@scuton/dotenv-guard 1.0.0

package/dist/cli.js

@@ -0,0 +1,466 @@
+#!/usr/bin/env node
+"use strict";
+
+// src/cli.ts
+var import_fs4 = require("fs");
+
+// src/core/sync.ts
+var import_fs = require("fs");
+
+// src/core/parser.ts
+function parseEnvFile(content) {
+  const entries = [];
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const raw = lines[i];
+    const trimmed = raw.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const match = trimmed.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)/);
+    if (!match) continue;
+    const key = match[1];
+    let value = match[2];
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    const commentMatch = value.match(/\s+#\s/);
+    let comment;
+    if (commentMatch && !match[2].startsWith('"') && !match[2].startsWith("'")) {
+      comment = value.slice(commentMatch.index + commentMatch[0].length);
+      value = value.slice(0, commentMatch.index);
+    }
+    entries.push({ key, value, line: i + 1, comment, raw });
+  }
+  return entries;
+}
+function parseEnvFileToMap(content) {
+  const entries = parseEnvFile(content);
+  return new Map(entries.map((e) => [e.key, e.value]));
+}
+
+// src/core/sync.ts
+function syncCheck(envPath2 = ".env", examplePath2 = ".env.example") {
+  if (!(0, import_fs.existsSync)(examplePath2)) {
+    throw new Error(`${examplePath2} not found. Run "dotenv-guard init" to create one.`);
+  }
+  const exampleContent = (0, import_fs.readFileSync)(examplePath2, "utf-8");
+  const exampleKeys = new Set(parseEnvFile(exampleContent).map((e) => e.key));
+  let envKeys = /* @__PURE__ */ new Set();
+  if ((0, import_fs.existsSync)(envPath2)) {
+    const envContent = (0, import_fs.readFileSync)(envPath2, "utf-8");
+    envKeys = new Set(parseEnvFile(envContent).map((e) => e.key));
+  }
+  const missing = [...exampleKeys].filter((k) => !envKeys.has(k));
+  const extra = [...envKeys].filter((k) => !exampleKeys.has(k));
+  const synced = [...exampleKeys].filter((k) => envKeys.has(k));
+  return { missing, extra, synced, examplePath: examplePath2, envPath: envPath2 };
+}
+
+// src/core/validator.ts
+function validate(env, rules) {
+  const errors = [];
+  for (const rule of rules) {
+    const value = env[rule.key];
+    if (rule.required !== false && (value === void 0 || value === "")) {
+      errors.push({ key: rule.key, message: "is required but missing or empty" });
+      continue;
+    }
+    if (value === void 0 || value === "") continue;
+    switch (rule.type) {
+      case "number": {
+        const num = Number(value);
+        if (isNaN(num)) {
+          errors.push({ key: rule.key, value, message: `must be a number, got "${value}"` });
+        } else {
+          if (rule.min !== void 0 && num < rule.min)
+            errors.push({ key: rule.key, value, message: `must be >= ${rule.min}` });
+          if (rule.max !== void 0 && num > rule.max)
+            errors.push({ key: rule.key, value, message: `must be <= ${rule.max}` });
+        }
+        break;
+      }
+      case "boolean":
+        if (!["true", "false", "1", "0", "yes", "no"].includes(value.toLowerCase()))
+          errors.push({ key: rule.key, value, message: "must be a boolean (true/false/1/0/yes/no)" });
+        break;
+      case "url":
+        try {
+          new URL(value);
+        } catch {
+          errors.push({ key: rule.key, value, message: "must be a valid URL" });
+        }
+        break;
+      case "email":
+        if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value))
+          errors.push({ key: rule.key, value, message: "must be a valid email" });
+        break;
+      case "port": {
+        const port = Number(value);
+        if (isNaN(port) || port < 1 || port > 65535)
+          errors.push({ key: rule.key, value, message: "must be a valid port (1-65535)" });
+        break;
+      }
+      case "enum":
+        if (rule.enum && !rule.enum.includes(value))
+          errors.push({ key: rule.key, value, message: `must be one of: ${rule.enum.join(", ")}` });
+        break;
+    }
+    if (rule.pattern && !rule.pattern.test(value))
+      errors.push({ key: rule.key, value, message: `does not match required pattern` });
+  }
+  return errors;
+}
+function inferRules(exampleContent) {
