npm - @yhonda/gcloud-secrets - Versions diffs - 2.0.12 → 3.1.0 - Mend

@yhonda/gcloud-secrets 2.0.12 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cli.js CHANGED Viewed

@@ -1,24 +1,32 @@
 #!/usr/bin/env node
-import { SecretManagerServiceClient } from "@google-cloud/secret-manager";
 import { readFileSync, writeFileSync, existsSync, readdirSync, lstatSync, mkdirSync, chmodSync, rmSync } from "fs";
 import { createHash } from "crypto";
 import { basename, join, dirname, resolve } from "path";
 import { homedir } from "os";
-import { execSync } from "child_process";
-// SDK クライアント初期化
-const client = new SecretManagerServiceClient();
-// 引数パース (--env / -e オプション抽出)
+import { execSync, execFileSync } from "child_process";
+import { createServer } from "http";
+import { google } from "googleapis";
+import { Readable } from "stream";
+// ============================================================
+// 引数パース
+// ============================================================
 function parseArgs(args) {
-  const result = { positional: [], env: null };
+  const result = { positional: [], env: null, ageKey: null, agePub: null, clientId: null, clientSecret: null };
   for (let i = 0; i < args.length; i++) {
     if (args[i] === '--env' || args[i] === '-e') {
-      result.env = args[i + 1];
-      i++;
+      result.env = args[i + 1]; i++;
     } else if (args[i].startsWith('--env=')) {
       result.env = args[i].split('=')[1];
+    } else if (args[i] === '--age-key') {
+      result.ageKey = args[i + 1]; i++;
+    } else if (args[i] === '--age-pub') {
+      result.agePub = args[i + 1]; i++;
+    } else if (args[i] === '--client-id') {
+      result.clientId = args[i + 1]; i++;
+    } else if (args[i] === '--client-secret') {
+      result.clientSecret = args[i + 1]; i++;
     } else {
       result.positional.push(args[i]);
     }
@@ -26,75 +34,408 @@ function parseArgs(args) {
   return result;
 }
-// 設定読み込み
+// ============================================================
+// 設定
+// ============================================================
 function getConfig() {
   const configFile = `${homedir()}/.secrets-manager.conf`;
   const config = {
-    centralProject: process.env.SECRETS_CENTRAL_PROJECT || "",
-    defaultEnvironment: process.env.DEFAULT_ENVIRONMENT || "dev"
+    driveFolderId: process.env.DRIVE_FOLDER_ID || "",
+    defaultEnvironment: process.env.DEFAULT_ENVIRONMENT || "dev",
+    agePublicKey: process.env.AGE_PUBLIC_KEY || "",
+    ageKeyPath: process.env.AGE_KEY_PATH || join(homedir(), ".age", "key.txt"),
+    googleClientId: process.env.GOOGLE_CLIENT_ID || "",
+    googleClientSecret: process.env.GOOGLE_CLIENT_SECRET || "",
+    googleDeviceClientId: process.env.GOOGLE_DEVICE_CLIENT_ID || "",
+    googleDeviceClientSecret: process.env.GOOGLE_DEVICE_CLIENT_SECRET || "",
   };
   if (existsSync(configFile)) {
     const content = readFileSync(configFile, "utf-8");
-    const projectMatch = content.match(/SECRETS_CENTRAL_PROJECT=(.+)/);
-    if (projectMatch) {
-      config.centralProject = projectMatch[1].trim();
-    }
-    const envMatch = content.match(/DEFAULT_ENVIRONMENT=(.+)/);
-    if (envMatch) {
-      config.defaultEnvironment = envMatch[1].trim();
+    for (const [envKey, configKey] of [
+      ['DRIVE_FOLDER_ID', 'driveFolderId'],
+      ['DEFAULT_ENVIRONMENT', 'defaultEnvironment'],
+      ['AGE_PUBLIC_KEY', 'agePublicKey'],
+      ['AGE_KEY_PATH', 'ageKeyPath'],
+      ['GOOGLE_CLIENT_ID', 'googleClientId'],
+      ['GOOGLE_CLIENT_SECRET', 'googleClientSecret'],
+      ['GOOGLE_DEVICE_CLIENT_ID', 'googleDeviceClientId'],
+      ['GOOGLE_DEVICE_CLIENT_SECRET', 'googleDeviceClientSecret'],
+    ]) {
+      const match = content.match(new RegExp(`^${envKey}=(.+)$`, 'm'));
+      if (match) config[configKey] = match[1].trim();
     }
   }
   return config;
 }
-// シークレット名生成 (環境対応)
-function makeSecretName(folder, key, env = null) {
-  if (env) {
-    return `${folder}_${env}_${key}`;
+function writeConfig(values) {
+  const configFile = `${homedir()}/.secrets-manager.conf`;
+  const lines = [];
+  for (const [key, value] of Object.entries(values)) {
+    if (value) lines.push(`${key}=${value}`);
   }
-  return `${folder}_${key}`;
+  writeFileSync(configFile, lines.join('\n') + '\n');
+}
+// ============================================================
+// age ヘルパー
+// ============================================================
+function checkAgeInstalled() {
+  try {
+    execFileSync('age', ['--version'], { stdio: 'ignore' });
+  } catch {
+    console.error('エラー: age がインストールされていません');
+    console.error('インストール: sudo apt install age (Linux) / brew install age (macOS)');
+    process.exit(1);
+  }
+}
+function ageEncrypt(plaintext, publicKey) {
+  return execFileSync('age', ['-r', publicKey], { input: Buffer.from(plaintext) });
 }
-// シークレット名からキーと環境を抽出
-function getKeyFromSecret(secretName, folderName) {
-  const prefix = folderName + "_";
-  if (!secretName.startsWith(prefix)) {
-    return { key: secretName, env: null };
+function ageDecrypt(ciphertext, keyPath) {
+  return execFileSync('age', ['-d', '-i', keyPath], { input: ciphertext, encoding: 'utf-8' });
+}
+function getAgePublicKeyFromFile(keyPath) {
+  const content = readFileSync(keyPath, 'utf-8');
+  const match = content.match(/# public key: (age1[a-z0-9]+)/);
+  if (match) return match[1];
+  throw new Error('age 公開鍵が見つかりません: ' + keyPath);
+}
