@super-repo/envx 0.2.3-b.2 → 0.2.3-b.3

package/README.md

@@ -1,24 +1,71 @@
-# @honeycluster/envx
+# @super-repo/envx
 
-A small wrapper around [`@dotenvx/dotenvx`](https://www.npmjs.com/package/@dotenvx/dotenvx)
-for monorepos. Auto-detects the active environment from common
-platform signals, loads the matching `.env*` files from the workspace
-root and the current package, and runs your command (or your code)
-with that environment applied.
+Workspace-aware env-file loader, runner, and encryption tool — built for monorepos.
 
 ```sh
-pnpm add @honeycluster/envx
+pnpm add @super-repo/envx
 ```
 
+## Tribute
+
+This package stands on the shoulders of [`@dotenvx/dotenvx`](https://www.npmjs.com/package/@dotenvx/dotenvx). The encryption format, the `.env.keys` convention, the public-key header layout, and the broad CLI shape are all directly inspired by — and **wire-format compatible with** — dotenvx. We re-use [`eciesjs`](https://www.npmjs.com/package/eciesjs) (the same library dotenvx uses) for asymmetric encryption, so a `.env*` file encrypted by either tool can be decrypted by the other given the matching private key.
+
+If you're building a single application, **just use [`@dotenvx/dotenvx`](https://dotenvx.com)**. It's excellent, well-maintained, and battle-tested. This package exists for one specific case: when "load the environment for one app" doesn't capture what you actually need.
+
+## The problem
+
+Monorepos break a lot of dotenv-style assumptions:
+
+- **Env files live at multiple levels.** Workspace-wide secrets sit at the repo root; per-package overrides sit inside each package; CI injects yet another layer. dotenv's "look in cwd" model produces different results depending on which package directory you happen to be in when you ran the command.
+- **`.env.keys` lives in *one* place, but encrypted `.env*` files live in many.** Without a workspace-aware lookup, every package needs its own copy of the keys file, or a fragile `--env-keys-file ../../../.env.keys` per command.
+- **Cascade resolution wants the workspace root, not cwd.** `--cascade prod` should layer `.env`, `.env.prod`, `.env.local`, and `.env.prod.local` from the *workspace root*, regardless of which subpackage triggered the load. Without this, a Vite build run from `packages/web/` and a Node script run from `apps/api/` see different environments for the same prod target.
+- **Encryption keys want to rotate atomically across the whole stack.** Rotating one package's key while leaving the others stale is a leak waiting to happen. You want one `rotate` command that walks the workspace.
+- **Per-package configuration is a real thing.** Some packages legitimately want a different env-file set than the rest of the monorepo (e.g. a Docker image-builder package that pulls from `vault/` while the rest pull from `.env`).
+
+dotenvx handles single-app cases beautifully. envx handles the workspace shape on top of dotenvx's foundation.
+
+## The solution
+
+envx adds three things on top of the dotenvx model:
+
+1. **Cwd-first paths with workspace-root fallback.** Both `--dir`/`--env-path` and `--env-keys-file`/`-fk` resolve **relative to where the command is invoked**. If the requested directory or keys file isn't there, envx walks *up* to the nearest workspace root (any ancestor with `pnpm-workspace.yaml`, `package.json#workspaces`, `nx.json`, etc.) and looks again. So `envx encrypt --dir vault` works whether `vault/` lives in your current package or at the workspace root — same command, same intent, no per-package `../../../.env.keys` ceremony.
+
+2. **One `.env.keys` for the workspace by default.** With no `-fk` flag, envx looks for `.env.keys` at cwd; if it's not there, it walks up. So a single keys file at the workspace root serves every encrypted `.env*` across the monorepo. Override per-call with `-fk <path>` whenever you need a different file.
+
+3. **`rotate` walks every encrypted file you point it at.** One command refreshes the asymmetric keypair for every file the resolver picks up — every file in `--dir vault`, every file in a `-e` list, every cascade target. The new keypair lands in both the env file's `ENVX_PUBLIC_KEY*` header and the matching `.env.keys` entry atomically.
+
+The CLI shape, the `encrypted:<base64>` ciphertext format, the `ENVX_PUBLIC_KEY*` headers, and the `.env.keys` file layout are all directly compatible with `dotenvx`. envx also reads keys stored under the upstream `DOTENV_PUBLIC_KEY*` / `DOTENV_PRIVATE_KEY*` names so a `.env.keys` produced by either tool decrypts under the other.
+
+## envx vs. dotenvx
+
+| capability                                | `dotenvx`                                                  | `envx`                                                                                |
+| ----------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------- |
+| **Target shape**                          | Single application                                         | pnpm / yarn / npm workspaces, Nx, Turborepo, Bazel, etc.                              |
+| **Env-file path resolution**              | Relative to `cwd`                                          | Cwd-first; walks up to workspace root (`pnpm-workspace.yaml`, `package.json#workspaces`, `nx.json`, …) on miss |
+| **`.env.keys` default location**          | Alongside the env file                                     | Cwd first, then walk-up to workspace root — one keys file serves the whole monorepo |
+| **`--env-keys-file` relative resolution** | Relative to `cwd`                                          | Relative to `cwd`, with walk-up to the workspace root if the file isn't at cwd       |
+| **`--dir` flag**                          | Not present (use `-f <path>` per file)                     | First-class `--dir` / `-d` / `--env-path`, cwd-first with workspace fallback         |
+| **Per-package config**                    | Single project root                                        | `package.json#envx.config: "<path>"` per package + workspace-level inheritance       |
+| **Cascade discovery**                     | From cwd                                                   | From workspace root, then layered with package-local overrides                       |
+| **Encryption**                            | ECIES via `eciesjs` (secp256k1 + AES-256-GCM)              | **Identical** ECIES via `eciesjs` — wire-format compatible                           |
+| **Public-key header**                     | `DOTENV_PUBLIC_KEY*`                                       | `ENVX_PUBLIC_KEY*` (canonical), `DOTENV_PUBLIC_KEY*` accepted as a read fallback     |
+| **Private-key var name**                  | `DOTENV_PRIVATE_KEY*`                                      | `ENVX_PRIVATE_KEY*` (canonical), `DOTENV_PRIVATE_KEY*` accepted as a read fallback   |
+| **`rotate` command**                      | Per-file rotation                                          | Walks every encrypted file the resolver picks up                                     |
+| **Programmatic API**                      | `dotenvx.config()` / library functions                     | `envx()` (single call), `import "@super-repo/envx/auto"` side-effect entry           |
+| **Auto-environment detection**            | Limited                                                    | Reads `VERCEL_ENV`, Netlify `CONTEXT`, `NODE_ENV` to pick `.env.<env>` when `--env` is omitted |
+| **Distribution**                          | npm package                                                | npm package + workspace-private helpers (`envx-libs`, `envx-common`) bundled via Vite |
+| **License**                               | BSD-3-Clause                                               | MIT                                                                                   |
+
+In short: same crypto, same file formats, same CLI vocabulary — different path-resolution layer underneath.
+
 ## Programmatic API
 