+  const lines = exampleContent.split("\n");
+  const rules = [];
+  for (const line of lines) {
+    const match = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)/);
+    if (!match) continue;
+    const key = match[1];
+    const rest = match[2];
+    const rule = { key, required: true };
+    const commentMatch = rest.match(/#\s*type:\s*(\w+)/i);
+    if (commentMatch) {
+      rule.type = commentMatch[1].toLowerCase();
+    }
+    if (rest.match(/#.*optional/i)) {
+      rule.required = false;
+    }
+    const enumMatch = rest.match(/#\s*enum:\s*([^\s]+)/i);
+    if (enumMatch) {
+      rule.type = "enum";
+      rule.enum = enumMatch[1].split(",");
+    }
+    if (!rule.type) {
+      const value = rest.split("#")[0].trim().replace(/^["']|["']$/g, "");
+      if (value.match(/^https?:\/\//)) rule.type = "url";
+      else if (value.match(/^\d+$/) && key.match(/PORT/i)) rule.type = "port";
+      else if (value.match(/^(true|false)$/i)) rule.type = "boolean";
+      else if (value.match(/^\d+$/)) rule.type = "number";
+    }
+    rules.push(rule);
+  }
+  return rules;
+}
+
+// src/core/leak.ts
+var import_child_process = require("child_process");
+var import_fs2 = require("fs");
+var SENSITIVE_PATTERNS = [
+  /API[_-]?KEY/i,
+  /SECRET/i,
+  /PASSWORD/i,
+  /TOKEN/i,
+  /PRIVATE[_-]?KEY/i,
+  /DATABASE[_-]?URL/i,
+  /MONGO[_-]?URI/i,
+  /REDIS[_-]?URL/i,
+  /AWS[_-]?ACCESS/i,
+  /STRIPE/i,
+  /SENDGRID/i,
+  /TWILIO/i,
+  /ANTHROPIC/i,
+  /OPENAI/i
+];
+function checkLeaks(dir = ".") {
+  const leaks = [];
+  let gitignoreHasEnv = false;
+  const gitignorePath = `${dir}/.gitignore`;
+  if ((0, import_fs2.existsSync)(gitignorePath)) {
+    const content = (0, import_fs2.readFileSync)(gitignorePath, "utf-8");
+    gitignoreHasEnv = content.split("\n").some(
+      (line) => line.trim() === ".env" || line.trim() === ".env*" || line.trim() === ".env.local"
+    );
+  }
+  try {
+    const tracked = (0, import_child_process.execSync)("git ls-files", { cwd: dir, encoding: "utf-8" });
+    const envFiles = tracked.split("\n").filter(
+      (f) => f.match(/^\.env($|\.)/) && !f.endsWith(".example") && !f.endsWith(".template")
+    );
+    for (const file of envFiles) {
+      const content = (0, import_fs2.readFileSync)(`${dir}/${file}`, "utf-8");
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const match = lines[i].match(/^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+)/);
+        if (match && match[2].trim().length > 0) {
+          const key = match[1];
+          const severity = SENSITIVE_PATTERNS.some((p) => p.test(key)) ? "high" : "medium";
+          leaks.push({ file, line: i + 1, key, severity });
+        }
+      }
+    }
+  } catch {
+  }
+  let preCommitHookInstalled = false;
+  const hookPath = `${dir}/.git/hooks/pre-commit`;
+  if ((0, import_fs2.existsSync)(hookPath)) {
+    const hookContent = (0, import_fs2.readFileSync)(hookPath, "utf-8");
+    preCommitHookInstalled = hookContent.includes("dotenv-guard");
+  }
+  return { leaks, gitignoreHasEnv, preCommitHookInstalled };
+}
+function installPreCommitHook(dir = ".") {
+  const hookDir = `${dir}/.git/hooks`;
+  const hookPath = `${hookDir}/pre-commit`;
+  const hookScript = `#!/bin/sh
+# dotenv-guard pre-commit hook \u2014 prevent .env leaks
+# Installed by: npx dotenv-guard install-hook
+
+ENV_FILES=$(git diff --cached --name-only | grep -E '^\\.env' | grep -v '\\.example$' | grep -v '\\.template$')
+
+if [ -n "$ENV_FILES" ]; then
+  echo ""
+  echo "\\033[31m\u2716 dotenv-guard: Blocked commit \u2014 .env file(s) detected:\\033[0m"
+  echo ""
+  for f in $ENV_FILES; do
+    echo "  \\033[33m\u2192 $f\\033[0m"
+  done
+  echo ""
+  echo "  Remove with: git reset HEAD <file>"
+  echo "  Or force commit: git commit --no-verify"
+  echo ""
+  exit 1
+fi
+`;
+  (0, import_fs2.mkdirSync)(hookDir, { recursive: true });
+  (0, import_fs2.writeFileSync)(hookPath, hookScript, "utf-8");
+  try {
+    (0, import_fs2.chmodSync)(hookPath, "755");
+  } catch {
+  }
+}
+
+// src/core/generator.ts
+var import_fs3 = require("fs");
+function generateExample(envPath2 = ".env", outputPath = ".env.example") {
+  if (!(0, import_fs3.existsSync)(envPath2)) throw new Error(`${envPath2} not found`);
