@rowlabs/ev 0.4.5 → 0.5.1

package/dist/index.js

@@ -6735,7 +6735,7 @@ var init_auth = __esm({
 
 // src/index.ts
 init_dist();
-import { Command as Command20 } from "commander";
+import { Command as Command22 } from "commander";
 
 // src/commands/login.ts
 init_dist();
@@ -7573,7 +7573,7 @@ envCommand.command("create <name>").description("Create a new environment").acti
     async ({ context, spinner }) => {
       const client = await createApiClient();
       const project = await client.getProject(context.project);
-      const app = context.app ? project.apps.find((a2) => a2.name.toLowerCase() === context.app.toLowerCase()) : project.apps.find((a2) => a2.name === "default") ?? project.apps[0];
+      const app = context.app ? project.apps.find((a2) => a2.name.toLowerCase() === context.app?.toLowerCase()) : project.apps.find((a2) => a2.name === "default") ?? project.apps[0];
       if (!app) {
         spinner.fail(chalk10.red("App not found"));
         process.exit(1);
@@ -7605,7 +7605,7 @@ envCommand.command("delete <name>").description("Delete an environment").action(
     async ({ context, spinner }) => {
       const client = await createApiClient();
       const project = await client.getProject(context.project);
-      const app = context.app ? project.apps.find((a2) => a2.name.toLowerCase() === context.app.toLowerCase()) : project.apps.find((a2) => a2.name === "default") ?? project.apps[0];
+      const app = context.app ? project.apps.find((a2) => a2.name.toLowerCase() === context.app?.toLowerCase()) : project.apps.find((a2) => a2.name === "default") ?? project.apps[0];
       if (!app) {
         spinner.fail(chalk10.red("App not found"));
         process.exit(1);
@@ -8642,12 +8642,16 @@ var completionsCommand = new Command16("completions").description("Generate shel
 });
 
 // src/commands/scan.ts
-init_dist();
 init_api_client();
 init_config();
 import { Command as Command17 } from "commander";
 import chalk19 from "chalk";
 import ora11 from "ora";
+import { stat as stat2 } from "fs/promises";
+import { join as join9 } from "path";
+
+// src/lib/scanner.ts
+init_dist();
 import { readdir, readFile as readFile6, stat } from "fs/promises";
 import { existsSync as existsSync6 } from "fs";
 import { join as join8, extname } from "path";
@@ -8729,7 +8733,7 @@ async function scanDir(dir) {
             const varName = match[1];
             if (IGNORE_VARS.has(varName)) continue;
             if (!results.has(varName)) results.set(varName, /* @__PURE__ */ new Set());
-            results.get(varName).add(fullPath);
+            results.get(varName)?.add(fullPath);
           }
         }
       }
@@ -8752,6 +8756,8 @@ async function getLocalEnvKeys(dir, configEnvFiles) {
   }
   return keys;
 }
+
+// src/commands/scan.ts
 function printTable(label, refs, envData, repoRoot, showFiles, localKeys) {
   const varNames = [...refs.keys()].sort();
   if (varNames.length === 0) return 0;
@@ -8787,7 +8793,7 @@ function printTable(label, refs, envData, repoRoot, showFiles, localKeys) {
     if (!allPresent) missingCount++;
     console.log(row);
     if (showFiles) {
-      const files = refs.get(varName);
+      const files = refs.get(varName) ?? [];
       for (const file of files) {
         const relative = file.replace(repoRoot + "/", "");
         console.log(chalk19.dim(`    \u2192 ${relative}`));
@@ -8831,9 +8837,9 @@ var scanCommand = new Command17("scan").description("Scan codebase for env var r
       let totalMissing = 0;
       let totalVars = 0;
       for (const [appName, appConfig] of Object.entries(config.apps)) {
-        const appDir = join8(repoRoot, appConfig.path);
+        const appDir = join9(repoRoot, appConfig.path);
         try {
-          await stat(appDir);
+          await stat2(appDir);
         } catch {
           continue;
         }
@@ -8885,7 +8891,7 @@ var scanCommand = new Command17("scan").description("Scan codebase for env var r
       }
       console.log();
     } else {
-      const scanRoot = context.app && config.apps?.[context.app] ? join8(repoRoot, config.apps[context.app].path) : cwd;
