@super-repo/envx 0.2.3-b.5 → 0.3.0

package/dist/auto.js

@@ -1,4 +1,4 @@
-import envx from "./index.js";
+import { t as envx } from "./chunks/src-B_rA7_sV.js";
 //#region src/auto.ts
 envx();
 //#endregion

package/dist/chunks/{commands-Cg8YMJHj.js → commands-B70xh15E.js}

@@ -1,8 +1,8 @@
-import { A as isEncrypted, C as parseEnv, D as decryptValueAsymmetric, S as log, T as toRecord, _ as resolveCwdOrWorkspace, a as auditFiles, b as expandEnvSrc, c as encryptFiles, f as DEFAULT_NODE_ENV_MAP, g as loadEnv, h as listEnvFiles, l as defaultKeysPath, m as findWorkspaceRoot, o as rotateFiles, p as detectEnvironment, r as loadDotenvxConfig, s as decryptFiles, t as writeProcessed, u as readKeysFile, v as resolveEnvPaths, x as expandRecord, y as validateCmdVariable } from "./src-jaqb5pGP.js";
+import { A as isEncrypted, C as parseEnv, D as decryptValueAsymmetric, S as log, T as toRecord, _ as resolveCwdOrWorkspace, a as auditFiles, b as expandEnvSrc, c as encryptFiles, f as DEFAULT_NODE_ENV_MAP, g as loadEnv, h as listEnvFiles, l as defaultKeysPath, m as findWorkspaceRoot, o as rotateFiles, p as detectEnvironment, r as loadDotenvxConfig, s as decryptFiles, t as writeProcessed, u as readKeysFile, v as resolveEnvPaths, x as expandRecord, y as validateCmdVariable } from "./src-BeMTu_ms.js";
 import * as fs from "fs";
 import * as path from "path";
 import yargs from "yargs";
-import { execSync, spawn } from "child_process";
+import { execFileSync, execSync, spawn } from "child_process";
 //#region src/commands/audit.ts
 /**
 * Walk the repo looking for plaintext secrets — committed AWS keys,
@@ -30,6 +30,14 @@ var auditCommand = {
 		type: "number",
 		default: 50,
 		describe: "Stop after reporting this many findings (0 = unlimited)."
+	}).option("respect-gitignore", {
+		type: "boolean",
+		default: true,
+		describe: "Skip files and directories matched by .gitignore (and .git/info/exclude). Pass --no-respect-gitignore to scan everything."
+	}).option("staged", {
+		type: "boolean",
+		default: false,
+		describe: "Scan only files staged for the next commit (added/copied/modified/renamed). Mutually exclusive with positional paths. Suitable as the body of a pre-commit hook."
 	}).option("json", {
 		type: "boolean",
 		default: false,
@@ -37,14 +45,37 @@ var auditCommand = {
 	}),
 	handler: (argv) => {
 		const rawPaths = argv["paths"];
-		const roots = (rawPaths && rawPaths.length > 0 ? rawPaths : ["."]).map((p) => path.resolve(process.cwd(), p));
+		const staged = argv["staged"];
 		const ignore = argv["ignore"];
 		const max = argv["max"];
+		const respectGitignore = argv["respect-gitignore"];
 		const asJson = argv["json"];
+		let roots;
+		if (staged) {
+			if (rawPaths && rawPaths.length > 0) {
+				log.error("audit: --staged cannot be combined with positional paths (it scans the git-staged set)");
+				process.exit(2);
+			}
+			const stagedFiles = listStagedFiles();
+			if (stagedFiles === null) {
+				log.error("audit: --staged requires a git repository (no .git directory found above cwd)");
+				process.exit(2);
+			}
+			if (stagedFiles.length === 0) {
+				if (asJson) process.stdout.write(JSON.stringify({
+					filesScanned: 0,
+					findings: []
+				}) + "\n");
+				else log.info("audit: no staged files — nothing to scan");
+				return;
+			}
+			roots = stagedFiles.map((p) => path.resolve(process.cwd(), p));
+		} else roots = (rawPaths && rawPaths.length > 0 ? rawPaths : ["."]).map((p) => path.resolve(process.cwd(), p));
 		const { findings, filesScanned } = auditFiles({
 			roots,
 			ignore,
-			max
+			max,
+			respectGitignore
 		});
 		if (asJson) {
 			process.stdout.write(JSON.stringify({
@@ -86,6 +117,36 @@ function groupByPattern(findings) {
 	}
 	return [...map.entries()];
 }
+/**
+* Returns the list of files staged for the next commit (added, copied,
+* modified, or renamed — `--diff-filter=ACMR` excludes deletions). NUL-
+* delimited (`-z`) so paths with spaces or newlines round-trip safely.
