@dotenvx/dotenvx 1.59.0 → 1.60.0

package/src/lib/helpers/keyResolution/keyValues.js

@@ -7,15 +7,15 @@ const readProcessKey = require('./readProcessKey')
 const readFileKey = require('./readFileKey')
 const opsKeypair = require('../cryptography/opsKeypair')
 
-function invertForPrivateKeyName (filepath) {
+async function invertForPrivateKeyName (filepath) {
   const PUBLIC_KEY_SCHEMA = 'DOTENV_PUBLIC_KEY'
   const PRIVATE_KEY_SCHEMA = 'DOTENV_PRIVATE_KEY'
 
-  if (!fsx.existsSync(filepath)) {
+  if (!(await fsx.exists(filepath))) {
     return null
   }
 
-  const envSrc = fsx.readFileX(filepath)
+  const envSrc = await fsx.readFileX(filepath)
   const envParsed = dotenvParse(envSrc)
 
   let publicKeyName
@@ -32,9 +32,9 @@ function invertForPrivateKeyName (filepath) {
   return null
 }
 
-function keyValues (filepath, opts = {}) {
+async function keyValues (filepath, opts = {}) {
   let keysFilepath = opts.keysFilepath || null
-  const opsOn = opts.opsOn === true
+  const noOps = opts.noOps === true
   const names = keyNames(filepath)
   const publicKeyName = names.publicKeyName // DOTENV_PUBLIC_KEY_${ENVIRONMENT}
   let privateKeyName = names.privateKeyName // DOTENV_PRIVATE_KEY_${ENVIRONMENT}
@@ -45,7 +45,7 @@ function keyValues (filepath, opts = {}) {
   // public key: process.env first, then .env*
   publicKey = readProcessKey(publicKeyName)
   if (!publicKey) {
-    publicKey = readFileKey(publicKeyName, filepath) || null
+    publicKey = await readFileKey(publicKeyName, filepath) || null
   }
 
   // private key: process.env first, then .env.keys, then invert public key
@@ -57,28 +57,28 @@ function keyValues (filepath, opts = {}) {
       keysFilepath = path.resolve(path.dirname(filepath), '.env.keys') // typical scenario
     }
 
-    privateKey = readFileKey(privateKeyName, keysFilepath)
+    privateKey = await readFileKey(privateKeyName, keysFilepath)
   }
   // invert
   if (!privateKey) {
-    privateKeyName = invertForPrivateKeyName(filepath)
+    privateKeyName = await invertForPrivateKeyName(filepath)
     if (privateKeyName) {
       privateKey = readProcessKey(privateKeyName)
       if (!privateKey) {
-        privateKey = readFileKey(privateKeyName, keysFilepath)
+        privateKey = await readFileKey(privateKeyName, keysFilepath)
       }
     }
   }
 
   // ops
-  if (opsOn && !privateKey && publicKey && publicKey.length > 0) {
-    const kp = opsKeypair(publicKey)
+  if (!noOps && !privateKey && publicKey && publicKey.length > 0) {
+    const kp = await opsKeypair(publicKey)
     privateKey = kp.privateKey
   }
 
   return {
     publicKeyValue: publicKey || null, // important to make sure name is rendered
-    privateKeyValue: privateKey || null // importan to make sure name is rendered
+    privateKeyValue: privateKey || null // important to make sure name is rendered
   }
 }
 

