@dotenvx/dotenvx 1.9.0 → 1.10.0

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.9.0...main)
+## [Unreleased](https://github.com/dotenvx/dotenvx/compare/v1.10.0...main)
+
+## 1.10.0
+
+### Removed
+
+* remove `dotenvx ext vault`, replace with [dotenvx-ext-vault](https://github.com/dotenvx/dotenvx-ext-vaut) (install there to continue using `ext vault`) ([#351](https://github.com/dotenvx/dotenvx/pull/351))
+
+## 1.9.1
+
+### Added
+
+* warn if private key is missing or blank ([#349](https://github.com/dotenvx/dotenvx/pull/349))
 
 ## 1.9.0
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.9.0",
+  "version": "1.10.0",
   "name": "@dotenvx/dotenvx",
   "description": "a better dotenv–from the creator of `dotenv`",
   "author": "@motdotla",
@@ -45,8 +45,7 @@
     "object-treeify": "1.1.33",
     "picomatch": "^4.0.2",
     "tinyexec": "^0.2.0",
-    "which": "^4.0.0",
-    "xxhashjs": "^0.2.2"
+    "which": "^4.0.0"
   },
   "devDependencies": {
     "capture-console": "^1.0.2",

package/src/cli/commands/ext.js

@@ -9,6 +9,9 @@ ext
   .description('🔌 extensions')
   .allowUnknownOption()
 
+// list known extensions here you want to display
+ext.addHelpText('after', '  vault                             🔐 manage .env.vault files')
+
 ext
   .argument('[command]', 'dynamic ext command')
   .argument('[args...]', 'dynamic ext command arguments')
@@ -55,6 +58,4 @@ ext.command('scan')
   .description('scan for leaked secrets')
   .action(require('./../actions/ext/scan'))
 
-ext.addCommand(require('./../commands/ext/vault'))
-
 module.exports = ext

package/src/cli/examples.js

@@ -22,32 +22,6 @@ Try it:
   `
 }
 
-const vaultEncrypt = function () {
-  return `
-Examples:
-
-  \`\`\`
-  $ dotenvx ext vault encrypt
-  \`\`\`
-
-Try it:
-
-  \`\`\`
-  $ echo "HELLO=World" > .env
-  $ echo "HELLO=production" > .env.production
-  $ echo "console.log('Hello ' + process.env.HELLO)" > index.js
-
-  $ dotenvx ext vault encrypt
-  encrypted to .env.vault (.env,.env.production)
-  keys added to .env.keys (DOTENV_KEY_PRODUCTION,DOTENV_KEY_PRODUCTION)
-
-  $ DOTENV_KEY='<dotenv_key_production>' dotenvx run -- node index.js
-  [dotenvx] injecting env (1) from encrypted .env.vault
-  Hello production
-  \`\`\`
-  `
-}
-
 const precommit = function () {
   return `
 Examples:
@@ -117,7 +91,6 @@ Examples:
 
 module.exports = {
   run,
-  vaultEncrypt,
   precommit,
   prebuild,
   gitignore,

package/src/lib/helpers/decryptValue.js

@@ -3,35 +3,41 @@ const { decrypt } = require('eciesjs')
 const PREFIX = 'encrypted:'
 
 function decryptValue (value, privateKey) {
+  let decryptedValue
+  let decryptionError
+
   if (!value.startsWith(PREFIX)) {
     return value
   }
 
-  const privateKeys = privateKey.split(',')
-
-  let decryptedValue
-  let decryptionError
-  for (const key of privateKeys) {
-    const secret = Buffer.from(key, 'hex')
-    const encoded = value.substring(PREFIX.length)
-    const ciphertext = Buffer.from(encoded, 'base64')
-
-    try {
-      decryptedValue = decrypt(secret, ciphertext).toString()
-      decryptionError = null // reset to null error (scenario for multiple private keys)
-      break
-    } catch (e) {
-      if (e.message === 'Invalid private key') {
-        decryptionError = new Error('private key looks invalid')
-      } else if (e.message === 'Unsupported state or unable to authenticate data') {
-        decryptionError = new Error('private key looks wrong')
-      } else if (e.message === 'Point of length 65 was invalid. Expected 33 compressed bytes or 65 uncompressed bytes') {
-        decryptionError = new Error('encrypted data looks malformed')
-      } else {
-        decryptionError = new Error(`${e.message}`)
+  privateKey = privateKey || ''
+  if (privateKey.length <= 0) {
+    decryptionError = new Error('private key missing or blank')
+    decryptionError.code = 'DECRYPTION_FAILED'
+  } else {
+    const privateKeys = privateKey.split(',')
+    for (const key of privateKeys) {
+      const secret = Buffer.from(key, 'hex')
+      const encoded = value.substring(PREFIX.length)
+      const ciphertext = Buffer.from(encoded, 'base64')
+
+      try {
+        decryptedValue = decrypt(secret, ciphertext).toString()
+        decryptionError = null // reset to null error (scenario for multiple private keys)
+        break
+      } catch (e) {
+        if (e.message === 'Invalid private key') {
+          decryptionError = new Error('private key looks invalid')
+        } else if (e.message === 'Unsupported state or unable to authenticate data') {
+          decryptionError = new Error('private key looks wrong')
+        } else if (e.message === 'Point of length 65 was invalid. Expected 33 compressed bytes or 65 uncompressed bytes') {
+          decryptionError = new Error('encrypted data looks malformed')
+        } else {
+          decryptionError = new Error(`${e.message}`)
+        }
+
+        decryptionError.code = 'DECRYPTION_FAILED'
       }
-
-      decryptionError.code = 'DECRYPTION_FAILED'
     }
   }
 