+*
+* Returns `null` when not inside a git repo (so the caller can render a
+* nicer error than git's stderr). Empty array means "in a repo, but
+* nothing staged" — distinct from the failure case.
+*
+* Exported for unit testing.
+*/
+function listStagedFiles() {
+	try {
+		const out = execFileSync("git", [
+			"diff",
+			"--cached",
+			"--name-only",
+			"--diff-filter=ACMR",
+			"-z"
+		], { stdio: [
+			"ignore",
+			"pipe",
+			"pipe"
+		] }).toString("utf8");
+		if (out.length === 0) return [];
+		return (out.endsWith("\0") ? out.slice(0, -1) : out).split("\0").filter((p) => p.length > 0);
+	} catch {
+		return null;
+	}
+}
 //#endregion
 //#region src/commands/bake.ts
 /**
@@ -1062,11 +1123,190 @@ var runCommand = {
 	}
 };
 //#endregion
+//#region src/commands/template-ai.ts
+var ANTHROPIC_DEFAULT_BASE = "https://api.anthropic.com";
+var OPENAI_DEFAULT_BASE = "https://api.openai.com/v1";
+var ANTHROPIC_OAUTH_BETA = "oauth-2025-04-20";
+var ANTHROPIC_OAUTH_ENVS = ["CLAUDE_CODE_OAUTH_TOKEN", "ANTHROPIC_AUTH_TOKEN"];
+var REQUEST_TIMEOUT_MS = 6e4;
+var AiError = class extends Error {
+	constructor(message) {
+		super(`envx template ai: ${message}`);
+		this.name = "AiError";
+	}
+};
+/**
+* Resolve an API key from `process.env`. Looks at `apiKeyEnv` first
+* (defaults to provider-appropriate name), then known OAuth fallbacks
+* for Anthropic. Returns `null` when nothing is set — caller decides
+* how to surface the failure.
+*/
+function resolveAuth(provider, apiKeyEnv) {
+	const direct = process.env[apiKeyEnv];
+	if (direct) return {
+		token: direct,
+		kind: provider === "anthropic" && direct.startsWith("sk-ant-oat") ? "oauth" : "api-key",
+		sourceEnv: apiKeyEnv
+	};
+	if (provider === "anthropic") for (const name of ANTHROPIC_OAUTH_ENVS) {
+		const v = process.env[name];
+		if (v) return {
+			token: v,
+			kind: v.startsWith("sk-ant-oat") ? "oauth" : "api-key",
+			sourceEnv: name
+		};
+	}
+	return null;
+}
+/**
+* Generate an example value per key. Returns a Map keyed by env-var
+* name. Keys without a usable AI response fall back to an empty string
+* so the template still serializes cleanly.
+*
+* `context` is an optional per-key hint the renderer can supply (e.g.
+* the trailing comment from the source line, or the comment block
+* directly above) to anchor the generation.
+*/
+async function generateExamples(keys, opts = {}) {
+	if (keys.length === 0) return /* @__PURE__ */ new Map();
+	const provider = opts.provider ?? "anthropic";
+	const apiKeyEnv = opts.apiKeyEnv ?? (provider === "anthropic" ? "ANTHROPIC_API_KEY" : "OPENAI_API_KEY");
+	const auth = resolveAuth(provider, apiKeyEnv);
+	if (!auth) throw new AiError(`${apiKeyEnv} not set in process.env (load it from your .env, or export it). For Anthropic, ${ANTHROPIC_OAUTH_ENVS.join(" / ")} are also accepted.`);
+	const model = opts.model ?? (provider === "anthropic" ? "claude-haiku-4-5-20251001" : "gpt-4o-mini");
+	const prompt = buildPrompt(keys);
+	return parseResponse(provider === "anthropic" ? await callAnthropic({
+		auth,
+		model,
+		prompt,
+		baseUrl: opts.baseUrl
+	}) : await callOpenAi({
+		apiKey: auth.token,
+		model,
+		prompt,
+		baseUrl: opts.baseUrl
+	}), keys.map((k) => k.name));
+}
+function buildPrompt(keys) {
+	return [
+		"You are generating placeholder values for a `.env.example` file.",
+		"Each value should be a realistic-looking but obviously-fake example a developer can copy and replace.",
+		"",
+		"Rules:",
+		"- Output JSON only, no prose, no code fences. A single object mapping each key (verbatim) to its example string value.",
+		"- Use shape that matches the key name: URLs for *_URL, ports for PORT/*_PORT, booleans (`true`/`false`) for IS_*/HAS_*/ENABLE_*, hex/base64-ish strings for *_KEY/*_TOKEN/*_SECRET, integers for *_COUNT/*_LIMIT, log levels for LOG_LEVEL, etc.",
+		"- Never use a real-looking secret. Prefix sensitive-looking values with `your-` or end with `-here` so reviewers see them as placeholders.",
+		"- Keep each value short — under 60 chars unless a JWT or URL forces it.",
+		"- If a hint is given in parentheses after a key, use it as context.",
+		"",
+		"Keys:",
+		keys.map((k) => k.hint && k.hint.length > 0 ? `- ${k.name} (${k.hint.trim()})` : `- ${k.name}`).join("\n"),
+		"",
+		"Return JSON object:"
+	].join("\n");
+}
+/**
+* Parse the AI's JSON response. Tolerant of code fences, leading prose,
+* trailing junk — extracts the first {…} block and JSON.parses it. Any
+* key missing from the parsed object is omitted from the result map
+* (caller falls back to an empty value).