package/src/lib/helpers/keyResolution/keyValuesSync.js

@@ -0,0 +1,85 @@
+const path = require('path')
+
+const fsx = require('./../fsx')
+const dotenvParse = require('./../dotenvParse')
+const keyNames = require('./keyNames')
+const readProcessKey = require('./readProcessKey')
+const readFileKeySync = require('./readFileKeySync')
+const opsKeypairSync = require('../cryptography/opsKeypairSync')
+
+function invertForPrivateKeyName (filepath) {
+  const PUBLIC_KEY_SCHEMA = 'DOTENV_PUBLIC_KEY'
+  const PRIVATE_KEY_SCHEMA = 'DOTENV_PRIVATE_KEY'
+
+  if (!fsx.existsSync(filepath)) {
+    return null
+  }
+
+  const envSrc = fsx.readFileXSync(filepath)
+  const envParsed = dotenvParse(envSrc)
+
+  let publicKeyName
+  for (const keyName of Object.keys(envParsed)) {
+    if (keyName === PUBLIC_KEY_SCHEMA || keyName.startsWith(PUBLIC_KEY_SCHEMA)) {
+      publicKeyName = keyName // find DOTENV_PUBLIC_KEY* in filename
+    }
+  }
+
+  if (publicKeyName) {
+    return publicKeyName.replace(PUBLIC_KEY_SCHEMA, PRIVATE_KEY_SCHEMA) // return inverted (DOTENV_PUBLIC_KEY* -> DOTENV_PRIVATE_KEY*) if found
+  }
+
+  return null
+}
+
+function keyValuesSync (filepath, opts = {}) {
+  let keysFilepath = opts.keysFilepath || null
+  const noOps = opts.noOps === true
+  const names = keyNames(filepath)
+  const publicKeyName = names.publicKeyName // DOTENV_PUBLIC_KEY_${ENVIRONMENT}
+  let privateKeyName = names.privateKeyName // DOTENV_PRIVATE_KEY_${ENVIRONMENT}
+
+  let publicKey = null
+  let privateKey = null
+
+  // public key: process.env first, then .env*
+  publicKey = readProcessKey(publicKeyName)
+  if (!publicKey) {
+    publicKey = readFileKeySync(publicKeyName, filepath) || null
+  }
+
+  // private key: process.env first, then .env.keys, then invert public key
+  privateKey = readProcessKey(privateKeyName)
+  if (!privateKey) {
+    if (keysFilepath) { // user specified -fk flag
+      keysFilepath = path.resolve(keysFilepath)
+    } else {
+      keysFilepath = path.resolve(path.dirname(filepath), '.env.keys') // typical scenario
+    }
+
+    privateKey = readFileKeySync(privateKeyName, keysFilepath)
+  }
+  // invert
+  if (!privateKey) {
+    privateKeyName = invertForPrivateKeyName(filepath)
+    if (privateKeyName) {
+      privateKey = readProcessKey(privateKeyName)
+      if (!privateKey) {
+        privateKey = readFileKeySync(privateKeyName, keysFilepath)
+      }
+    }
+  }
+
+  // ops
+  if (!noOps && !privateKey && publicKey && publicKey.length > 0) {
+    const kp = opsKeypairSync(publicKey)
+    privateKey = kp.privateKey
+  }
+
+  return {
+    publicKeyValue: publicKey || null, // important to make sure name is rendered
+    privateKeyValue: privateKey || null // important to make sure name is rendered
+  }
+}
+
+module.exports = keyValuesSync

package/src/lib/helpers/keyResolution/readFileKey.js

@@ -1,14 +1,16 @@
 const fsx = require('./../fsx')
 const dotenvParse = require('./../dotenvParse')
 
-function readFileKey (keyName, filepath) {
-  if (fsx.existsSync(filepath)) {
-    const src = fsx.readFileX(filepath)
-    const parsed = dotenvParse(src)
-
-    if (parsed[keyName] && parsed[keyName].length > 0) {
-      return parsed[keyName]
-    }
+async function readFileKey (keyName, filepath) {
+  if (!(await fsx.exists(filepath))) {
+    return undefined
+  }
+
+  const src = await fsx.readFileX(filepath)
+  const parsed = dotenvParse(src)
+
+  if (parsed[keyName] && parsed[keyName].length > 0) {
+    return parsed[keyName]
   }
 }
 

package/src/lib/helpers/keyResolution/readFileKeySync.js

@@ -0,0 +1,15 @@
+const fsx = require('./../fsx')
+const dotenvParse = require('./../dotenvParse')
+
+function readFileKeySync (keyName, filepath) {
+  if (fsx.existsSync(filepath)) {
+    const src = fsx.readFileXSync(filepath)
+    const parsed = dotenvParse(src)
+
+    if (parsed[keyName] && parsed[keyName].length > 0) {
+      return parsed[keyName]
+    }
+  }
+}
+
+module.exports = readFileKeySync

package/src/lib/helpers/kits/sample.js

@@ -1,33 +1,23 @@
 const SAMPLE_ENV_KIT = `
-# ── Database ─────────────────────────────────────
-DATABASE_URL="postgresql://postgres:pass@db.ref.supabase.co:5432/postgres"
+HELLO="Dotenvx"
 
