npm - @saasak/tool-env - Versions diffs - 1.0.2 → 1.2.0 - Mend

@saasak/tool-env 1.0.2 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/README.md CHANGED Viewed

@@ -14,10 +14,11 @@
 ## TODOs
-[] Handle encryption
-[] Handle variable composition everywhere (not just in overrides)
-[] Create runtime library to read vars (even encrypted)
-[] Handle env.local files
+- [x] Handle encryption
+- [ ] Fix not scoped package detection (if one package is not scope, it fails with pkg.name something)
+- [ ] Handle variable composition everywhere (not just in overrides)
+- [x] Create runtime library to read vars (even encrypted)
+- [x] Handle env.local files
 ## Open questions
@@ -46,6 +47,26 @@ or
 WRENV_TARGET=staging bun run env:update
 ```
+### Writing all environments
+Use `--target all` to write environment files for all configured environments at once.
+This creates suffixed files using conventional names (`.env.development`, `.env.staging`, `.env.production`) instead of a single `.env` file.
+Internal names are mapped to conventional output names:
+- `dev` → `.env.development`
+- `preprod` → `.env.staging`
+- `production` → `.env.production`
+```bash
+wrenv --secret ~/.big-secret write --target all
+```
+This is useful for:
+- CI/CD pipelines that need all environment configurations
+- Docker builds that copy environment-specific files
+- Pre-generating all env files for deployment
+- Compatibility with Next.js, Vite, and other frameworks that use conventional env file names
 you can also pass the secret via an env variable (Even though it is not really encouraged)
 ```bash
 WRENV_SECRET=super-secret WRENV_TARGET=prod npm run env:update

package/bin/index.js CHANGED Viewed

@@ -1,71 +1,72 @@
 #!/usr/bin/env node
-import minimist from 'minimist';
-import fs from 'fs-extra';
-import path from 'path';
-import { execa } from 'execa';
-import { buildEnv } from '../src/utils-env.js';
-import { findMonorepoPackages } from '../src/utils-pkg.js';
-import { encrypt, isEncrypted } from '../src/utils-crypto.js';
-const args = minimist(process.argv.slice(2));
+import minimist from "minimist";
+import fs from "fs-extra";
+import path from "path";
+import { execa } from "execa";
+import { encrypt, isEncrypted } from "../src/utils-crypto.js";
+import { buildEnv } from "../src/utils-env.js";
+import { findMonorepoPackages } from "../src/utils-pkg.js";
+import {
+	resolveTarget,
+	resolveSecret,
+	verifyCanDecrypt,
+	getOutputName,
+	load,
+} from "../src/core.js";
+const args = minimist(process.argv.slice(2), { "--": true });
 const __root = process.cwd();
-const command = args._[0] || 'write';
+const command = args._[0] || "write";
-const secret = args.secret
-	? (args.secret === 'stdin' ? fs.readFileSync(0, 'utf8') : fs.readFileSync(args.secret, 'utf8'))
-	: process.env.WRENV_SECRET || process.env.TARGET_SECRET || '';
+const secret = resolveSecret(args.secret);
-const envPath = args.env || '.env.json';
+const envPath = args.env || ".env.json";
 const envFile = path.resolve(__root, envPath);
-if (!fs.existsSync(envFile)) {
-	console.error('No env file found.');
+// Check env file exists for commands that need it
+const commandsRequiringEnvFile = ["write", "show", "encrypt", "besafe", "add"];
+if (commandsRequiringEnvFile.includes(command) && !fs.existsSync(envFile)) {
+	console.error("No env file found.");
 	process.exit(1);
 }
-const DEFAULT_ENV = 'dev';
-const targets = {
-	"development": "dev",
-	"dev": "dev",
-	"staging": "preprod",
-	"pp": "preprod",
-	"preprod": "preprod",
-	"prod": "production",
-	"production": "production",
-}
 async function showCommand() {
 	if (!secret) {
-		console.log('Secret not provided. Use --secret flag or WRENV_SECRET env variable.');
+		console.log(
+			"Secret not provided. Use --secret flag or WRENV_SECRET env variable.",