-### `import envx from "@honeycluster/envx"`
+### `import envx from "@super-repo/envx"`
 
 ```ts
-import envx from "@honeycluster/envx";
+import envx from "@super-repo/envx";
 
 // Three call shapes — all mutate process.env and return it for ergonomics.
-
 const env = envx();              // load .env (auto-detect from NODE_ENV / VERCEL_ENV / NETLIFY)
 const env = envx("prod");        // cascade-load .env, .env.prod, .env.local, .env.prod.local
 const env = envx({               // full options
@@ -30,56 +77,34 @@ const env = envx({               // full options
 });
 ```
 
-The string form (`envx("prod")`) is shorthand for "scope this load to
-the named environment" — it sets `cascade` so `.env.prod` and any local
-overrides layer cleanly over `.env`.
+The string form (`envx("prod")`) is shorthand for "scope this load to the named environment" — it sets `cascade` so `.env.prod` and any local overrides layer cleanly over `.env`.
 
-`envx()` discovers `envx.config.{ts,js,json}` and `package.json`'s
-`envx.config` automatically; the explicit args you pass override
-matching fields from the config. See [`docs/CONFIG.md`](../../docs/CONFIG.md).
+`envx()` discovers `envx.config.{ts,js,json}` and `package.json#envx.config` automatically; explicit args override matching fields from the config.
 
-### `import "@honeycluster/envx/auto"` — side-effect
+### Side-effect import
 
 ```ts
 // In your app's entry file:
-import "@honeycluster/envx/auto";
+import "@super-repo/envx/auto";
 
 // envx() has already run by the time this line executes.
 const env = process.env;
 ```
 
-`@honeycluster/envx/config` is an alias of `/auto` (matches the
-`dotenv/config` convention).
-
-### Lower-level building blocks
-
-The same helpers the CLI uses are also exported from
-`@honeycluster/libs` if you want fine-grained control:
-
-```ts
-import {
-  detectEnvironment,
-  expandCascadePaths,
-  findWorkspaceRoot,
-  loadEnv,
-  resolveEnvPaths,
-  encryptFiles,
-  decryptFiles,
-  expandEnvSrc,
-  loadDotenvxConfig,
-} from "@honeycluster/libs";
-```
+`@super-repo/envx/config` is an alias of `/auto` (matches the `dotenv/config` convention).
 
