npm - @yhonda/gcloud-secrets - Versions diffs - 2.0.12 → 3.0.0 - Mend

@yhonda/gcloud-secrets 2.0.12 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cli.js CHANGED Viewed

@@ -1,24 +1,32 @@
 #!/usr/bin/env node
-import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
 import { readFileSync, writeFileSync, existsSync, readdirSync, lstatSync, mkdirSync, chmodSync, rmSync } from "fs";
 import { createHash } from "crypto";
 import { basename, join, dirname, resolve } from "path";
 import { homedir } from "os";
-import { execSync } from "child_process";
-// SDK クライアント初期化
-const client = new SecretManagerServiceClient();
-// 引数パース (--env / -e オプション抽出)
+import { execSync, execFileSync } from "child_process";
+import { createServer } from "http";
+import { google } from "googleapis";
+import { Readable } from "stream";
+// ============================================================
+// 引数パース
+// ============================================================
 function parseArgs(args) {
-  const result = { positional: [], env: null };
+  const result = { positional: [], env: null, ageKey: null, agePub: null, clientId: null, clientSecret: null };
   for (let i = 0; i < args.length; i++) {
     if (args[i] === '--env' || args[i] === '-e') {
-      result.env = args[i + 1];
-      i++;
+      result.env = args[i + 1]; i++;
     } else if (args[i].startsWith('--env=')) {
       result.env = args[i].split('=')[1];
+    } else if (args[i] === '--age-key') {
+      result.ageKey = args[i + 1]; i++;
+    } else if (args[i] === '--age-pub') {
+      result.agePub = args[i + 1]; i++;
+    } else if (args[i] === '--client-id') {
+      result.clientId = args[i + 1]; i++;
+    } else if (args[i] === '--client-secret') {
+      result.clientSecret = args[i + 1]; i++;
     } else {
       result.positional.push(args[i]);
     }
@@ -26,75 +34,312 @@ function parseArgs(args) {
   return result;
 }
-// 設定読み込み
+// ============================================================
+// 設定
+// ============================================================
 function getConfig() {
   const configFile = `${homedir()}/.secrets-manager.conf`;
   const config = {
-    centralProject: process.env.SECRETS_CENTRAL_PROJECT || "",
-    defaultEnvironment: process.env.DEFAULT_ENVIRONMENT || "dev"
+    driveFolderId: process.env.DRIVE_FOLDER_ID || "",
+    defaultEnvironment: process.env.DEFAULT_ENVIRONMENT || "dev",
+    agePublicKey: process.env.AGE_PUBLIC_KEY || "",
+    ageKeyPath: process.env.AGE_KEY_PATH || join(homedir(), ".age", "key.txt"),
+    googleClientId: process.env.GOOGLE_CLIENT_ID || "",
+    googleClientSecret: process.env.GOOGLE_CLIENT_SECRET || "",
   };
   if (existsSync(configFile)) {
     const content = readFileSync(configFile, "utf-8");
-    const projectMatch = content.match(/SECRETS_CENTRAL_PROJECT=(.+)/);
-    if (projectMatch) {
-      config.centralProject = projectMatch[1].trim();
-    }
-    const envMatch = content.match(/DEFAULT_ENVIRONMENT=(.+)/);
-    if (envMatch) {
-      config.defaultEnvironment = envMatch[1].trim();
+    for (const [envKey, configKey] of [
+      ['DRIVE_FOLDER_ID', 'driveFolderId'],
+      ['DEFAULT_ENVIRONMENT', 'defaultEnvironment'],
+      ['AGE_PUBLIC_KEY', 'agePublicKey'],
+      ['AGE_KEY_PATH', 'ageKeyPath'],
+      ['GOOGLE_CLIENT_ID', 'googleClientId'],
+      ['GOOGLE_CLIENT_SECRET', 'googleClientSecret'],
+    ]) {
+      const match = content.match(new RegExp(`^${envKey}=(.+)$`, 'm'));
+      if (match) config[configKey] = match[1].trim();
     }
   }
   return config;
 }
-// シークレット名生成 (環境対応)
-function makeSecretName(folder, key, env = null) {
-  if (env) {
-    return `${folder}_${env}_${key}`;
+function writeConfig(values) {
+  const configFile = `${homedir()}/.secrets-manager.conf`;
+  const lines = [];
+  for (const [key, value] of Object.entries(values)) {
+    if (value) lines.push(`${key}=${value}`);
+  }
+  writeFileSync(configFile, lines.join('\n') + '\n');
+}
+// ============================================================
+// age ヘルパー
+// ============================================================
+function checkAgeInstalled() {
+  try {
+    execFileSync('age', ['--version'], { stdio: 'ignore' });
+  } catch {
+    console.error('エラー: age がインストールされていません');
+    console.error('インストール: sudo apt install age (Linux) / brew install age (macOS)');
+    process.exit(1);
   }
-  return `${folder}_${key}`;
 }
-// シークレット名からキーと環境を抽出
-function getKeyFromSecret(secretName, folderName) {
-  const prefix = folderName + "_";
-  if (!secretName.startsWith(prefix)) {
-    return { key: secretName, env: null };
+function ageEncrypt(plaintext, publicKey) {
+  return execFileSync('age', ['-r', publicKey], { input: Buffer.from(plaintext) });
+}
+function ageDecrypt(ciphertext, keyPath) {
+  return execFileSync('age', ['-d', '-i', keyPath], { input: ciphertext, encoding: 'utf-8' });
+}
+function getAgePublicKeyFromFile(keyPath) {
+  const content = readFileSync(keyPath, 'utf-8');
+  const match = content.match(/# public key: (age1[a-z0-9]+)/);
+  if (match) return match[1];
+  throw new Error('age 公開鍵が見つかりません: ' + keyPath);
+}
+// ============================================================
+// OAuth2 認証
+// ============================================================
+const OAUTH_REDIRECT_PORT = 3456;
+const OAUTH_REDIRECT_URI = `http://localhost:${OAUTH_REDIRECT_PORT}/callback`;
+const OAUTH_SCOPES = ['https://www.googleapis.com/auth/drive'];
+function getTokenPath() {
+  return join(homedir(), '.secrets-manager-oauth.json');
+}
+async function getAuthClient(config) {
+  if (!config.googleClientId || !config.googleClientSecret) {
+    console.error('エラー: Google OAuth クライアント ID/Secret が設定されていません');
+    console.error('init コマンドで --client-id と --client-secret を指定してください');
+    process.exit(1);
   }
-  const rest = secretName.slice(prefix.length);
-  const parts = rest.split("_");
-  // 2つ以上のパートがあり、最初がアルファベット小文字のみなら環境名と判断
-  if (parts.length >= 2 && /^[a-z]+$/.test(parts[0])) {