-# ── Auth ─────────────────────────────────────────
-AUTH0_CLIENT_ID="xxxx"
-AUTH0_CLIENT_SECRET="xxxx"
+# ── Hosting ──────────────────────────────────────
+AWS_ACCESS_KEY_ID="xxxx"
+AWS_SECRET_ACCESS_KEY="xxxx"
+DATABASE_URL="postgresql://postgres:pass@db.ref.supabase.co:5432/postgres"
+VERCEL_TOKEN="vcp_xxxx"
 
-# ── AI / LLM ────────────────────────────────────
+# ── AI ───────────────────────────────────────────
 OPENAI_API_KEY="sk-xxxx"
 ANTHROPIC_API_KEY="sk-ant-xxxx"
 
-# ── Email ────────────────────────────────────────
+# ── Infrastructure ───────────────────────────────
+AUTH0_CLIENT_ID="xxxx"
+AUTH0_CLIENT_SECRET="xxxx"
 RESEND_API_KEY="re_xxxx"
-
-# ── Cloud Storage ────────────────────────────────
-AWS_ACCESS_KEY_ID="xxxx"
-AWS_SECRET_ACCESS_KEY="xxxx"
-
-# ── Analytics / Monitoring ───────────────────────
-SENTRY_DSN="https://hex@o1234.ingest.us.sentry.io/1234567"
-
-# ── Payments ─────────────────────────────────────
 STRIPE_API_KEY="sk_test_xxxx"
-
-# ── Feature Flags ────────────────────────────────
 FLAGSMITH_ENV_ID="xxxx"
-
-# ── CI/CD / Deployment ──────────────────────────
-VERCEL_TOKEN="vcp_xxxx"
+SENTRY_DSN="https://hex@o1234.ingest.us.sentry.io/1234567"
 `.trimStart()
 
 module.exports = SAMPLE_ENV_KIT

package/src/lib/main.d.ts

@@ -151,7 +151,12 @@ export interface DotenvConfigOptions {
    * Turn off Dotenvx Ops features - https://dotenvx.com/ops
    *
    * @default false
-   * @example require('@dotenvx/dotenvx').config({ opsOff: true })
+   * @example require('@dotenvx/dotenvx').config({ noOps: true })
+   */
+  noOps?: boolean;
+
+  /**
+   * @deprecated use `noOps` instead.
    */
   opsOff?: boolean;
 }
@@ -210,7 +215,12 @@ export interface SetOptions {
    * Turn off Dotenvx Ops features - https://dotenvx.com/ops
    *
    * @default false
-   * @example require('@dotenvx/dotenvx').set(key, value, { opsOff: true })
+   * @example require('@dotenvx/dotenvx').set(key, value, { noOps: true })
+   */
+  noOps?: boolean;
+
+  /**
+   * @deprecated use `noOps` instead.
    */
   opsOff?: boolean;
 }
@@ -285,7 +295,12 @@ export interface GetOptions {
    * Turn off Dotenvx Ops features - https://dotenvx.com/ops
    *
    * @default false
-   * @example require('@dotenvx/dotenvx').get('KEY', { opsOff: true })
+   * @example require('@dotenvx/dotenvx').get('KEY', { noOps: true })
+   */
+  noOps?: boolean;
+
+  /**
+   * @deprecated use `noOps` instead.
    */
   opsOff?: boolean;
 }

package/src/lib/main.js

@@ -12,6 +12,7 @@ const Sets = require('./services/sets')
 const Get = require('./services/get')
 const Keypair = require('./services/keypair')
 const Genexample = require('./services/genexample')
+const Session = require('./../db/session')
 
 // helpers
 const buildEnvs = require('./helpers/buildEnvs')
@@ -39,27 +40,22 @@ const config = function (options = {}) {
   // envKeysFile
   const envKeysFile = options.envKeysFile
 
-  // dotenvx-ops related
-  const opsOn = options.opsOff !== true
-
   if (options) {
     setLogLevel(options)
     setLogName(options)
     setLogVersion(options)
   }
 