 ## CLI
 
 ```sh
-envx -- node app.js                # load .env (auto-detected) and run
-envx --env dev -- pnpm start       # load .env.dev
-envx print DATABASE_URL            # print one variable
-envx debug --cascade prod          # show resolved paths
-envx encrypt -e .env.prod          # encrypt values in .env.prod
-envx decrypt -e .env.prod -k FOO   # decrypt only FOO
-envx expand -e vault/.env.prod     # decrypt + expand to stdout
+envx -- node app.js                      # load .env (auto-detected) and run
+envx --env dev -- pnpm start             # load .env.dev
+envx --dir vault -- pnpm test            # load every .env* in vault/
+envx print DATABASE_URL                  # print one variable
+envx debug --cascade prod                # show resolved paths
+envx encrypt -e .env.prod                # encrypt values in .env.prod (writes ./.env.keys)
+envx decrypt -e .env.prod -k FOO         # decrypt only FOO
+envx rotate --dir vault                  # rotate keypair for every vault/.env* file
+envx expand -e vault/.env.prod           # decrypt + expand to stdout
 envx -c ./envx.config.json run -- node app.js
 ```
 
@@ -88,7 +113,7 @@ envx -c ./envx.config.json run -- node app.js
 | bin              | source                       | what it does                                    |
 | ---------------- | ---------------------------- | ----------------------------------------------- |
 | `envx`           | `dist/cli.js`                | This package's CLI (subcommands below)          |
-| `dotenvx-proxy`  | `dist/bin/dotenvx.js`        | Passthrough to upstream `@dotenvx/dotenvx`      |
+| `dotenvx-proxy`  | `dist/bin/dotenvx.js`        | Direct passthrough to upstream `@dotenvx/dotenvx` |
 
 ### Subcommands
 
@@ -99,46 +124,397 @@ envx -c ./envx.config.json run -- node app.js
 | `debug`   | show which files would be loaded without loading them                                  |
 | `encrypt` | encrypt values in one or more `.env*` files (writes `.env.keys` on first run)          |
 | `decrypt` | decrypt values back in place                                                           |
+| `rotate`  | generate a fresh keypair and re-encrypt every encrypted value in place                 |
+| `info`    | print resolved configuration, auto-detection details, NODE_ENV mappings, and the env files that would load |
 | `expand`  | decrypt (if needed) and expand `${VAR}` / `$VAR` / `${VAR:-default}` / `${VAR:?msg}`   |
 
