+          envKeysFilepath = path.resolve(this.envKeysFilepath)
+        }
+        row.envKeysFilepath = envKeysFilepath
+        this.envKeysSources[envKeysFilepath] ||= fsx.readFileX(envKeysFilepath, { encoding: detectEncoding(envKeysFilepath) })
+        envKeysSrc = this.envKeysSources[envKeysFilepath]
+
+        const kp = localKeypair()
+        newPublicKey = kp.publicKey
+        newPrivateKey = kp.privateKey
+
+        row.privateKeyAdded = true
+      }
 
       // .env
       envSrc = replace(envSrc, publicKeyName, newPublicKey) // replace publicKey
       row.changed = true // track change
+
       for (const [key, value] of Object.entries(envParsed)) { // re-encrypt each individual key
         // key excluded - don't re-encrypt it
         if (this.exclude(key)) {
@@ -109,22 +130,22 @@ class Rotate {
         if (isEncrypted(value)) { // only re-encrypt those already encrypted
           row.keys.push(key) // track key(s)
 
-          const decryptedValue = decryptKeyValue(key, value, privateKeyName, existingPrivateKey) // get decrypted value
-
+          const decryptedValue = decryptKeyValue(key, value, privateKeyName, privateKeyValue) // get decrypted value
           const encryptedValue = encryptValue(decryptedValue, newPublicKey) // encrypt with the new publicKey
 
           envSrc = replace(envSrc, key, encryptedValue)
         }
       }
       row.envSrc = envSrc
-
-      // .env.keys - TODO: for dotenvx pro .env.keys file does not exist
-      row.privateKeyAdded = true
       row.privateKeyName = privateKeyName
       row.privateKey = newPrivateKey
-      envKeysSrc = append(envKeysSrc, privateKeyName, newPrivateKey) // append privateKey
-      this.envKeysSources[envKeysFilepath] = envKeysSrc
-      row.envKeysSrc = envKeysSrc
+
+      if (!this.opsOn) {
+        // keys src only for ops
+        envKeysSrc = append(envKeysSrc, privateKeyName, newPrivateKey) // append privateKey
+        this.envKeysSources[envKeysFilepath] = envKeysSrc
+        row.envKeysSrc = envKeysSrc
+      }
 
       this.changedFilepaths.add(envFilepath)
     } catch (e) {
@@ -153,10 +174,6 @@ class Rotate {
 
     return this.excludeKey
   }
-
-  _detectEncoding (filepath) {
-    return detectEncoding(filepath)
-  }
 }
 
 module.exports = Rotate

package/src/lib/services/run.js

@@ -3,24 +3,24 @@ const path = require('path')
 
 const TYPE_ENV = 'env'
 const TYPE_ENV_FILE = 'envFile'
-const TYPE_ENV_VAULT_FILE = 'envVaultFile'
 
-const decrypt = require('./../helpers/decrypt')
 const Parse = require('./../helpers/parse')
 const Errors = require('./../helpers/errors')
-const dotenvParse = require('./../helpers/dotenvParse')
-const parseEnvironmentFromDotenvKey = require('./../helpers/parseEnvironmentFromDotenvKey')
 const detectEncoding = require('./../helpers/detectEncoding')
-const { findPrivateKey } = require('./../helpers/findPrivateKey')
-const findPublicKey = require('./../helpers/findPublicKey')
-const guessPrivateKeyName = require('./../helpers/guessPrivateKeyName')
-const determineEnvs = require('./../helpers/determineEnvs')
+
+const {
+  keyNames,
+  keyValues
+} = require('./../helpers/keyResolution')
+
+const {
+  determine
+} = require('./../helpers/envResolution')
 
 class Run {
-  constructor (envs = [], overload = false, DOTENV_KEY = '', processEnv = process.env, envKeysFilepath = null, opsOn = true) {
-    this.envs = determineEnvs(envs, processEnv, DOTENV_KEY)
+  constructor (envs = [], overload = false, processEnv = process.env, envKeysFilepath = null, opsOn = false) {
+    this.envs = determine(envs, processEnv)
     this.overload = overload
-    this.DOTENV_KEY = DOTENV_KEY
     this.processEnv = processEnv
     this.envKeysFilepath = envKeysFilepath
     this.opsOn = opsOn
@@ -35,16 +35,13 @@ class Run {
   run () {
     // example
     // envs [
-    //   { type: 'envVaultFile', value: '.env.vault' },
     //   { type: 'env', value: 'HELLO=one' },
     //   { type: 'envFile', value: '.env' },
     //   { type: 'env', value: 'HELLO=three' }
     // ]
 
     for (const env of this.envs) {
-      if (env.type === TYPE_ENV_VAULT_FILE) { // deprecate someday - for deprecated .env.vault files
-        this._injectEnvVaultFile(env.value)
-      } else if (env.type === TYPE_ENV_FILE) {
+      if (env.type === TYPE_ENV_FILE) {
         this._injectEnvFile(env.value)
       } else if (env.type === TYPE_ENV) {
         this._injectEnv(env.value)
@@ -67,7 +64,13 @@ class Run {
     row.string = env
 
     try {
-      const { parsed, errors, injected, preExisted } = new Parse(env, null, this.processEnv, this.overload).run()
+      const {
+        parsed,
+        errors,
+        injected,
+        preExisted
+      } = new Parse(env, null, this.processEnv, this.overload).run()
+
       row.parsed = parsed
       row.errors = errors
       row.injected = injected
@@ -98,13 +101,18 @@ class Run {
       const src = fsx.readFileX(filepath, { encoding })
       this.readableFilepaths.add(envFilepath)
 