+  const content = (0, import_fs3.readFileSync)(envPath2, "utf-8");
+  const entries = parseEnvFile(content);
+  const lines = ["# Environment Variables", "# Copy this file to .env and fill in the values", ""];
+  for (const entry of entries) {
+    let placeholder = "";
+    if (entry.value.match(/^https?:\/\//)) placeholder = "https://... # type:url";
+    else if (entry.value.match(/^\d+$/)) placeholder = "0 # type:number";
+    else if (entry.value.match(/^(true|false)$/i)) placeholder = "false # type:boolean";
+    else placeholder = "# type:string";
+    lines.push(`${entry.key}=${placeholder}`);
+  }
+  const output = lines.join("\n") + "\n";
+  (0, import_fs3.writeFileSync)(outputPath, output, "utf-8");
+  return output;
+}
+function ensureGitignore(dir = ".") {
+  const gitignorePath = `${dir}/.gitignore`;
+  const envEntries = [".env", ".env.local", ".env.*.local"];
+  let content = "";
+  if ((0, import_fs3.existsSync)(gitignorePath)) {
+    content = (0, import_fs3.readFileSync)(gitignorePath, "utf-8");
+  }
+  const lines = content.split("\n");
+  const toAdd = envEntries.filter((e) => !lines.some((l) => l.trim() === e));
+  if (toAdd.length > 0) {
+    const addition = "\n# Environment variables\n" + toAdd.join("\n") + "\n";
+    (0, import_fs3.appendFileSync)(gitignorePath, addition, "utf-8");
+    return true;
+  }
+  return false;
+}
+
+// src/utils/colors.ts
+var isColorSupported = process.env.NO_COLOR === void 0 && process.stdout.isTTY;
+var wrap = (code, resetCode) => (str) => isColorSupported ? `\x1B[${code}m${str}\x1B[${resetCode}m` : str;
+var red = wrap(31, 39);
+var green = wrap(32, 39);
+var yellow = wrap(33, 39);
+var blue = wrap(34, 39);
+var gray = wrap(90, 39);
+var bold = wrap(1, 22);
+var dim = wrap(2, 22);
+
+// src/cli.ts
+var args = process.argv.slice(2);
+var command = args[0];
+function showHelp() {
+  console.log(`
+  ${bold("dotenv-guard")} \u2014 Validate env vars, sync .env files, prevent leaks
+
+  ${bold("Usage:")}
+    dotenv-guard <command> [options]
+
+  ${bold("Commands:")}
+    sync             Compare .env with .env.example
+    validate         Validate env var types (from .env.example hints)
+    leak-check       Scan for leaked secrets in git
+    init             Create .env.example + update .gitignore
+    install-hook     Install git pre-commit hook to block .env commits
+
+  ${bold("Options:")}
+    --env <path>     Path to .env file (default: .env)
+    --example <path> Path to .env.example (default: .env.example)
+    -h, --help       Show help
+    -v, --version    Show version
+
+  ${bold("Programmatic:")}
+    import 'dotenv-guard/auto';
+    // Auto-check on import
+    import { guard } from 'dotenv-guard';  // Manual check
+  `);
+}
+var envPath = args.includes("--env") ? args[args.indexOf("--env") + 1] : ".env";
+var examplePath = args.includes("--example") ? args[args.indexOf("--example") + 1] : ".env.example";
+switch (command) {
+  case "sync": {
+    try {
+      const result = syncCheck(envPath, examplePath);
+      console.log("");
+      console.log(bold("  dotenv-guard sync"));
+      console.log(gray(`  ${result.envPath} \u2194 ${result.examplePath}`));
+      console.log("");
+      if (result.missing.length > 0) {
+        console.log(red(`  \u2716 Missing (${result.missing.length}):`));
+        result.missing.forEach((k) => console.log(yellow(`    \u2192 ${k}`)));
+        console.log("");
+      }
+      if (result.extra.length > 0) {
+        console.log(yellow(`  \u26A0 Extra (${result.extra.length}):`));
+        result.extra.forEach((k) => console.log(gray(`    \u2192 ${k}`)));
+        console.log("");
+      }
+      console.log(green(`  \u2713 Synced: ${result.synced.length} variables`));
+      if (result.missing.length > 0) {
+        console.log("");
+        console.log(dim(`  Add missing variables to ${result.envPath} to fix.`));
+      }
+      console.log("");
+      process.exit(result.missing.length > 0 ? 1 : 0);
+    } catch (err) {
+      console.error(red(`
+  \u2716 ${err.message}
+`));
+      process.exit(1);
+    }
+    break;
+  }
+  case "validate": {
+    try {
+      if (!(0, import_fs4.existsSync)(examplePath)) {
+        console.error(red(`
+  \u2716 ${examplePath} not found. Run "dotenv-guard init" first.