+*/
+function parseResponse(text, expectedKeys) {
+	const fenced = /```(?:json)?\s*([\s\S]*?)```/.exec(text);
+	const candidate = fenced ? fenced[1] : text;
+	const start = candidate.indexOf("{");
+	const end = candidate.lastIndexOf("}");
+	if (start === -1 || end === -1 || end <= start) throw new AiError(`AI returned no JSON object: ${text.slice(0, 200)}`);
+	const slice = candidate.slice(start, end + 1);
+	let parsed;
+	try {
+		parsed = JSON.parse(slice);
+	} catch (e) {
+		throw new AiError(`AI returned invalid JSON: ${e.message} — ${slice.slice(0, 200)}`);
+	}
+	if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) throw new AiError("AI returned a non-object payload");
+	const out = /* @__PURE__ */ new Map();
+	const obj = parsed;
+	for (const k of expectedKeys) {
+		const v = obj[k];
+		if (typeof v === "string") out.set(k, v);
+		else if (typeof v === "number" || typeof v === "boolean") out.set(k, String(v));
+	}
+	return out;
+}
+async function fetchWithTimeout(url, init, ms) {
+	const ctrl = new AbortController();
+	const timer = setTimeout(() => ctrl.abort(), ms);
+	try {
+		return await fetch(url, {
+			...init,
+			signal: ctrl.signal
+		});
+	} catch (err) {
+		if (err.name === "AbortError") throw new AiError(`request timed out after ${ms}ms (${url})`);
+		throw err;
+	} finally {
+		clearTimeout(timer);
+	}
+}
+async function callAnthropic(opts) {
+	const base = opts.baseUrl ?? ANTHROPIC_DEFAULT_BASE;
+	const headers = {
+		"content-type": "application/json",
+		"anthropic-version": "2023-06-01"
+	};
+	if (opts.auth.kind === "oauth") {
+		headers.authorization = `Bearer ${opts.auth.token}`;
+		headers["anthropic-beta"] = ANTHROPIC_OAUTH_BETA;
+	} else headers["x-api-key"] = opts.auth.token;
+	const res = await fetchWithTimeout(`${base}/v1/messages`, {
+		method: "POST",
+		headers,
+		body: JSON.stringify({
+			model: opts.model,
+			max_tokens: 2048,
+			messages: [{
+				role: "user",
+				content: opts.prompt
+			}]
+		})
+	}, REQUEST_TIMEOUT_MS);
+	if (!res.ok) throw new AiError(`anthropic ${res.status}: ${await res.text()}`);
+	const block = (await res.json()).content?.find((b) => b.type === "text");
+	if (!block?.text) throw new AiError("anthropic returned no text content");
+	return block.text;
+}
+async function callOpenAi(opts) {
+	const res = await fetchWithTimeout(`${opts.baseUrl ?? OPENAI_DEFAULT_BASE}/chat/completions`, {
+		method: "POST",
+		headers: {
+			"content-type": "application/json",
+			authorization: `Bearer ${opts.apiKey}`
+		},
+		body: JSON.stringify({
+			model: opts.model,
+			messages: [{
+				role: "user",
+				content: opts.prompt
+			}],
+			temperature: .2
+		})
+	}, REQUEST_TIMEOUT_MS);
+	if (!res.ok) throw new AiError(`openai ${res.status}: ${await res.text()}`);
+	const text = (await res.json()).choices?.[0]?.message?.content;
+	if (!text) throw new AiError("openai returned no text content");
+	return text;
+}
+//#endregion
 //#region src/commands/template.ts
 /**
 * Generate (or check) a stripped `.env.example` from one or more real
-* env files. Values are removed; keys, declaration order, comments,
-* and blank lines are preserved so the example file stays readable.