package/src/lib/helpers/executeExtension.js

@@ -22,10 +22,10 @@ function executeExtension (ext, command, rawArgs) {
 
   const result = childProcess.spawnSync(`dotenvx-ext-${command}`, forwardedArgs, { stdio: 'inherit', env })
   if (result.error) {
-    if (command === 'vault') {
-      // when ready, uncomment to deprecate ext vault
-      // logger.warn(`[INSTALLATION_NEEDED] install dotenvx-ext-${command} to use [dotenvx ext ${command}] commands`)
-      // logger.help('? see installation instructions [https://github.com/dotenvx/dotenvx-ext-vault]')
+    // list known extension here for convenience to the user
+    if (['vault', 'hub'].includes(command)) {
+      logger.warn(`[INSTALLATION_NEEDED] install dotenvx-ext-${command} to use [dotenvx ext ${command}] commands`)
+      logger.help('? see installation instructions [https://github.com/dotenvx/dotenvx-ext-vault]')
     } else {
       logger.info(`error: unknown command '${command}'`)
     }

package/src/lib/helpers/parseDecryptEvalExpand.js

@@ -4,8 +4,8 @@ const dotenvExpand = require('./dotenvExpand')
 const decryptValue = require('./decryptValue')
 const truncate = require('./truncate')
 
-function warning (e, key, privateKey) {
-  const warning = new Error(`[${e.code}] could not decrypt ${key} using private key ${truncate(privateKey)}`)
+function warning (e, key, privateKey = null) {
+  const warning = new Error(`[${e.code}] could not decrypt ${key} using private key '${truncate(privateKey)}'`)
   warning.code = e.code
   warning.help = `[${e.code}] ? ${e.message}`
 
@@ -17,14 +17,12 @@ function parseDecryptEvalExpand (src, privateKey = null, processEnv = process.en
 
   // parse
   const parsed = dotenv.parse(src)
-  if (privateKey && privateKey.length > 0) {
-    for (const key in parsed) {
-      try {
-        const decryptedValue = decryptValue(parsed[key], privateKey)
-        parsed[key] = decryptedValue
-      } catch (_e) {
-        // do nothing. warnings tracked further below.
-      }
+  for (const key in parsed) {
+    try {
+      const decryptedValue = decryptValue(parsed[key], privateKey)
+      parsed[key] = decryptedValue
+    } catch (_e) {
+      // do nothing. warnings tracked further below.
     }
   }
 
@@ -41,22 +39,20 @@ function parseDecryptEvalExpand (src, privateKey = null, processEnv = process.en
     parsed: evaled
   }
   const expanded = dotenvExpand.expand(inputEvaled)
-  if (privateKey && privateKey.length > 0) {
-    for (const key in expanded.parsed) {
-      try {
-        const decryptedValue = decryptValue(expanded.parsed[key], privateKey)
-        expanded.parsed[key] = decryptedValue
-      } catch (e) {
-        warnings.push(warning(e, key, privateKey))
-      }
+  for (const key in expanded.parsed) {
+    try {
+      const decryptedValue = decryptValue(expanded.parsed[key], privateKey)
+      expanded.parsed[key] = decryptedValue
+    } catch (e) {
+      warnings.push(warning(e, key, privateKey))
     }
-    for (const key in processEnv) {
-      try {
-        const decryptedValue = decryptValue(processEnv[key], privateKey)
-        processEnv[key] = decryptedValue
-      } catch (e) {
-        warnings.push(warning(e, key, privateKey))
-      }
+  }
+  for (const key in processEnv) {
+    try {
+      const decryptedValue = decryptValue(processEnv[key], privateKey)
+      processEnv[key] = decryptedValue
+    } catch (e) {
+      warnings.push(warning(e, key, privateKey))
     }
   }
 

package/src/lib/helpers/truncate.js

@@ -1,6 +1,10 @@
 function truncate (str, showChar = 7) {
-  const visiblePart = str.slice(0, showChar)
-  return visiblePart + '…'
+  if (str && str.length > 0) {
+    const visiblePart = str.slice(0, showChar)
+    return visiblePart + '…'
+  } else {
+    return ''
+  }
 }
 
 module.exports = truncate

package/src/lib/main.d.ts

@@ -180,18 +180,6 @@ export function encrypt(
   key?: string | string[]
 ): EncryptOutput;
 