+		);
 	}
-	const target = targets[args.target || process.env.WRENV_TARGET || process.env.TARGET_ENV] || DEFAULT_ENV;
+	const target = resolveTarget(args.target);
-	const envContent = fs.readFileSync(envFile, 'utf8');
+	const envContent = fs.readFileSync(envFile, "utf8");
 	const env = JSON.parse(envContent);
-	const rootPkgPath = path.resolve(__root, 'package.json');
-	const rootPkgContent = fs.readFileSync(rootPkgPath, 'utf8');
+	const rootPkgPath = path.resolve(__root, "package.json");
+	const rootPkgContent = fs.readFileSync(rootPkgPath, "utf8");
 	const rootPkg = JSON.parse(rootPkgContent);
-	const scope = rootPkg.name.split('/')[0];
-	const [_, ...foundPackages] = await findMonorepoPackages(__root, scope);
+	const scope = rootPkg.name.split("/")[0];
+	const [_, ...foundPackages] = findMonorepoPackages(__root, scope);
 	const deps = [
-		...foundPackages.map((pkg) => ({
-			name: pkg.name.replace(`${scope}/`, ''),
+		...foundPackages.filter(Boolean).map((pkg) => ({
+			name: pkg.name.replace(`${scope}/`, ""),
 			dir: pkg.dir,
 		})),
 		{
-			name: 'root',
+			name: "root",
 			dir: __root,
 		},
 	];
 	const depsName = deps.map((dep) => dep.name);
-	const allowedEnvs = env && env.envs && Array.isArray(env.envs) ? env.envs : [DEFAULT_ENV];
+	const allowedEnvs =
+		env && env.envs && Array.isArray(env.envs) ? env.envs : ["dev"];
 	const targetEnv = allowedEnvs.find((env) => env === target);
 	if (!targetEnv) {
 		console.error(`Target env "${target}" is not allowed.`);
@@ -77,73 +78,104 @@ async function showCommand() {
 	for await (const dep of deps) {
 		const pkgEnv = Object.entries(allEnvs[dep.name] || {})
 			.map(([key, value]) => `${key}=${value}`)
-			.join('\n')
-		console.log('~~~~~~~~~~~~~~~~~~~~~~~~~~~~');
-		console.log(`=== ENV for ${dep.name} in ${dep.dir} with target ${targetEnv}`);
+			.join("\n");
+		console.log("~~~~~~~~~~~~~~~~~~~~~~~~~~~~");
+		console.log(
+			`=== ENV for ${dep.name} in ${dep.dir} with target ${targetEnv}`,
+		);
 		console.log(pkgEnv);
 	}
 }
 async function writeCommand() {
 	if (!secret) {
-		console.log('Secret not provided. Use --secret flag or WRENV_SECRET env variable.');
+		console.log(
+			"Secret not provided. Use --secret flag or WRENV_SECRET env variable.",
+		);
 	}
-	const target = targets[args.target || process.env.WRENV_TARGET || process.env.TARGET_ENV] || DEFAULT_ENV;
+	const target = resolveTarget(args.target);
-	const envContent = fs.readFileSync(envFile, 'utf8');
+	const envContent = fs.readFileSync(envFile, "utf8");
 	const env = JSON.parse(envContent);
-	const rootPkgPath = path.resolve(__root, 'package.json');
-	const rootPkgContent = fs.readFileSync(rootPkgPath, 'utf8');
+	const rootPkgPath = path.resolve(__root, "package.json");
+	const rootPkgContent = fs.readFileSync(rootPkgPath, "utf8");
 	const rootPkg = JSON.parse(rootPkgContent);
-	const scope = rootPkg.name.split('/')[0];
+	const scope = rootPkg.name.split("/")[0];
 	const [_, ...foundPackages] = await findMonorepoPackages(__root, scope);
 	const deps = [
 		...foundPackages.map((pkg) => ({
-			name: pkg.name.replace(`${scope}/`, ''),
+			name: pkg.name.replace(`${scope}/`, ""),
 			dir: pkg.dir,
 		})),
 		{
-			name: 'root',
+			name: "root",
 			dir: __root,
 		},
 	];
 	const depsName = deps.map((dep) => dep.name);
-	const allowedEnvs = env && env.envs && Array.isArray(env.envs) ? env.envs : [DEFAULT_ENV];
-	const targetEnv = allowedEnvs.find((env) => env === target);
-	if (!targetEnv) {
-		console.error(`Target env "${target}" is not allowed.`);
-		process.exit(1);
-	}
+	const allowedEnvs =
+		env && env.envs && Array.isArray(env.envs) ? env.envs : ["dev"];
-	const allEnvs = buildEnv(secret, targetEnv, env, depsName);
+	// Handle 'all' target: write all environments with suffixed filenames
+	const isAllTarget = target === "all";