+// ============================================================
+// OAuth2 認証
+// ============================================================
+const OAUTH_REDIRECT_PORT = 3456;
+const OAUTH_REDIRECT_URI = `http://localhost:${OAUTH_REDIRECT_PORT}/callback`;
+const OAUTH_SCOPES = ['https://www.googleapis.com/auth/drive'];
+const DEVICE_CODE_URL = 'https://oauth2.googleapis.com/device/code';
+const TOKEN_URL = 'https://oauth2.googleapis.com/token';
+const DEVICE_GRANT_TYPE = 'urn:ietf:params:oauth:grant-type:device_code';
+function getTokenPath() {
+  return join(homedir(), '.secrets-manager-oauth.json');
+}
+async function performDeviceFlow(config) {
+  if (!config.googleDeviceClientId || !config.googleDeviceClientSecret) {
+    throw new Error(
+      'Device flow 用 OAuth client が未設定です。\n' +
+      '~/.secrets-manager.conf に GOOGLE_DEVICE_CLIENT_ID / GOOGLE_DEVICE_CLIENT_SECRET を設定してください\n' +
+      '(Google Cloud Console → OAuth 2.0 クライアント ID → "TVs and Limited Input devices" タイプ)'
+    );
+  }
+  // Step 1: Device code 取得
+  const deviceRes = await fetch(DEVICE_CODE_URL, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({
+      client_id: config.googleDeviceClientId,
+      scope: OAUTH_SCOPES.join(' '),
+    }),
+  });
+  if (!deviceRes.ok) {
+    const text = await deviceRes.text();
+    throw new Error(`Device code リクエスト失敗 (${deviceRes.status}): ${text}`);
+  }
+  const dc = await deviceRes.json();
+  // dc: { device_code, user_code, verification_url, expires_in, interval }
+  // Step 2: ユーザーへ案内
+  console.log('\n認証するには、以下の URL を別デバイスのブラウザで開き、コードを入力してください:');
+  console.log(`  URL:  ${dc.verification_url}`);
+  console.log(`  Code: ${dc.user_code}`);
+  console.log(`  (有効期限 ${Math.floor(dc.expires_in / 60)} 分、待機中...)\n`);
+  // Step 3: Poll
+  const pollInterval = Math.max(dc.interval || 5, 1);
+  const deadline = Date.now() + dc.expires_in * 1000;
+  let currentInterval = pollInterval;
+  while (Date.now() < deadline) {
+    await new Promise((r) => setTimeout(r, currentInterval * 1000));
+    const tokenRes = await fetch(TOKEN_URL, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        client_id: config.googleDeviceClientId,
+        client_secret: config.googleDeviceClientSecret,
+        device_code: dc.device_code,
+        grant_type: DEVICE_GRANT_TYPE,
+      }),
+    });
+    const data = await tokenRes.json();
+    if (data.error === 'authorization_pending') continue;
+    if (data.error === 'slow_down') { currentInterval += 5; continue; }
+    if (data.error === 'access_denied') throw new Error('ユーザーが認証を拒否しました');
+    if (data.error === 'expired_token') throw new Error('Device code が失効しました、再実行してください');
+    if (data.error) throw new Error(`Device flow エラー: ${data.error} ${data.error_description || ''}`);
+    if (data.access_token) {
+      const tokenPath = getTokenPath();
+      // _client_type マーカーで、後続の refresh 時にどの client で発行されたか判別する
+      const annotated = { ...data, _client_type: 'device' };
+      writeFileSync(tokenPath, JSON.stringify(annotated, null, 2));
+      console.log('認証完了');
+      return annotated;
+    }
+  }
+  throw new Error('Device flow タイムアウト');
+}
+function isInvalidGrantError(err) {
+  const msg = String(err?.message || '');
+  const data = err?.response?.data || {};
+  return msg.includes('invalid_grant') || data.error === 'invalid_grant';
+}
+async function performOAuthFlow(oauth2Client) {
+  const authUrl = oauth2Client.generateAuthUrl({
+    access_type: 'offline',
+    scope: OAUTH_SCOPES,
+    prompt: 'consent',
+  });
+  console.log('ブラウザで認証を行います...');
+  let browserOpened = false;
+  try {
+    const openCmd = process.platform === 'darwin' ? 'open' : 'xdg-open';
+    execSync(`${openCmd} "${authUrl}"`, { stdio: 'ignore' });
+    browserOpened = true;
+  } catch { }
+  if (!browserOpened) {
+    console.log(`ブラウザが開けませんでした。以下のURLを手動で開いてください:\n${authUrl}`);
+  } else {
+    // リモートセッションなど stdio 共有環境用に URL も常時表示
+    console.log(`(ブラウザが開かない場合は以下を開いてください)\n${authUrl}`);
+  }
+  const code = await new Promise((resolve, reject) => {
+    const server = createServer((req, res) => {
+      const url = new URL(req.url, `http://localhost:${OAUTH_REDIRECT_PORT}`);
+      const authCode = url.searchParams.get('code');
+      const error = url.searchParams.get('error');
+      if (error) {
+        res.end('認証がキャンセルされました。');
+        server.close();
+        reject(new Error(`OAuth error: ${error}`));
+        return;
+      }
+      if (authCode) {
+        res.end('認証完了！このタブを閉じてください。');
+        server.close();
+        resolve(authCode);
+      }
+    });
+    server.listen(OAUTH_REDIRECT_PORT, () => {
+      console.log(`認証待機中... (localhost:${OAUTH_REDIRECT_PORT})`);
+    });
+  });
+  const { tokens } = await oauth2Client.getToken(code);
+  oauth2Client.setCredentials(tokens);
+  const tokenPath = getTokenPath();
+  writeFileSync(tokenPath, JSON.stringify(tokens, null, 2));
+  console.log('認証完了');
+  oauth2Client.on('tokens', (newTokens) => {
+    try {
+      const saved = JSON.parse(readFileSync(tokenPath, 'utf-8'));
+      writeFileSync(tokenPath, JSON.stringify({ ...saved, ...newTokens }, null, 2));
+    } catch { }
+  });
+  return oauth2Client;
+}
+async function getAuthClient(config) {
+  const tokenPath = getTokenPath();
+  // 既存 token があれば、発行元 client (desktop / device) を判別して対応する credential を使う
+  if (existsSync(tokenPath)) {
+    const tokens = JSON.parse(readFileSync(tokenPath, 'utf-8'));