-export type VaultEncryptOutput = {
-  dotenvKeys: Record<string, string>;
-  dotenvKeysFile: string;
-  addedKeys: string[];
-  existingKeys: string[];
-  dotenvVaultFile: string;
-  addedVaults: string[];
-  existingVaults: string[];
-  addedDotenvFilenames: string[];
-  envFile: string | string[];
-};
-
 /**
  * List all env files in the current working directory
  *
@@ -288,22 +276,3 @@ export function genexample(
   directory: string,
   envFile: string
 ): GenExampleOutput;
-
-/**
- * Decrypt ciphertext
- * @param encrypted - the encrypted ciphertext string
- * @param keyStr - the decryption key string
- */
-export function vaultDecrypt(encrypted: string, keyStr: string): string;
-
-/**
- * Encrypt plaintext
- *
- * @see https://dotenvx.com/docs
- * @param directory - current working directory
- * @param envFile - path to the .env file(s)
- */
-export function vaultEncrypt(
-  directory?: string,
-  envFile?: string | string[]
-): VaultEncryptOutput;

package/src/lib/main.js

@@ -8,11 +8,9 @@ const Ls = require('./services/ls')
 const Get = require('./services/get')
 const Run = require('./services/run')
 const Sets = require('./services/sets')
-const Status = require('./services/status')
 const Encrypt = require('./services/encrypt')
 const Decrypt = require('./services/decrypt')
 const Genexample = require('./services/genexample')
-const VaultEncrypt = require('./services/vaultEncrypt')
 
 // helpers
 const dotenvOptionPaths = require('./helpers/dotenvOptionPaths')
@@ -198,43 +196,6 @@ const decrypt = function (envFile, key, excludeKey) {
   return new Decrypt(envFile, key, excludeKey).run()
 }
 
-/** @type {import('./main').status} */
-const status = function (directory) {
-  return new Status(directory).run()
-}
-
-// misc/cleanup
-
-/** @type {import('./main').vaultDecrypt} */
-const vaultDecrypt = function (encrypted, keyStr) {
-  try {
-    return dotenv.decrypt(encrypted, keyStr)
-  } catch (e) {
-    switch (e.code) {
-      case 'DECRYPTION_FAILED':
-        // more helpful error when decryption fails
-        logger.error(
-          '[DECRYPTION_FAILED] Unable to decrypt .env.vault with DOTENV_KEY.'
-        )
-        logger.help(
-          '[DECRYPTION_FAILED] Run with debug flag [dotenvx run --debug -- yourcommand] or manually run [echo $DOTENV_KEY] to compare it to the one in .env.keys.'
-        )
-        logger.debug(
-          `[DECRYPTION_FAILED] DOTENV_KEY is ${process.env.DOTENV_KEY}`
-        )
-        process.exit(1)
-        break
-      default:
-        throw e
-    }
-  }
-}
-
-/** @type {import('./main').vaultEncrypt} */
-const vaultEncrypt = function (directory, envFile) {
-  return new VaultEncrypt(directory, envFile).run()
-}
-
 module.exports = {
   // dotenv proxies
   config,
@@ -246,9 +207,5 @@ module.exports = {
   ls,
   get,
   set,
-  status,
-  genexample,
-  // misc/cleanup
-  vaultEncrypt,
-  vaultDecrypt
+  genexample
 }

package/src/cli/actions/ext/vault/decrypt.js

@@ -1,64 +0,0 @@
-const fs = require('fs')
-
-const { logger } = require('./../../../../shared/logger')
-
-const VaultDecrypt = require('./../../../../lib/services/vaultDecrypt')
-
-function decrypt (directory) {
-  logger.debug(`directory: ${directory}`)
-
-  const options = this.opts()
-  logger.debug(`options: ${JSON.stringify(options)}`)
-
-  try {
-    const {
-      processedEnvs,
-      changedFilenames,
-      unchangedFilenames
-    } = new VaultDecrypt(directory, options.environment).run()
-
-    for (const env of processedEnvs) {
-      if (env.warning) {
-        const warning = env.warning
-        logger.warn(warning.message)
-      } else {
-        if (env.shouldWrite) {
-          logger.debug(`writing ${env.filepath}`)
-          fs.writeFileSync(env.filepath, env.decrypted)
-        } else {
-          logger.debug(`no changes for ${env.filename}`)
-        }
-      }
-    }
-
-    let changedMsg = ''
-    if (changedFilenames.length > 0) {
-      changedMsg = `decrypted (${changedFilenames.join(', ')})`
-    }
-
-    let unchangedMsg = ''
-    if (unchangedFilenames.length > 0) {
-      unchangedMsg = `no changes (${unchangedFilenames.join(', ')})`
-    }
-
-    if (changedMsg.length > 0) {
-      logger.success(`${changedMsg} ${unchangedMsg}`)
-    } else {
-      logger.blank(`${unchangedMsg}`)
-    }
-  } catch (error) {
-    logger.error(error.message)
-    if (error.help) {
-      logger.help(error.help)
-    }
-    if (error.debug) {
-      logger.debug(error.debug)
-    }
-    if (error.code) {
-      logger.debug(`ERROR_CODE: ${error.code}`)
-    }
-    process.exit(1)
-  }
-}
-
-module.exports = decrypt