+	const targetEnvs = isAllTarget ? allowedEnvs : [target];
-	for await (const dep of deps) {
-		const pkgEnv = Object.entries(allEnvs[dep.name] || {})
-			.map(([key, value]) => `${key}=${value}`)
-			.join('\n')
-		console.log(`Writing env file for ${dep.name} in ${dep.dir} with target ${targetEnv}`);
-		await fs.writeFile(path.join(dep.dir, '.env'), pkgEnv);
+	for (const targetEnv of targetEnvs) {
+		if (!allowedEnvs.includes(targetEnv)) {
+			console.error(`Target env "${targetEnv}" is not allowed.`);
+			process.exit(1);
+		}
+		const allEnvs = buildEnv(secret, targetEnv, env, depsName);
+		for await (const dep of deps) {
+			const pkgEnv = Object.entries(allEnvs[dep.name] || {})
+				.map(([key, value]) => `${key}=${value}`)
+				.join("\n");
+			// Use suffixed filename (.env.{outputName}) for 'all', plain .env otherwise
+			const filename = isAllTarget
+				? `.env.${getOutputName(targetEnv)}`
+				: ".env";
+			console.log(`Writing ${filename} for ${dep.name} in ${dep.dir}`);
+			await fs.writeFile(path.join(dep.dir, filename), pkgEnv);
+		}
 	}
 }
 async function encryptCommand() {
-	const envContent = fs.readFileSync(envFile, 'utf8');
+	const envContent = fs.readFileSync(envFile, "utf8");
 	const env = JSON.parse(envContent);
 	if (!secret) {
-		console.error('Cannot encrypt env file: secret not provided. Doing nothing');
+		console.error(
+			"Cannot encrypt env file: secret not provided. Doing nothing",
+		);
 		return;
 	}
+	// Verify we can decrypt all existing encrypted values before encrypting new ones
+	const verification = verifyCanDecrypt(env, secret);
+	if (!verification.success) {
+		console.error(
+			`Cannot encrypt: the provided secret cannot decrypt existing encrypted value at "${verification.path}".`,
+		);
+		console.error(
+			"This would result in a file with mixed encryption passwords.",
+		);
+		console.error(
+			"Please provide the correct secret that was used for existing encrypted values.",
+		);
+		process.exit(1);
+	}
 	if (env.variables) {
 		for (const [varName, varValue] of Object.entries(env.variables)) {
 			for (const [envKey, envVal] of Object.entries(varValue)) {
-				if (typeof envVal === 'string' && !isEncrypted(envVal)) {
+				if (typeof envVal === "string" && !isEncrypted(envVal)) {
 					env.variables[varName][envKey] = encrypt(envVal, secret);
 				}
 			}
@@ -154,7 +186,7 @@ async function encryptCommand() {
 		for (const [pkgName, pkgOverrides] of Object.entries(env.overrides)) {
 			for (const [varName, varValue] of Object.entries(pkgOverrides)) {
 				for (const [envKey, envVal] of Object.entries(varValue)) {
-					if (typeof envVal === 'string' && !isEncrypted(envVal)) {
+					if (typeof envVal === "string" && !isEncrypted(envVal)) {
 						env.overrides[pkgName][varName][envKey] = encrypt(envVal, secret);
 					}
 				}
@@ -167,7 +199,11 @@ async function encryptCommand() {
 async function besafeCommand() {
 	// Find git root to ensure we're in a repository and use correct base path
-	const { stdout: gitRoot, exitCode: gitCheck } = await execa('git', ['rev-parse', '--show-toplevel'], { cwd: __root, reject: false });
+	const { stdout: gitRoot, exitCode: gitCheck } = await execa(
+		"git",
+		["rev-parse", "--show-toplevel"],
+		{ cwd: __root, reject: false },
+	);
 	if (gitCheck !== 0) {
 		return;
 	}
@@ -175,9 +211,21 @@ async function besafeCommand() {
 	const relativeEnvPath = path.relative(gitRoot, envFile);
 	// Check if file has any changes (staged, unstaged, or untracked)
-	const { stdout: staged } = await execa('git', ['diff', '--cached', '--name-only', '--', relativeEnvPath], { cwd: gitRoot, reject: false });
-	const { stdout: unstaged } = await execa('git', ['diff', '--name-only', '--', relativeEnvPath], { cwd: gitRoot, reject: false });
