npm - @saasak/tool-env - Versions diffs - 1.3.0 → 1.5.0 - Mend

@saasak/tool-env 1.3.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/bin/index.js CHANGED Viewed

@@ -5,8 +5,8 @@ import fs from "fs-extra";
 import path from "path";
 import { execa } from "execa";
-import { encrypt, isEncrypted } from "../src/utils-crypto.js";
-import { buildEnv } from "../src/utils-env.js";
+import { encrypt, decrypt, isEncrypted } from "../src/utils-crypto.js";
+import { buildEnv, walkEnvValues } from "../src/utils-env.js";
 import { findMonorepoPackages } from "../src/utils-pkg.js";
 import {
 	resolveTarget,
@@ -14,121 +14,148 @@ import {
 	verifyCanDecrypt,
 	getOutputName,
 	load,
+	findMonorepoRoot,
 } from "../src/core.js";
-const args = minimist(process.argv.slice(2), { "--": true });
-const __root = process.cwd();
+const args = minimist(process.argv.slice(2), {
+	"--": true,
+	boolean: ["strict", "expose", "help", "h"],
+	string: ["format", "package"],
+});
+const __cwd = process.cwd();
+const envPath = args.env || ".env.json";
+const __root = findMonorepoRoot(__cwd, envPath) || __cwd;
-const command = args._[0] || "write";
+let command = args._[0] || "help";
+if (args.help || args.h) command = "help";
 const secret = resolveSecret(args.secret ? `file://${args.secret}` : '');
-const envPath = args.env || ".env.json";
 const envFile = path.resolve(__root, envPath);
 // Check env file exists for commands that need it
-const commandsRequiringEnvFile = ["write", "show", "encrypt", "besafe", "add"];
+const commandsRequiringEnvFile = ["write", "show", "encrypt", "decrypt", "besafe", "add", "get"];
 if (commandsRequiringEnvFile.includes(command) && !fs.existsSync(envFile)) {
 	console.error("No env file found.");
 	process.exit(1);
 }
-async function showCommand() {
-	if (!secret) {
-		console.log(
-			"Secret not provided. Use --secret flag or WRENV_SECRET env variable.",
-		);
+if (args.strict && commandsRequiringEnvFile.includes(command)) {
+	const env = JSON.parse(fs.readFileSync(envFile, "utf8"));
+	const result = verifyCanDecrypt(env, secret);
+	if (!result.success) {
+		console.error(`Strict mode: ${result.error}`);
+		process.exit(1);
 	}
+}
+function loadWorkspace() {
 	const target = resolveTarget(args.target);
-	const envContent = fs.readFileSync(envFile, "utf8");
-	const env = JSON.parse(envContent);
-	const rootPkgPath = path.resolve(__root, "package.json");
-	const rootPkgContent = fs.readFileSync(rootPkgPath, "utf8");
-	const rootPkg = JSON.parse(rootPkgContent);
+	const env = JSON.parse(fs.readFileSync(envFile, "utf8"));
+	const rootPkg = JSON.parse(
+		fs.readFileSync(path.resolve(__root, "package.json"), "utf8"),
+	);
 	const scope = rootPkg.name.split("/")[0];
 	const [_, ...foundPackages] = findMonorepoPackages(__root, scope);
 	const deps = [
 		...foundPackages.filter(Boolean).map((pkg) => ({
 			name: pkg.name.replace(`${scope}/`, ""),
 			dir: pkg.dir,
 		})),
-		{
-			name: "root",
-			dir: __root,
-		},
+		{ name: "root", dir: __root },
 	];
+	const depsName = deps.map((d) => d.name);
+	const allowedEnvs =
+		env?.envs && Array.isArray(env.envs) ? env.envs : ["dev"];
+	return { env, deps, depsName, allowedEnvs, target };
+}
-	const depsName = deps.map((dep) => dep.name);
+function detectCurrentPackage(deps) {
+	for (const dep of deps) {
+		if (dep.name === "root") continue;
+		const depDir = path.resolve(dep.dir);
+		if (__cwd === depDir || __cwd.startsWith(depDir + path.sep)) {
+			return dep.name;
+		}
+	}
+	return null;
+}
-	const allowedEnvs =
-		env && env.envs && Array.isArray(env.envs) ? env.envs : ["dev"];
-	const targetEnv = allowedEnvs.find((env) => env === target);
-	if (!targetEnv) {
+function validateTarget(target, allowedEnvs) {
+	if (!allowedEnvs.includes(target)) {
 		console.error(`Target env "${target}" is not allowed.`);
 		process.exit(1);
 	}
+	return target;
+}
-	const allEnvs = buildEnv(secret, targetEnv, env, depsName);
+function printJson(allEnvs, deps, isSinglePackage) {
+	if (isSinglePackage) {
+		console.log(JSON.stringify(allEnvs[deps[0].name] || {}, null, 2));
+	} else {
+		const out = {};
+		for (const dep of deps) out[dep.name] = allEnvs[dep.name] || {};
