@dotenvx/dotenvx 1.60.0 → 1.60.2

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.60.0...main)
+[Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.60.2...main)
+
+## [1.60.2](https://github.com/dotenvx/dotenvx/compare/v1.60.1...v1.60.2) (2026-04-07)
+
+### Changed
+
+* Communicate `local key` and `armored key` (for Ops stored keys) ([#778](https://github.com/dotenvx/dotenvx/pull/778))
+
+## [1.60.1](https://github.com/dotenvx/dotenvx/compare/v1.60.0...v1.60.1) (2026-04-06)
+
+### Added
+
+* Added missing `+ key ⛨` for Ops stored keys ([#777](https://github.com/dotenvx/dotenvx/pull/777))
 
 ## [1.60.0](https://github.com/dotenvx/dotenvx/compare/v1.59.1...v1.60.0) (2026-04-04)
 

package/README.md

@@ -1572,7 +1572,7 @@ Encrypt the contents of a `.env` file to an encrypted `.env` file.
 $ echo "HELLO=Dotenvx" > .env
 
 $ dotenvx encrypt
-◈ encrypted (.env) + key (.env.keys)
+◈ encrypted (.env) + local key (.env.keys)
 ⮕  next run [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys
 ⮕  next run [DOTENV_PRIVATE_KEY='122...0b8' dotenvx run -- yourcommand] to test decryption locally
 ```
@@ -1587,7 +1587,7 @@ $ echo "HELLO=Dotenvx" > .env
 $ echo "HELLO=Production" > .env.production
 
 $ dotenvx encrypt -f .env.production
-◈ encrypted (.env.production) + key (.env.keys)
+◈ encrypted (.env.production) + local key (.env.keys)
 ⮕  next run [dotenvx ext gitignore --pattern .env.keys] to gitignore .env.keys
 ⮕  next run [DOTENV_PRIVATE_KEY='bff...bc4' dotenvx run -- yourcommand] to test decryption locally
 ```

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.60.0",
+  "version": "1.60.2",
   "name": "@dotenvx/dotenvx",
   "description": "secrets for agents–from the creator of `dotenv`",
   "author": "@motdotla",

package/src/cli/actions/encrypt.js

@@ -52,11 +52,15 @@ async function encrypt () {
 
       if (spinner) spinner.stop()
       if (changedFilepaths.length > 0) {
-        const keyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.privateKeyAdded)
+        const localKeyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.localPrivateKeyAdded)
+        const remoteKeyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.remotePrivateKeyAdded)
         let msg = `◈ encrypted (${changedFilepaths.join(',')})`
-        if (keyAddedEnv) {
-          const envKeysFilepath = localDisplayPath(keyAddedEnv.envKeysFilepath)
-          msg += ` + key (${envKeysFilepath})`
+        if (localKeyAddedEnv) {
+          const envKeysFilepath = localDisplayPath(localKeyAddedEnv.envKeysFilepath)
+          msg += ` + local key (${envKeysFilepath})`
+        }
+        if (remoteKeyAddedEnv) {
+          msg += ' + armored key ⛨'
         }
         logger.success(msg)
       } else if (unchangedFilepaths.length > 0) {
@@ -64,12 +68,6 @@ async function encrypt () {
       } else {
         // do nothing - scenario when no .env files found
       }
-
-      for (const processedEnv of processedEnvs) {
-        if (processedEnv.privateKeyAdded) {
-          // intentionally quiet: success line already communicates key creation
-        }
-      }
     } catch (error) {
       if (spinner) spinner.stop()
       catchAndLog(error)

package/src/cli/actions/rotate.js

@@ -26,7 +26,7 @@ async function rotate () {
     if (spinner) spinner.stop()
     for (const processedEnv of processedEnvs) {
       console.log(processedEnv.envSrc)
-      if (processedEnv.privateKeyAdded) {
+      if (processedEnv.localPrivateKeyAdded) {
         console.log('')
         console.log(processedEnv.envKeysSrc)
       }
@@ -46,7 +46,7 @@ async function rotate () {
           logger.warn(processedEnv.error.messageWithHelp)
         } else if (processedEnv.changed) {
           await fsx.writeFileX(processedEnv.filepath, processedEnv.envSrc)
-          if (processedEnv.privateKeyAdded) {
+          if (processedEnv.localPrivateKeyAdded) {
             await fsx.writeFileX(processedEnv.envKeysFilepath, processedEnv.envKeysSrc)
           }
 