+    const isDeviceToken = tokens._client_type === 'device';
+    const clientId = isDeviceToken ? config.googleDeviceClientId : config.googleClientId;
+    const clientSecret = isDeviceToken ? config.googleDeviceClientSecret : config.googleClientSecret;
+    if (!clientId || !clientSecret) {
+      console.error(`エラー: token (${isDeviceToken ? 'device' : 'desktop'}) 発行元の OAuth client 情報が未設定です`);
+      process.exit(1);
+    }
+    const oauth2Client = new google.auth.OAuth2(clientId, clientSecret, OAUTH_REDIRECT_URI);
+    oauth2Client.setCredentials(tokens);
+    oauth2Client.on('tokens', (newTokens) => {
+      try {
+        const saved = JSON.parse(readFileSync(tokenPath, 'utf-8'));
+        writeFileSync(tokenPath, JSON.stringify({ ...saved, ...newTokens }, null, 2));
+      } catch { }
+    });
+    return oauth2Client;
+  }
+  // token 無し → 初回 desktop OAuth (init 用)
+  if (!config.googleClientId || !config.googleClientSecret) {
+    console.error('エラー: Google OAuth クライアント ID/Secret が設定されていません');
+    console.error('init コマンドで --client-id と --client-secret を指定してください');
+    process.exit(1);
   }
-  const rest = secretName.slice(prefix.length);
-  const parts = rest.split("_");
-  // 2つ以上のパートがあり、最初がアルファベット小文字のみなら環境名と判断
-  if (parts.length >= 2 && /^[a-z]+$/.test(parts[0])) {
-    return { key: parts.slice(1).join("_"), env: parts[0] };
+  const oauth2Client = new google.auth.OAuth2(
+    config.googleClientId,
+    config.googleClientSecret,
+    OAUTH_REDIRECT_URI
+  );
+  return performOAuthFlow(oauth2Client);
+}
+async function getDriveClient(config) {
+  const auth = await getAuthClient(config);
+  return google.drive({ version: 'v3', auth });
+}
+// ============================================================
+// Drive ヘルパー
+// ============================================================
+function escapeQuery(str) {
+  return str.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
+}
+async function listDriveFolders(drive, rootFolderId) {
+  const res = await drive.files.list({
+    q: `'${escapeQuery(rootFolderId)}' in parents and mimeType = 'application/vnd.google-apps.folder' and trashed = false`,
+    fields: 'files(id, name)',
+    pageSize: 1000,
+  });
+  return res.data.files || [];
+}
+async function findFolder(drive, parentId, folderName) {
+  const res = await drive.files.list({
+    q: `'${escapeQuery(parentId)}' in parents and name = '${escapeQuery(folderName)}' and mimeType = 'application/vnd.google-apps.folder' and trashed = false`,
+    fields: 'files(id, name)',
+    pageSize: 1,
+  });
+  return (res.data.files || [])[0] || null;
+}
+async function getOrCreateFolder(drive, parentId, folderName) {
+  const existing = await findFolder(drive, parentId, folderName);
+  if (existing) return existing;
+  const res = await drive.files.create({
+    requestBody: {
+      name: folderName,
+      mimeType: 'application/vnd.google-apps.folder',
+      parents: [parentId],
+    },
+    fields: 'id, name',
+  });
+  return res.data;
+}
+async function findEnvAgeFile(drive, parentFolderId, env) {
+  const fileName = `${env}.env.age`;
+  const res = await drive.files.list({
+    q: `'${escapeQuery(parentFolderId)}' in parents and name = '${escapeQuery(fileName)}' and trashed = false`,
+    fields: 'files(id, name)',
+    pageSize: 1,
+  });
+  return (res.data.files || [])[0] || null;
+}
+async function listEnvAgeFiles(drive, parentFolderId) {
+  const res = await drive.files.list({
+    q: `'${escapeQuery(parentFolderId)}' in parents and name contains '.env.age' and trashed = false`,
+    fields: 'files(id, name)',
+    pageSize: 1000,
+  });
+  return res.data.files || [];
+}
+async function downloadFile(drive, fileId) {
+  const res = await drive.files.get({
+    fileId,
+    alt: 'media',
+  }, { responseType: 'arraybuffer' });
+  return Buffer.from(res.data);
+}
+async function uploadFile(drive, parentFolderId, fileName, content) {
+  const res = await drive.files.list({
+    q: `'${escapeQuery(parentFolderId)}' in parents and name = '${escapeQuery(fileName)}' and trashed = false`,
+    fields: 'files(id)',
+    pageSize: 1,
+  });
+  const existing = (res.data.files || [])[0];
+  if (existing) {
+    await drive.files.update({
+      fileId: existing.id,
+      media: {
+        mimeType: 'application/octet-stream',
+        body: Readable.from(content),
+      },
+    });
+    return existing.id;
+  } else {
+    const created = await drive.files.create({
+      requestBody: {
+        name: fileName,
+        parents: [parentFolderId],
+      },
+      media: {
+        mimeType: 'application/octet-stream',
+        body: Readable.from(content),
+      },
+      fields: 'id',
+    });
+    return created.data.id;
   }
-  return { key: rest, env: null };
 }
-// フォルダ名を正規化 (camelCase → kebab-case)
+async function listAllEnvFiles(drive, rootFolderId) {
+  const folders = await listDriveFolders(drive, rootFolderId);
+  const result = [];
+  await Promise.all(folders.map(async (folder) => {
+    const files = await listEnvAgeFiles(drive, folder.id);
+    for (const file of files) {
+      const envMatch = file.name.match(/^(.+)\.env\.age$/);
+      if (envMatch) {
+        result.push({
+          fileId: file.id,
+          fileName: file.name,
+          folder: folder.name,
+          folderId: folder.id,
+          env: envMatch[1],
+        });
+      }
+    }
+  }));
+  return result;
+}
+// ============================================================