+`));
+        process.exit(1);
+      }
+      const exampleContent = (0, import_fs4.readFileSync)(examplePath, "utf-8");
+      const rules = inferRules(exampleContent);
+      const envMap = (0, import_fs4.existsSync)(envPath) ? parseEnvFileToMap((0, import_fs4.readFileSync)(envPath, "utf-8")) : /* @__PURE__ */ new Map();
+      const env = {};
+      for (const rule of rules) {
+        env[rule.key] = process.env[rule.key] || envMap.get(rule.key);
+      }
+      const errors = validate(env, rules);
+      console.log("");
+      console.log(bold("  dotenv-guard validate"));
+      console.log("");
+      if (errors.length === 0) {
+        console.log(green(`  \u2713 All ${rules.length} variables are valid`));
+      } else {
+        console.log(red(`  \u2716 ${errors.length} validation error(s):`));
+        console.log("");
+        errors.forEach((e) => {
+          console.log(`    ${red("\u2716")} ${bold(e.key)} ${e.message}`);
+          if (e.value) console.log(gray(`      current value: "${e.value}"`));
+        });
+      }
+      console.log("");
+      process.exit(errors.length > 0 ? 1 : 0);
+    } catch (err) {
+      console.error(red(`
+  \u2716 ${err.message}
+`));
+      process.exit(1);
+    }
+    break;
+  }
+  case "leak-check": {
+    const result = checkLeaks(".");
+    console.log("");
+    console.log(bold("  dotenv-guard leak-check"));
+    console.log("");
+    if (result.gitignoreHasEnv) {
+      console.log(green("  \u2713 .gitignore includes .env"));
+    } else {
+      console.log(red("  \u2716 .gitignore does NOT include .env"));
+      console.log(gray("    Run: dotenv-guard init"));
+    }
+    if (result.preCommitHookInstalled) {
+      console.log(green("  \u2713 Pre-commit hook installed"));
+    } else {
+      console.log(yellow("  \u26A0 No pre-commit hook"));
+      console.log(gray("    Run: dotenv-guard install-hook"));
+    }
+    if (result.leaks.length === 0) {
+      console.log(green("  \u2713 No .env files tracked in git"));
+    } else {
+      console.log(red(`  \u2716 ${result.leaks.length} leaked variable(s) in git:`));
+      console.log("");
+      result.leaks.forEach((l) => {
+        const icon = l.severity === "high" ? red("HIGH") : yellow("MED");
+        console.log(`    [${icon}] ${l.file}:${l.line} \u2014 ${bold(l.key)}`);
+      });
+      console.log("");
+      console.log(dim("  Remove tracked files: git rm --cached .env"));
+    }
+    console.log("");
+    process.exit(result.leaks.length > 0 ? 1 : 0);
+    break;
+  }
+  case "init": {
+    console.log("");
+    console.log(bold("  dotenv-guard init"));
+    console.log("");
+    if ((0, import_fs4.existsSync)(".env") && !(0, import_fs4.existsSync)(".env.example")) {
+      generateExample(".env", ".env.example");
+      console.log(green("  \u2713 Created .env.example from .env"));
+    } else if ((0, import_fs4.existsSync)(".env.example")) {
+      console.log(gray("  \u2022 .env.example already exists"));
+    } else {
+      console.log(yellow("  \u26A0 No .env file found \u2014 create one first"));
+    }
+    const updated = ensureGitignore(".");
+    if (updated) {
+      console.log(green("  \u2713 Updated .gitignore with .env entries"));
+    } else {
+      console.log(gray("  \u2022 .gitignore already includes .env"));
+    }
+    console.log("");
+    break;
+  }
+  case "install-hook": {
+    try {
+      installPreCommitHook(".");
+      console.log("");
+      console.log(green(bold("  \u2713 Pre-commit hook installed")));