+      const scanRoot = context.app && config.apps?.[context.app] ? join9(repoRoot, config.apps[context.app].path) : cwd;
       const refs = await scanDir(scanRoot);
       if (refs.size === 0) {
         spinner.succeed(
@@ -8934,7 +8940,7 @@ var updateCommand = new Command18("update").description("Update ev to the latest
   const spinner = ora12("Checking for updates...").start();
   try {
     const latest = execSync2("npm view @rowlabs/ev version", { encoding: "utf-8" }).trim();
-    const current = "0.4.5";
+    const current = "0.5.1";
     if (current === latest) {
       spinner.succeed(chalk20.green(`Already on the latest version (${current})`));
       return;
@@ -9029,9 +9035,369 @@ function prompt2(question) {
   });
 }
 
+// src/commands/audit.ts
+init_api_client();
+init_config();
+import { Command as Command20 } from "commander";
+import chalk22 from "chalk";
+import ora14 from "ora";
+import { stat as stat3 } from "fs/promises";
+import { join as join10 } from "path";
+var isTTY = process.stdout.isTTY && !process.env.NO_COLOR;
+function stripAnsi(str) {
+  const ESC = String.fromCharCode(27);
+  return str.replace(new RegExp(`${ESC}\\[[0-9;]*m`, "g"), "");
+}
+function log(msg) {
+  console.log(isTTY ? msg : stripAnsi(msg));
+}
+async function auditApp(appName, envName, scanPath, projectId) {
+  const client = await createApiClient();
+  const project = await client.getProject(projectId);
+  const serverApp = project.apps.find((a2) => a2.name.toLowerCase() === appName.toLowerCase());
+  if (!serverApp) {
+    log(isTTY ? chalk22.red(`  App "${appName}" not found on server`) : `ERROR: App "${appName}" not found on server`);
+    process.exit(1);
+  }
+  const envs = await client.listEnvironments(serverApp.id);
+  const serverEnv = envs.find((e) => e.name.toLowerCase() === envName.toLowerCase());
+  if (!serverEnv) {
+    log(isTTY ? chalk22.red(`  Environment "${envName}" not found for app "${appName}"`) : `ERROR: Environment "${envName}" not found for app "${appName}"`);
+    process.exit(1);
+  }
+  const response = await client.pullSecrets(serverEnv.id);
+  const remoteKeys = new Set(response.secrets.map((s2) => s2.key));
+  const refs = await scanDir(scanPath);
+  const referencedVars = [...refs.keys()];
+  const missingVars = referencedVars.filter((v2) => !remoteKeys.has(v2));
+  return {
+    label: `${appName}:${envName}`,
+    total: referencedVars.length,
+    missing: missingVars
+  };
+}
+function printResult(result) {
+  if (result.missing.length === 0) {
+    const msg = `  ${result.label} \u2014 ${result.total} variable${result.total === 1 ? "" : "s"}, all present \u2714`;
+    log(isTTY ? chalk22.green(msg) : msg);
+  } else {
+    const header = `  ${result.label} \u2014 ${result.missing.length} missing`;
+    log(isTTY ? chalk22.yellow(header) : header);
+    log("");
+    for (const v2 of result.missing) {
+      log(isTTY ? `  ${chalk22.red(v2)}` : `  ${v2}`);
+    }
+  }
+}
+var auditCommand = new Command20("audit").description("Check that all env vars referenced in code exist in a remote environment").argument("[target]", "Target environment name (defaults to defaultEnv from ev.yaml)").action(async (target) => {
+  const spinner = isTTY ? ora14("Resolving context...").start() : null;
+  try {
+    const resolved = await resolveCurrentContext(target);
+    if (!resolved) {
+      if (spinner) spinner.fail(chalk22.red("No ev.yaml found. Run `ev init` first."));
+      else log("ERROR: No ev.yaml found. Run `ev init` first.");
+      process.exit(1);
+    }
+    const { context, repoRoot } = resolved;
+    const envName = target ?? context.env;
+    const config = await loadEvConfig(process.cwd());
+    if (!config) {
+      if (spinner) spinner.fail(chalk22.red("Could not load ev.yaml"));
+      else log("ERROR: Could not load ev.yaml");
+      process.exit(1);
+    }
+    const cwd = process.cwd();
+    const isAtRoot = cwd === repoRoot;
+    const hasApps = config.apps && Object.keys(config.apps).length > 0;
+    const results = [];