 ### Global options
 
-| option          | alias       | default     | description                                                                              |
-| --------------- | ----------- | ----------- | ---------------------------------------------------------------------------------------- |
-| `--config`      | `-c`        | _(auto)_    | Path to an `envx.config.{ts,js,json}`. Discovery order: flag → `package.json` `envx.config` → auto-discover. |
-| `--env`         | `-e`        | `[".env"]`  | Files to load (repeatable). Auto-discovered from `--env-path` when omitted.              |
-| `--env-path`    |             | _(none)_    | Subdirectory holding env files. When set + `--env` omitted, every `.env*` in the dir is included. |
-| `--vault`       | `--va`      | `false`     | Shortcut for `--env-path vault`.                                                         |
-| `--variables`   | `-v`        | `[]`        | Inline `name=value` overrides (repeatable).                                              |
-| `--cascade`     |             | _(off)_     | Cascade name; expands `.env`, `.env.<c>`, `.env.local`, `.env.<c>.local`.                |
-| `--override`    | `-o`        | `false`     | Override existing `process.env` values. Conflicts with `--cascade`.                      |
-| `--quiet`       | `-q`        | `true`      | Suppress dotenv's own output.                                                            |
-
-### Auto-detect rules
-
-The auto-detected environment becomes the suffix on `.env.<env>`:
-
-| signal                                | resolves to     |
-| ------------------------------------- | --------------- |
-| `VERCEL_ENV=production`               | `.env.prod`     |
-| `VERCEL_ENV=preview` (or unset)       | `.env.dev`      |
-| Netlify `CONTEXT=production`          | `.env.prod`     |
-| Netlify `CONTEXT=deploy-preview` / `branch-deploy` | `.env.dev` |
-| `NODE_ENV=production`                 | `.env.prod`     |
-| `NODE_ENV=development`                | `.env.dev`      |
-| `NODE_ENV=local`                      | `.env.local`    |
-| _no signals_                          | `.env`          |
-
-Auto-detection only triggers when `--env` is left at its default
-(`[".env"]`). Explicit `--env` always wins.
+| option            | alias            | default              | description                                                                              |
+| ----------------- | ---------------- | -------------------- | ---------------------------------------------------------------------------------------- |
+| `--config`        | `-c`             | _(auto)_             | Path to an `envx.config.{ts,js,json}`. Discovery: flag → `package.json#envx.config` → walk-up auto-discovery. |
+| `--env`           | `-e`             | `[".env"]`           | Files to load (repeatable). Auto-discovered from `--env-path` when omitted.              |
+| `--env-path`      | `-d`, `--dir`    | _(none)_             | Subdirectory holding env files. Cwd-first; falls back to `<workspace-root>/<dir>` if the cwd path doesn't exist. When set + `--env` omitted, every `.env*` in the resolved dir is included. |
+| `--vault`         | `--va`           | `false`              | Shortcut for `--env-path vault`.                                                         |
+| `--env-keys-file` | `-fk`            | `<cwd>/.env.keys`    | Path to the `.env.keys` file. Cwd-first; walks up to the workspace root if no keys file exists at cwd. |
+| `--variables`     | `-v`             | `[]`                 | Inline `name=value` overrides (repeatable).                                              |
+| `--cascade`       |                  | _(off)_              | Cascade name; expands `.env`, `.env.<c>`, `.env.local`, `.env.<c>.local`.                |
+| `--override`      | `-o`             | `false`              | Override existing `process.env` values. Conflicts with `--cascade`.                      |
+| `--quiet`         | `-q`             | `true`               | Suppress dotenv's own output.                                                            |
+
+### Defaults
+
+Six resolution rules drive every envx invocation. Each is overridable — see [Configuration](#configuration) below for the layered customization map.
+
+#### 1. Environment auto-detection
+
+When `--env` is left at its default (`[".env"]`), envx auto-detects the deployment environment from well-known platform signals and rewrites the env-file suffix accordingly. Source-of-truth: `detectEnvironment()`.
+
+Order of precedence: **Vercel → Netlify → `NODE_ENV` → unsuffixed**.
+
+| signal                                                  | detected   | env file picked |
+| ------------------------------------------------------- | ---------- | --------------- |
+| `VERCEL` set + `VERCEL_ENV=production`                  | `prod`     | `.env.prod`     |
+| `VERCEL` set + any other `VERCEL_ENV` (or unset)        | `dev`      | `.env.dev`      |
+| `NETLIFY` set + `CONTEXT=production`                    | `prod`     | `.env.prod`     |
+| `NETLIFY` set + `CONTEXT=deploy-preview` / `branch-deploy` | `dev`   | `.env.dev`      |
+| `NETLIFY` set + any other `CONTEXT`                     | `dev`      | `.env.dev`      |
+| `NODE_ENV=production`                                   | `prod`     | `.env.prod`     |
+| `NODE_ENV=development`                                  | `dev`      | `.env.dev`      |
+| `NODE_ENV=local`                                        | `local`    | `.env.local`    |
+| `NODE_ENV=<other>` (e.g. `staging`, `qa`, `preview`)    | `<other>`  | `.env.<other>`  |
+| _no signals_                                            | `root`     | `.env`          |
+
+`NODE_ENV` values not in the built-in map (`production`, `development`, `local`) **pass through lowercased** as the suffix. So `NODE_ENV=staging` → `.env.staging`, `NODE_ENV=QA` → `.env.qa`, etc. — no config required.
+
+**Customize:**