@@ -58,11 +58,16 @@ async function rotate () {
 
       if (spinner) spinner.stop()
       if (changedFilepaths.length > 0) {
-        const keyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.privateKeyAdded)
+        const localKeyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.localPrivateKeyAdded)
+        const remoteKeyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.remotePrivateKeyAdded)
+
         let msg = `⟳ rotated (${changedFilepaths.join(',')})`
-        if (keyAddedEnv) {
-          const envKeysFilepath = localDisplayPath(keyAddedEnv.envKeysFilepath)
-          msg += ` + key (${envKeysFilepath})`
+        if (localKeyAddedEnv) {
+          const envKeysFilepath = localDisplayPath(localKeyAddedEnv.envKeysFilepath)
+          msg += ` + local key (${envKeysFilepath})`
+        }
+        if (remoteKeyAddedEnv) {
+          msg += ' + armored key ⛨'
         }
         logger.success(msg)
       } else if (unchangedFilepaths.length > 0) {

package/src/cli/actions/set.js

@@ -55,8 +55,15 @@ async function set (key, value) {
       }
     }
 
-    const keyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.privateKeyAdded)
-    const keyAddedSuffix = keyAddedEnv ? ` + key (${localDisplayPath(keyAddedEnv.envKeysFilepath)})` : ''
+    const localKeyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.localPrivateKeyAdded)
+    const remoteKeyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.remotePrivateKeyAdded)
+    let keyAddedSuffix = ''
+    if (localKeyAddedEnv) {
+      keyAddedSuffix = ` + local key (${localDisplayPath(localKeyAddedEnv.envKeysFilepath)})`
+    }
+    if (remoteKeyAddedEnv) {
+      keyAddedSuffix = ' + armored key ⛨'
+    }
 
     if (spinner) spinner.stop()
     if (changedFilepaths.length > 0) {
@@ -65,9 +72,9 @@ async function set (key, value) {
       } else {
         logger.success(`◇ set ${key} (${changedFilepaths.join(',')})`)
       }
-    } else if (encrypt && keyAddedEnv) {
-      const keyAddedEnvFilepath = keyAddedEnv.envFilepath || changedFilepaths[0] || '.env'
-      logger.success(`◈ encrypted ${key} (${keyAddedEnvFilepath})${keyAddedSuffix}`)
+    } else if (encrypt && localKeyAddedEnv) { // TODO: this needs to take into account remoteKeyAddedEnv
+      const localKeyAddedEnvFilepath = localKeyAddedEnv.envFilepath || changedFilepaths[0] || '.env'
+      logger.success(`◈ encrypted ${key} (${localKeyAddedEnvFilepath})${keyAddedSuffix}`)
     } else if (unchangedFilepaths.length > 0) {
       logger.info(`○ no change (${unchangedFilepaths})`)
     } else {

package/src/lib/helpers/cryptography/provision.js

@@ -12,7 +12,8 @@ async function provision ({ envSrc, envFilepath, keysFilepath, noOps }) {
   let privateKey
   let keysSrc
   let envKeysFilepath
-  let privateKeyAdded = false
+  let localPrivateKeyAdded = false
+  let remotePrivateKeyAdded = false
 
   if (noOps) {
     const kp = localKeypair()
@@ -31,7 +32,9 @@ async function provision ({ envSrc, envFilepath, keysFilepath, noOps }) {
     const mutated = await mutateKeysSrc({ envFilepath, keysFilepath, privateKeyName, privateKeyValue: privateKey })
     keysSrc = mutated.keysSrc
     envKeysFilepath = mutated.envKeysFilepath
-    privateKeyAdded = true
+    localPrivateKeyAdded = true
+  } else {
+    remotePrivateKeyAdded = true
   }
 
   return {
@@ -39,8 +42,9 @@ async function provision ({ envSrc, envFilepath, keysFilepath, noOps }) {
     keysSrc,
     publicKey,
     privateKey,
-    privateKeyAdded,
-    envKeysFilepath
+    envKeysFilepath,
+    localPrivateKeyAdded,
+    remotePrivateKeyAdded
   }
 }
 

package/src/lib/helpers/cryptography/provisionSync.js

@@ -12,7 +12,8 @@ function provisionSync ({ envSrc, envFilepath, keysFilepath, noOps }) {
   let privateKey
   let keysSrc
   let envKeysFilepath
-  let privateKeyAdded = false
+  let localPrivateKeyAdded = false
+  let remotePrivateKeyAdded = false
 
   if (noOps) {
     const kp = localKeypair()
@@ -31,7 +32,9 @@ function provisionSync ({ envSrc, envFilepath, keysFilepath, noOps }) {
     const mutated = mutateKeysSrcSync({ envFilepath, keysFilepath, privateKeyName, privateKeyValue: privateKey })
     keysSrc = mutated.keysSrc
     envKeysFilepath = mutated.envKeysFilepath
-    privateKeyAdded = true
+    localPrivateKeyAdded = true
+  } else {
+    remotePrivateKeyAdded = true
   }
 
   return {
@@ -39,8 +42,9 @@ function provisionSync ({ envSrc, envFilepath, keysFilepath, noOps }) {
     keysSrc,
     publicKey,
     privateKey,
-    privateKeyAdded,
-    envKeysFilepath
+    envKeysFilepath,
+    localPrivateKeyAdded,
+    remotePrivateKeyAdded
   }
 }
 

package/src/lib/main.d.ts

@@ -235,7 +235,8 @@ export type SetProcessedEnv = {
   encryptedValue?: string;
   publicKey?: string;
   privateKey?: string;
-  privateKeyAdded?: boolean;
+  localPrivateKeyAdded?: boolean;
+  remotePrivateKeyAdded?: boolean;
   privateKeyName?: string;
   error?: Error;
 };

package/src/lib/main.js

@@ -194,8 +194,16 @@ const set = function (key, value, options = {}) {
     }
   }
 