-    return { key: parts.slice(1).join("_"), env: parts[0] };
+  const oauth2Client = new google.auth.OAuth2(
+    config.googleClientId,
+    config.googleClientSecret,
+    OAUTH_REDIRECT_URI
+  );
+  const tokenPath = getTokenPath();
+  if (existsSync(tokenPath)) {
+    const tokens = JSON.parse(readFileSync(tokenPath, 'utf-8'));
+    oauth2Client.setCredentials(tokens);
+    oauth2Client.on('tokens', (newTokens) => {
+      try {
+        const saved = JSON.parse(readFileSync(tokenPath, 'utf-8'));
+        writeFileSync(tokenPath, JSON.stringify({ ...saved, ...newTokens }, null, 2));
+      } catch { }
+    });
+    return oauth2Client;
+  }
+  // 初回認証フロー
+  const authUrl = oauth2Client.generateAuthUrl({
+    access_type: 'offline',
+    scope: OAUTH_SCOPES,
+    prompt: 'consent',
+  });
+  console.log('ブラウザで認証を行います...');
+  try {
+    const openCmd = process.platform === 'darwin' ? 'open' : 'xdg-open';
+    execSync(`${openCmd} "${authUrl}"`, { stdio: 'ignore' });
+  } catch {
+    console.log(`以下のURLをブラウザで開いてください:\n${authUrl}`);
   }
-  return { key: rest, env: null };
+  const code = await new Promise((resolve, reject) => {
+    const server = createServer((req, res) => {
+      const url = new URL(req.url, `http://localhost:${OAUTH_REDIRECT_PORT}`);
+      const authCode = url.searchParams.get('code');
+      const error = url.searchParams.get('error');
+      if (error) {
+        res.end('認証がキャンセルされました。');
+        server.close();
+        reject(new Error(`OAuth error: ${error}`));
+        return;
+      }
+      if (authCode) {
+        res.end('認証完了！このタブを閉じてください。');
+        server.close();
+        resolve(authCode);
+      }
+    });
+    server.listen(OAUTH_REDIRECT_PORT, () => {
+      console.log(`認証待機中... (localhost:${OAUTH_REDIRECT_PORT})`);
+    });
+  });
+  const { tokens } = await oauth2Client.getToken(code);
+  oauth2Client.setCredentials(tokens);
+  writeFileSync(tokenPath, JSON.stringify(tokens, null, 2));
+  console.log('認証完了');
+  oauth2Client.on('tokens', (newTokens) => {
+    try {
+      const saved = JSON.parse(readFileSync(tokenPath, 'utf-8'));
+      writeFileSync(tokenPath, JSON.stringify({ ...saved, ...newTokens }, null, 2));
+    } catch { }
+  });
+  return oauth2Client;
+}
+async function getDriveClient(config) {
+  const auth = await getAuthClient(config);
+  return google.drive({ version: 'v3', auth });
+}
+// ============================================================
+// Drive ヘルパー
+// ============================================================
+function escapeQuery(str) {
+  return str.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
 }
-// フォルダ名を正規化 (camelCase → kebab-case)
+async function listDriveFolders(drive, rootFolderId) {
+  const res = await drive.files.list({
+    q: `'${escapeQuery(rootFolderId)}' in parents and mimeType = 'application/vnd.google-apps.folder' and trashed = false`,
+    fields: 'files(id, name)',
+    pageSize: 1000,
+  });
+  return res.data.files || [];
+}
+async function findFolder(drive, parentId, folderName) {
+  const res = await drive.files.list({
+    q: `'${escapeQuery(parentId)}' in parents and name = '${escapeQuery(folderName)}' and mimeType = 'application/vnd.google-apps.folder' and trashed = false`,
+    fields: 'files(id, name)',
+    pageSize: 1,
+  });
+  return (res.data.files || [])[0] || null;
+}
+async function getOrCreateFolder(drive, parentId, folderName) {
+  const existing = await findFolder(drive, parentId, folderName);
+  if (existing) return existing;
+  const res = await drive.files.create({
+    requestBody: {
+      name: folderName,
+      mimeType: 'application/vnd.google-apps.folder',
+      parents: [parentId],
+    },
+    fields: 'id, name',
+  });
+  return res.data;
+}
+async function findEnvAgeFile(drive, parentFolderId, env) {
+  const fileName = `${env}.env.age`;
+  const res = await drive.files.list({
+    q: `'${escapeQuery(parentFolderId)}' in parents and name = '${escapeQuery(fileName)}' and trashed = false`,
+    fields: 'files(id, name)',
+    pageSize: 1,
+  });
+  return (res.data.files || [])[0] || null;
+}
+async function listEnvAgeFiles(drive, parentFolderId) {
+  const res = await drive.files.list({
+    q: `'${escapeQuery(parentFolderId)}' in parents and name contains '.env.age' and trashed = false`,
+    fields: 'files(id, name)',
+    pageSize: 1000,
+  });
+  return res.data.files || [];
+}
+async function downloadFile(drive, fileId) {
+  const res = await drive.files.get({
+    fileId,
+    alt: 'media',
+  }, { responseType: 'arraybuffer' });
+  return Buffer.from(res.data);
+}
+async function uploadFile(drive, parentFolderId, fileName, content) {
+  const res = await drive.files.list({
+    q: `'${escapeQuery(parentFolderId)}' in parents and name = '${escapeQuery(fileName)}' and trashed = false`,
+    fields: 'files(id)',
+    pageSize: 1,
+  });
+  const existing = (res.data.files || [])[0];
+  if (existing) {
+    await drive.files.update({
+      fileId: existing.id,
+      media: {
+        mimeType: 'application/octet-stream',
+        body: Readable.from(content),
+      },
+    });
+    return existing.id;
+  } else {
+    const created = await drive.files.create({
+      requestBody: {
+        name: fileName,
+        parents: [parentFolderId],
+      },
+      media: {
+        mimeType: 'application/octet-stream',
+        body: Readable.from(content),
+      },
+      fields: 'id',
+    });
+    return created.data.id;
+  }
+}
+async function listAllEnvFiles(drive, rootFolderId) {
+  const folders = await listDriveFolders(drive, rootFolderId);
+  const result = [];
+  await Promise.all(folders.map(async (folder) => {
+    const files = await listEnvAgeFiles(drive, folder.id);
+    for (const file of files) {
+      const envMatch = file.name.match(/^(.+)\.env\.age$/);
+      if (envMatch) {
+        result.push({
+          fileId: file.id,
+          fileName: file.name,
+          folder: folder.name,
+          folderId: folder.id,
+          env: envMatch[1],
+        });
+      }
+    }
+  }));