+- Pass `--env <name>` (or `-e <name>`) to bypass detection entirely; bare names get the `.env.` prefix automatically (`--env staging` → `.env.staging`).
+- Disable detection: set `autoDetect: false` in `envx.config.{ts,js,json}`.
+- Override the `NODE_ENV → suffix` mapping in config:
+  ```ts
+  // envx.config.ts
+  export default {
+    nodeEnvMap: {
+      // built-ins keep working unless you override them:
+      production: "prod",
+      development: "dev",
+      local: "local",
+      // your additions / remappings:
+      qa: "qa-prod",       // NODE_ENV=qa → .env.qa-prod
+      preview: "",         // NODE_ENV=preview → .env (no suffix)
+    },
+  }
+  ```
+- Programmatic: `envx({ envFiles: [...] })`, `envx("staging")` (sets `cascade`), or `envx({ autoDetect: false, nodeEnvMap: { ... } })`.
+
+Run **`envx info`** to print the resolved settings, the detected environment, the active mapping, and which files would be loaded.
+
+#### 2. Cascade expansion order
+
+`--cascade <name>` expands the base files into a layered set, **least- to most-specific**, so that the most specific one wins. Source-of-truth: `expandCascadePaths()`.
+
+For a base of `.env` and `--cascade prod`:
+
+| order | path              | role                              |
+| :---: | ----------------- | --------------------------------- |
+|   1   | `.env.prod.local` | per-developer prod override (gitignored) |
+|   2   | `.env.local`      | per-developer override (gitignored) |
+|   3   | `.env.prod`       | shared prod values (committable, encryptable) |
+|   4   | `.env`            | shared baseline                   |
+
+Without `--cascade`: `.env.local` → `.env` (still least-specific-last).
+
+**Customize:**
+- **CLI**: pass `--cascade <name>` to cascade with an explicit env name (e.g. `--cascade prod`).
+- **Config**: set `cascade: true` to cascade using the auto-detected env name. `cascade: false` (or omit) disables.
+- **Programmatic**: `envx({ cascade: true })` for auto-detected, `envx({ cascade: "prod" })` for explicit, `envx("prod")` (string shorthand) is equivalent to the explicit form.
+- `--override` conflicts with cascade — envx exits with an error if both are set.
+
+#### 3. Path resolution (cwd-first → workspace-root fallback)
+
+Every relative path passed to `--dir`, `--env-path`, `--env-keys-file`, or set in config goes through the same resolver. Source-of-truth: `resolveCwdOrWorkspace()`.
+
+```
+absolute path?            → use verbatim
+<cwd>/<rel> exists?       → use that
+<workspaceRoot>/<rel>?    → use that
+neither?                  → return <cwd>/<rel> so callers (encrypt, etc.) can create it
+```
+
+The "default `.env.keys`" lookup runs the same resolver against the literal `".env.keys"` — so a single `.env.keys` at the workspace root serves every package by default.
+
+**Customize:**
+- Pass an absolute path to `-fk` / `--dir` to skip the walk-up entirely.
+- Set `envKeysFile` / `envPath` in `envx.config.{ts,js,json}`.
+- Programmatic: `envx({ envPath: "vault", envKeysFile: "/abs/path/.env.keys" })`.
+
+#### 4. Workspace root detection
+
+`findWorkspaceRoot(startDir)` walks up from `startDir` and returns the first directory that matches one of these signals, in order:
+
+| pass | signal                                                       |
+| :--: | ------------------------------------------------------------ |
+|  1   | `package.json` with a `workspaces` field (npm/yarn)          |
+|  1   | `package.json` with a `pnpm.workspaces` field                |
+|  2   | `pnpm-workspace.yaml`                                        |
+|  2   | `lerna.json`                                                 |
+|  2   | `nx.json`                                                    |
+|  2   | `rush.json`                                                  |
+|  2   | `yarn.lock`                                                  |
+|  2   | `pnpm-lock.yaml`                                             |
+
+If nothing matches, `startDir` is returned (so envx degrades to single-package behavior — the cwd-first / fallback resolver still works, the fallback is just a no-op).
+
+**Customize:**
+- The detection is currently hardcoded. If you have a non-standard layout, pass absolute paths to `--dir` / `-fk` / `--env` and skip the walk entirely. Reach out if you have a layout that needs a new indicator added.
+
+#### 5. Default `--env` / `--env-path` behavior
+
+| condition                                              | resolved env files                                              |
+| ------------------------------------------------------ | --------------------------------------------------------------- |
+| `--env` explicitly passed                              | exactly the files passed (with `.env.` prefix added to bare names) |
+| `envFiles` set in config                               | the config's list                                               |
+| `--env-path <dir>` set, no `--env`                     | every `.env*` file inside `<dir>` (sorted, excluding `.env.keys`) |
+| neither set                                            | `[".env"]` (with auto-detection from rule #1)                  |
+
+`--vault` is exact shorthand for `--env-path vault`. The `.env.keys` file is **never** discovered by `listEnvFiles`, so `--dir vault` won't accidentally try to "encrypt" your private keys.
+
+**Customize:**
+- `--env <file>` (repeatable) — explicit list.
+- `--env-path <dir>` (or `--dir`, `-d`) — pull every `.env*` from a directory.
+- `envFiles` / `envPath` in config.
+- Programmatic: `envx({ envFiles: [...], envPath: "..." })`.
+
+#### 6. CLI variable overrides
+
+`-v KEY=VALUE` (repeatable) sets values on `process.env` *after* env files load. Format is `^(\w+)=([\s\S]+)$` — multi-line values are supported, but the key must be a valid bash identifier. Source-of-truth: `validateCmdVariable()`.
+
+**Customize:**
+- `-v KEY=VALUE` per-call.
+- Programmatic: `envx({ variables: ["KEY=VALUE", ...] })`.
+