+      console.log(gray("    .env files will be blocked from commits"));
+      console.log(gray("    Bypass with: git commit --no-verify"));
+      console.log("");
+    } catch (err) {
+      console.error(red(`
+  \u2716 ${err.message}
+`));
+      process.exit(1);
+    }
+    break;
+  }
+  case "-v":
+  case "--version":
+    console.log("1.0.0");
+    break;
+  case "-h":
+  case "--help":
+  case void 0:
+    showHelp();
+    break;
+  default:
+    console.error(red(`
+  Unknown command: ${command}`));
+    showHelp();
+    process.exit(1);
+}

package/dist/cli.mjs

@@ -0,0 +1,211 @@
+#!/usr/bin/env node
+import {
+  bold,
+  dim,
+  gray,
+  green,
+  red,
+  yellow
+} from "./chunk-RLNPDDSP.mjs";
+import {
+  checkLeaks,
+  ensureGitignore,
+  generateExample,
+  inferRules,
+  installPreCommitHook,
+  validate
+} from "./chunk-QXZQR35R.mjs";
+import {
+  parseEnvFileToMap,
+  syncCheck
+} from "./chunk-YYFNUR7Y.mjs";
+
+// src/cli.ts
+import { readFileSync, existsSync } from "fs";
+var args = process.argv.slice(2);
+var command = args[0];
+function showHelp() {
+  console.log(`
+  ${bold("dotenv-guard")} \u2014 Validate env vars, sync .env files, prevent leaks
+
+  ${bold("Usage:")}
+    dotenv-guard <command> [options]
+
+  ${bold("Commands:")}
+    sync             Compare .env with .env.example
+    validate         Validate env var types (from .env.example hints)
+    leak-check       Scan for leaked secrets in git
+    init             Create .env.example + update .gitignore
+    install-hook     Install git pre-commit hook to block .env commits
+
+  ${bold("Options:")}
+    --env <path>     Path to .env file (default: .env)
+    --example <path> Path to .env.example (default: .env.example)
+    -h, --help       Show help
+    -v, --version    Show version
+
+  ${bold("Programmatic:")}
+    import 'dotenv-guard/auto';
+    // Auto-check on import
+    import { guard } from 'dotenv-guard';  // Manual check
+  `);
+}
+var envPath = args.includes("--env") ? args[args.indexOf("--env") + 1] : ".env";
+var examplePath = args.includes("--example") ? args[args.indexOf("--example") + 1] : ".env.example";
+switch (command) {
+  case "sync": {
+    try {
+      const result = syncCheck(envPath, examplePath);
+      console.log("");
+      console.log(bold("  dotenv-guard sync"));
+      console.log(gray(`  ${result.envPath} \u2194 ${result.examplePath}`));
+      console.log("");
+      if (result.missing.length > 0) {
+        console.log(red(`  \u2716 Missing (${result.missing.length}):`));
+        result.missing.forEach((k) => console.log(yellow(`    \u2192 ${k}`)));
+        console.log("");
+      }
+      if (result.extra.length > 0) {
+        console.log(yellow(`  \u26A0 Extra (${result.extra.length}):`));
+        result.extra.forEach((k) => console.log(gray(`    \u2192 ${k}`)));
+        console.log("");
+      }
+      console.log(green(`  \u2713 Synced: ${result.synced.length} variables`));
+      if (result.missing.length > 0) {
+        console.log("");
+        console.log(dim(`  Add missing variables to ${result.envPath} to fix.`));
+      }
+      console.log("");
+      process.exit(result.missing.length > 0 ? 1 : 0);
+    } catch (err) {
+      console.error(red(`
+  \u2716 ${err.message}
+`));
+      process.exit(1);
+    }
+    break;
+  }
+  case "validate": {
+    try {
+      if (!existsSync(examplePath)) {
+        console.error(red(`
+  \u2716 ${examplePath} not found. Run "dotenv-guard init" first.
