@dotenvx/dotenvx 1.55.1 → 1.56.0

package/CHANGELOG.md

@@ -2,7 +2,18 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.55.1...main)
+[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.56.0...main)
+
+## [1.56.0](https://github.com/dotenvx/dotenvx/compare/v1.55.1...v1.56.0) (2026-03-19)
+
+### Changed
+
+- `ops off` flag — now respected by `get`, `keypair`, `rotate`, and `encrypt` ([#750](https://github.com/dotenvx/dotenvx/pull/750))
+- `--pp` alias — added as shorthand for `--pretty-print`; toward sunsetting `-pp` ([#750](https://github.com/dotenvx/dotenvx/pull/750))
+
+### Removed
+
+* Remove support for `.env.vault` files ([#750](https://github.com/dotenvx/dotenvx/pull/750))
 
 ## [1.55.1](https://github.com/dotenvx/dotenvx/compare/v1.55.0...v1.55.1) (2026-03-13)
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.55.1",
+  "version": "1.56.0",
   "name": "@dotenvx/dotenvx",
   "description": "a secure dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -35,8 +35,8 @@
   "scripts": {
     "standard": "standard",
     "standard:fix": "standard --fix",
-    "test": "tap run --allow-empty-coverage --disable-coverage --timeout=60000",
-    "test-coverage": "tap run --show-full-coverage --timeout=60000",
+    "test": "tap run --test-env=DOTENVX_OPS_OFF=true --allow-empty-coverage --disable-coverage --timeout=60000",
+    "test-coverage": "tap run --test-env=DOTENVX_OPS_OFF=true --show-full-coverage --timeout=60000",
     "testshell": "bash shellspec",
     "prerelease": "npm test && npm run testshell",
     "release": "standard-version"

package/src/cli/actions/encrypt.js

@@ -62,9 +62,6 @@ function encrypt () {
 
       for (const processedEnv of processedEnvs) {
         if (processedEnv.privateKeyAdded) {
-          // Ops hook point (first-time key created for this env file):
-          // gate with `opsOn` and an Ops-installed check before calling your
-          // Ops service (for example: backup/register processedEnv.privateKey).
           logger.success(`✔ key added to .env.keys (${processedEnv.privateKeyName})`)
           // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
 

package/src/cli/actions/get.js

@@ -12,6 +12,7 @@ function get (key) {
 
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
+  const prettyPrint = options.prettyPrint || options.pp
 
   const ignore = options.ignore || []
 
@@ -24,7 +25,8 @@ function get (key) {
   }
 
   try {
-    const { parsed, errors } = new Get(key, envs, options.overload, process.env.DOTENV_KEY, options.all, options.envKeysFile).run()
+    const opsOn = options.opsOff !== true
+    const { parsed, errors } = new Get(key, envs, options.overload, options.all, options.envKeysFile, opsOn).run()
 
     for (const error of errors || []) {
       if (options.strict) throw error // throw immediately if strict
@@ -65,7 +67,7 @@ function get (key) {
         console.log(inline)
       } else {
         let space = 0
-        if (options.prettyPrint) {
+        if (prettyPrint) {
           space = 2
         }
 

package/src/cli/actions/keypair.js

@@ -9,8 +9,9 @@ function keypair (key) {
 
   const options = this.opts()
   logger.debug(`options: ${JSON.stringify(options)}`)
+  const prettyPrint = options.prettyPrint || options.pp
 
-  const results = main.keypair(options.envFile, key, options.envKeysFile)
+  const results = main.keypair(options.envFile, key, options.envKeysFile, options.opsOff)
 
   if (typeof results === 'object' && results !== null) {
     // inline shell format - env $(dotenvx keypair --format=shell) your-command
@@ -25,7 +26,7 @@ function keypair (key) {
     // json format
     } else {
       let space = 0
-      if (options.prettyPrint) {
+      if (prettyPrint) {
         space = 2
       }
 

package/src/cli/actions/rotate.js

@@ -11,17 +11,20 @@ function rotate () {
   logger.debug(`options: ${JSON.stringify(options)}`)
 
   const envs = this.envs
+  const opsOn = options.opsOff !== true
 
   // stdout - should not have a try so that exit codes can surface to stdout
   if (options.stdout) {
     const {
       processedEnvs
-    } = new Rotate(envs, options.key, options.excludeKey, options.envKeysFile).run()
+    } = new Rotate(envs, options.key, options.excludeKey, options.envKeysFile, opsOn).run()
 