+## Encryption
+
+envx uses **asymmetric (ECIES) encryption by default** — exactly the same scheme as `dotenvx`. On first encrypt of a fresh `.env*` file:
+
+1. A fresh secp256k1 keypair is generated.
+2. The public key gets prepended to the env file as a banner + `ENVX_PUBLIC_KEY*` header (safe to commit).
+3. The matching private key gets written to `.env.keys` (gitignore this) under `ENVX_PRIVATE_KEY*` with a section banner per env file.
+4. Every selected value is encrypted with the public key. Since the public key is committed alongside the env file, anyone with read access can encrypt new values; only the private-key holder can decrypt.
+
+A typical encrypted `.env.dev`:
+
+```
+#/-------------------[ENVX_PUBLIC_KEY]----------------------/
+#/            public-key encryption for .env files          /
+#/       [how it works](https://dotenvx.com/encryption)     /
+#/----------------------------------------------------------/
+ENVX_PUBLIC_KEY_DEV="0266287313a6f4d107115d5963640830fcca378ae34a5e3dbf775122fd121f7084"
+
+DATABASE_URL=encrypted:Bf3p…
+API_KEY=encrypted:7nQ2…
+```
+
+…and the matching `.env.keys` (gitignored):
+
+```
+#/------------------!ENVX_PRIVATE_KEYS!---------------------/
+#/ private decryption keys. DO NOT commit to source control /
+#/     [how it works](https://dotenvx.com/encryption)       /
+#/----------------------------------------------------------/
+
+# .env.dev
+ENVX_PRIVATE_KEY_DEV="…64 hex chars…"
+
+# .env.prod
+ENVX_PRIVATE_KEY_PROD="…64 hex chars…"
+```
+
+### Rotating keys
+
+```sh
+envx rotate                  # rotate keypair for ./.env
+envx rotate --dir vault      # rotate every vault/.env* file
+envx rotate -k API_KEY       # rotate one variable in place
+```
+
+Rotation generates a fresh keypair, decrypts every value with the old private key, re-encrypts with the new public key, and updates both the env file and `.env.keys` atomically. Files without a public-key header surface an error — run `envx encrypt` against them first to set up the keypair.
+
+### dotenvx-compatible naming
+
+envx reads keys under either prefix and writes new ones under the canonical names:
+
+| concept     | canonical (envx writes this)   | dotenvx-compat (envx reads this) |
+| ----------- | ------------------------------- | -------------------------------- |
+| public key  | `ENVX_PUBLIC_KEY*`              | `DOTENV_PUBLIC_KEY*`             |
+| private key | `ENVX_PRIVATE_KEY*`             | `DOTENV_PRIVATE_KEY*`            |
+
+A `.env.keys` produced by upstream dotenvx will Just Work — envx decrypts and re-encrypts in place without renaming the entry, so the diff doesn't ripple.
+
+## Configuration
+
+Every default in the previous section can be overridden. There are three precedence layers — highest to lowest:
+
+| layer                                                  | scope                       | when to use                                                |
+| ------------------------------------------------------ | --------------------------- | ---------------------------------------------------------- |
+| 1. **Per-invocation overrides** — CLI flag (`--env`, `--dir`, …) **or** programmatic arg (`envx({...})`) | one invocation              | ad-hoc overrides, scripts, embedded usage |
+| 2. **The one resolved config file**                    | the package containing the resolved config | per-package or workspace-shared defaults |
+| 3. **Built-in defaults**                                | every invocation            | the fallbacks documented in [Defaults](#defaults)         |
+
+`-v KEY=VALUE` is **not** a config layer — it's a post-load mutation of `process.env` that runs after env files are read. See "Variable-value precedence" further down.
+
+The "one resolved config file" in layer 2 comes from this discovery walk (first match wins, no merging across files):
+
+| step | source                                                          | walks up? |
+| :--: | --------------------------------------------------------------- | :-------: |
+|  1   | `--config <path>` flag (CLI only)                               | n/a       |
+|  2   | nearest `package.json#envx.config: "<path>"` from cwd up to `/` | yes       |
+|  3   | `envx.config.{ts,mts,js,mjs,cjs,json}` in **cwd only**          | no        |
+|  4   | (none — fall through to defaults)                               | n/a       |
+
+A workspace-root `envx.config.ts` is not auto-discovered from sub-packages — point sub-packages at it via `package.json#envx.config: "../../envx.config.ts"` (or whatever the relative path is).
+
+The programmatic API runs the same discovery (minus step 1):
+
+```ts
+import envx from "@super-repo/envx";
+
+envx();              // discovery + defaults
+envx("staging");     // shorthand for envx({ cascade: "staging" })
+envx({ ... });       // explicit args play the role of CLI flags (layer 1)
+```
+
+### How the layers actually merge
+
+The precedence table glosses over a real distinction: **settings** (`envFiles`, `cascade`, `envKeysFile`, …) and **variable values** (the contents of `process.env` after envx runs) flow through different rules. Worth knowing the difference if you're debugging a "why is this value what it is?" moment.
+
+#### Per-setting merge (independent, top-to-bottom)
+
+Each setting in the config-file shape (next section) is resolved **independently**. envx walks the layers for each field on its own — there's no all-or-nothing inheritance.
+
+```
+For each setting field (envFiles, cascade, envPath, envKeysFile, override, quiet, …):
+
+  1. Did the CLI flag — or programmatic arg — set this field?   → use that, stop
+  2. Is it set in the resolved config file?                     → use that, stop
+  3. Otherwise                                                    → use the built-in default
+```
+
+So you can do this without thinking about layer order:
+
+```sh
+# Config provides envFiles; CLI overrides only `cascade`.