+		console.log(JSON.stringify(out, null, 2));
+	}
+}
-	for await (const dep of deps) {
+function printKeyValue(allEnvs, deps, targetEnv) {
+	for (const dep of deps) {
 		const pkgEnv = Object.entries(allEnvs[dep.name] || {})
 			.map(([key, value]) => `${key}=${value}`)
 			.join("\n");
-		console.log("~~~~~~~~~~~~~~~~~~~~~~~~~~~~");
+		console.log("# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~");
 		console.log(
-			`=== ENV for ${dep.name} in ${dep.dir} with target ${targetEnv}`,
+			`# ===> ${dep.name} : in ${dep.dir} with target ${targetEnv}`,
 		);
+		console.log("# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~");
 		console.log(pkgEnv);
 	}
 }
-async function writeCommand() {
+async function showCommand() {
 	if (!secret) {
-		console.log(
+		console.error(
 			"Secret not provided. Use --secret flag or WRENV_SECRET env variable.",
 		);
 	}
-	const target = resolveTarget(args.target);
+	const { env, deps, depsName, allowedEnvs, target } = loadWorkspace();
+	const targetEnv = validateTarget(target, allowedEnvs);
-	const envContent = fs.readFileSync(envFile, "utf8");
-	const env = JSON.parse(envContent);
+	const selectedPkg = args.package || detectCurrentPackage(deps);
+	const filteredDeps = selectedPkg
+		? deps.filter((d) => d.name === selectedPkg)
+		: deps;
+	if (selectedPkg && filteredDeps.length === 0) {
+		console.error(`Package "${selectedPkg}" not found.`);
+		process.exit(1);
+	}
-	const rootPkgPath = path.resolve(__root, "package.json");
-	const rootPkgContent = fs.readFileSync(rootPkgPath, "utf8");
-	const rootPkg = JSON.parse(rootPkgContent);
-	const scope = rootPkg.name.split("/")[0];
+	const allEnvs = buildEnv(secret, targetEnv, env, depsName);
-	const [_, ...foundPackages] = await findMonorepoPackages(__root, scope);
-	const deps = [
-		...foundPackages.map((pkg) => ({
-			name: pkg.name.replace(`${scope}/`, ""),
-			dir: pkg.dir,
-		})),
-		{
-			name: "root",
-			dir: __root,
-		},
-	];
-	const depsName = deps.map((dep) => dep.name);
+	if (args.format === "json") {
+		printJson(allEnvs, filteredDeps, !!selectedPkg);
+	} else {
+		printKeyValue(allEnvs, filteredDeps, targetEnv);
+	}
+}
-	const allowedEnvs =
-		env && env.envs && Array.isArray(env.envs) ? env.envs : ["dev"];
+async function writeCommand() {
+	if (!secret) {
+		console.log(
+			"Secret not provided. Use --secret flag or WRENV_SECRET env variable.",
+		);
+	}
+	const { env, deps, depsName, allowedEnvs, target } = loadWorkspace();
 	// Handle 'all' target: write all environments with suffixed filenames
 	const isAllTarget = target === "all";
 	const targetEnvs = isAllTarget ? allowedEnvs : [target];
 	for (const targetEnv of targetEnvs) {
-		if (!allowedEnvs.includes(targetEnv)) {
-			console.error(`Target env "${targetEnv}" is not allowed.`);
-			process.exit(1);
-		}
+		validateTarget(targetEnv, allowedEnvs);
 		const allEnvs = buildEnv(secret, targetEnv, env, depsName);
@@ -147,8 +174,7 @@ async function writeCommand() {
 }
 async function encryptCommand() {
-	const envContent = fs.readFileSync(envFile, "utf8");
-	const env = JSON.parse(envContent);
+	const env = JSON.parse(fs.readFileSync(envFile, "utf8"));
 	if (!secret) {
 		console.error(
@@ -172,31 +198,65 @@ async function encryptCommand() {
 		process.exit(1);
 	}
-	if (env.variables) {
-		for (const [varName, varValue] of Object.entries(env.variables)) {
-			for (const [envKey, envVal] of Object.entries(varValue)) {
-				if (typeof envVal === "string" && !isEncrypted(envVal)) {
-					env.variables[varName][envKey] = encrypt(envVal, secret);
-				}
-			}
-		}
+	walkEnvValues(
+		env,
+		(v) => typeof v === "string" && !isEncrypted(v),
+		(v) => encrypt(v, secret),
+	);
+	await fs.writeFile(envFile, JSON.stringify(env, null, 2));
+}
+async function decryptCommand() {
+	const env = JSON.parse(fs.readFileSync(envFile, "utf8"));
+	if (!secret) {
+		console.error(
+			"Cannot decrypt env file: secret not provided. Doing nothing",
+		);
+		return;
 	}
-	if (env.overrides) {
-		for (const [pkgName, pkgOverrides] of Object.entries(env.overrides)) {
-			for (const [varName, varValue] of Object.entries(pkgOverrides)) {