-  const keyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.privateKeyAdded)
-  const keyAddedSuffix = keyAddedEnv ? ` + key (${localDisplayPath(keyAddedEnv.envKeysFilepath)})` : ''
+  let keyAddedSuffix = ''
+  const localKeyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.localPrivateKeyAdded)
+  const remoteKeyAddedEnv = processedEnvs.find((processedEnv) => processedEnv.remotePrivateKeyAdded)
+
+  if (localKeyAddedEnv) {
+    keyAddedSuffix = ` + local key (${localDisplayPath(localKeyAddedEnv.envKeysFilepath)})`
+  }
+  if (remoteKeyAddedEnv) {
+    keyAddedSuffix = ' + armored key ⛨'
+  }
 
   if (changedFilepaths.length > 0) {
     if (encrypt) {
@@ -203,8 +211,8 @@ const set = function (key, value, options = {}) {
     } else {
       logger.success(`◇ set ${key} (${changedFilepaths.join(',')})`)
     }
-  } else if (encrypt && keyAddedEnv) {
-    const keyAddedEnvFilepath = keyAddedEnv.envFilepath || changedFilepaths[0] || '.env'
+  } else if (encrypt && localKeyAddedEnv) {
+    const keyAddedEnvFilepath = localKeyAddedEnv.envFilepath || changedFilepaths[0] || '.env'
     logger.success(`◈ encrypted ${key} (${keyAddedEnvFilepath})${keyAddedSuffix}`)
   } else if (unchangedFilepaths.length > 0) {
     logger.info(`○ no change (${unchangedFilepaths})`)

package/src/lib/services/encrypt.js

@@ -105,7 +105,8 @@ class Encrypt {
         envSrc = prov.envSrc
         publicKey = prov.publicKey
         privateKey = prov.privateKey
-        row.privateKeyAdded = prov.privateKeyAdded
+        row.localPrivateKeyAdded = prov.localPrivateKeyAdded
+        row.remotePrivateKeyAdded = prov.remotePrivateKeyAdded
         row.envKeysFilepath = prov.envKeysFilepath
       } else if (privateKeyValue) {
         const prov = provisionWithPrivateKey({ envSrc, envFilepath, keysFilepath: this.envKeysFilepath, privateKeyValue, publicKeyValue, publicKeyName })

package/src/lib/services/rotate.js

@@ -95,7 +95,8 @@ class Rotate {
         newPublicKey = kp.publicKey
         newPrivateKey = kp.privateKey
 
-        row.privateKeyAdded = false // TODO: change to localPrivateKeyAdded
+        row.localPrivateKeyAdded = false
+        row.remotePrivateKeyAdded = true
       } else {
         row.envKeysFilepath = this.envKeysFilepath || path.join(path.dirname(envFilepath), '.env.keys')
         envKeysFilepath = path.resolve(row.envKeysFilepath)
@@ -107,7 +108,8 @@ class Rotate {
         newPublicKey = kp.publicKey
         newPrivateKey = kp.privateKey
 
-        row.privateKeyAdded = true
+        row.localPrivateKeyAdded = true
+        row.remotePrivateKeyAdded = false
       }
 
       // .env

package/src/lib/services/sets.js

@@ -135,8 +135,9 @@ class Sets {
           envSrc = prov.envSrc
           publicKey = prov.publicKey
           privateKey = prov.privateKey
-          row.privateKeyAdded = prov.privateKeyAdded
           row.envKeysFilepath = prov.envKeysFilepath
+          row.localPrivateKeyAdded = prov.localPrivateKeyAdded
+          row.remotePrivateKeyAdded = prov.remotePrivateKeyAdded
         } else if (privateKeyValue) {
           const prov = provisionWithPrivateKey({ envSrc, envFilepath, keysFilepath: this.envKeysFilepath, privateKeyValue, publicKeyValue, publicKeyName })
           publicKey = prov.publicKey
@@ -240,8 +241,9 @@ class Sets {
           envSrc = prov.envSrc
           publicKey = prov.publicKey
           privateKey = prov.privateKey
-          row.privateKeyAdded = prov.privateKeyAdded
           row.envKeysFilepath = prov.envKeysFilepath
+          row.localPrivateKeyAdded = prov.localPrivateKeyAdded
+          row.remotePrivateKeyAdded = prov.remotePrivateKeyAdded
         } else if (privateKeyValue) {
           const prov = provisionWithPrivateKey({ envSrc, envFilepath, keysFilepath: this.envKeysFilepath, privateKeyValue, publicKeyValue, publicKeyName })
           publicKey = prov.publicKey