+  // dotenvx-ops related
+  const noOps = resolveNoOps(options)
+
   try {
     const envs = buildEnvs(options)
     const {
       processedEnvs,
       readableFilepaths,
       uniqueInjectedKeys
-    } = new Run(envs, overload, processEnv, envKeysFile, opsOn).run()
-
-    if (opsOn) {
-      // removed radar feature for now. contact me at mot@dotenvx.com if still needed for your organization.
-      // try { new Ops().observe({ beforeEnv, processedEnvs, afterEnv }) } catch {}
-    }
+    } = new Run(envs, overload, processEnv, envKeysFile, noOps).runSync()
 
     let lastError
     /** @type {Record<string, string>} */
@@ -169,13 +165,13 @@ const set = function (key, value, options = {}) {
 
   const envs = buildEnvs(options)
   const envKeysFilepath = options.envKeysFile
-  const opsOn = options.opsOff !== true
+  const noOps = resolveNoOps(options)
 
   const {
     processedEnvs,
     changedFilepaths,
     unchangedFilepaths
-  } = new Sets(key, value, envs, encrypt, envKeysFilepath, opsOn).run()
+  } = new Sets(key, value, envs, encrypt, envKeysFilepath, noOps).runSync()
 
   let withEncryption = ''
 
@@ -191,7 +187,7 @@ const set = function (key, value, options = {}) {
       const message = error.messageWithHelp || (error.help ? `${error.message}. ${error.help}` : error.message)
       logger.warn(message)
     } else {
-      fsx.writeFileX(processedEnv.filepath, processedEnv.envSrc)
+      fsx.writeFileXSync(processedEnv.filepath, processedEnv.envSrc)
 
       logger.verbose(`${processedEnv.key} set${withEncryption} (${processedEnv.envFilepath})`)
       logger.debug(`${processedEnv.key} set${withEncryption} to ${processedEnv.value} (${processedEnv.envFilepath})`)
@@ -211,7 +207,7 @@ const set = function (key, value, options = {}) {
     const keyAddedEnvFilepath = keyAddedEnv.envFilepath || changedFilepaths[0] || '.env'
     logger.success(`◈ encrypted ${key} (${keyAddedEnvFilepath})${keyAddedSuffix}`)
   } else if (unchangedFilepaths.length > 0) {
-    logger.info(`○ no changes (${unchangedFilepaths})`)
+    logger.info(`○ no change (${unchangedFilepaths})`)
   } else {
     // do nothing
   }
@@ -228,12 +224,12 @@ const set = function (key, value, options = {}) {
 /* @type {import('./main').get} */
 const get = function (key, options = {}) {
   const envs = buildEnvs(options)
-  const opsOn = options.opsOff !== true
+  const noOps = resolveNoOps(options)
 
   // ignore
   const ignore = options.ignore || []
 
-  const { parsed, errors } = new Get(key, envs, options.overload, options.all, options.envKeysFile, opsOn).run()
+  const { parsed, errors } = new Get(key, envs, options.overload, options.all, options.envKeysFile, noOps).runSync()
 
   for (const error of errors || []) {
     if (ignore.includes(error.code)) {
@@ -286,9 +282,8 @@ const genexample = function (directory, envFile) {
 }
 
 /** @type {import('./main').keypair} */
-const keypair = function (envFile, key, envKeysFile = null, opsOff = false) {
-  const opsOn = opsOff !== true
-  const keypairs = new Keypair(envFile, envKeysFile, opsOn).run()
+const keypair = function (envFile, key, envKeysFile = null, noOps = false) {
+  const keypairs = new Keypair(envFile, envKeysFile, noOps).runSync()
   if (key) {
     return keypairs[key]
   } else {
@@ -296,6 +291,11 @@ const keypair = function (envFile, key, envKeysFile = null, opsOff = false) {
   }
 }
 
+function resolveNoOps (options = {}) {
+  const sesh = new Session()
+  return options.noOps === true || options.opsOff === true || sesh.noOpsSync()
+}
+
 module.exports = {
   // dotenv proxies
   config,

package/src/lib/services/decrypt.js

@@ -25,19 +25,19 @@ const dotenvParse = require('./../helpers/dotenvParse')
 const detectEncoding = require('./../helpers/detectEncoding')
 
 class Decrypt {
-  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = false) {
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, noOps = false) {
     this.envs = determine(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
     this.envKeysFilepath = envKeysFilepath
-    this.opsOn = opsOn
+    this.noOps = noOps
 
     this.processedEnvs = []
     this.changedFilepaths = new Set()
     this.unchangedFilepaths = new Set()
   }
 
-  run () {
+  async run () {
     // example
     // envs [
     //   { type: 'envFile', value: '.env' }
@@ -51,7 +51,7 @@ class Decrypt {
 
     for (const env of this.envs) {
       if (env.type === TYPE_ENV_FILE) {
-        this._decryptEnvFile(env.value)
+        await this._decryptEnvFile(env.value)
       }
     }
 