+// ユーティリティ (変更なし)
+// ============================================================
 function normalizeFolder(name) {
   return name
-    .replace(/([a-z])([A-Z])/g, '$1-$2')  // camelCase → kebab-case
+    .replace(/([a-z])([A-Z])/g, '$1-$2')
     .toLowerCase()
     .replace(/[^a-z0-9_-]/g, '-');
 }
-// Git リポジトリを再帰的に検索
 function findGitRepositories(basePath, maxDepth = 5, currentDepth = 0) {
   const repos = [];
   if (currentDepth > maxDepth) return repos;
   try {
     const entries = readdirSync(basePath, { withFileTypes: true });
     for (const entry of entries) {
       if (!entry.isDirectory()) continue;
       if (entry.name.startsWith('.') && entry.name !== '.git') continue;
       if (entry.name === 'node_modules') continue;
       const fullPath = join(basePath, entry.name);
-      try {
-        if (lstatSync(fullPath).isSymbolicLink()) continue;
-      } catch { continue; }
+      try { if (lstatSync(fullPath).isSymbolicLink()) continue; } catch { continue; }
       if (entry.name === '.git') {
         repos.push(dirname(fullPath));
       } else {
@@ -105,7 +446,6 @@ function findGitRepositories(basePath, maxDepth = 5, currentDepth = 0) {
   return repos;
 }
-// .env ファイルを検索
 function findEnvFiles(repoPath) {
   const envFiles = [];
   for (const filename of ['.env', '.dev.vars', '.env.local', '.env.production']) {
@@ -122,7 +462,6 @@ function findEnvFiles(repoPath) {
   return envFiles;
 }
-// .env ファイルをパース
 function parseEnvFile(content) {
   const entries = [];
   const multilineRegex = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*`([\s\S]*?)`/gm;
@@ -142,7 +481,6 @@ function parseEnvFile(content) {
   return entries;
 }
-// 値の比較
 function compareValues(a, b) {
   return a.trim().replace(/\r\n/g, '\n') === b.trim().replace(/\r\n/g, '\n');
 }
@@ -168,14 +506,16 @@ function hashContent(content) {
   return createHash('md5').update(content).digest('hex');
 }
-// CLI モード
+// ============================================================
+// CLI メイン
+// ============================================================
 async function runCli(args) {
   const parsed = parseArgs(args);
   const command = parsed.positional[0];
   const config = getConfig();
   const targetEnv = parsed.env || config.defaultEnvironment;
-  if (!config.centralProject && command !== "init" && command !== "pre-commit" && command !== "hook") {
+  if (!config.driveFolderId && command && command !== "init" && command !== "pre-commit" && command !== "hook") {
     console.error("エラー: 先に init を実行してください");
     process.exit(1);
   }
@@ -183,87 +523,204 @@ async function runCli(args) {
   try {
     switch (command) {
       case "init": {
-        const projectId = parsed.positional[1];
+        const driveFolderId = parsed.positional[1];
         const defaultEnv = parsed.env || "dev";
-        if (!projectId) {
-          console.error("使い方: gcloud-secrets init <project-id> [--env <default-env>]");
+        const clientId = parsed.clientId || config.googleClientId;
+        const clientSecret = parsed.clientSecret || config.googleClientSecret;
+        if (!clientId || !clientSecret) {
+          console.error("使い方: gcloud-secrets init [drive-folder-id] --client-id <id> --client-secret <secret> [--env <default>] [--age-pub <key>] [--age-key <path>]");
           process.exit(1);
         }
-        const configFile = `${homedir()}/.secrets-manager.conf`;
-        const configContent = `SECRETS_CENTRAL_PROJECT=${projectId}\nDEFAULT_ENVIRONMENT=${defaultEnv}\n`;
-        writeFileSync(configFile, configContent);
-        console.log(`設定完了: ${projectId} (デフォルト環境: ${defaultEnv})`);
+        // age チェック
+        checkAgeInstalled();
+        // age 鍵の設定
+        let ageKeyPath = parsed.ageKey || config.ageKeyPath;
+        let agePublicKey = parsed.agePub || config.agePublicKey;
+        if (!existsSync(ageKeyPath)) {
+          const ageDir = dirname(ageKeyPath);
+          if (!existsSync(ageDir)) mkdirSync(ageDir, { recursive: true });
+          console.log(`age 鍵を生成中: ${ageKeyPath}`);
+          execFileSync('age-keygen', ['-o', ageKeyPath]);
+        }
+        if (!agePublicKey) {
+          agePublicKey = getAgePublicKeyFromFile(ageKeyPath);
+        }
+        // OAuth 認証テスト
+        const tempConfig = { ...config, googleClientId: clientId, googleClientSecret: clientSecret };
+        const drive = await getDriveClient(tempConfig);
+        let folderId = driveFolderId;
+        if (!folderId) {
+          // ルートフォルダ作成
+          console.log('Drive にルートフォルダ "gcloud-secrets" を作成中...');
+          const res = await drive.files.create({
+            requestBody: {
+              name: 'gcloud-secrets',
+              mimeType: 'application/vnd.google-apps.folder',
+            },
+            fields: 'id, name',
+          });
+          folderId = res.data.id;
+          console.log(`フォルダ作成完了: ${res.data.name} (${folderId})`);
+        } else {
+          // 既存フォルダの検証
+          try {
+            const res = await drive.files.get({ fileId: folderId, fields: 'id, name' });
+            console.log(`Drive フォルダ確認: ${res.data.name} (${folderId})`);
+          } catch {
+            console.error(`エラー: Drive フォルダ ID "${folderId}" にアクセスできません`);
+            process.exit(1);
+          }
+        }
+        // 設定保存
+        writeConfig({
+          DRIVE_FOLDER_ID: folderId,
+          DEFAULT_ENVIRONMENT: defaultEnv,