-	const { stdout: untracked } = await execa('git', ['ls-files', '--others', '--exclude-standard', '--', relativeEnvPath], { cwd: gitRoot, reject: false });
+	const { stdout: staged } = await execa(
+		"git",
+		["diff", "--cached", "--name-only", "--", relativeEnvPath],
+		{ cwd: gitRoot, reject: false },
+	);
+	const { stdout: unstaged } = await execa(
+		"git",
+		["diff", "--name-only", "--", relativeEnvPath],
+		{ cwd: gitRoot, reject: false },
+	);
+	const { stdout: untracked } = await execa(
+		"git",
+		["ls-files", "--others", "--exclude-standard", "--", relativeEnvPath],
+		{ cwd: gitRoot, reject: false },
+	);
 	if (!staged?.trim() && !unstaged?.trim() && !untracked?.trim()) {
 		return;
@@ -186,24 +234,28 @@ async function besafeCommand() {
 	await encryptCommand();
 	if (!secret) {
-		console.error('Warning: potential security risk: secret not provided. Variables WERE NOT encrypted.');
+		console.error(
+			"Warning: potential security risk: secret not provided. Variables WERE NOT encrypted.",
+		);
 	}
-	await execa('git', ['add', relativeEnvPath], { cwd: gitRoot });
+	await execa("git", ["add", relativeEnvPath], { cwd: gitRoot });
 }
 async function addCommand() {
 	const varName = args._[1];
 	if (!varName) {
-		console.error('Variable name is required.');
+		console.error("Variable name is required.");
 		process.exit(1);
 	}
 	if (!secret) {
-		console.error('Warning: potential security risk: secret not provided. Variable WILL NOT be encrypted.');
+		console.error(
+			"Warning: potential security risk: secret not provided. Variable WILL NOT be encrypted.",
+		);
 	}
-	const envContent = fs.readFileSync(envFile, 'utf8');
+	const envContent = fs.readFileSync(envFile, "utf8");
 	const env = JSON.parse(envContent);
 	if (!env.variables) {
@@ -215,39 +267,101 @@ async function addCommand() {
 	}
 	for (const arg of args._.slice(2)) {
-		if (!arg.startsWith('+')) continue;
-		const [key, ...valueParts] = arg.slice(1).split('=');
-		const value = valueParts.join('=');
-		const envKey = key === 'fallback' ? '@@' : key;
+		if (!arg.startsWith("+")) continue;
+		const [key, ...valueParts] = arg.slice(1).split("=");
+		const value = valueParts.join("=");
+		const envKey = key === "fallback" ? "@@" : key;
 		env.variables[varName][envKey] = secret ? encrypt(value, secret) : value;
 	}
 	await fs.writeFile(envFile, JSON.stringify(env, null, 2));
 }
+async function runCommand() {
+	const commandParts = args["--"] || [];
+	const [cmd, ...cmdArgs] = commandParts;
+	if (!cmd) {
+		console.error("Usage: wrenv run [options] -- <command> [args...]");
+		process.exit(1);
+	}
+	// Load environment variables (without applying to current process.env)
+	let envVars = {};
+	try {
+		envVars = load({
+			secret: resolveSecret(args.secret),
+			targetEnv: args.target,
+			envPath: args.env,
+			applyToProcess: false,
+		});
+	} catch (error) {
+		console.error(`wrenv: ${error.message}`);
+		process.exit(1);
+	}
+	// Use execa for cross-platform compatibility with minimal overhead
+	const subprocess = execa(cmd, cmdArgs, {
+		stdio: "inherit",
+		env: { ...process.env, ...envVars },
+		reject: false,
+	});
+	// Forward signals to child process
+	const forwardSignal = (signal) => subprocess.kill(signal);
+	process.on("SIGTERM", () => forwardSignal("SIGTERM"));
+	process.on("SIGINT", () => forwardSignal("SIGINT"));
+	process.on("SIGHUP", () => forwardSignal("SIGHUP"));
+	const result = await subprocess;
+	process.exit(result.exitCode ?? 0);
+}
 function helpCommand() {
-	console.log('Usage: wrenv [command] [options]\n');
-	console.log('Commands:');
-	console.log('  write          Write .env files for all packages (default)');
-	console.log('  show           Show environment variables without writing files');
-	console.log('  encrypt        Encrypt all unencrypted variables in .env.json');