@@ -62,7 +62,7 @@ class Decrypt {
     }
   }
 
-  _decryptEnvFile (envFilepath) {
+  async _decryptEnvFile (envFilepath) {
     const row = {}
     row.keys = []
     row.type = TYPE_ENV_FILE
@@ -72,12 +72,12 @@ class Decrypt {
     row.envFilepath = envFilepath
 
     try {
-      const encoding = detectEncoding(filepath)
-      let envSrc = fsx.readFileX(filepath, { encoding })
+      const encoding = await detectEncoding(filepath)
+      let envSrc = await fsx.readFileX(filepath, { encoding })
       const envParsed = dotenvParse(envSrc)
 
       const { privateKeyName } = keyNames(envFilepath)
-      const { privateKeyValue } = keyValues(envFilepath, { keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
+      const { privateKeyValue } = await keyValues(envFilepath, { keysFilepath: this.envKeysFilepath, noOps: this.noOps })
 
       row.privateKey = privateKeyValue
       row.privateKeyName = privateKeyName

package/src/lib/services/encrypt.js

@@ -29,12 +29,12 @@ const detectEncoding = require('./../helpers/detectEncoding')
 const SAMPLE_ENV_KIT = require('./../helpers/kits/sample')
 
 class Encrypt {
-  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, opsOn = false, noCreate = false) {
+  constructor (envs = [], key = [], excludeKey = [], envKeysFilepath = null, noOps = false, noCreate = false) {
     this.envs = determine(envs, process.env)
     this.key = key
     this.excludeKey = excludeKey
     this.envKeysFilepath = envKeysFilepath
-    this.opsOn = opsOn
+    this.noOps = noOps
     this.noCreate = noCreate
 
     this.processedEnvs = []
@@ -42,7 +42,7 @@ class Encrypt {
     this.unchangedFilepaths = new Set()
   }
 
-  run () {
+  async run () {
     // example
     // envs [
     //   { type: 'envFile', value: '.env' }
@@ -56,7 +56,7 @@ class Encrypt {
 
     for (const env of this.envs) {
       if (env.type === TYPE_ENV_FILE) {
-        this._encryptEnvFile(env.value)
+        await this._encryptEnvFile(env.value)
       }
     }
 
@@ -67,10 +67,11 @@ class Encrypt {
     }
   }
 
-  _encryptEnvFile (envFilepath) {
+  async _encryptEnvFile (envFilepath) {
     const row = {}
     row.keys = []
     row.type = TYPE_ENV_FILE
+    let fileCreated = false
 
     const filepath = path.resolve(envFilepath)
     row.filepath = filepath
@@ -79,14 +80,16 @@ class Encrypt {
     try {
       // if noCreate is on then detectEncoding will throw and we'll halt the calls
       // but if noCreate is false then create the file if it doesn't exist
-      if (!fsx.existsSync(filepath) && !this.noCreate) {
-        fsx.writeFileX(filepath, SAMPLE_ENV_KIT)
+      if (!(await fsx.exists(filepath)) && !this.noCreate) {
+        await fsx.writeFileX(filepath, SAMPLE_ENV_KIT)
+        fileCreated = true
       }
-      const encoding = detectEncoding(filepath)
-      let envSrc = fsx.readFileX(filepath, { encoding })
+      const encoding = await detectEncoding(filepath)
+      let envSrc = await fsx.readFileX(filepath, { encoding })
       if (envSrc.trim().length === 0) {
         envSrc = SAMPLE_ENV_KIT
         row.kitCreated = 'sample'
+        row.changed = true
       }
       const envParsed = dotenvParse(envSrc)
 
@@ -94,11 +97,11 @@ class Encrypt {
       let privateKey
 
       const { publicKeyName, privateKeyName } = keyNames(envFilepath)
-      const { publicKeyValue, privateKeyValue } = keyValues(envFilepath, { keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
+      const { publicKeyValue, privateKeyValue } = await keyValues(envFilepath, { keysFilepath: this.envKeysFilepath, noOps: this.noOps })
 