+          AGE_PUBLIC_KEY: agePublicKey,
+          AGE_KEY_PATH: ageKeyPath,
+          GOOGLE_CLIENT_ID: clientId,
+          GOOGLE_CLIENT_SECRET: clientSecret,
+        });
+        console.log(`設定完了:
+  Drive フォルダ: ${folderId}
+  デフォルト環境: ${defaultEnv}
+  age 公開鍵: ${agePublicKey}
+  age 秘密鍵: ${ageKeyPath}`);
+        break;
+      }
+      case "reauth": {
+        // init 済み前提
+        if (!config.driveFolderId) {
+          console.error('エラー: DRIVE_FOLDER_ID が未設定です');
+          console.error('先に init を実行してください');
+          process.exit(1);
+        }
+        if (!config.googleDeviceClientId || !config.googleDeviceClientSecret) {
+          console.error('エラー: Device flow 用 OAuth client が未設定です');
+          console.error('~/.secrets-manager.conf に GOOGLE_DEVICE_CLIENT_ID / GOOGLE_DEVICE_CLIENT_SECRET を追加してください');
+          console.error('(Google Cloud Console → OAuth 2.0 クライアント ID → "TVs and Limited Input devices" タイプを作成)');
+          process.exit(1);
+        }
+        // 失効 token を退避
+        const tokenPath = getTokenPath();
+        if (existsSync(tokenPath)) {
+          const backupPath = `${tokenPath}.stale-${Date.now()}`;
+          try {
+            writeFileSync(backupPath, readFileSync(tokenPath));
+            rmSync(tokenPath);
+            console.log(`旧 token を退避: ${backupPath}`);
+          } catch (e) {
+            console.error(`警告: 旧 token の退避に失敗: ${e.message}`);
+          }
+        }
+        // Device Flow 実行 (別デバイスのブラウザで承認)
+        const tokens = await performDeviceFlow(config);
+        // googleapis の OAuth2 クライアントにトークンを流し込んで Drive 疎通確認
+        const oauth2Client = new google.auth.OAuth2(
+          config.googleDeviceClientId,
+          config.googleDeviceClientSecret
+        );
+        oauth2Client.setCredentials(tokens);
+        const drive = google.drive({ version: 'v3', auth: oauth2Client });
+        try {
+          const res = await drive.files.get({ fileId: config.driveFolderId, fields: 'id, name' });
+          console.log(`Drive フォルダ確認: ${res.data.name} (${config.driveFolderId})`);
+        } catch (e) {
+          console.error(`警告: Drive フォルダ検証失敗 (${e.message})`);
+          console.error('token は更新済み。フォルダ ID / 権限を確認してください');
+          process.exit(1);
+        }
+        console.log('再認証完了');
         break;
       }
       case "list": {
         const folder = parsed.positional[1];
-        const parent = `projects/${config.centralProject}`;
-        const [secrets] = await client.listSecrets({ parent });
+        const drive = await getDriveClient(config);
         if (!folder) {
-          // フォルダ一覧 (環境ごとにグループ化)
-          const folderEnvs = new Map();
-          for (const secret of secrets) {
-            const [secretData] = await client.getSecret({ name: secret.name });
-            if (secretData.labels?.folder) {
-              const f = secretData.labels.folder;
-              const e = secretData.labels?.environment || "(default)";
-              if (!folderEnvs.has(f)) folderEnvs.set(f, new Set());
-              folderEnvs.get(f).add(e);
-            }
+          // フォルダ一覧
+          const folders = await listDriveFolders(drive, config.driveFolderId);
+          if (folders.length === 0) {
+            console.log("シークレットが登録されていません");
+            break;
           }
           console.log("フォルダ一覧:");
-          for (const [f, envs] of folderEnvs) {
-            const envList = Array.from(envs).sort().join(', ');
-            console.log(`  ${f} [${envList}]`);
+          for (const f of folders) {
+            const files = await listEnvAgeFiles(drive, f.id);
+            const envs = files
+              .map(file => file.name.match(/^(.+)\.env\.age$/))
+              .filter(Boolean)
+              .map(m => m[1])
+              .sort();
+            console.log(`  ${f.name} [${envs.join(', ')}]`);
           }
         } else {
-          // 特定フォルダのシークレット一覧 (環境でフィルタ)
-          console.log(`${folder} (${targetEnv}) のシークレット:`);
-          for (const secret of secrets) {
-            const [secretData] = await client.getSecret({ name: secret.name });
-            const secretEnv = secretData.labels?.environment || null;
-            if (secretData.labels?.folder === folder && secretEnv === targetEnv) {
-              const { key } = getKeyFromSecret(secret.name.split("/").pop(), folder);
-              console.log(`  ${key}`);
-            }
+          // 特定フォルダのキー一覧
+          checkAgeInstalled();
+          const normalizedFolder = normalizeFolder(folder);
+          const folderObj = await findFolder(drive, config.driveFolderId, normalizedFolder);
+          if (!folderObj) {
+            console.error(`フォルダが見つかりません: ${normalizedFolder}`);
+            process.exit(1);
+          }
+          const file = await findEnvAgeFile(drive, folderObj.id, targetEnv);
+          if (!file) {
+            console.error(`${normalizedFolder} (${targetEnv}) にシークレットが見つかりません`);
+            break;
+          }
+          const encrypted = await downloadFile(drive, file.id);
+          const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+          const entries = parseEnvFile(decrypted);
+          console.log(`${normalizedFolder} (${targetEnv}) のシークレット:`);
+          for (const entry of entries) {
+            console.log(`  ${entry.key}`);
           }
         }
         break;
       }
       case "pull": {
+        checkAgeInstalled();
         const folder = normalizeFolder(parsed.positional[1] || basename(process.cwd()));