+  return result;
+}
+// ============================================================
+// ユーティリティ (変更なし)
+// ============================================================
 function normalizeFolder(name) {
   return name
-    .replace(/([a-z])([A-Z])/g, '$1-$2')  // camelCase → kebab-case
+    .replace(/([a-z])([A-Z])/g, '$1-$2')
     .toLowerCase()
     .replace(/[^a-z0-9_-]/g, '-');
 }
-// Git リポジトリを再帰的に検索
 function findGitRepositories(basePath, maxDepth = 5, currentDepth = 0) {
   const repos = [];
   if (currentDepth > maxDepth) return repos;
   try {
     const entries = readdirSync(basePath, { withFileTypes: true });
     for (const entry of entries) {
       if (!entry.isDirectory()) continue;
       if (entry.name.startsWith('.') && entry.name !== '.git') continue;
       if (entry.name === 'node_modules') continue;
       const fullPath = join(basePath, entry.name);
-      try {
-        if (lstatSync(fullPath).isSymbolicLink()) continue;
-      } catch { continue; }
+      try { if (lstatSync(fullPath).isSymbolicLink()) continue; } catch { continue; }
       if (entry.name === '.git') {
         repos.push(dirname(fullPath));
       } else {
@@ -105,7 +350,6 @@ function findGitRepositories(basePath, maxDepth = 5, currentDepth = 0) {
   return repos;
 }
-// .env ファイルを検索
 function findEnvFiles(repoPath) {
   const envFiles = [];
   for (const filename of ['.env', '.dev.vars', '.env.local', '.env.production']) {
@@ -122,7 +366,6 @@ function findEnvFiles(repoPath) {
   return envFiles;
 }
-// .env ファイルをパース
 function parseEnvFile(content) {
   const entries = [];
   const multilineRegex = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*`([\s\S]*?)`/gm;
@@ -142,7 +385,6 @@ function parseEnvFile(content) {
   return entries;
 }
-// 値の比較
 function compareValues(a, b) {
   return a.trim().replace(/\r\n/g, '\n') === b.trim().replace(/\r\n/g, '\n');
 }
@@ -168,14 +410,16 @@ function hashContent(content) {
   return createHash('md5').update(content).digest('hex');
 }
-// CLI モード
+// ============================================================
+// CLI メイン
+// ============================================================
 async function runCli(args) {
   const parsed = parseArgs(args);
   const command = parsed.positional[0];
   const config = getConfig();
   const targetEnv = parsed.env || config.defaultEnvironment;
-  if (!config.centralProject && command !== "init" && command !== "pre-commit" && command !== "hook") {
+  if (!config.driveFolderId && command && command !== "init" && command !== "pre-commit" && command !== "hook") {
     console.error("エラー: 先に init を実行してください");
     process.exit(1);
   }
@@ -183,87 +427,155 @@ async function runCli(args) {
   try {
     switch (command) {
       case "init": {
-        const projectId = parsed.positional[1];
+        const driveFolderId = parsed.positional[1];
         const defaultEnv = parsed.env || "dev";
-        if (!projectId) {
-          console.error("使い方: gcloud-secrets init <project-id> [--env <default-env>]");
+        const clientId = parsed.clientId || config.googleClientId;
+        const clientSecret = parsed.clientSecret || config.googleClientSecret;
+        if (!clientId || !clientSecret) {
+          console.error("使い方: gcloud-secrets init [drive-folder-id] --client-id <id> --client-secret <secret> [--env <default>] [--age-pub <key>] [--age-key <path>]");
           process.exit(1);
         }
-        const configFile = `${homedir()}/.secrets-manager.conf`;
-        const configContent = `SECRETS_CENTRAL_PROJECT=${projectId}\nDEFAULT_ENVIRONMENT=${defaultEnv}\n`;
-        writeFileSync(configFile, configContent);
-        console.log(`設定完了: ${projectId} (デフォルト環境: ${defaultEnv})`);
+        // age チェック
+        checkAgeInstalled();
+        // age 鍵の設定
+        let ageKeyPath = parsed.ageKey || config.ageKeyPath;
+        let agePublicKey = parsed.agePub || config.agePublicKey;
+        if (!existsSync(ageKeyPath)) {
+          const ageDir = dirname(ageKeyPath);
+          if (!existsSync(ageDir)) mkdirSync(ageDir, { recursive: true });
+          console.log(`age 鍵を生成中: ${ageKeyPath}`);
+          execFileSync('age-keygen', ['-o', ageKeyPath]);
+        }
+        if (!agePublicKey) {
+          agePublicKey = getAgePublicKeyFromFile(ageKeyPath);
+        }
+        // OAuth 認証テスト
+        const tempConfig = { ...config, googleClientId: clientId, googleClientSecret: clientSecret };
+        const drive = await getDriveClient(tempConfig);
+        let folderId = driveFolderId;
+        if (!folderId) {
+          // ルートフォルダ作成
+          console.log('Drive にルートフォルダ "gcloud-secrets" を作成中...');
+          const res = await drive.files.create({
+            requestBody: {
+              name: 'gcloud-secrets',
+              mimeType: 'application/vnd.google-apps.folder',
+            },
+            fields: 'id, name',
+          });
+          folderId = res.data.id;
+          console.log(`フォルダ作成完了: ${res.data.name} (${folderId})`);
+        } else {
+          // 既存フォルダの検証
+          try {
+            const res = await drive.files.get({ fileId: folderId, fields: 'id, name' });
+            console.log(`Drive フォルダ確認: ${res.data.name} (${folderId})`);
+          } catch {
+            console.error(`エラー: Drive フォルダ ID "${folderId}" にアクセスできません`);
+            process.exit(1);
+          }
+        }
+        // 設定保存
+        writeConfig({
+          DRIVE_FOLDER_ID: folderId,
+          DEFAULT_ENVIRONMENT: defaultEnv,
+          AGE_PUBLIC_KEY: agePublicKey,
+          AGE_KEY_PATH: ageKeyPath,
+          GOOGLE_CLIENT_ID: clientId,
+          GOOGLE_CLIENT_SECRET: clientSecret,
+        });
+        console.log(`設定完了:
+  Drive フォルダ: ${folderId}
+  デフォルト環境: ${defaultEnv}
+  age 公開鍵: ${agePublicKey}
+  age 秘密鍵: ${ageKeyPath}`);
         break;
       }
       case "list": {
         const folder = parsed.positional[1];
-        const parent = `projects/${config.centralProject}`;
-        const [secrets] = await client.listSecrets({ parent });