+* env files. The output mirrors the source files' organization —
+* comments, blank lines, and declaration order are preserved verbatim.
+* Values are stripped (or replaced with AI-generated placeholders when
+* `--ai` is set). The encryption banner block (`#/-----[ENVX_PUBLIC_KEY]…`)
+* and the `*PUBLIC_KEY*` kv lines themselves are dropped — the example
+* file should be encryption-agnostic.
 *
 * Three modes:
 *   - default:  write the rendered template to --out (default `.env.example`)
@@ -1087,17 +1327,27 @@ var templateCommand = {
 		type: "boolean",
 		default: false,
 		describe: "Compare the rendered template against the on-disk file; exit 1 on drift. Use this in CI."
-	}).option("annotate", {
+	}).option("ai", {
 		type: "boolean",
-		default: true,
-		describe: "Prefix each KEY= with a `# from <source-file>` comment so reviewers can see where each key came from."
+		default: false,
+		describe: "Use Claude (or OpenAI) to generate realistic-looking placeholder values for each key. Reads ANTHROPIC_API_KEY (or OPENAI_API_KEY) from your loaded env files. Non-deterministic — usually paired with manual review, not --check."
+	}).option("ai-provider", {
+		type: "string",
+		choices: ["anthropic", "openai"],
+		default: "anthropic",
+		describe: "Which AI provider --ai uses. Default: anthropic."
+	}).option("ai-model", {
+		type: "string",
+		describe: "Override the AI model. Defaults: claude-haiku-4-5-20251001 (anthropic), gpt-4o-mini (openai)."
 	}),
-	handler: (argv) => {
+	handler: async (argv) => {
 		const cfg = argv["__envxConfig"] ?? {};
 		const outArg = argv["out"];
 		const useStdout = argv["stdout"];
 		const check = argv["check"];
-		const annotate = argv["annotate"];
+		const useAi = argv["ai"];
+		const aiProvider = argv["ai-provider"];
+		const aiModel = argv["ai-model"];
 		const paths = resolveEnvPaths({
 			...argv["env"] !== void 0 ? { envFiles: argv["env"] } : {},
 			...argv["cascade"] !== void 0 ? { cascade: argv["cascade"] } : {},
@@ -1110,7 +1360,32 @@ var templateCommand = {
 			log.error("no env files found to template from");
 			process.exit(1);
 		}
-		const rendered = renderTemplate(existing, { annotate });
+		let aiValues = /* @__PURE__ */ new Map();
+		if (useAi) {
+			try {
+				loadEnv({
+					envFiles: existing,
+					quiet: true
+				});
+			} catch (e) {
+				log.error(`--ai: failed to load env for API-key lookup: ${e.message}`);
+				process.exit(1);
+			}
+			const keys = collectKeys(existing);
+			if (keys.length === 0) log.warn("--ai: no keys to generate examples for");
+			else try {
+				aiValues = await generateExamples(keys, {
+					provider: aiProvider,
+					...aiModel !== void 0 ? { model: aiModel } : {}
+				});
+				log.info(`--ai: generated ${aiValues.size}/${keys.length} example value(s)`);
+			} catch (e) {
+				if (e instanceof AiError) log.error(e.message);
+				else log.error(`--ai: ${e.message}`);
+				process.exit(1);
+			}
+		}
+		const rendered = renderTemplate(existing, { aiValues });
 		if (useStdout) {
 			process.stdout.write(rendered);
 			return;
@@ -1129,32 +1404,100 @@ var templateCommand = {
 		log.success(`wrote template: ${outPath} (${countKeys(rendered)} key(s))`);
 	}
 };
+/**
+* Render the template by walking each source file in order. Comments,
+* blank lines, and declaration order are preserved verbatim. A kv line
+* becomes `KEY=` (or `KEY=<ai-value>` when `--ai` populated `aiValues`).
+*
+* Two filters apply to every line, in this order:
+*   1. The encryption banner block — any line starting with `#/` (e.g.
+*      `#/-------------------[ENVX_PUBLIC_KEY]------------------/`).
+*      The full 4-line banner is dropped.
+*   2. Public-key kv lines — `ENVX_PUBLIC_KEY*` and the legacy
+*      `DOTENV_PUBLIC_KEY*`. They're committed alongside encrypted
+*      values, but `.env.example` is meant to be encryption-agnostic.