package/src/cli/actions/ext/vault/encrypt.js

@@ -1,78 +0,0 @@
-const fs = require('fs')
-const path = require('path')
-
-const main = require('./../../../../lib/main')
-const { logger } = require('./../../../../shared/logger')
-const pluralize = require('./../../../../lib/helpers/pluralize')
-
-function encrypt (directory) {
-  logger.debug(`directory: ${directory}`)
-
-  const options = this.opts()
-  logger.debug(`options: ${JSON.stringify(options)}`)
-
-  try {
-    const {
-      dotenvKeys,
-      dotenvKeysFile,
-      addedKeys,
-      existingKeys,
-      dotenvVaultFile,
-      addedVaults,
-      existingVaults,
-      addedDotenvFilenames,
-      envFile
-    } = main.vaultEncrypt(directory, options.envFile)
-
-    logger.verbose(`generating .env.keys from ${envFile}`)
-    if (addedKeys.length > 0) {
-      logger.verbose(`generated ${addedKeys}`)
-    }
-    if (existingKeys.length > 0) {
-      logger.verbose(`existing ${existingKeys}`)
-    }
-    fs.writeFileSync(path.resolve(directory, '.env.keys'), dotenvKeysFile)
-
-    logger.verbose(`generating .env.vault from ${envFile}`)
-    if (addedVaults.length > 0) {
-      logger.verbose(`encrypting ${addedVaults}`)
-    }
-    if (existingVaults.length > 0) {
-      logger.verbose(`existing ${existingVaults}`)
-    }
-    fs.writeFileSync(path.resolve(directory, '.env.vault'), dotenvVaultFile)
-
-    if (addedDotenvFilenames.length > 0) {
-      logger.success(`encrypted to .env.vault (${addedDotenvFilenames})`)
-      logger.help2('ℹ commit .env.vault to code: [git commit -am ".env.vault"]')
-    } else {
-      logger.blank(`no changes (${envFile})`)
-    }
-
-    if (addedKeys.length > 0) {
-      logger.success(`${pluralize('key', addedKeys.length)} added to .env.keys (${addedKeys})`)
-    }
-
-    if (addedVaults.length > 0) {
-      const DOTENV_VAULT_X = addedVaults[addedVaults.length - 1]
-      const DOTENV_KEY_X = DOTENV_VAULT_X.replace('_VAULT_', '_KEY_')
-      const tryKey = dotenvKeys[DOTENV_KEY_X]
-
-      logger.help2(`ℹ run [DOTENV_KEY='${tryKey}' dotenvx run -- yourcommand] to test decryption locally`)
-    }
-  } catch (error) {
-    logger.error(error.message)
-    if (error.help) {
-      logger.help(error.help)
-    }
-    if (error.debug) {
-      logger.debug(error.debug)
-    }
-    if (error.code) {
-      logger.debug(`ERROR_CODE: ${error.code}`)
-    }
-    process.exit(1)
-  }
-}
-
-module.exports = encrypt

package/src/cli/actions/ext/vault/migrate.js

@@ -1,30 +0,0 @@
-const { logger } = require('./../../../../shared/logger')
-
-function migrate () {
-  const options = this.opts()
-  logger.debug(`options: ${JSON.stringify(options)}`)
-
-  logger.help2('To migrate your .env.vault file to encrypted .env file(s):')
-  logger.help('')
-  logger.help('  1. Run [dotenvx ext vault decrypt]')
-  logger.help('  2. Run [ls -a .env*]')
-  logger.help('')
-  logger.help2('Lastly, encrypt each .env(.environment) file:')
-  logger.help('')
-  logger.help('  3. Run [dotenvx encrypt -f .env.production]')
-  logger.help2('')
-  logger.help2('For example:')
-  logger.help2('')
-  logger.help2('  $ dotenvx encrypt -f .env')
-  logger.help2('  $ dotenvx encrypt -f .env.ci')
-  logger.help2('  $ dotenvx encrypt -f .env.production')
-  logger.help2('')
-  logger.help2('Afterward:')
-  logger.help2('')
-  logger.help2('Update production with your new DOTENV_PRIVATE_KEY_PRODUCTION located in .env.keys')
-  logger.help2('')
-  logger.success('Learn more at [https://dotenvx.com/docs/quickstart#add-encryption]')
-  logger.help2('')
-}
-
-module.exports = migrate