+        const drive = await getDriveClient(config);
         if (!folder) {
-          // フォルダ一覧 (環境ごとにグループ化)
-          const folderEnvs = new Map();
-          for (const secret of secrets) {
-            const [secretData] = await client.getSecret({ name: secret.name });
-            if (secretData.labels?.folder) {
-              const f = secretData.labels.folder;
-              const e = secretData.labels?.environment || "(default)";
-              if (!folderEnvs.has(f)) folderEnvs.set(f, new Set());
-              folderEnvs.get(f).add(e);
-            }
+          // フォルダ一覧
+          const folders = await listDriveFolders(drive, config.driveFolderId);
+          if (folders.length === 0) {
+            console.log("シークレットが登録されていません");
+            break;
           }
           console.log("フォルダ一覧:");
-          for (const [f, envs] of folderEnvs) {
-            const envList = Array.from(envs).sort().join(', ');
-            console.log(`  ${f} [${envList}]`);
+          for (const f of folders) {
+            const files = await listEnvAgeFiles(drive, f.id);
+            const envs = files
+              .map(file => file.name.match(/^(.+)\.env\.age$/))
+              .filter(Boolean)
+              .map(m => m[1])
+              .sort();
+            console.log(`  ${f.name} [${envs.join(', ')}]`);
           }
         } else {
-          // 特定フォルダのシークレット一覧 (環境でフィルタ)
-          console.log(`${folder} (${targetEnv}) のシークレット:`);
-          for (const secret of secrets) {
-            const [secretData] = await client.getSecret({ name: secret.name });
-            const secretEnv = secretData.labels?.environment || null;
-            if (secretData.labels?.folder === folder && secretEnv === targetEnv) {
-              const { key } = getKeyFromSecret(secret.name.split("/").pop(), folder);
-              console.log(`  ${key}`);
-            }
+          // 特定フォルダのキー一覧
+          checkAgeInstalled();
+          const normalizedFolder = normalizeFolder(folder);
+          const folderObj = await findFolder(drive, config.driveFolderId, normalizedFolder);
+          if (!folderObj) {
+            console.error(`フォルダが見つかりません: ${normalizedFolder}`);
+            process.exit(1);
+          }
+          const file = await findEnvAgeFile(drive, folderObj.id, targetEnv);
+          if (!file) {
+            console.error(`${normalizedFolder} (${targetEnv}) にシークレットが見つかりません`);
+            break;
+          }
+          const encrypted = await downloadFile(drive, file.id);
+          const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+          const entries = parseEnvFile(decrypted);
+          console.log(`${normalizedFolder} (${targetEnv}) のシークレット:`);
+          for (const entry of entries) {
+            console.log(`  ${entry.key}`);
           }
         }
         break;
       }
       case "pull": {
+        checkAgeInstalled();
         const folder = normalizeFolder(parsed.positional[1] || basename(process.cwd()));
-        const parent = `projects/${config.centralProject}`;
-        const [secrets] = await client.listSecrets({ parent });
-        const envLines = [];
-        for (const secret of secrets) {
-          const [secretData] = await client.getSecret({ name: secret.name });
-          const secretEnv = secretData.labels?.environment || null;
-          if (secretData.labels?.folder === folder && secretEnv === targetEnv) {
-            const { key } = getKeyFromSecret(secret.name.split("/").pop(), folder);
-            const [version] = await client.accessSecretVersion({
-              name: `${secret.name}/versions/latest`,
-            });
-            const value = version.payload.data.toString("utf-8");
-            if (value.includes("\n")) {
-              envLines.push(`${key}=\`${value}\``);
-            } else {
-              envLines.push(`${key}=${value}`);
-            }
-          }
+        const drive = await getDriveClient(config);
+        const folderObj = await findFolder(drive, config.driveFolderId, folder);
+        if (!folderObj) {
+          console.error(`警告: ${folder} (${targetEnv}) にシークレットが見つかりません`);
+          break;
         }
-        if (envLines.length === 0) {
+        const file = await findEnvAgeFile(drive, folderObj.id, targetEnv);
+        if (!file) {
           console.error(`警告: ${folder} (${targetEnv}) にシークレットが見つかりません`);
-        } else {
-          console.log(envLines.join("\n"));
+          break;
         }
+        const encrypted = await downloadFile(drive, file.id);
+        const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+        console.log(decrypted.trimEnd());
         break;
       }
       case "push": {
+        checkAgeInstalled();
         const folder = normalizeFolder(parsed.positional[1] || basename(process.cwd()));
         const envFile = parsed.positional[2] || ".env";
@@ -273,67 +585,43 @@ async function runCli(args) {
         }
         const content = readFileSync(envFile, "utf-8");
-        const lines = content.split("\n");
-        const parent = `projects/${config.centralProject}`;
-        const labels = { folder, environment: targetEnv };
-        let count = 0;
-        for (const line of lines) {
-          if (!line.trim() || line.startsWith("#")) continue;
-          const match = line.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/i);
-          if (match) {
-            const [, key, value] = match;
-            const secretId = makeSecretName(folder, key, targetEnv);
-            const secretName = `${parent}/secrets/${secretId}`;
-            try {
-              await client.getSecret({ name: secretName });
-              // 既存シークレットのラベルも更新
-              await client.updateSecret({
-                secret: { name: secretName, labels },
-                updateMask: { paths: ['labels'] }
-              });
-              await client.addSecretVersion({
-                parent: secretName,
-                payload: { data: Buffer.from(value) },
-              });
-            } catch {
-              await client.createSecret({