+*
+* Multi-file dedup: when a key appears in more than one source file,
+* only the first occurrence's line is emitted. Subsequent files'
+* comments and blank lines still pass through (so the per-file
+* structure stays visible), but their kv duplicates are skipped.
+*/
 function renderTemplate(files, opts) {
 	const seen = /* @__PURE__ */ new Set();
 	const out = [];
 	out.push("# Generated by `envx template` — do not edit by hand.");
 	out.push("# Run `envx template` to regenerate, or `envx template --check` in CI.");
 	out.push("");
-	for (const file of files) {
+	for (let i = 0; i < files.length; i += 1) {
+		const file = files[i];
 		const display = path.relative(process.cwd(), file) || file;
 		const lines = parseEnv(fs.readFileSync(file, "utf8"));
-		const localKeys = [];
+		if (files.length > 1) out.push(`# ── ${display} ─────────────────────────────────`);
+		appendFile(out, lines, seen, opts.aiValues);
+		if (i < files.length - 1 && (out.length === 0 || out[out.length - 1] !== "")) out.push("");
+	}
+	return out.join("\n");
+}
+function appendFile(out, lines, seen, aiValues) {
+	for (const ln of lines) {
+		if (ln.type === "raw") {
+			if (isBannerLine(ln.raw)) continue;
+			out.push(ln.raw);
+			continue;
+		}
+		if (isPublicKeyName(ln.key)) continue;
+		if (seen.has(ln.key)) continue;
+		seen.add(ln.key);
+		const aiValue = aiValues.get(ln.key);
+		if (aiValue !== void 0 && aiValue !== "") {
+			const quoted = /[\s#'"\\$&;|<>(){}]/.test(aiValue) ? `"${aiValue.replace(/\\/g, "\\\\").replace(/"/g, "\\\"")}"` : aiValue;
+			out.push(`${ln.key}=${quoted}`);
+		} else out.push(`${ln.key}=`);
+	}
+}
+/**
+* Banner lines emitted by `envx encrypt` start with `#/`. Be permissive:
+* any comment beginning with that two-char prefix is treated as banner
+* decoration. Real user comments use `#` (with or without a space).
+*/
+function isBannerLine(raw) {
+	return /^\s*#\//.test(raw);
+}
+/**
+* `ENVX_PUBLIC_KEY*` is the canonical public-key var; `DOTENV_PUBLIC_KEY*`
+* is the upstream-dotenvx-compat variant envx also reads. Both are an
+* artifact of encryption, never user-meaningful — drop from `.env.example`.
+*/
+function isPublicKeyName(name) {
+	return /^(ENVX|DOTENV)_PUBLIC_KEY/.test(name);
+}
+/**
+* Collect every unique kv key (in declaration order) across the source
+* files, skipping the encryption-banner public-key vars. Used to feed
+* `--ai` exactly the keys that will appear in the rendered template.
+*
+* Each entry includes a `hint` derived from the kv line's trailing
+* comment (e.g. `# database connection string`) — the AI prompt uses
+* the hint to anchor the example value.
+*/
+function collectKeys(files) {
+	const seen = /* @__PURE__ */ new Set();
+	const out = [];
+	for (const file of files) {
+		const lines = parseEnv(fs.readFileSync(file, "utf8"));
 		for (const ln of lines) {
 			if (ln.type !== "kv") continue;
+			if (isPublicKeyName(ln.key)) continue;
 			if (seen.has(ln.key)) continue;
 			seen.add(ln.key);
-			localKeys.push(ln);
-		}
-		if (localKeys.length === 0) continue;
-		out.push(`# ── ${display} ─────────────────────────────────`);
-		for (const ln of localKeys) {
-			if (ln.type !== "kv") continue;
-			if (opts.annotate) out.push(`# from ${display}`);
-			out.push(`${ln.key}=`);
-			out.push("");
+			const hint = ln.trailing.replace(/^\s*#\s*/, "").trim();
+			out.push(hint.length > 0 ? {
+				name: ln.key,
+				hint
+			} : { name: ln.key });
 		}
 	}
-	return out.join("\n");
+	return out;
 }
 function countKeys(rendered) {
 	return rendered.split("\n").filter((l) => /^[A-Za-z_][A-Za-z0-9_]*=/.test(l)).length;
@@ -1499,4 +1842,4 @@ function createCli(argvInput) {
 //#endregion
 export { createCli as t };
 
-//# sourceMappingURL=commands-Cg8YMJHj.js.map
+//# sourceMappingURL=commands-B70xh15E.js.map