+    if (isAtRoot && hasApps) {
+      if (spinner) spinner.text = "Auditing all apps...";
+      for (const [appName, appConfig] of Object.entries(config.apps ?? {})) {
+        const appDir = join10(repoRoot, appConfig.path);
+        try {
+          await stat3(appDir);
+        } catch {
+          continue;
+        }
+        if (spinner) spinner.text = `Auditing ${appName}:${envName}...`;
+        const result = await auditApp(appName, envName, appDir, context.project);
+        results.push(result);
+      }
+    } else {
+      const appName = context.app ?? "default";
+      const scanPath = context.app && config.apps?.[context.app] ? join10(repoRoot, config.apps[context.app].path) : cwd;
+      if (spinner) spinner.text = `Auditing ${appName}:${envName}...`;
+      const result = await auditApp(appName, envName, scanPath, context.project);
+      results.push(result);
+    }
+    if (spinner) spinner.stop();
+    const totalVars = results.reduce((sum, r2) => sum + r2.total, 0);
+    if (totalVars === 0) {
+      log(isTTY ? chalk22.green("  No environment variable references found in code.") : "No environment variable references found in code.");
+      process.exit(0);
+    }
+    log("");
+    for (const result of results) {
+      printResult(result);
+      log("");
+    }
+    const anyMissing = results.some((r2) => r2.missing.length > 0);
+    if (anyMissing) {
+      log(isTTY ? chalk22.red("  \u2717 Audit failed") : "FAIL");
+      process.exit(1);
+    } else {
+      process.exit(0);
+    }
+  } catch (err) {
+    if (spinner) spinner.fail(chalk22.red(`Audit failed: ${err.message}`));
+    else log(`ERROR: Audit failed: ${err.message}`);
+    process.exit(1);
+  }
+});
+
+// src/commands/clean.ts
+init_dist();
+init_api_client();
+init_config();
+init_auth();
+import { Command as Command21 } from "commander";
+import chalk23 from "chalk";
+import ora15 from "ora";
+import { join as join11 } from "path";
+import { readFile as readFile7, writeFile as writeFile6, stat as stat4 } from "fs/promises";
+import { existsSync as existsSync7 } from "fs";
+var isTTY2 = process.stdout.isTTY && !process.env.NO_COLOR;
+function stripAnsi2(str) {
+  const ESC = String.fromCharCode(27);
+  return str.replace(new RegExp(`${ESC}\\[[0-9;]*m`, "g"), "");
+}
+function log2(msg) {
+  console.log(isTTY2 ? msg : stripAnsi2(msg));
+}
+async function findDeadSecrets(appName, envName, envDir, repoRoot, projectId, envFiles) {
+  const client = await createApiClient();
+  const project = await client.getProject(projectId);
+  const serverApp = project.apps.find((a2) => a2.name.toLowerCase() === appName.toLowerCase());
+  if (!serverApp) {
+    log2(
+      isTTY2 ? chalk23.red(`  App "${appName}" not found on server`) : `ERROR: App "${appName}" not found on server`
+    );
+    process.exit(1);
+  }
+  const envs = await client.listEnvironments(serverApp.id);
+  const serverEnv = envs.find((e) => e.name.toLowerCase() === envName.toLowerCase());
+  if (!serverEnv) {
+    log2(
+      isTTY2 ? chalk23.red(`  Environment "${envName}" not found for app "${appName}"`) : `ERROR: Environment "${envName}" not found for app "${appName}"`
+    );
+    process.exit(1);
+  }
+  const refs = await scanDir(repoRoot);
+  const referencedKeys = new Set(refs.keys());
+  const localKeyFiles = /* @__PURE__ */ new Map();
+  for (const envFile of envFiles) {
+    const filePath = join11(envDir, envFile);
+    if (existsSync7(filePath)) {
+      const content = await readFile7(filePath, "utf-8");
+      const parsed = parseEnvFile(content);
+      for (const key of Object.keys(parsed)) {
+        if (!localKeyFiles.has(key)) localKeyFiles.set(key, []);
+        localKeyFiles.get(key)?.push(filePath);
+      }
+    }
+  }
+  const response = await client.pullSecrets(serverEnv.id);
+  const remoteKeys = new Set(response.secrets.map((s2) => s2.key));
+  const allKeys = /* @__PURE__ */ new Set([...localKeyFiles.keys(), ...remoteKeys]);
+  const dead = [];
+  for (const key of allKeys) {
+    if (!referencedKeys.has(key)) {
+      dead.push({
+        key,