-      const publicKey = findPublicKey(envFilepath)
-      const privateKey = findPrivateKey(envFilepath, this.envKeysFilepath, this.opsOn, publicKey)
-      const privateKeyName = guessPrivateKeyName(envFilepath)
-      const { parsed, errors, injected, preExisted } = new Parse(src, privateKey, this.processEnv, this.overload, privateKeyName).run()
+      const { privateKeyName } = keyNames(filepath)
+      const { privateKeyValue } = keyValues(filepath, { keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
+
+      const {
+        parsed,
+        errors,
+        injected,
+        preExisted
+      } = new Parse(src, privateKeyValue, this.processEnv, this.overload, privateKeyName).run()
 
       row.privateKeyName = privateKeyName
-      row.privateKey = privateKey
+      row.privateKey = privateKeyValue
       row.src = src
       row.parsed = parsed
       row.errors = errors
@@ -127,102 +135,11 @@ class Run {
     this.processedEnvs.push(row)
   }
 
-  _injectEnvVaultFile (envVaultFilepath) {
-    const row = {}
-    row.type = TYPE_ENV_VAULT_FILE
-    row.filepath = envVaultFilepath
-
-    const filepath = path.resolve(envVaultFilepath)
-    this.readableFilepaths.add(envVaultFilepath)
-
-    if (!fsx.existsSync(filepath)) {
-      const code = 'MISSING_ENV_VAULT_FILE'
-      const message = `you set DOTENV_KEY but your .env.vault file is missing: ${filepath}`
-      const error = new Error(message)
-      error.code = code
-      throw error
-    }
-
-    if (this.DOTENV_KEY.length < 1) {
-      const code = 'MISSING_DOTENV_KEY'
-      const message = `your DOTENV_KEY appears to be blank: '${this.DOTENV_KEY}'`
-      const error = new Error(message)
-      error.code = code
-      throw error
-    }
-
-    let decrypted
-    const dotenvKeys = this._dotenvKeys()
-    const parsedVault = this._parsedVault(filepath)
-    for (let i = 0; i < dotenvKeys.length; i++) {
-      try {
-        const dotenvKey = dotenvKeys[i].trim() // dotenv://key_1234@...?environment=prod
-
-        decrypted = this._decrypted(dotenvKey, parsedVault)
-
-        break
-      } catch (error) {
-        // last key
-        if (i + 1 >= dotenvKeys.length) {
-          throw error
-        }
-        // try next key
-      }
-    }
-
-    try {
-      // parse this. it's the equivalent of the .env file
-      const { parsed, errors, injected, preExisted } = new Parse(decrypted, null, this.processEnv, this.overload).run()
-      row.parsed = parsed
-      row.errors = errors
-      row.injected = injected
-      row.preExisted = preExisted
-
-      this.inject(row.parsed) // inject
-
-      for (const key of Object.keys(injected)) {
-        this.uniqueInjectedKeys.add(key) // track uniqueInjectedKeys across multiple files
-      }
-    } catch (e) {
-      row.errors = [e]
-    }
-
-    this.processedEnvs.push(row)
-  }
-
   inject (parsed) {
     for (const key of Object.keys(parsed)) {
       this.processEnv[key] = parsed[key] // inject to process.env
     }
   }
-
-  // handle scenario for comma separated keys - for use with key rotation
-  // example: DOTENV_KEY="dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=prod,dotenv://:key_7890@dotenvx.com/vault/.env.vault?environment=prod"
-  _dotenvKeys () {
-    return this.DOTENV_KEY.split(',')
-  }
-
-  // { "DOTENV_VAULT_DEVELOPMENT": "<ciphertext>" }
-  _parsedVault (filepath) {
-    const src = fsx.readFileX(filepath)
-    return dotenvParse(src)
-  }
-
-  _decrypted (dotenvKey, parsedVault) {
-    const environment = parseEnvironmentFromDotenvKey(dotenvKey)
-
-    // DOTENV_KEY_PRODUCTION
-    const environmentKey = `DOTENV_VAULT_${environment.toUpperCase()}`
-    const ciphertext = parsedVault[environmentKey]
-    if (!ciphertext) {
-      const error = new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: cannot locate environment ${environmentKey} in your .env.vault file`)
-      error.code = 'NOT_FOUND_DOTENV_ENVIRONMENT'
-
-      throw error
-    }
-
-    return decrypt(ciphertext, dotenvKey)
-  }
 }
 
 module.exports = Run