package/src/cli/actions/ext/vault/status.js

@@ -1,78 +0,0 @@
-const { logger } = require('./../../../../shared/logger')
-
-const main = require('./../../../../lib/main')
-
-function status (directory) {
-  // debug args
-  logger.debug(`directory: ${directory}`)
-
-  const options = this.opts()
-  logger.debug(`options: ${JSON.stringify(options)}`)
-
-  try {
-    const { changes, nochanges, untracked } = main.status(directory)
-
-    const changeFilenames = []
-    const nochangeFilenames = []
-    const untrackedFilenames = []
-
-    for (const row of nochanges) {
-      nochangeFilenames.push(row.filename)
-    }
-
-    if (nochangeFilenames.length > 0) {
-      logger.blank(`no changes (${nochangeFilenames.join(', ')})`)
-    }
-
-    for (const row of changes) {
-      changeFilenames.push(row.filename)
-    }
-
-    if (changeFilenames.length > 0) {
-      logger.warn(`changes (${changeFilenames.join(', ')})`)
-    }
-
-    for (const row of changes) {
-      logger.blank('')
-      const padding = '    '
-      logger.blank(`${padding}\`\`\`${row.filename}`)
-      const paddedResult = row.coloredDiff.split('\n').map(line => padding + line).join('\n')
-      console.log(paddedResult)
-      logger.blank(`${padding}\`\`\``)
-    }
-
-    if (changeFilenames.length > 0) {
-      logger.blank('')
-      const optionalDirectory = directory === '.' ? '' : ` ${directory}`
-      logger.blank(`run [dotenvx encrypt${optionalDirectory}] to apply changes to .env.vault`)
-    }
-
-    if (nochangeFilenames.length < 1 && changeFilenames.length < 1) {
-      logger.warn('no .env* files.')
-      logger.help('? add one with [echo "HELLO=World" > .env] and then run [dotenvx status]')
-    }
-
-    for (const row of untracked) {
-      untrackedFilenames.push(row.filename)
-    }
-
-    if (untrackedFilenames.length > 0) {
-      logger.warn(`untracked (${untrackedFilenames.join(', ')})`)
-      logger.help(`? track them with [dotenvx ext vault encrypt ${directory}]`)
-    }
-  } catch (error) {
-    logger.error(error.message)
-    if (error.help) {
-      logger.help(error.help)
-    }
-    if (error.debug) {
-      logger.debug(error.debug)
-    }
-    if (error.code) {
-      logger.debug(`ERROR_CODE: ${error.code}`)
-    }
-    process.exit(1)
-  }
-}
-
-module.exports = status

package/src/cli/commands/ext/vault.js

@@ -1,36 +0,0 @@
-const { Command } = require('commander')
-
-const examples = require('./../../examples')
-
-const vault = new Command('vault')
-
-vault
-  .description('🔐 manage .env.vault files')
-
-// dotenvx ext vault migrate
-vault.command('migrate')
-  .description('instructions for migrating .env.vault to encrypted env file(s)')
-  .action(require('./../../actions/ext/vault/migrate'))
-
-// dotenvx ext vault encrypt
-vault.command('encrypt')
-  .description('encrypt .env.* to .env.vault')
-  .addHelpText('after', examples.vaultEncrypt)
-  .argument('[directory]', 'directory to encrypt', '.')
-  .option('-f, --env-file <paths...>', 'path(s) to your env file(s)')
-  .action(require('./../../actions/ext/vault/encrypt'))
-
-// dotenvx ext vault decrypt
-vault.command('decrypt')
-  .description('decrypt .env.vault to .env*')
-  .argument('[directory]', 'directory to decrypt', '.')
-  .option('-e, --environment <environments...>', 'environment(s) to decrypt')
-  .action(require('./../../actions/ext/vault/decrypt'))
-
-// dotenvx ext vault status
-vault.command('status')
-  .description('compare your .env* content(s) to your .env.vault decrypted content(s)')
-  .argument('[directory]', 'directory to check status against', '.')
-  .action(require('./../../actions/ext/vault/status'))
-
-module.exports = vault

package/src/lib/helpers/changed.js

@@ -1,10 +0,0 @@
-const decrypt = require('./decrypt')
-const hash = require('./hash')
-
-function changed (ciphertext, raw, dotenvKey) {
-  const decrypted = decrypt(ciphertext, dotenvKey)
-
-  return hash(decrypted) !== hash(raw)
-}
-
-module.exports = changed

package/src/lib/helpers/containsDirectory.js

@@ -1,7 +0,0 @@
-const path = require('path')
-
-function containsDirectory (filepath) {
-  return filepath.includes(path.sep)
-}
-
-module.exports = containsDirectory

package/src/lib/helpers/dotenvKeys.js

@@ -1,57 +0,0 @@
-const crypto = require('crypto')
-
-const guessEnvironment = require('./guessEnvironment')
-
-class DotenvKeys {
-  constructor (envFilepaths = [], dotenvKeys = {}) {
-    this.envFilepaths = envFilepaths // pass .env* filepaths to be encrypted
-    this.dotenvKeys = dotenvKeys // pass current parsed dotenv keys from .env.keys file
-  }
-
-  run () {
-    const addedKeys = new Set()
-    const existingKeys = new Set()
-
-    for (const filepath of this.envFilepaths) {
-      const environment = guessEnvironment(filepath)
-      const key = `DOTENV_KEY_${environment.toUpperCase()}`
-
-      let value = this.dotenvKeys[key]
-
-      // first time seeing new DOTENV_KEY_${environment}
-      if (!value || value.length === 0) {
-        value = this._generateDotenvKey(environment)
-
-        this.dotenvKeys[key] = value
-
-        addedKeys.add(key) // for info logging to user
-      } else {
-        existingKeys.add(key) // for info logging to user
-      }
-    }
-
-    let keysData = `#/!!!!!!!!!!!!!!!!!!!.env.keys!!!!!!!!!!!!!!!!!!!!!!/
-#/   DOTENV_KEYs. DO NOT commit to source control   /
-#/   [how it works](https://dotenvx.com/env-keys)   /
-#/--------------------------------------------------/\n`
-
-    for (const [key, value] of Object.entries(this.dotenvKeys)) {
-      keysData += `${key}="${value}"\n`
-    }
-
-    return {
-      dotenvKeys: this.dotenvKeys,
-      dotenvKeysFile: keysData,
-      addedKeys: [...addedKeys], // return set as array
-      existingKeys: [...existingKeys] // return set as array
-    }
-  }
-
-  _generateDotenvKey (environment) {
-    const rand = crypto.randomBytes(32).toString('hex')
-
-    return `dotenv://:key_${rand}@dotenvx.com/vault/.env.vault?environment=${environment.toLowerCase()}`
-  }
-}
-
-module.exports = DotenvKeys