-                parent,
-                secretId,
-                secret: { replication: { automatic: {} }, labels },
-              });
-              await client.addSecretVersion({
-                parent: secretName,
-                payload: { data: Buffer.from(value) },
-              });
-            }
-            count++;
-          }
+        const entries = parseEnvFile(content);
+        if (entries.length === 0) {
+          console.error("有効なシークレットが見つかりません");
+          process.exit(1);
         }
-        console.log(`${count} 件のシークレットをアップロードしました (${folder}/${targetEnv})`);
+        const drive = await getDriveClient(config);
+        const folderObj = await getOrCreateFolder(drive, config.driveFolderId, folder);
+        const encrypted = ageEncrypt(content, config.agePublicKey);
+        const fileName = `${targetEnv}.env.age`;
+        await uploadFile(drive, folderObj.id, fileName, encrypted);
+        console.log(`${entries.length} 件のシークレットをアップロードしました (${folder}/${targetEnv})`);
         break;
       }
       case "scan": {
+        checkAgeInstalled();
         const basePath = parsed.positional[1] || homedir();
-        const filterEnv = parsed.env; // null の場合は全環境を表示
+        const filterEnv = parsed.env;
         const repos = findGitRepositories(basePath, 5);
-        const parent = `projects/${config.centralProject}`;
-        const [allSecrets] = await client.listSecrets({ parent });
-        // フォルダ+環境ごとにグループ化
-        const secretsByFolderEnv = new Map();
-        for (const secret of allSecrets) {
-          const [secretData] = await client.getSecret({ name: secret.name });
-          const f = secretData.labels?.folder;
-          const e = secretData.labels?.environment || null;
-          if (f) {
-            const key = `${f}|${e || ''}`;
-            if (!secretsByFolderEnv.has(key)) secretsByFolderEnv.set(key, []);
-            secretsByFolderEnv.get(key).push({ secret, env: e });
-          }
-        }
+        const drive = await getDriveClient(config);
+        // リモートの全ファイルを取得
+        const remoteFiles = await listAllEnvFiles(drive, config.driveFolderId);
+        // リモートデータをダウンロード・復号（並列）
+        const remoteData = new Map(); // key: "folder|env" -> parsed entries
+        await Promise.all(remoteFiles.map(async (rf) => {
+          try {
+            const encrypted = await downloadFile(drive, rf.fileId);
+            const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+            const entries = parseEnvFile(decrypted);
+            remoteData.set(`${rf.folder}|${rf.env}`, entries);
+          } catch { }
+        }));
         const results = [];
         let syncedCount = 0, diffCount = 0, newCount = 0;
@@ -353,56 +641,52 @@ async function runCli(args) {
             const localEntries = parseEnvFile(content);
             if (localEntries.length === 0) continue;
-            // 環境フィルタがある場合はその環境のみ、なければ全環境をチェック
-            const envsToCheck = filterEnv ? [filterEnv] : [null, ...Array.from(new Set(
-              Array.from(secretsByFolderEnv.keys())
-                .filter(k => k.startsWith(normalizedFolder + '|'))
-                .map(k => k.split('|')[1])
-                .filter(Boolean)
-            ))];
+            // チェック対象の環境を決定
+            const envsToCheck = filterEnv
+              ? [filterEnv]
+              : [...new Set(
+                  Array.from(remoteData.keys())
+                    .filter(k => k.startsWith(normalizedFolder + '|'))
+                    .map(k => k.split('|')[1])
+                )];
+            if (envsToCheck.length === 0) {
+              results.push({ status: "NEW", repo: repoName, file: envFile.filename, env: filterEnv || "(default)", keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
+              newCount++;
+              continue;
+            }
             for (const checkEnv of envsToCheck) {
-              const mapKey = `${normalizedFolder}|${checkEnv || ''}`;
-              const folderSecrets = secretsByFolderEnv.get(mapKey) || [];
-              const envLabel = checkEnv || "(default)";
+              const mapKey = `${normalizedFolder}|${checkEnv}`;
+              const remoteEntries = remoteData.get(mapKey);
-              if (folderSecrets.length === 0) {
-                results.push({ status: "NEW", repo: repoName, file: envFile.filename, env: envLabel, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
+              if (!remoteEntries) {
+                results.push({ status: "NEW", repo: repoName, file: envFile.filename, env: checkEnv, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
                 newCount++;
                 continue;
               }
-              // リモート値取得・比較
+              // 比較
+              const remoteMap = new Map(remoteEntries.map(e => [e.key, e.value]));
               let hasDiff = false;
-              const remoteKeys = new Set();
-              const remoteValues = new Map();
-              for (const { secret } of folderSecrets) {
-                const { key } = getKeyFromSecret(secret.name.split('/').pop(), normalizedFolder);
-                remoteKeys.add(key);
-                try {
-                  const [version] = await client.accessSecretVersion({ name: `${secret.name}/versions/latest` });
-                  remoteValues.set(key, version.payload.data.toString('utf8'));
-                } catch { }
-              }
               for (const entry of localEntries) {
-                if (!remoteKeys.has(entry.key) || !compareValues(entry.value, remoteValues.get(entry.key) || '')) {
+                if (!remoteMap.has(entry.key) || !compareValues(entry.value, remoteMap.get(entry.key))) {
                   hasDiff = true;
                   break;
                 }
               }
               if (!hasDiff) {
-                for (const key of remoteKeys) {
-                  if (!localEntries.find(e => e.key === key)) { hasDiff = true; break; }
+                for (const re of remoteEntries) {