+        inLocal: localKeyFiles.has(key),
+        inRemote: remoteKeys.has(key)
+      });
+    }
+  }
+  const affectedFiles = /* @__PURE__ */ new Set();
+  for (const d2 of dead) {
+    if (d2.inLocal) {
+      for (const f2 of localKeyFiles.get(d2.key) ?? []) {
+        affectedFiles.add(f2);
+      }
+    }
+  }
+  return {
+    label: `${appName}:${envName}`,
+    dead,
+    localFiles: [...affectedFiles],
+    envName: serverEnv.id,
+    projectId,
+    appName,
+    codeRefCount: referencedKeys.size
+  };
+}
+function printDeadTable(result) {
+  const { label, dead } = result;
+  const count = dead.length;
+  if (count === 0) {
+    const msg = `  ${label} \u2014 no unused secrets found`;
+    log2(isTTY2 ? chalk23.green(msg) : msg);
+    return;
+  }
+  const header = `  ${label} \u2014 ${count} unused secret${count === 1 ? "" : "s"} found`;
+  log2(isTTY2 ? chalk23.yellow(header) : header);
+  log2("");
+  const maxKeyLen = Math.max(8, ...dead.map((d2) => d2.key.length));
+  const keyCol = maxKeyLen + 2;
+  const headerLine = "  " + "Variable".padEnd(keyCol) + "local     remote";
+  log2(isTTY2 ? chalk23.dim(headerLine) : headerLine);
+  const divider = "  " + "\u2500".repeat(keyCol + 16);
+  log2(isTTY2 ? chalk23.dim(divider) : divider);
+  for (const d2 of dead) {
+    const localMark = d2.inLocal ? isTTY2 ? chalk23.green("\u2713") : "\u2713" : isTTY2 ? chalk23.dim("\u2013") : "\u2013";
+    const remoteMark = d2.inRemote ? isTTY2 ? chalk23.green("\u2713") : "\u2713" : isTTY2 ? chalk23.dim("\u2013") : "\u2013";
+    const paddedKey = d2.key.padEnd(keyCol);
+    log2(`  ${isTTY2 ? chalk23.red(d2.key) + " ".repeat(keyCol - d2.key.length) : paddedKey}${localMark}         ${remoteMark}`);
+  }
+  log2("");
+}
+async function cleanApp(result, deadSet, envFiles, scanPath, backendConfig) {
+  const isEvBackend = !backendConfig || backendConfig.type === "ev";
+  for (const envFile of envFiles) {
+    const filePath = join11(scanPath, envFile);
+    if (!existsSync7(filePath)) continue;
+    const content = await readFile7(filePath, "utf-8");
+    const parsed = parseEnvFile(content);
+    const filtered = {};
+    for (const [k2, v2] of Object.entries(parsed)) {
+      if (!deadSet.has(k2)) filtered[k2] = v2;
+    }
+    if (Object.keys(filtered).length < Object.keys(parsed).length) {
+      await writeFile6(filePath, serializeEnv(filtered), "utf-8");
+      log2(isTTY2 ? `  ${chalk23.green("\u2713")} Cleaned ${envFile}` : `  \u2713 Cleaned ${envFile}`);
+    }
+  }
+  const deadRemoteKeys = result.dead.filter((d2) => d2.inRemote).map((d2) => d2.key);
+  if (deadRemoteKeys.length > 0) {
+    const client = await createApiClient();
+    const pullResponse = await client.pullSecrets(result.envName);
+    const kept = pullResponse.secrets.filter((s2) => !deadSet.has(s2.key));
+    let secrets;
+    if (isEvBackend) {
+      const projectKey = await getDecryptedProjectKey(result.projectId);
+      secrets = kept.map((s2) => {
+        const decrypted = decryptSecret(s2.encryptedValue, projectKey);
+        const reEncrypted = encryptSecret(decrypted, projectKey);
+        return { key: s2.key, encryptedValue: reEncrypted };
+      });
+    } else {
+      secrets = kept.map((s2) => ({ key: s2.key, encryptedValue: s2.encryptedValue }));
+    }
+    await client.pushSecrets(result.envName, {
+      secrets,
+      prune: true,
+      message: "ev clean: removed unused secrets"
+    });
+    log2(
+      isTTY2 ? `  ${chalk23.green("\u2713")} Removed ${deadRemoteKeys.length} from ${result.label} remote` : `  \u2713 Removed ${deadRemoteKeys.length} from ${result.label} remote`
+    );
+  }
+}
+var cleanCommand = new Command21("clean").description("Find and remove unused secrets from local env files and remote environments").argument("[target]", "Target environment name (defaults to defaultEnv from ev.yaml)").action(async (target) => {
+  const spinner = isTTY2 ? ora15("Resolving context...").start() : null;
+  try {
+    const resolved = await resolveCurrentContext(target);
+    if (!resolved) {