package/src/lib/helpers/dotenvVault.js

@@ -1,60 +0,0 @@
-const path = require('path')
-
-const encrypt = require('./encrypt')
-const changed = require('./changed')
-const guessEnvironment = require('./guessEnvironment')
-const removePersonal = require('./removePersonal')
-
-class DotenvVault {
-  constructor (dotenvFiles = {}, dotenvKeys = {}, dotenvVaults = {}) {
-    this.dotenvFiles = dotenvFiles // key: filepath and value: filecontent
-    this.dotenvKeys = dotenvKeys // pass current parsed dotenv keys from .env.keys
-    this.dotenvVaults = dotenvVaults // pass current parsed dotenv vaults from .env.vault
-  }
-
-  run () {
-    const addedVaults = new Set()
-    const existingVaults = new Set()
-    const addedDotenvFilenames = new Set()
-
-    for (const [filepath, raw] of Object.entries(this.dotenvFiles)) {
-      const environment = guessEnvironment(filepath)
-      const vault = `DOTENV_VAULT_${environment.toUpperCase()}`
-
-      let ciphertext = this.dotenvVaults[vault]
-      const dotenvKey = this.dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
-
-      const cleanRaw = removePersonal(raw)
-
-      if (!ciphertext || ciphertext.length === 0 || changed(ciphertext, cleanRaw, dotenvKey)) {
-        ciphertext = encrypt(cleanRaw, dotenvKey)
-        this.dotenvVaults[vault] = ciphertext
-        addedVaults.add(vault) // for info logging to user
-
-        addedDotenvFilenames.add(path.basename(filepath)) // for info logging to user
-      } else {
-        existingVaults.add(vault) // for info logging to user
-      }
-    }
-
-    let vaultData = `#/-------------------.env.vault---------------------/
-#/         cloud-agnostic vaulting standard         /
-#/   [how it works](https://dotenvx.com/env-vault)  /
-#/--------------------------------------------------/\n\n`
-
-    for (const [vault, value] of Object.entries(this.dotenvVaults)) {
-      const environment = vault.replace('DOTENV_VAULT_', '').toLowerCase()
-      vaultData += `# ${environment}\n`
-      vaultData += `${vault}="${value}"\n\n`
-    }
-
-    return {
-      dotenvVaultFile: vaultData,
-      addedVaults: [...addedVaults], // return set as array
-      existingVaults: [...existingVaults], // return set as array
-      addedDotenvFilenames: [...addedDotenvFilenames] // return set as array
-    }
-  }
-}
-
-module.exports = DotenvVault

package/src/lib/helpers/hash.js

@@ -1,9 +0,0 @@
-const xxhash = require('xxhashjs')
-
-const XXHASH_SEED = 0xABCD // DO NOT CHANGE
-
-function hash (str) {
-  return xxhash.h32(str, XXHASH_SEED).toString(16)
-}
-
-module.exports = hash

package/src/lib/helpers/removePersonal.js

@@ -1,9 +0,0 @@
-const SPLIT_REGEX = /#\s*personal\.dotenv\s*/i
-
-function removePersonal (raw) {
-  const parts = raw.split(SPLIT_REGEX)
-
-  return parts[0]
-}
-
-module.exports = removePersonal