+# Effective settings: envFiles=[".env","vault/.env.prod"], cascade="prod", everything else default.
+envx --cascade prod -- node app.js
+```
+
+with
+
+```ts
+// envx.config.ts
+export default {
+  envFiles: [".env", "vault/.env.prod"],
+}
+```
+
+The CLI flag for `cascade` wins for that field; `envFiles` falls through to the config; everything else falls through to defaults.
+
+#### Variable-value precedence (after files load)
+
+Once envx has resolved settings and loaded the env files, the actual values that end up in `process.env` follow a different order — this is dotenv's contract, with two envx-specific tweaks:
+
+```
+Final value of process.env.SOME_KEY is the FIRST hit, top-down:
+
+  1. `-v SOME_KEY=…` passed on the CLI                    (always wins)
+  2. Existing process.env.SOME_KEY when --override=false  (the default)
+     OR, when --override=true:
+     The most-specific env file's value for SOME_KEY     (cascade-wise)
+  3. The next-most-specific env file's value             (cascade order)
+  4. … all the way down the cascade
+  5. unset
+```
+
+`-v` is **not** a config layer — it's a post-load mutation of `process.env`. It runs after every env file has been loaded, and it unconditionally overwrites whatever was there. Rule of thumb:
+
+- Need to inject one ad-hoc value? `-v KEY=VALUE`.
+- Need to swap a whole environment? `--env`, `--cascade`, or `envFiles` in config.
+
+#### `--override` flips one thing only
+
+`--override=false` (the default) means **existing `process.env` wins** over what's in the env files. This matches dotenv: if your shell already exports `DATABASE_URL`, env files won't clobber it.
+
+`--override=true` means **env files win** over existing `process.env`. Useful when you want a config-driven environment to be authoritative regardless of what's in the parent shell. It's incompatible with `--cascade` (envx exits with an error) — within a cascade chain, the *most-specific* file wins anyway, which is the only ordering that makes sense.
+
+### Config-file shape
+
+```ts
+// envx.config.ts
+export default {
+  // ── env-file selection ─────────────────────────────────
+  envFiles: [".env", ".env.local"],   // bypass auto-detect; explicit list
+  envPath: "vault",                    // workspace-relative subdir (cwd-first, ws-root fallback)
+  cascade: true,                       // boolean: enable layered cascade using the auto-detected env name
+                                       // (CLI `--cascade <name>` still accepts an explicit string and overrides)
+  variables: ["DEBUG=1"],              // KEY=VALUE overrides applied after load
+
+  // ── encryption keys ────────────────────────────────────
+  envKeysFile: ".env.keys",            // overrides the cwd-first / workspace fallback default
+
+  // ── load behavior ──────────────────────────────────────
+  override: false,                     // false: existing process.env wins
+                                       // true:  env files win (incompatible with cascade)
+  quiet: true,                         // suppress dotenv's load-line output
+
+  // ── auto-detection ─────────────────────────────────────
+  autoDetect: true,                    // false disables Vercel/Netlify/NODE_ENV detection
+  nodeEnvMap: {                         // override the NODE_ENV → suffix mapping
+    production: "prod",                 // (built-ins shown — yours layer on top)
+    development: "dev",
+    local: "local",
+    qa: "qa-prod",                      // NODE_ENV=qa → .env.qa-prod
+    preview: "",                        // NODE_ENV=preview → .env (empty = no suffix)
+  },
+
+  // ── post-load behavior ─────────────────────────────────
+  required: ["DATABASE_URL", "API_KEY"], // fail-fast: exit 1 if any are unset after load
+  expand: true,                          // auto-resolve ${VAR} references against process.env
+  defaults: {                            // applied AFTER files + variables, only for unset keys
+    LOG_LEVEL: "info",
+    PORT: "3000",
+  },
+
+  // ── advanced ───────────────────────────────────────────
+  workspaceRoot: "/abs/path/to/repo",   // escape hatch — skip findWorkspaceRoot() walk-up
+}
+```
+
+All fields are optional. Anything you omit falls through to the built-in default for that field.
+
+### Discovery order
+
+When `--config <path>` is not passed, envx walks up looking for a config in this order:
+
+1. `<cwd>/envx.config.{ts,js,json,mjs,cjs}` — first hit wins
+2. `<cwd>/package.json#envx.config: "<path>"` — the string is resolved relative to that `package.json`'s directory
+3. Each parent directory, up to the workspace root, repeating steps 1 & 2
+
+`package.json#envx.config` only accepts a **string path** (not an inline object), so the config is always a single file you can lint, review, and version-control independently from the manifest.
+
+### Programmatic customization
+
+Every config field maps 1:1 onto the options accepted by the `envx()` programmatic entry point:
+
+```ts
+import envx from "@super-repo/envx";
+
+// Same as `envx --env .env.prod --env-path vault --override`:
+envx({
+  envFiles: [".env.prod"],
+  envPath: "vault",
+  override: true,
+});
+
+// String shorthand sets `cascade`:
+envx("staging");                  // == envx({ cascade: "staging" })
+```
+
+Programmatic args **override** anything from the discovered config; the config supplies fields you didn't pass.
+
+## Further reading
+
+Expanded explanations, worked examples, and recipes ship with the package in [`./docs/`](./docs/):
+
+- **[Auto-detection](./docs/auto-detection.md)** — every `VERCEL_ENV` / `CONTEXT` / `NODE_ENV` shape walked through with the file that ends up loading.
+- **[Configuration](./docs/configuration.md)** — full schema, the per-field merge rules, where each field gets read from, and the discovery walk.
+- **[Monorepo recipes](./docs/recipes.md)** — common layouts (single workspace `.env.keys`, vault subdir, per-app overrides, CI patterns) with the exact files and commands.
 