-				for (const [envKey, envVal] of Object.entries(varValue)) {
-					if (typeof envVal === "string" && !isEncrypted(envVal)) {
-						env.overrides[pkgName][varName][envKey] = encrypt(envVal, secret);
-					}
-				}
-			}
-		}
+	const verification = verifyCanDecrypt(env, secret);
+	if (!verification.success) {
+		console.error(
+			`Cannot decrypt: the provided secret cannot decrypt encrypted value at "${verification.path}".`,
+		);
+		process.exit(1);
 	}
+	walkEnvValues(env, isEncrypted, (v) => decrypt(v, secret));
 	await fs.writeFile(envFile, JSON.stringify(env, null, 2));
 }
+async function getCommand() {
+	const varName = args._[1];
+	if (!varName) {
+		console.error("Variable name is required.");
+		process.exit(1);
+	}
+	const { env, deps, depsName, allowedEnvs, target } = loadWorkspace();
+	const targetEnv = validateTarget(target, allowedEnvs);
+	const selectedPkg = args.package || detectCurrentPackage(deps) || "root";
+	if (!depsName.includes(selectedPkg)) {
+		console.error(`Package "${selectedPkg}" not found.`);
+		process.exit(1);
+	}
+	const allEnvs = buildEnv(secret, targetEnv, env, depsName);
+	const pkgEnv = allEnvs[selectedPkg] || {};
+	if (!Object.prototype.hasOwnProperty.call(pkgEnv, varName)) {
+		console.error(`Variable "${varName}" not found.`);
+		process.exit(1);
+	}
+	process.stdout.write(pkgEnv[varName]);
+}
 async function besafeCommand() {
 	// Find git root to ensure we're in a repository and use correct base path
 	const { stdout: gitRoot, exitCode: gitCheck } = await execa(
@@ -295,7 +355,8 @@ async function runCommand() {
 			targetEnv: args.target,
 			envPath: args.env,
 			applyToProcess: false,
-			expose
+			expose,
+			strict: !!args.strict
 		});
 	} catch (error) {
 		console.error(`wrenv: ${error.message}`);
@@ -322,7 +383,7 @@ async function runCommand() {
 function helpCommand() {
 	console.log("Usage: wrenv [command] [options]\n");
 	console.log("Commands:");
-	console.log("  write          Write .env files for all packages (default)");
+	console.log("  write          Write .env files for all packages");
 	console.log(
 		"  show           Show environment variables without writing files",
 	);
@@ -332,10 +393,16 @@ function helpCommand() {
 	console.log(
 		"  encrypt        Encrypt all unencrypted variables in .env.json",
 	);
+	console.log(
+		"  decrypt        Decrypt all encrypted variables in .env.json",
+	);
 	console.log("  besafe         Encrypt and stage .env.json if it has changes");
 	console.log(
 		"  add <var>      Add a new variable with environment-specific values",
 	);
+	console.log(
+		"  get <var>      Get the value of a specific variable",
+	);
 	console.log("  help           Show this help message\n");
 	console.log("Options:");
 	console.log(
@@ -345,7 +412,16 @@ function helpCommand() {
 		"  --target <env>         Target environment (dev, staging, prod, all)",
 	);
 	console.log(
-		"  --env <path>           Path to env file (default: .env.json)\n",
+		"  --env <path>           Path to env file (default: .env.json)",
+	);
+	console.log(
+		"  --strict               Error if encrypted values cannot be decrypted",
+	);
+	console.log(
+		"  --format <fmt>         Output format for show (json)",
+	);
+	console.log(
+		"  --package <name>       Show/get variables for a specific package\n",
 	);
 	console.log("Environment Variables:");
 	console.log("  WRENV_SECRET           Secret for encryption/decryption");
@@ -356,6 +432,8 @@ function helpCommand() {
 	console.log("  wrenv --secret ~/.big-secret write --target dev");
 	console.log("  wrenv --secret stdin write < ~/.big-secret");
 	console.log("  wrenv show --target prod");
+	console.log("  wrenv show --format json --package root");
+	console.log("  wrenv get API_URL --target prod --package pkg-a");
 	console.log("  wrenv run --target prod -- node server.js");
 	console.log("  wrenv run -- npm test --coverage");
 	console.log(
@@ -371,7 +449,9 @@ const commands = {
 	show: showCommand,
 	besafe: besafeCommand,
 	encrypt: encryptCommand,
+	decrypt: decryptCommand,
 	add: addCommand,
+	get: getCommand,
 	run: runCommand,
 	help: helpCommand,
 };