package/src/lib/services/status.js

@@ -1,114 +0,0 @@
-const fs = require('fs')
-const path = require('path')
-const diff = require('diff')
-
-const Ls = require('./ls')
-const VaultDecrypt = require('./vaultDecrypt')
-
-const containsDirectory = require('./../helpers/containsDirectory')
-const guessEnvironment = require('./../helpers/guessEnvironment')
-const { getColor } = require('./../../shared/colors')
-
-const ENCODING = 'utf8'
-
-class Status {
-  constructor (directory = '.') {
-    this.directory = directory
-    this.changes = []
-    this.nochanges = []
-    this.untracked = [] // not tracked in .env.vault
-  }
-
-  run () {
-    // get list of .env files
-    const files = new Ls(this.directory).run()
-    // iterate over each one
-    for (const filename of files) {
-      // skip file if directory
-      if (containsDirectory(filename)) {
-        continue
-      }
-
-      // skip file if .env.keys
-      if (filename.endsWith('.env.keys')) {
-        continue
-      }
-
-      // skip file if .env.vault
-      if (filename.endsWith('.env.vault')) {
-        continue
-      }
-
-      // skip file if .env.example
-      if (filename.endsWith('.env.example')) {
-        continue
-      }
-
-      // skip file if *.previous
-      if (filename.endsWith('.previous')) {
-        continue
-      }
-
-      const filepath = path.resolve(this.directory, filename)
-
-      const row = {}
-      row.filename = filename
-      row.filepath = filepath
-      row.environment = guessEnvironment(filepath)
-
-      // grab raw
-      row.raw = fs.readFileSync(filepath, { encoding: ENCODING })
-
-      // grab decrypted
-      const { processedEnvs } = new VaultDecrypt(this.directory, row.environment).run()
-      const result = processedEnvs[0]
-
-      // handle warnings
-      row.decrypted = result.decrypted
-      if (result.warning) {
-        this.untracked.push(row)
-        continue
-      }
-
-      // differences
-      row.differences = diff.diffWords(row.decrypted, row.raw)
-
-      // any changes?
-      const hasChanges = this._hasChanges(row.differences)
-
-      if (hasChanges) {
-        row.coloredDiff = row.differences.map(this._colorizeDiff).join('')
-        this.changes.push(row)
-      } else {
-        this.nochanges.push(row)
-      }
-    }
-
-    return {
-      changes: this.changes,
-      nochanges: this.nochanges,
-      untracked: this.untracked
-    }
-  }
-
-  _colorizeDiff (part) {
-    // If the part was added, color it green
-    if (part.added) {
-      return getColor('green')(part.value)
-    }
-
-    // If the part was removed, color it red
-    if (part.removed) {
-      return getColor('red')(part.value)
-    }
-
-    // No color for unchanged parts
-    return part.value
-  }
-
-  _hasChanges (differences) {
-    return differences.some(part => part.added || part.removed)
-  }
-}
-
-module.exports = Status

package/src/lib/services/vaultDecrypt.js

@@ -1,126 +0,0 @@
-const fs = require('fs')
-const path = require('path')
-const dotenv = require('dotenv')
-
-const ENCODING = 'utf8'
-
-const libDecrypt = require('./../../lib/helpers/decrypt')
-
-class VaultDecrypt {
-  constructor (directory = '.', environment) {
-    this.directory = directory
-    this.environment = environment
-
-    this.envKeysFilepath = path.resolve(this.directory, '.env.keys')
-    this.envVaultFilepath = path.resolve(this.directory, '.env.vault')
-
-    this.processedEnvs = []
-    this.changedFilenames = new Set()
-    this.unchangedFilenames = new Set()
-  }
-
-  run () {
-    if (!fs.existsSync(this.envVaultFilepath)) {
-      const code = 'MISSING_ENV_VAULT_FILE'
-      const message = `missing .env.vault (${this.envVaultFilepath})`
-      const help = `? generate one with [dotenvx ext vault encrypt ${this.directory}]`
-
-      const error = new Error(message)
-      error.code = code
-      error.help = help
-      throw error
-    }
-
-    if (!fs.existsSync(this.envKeysFilepath)) {
-      const code = 'MISSING_ENV_KEYS_FILE'
-      const message = `missing .env.keys (${this.envKeysFilepath})`
-      const help = '? a .env.keys file must be present in order to decrypt your .env.vault contents to .env file(s)'
-
-      const error = new Error(message)
-      error.code = code
-      error.help = help
-      throw error
-    }
-
-    const dotenvKeys = dotenv.configDotenv({ path: this.envKeysFilepath }).parsed
-    const dotenvVault = dotenv.configDotenv({ path: this.envVaultFilepath }).parsed
-    const environments = this._environments()
-
-    if (environments.length > 0) {
-      // iterate over the environments
-      for (const environment of environments) {
-        const value = dotenvKeys[`DOTENV_KEY_${environment.toUpperCase()}`]
-        const row = this._processRow(value, dotenvVault, environment)
-
-        this.processedEnvs.push(row)
-      }
-    } else {
-      for (const [dotenvKey, value] of Object.entries(dotenvKeys)) {
-        const environment = dotenvKey.replace('DOTENV_KEY_', '').toLowerCase()
-        const row = this._processRow(value, dotenvVault, environment)
-
-        this.processedEnvs.push(row)
-      }
-    }
-
-    return {
-      processedEnvs: this.processedEnvs,
-      changedFilenames: [...this.changedFilenames],
-      unchangedFilenames: [...this.unchangedFilenames]
-    }
-  }
-
-  _processRow (value, dotenvVault, environment) {
-    environment = environment.toLowerCase() // important so we don't later write .env.DEVELOPMENT for example
-    const vaultKey = `DOTENV_VAULT_${environment.toUpperCase()}`
-    const ciphertext = dotenvVault[vaultKey] // attempt to find ciphertext
-
-    const row = {}
-    row.environment = environment
-    row.dotenvKey = value ? value.trim() : value
-    row.ciphertext = ciphertext
-
-    if (ciphertext && ciphertext.length >= 1) {
-      // Decrypt
-      const decrypted = libDecrypt(ciphertext, value.trim())
-      row.decrypted = decrypted
-
-      // envFilename
-      // replace _ with . to support filenames like .env.development.local
-      let envFilename = `.env.${environment.replace('_', '.')}`
-      if (environment === 'development') {
-        envFilename = '.env'
-      }
-      row.filename = envFilename
-      row.filepath = path.resolve(this.directory, envFilename)
-
-      // check if exists and is changing
-      if (fs.existsSync(row.filepath) && (fs.readFileSync(row.filepath, { encoding: ENCODING }).toString() === decrypted)) {
-        this.unchangedFilenames.add(envFilename)
-      } else {
-        row.shouldWrite = true
-        this.changedFilenames.add(envFilename)
-      }
-    } else {
-      const message = `${vaultKey} missing in .env.vault: ${this.envVaultFilepath}`
-      const warning = new Error(message)
-      row.warning = warning
-    }
-
-    return row
-  }
-
-  _environments () {
-    if (this.environment === undefined) {
-      return []
-    }
-
-    if (!Array.isArray(this.environment)) {
-      return [this.environment]
-    }
-
-    return this.environment
-  }
-}
-
-module.exports = VaultDecrypt