-        const parent = `projects/${config.centralProject}`;
-        const [secrets] = await client.listSecrets({ parent });
-        const envLines = [];
-        for (const secret of secrets) {
-          const [secretData] = await client.getSecret({ name: secret.name });
-          const secretEnv = secretData.labels?.environment || null;
-          if (secretData.labels?.folder === folder && secretEnv === targetEnv) {
-            const { key } = getKeyFromSecret(secret.name.split("/").pop(), folder);
-            const [version] = await client.accessSecretVersion({
-              name: `${secret.name}/versions/latest`,
-            });
-            const value = version.payload.data.toString("utf-8");
-            if (value.includes("\n")) {
-              envLines.push(`${key}=\`${value}\``);
-            } else {
-              envLines.push(`${key}=${value}`);
-            }
-          }
+        const drive = await getDriveClient(config);
+        const folderObj = await findFolder(drive, config.driveFolderId, folder);
+        if (!folderObj) {
+          console.error(`警告: ${folder} (${targetEnv}) にシークレットが見つかりません`);
+          break;
         }
-        if (envLines.length === 0) {
+        const file = await findEnvAgeFile(drive, folderObj.id, targetEnv);
+        if (!file) {
           console.error(`警告: ${folder} (${targetEnv}) にシークレットが見つかりません`);
-        } else {
-          console.log(envLines.join("\n"));
+          break;
         }
+        const encrypted = await downloadFile(drive, file.id);
+        const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+        console.log(decrypted.trimEnd());
         break;
       }
       case "push": {
+        checkAgeInstalled();
         const folder = normalizeFolder(parsed.positional[1] || basename(process.cwd()));
         const envFile = parsed.positional[2] || ".env";
@@ -273,67 +730,43 @@ async function runCli(args) {
         }
         const content = readFileSync(envFile, "utf-8");
-        const lines = content.split("\n");
-        const parent = `projects/${config.centralProject}`;
-        const labels = { folder, environment: targetEnv };
-        let count = 0;
-        for (const line of lines) {
-          if (!line.trim() || line.startsWith("#")) continue;
-          const match = line.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/i);
-          if (match) {
-            const [, key, value] = match;
-            const secretId = makeSecretName(folder, key, targetEnv);
-            const secretName = `${parent}/secrets/${secretId}`;
-            try {
-              await client.getSecret({ name: secretName });
-              // 既存シークレットのラベルも更新
-              await client.updateSecret({
-                secret: { name: secretName, labels },
-                updateMask: { paths: ['labels'] }
-              });
-              await client.addSecretVersion({
-                parent: secretName,
-                payload: { data: Buffer.from(value) },
-              });
-            } catch {
-              await client.createSecret({
-                parent,
-                secretId,
-                secret: { replication: { automatic: {} }, labels },
-              });
-              await client.addSecretVersion({
-                parent: secretName,
-                payload: { data: Buffer.from(value) },
-              });
-            }
-            count++;
-          }
+        const entries = parseEnvFile(content);
+        if (entries.length === 0) {
+          console.error("有効なシークレットが見つかりません");
+          process.exit(1);
         }
-        console.log(`${count} 件のシークレットをアップロードしました (${folder}/${targetEnv})`);
+        const drive = await getDriveClient(config);
+        const folderObj = await getOrCreateFolder(drive, config.driveFolderId, folder);
+        const encrypted = ageEncrypt(content, config.agePublicKey);
+        const fileName = `${targetEnv}.env.age`;
+        await uploadFile(drive, folderObj.id, fileName, encrypted);
+        console.log(`${entries.length} 件のシークレットをアップロードしました (${folder}/${targetEnv})`);
         break;
       }
       case "scan": {
+        checkAgeInstalled();
         const basePath = parsed.positional[1] || homedir();
-        const filterEnv = parsed.env; // null の場合は全環境を表示
+        const filterEnv = parsed.env;
         const repos = findGitRepositories(basePath, 5);
-        const parent = `projects/${config.centralProject}`;
-        const [allSecrets] = await client.listSecrets({ parent });
-        // フォルダ+環境ごとにグループ化
-        const secretsByFolderEnv = new Map();
-        for (const secret of allSecrets) {
-          const [secretData] = await client.getSecret({ name: secret.name });
-          const f = secretData.labels?.folder;
-          const e = secretData.labels?.environment || null;
-          if (f) {
-            const key = `${f}|${e || ''}`;
-            if (!secretsByFolderEnv.has(key)) secretsByFolderEnv.set(key, []);
-            secretsByFolderEnv.get(key).push({ secret, env: e });
-          }
-        }
+        const drive = await getDriveClient(config);
+        // リモートの全ファイルを取得
+        const remoteFiles = await listAllEnvFiles(drive, config.driveFolderId);
+        // リモートデータをダウンロード・復号（並列）
+        const remoteData = new Map(); // key: "folder|env" -> parsed entries
+        await Promise.all(remoteFiles.map(async (rf) => {
+          try {