 ## Embedding the CLI
 
-The yargs factory is exported under the `./commands` subpath if you
-want to register `envx`'s commands inside your own tool:
+The yargs factory is exported under the `./commands` subpath if you want to register envx's commands inside your own tool:
 
 ```ts
-import { createCli } from "@honeycluster/envx/commands";
+import { createCli } from "@super-repo/envx/commands";
 
 createCli(process.argv.slice(2)).parseSync();
 ```
@@ -146,49 +522,48 @@ createCli(process.argv.slice(2)).parseSync();
 ## Development
 
 ```sh
-# From the package root
 pnpm install
-pnpm build               # tsc + tsc-alias → dist/
-pnpm dev                 # tsc --watch
+pnpm build               # vite library build → dist/
 pnpm test                # vitest unit tests
 pnpm test:integration    # spawn-based subprocess tests
-pnpm typecheck           # tsc --noEmit
-pnpm format              # prettier --write src/
 ```
 
-Tests live in `tests/`. The vitest config is at
-`configs/vitest.config.ts`; the `test` script invokes vitest with
-`--config` so the layout stays explicit. Integration fixtures live in
-`tests/integration/__static__/` — each subdirectory is a self-contained
-worked example (read the file content for the canonical demonstration
-of every feature).
+Tests live in `tests/`. Integration fixtures live in `tests/integration/__static__/` — each subdirectory is a self-contained worked example.
 
 ## Layout
 
 ```
-packages/core/
+packages/envx/core/
 ├── src/
-│   ├── index.ts         # default export: envx() programmatic API
-│   ├── auto.ts          # `import "@honeycluster/envx/auto"` side-effect entry
-│   ├── cli.ts           # `envx` bin entry — wires yargs + parses argv
+│   ├── index.ts            # default export: envx() programmatic API
+│   ├── auto.ts             # `import "@super-repo/envx/auto"` side-effect entry
+│   ├── cli.ts              # `envx` bin entry — wires yargs + parses argv
 │   ├── bin/
-│   │   └── dotenvx.ts   # `dotenvx-proxy` legacy passthrough
+│   │   └── dotenvx.ts      # `dotenvx-proxy` direct passthrough to upstream
 │   └── commands/
-│       ├── index.ts     # createCli — registers subcommands + global options
-│       ├── run.ts       # `run [command..]`
-│       ├── print.ts     # `print <variable>`
-│       ├── debug.ts     # `debug`
-│       ├── encrypt.ts   # `encrypt`
-│       ├── decrypt.ts   # `decrypt`
-│       └── expand.ts    # `expand`
+│       ├── index.ts        # createCli — registers subcommands + global options
+│       ├── run.ts          # `run [command..]`
+│       ├── print.ts        # `print <variable>`
+│       ├── debug.ts        # `debug`
+│       ├── encrypt.ts      # `encrypt`
+│       ├── decrypt.ts      # `decrypt`
+│       ├── rotate.ts       # `rotate`
+│       └── expand.ts       # `expand`
 ├── tests/
-│   ├── *.test.ts        # unit suites (env, factory, programmatic API)
+│   ├── *.test.ts           # unit suites
 │   └── integration/
-│       ├── cli.test.ts  # subprocess end-to-end suite
-│       └── __static__/  # read-only fixtures (cp'd to tmp per test)
+│       ├── cli.test.ts     # subprocess end-to-end suite
+│       └── __static__/     # read-only fixtures (cp'd to tmp per test)
 ├── configs/
 │   ├── tsconfig.build.json
+│   ├── vite.config.ts      # bundles workspace-private envx-libs/common helpers
 │   └── vitest.config.ts
 ├── tsconfig.json
 └── package.json
 ```
+
+The `envx-libs` and `envx-common` workspace packages are bundled into the published `dist/` via Vite, so this is the only npm package consumers need to install.
+
+## License
+
+MIT — same as `@dotenvx/dotenvx`. We're grateful for their work; please go support [`dotenvx.com`](https://dotenvx.com) if you build single-app stuff.