       // first pass - provision
       if (!privateKeyValue && !publicKeyValue) {
-        const prov = provision({ envSrc, envFilepath, keysFilepath: this.envKeysFilepath, opsOn: this.opsOn })
+        const prov = await provision({ envSrc, envFilepath, keysFilepath: this.envKeysFilepath, noOps: this.noOps })
         envSrc = prov.envSrc
         publicKey = prov.publicKey
         privateKey = prov.privateKey
@@ -148,6 +151,9 @@ class Encrypt {
       }
 
       row.envSrc = envSrc
+      if (fileCreated) {
+        row.changed = true
+      }
       if (row.changed) {
         this.changedFilepaths.add(envFilepath)
       } else {

package/src/lib/services/genexample.js

@@ -39,7 +39,7 @@ class Genexample {
       }
 
       // get the original src
-      let src = fsx.readFileX(filepath)
+      let src = fsx.readFileXSync(filepath)
       const parsed = dotenvParse(src)
       for (const key in parsed) {
         // used later
@@ -63,7 +63,7 @@ class Genexample {
       }
     } else {
       // it already exists (which means the user might have it modified a way in which they prefer, so replace exampleSrc with their existing .env.example)
-      exampleSrc = fsx.readFileX(this.exampleFilepath)
+      exampleSrc = fsx.readFileXSync(this.exampleFilepath)
 
       const parsed = dotenvParse(exampleSrc)
       for (const key of [...keys]) {

package/src/lib/services/get.js

@@ -2,19 +2,28 @@ const Run = require('./run')
 const Errors = require('./../helpers/errors')
 
 class Get {
-  constructor (key, envs = [], overload = false, all = false, envKeysFilepath = null, opsOn = true) {
+  constructor (key, envs = [], overload = false, all = false, envKeysFilepath = null, noOps = false) {
     this.key = key
     this.envs = envs
     this.overload = overload
     this.all = all
     this.envKeysFilepath = envKeysFilepath
-    this.opsOn = opsOn
+    this.noOps = noOps
   }
 
-  run () {
+  runSync () {
     const processEnv = { ...process.env }
-    const { processedEnvs } = new Run(this.envs, this.overload, processEnv, this.envKeysFilepath, this.opsOn).run()
+    const { processedEnvs } = new Run(this.envs, this.overload, processEnv, this.envKeysFilepath, this.noOps).runSync()
+    return this._result(processedEnvs, processEnv)
+  }
+
+  async run () {
+    const processEnv = { ...process.env }
+    const { processedEnvs } = await new Run(this.envs, this.overload, processEnv, this.envKeysFilepath, this.noOps).run()
+    return this._result(processedEnvs, processEnv)
+  }
 
+  _result (processedEnvs, processEnv) {
     const errors = []
     for (const processedEnv of processedEnvs) {
       for (const error of processedEnv.errors) {
@@ -32,27 +41,27 @@ class Get {
       }
 
       return { parsed, errors }
-    } else {
-      // if user wants to return ALL envs (even prior set on machine)
-      if (this.all) {
-        return { parsed: processEnv, errors }
-      }
+    }
 
-      // typical scenario - return only envs that were identified in the .env file
-      // iterate over all processedEnvs.parsed and grab from processEnv
-      /** @type {Record<string, string>} */
-      const parsed = {}
-      for (const processedEnv of processedEnvs) {
-        // parsed means we saw the key in a file or --env flag. this effectively filters out any preset machine envs - while still respecting complex evaluating, expansion, and overload. in other words, the value might be the machine value because the key was displayed in a .env file
-        if (processedEnv.parsed) {
-          for (const key of Object.keys(processedEnv.parsed)) {
-            parsed[key] = processEnv[key]
-          }
+    // if user wants to return ALL envs (even prior set on machine)
+    if (this.all) {
+      return { parsed: processEnv, errors }
+    }
+
+    // typical scenario - return only envs that were identified in the .env file
+    // iterate over all processedEnvs.parsed and grab from processEnv
+    /** @type {Record<string, string>} */
+    const parsed = {}
+    for (const processedEnv of processedEnvs) {
+      // parsed means we saw the key in a file or --env flag. this effectively filters out any preset machine envs - while still respecting complex evaluating, expansion, and overload. in other words, the value might be the machine value because the key was displayed in a .env file
+      if (processedEnv.parsed) {
+        for (const key of Object.keys(processedEnv.parsed)) {
+          parsed[key] = processEnv[key]
         }
       }
-
-      return { parsed, errors }
     }
+
+    return { parsed, errors }
   }
 }