+`));
+        process.exit(1);
+      }
+      const exampleContent = readFileSync(examplePath, "utf-8");
+      const rules = inferRules(exampleContent);
+      const envMap = existsSync(envPath) ? parseEnvFileToMap(readFileSync(envPath, "utf-8")) : /* @__PURE__ */ new Map();
+      const env = {};
+      for (const rule of rules) {
+        env[rule.key] = process.env[rule.key] || envMap.get(rule.key);
+      }
+      const errors = validate(env, rules);
+      console.log("");
+      console.log(bold("  dotenv-guard validate"));
+      console.log("");
+      if (errors.length === 0) {
+        console.log(green(`  \u2713 All ${rules.length} variables are valid`));
+      } else {
+        console.log(red(`  \u2716 ${errors.length} validation error(s):`));
+        console.log("");
+        errors.forEach((e) => {
+          console.log(`    ${red("\u2716")} ${bold(e.key)} ${e.message}`);
+          if (e.value) console.log(gray(`      current value: "${e.value}"`));
+        });
+      }
+      console.log("");
+      process.exit(errors.length > 0 ? 1 : 0);
+    } catch (err) {
+      console.error(red(`
+  \u2716 ${err.message}
+`));
+      process.exit(1);
+    }
+    break;
+  }
+  case "leak-check": {
+    const result = checkLeaks(".");
+    console.log("");
+    console.log(bold("  dotenv-guard leak-check"));
+    console.log("");
+    if (result.gitignoreHasEnv) {
+      console.log(green("  \u2713 .gitignore includes .env"));
+    } else {
+      console.log(red("  \u2716 .gitignore does NOT include .env"));
+      console.log(gray("    Run: dotenv-guard init"));
+    }
+    if (result.preCommitHookInstalled) {
+      console.log(green("  \u2713 Pre-commit hook installed"));
+    } else {
+      console.log(yellow("  \u26A0 No pre-commit hook"));
+      console.log(gray("    Run: dotenv-guard install-hook"));
+    }
+    if (result.leaks.length === 0) {
+      console.log(green("  \u2713 No .env files tracked in git"));
+    } else {
+      console.log(red(`  \u2716 ${result.leaks.length} leaked variable(s) in git:`));
+      console.log("");
+      result.leaks.forEach((l) => {
+        const icon = l.severity === "high" ? red("HIGH") : yellow("MED");
+        console.log(`    [${icon}] ${l.file}:${l.line} \u2014 ${bold(l.key)}`);
+      });
+      console.log("");
+      console.log(dim("  Remove tracked files: git rm --cached .env"));
+    }
+    console.log("");
+    process.exit(result.leaks.length > 0 ? 1 : 0);
+    break;
+  }
+  case "init": {
+    console.log("");
+    console.log(bold("  dotenv-guard init"));
+    console.log("");
+    if (existsSync(".env") && !existsSync(".env.example")) {
+      generateExample(".env", ".env.example");
+      console.log(green("  \u2713 Created .env.example from .env"));
+    } else if (existsSync(".env.example")) {
+      console.log(gray("  \u2022 .env.example already exists"));
+    } else {
+      console.log(yellow("  \u26A0 No .env file found \u2014 create one first"));
+    }
+    const updated = ensureGitignore(".");
+    if (updated) {
+      console.log(green("  \u2713 Updated .gitignore with .env entries"));
+    } else {
+      console.log(gray("  \u2022 .gitignore already includes .env"));
+    }
+    console.log("");
+    break;
+  }
+  case "install-hook": {
+    try {
+      installPreCommitHook(".");
+      console.log("");
+      console.log(green(bold("  \u2713 Pre-commit hook installed")));
+      console.log(gray("    .env files will be blocked from commits"));
+      console.log(gray("    Bypass with: git commit --no-verify"));
+      console.log("");
+    } catch (err) {
+      console.error(red(`
+  \u2716 ${err.message}
+`));
+      process.exit(1);
+    }
+    break;
+  }
+  case "-v":
+  case "--version":
+    console.log("1.0.0");
+    break;
+  case "-h":
+  case "--help":
+  case void 0:
+    showHelp();
+    break;
+  default:
+    console.error(red(`
+  Unknown command: ${command}`));
+    showHelp();
+    process.exit(1);
+}