+                  if (!localEntries.find(e => e.key === re.key)) { hasDiff = true; break; }
                 }
               }
               if (hasDiff) {
-                results.push({ status: "DIFF", repo: repoName, file: envFile.filename, env: envLabel, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
+                results.push({ status: "DIFF", repo: repoName, file: envFile.filename, env: checkEnv, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
                 diffCount++;
               } else {
-                results.push({ status: "OK", repo: repoName, file: envFile.filename, env: envLabel, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
+                results.push({ status: "OK", repo: repoName, file: envFile.filename, env: checkEnv, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
                 syncedCount++;
               }
             }
@@ -410,7 +694,7 @@ async function runCli(args) {
         }
         const envSuffix = filterEnv ? ` (${filterEnv})` : "";
-        console.log(`=== Secret Manager 同期状況${envSuffix} ===\n`);
+        console.log(`=== シークレット同期状況${envSuffix} ===\n`);
         if (results.length === 0) {
           console.log(".env / .dev.vars ファイルが見つかりませんでした");
         } else {
@@ -432,7 +716,11 @@ async function runCli(args) {
       case "pre-commit": {
         // config なし → サイレント exit
-        if (!config.centralProject) process.exit(0);
+        if (!config.driveFolderId || !config.googleClientId) process.exit(0);
+        // OAuth トークンなし → サイレント exit (対話的認証を避ける)
+        if (!existsSync(getTokenPath())) process.exit(0);
+        // age なし → サイレント exit
+        try { execFileSync('age', ['--version'], { stdio: 'ignore' }); } catch { process.exit(0); }
         const cwd = process.cwd();
         const folder = normalizeFolder(basename(resolve(cwd)));
@@ -440,9 +728,11 @@ async function runCli(args) {
         if (envFiles.length === 0) process.exit(0);
         const cache = readCache();
-        const parent = `projects/${config.centralProject}`;
         let totalPushed = 0;
+        let drive;
+        try { drive = await getDriveClient(config); } catch { process.exit(0); }
         for (const envFile of envFiles) {
           let content;
           try { content = readFileSync(envFile.path, 'utf-8'); } catch { continue; }
@@ -460,78 +750,41 @@ async function runCli(args) {
           const localEntries = parseEnvFile(content);
           if (localEntries.length === 0) continue;
-          const labels = { folder, environment: targetEnv };
           try {
-            // フィルタ付き listSecrets (1 API コール、ラベル込み)
-            const filter = `labels.folder=${folder} AND labels.environment=${targetEnv}`;
-            const [remoteSecrets] = await client.listSecrets({ parent, filter });
-            // リモートキー → シークレット名マップ
-            const remoteMap = new Map();
-            for (const secret of remoteSecrets) {
-              const { key } = getKeyFromSecret(secret.name.split('/').pop(), folder);
-              remoteMap.set(key, secret.name);
-            }
-            // リモート値を並列取得
-            const remoteValues = new Map();
-            const keysToCompare = localEntries.filter(e => remoteMap.has(e.key));
-            if (keysToCompare.length > 0) {
-              const results = await Promise.all(
-                keysToCompare.map(async (entry) => {
-                  try {
-                    const [version] = await client.accessSecretVersion({
-                      name: `${remoteMap.get(entry.key)}/versions/latest`,
-                    });
-                    return { key: entry.key, value: version.payload.data.toString('utf-8') };
-                  } catch { return { key: entry.key, value: null }; }
-                })
-              );
-              for (const r of results) {
-                if (r.value !== null) remoteValues.set(r.key, r.value);
-              }
-            }
-            // 新規/変更キーを特定
-            const toPush = [];
-            for (const entry of localEntries) {
-              if (!remoteMap.has(entry.key)) {
-                toPush.push(entry);
-              } else if (!remoteValues.has(entry.key) || !compareValues(entry.value, remoteValues.get(entry.key))) {
-                toPush.push(entry);
+            // リモートファイルを取得して比較
+            const folderObj = await findFolder(drive, config.driveFolderId, folder);
+            let needsPush = true;
+            if (folderObj) {
+              const remoteFile = await findEnvAgeFile(drive, folderObj.id, targetEnv);
+              if (remoteFile) {
+                const encrypted = await downloadFile(drive, remoteFile.id);
+                const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+                const remoteEntries = parseEnvFile(decrypted);
+                const remoteMap = new Map(remoteEntries.map(e => [e.key, e.value]));
+                // 差分チェック
+                needsPush = false;
+                for (const entry of localEntries) {
+                  if (!remoteMap.has(entry.key) || !compareValues(entry.value, remoteMap.get(entry.key))) {
+                    needsPush = true;
+                    break;
+                  }
+                }
+                if (!needsPush) {
+                  for (const re of remoteEntries) {
+                    if (!localEntries.find(e => e.key === re.key)) { needsPush = true; break; }
+                  }
+                }
               }
             }
-            // push
-            if (toPush.length > 0) {
-              for (const entry of toPush) {
-                const secretId = makeSecretName(folder, entry.key, targetEnv);
-                const secretName = `${parent}/secrets/${secretId}`;
-                try {
-                  await client.getSecret({ name: secretName });
-                  await client.updateSecret({
-                    secret: { name: secretName, labels },
-                    updateMask: { paths: ['labels'] }
-                  });
-                  await client.addSecretVersion({