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@saasak/tool-env",
   "license": "MIT",
-  "version": "1.3.0",
+  "version": "1.5.0",
   "author": "dev@saasak.studio",
   "description": "A small util to manage environment variables for your monorepo",
   "keywords": [

package/src/core.js CHANGED Viewed

@@ -17,6 +17,7 @@ import { findMonorepoPackages } from "./utils-pkg.js";
  * @property {string} [cwd] - Working directory (default: process.cwd())
  * @property {boolean} [applyToProcess] - Whether to apply to process.env (default: true)
  * @property {boolean} [expose] - wether to expose the secret or not
+ * @property {boolean} [strict] - Error if encrypted values cannot be decrypted
  */
 /**
@@ -26,6 +27,7 @@ import { findMonorepoPackages } from "./utils-pkg.js";
  * @property {string} [envPath] - Path to env.json file (default: '.env.json')
  * @property {string} [cwd] - Working directory (default: process.cwd())
  * @property {boolean} [expose] - wether to expose the secret or not
+ * @property {boolean} [strict] - Error if encrypted values cannot be decrypted
  */
 /**
@@ -263,7 +265,7 @@ export function loadLocalOverrides(cwd = process.cwd()) {
  * @param {string} envPath - Name of the env file (e.g. '.env.json')
  * @returns {string|null} - Path to monorepo root, or null if not found
  */
-function findMonorepoRoot(cwd, envPath) {
+export function findMonorepoRoot(cwd, envPath) {
 	let currentDir = cwd;
 	while (currentDir !== path.dirname(currentDir)) {
@@ -290,7 +292,8 @@ export function loadEnvJson(options = {}) {
 		secret: secretParam,
 		envPath = ".env.json",
 		cwd = process.cwd(),
-		expose = false
+		expose = false,
+		strict = false
 	} = options;
 	const secret = resolveSecret(secretParam);
@@ -306,6 +309,13 @@ export function loadEnvJson(options = {}) {
 	const envContent = fs.readFileSync(envFile, "utf8");
 	const env = JSON.parse(envContent);
+	if (strict) {
+		const result = verifyCanDecrypt(env, secret);
+		if (!result.success) {
+			throw new Error(`Strict mode: ${result.error}`);
+		}
+	}
 	const allowedEnvs =
 		env && env.envs && Array.isArray(env.envs) ? env.envs : [DEFAULT_ENV];
 	const resolvedTarget = allowedEnvs.find((e) => e === targetEnv);
@@ -328,7 +338,7 @@ export function loadEnvJson(options = {}) {
 			const rootPkg = JSON.parse(rootPkgContent);
 			scope = rootPkg.name.split("/")[0];
-			const foundPackages = findMonorepoPackages(monorepoRoot, scope);
+			const [, ...foundPackages] = findMonorepoPackages(monorepoRoot, scope);
 			depsName = [
 				...foundPackages.map((pkg) => pkg.name.replace(`${scope}/`, "")),
 				"root",
@@ -378,7 +388,8 @@ export function load(options = {}) {
 		envPath,
 		cwd = process.cwd(),
 		applyToProcess = true,
-		expose = false
+		expose = false,
+		strict = false
 	} = options;