     for (const processedEnv of processedEnvs) {
       console.log(processedEnv.envSrc)
-      console.log('')
-      console.log(processedEnv.envKeysSrc)
+      if (processedEnv.privateKeyAdded) {
+        console.log('')
+        console.log(processedEnv.envKeysSrc)
+      }
     }
     process.exit(0) // exit early
   } else {
@@ -30,7 +33,7 @@ function rotate () {
         processedEnvs,
         changedFilepaths,
         unchangedFilepaths
-      } = new Rotate(envs, options.key, options.excludeKey, options.envKeysFile).run()
+      } = new Rotate(envs, options.key, options.excludeKey, options.envKeysFile, opsOn).run()
 
       for (const processedEnv of processedEnvs) {
         logger.verbose(`rotating ${processedEnv.envFilepath} (${processedEnv.filepath})`)
@@ -46,7 +49,9 @@ function rotate () {
           }
         } else if (processedEnv.changed) {
           fsx.writeFileX(processedEnv.filepath, processedEnv.envSrc)
-          fsx.writeFileX(processedEnv.envKeysFilepath, processedEnv.envKeysSrc)
+          if (processedEnv.privateKeyAdded) {
+            fsx.writeFileX(processedEnv.envKeysFilepath, processedEnv.envKeysSrc)
+          }
 
           logger.verbose(`rotated ${processedEnv.envFilepath} (${processedEnv.filepath})`)
         } else {

package/src/cli/actions/run.js

@@ -5,7 +5,6 @@ const executeCommand = require('./../../lib/helpers/executeCommand')
 const Run = require('./../../lib/services/run')
 
 const conventions = require('./../../lib/helpers/conventions')
-const DeprecationNotice = require('./../../lib/helpers/deprecationNotice')
 
 async function run () {
   const commandArgs = this.args
@@ -41,26 +40,14 @@ async function run () {
       envs = this.envs
     }
 
-    new DeprecationNotice().dotenvKey() // DEPRECATION NOTICE
-
     const {
       processedEnvs,
       readableStrings,
       readableFilepaths,
       uniqueInjectedKeys
-    } = new Run(envs, options.overload, process.env.DOTENV_KEY, process.env, options.envKeysFile, opsOn).run()
-
-    if (opsOn) {
-      // removed radar feature for now. contact me at mot@dotenvx.com if still needed for your organization.
-      // try { new Ops().observe({ beforeEnv, processedEnvs, afterEnv }) } catch {}
-    }
+    } = new Run(envs, options.overload, process.env, options.envKeysFile, opsOn).run()
 
     for (const processedEnv of processedEnvs) {
-      if (processedEnv.type === 'envVaultFile') {
-        logger.verbose(`loading env from encrypted ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
-        logger.debug(`decrypting encrypted env from ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
-      }
-
       if (processedEnv.type === 'envFile') {
         logger.verbose(`loading env from ${processedEnv.filepath} (${path.resolve(processedEnv.filepath)})`)
       }

package/src/cli/actions/set.js

@@ -22,12 +22,13 @@ function set (key, value) {
   try {
     const envs = this.envs
     const envKeysFilepath = options.envKeysFile
+    const opsOn = options.opsOff !== true
 
     const {
       processedEnvs,
       changedFilepaths,
       unchangedFilepaths
-    } = new Sets(key, value, envs, encrypt, envKeysFilepath).run()
+    } = new Sets(key, value, envs, encrypt, envKeysFilepath, opsOn).run()
 
     let withEncryption = ''
 
@@ -65,7 +66,7 @@ function set (key, value) {
     }
 
     for (const processedEnv of processedEnvs) {
-      if (processedEnv.privateKeyAdded) {
+      if (processedEnv.privateKeyAdded) { // TODO: change to localPrivateKeyAdded
         logger.success(`✔ key added to ${processedEnv.envKeysFilepath} (${processedEnv.privateKeyName})`)
         // logger.help('⮕  optional: [dotenvx ops backup] to securely backup private key')
 

package/src/cli/commands/ext.js

@@ -10,9 +10,6 @@ ext
   .description('🔌 extensions')
   .allowUnknownOption()
 