-                    parent: secretName,
-                    payload: { data: Buffer.from(entry.value) },
-                  });
-                } catch {
-                  await client.createSecret({
-                    parent,
-                    secretId,
-                    secret: { replication: { automatic: {} }, labels },
-                  });
-                  await client.addSecretVersion({
-                    parent: secretName,
-                    payload: { data: Buffer.from(entry.value) },
-                  });
-                }
-              }
-              console.log(`↑ ${envFile.filename}: ${toPush.length} secrets pushed (${folder}/${targetEnv})`);
-              totalPushed += toPush.length;
+            if (needsPush) {
+              const targetFolder = await getOrCreateFolder(drive, config.driveFolderId, folder);
+              const encryptedContent = ageEncrypt(content, config.agePublicKey);
+              await uploadFile(drive, targetFolder.id, `${targetEnv}.env.age`, encryptedContent);
+              console.log(`↑ ${envFile.filename}: pushed (${folder}/${targetEnv})`);
+              totalPushed++;
             } else {
               console.log(`✓ ${envFile.filename} synced`);
             }
@@ -559,42 +812,35 @@ async function runCli(args) {
           process.exit(1);
         }
+        checkAgeInstalled();
         const filterEnv = parsed.env;
-        const parent = `projects/${config.centralProject}`;
-        const [secrets] = await client.listSecrets({ parent });
+        const drive = await getDriveClient(config);
+        const allFiles = await listAllEnvFiles(drive, config.driveFolderId);
+        // 環境フィルタ
+        const targetFiles = filterEnv ? allFiles.filter(f => f.env === filterEnv) : allFiles;
         console.log(`Searching for: "${keyword}"`);
         if (filterEnv) console.log(`  環境: ${filterEnv}`);
-        console.log(`\nScanning ${secrets.length} secrets...\n`);
+        console.log(`\nScanning ${targetFiles.length} files...\n`);
         const results = await Promise.all(
-          secrets.map(async (secret) => {
+          targetFiles.map(async (rf) => {
             try {
-              const [secretData] = await client.getSecret({ name: secret.name });
-              const folder = secretData.labels?.folder;
-              const env = secretData.labels?.environment || "(default)";
-              // 環境フィルタ
-              if (filterEnv && secretData.labels?.environment !== filterEnv) return null;
-              // 値を取得してキーワード検索
-              const [version] = await client.accessSecretVersion({
-                name: `${secret.name}/versions/latest`,
-              });
-              const value = version.payload.data.toString("utf-8");
-              if (value.includes(keyword)) {
-                const { key } = getKeyFromSecret(secret.name.split("/").pop(), folder);
-                return { folder, env, key };
-              }
+              const encrypted = await downloadFile(drive, rf.fileId);
+              const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+              const entries = parseEnvFile(decrypted);
+              return entries
+                .filter(e => e.value.includes(keyword))
+                .map(e => ({ folder: rf.folder, env: rf.env, key: e.key }));
             } catch {
-              // バージョンがない場合はスキップ
+              return [];
             }
-            return null;
           })
         );
-        const matches = results.filter((r) => r !== null);
-        const folders = new Set(matches.map((m) => m.folder));
+        const matches = results.flat();
+        const folders = new Set(matches.map(m => m.folder));
         if (matches.length === 0) {
           console.log("No matches found");
@@ -607,6 +853,71 @@ async function runCli(args) {
         break;
       }
+      case "key": {
+        const subcommand = parsed.positional[1];
+        if (subcommand === "backup") {
+          checkAgeInstalled();
+          if (!existsSync(config.ageKeyPath)) {
+            console.error(`エラー: age 秘密鍵が見つかりません: ${config.ageKeyPath}`);
+            process.exit(1);
+          }
+          // gpg で暗号化
+          try { execFileSync('gpg', ['--version'], { stdio: 'ignore' }); } catch {
+            console.error('エラー: gpg がインストールされていません');
+            process.exit(1);
+          }
+          const tmpGpg = join(homedir(), '.age', 'age-key.gpg');
+          console.log('gpg パスワードを入力してください（復元時に必要）...');
+          execSync(`gpg --symmetric --cipher-algo AES256 -o "${tmpGpg}" "${config.ageKeyPath}"`, { stdio: 'inherit' });
+          // Drive にアップロード
+          const drive = await getDriveClient(config);
+          const gpgContent = readFileSync(tmpGpg);
+          await uploadFile(drive, config.driveFolderId, 'age-key.gpg', gpgContent);
+          rmSync(tmpGpg);
+          console.log('age 秘密鍵を暗号化して Drive にバックアップしました (age-key.gpg)');
+        } else if (subcommand === "restore") {
+          // Drive からダウンロード
+          const drive = await getDriveClient(config);
+          const res = await drive.files.list({
+            q: `'${escapeQuery(config.driveFolderId)}' in parents and name = 'age-key.gpg' and trashed = false`,
+            fields: 'files(id)',
+            pageSize: 1,
+          });
+          const file = (res.data.files || [])[0];
+          if (!file) {
+            console.error('エラー: Drive に age-key.gpg が見つかりません');
+            process.exit(1);
+          }
+          const gpgData = await downloadFile(drive, file.id);
+          const tmpGpg = join(homedir(), '.age', 'age-key.gpg');
+          const ageDir = dirname(config.ageKeyPath);
+          if (!existsSync(ageDir)) mkdirSync(ageDir, { recursive: true });
+          writeFileSync(tmpGpg, gpgData);
+          console.log('gpg パスワードを入力してください...');
+          execSync(`gpg --decrypt -o "${config.ageKeyPath}" "${tmpGpg}"`, { stdio: 'inherit' });
+          rmSync(tmpGpg);
+          // 公開鍵も表示
+          const pubKey = getAgePublicKeyFromFile(config.ageKeyPath);