+            const encrypted = await downloadFile(drive, rf.fileId);
+            const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+            const entries = parseEnvFile(decrypted);
+            remoteData.set(`${rf.folder}|${rf.env}`, entries);
+          } catch { }
+        }));
         const results = [];
         let syncedCount = 0, diffCount = 0, newCount = 0;
@@ -353,56 +786,52 @@ async function runCli(args) {
             const localEntries = parseEnvFile(content);
             if (localEntries.length === 0) continue;
-            // 環境フィルタがある場合はその環境のみ、なければ全環境をチェック
-            const envsToCheck = filterEnv ? [filterEnv] : [null, ...Array.from(new Set(
-              Array.from(secretsByFolderEnv.keys())
-                .filter(k => k.startsWith(normalizedFolder + '|'))
-                .map(k => k.split('|')[1])
-                .filter(Boolean)
-            ))];
+            // チェック対象の環境を決定
+            const envsToCheck = filterEnv
+              ? [filterEnv]
+              : [...new Set(
+                  Array.from(remoteData.keys())
+                    .filter(k => k.startsWith(normalizedFolder + '|'))
+                    .map(k => k.split('|')[1])
+                )];
+            if (envsToCheck.length === 0) {
+              results.push({ status: "NEW", repo: repoName, file: envFile.filename, env: filterEnv || "(default)", keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
+              newCount++;
+              continue;
+            }
             for (const checkEnv of envsToCheck) {
-              const mapKey = `${normalizedFolder}|${checkEnv || ''}`;
-              const folderSecrets = secretsByFolderEnv.get(mapKey) || [];
-              const envLabel = checkEnv || "(default)";
+              const mapKey = `${normalizedFolder}|${checkEnv}`;
+              const remoteEntries = remoteData.get(mapKey);
-              if (folderSecrets.length === 0) {
-                results.push({ status: "NEW", repo: repoName, file: envFile.filename, env: envLabel, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
+              if (!remoteEntries) {
+                results.push({ status: "NEW", repo: repoName, file: envFile.filename, env: checkEnv, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
                 newCount++;
                 continue;
               }
-              // リモート値取得・比較
+              // 比較
+              const remoteMap = new Map(remoteEntries.map(e => [e.key, e.value]));
               let hasDiff = false;
-              const remoteKeys = new Set();
-              const remoteValues = new Map();
-              for (const { secret } of folderSecrets) {
-                const { key } = getKeyFromSecret(secret.name.split('/').pop(), normalizedFolder);
-                remoteKeys.add(key);
-                try {
-                  const [version] = await client.accessSecretVersion({ name: `${secret.name}/versions/latest` });
-                  remoteValues.set(key, version.payload.data.toString('utf8'));
-                } catch { }
-              }
               for (const entry of localEntries) {
-                if (!remoteKeys.has(entry.key) || !compareValues(entry.value, remoteValues.get(entry.key) || '')) {
+                if (!remoteMap.has(entry.key) || !compareValues(entry.value, remoteMap.get(entry.key))) {
                   hasDiff = true;
                   break;
                 }
               }
               if (!hasDiff) {
-                for (const key of remoteKeys) {
-                  if (!localEntries.find(e => e.key === key)) { hasDiff = true; break; }
+                for (const re of remoteEntries) {
+                  if (!localEntries.find(e => e.key === re.key)) { hasDiff = true; break; }
                 }
               }
               if (hasDiff) {
-                results.push({ status: "DIFF", repo: repoName, file: envFile.filename, env: envLabel, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
+                results.push({ status: "DIFF", repo: repoName, file: envFile.filename, env: checkEnv, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
                 diffCount++;
               } else {
-                results.push({ status: "OK", repo: repoName, file: envFile.filename, env: envLabel, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
+                results.push({ status: "OK", repo: repoName, file: envFile.filename, env: checkEnv, keyCount: localEntries.length, gitIgnored: envFile.gitIgnored });
                 syncedCount++;
               }
             }
@@ -410,7 +839,7 @@ async function runCli(args) {
         }
         const envSuffix = filterEnv ? ` (${filterEnv})` : "";
-        console.log(`=== Secret Manager 同期状況${envSuffix} ===\n`);
+        console.log(`=== シークレット同期状況${envSuffix} ===\n`);
         if (results.length === 0) {
           console.log(".env / .dev.vars ファイルが見つかりませんでした");
         } else {
@@ -432,7 +861,11 @@ async function runCli(args) {
       case "pre-commit": {
         // config なし → サイレント exit
-        if (!config.centralProject) process.exit(0);
+        if (!config.driveFolderId || !config.googleClientId) process.exit(0);
+        // OAuth トークンなし → サイレント exit (対話的認証を避ける)
+        if (!existsSync(getTokenPath())) process.exit(0);
+        // age なし → サイレント exit
+        try { execFileSync('age', ['--version'], { stdio: 'ignore' }); } catch { process.exit(0); }