 	// Resolve target first to determine if we're in dev mode
@@ -390,7 +401,8 @@ export function load(options = {}) {
 		targetEnv: resolvedTarget,
 		envPath,
 		cwd,
-		expose
+		expose,
+		strict
 	});
 	// Load .env.local overrides only in dev mode (security: prevent local overrides in production)
@@ -446,10 +458,6 @@ export function verifyCanDecrypt(env, secret) {
 	/** @type {EncryptedValueInfo[]} */
 	const encryptedValues = [];
-	if (!secret) {
-		return { success: false, path: null, error: "No secret provided" };
-	}
 	// Collect all encrypted values from variables
 	if (env.variables) {
 		for (const [varName, varValue] of Object.entries(env.variables)) {
@@ -485,6 +493,10 @@ export function verifyCanDecrypt(env, secret) {
 		return { success: true };
 	}
+	if (!secret) {
+		return { success: false, path: null, error: "No secret provided" };
+	}
 	// Try to decrypt each encrypted value
 	for (const { path, value } of encryptedValues) {
 		try {

package/src/index.d.ts CHANGED Viewed

@@ -12,6 +12,10 @@ export interface LoadOptions {
   cwd?: string;
   /** Whether to apply resolved vars to process.env (default: true) */
   applyToProcess?: boolean;
+  /** Whether to expose WRENV_TARGET and WRENV_SECRET in the output (default: false) */
+  expose?: boolean;
+  /** Error if encrypted values cannot be decrypted (default: false) */
+  strict?: boolean;
 }
 /**
@@ -28,6 +32,10 @@ export function loadEnvJson(options?: {
   targetEnv?: string;
   envPath?: string;
   cwd?: string;
+  /** Whether to expose WRENV_TARGET and WRENV_SECRET in the output (default: false) */
+  expose?: boolean;
+  /** Error if encrypted values cannot be decrypted (default: false) */
+  strict?: boolean;
 }): EnvRecord;
 /** Load .env.local overrides if the file exists */

package/src/utils-env.js CHANGED Viewed

@@ -1,5 +1,23 @@
 import { decrypt, isEncrypted } from "./utils-crypto.js";
+/**
+ * Walk all string values in env.variables and env.overrides,
+ * applying transform when predicate matches. Mutates env in place.
+ * @param {EnvConfig} env
+ * @param {(value: string) => boolean} predicate
+ * @param {(value: string) => string} transform
+ */
+export function walkEnvValues(env, predicate, transform) {
+	for (const varValue of Object.values(env.variables || {}))
+		for (const [envKey, envVal] of Object.entries(varValue))
+			if (predicate(envVal)) varValue[envKey] = transform(envVal);
+	for (const pkgOverrides of Object.values(env.overrides || {}))
+		for (const varValue of Object.values(pkgOverrides))
+			for (const [envKey, envVal] of Object.entries(varValue))
+				if (predicate(envVal)) varValue[envKey] = transform(envVal);
+}
 /**
  * Environment-specific values for a single variable.
  * Keys are environment names (e.g. 'dev', 'production') or '@@' for the fallback.