-// list known extensions here you want to display
-ext.addHelpText('after', '  vault                             🔐 manage .env.vault files')
-
 ext
   .argument('[command]', 'dynamic ext command')
   .argument('[args...]', 'dynamic ext command arguments')

package/src/cli/dotenvx.js

@@ -13,6 +13,9 @@ const executeDynamic = require('./../lib/helpers/executeDynamic')
 const removeDynamicHelpSection = require('./../lib/helpers/removeDynamicHelpSection')
 const removeOptionsHelpParts = require('./../lib/helpers/removeOptionsHelpParts')
 
+const Session = require('./../db/session')
+const sesh = new Session()
+
 // for use with run
 const envs = []
 function collectEnvs (type) {
@@ -68,12 +71,11 @@ program.command('run')
   .option('-e, --env <strings...>', 'environment variable(s) set as string (example: "HELLO=World")', collectEnvs('env'), [])
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
-  .option('-fv, --env-vault-file <paths...>', 'path(s) to your .env.vault file(s)', collectEnvs('envVaultFile'), [])
   .option('-o, --overload', 'override existing env variables (by default, existing env vars take precedence over .env files)')
   .option('--strict', 'process.exit(1) on any errors', false)
   .option('--convention <name>', 'load a .env convention (available conventions: [\'nextjs\', \'flow\'])')
   .option('--ignore <errorCodes...>', 'error code(s) to ignore (example: --ignore=MISSING_ENV_FILE)')
-  .option('--ops-off', 'disable dotenvx-ops features', false)
+  .option('--ops-off', 'disable dotenvx-ops features', sesh.opsOff())
   .action(function (...args) {
     this.envs = envs
     runAction.apply(this, args)
@@ -88,15 +90,15 @@ program.command('get')
   .option('-e, --env <strings...>', 'environment variable(s) set as string (example: "HELLO=World")', collectEnvs('env'), [])
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)', collectEnvs('envFile'), [])
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
-  .option('-fv, --env-vault-file <paths...>', 'path(s) to your .env.vault file(s)', collectEnvs('envVaultFile'), [])
   .option('-o, --overload', 'override existing env variables (by default, existing env vars take precedence over .env files)')
   .option('--strict', 'process.exit(1) on any errors', false)
   .option('--convention <name>', 'load a .env convention (available conventions: [\'nextjs\', \'flow\'])')
   .option('--ignore <errorCodes...>', 'error code(s) to ignore (example: --ignore=MISSING_ENV_FILE)')
   .option('-a, --all', 'include all machine envs as well')
   .option('-pp, --pretty-print', 'pretty print output')
+  .option('--pp', 'pretty print output (alias)')
   .option('--format <type>', 'format of the output (json, shell, eval)', 'json')
-  .option('--ops-off', 'disable dotenvx-ops features', false)
+  .option('--ops-off', 'disable dotenvx-ops features', sesh.opsOff())
   .action(function (...args) {
     this.envs = envs
     getAction.apply(this, args)
@@ -115,7 +117,7 @@ program.command('set')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-c, --encrypt', 'encrypt value', true)
   .option('-p, --plain', 'store value as plain text', false)
-  .option('--ops-off', 'disable dotenvx-ops features', false)
+  .option('--ops-off', 'disable dotenvx-ops features', sesh.opsOff())
   .action(function (...args) {
     this.envs = envs
     setAction.apply(this, args)
@@ -129,7 +131,7 @@ program.command('encrypt')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-k, --key <keys...>', 'keys(s) to encrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from encryption (default: none)')
-  .option('--ops-off', 'disable dotenvx-ops features', false)
+  .option('--ops-off', 'disable dotenvx-ops features', sesh.opsOff())
   .option('--stdout', 'send to stdout')
   .action(function (...args) {
     this.envs = envs
@@ -144,7 +146,7 @@ program.command('decrypt')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-k, --key <keys...>', 'keys(s) to decrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from decryption (default: none)')
-  .option('--ops-off', 'disable dotenvx-ops features', false)
+  .option('--ops-off', 'disable dotenvx-ops features', sesh.opsOff())
   .option('--stdout', 'send to stdout')
   .action(function (...args) {
     this.envs = envs
@@ -159,8 +161,9 @@ program.command('keypair')
   .argument('[KEY]', 'environment variable key name')
   .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
-  .option('--ops-off', 'disable dotenvx-ops features', false)
+  .option('--ops-off', 'disable dotenvx-ops features', sesh.opsOff())
   .option('-pp, --pretty-print', 'pretty print output')
+  .option('--pp', 'pretty print output (alias)')
   .option('--format <type>', 'format of the output (json, shell)', 'json')
   .action(keypairAction)
 