package/src/lib/services/vaultEncrypt.js

@@ -1,118 +0,0 @@
-const fs = require('fs')
-const path = require('path')
-const dotenv = require('dotenv')
-
-const DotenvKeys = require('./../helpers/dotenvKeys')
-const DotenvVault = require('./../helpers/dotenvVault')
-
-const ENCODING = 'utf8'
-
-const findEnvFiles = require('../helpers/findEnvFiles')
-
-class VaultEncrypt {
-  constructor (directory = '.', envFile) {
-    this.directory = directory
-    this.envFile = envFile || findEnvFiles(directory)
-    // calculated
-    this.envKeysFilepath = path.resolve(this.directory, '.env.keys')
-    this.envVaultFilepath = path.resolve(this.directory, '.env.vault')
-  }
-
-  run () {
-    if (this.envFile.length < 1) {
-      const code = 'MISSING_ENV_FILES'
-      const message = 'no .env* files found'
-      const help = '? add one with [echo "HELLO=World" > .env] and then run [dotenvx ext vault encrypt]'
-
-      const error = new Error(message)
-      error.code = code
-      error.help = help
-      throw error
-    }
-
-    const parsedDotenvKeys = this._parsedDotenvKeys()
-    const parsedDotenvVaults = this._parsedDotenvVault()
-    const envFilepaths = this._envFilepaths()
-
-    // build filepaths to be passed to DotenvKeys
-    const uniqueEnvFilepaths = new Set()
-    for (const envFilepath of envFilepaths) {
-      const filepath = path.resolve(this.directory, envFilepath)
-      if (!fs.existsSync(filepath)) {
-        const code = 'MISSING_ENV_FILE'
-        const message = `file does not exist at [${filepath}]`
-        const help = `? add it with [echo "HELLO=World" > ${envFilepath}] and then run [dotenvx ext vault encrypt]`
-
-        const error = new Error(message)
-        error.code = code
-        error.help = help
-        throw error
-      }
-
-      uniqueEnvFilepaths.add(filepath)
-    }
-
-    // generate .env.keys string
-    const {
-      dotenvKeys,
-      dotenvKeysFile,
-      addedKeys,
-      existingKeys
-    } = new DotenvKeys([...uniqueEnvFilepaths], parsedDotenvKeys).run()
-
-    // build look up of .env filepaths and their raw content
-    const dotenvFiles = {}
-    for (const filepath of [...uniqueEnvFilepaths]) {
-      const raw = fs.readFileSync(filepath, ENCODING)
-      dotenvFiles[filepath] = raw
-    }
-
-    // generate .env.vault string
-    const {
-      dotenvVaultFile,
-      addedVaults,
-      existingVaults,
-      addedDotenvFilenames
-    } = new DotenvVault(dotenvFiles, dotenvKeys, parsedDotenvVaults).run()
-
-    return {
-      // from DotenvKeys
-      dotenvKeys,
-      dotenvKeysFile,
-      addedKeys,
-      existingKeys,
-      // from DotenvVault
-      dotenvVaultFile,
-      addedVaults,
-      existingVaults,
-      addedDotenvFilenames,
-      envFile: this.envFile
-    }
-  }
-
-  _envFilepaths () {
-    if (!Array.isArray(this.envFile)) {
-      return [this.envFile]
-    }
-
-    return this.envFile
-  }
-
-  _parsedDotenvKeys () {
-    const options = {
-      path: this.envKeysFilepath
-    }
-
-    return dotenv.configDotenv(options).parsed
-  }
-
-  _parsedDotenvVault () {
-    const options = {
-      path: this.envVaultFilepath
-    }
-
-    return dotenv.configDotenv(options).parsed
-  }
-}
-
-module.exports = VaultEncrypt