+      if (spinner) spinner.fail(chalk23.red("No ev.yaml found. Run `ev init` first."));
+      else log2("ERROR: No ev.yaml found. Run `ev init` first.");
+      process.exit(1);
+    }
+    const { context, repoRoot, backendConfig, envFiles } = resolved;
+    const envName = target ?? context.env;
+    const config = await loadEvConfig(process.cwd());
+    if (!config) {
+      if (spinner) spinner.fail(chalk23.red("Could not load ev.yaml"));
+      else log2("ERROR: Could not load ev.yaml");
+      process.exit(1);
+    }
+    const cwd = process.cwd();
+    const isAtRoot = cwd === repoRoot;
+    const hasApps = config.apps && Object.keys(config.apps).length > 0;
+    const results = [];
+    const scanPaths = /* @__PURE__ */ new Map();
+    if (isAtRoot && hasApps) {
+      if (spinner) spinner.text = "Scanning all apps...";
+      for (const [appName, appConfig] of Object.entries(config.apps ?? {})) {
+        const appDir = join11(repoRoot, appConfig.path);
+        try {
+          await stat4(appDir);
+        } catch {
+          continue;
+        }
+        if (spinner) spinner.text = `Scanning ${appName}:${envName}...`;
+        const result = await findDeadSecrets(
+          appName,
+          envName,
+          appDir,
+          repoRoot,
+          context.project,
+          envFiles
+        );
+        results.push(result);
+        scanPaths.set(appName, appDir);
+      }
+    } else {
+      const appName = context.app ?? "default";
+      const scanPath = context.app && config.apps?.[context.app] ? join11(repoRoot, config.apps[context.app].path) : cwd;
+      if (spinner) spinner.text = `Scanning ${appName}:${envName}...`;
+      const result = await findDeadSecrets(
+        appName,
+        envName,
+        scanPath,
+        repoRoot,
+        context.project,
+        envFiles
+      );
+      results.push(result);
+      scanPaths.set(appName, scanPath);
+    }
+    if (spinner) spinner.stop();
+    const totalCodeRefs = results.reduce((sum, r2) => sum + r2.codeRefCount, 0);
+    if (totalCodeRefs === 0) {
+      log2(
+        "No env var references found in code \u2014 can't determine what's unused."
+      );
+      process.exit(0);
+    }
+    log2("");
+    for (const result of results) {
+      printDeadTable(result);
+      if (result.dead.length === 0) continue;
+      const deadSet = new Set(result.dead.map((d2) => d2.key));
+      const appScanPath = scanPaths.get(result.appName) ?? repoRoot;
+      const answer = await prompt(
+        isTTY2 ? `  Remove these ${result.dead.length} secret${result.dead.length === 1 ? "" : "s"}? (y/N) ` : `Remove these ${result.dead.length} secrets? (y/N) `
+      );
+      if (answer.toLowerCase() !== "y") {
+        log2(isTTY2 ? chalk23.dim("  Skipped.") : "  Skipped.");
+        log2("");
+        continue;
+      }
+      log2("");
+      await cleanApp(result, deadSet, envFiles, appScanPath, backendConfig);
+      log2("");
+    }
+  } catch (err) {
+    if (spinner) spinner.fail(chalk23.red(`Clean failed: ${err.message}`));
+    else log2(`ERROR: Clean failed: ${err.message}`);
+    process.exit(1);
+  }
+});
+
 // src/index.ts
-var program = new Command20();
-program.name("ev").description("Git for env vars \u2014 sync environment variables across teams securely").version("0.4.5");
+var program = new Command22();
+program.name("ev").description("Git for env vars \u2014 sync environment variables across teams securely").version("0.5.1");
 program.addCommand(loginCommand);
 program.addCommand(initCommand);
 program.addCommand(pushCommand);
@@ -9051,6 +9417,8 @@ program.addCommand(completionsCommand);
 program.addCommand(scanCommand);
 program.addCommand(updateCommand);
 program.addCommand(deleteCommand);
+program.addCommand(auditCommand);
+program.addCommand(cleanCommand);
 async function main() {
   await initCrypto();
   program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@rowlabs/ev",
-	"version": "0.4.5",
+	"version": "0.5.1",
 	"description": "Git for env vars — sync environment variables across teams securely",
 	"type": "module",
 	"bin": {