@@ -181,7 +184,7 @@ program.command('rotate')
   .option('-fk, --env-keys-file <path>', 'path to your .env.keys file (default: same path as your env file)')
   .option('-k, --key <keys...>', 'keys(s) to encrypt (default: all keys in file)')
   .option('-ek, --exclude-key <excludeKeys...>', 'keys(s) to exclude from encryption (default: none)')
-  .option('--ops-off', 'disable dotenvx-ops features', false)
+  .option('--ops-off', 'disable dotenvx-ops features', sesh.opsOff())
   .option('--stdout', 'send to stdout')
   .action(function (...args) {
     this.envs = envs

package/src/db/session.js

@@ -0,0 +1,21 @@
+const Ops = require('./../lib/extensions/ops')
+
+class Session {
+  constructor () {
+    this.ops = new Ops()
+    this.opsStatus = this.ops.status()
+  }
+
+  //
+  // opsOff/On
+  //
+  opsOn () {
+    return this.opsStatus === 'on'
+  }
+
+  opsOff () {
+    return !this.opsOn()
+  }
+}
+
+module.exports = Session

package/src/lib/extensions/ops.js

@@ -0,0 +1,98 @@
+const path = require('path')
+const childProcess = require('child_process')
+
+// const { logger } = require('./../../shared/logger')
+
+class Ops {
+  constructor () {
+    this.opsLib = null
+
+    if (this._isForcedOff()) {
+      return
+    }
+
+    // check npm lib
+    try { this.opsLib = this._opsNpm() } catch (_e) {}
+
+    // check binary cli
+    if (!this.opsLib) {
+      try { this.opsLib = this._opsCli() } catch (_e) {}
+    }
+
+    if (this.opsLib) {
+      // logger.successv(`🛡️ ops: ${this.opsLib.status()}`)
+    }
+  }
+
+  status () {
+    if (this._isForcedOff() || !this.opsLib) {
+      return 'off'
+    }
+
+    return this.opsLib.status()
+  }
+
+  keypair (publicKey) {
+    if (this._isForcedOff() || !this.opsLib) {
+      return {}
+    }
+
+    return this.opsLib.keypair(publicKey)
+  }
+
+  observe (payload) {
+    if (!this._isForcedOff() && this.opsLib && this.opsLib.status() !== 'off') {
+      const encoded = Buffer.from(JSON.stringify(payload)).toString('base64')
+      this.opsLib.observe(encoded)
+    }
+  }
+
+  //
+  // private
+  //
+  _opsNpm () {
+    const npmBin = path.resolve(process.cwd(), 'node_modules/.bin/dotenvx-ops')
+    return this._opsLib(npmBin)
+  }
+
+  _opsCli () {
+    return this._opsLib('dotenvx-ops')
+  }
+
+  _opsLib (binary) {
+    childProcess.execFileSync(binary, ['--version'], { stdio: ['pipe', 'pipe', 'ignore'] })
+
+    return {
+      status: () => {
+        return childProcess.execFileSync(binary, ['status'], { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
+      },
+      keypair: (publicKey) => {
+        const args = ['keypair']
+        if (publicKey) {
+          args.push(publicKey)
+        }
+        const output = childProcess.execFileSync(binary, args, { stdio: ['pipe', 'pipe', 'ignore'] }).toString().trim()
+        const parsed = JSON.parse(output.toString())
+        return parsed
+      },
+      observe: (encoded) => {
+        try {
+          const subprocess = childProcess.spawn(binary, ['observe', encoded], {
+            stdio: 'ignore',
+            detached: true
+          })
+
+          subprocess.unref() // let it run independently
+        } catch (e) {
+          // noop
+        }
+      }
+    }
+  }
+
+  _isForcedOff () {
+    return process.env.DOTENVX_OPS_OFF === 'true'
+  }
+}
+
+module.exports = Ops

package/src/lib/helpers/buildEnvs.js

@@ -1,10 +1,7 @@
-const path = require('path')
-
 const conventions = require('./conventions')
 const dotenvOptionPaths = require('./dotenvOptionPaths')
-const DeprecationNotice = require('./deprecationNotice')
 
-function buildEnvs (options, DOTENV_KEY = undefined) {
+function buildEnvs (options) {
   // build envs using user set option.path
   const optionPaths = dotenvOptionPaths(options) // [ '.env' ]
 
@@ -13,18 +10,8 @@ function buildEnvs (options, DOTENV_KEY = undefined) {
     envs = conventions(options.convention).concat(envs)
   }
 