-	console.log('  besafe         Encrypt and stage .env.json if it has changes');
-	console.log('  add <var>      Add a new variable with environment-specific values');
-	console.log('  help           Show this help message\n');
-	console.log('Options:');
-	console.log('  --secret <path|stdin>  Path to secret file or "stdin" to read from stdin');
-	console.log('  --target <env>         Target environment (dev, staging, prod, etc.)');
-	console.log('  --env <path>           Path to env file (default: .env.json)\n');
-	console.log('Environment Variables:');
-	console.log('  WRENV_SECRET           Secret for encryption/decryption');
-	console.log('  WRENV_TARGET           Target environment');
-	console.log('  TARGET_SECRET          Alias for WRENV_SECRET');
-	console.log('  TARGET_ENV             Alias for WRENV_TARGET\n');
-	console.log('Examples:');
-	console.log('  wrenv --secret ~/.big-secret write --target dev');
-	console.log('  wrenv --secret stdin write < ~/.big-secret');
-	console.log('  wrenv show --target prod');
-	console.log('  wrenv add NEW_VAR +fallback=value +dev=dev_value +production=prod_value');
+	console.log("Usage: wrenv [command] [options]\n");
+	console.log("Commands:");
+	console.log("  write          Write .env files for all packages (default)");
+	console.log(
+		"  show           Show environment variables without writing files",
+	);
+	console.log(
+		"  run            Run a command with injected environment variables",
+	);
+	console.log(
+		"  encrypt        Encrypt all unencrypted variables in .env.json",
+	);
+	console.log("  besafe         Encrypt and stage .env.json if it has changes");
+	console.log(
+		"  add <var>      Add a new variable with environment-specific values",
+	);
+	console.log("  help           Show this help message\n");
+	console.log("Options:");
+	console.log(
+		'  --secret <path|stdin>  Path to secret file or "stdin" to read from stdin',
+	);
+	console.log(
+		"  --target <env>         Target environment (dev, staging, prod, all)",
+	);
+	console.log(
+		"  --env <path>           Path to env file (default: .env.json)\n",
+	);
+	console.log("Environment Variables:");
+	console.log("  WRENV_SECRET           Secret for encryption/decryption");
+	console.log("  WRENV_TARGET           Target environment");
+	console.log("  TARGET_SECRET          Alias for WRENV_SECRET");
+	console.log("  TARGET_ENV             Alias for WRENV_TARGET\n");
+	console.log("Examples:");
+	console.log("  wrenv --secret ~/.big-secret write --target dev");
+	console.log("  wrenv --secret stdin write < ~/.big-secret");
+	console.log("  wrenv show --target prod");
+	console.log("  wrenv run --target prod -- node server.js");
+	console.log("  wrenv run -- npm test --coverage");
+	console.log(
+		"  wrenv add NEW_VAR +fallback=value +dev=dev_value +production=prod_value",
+	);
+	console.log(
+		"  wrenv write --target all   # writes .env.development, .env.staging, .env.production",
+	);
 }
 const commands = {
@@ -256,6 +370,7 @@ const commands = {
 	besafe: besafeCommand,
 	encrypt: encryptCommand,
 	add: addCommand,
+	run: runCommand,
 	help: helpCommand,
 };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@saasak/tool-env",
   "license": "MIT",
-  "version": "1.0.2",
+  "version": "1.2.0",
   "author": "dev@saasak.studio",
   "description": "A small util to manage environment variables for your monorepo",
   "keywords": [
@@ -10,7 +10,8 @@
     "env"
   ],
   "type": "module",
-  "main": "bin/index.js",
+  "main": "src/index.js",
+  "types": "src/index.d.ts",
   "files": [
     "bin",
     "src"
@@ -22,5 +23,12 @@
     "execa": "8.0.1",
     "fs-extra": "11.2.0",
     "minimist": "1.2.8"
+  },
+  "devDependencies": {
+    "vitest": "^1.6.0"
+  },
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest"
   }
 }