+          console.log(`age 秘密鍵を復元しました: ${config.ageKeyPath}`);
+          console.log(`公開鍵: ${pubKey}`);
+        } else {
+          console.log(`使い方:
+  gcloud-secrets key backup     age 秘密鍵を gpg 暗号化して Drive にバックアップ
+  gcloud-secrets key restore    Drive から age 秘密鍵を復元`);
+        }
+        break;
+      }
       case "hook": {
         const subcommand = parsed.positional[1];
@@ -627,7 +938,7 @@ async function runCli(args) {
             if (hookType === 'pre-commit') {
               extraLogic = `
-# gcloud-secrets: auto-sync .env to Secret Manager
+# gcloud-secrets: auto-sync .env to Drive
 if command -v gcloud-secrets >/dev/null 2>&1; then
   gcloud-secrets pre-commit
 fi
@@ -690,18 +1001,21 @@ exit 0
       }
       default:
-        console.log(`gcloud-secrets - GCP Secret Manager CLI
+        console.log(`gcloud-secrets - シークレット管理 CLI (Google Drive + age 暗号化)
 使い方:
-  gcloud-secrets init <project-id> [--env <default>]  中央プロジェクトを設定
-  gcloud-secrets list [folder] [--env <env>]          一覧表示
-  gcloud-secrets pull [folder] [--env <env>]          シークレットを取得
-  gcloud-secrets push [folder] [file] [--env <env>]   シークレットをアップロード
-  gcloud-secrets scan [basePath] [--env <env>]        Git リポジトリの .env 同期状況をスキャン
-  gcloud-secrets search <keyword> [--env <env>]       値から逆引き検索
-  gcloud-secrets pre-commit                           .env 自動同期 (git hook 用)
-  gcloud-secrets hook install                         グローバル git hook インストール
-  gcloud-secrets hook uninstall                       グローバル git hook アンインストール
+  gcloud-secrets init [drive-folder-id] --client-id <id> --client-secret <secret> [--env <default>]
+                                                   初期設定 (OAuth + age 鍵 + Drive フォルダ)
+  gcloud-secrets list [folder] [--env <env>]       一覧表示
+  gcloud-secrets pull [folder] [--env <env>]       シークレットを取得
+  gcloud-secrets push [folder] [file] [--env <env>] シークレットをアップロード
+  gcloud-secrets scan [basePath] [--env <env>]     Git リポジトリの .env 同期状況をスキャン
+  gcloud-secrets search <keyword> [--env <env>]    値から逆引き検索
+  gcloud-secrets pre-commit                        .env 自動同期 (git hook 用)
+  gcloud-secrets key backup                        age 秘密鍵を暗号化して Drive にバックアップ
+  gcloud-secrets key restore                       Drive から age 秘密鍵を復元
+  gcloud-secrets hook install                      グローバル git hook インストール
+  gcloud-secrets hook uninstall                    グローバル git hook アンインストール
 オプション:
   --env, -e <env>  環境を指定 (dev, staging, prod など)

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@yhonda/gcloud-secrets",
-  "version": "2.0.12",
-  "description": "GCP Secret Manager を GitHub clone 風に管理する CLI ツール",
+  "version": "3.0.0",
+  "description": "Google Drive + age 暗号化でシークレットを管理する CLI ツール",
   "type": "module",
   "main": "cli.js",
   "bin": {
@@ -23,8 +23,9 @@
     "url": "git+https://github.com/yhonda-ohishi/gcloudSec.git"
   },
   "keywords": [
-    "gcp",
-    "secret-manager",
+    "google-drive",
+    "age-encryption",
+    "secrets",
     "env",
     "claude-code",
     "cli"
@@ -42,7 +43,7 @@
   },
   "homepage": "https://github.com/yhonda-ohishi/gcloudSec#readme",
   "dependencies": {
-    "@google-cloud/secret-manager": "^6.1.1"
+    "googleapis": "^144.0.0"
   },
   "devDependencies": {
     "husky": "^9.1.7"

package/skills/secrets.md CHANGED Viewed

@@ -1,14 +1,19 @@
 # Skill: secrets
-GCP Secret Manager を使って .env ファイルを管理するスキル
+Google Drive + age 暗号化でシークレットを管理するスキル
 ## コマンド一覧
 ### 初期化
 ```bash
-gcloud-secrets init <project-id> [--env <default>]
+gcloud-secrets init [drive-folder-id] --client-id <id> --client-secret <secret> [--env <default>]
 ```
-GCP プロジェクト ID を設定します。`--env` でデフォルト環境を指定できます（省略時は `dev`）。
+Google Drive + OAuth + age 鍵の初期設定を行います。
+- `drive-folder-id` 省略時は Drive に "gcloud-secrets" フォルダを自動作成
+- `--client-id` / `--client-secret`: Google Cloud Console で作成した OAuth クライアント情報
+- `--env` でデフォルト環境を指定（省略時は `dev`）
+- `--age-key <path>` で age 秘密鍵パスを指定（省略時は `~/.age/key.txt`、未作成なら自動生成）
+- `--age-pub <key>` で age 公開鍵を指定（省略時は秘密鍵ファイルから自動取得）
 ### 一覧表示
 ```bash
@@ -27,7 +32,7 @@ gcloud-secrets pull --env dev
 # 指定フォルダから取得
 gcloud-secrets pull <folder> --env prod
 ```
-Secret Manager から .env 形式でシークレットを取得します。
+Drive から暗号化ファイルをダウンロードし、age で復号して .env 形式で出力します。
 ### シークレット登録 (push)
 ```bash
@@ -40,6 +45,7 @@ gcloud-secrets push <folder> --env prod
 # 指定ファイルをアップロード
 gcloud-secrets push <folder> <file> --env staging
 ```
+.env ファイルを age で暗号化し、Drive にアップロードします。
 ### 同期状況スキャン (scan)
 ```bash
@@ -52,7 +58,7 @@ gcloud-secrets scan --env dev
 # 指定ディレクトリ以下をスキャン
 gcloud-secrets scan <path> --env prod
 ```
-Git リポジトリ内の .env / .dev.vars ファイルと Secret Manager の同期状況を確認します。
+Git リポジトリ内の .env / .dev.vars ファイルと Drive 上の暗号化ファイルの同期状況を確認します。
 ### 値から逆引き検索 (search)
 ```bash
@@ -62,13 +68,12 @@ gcloud-secrets search "api-key-12345"
 # 特定環境のみ検索
 gcloud-secrets search "client-id" --env prod
 ```
-シークレットの値から、使用しているフォルダ・環境・キーを逆引き検索します。
 出力例:
 ```
 Searching for: "api-key-12345"
-Scanning 45 secrets...
+Scanning 8 files...
 [FOUND] my-app / dev - EXTERNAL_API_KEY
 [FOUND] my-app / prod - EXTERNAL_API_KEY
@@ -79,7 +84,7 @@ Found 3 matches in 2 folders
 #### scan 出力例:
 ```
-=== Secret Manager 同期状況 ===
+=== シークレット同期状況 ===
 [OK]   project-a/ .env [dev] (3 keys)
 [DIFF] project-b/ .env [prod] (2 keys) - 差分あり
@@ -94,11 +99,11 @@ Found 3 matches in 2 folders
 ### .env 自動同期 (pre-commit)
 ```bash
-# カレントディレクトリの .env を Secret Manager に自動同期
+# カレントディレクトリの .env を Drive に自動同期
 gcloud-secrets pre-commit
 ```
 git hook 用の高速コマンド。キャッシュで .env の変更を検知し、変更がなければ API コール 0 で即座に終了。
-変更があれば `listSecrets` のフィルタ + 並列取得で高速にチェックし、新規/差分のある secret を自動 push。
+変更があれば Drive からダウンロード＋復号で比較し、差分があれば暗号化＋アップロード。
 ### グローバル git hook (hook)
 ```bash
@@ -124,8 +129,8 @@ gcloud-secrets hook uninstall
 ## 使用例
 ```bash
-# 1. 初期化 (デフォルト環境を dev に設定)
-gcloud-secrets init my-gcp-project --env dev
+# 1. 初期化 (OAuth クライアント情報を設定)
+gcloud-secrets init --client-id "xxx.apps.googleusercontent.com" --client-secret "GOCSPX-xxx" --env dev
 # 2. dev 環境に .env を登録
 gcloud-secrets push --env dev