-  new DeprecationNotice({ DOTENV_KEY }).dotenvKey() // DEPRECATION NOTICE
-
   for (const optionPath of optionPaths) {
-    // if DOTENV_KEY is set then assume we are checking envVaultFile
-    if (DOTENV_KEY) {
-      envs.push({
-        type: 'envVaultFile',
-        value: path.join(path.dirname(optionPath), '.env.vault')
-      })
-    } else {
-      envs.push({ type: 'envFile', value: optionPath })
-    }
+    envs.push({ type: 'envFile', value: optionPath })
   }
 
   return envs

package/src/lib/helpers/{decryptKeyValue.js → cryptography/decryptKeyValue.js}

@@ -1,6 +1,6 @@
 const { decrypt } = require('eciesjs')
 
-const Errors = require('./errors')
+const Errors = require('./../errors')
 
 const PREFIX = 'encrypted:'
 

package/src/lib/helpers/cryptography/index.js

@@ -0,0 +1,14 @@
+module.exports = {
+  opsKeypair: require('./opsKeypair'),
+  localKeypair: require('./localKeypair'),
+  encryptValue: require('./encryptValue'),
+  decryptKeyValue: require('./decryptKeyValue'),
+  isEncrypted: require('./isEncrypted'),
+  isPublicKey: require('./isPublicKey'),
+  provision: require('./provision'),
+  provisionWithPrivateKey: require('./provisionWithPrivateKey'),
+  mutateSrc: require('./mutateSrc'),
+
+  // other
+  isFullyEncrypted: require('./../isFullyEncrypted')
+}

package/src/lib/helpers/{isPublicKey.js → cryptography/isPublicKey.js}

@@ -1,6 +1,6 @@
 const PUBLIC_KEY_PATTERN = /^DOTENV_PUBLIC_KEY/
 
-function isPublicKey (key, value) {
+function isPublicKey (key) {
   return PUBLIC_KEY_PATTERN.test(key)
 }
 

package/src/lib/helpers/{keypair.js → cryptography/localKeypair.js}

@@ -1,6 +1,6 @@
 const { PrivateKey } = require('eciesjs')
 
-function keypair (existingPrivateKey) {
+function localKeypair (existingPrivateKey) {
   let kp
 
   if (existingPrivateKey) {
@@ -18,4 +18,4 @@ function keypair (existingPrivateKey) {
   }
 }
 
-module.exports = keypair
+module.exports = localKeypair

package/src/lib/helpers/cryptography/mutateKeysSrc.js

@@ -0,0 +1,38 @@
+const FIRST_TIME_KEYS_SRC = [
+  '#/------------------!DOTENV_PRIVATE_KEYS!-------------------/',
+  '#/ private decryption keys. DO NOT commit to source control /',
+  '#/     [how it works](https://dotenvx.com/encryption)       /',
+  // '#/           backup with: `dotenvx ops backup`              /',
+  '#/----------------------------------------------------------/'
+].join('\n')
+
+const path = require('path')
+const fsx = require('./../fsx')
+
+function mutateKeysSrc ({ envFilepath, keysFilepath, privateKeyName, privateKeyValue }) {
+  const filename = path.basename(envFilepath)
+  const filepath = path.resolve(envFilepath)
+  let resolvedKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
+  if (keysFilepath) {
+    resolvedKeysFilepath = path.resolve(keysFilepath)
+  }
+  const appendPrivateKey = [`# ${filename}`, `${privateKeyName}=${privateKeyValue}`, ''].join('\n')
+
+  let keysSrc = ''
+  if (fsx.existsSync(resolvedKeysFilepath)) {
+    keysSrc = fsx.readFileX(resolvedKeysFilepath)
+  }
+  keysSrc = keysSrc.length > 1 ? keysSrc : `${FIRST_TIME_KEYS_SRC}\n`
+  keysSrc = `${keysSrc}\n${appendPrivateKey}`
+
+  fsx.writeFileX(resolvedKeysFilepath, keysSrc) // TODO: don't write if ops
+
+  const envKeysFilepath = keysFilepath || path.join(path.dirname(envFilepath), path.basename(resolvedKeysFilepath))
+
+  return {
+    keysSrc,
+    envKeysFilepath
+  }
+}
+
+module.exports = mutateKeysSrc

package/src/lib/helpers/cryptography/mutateSrc.js

@@ -0,0 +1,24 @@
+const path = require('path')
+const preserveShebang = require('./../preserveShebang')
+const prependPublicKey = require('./../prependPublicKey')
+
+function mutateSrc ({ envSrc, envFilepath, keysFilepath, publicKeyName, publicKeyValue }) {
+  const filename = path.basename(envFilepath)
+  const filepath = path.resolve(envFilepath)
+  let resolvedKeysFilepath = path.join(path.dirname(filepath), '.env.keys')
+  if (keysFilepath) {
+    resolvedKeysFilepath = path.resolve(keysFilepath)
+  }
+  const relativeFilepath = path.relative(path.dirname(filepath), resolvedKeysFilepath)
+
+  const ps = preserveShebang(envSrc)
+  const prependedPublicKey = prependPublicKey(publicKeyName, publicKeyValue, filename, relativeFilepath)
+
+  envSrc = `${ps.firstLinePreserved}${prependedPublicKey}\n${ps.envSrc}`
+
+  return {
+    envSrc
+  }
+}
+
+module.exports = mutateSrc

package/src/lib/helpers/cryptography/opsKeypair.js

@@ -0,0 +1,14 @@
+const Ops = require('../../extensions/ops')
+
+function opsKeypair (existingPublicKey) {
+  const kp = new Ops().keypair(existingPublicKey)
+  const publicKey = kp.public_key
+  const privateKey = kp.private_key
+
+  return {
+    publicKey,
+    privateKey
+  }
+}
+
+module.exports = opsKeypair

package/src/lib/helpers/cryptography/provision.js

@@ -0,0 +1,47 @@
+const mutateSrc = require('./mutateSrc')
+const mutateKeysSrc = require('./mutateKeysSrc')
+const opsKeypair = require('./opsKeypair')
+const localKeypair = require('./localKeypair')
+const { keyNames } = require('../keyResolution')
+
+function provision ({ envSrc, envFilepath, keysFilepath, opsOn }) {
+  opsOn = opsOn === true
+  const { publicKeyName, privateKeyName } = keyNames(envFilepath)
+
+  let publicKey
+  let privateKey
+  let keysSrc
+  let envKeysFilepath
+  let privateKeyAdded = false
+
+  if (opsOn) {
+    const kp = opsKeypair()
+    publicKey = kp.publicKey
+    privateKey = kp.privateKey
+  } else {
+    const kp = localKeypair()
+    publicKey = kp.publicKey
+    privateKey = kp.privateKey
+  }
+
+  const mutated = mutateSrc({ envSrc, envFilepath, keysFilepath, publicKeyName, publicKeyValue: publicKey })
+  envSrc = mutated.envSrc
+
+  if (!opsOn) {
+    const mutated = mutateKeysSrc({ envFilepath, keysFilepath, privateKeyName, privateKeyValue: privateKey })
+    keysSrc = mutated.keysSrc
+    envKeysFilepath = mutated.envKeysFilepath
+    privateKeyAdded = true
+  }
+
+  return {
+    envSrc,
+    keysSrc,
+    publicKey,
+    privateKey,
+    privateKeyAdded,
+    envKeysFilepath
+  }
+}
+
+module.exports = provision

package/src/lib/helpers/cryptography/provisionWithPrivateKey.js

@@ -0,0 +1,26 @@
+const Errors = require('./../errors')
+const mutateSrc = require('./mutateSrc')
+const localKeypair = require('./localKeypair')
+
+function provisionWithPrivateKey ({ envSrc, envFilepath, keysFilepath, privateKeyValue, publicKeyValue, publicKeyName }) {
+  const { publicKey, privateKey } = localKeypair(privateKeyValue) // opsOn doesn't matter here since privateKeyValue was already discovered prior (via ops and local) and passed as privateKeyValue
+
+  // if derivation doesn't match what's in the file (or preset in env)
+  if (publicKeyValue && publicKeyValue !== publicKey) {
+    throw new Errors({ publicKey, publicKeyExisting: publicKeyValue }).mispairedPrivateKey()
+  }
+
+  // scenario when encrypting a monorepo second .env file from a prior generated -fk .env.keys file
+  if (!publicKeyValue) {
+    const mutated = mutateSrc({ envSrc, envFilepath, keysFilepath, publicKeyName, publicKeyValue: publicKey })
+    envSrc = mutated.envSrc
+  }
+
+  return {
+    envSrc,
+    publicKey,
+    privateKey
+  }
+}
+
+module.exports = provisionWithPrivateKey