         const cwd = process.cwd();
         const folder = normalizeFolder(basename(resolve(cwd)));
@@ -440,10 +873,20 @@ async function runCli(args) {
         if (envFiles.length === 0) process.exit(0);
         const cache = readCache();
-        const parent = `projects/${config.centralProject}`;
         let totalPushed = 0;
+        let drive;
+        try { drive = await getDriveClient(config); } catch { process.exit(0); }
+        let reauthWarned = false;
+        const warnReauth = () => {
+          if (reauthWarned) return;
+          reauthWarned = true;
+          console.error('⚠ OAuth expired. Run `gcloud-secrets reauth` to re-authenticate.');
+        };
         for (const envFile of envFiles) {
+          if (reauthWarned) break;
           let content;
           try { content = readFileSync(envFile.path, 'utf-8'); } catch { continue; }
           if (!content.trim()) continue;
@@ -460,78 +903,41 @@ async function runCli(args) {
           const localEntries = parseEnvFile(content);
           if (localEntries.length === 0) continue;
-          const labels = { folder, environment: targetEnv };
           try {
-            // フィルタ付き listSecrets (1 API コール、ラベル込み)
-            const filter = `labels.folder=${folder} AND labels.environment=${targetEnv}`;
-            const [remoteSecrets] = await client.listSecrets({ parent, filter });
-            // リモートキー → シークレット名マップ
-            const remoteMap = new Map();
-            for (const secret of remoteSecrets) {
-              const { key } = getKeyFromSecret(secret.name.split('/').pop(), folder);
-              remoteMap.set(key, secret.name);
-            }
-            // リモート値を並列取得
-            const remoteValues = new Map();
-            const keysToCompare = localEntries.filter(e => remoteMap.has(e.key));
-            if (keysToCompare.length > 0) {
-              const results = await Promise.all(
-                keysToCompare.map(async (entry) => {
-                  try {
-                    const [version] = await client.accessSecretVersion({
-                      name: `${remoteMap.get(entry.key)}/versions/latest`,
-                    });
-                    return { key: entry.key, value: version.payload.data.toString('utf-8') };
-                  } catch { return { key: entry.key, value: null }; }
-                })
-              );
-              for (const r of results) {
-                if (r.value !== null) remoteValues.set(r.key, r.value);
-              }
-            }
-            // 新規/変更キーを特定
-            const toPush = [];
-            for (const entry of localEntries) {
-              if (!remoteMap.has(entry.key)) {
-                toPush.push(entry);
-              } else if (!remoteValues.has(entry.key) || !compareValues(entry.value, remoteValues.get(entry.key))) {
-                toPush.push(entry);
+            // リモートファイルを取得して比較
+            const folderObj = await findFolder(drive, config.driveFolderId, folder);
+            let needsPush = true;
+            if (folderObj) {
+              const remoteFile = await findEnvAgeFile(drive, folderObj.id, targetEnv);
+              if (remoteFile) {
+                const encrypted = await downloadFile(drive, remoteFile.id);
+                const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+                const remoteEntries = parseEnvFile(decrypted);
+                const remoteMap = new Map(remoteEntries.map(e => [e.key, e.value]));
+                // 差分チェック
+                needsPush = false;
+                for (const entry of localEntries) {
+                  if (!remoteMap.has(entry.key) || !compareValues(entry.value, remoteMap.get(entry.key))) {
+                    needsPush = true;
+                    break;
+                  }
+                }
+                if (!needsPush) {
+                  for (const re of remoteEntries) {
+                    if (!localEntries.find(e => e.key === re.key)) { needsPush = true; break; }
+                  }
+                }
               }
             }
-            // push
-            if (toPush.length > 0) {
-              for (const entry of toPush) {
-                const secretId = makeSecretName(folder, entry.key, targetEnv);
-                const secretName = `${parent}/secrets/${secretId}`;
-                try {
-                  await client.getSecret({ name: secretName });
-                  await client.updateSecret({
-                    secret: { name: secretName, labels },
-                    updateMask: { paths: ['labels'] }
-                  });
-                  await client.addSecretVersion({
-                    parent: secretName,
-                    payload: { data: Buffer.from(entry.value) },
-                  });
-                } catch {
-                  await client.createSecret({
-                    parent,
-                    secretId,
-                    secret: { replication: { automatic: {} }, labels },
-                  });
-                  await client.addSecretVersion({
-                    parent: secretName,
-                    payload: { data: Buffer.from(entry.value) },
-                  });
-                }
-              }
-              console.log(`↑ ${envFile.filename}: ${toPush.length} secrets pushed (${folder}/${targetEnv})`);
-              totalPushed += toPush.length;
+            if (needsPush) {
+              const targetFolder = await getOrCreateFolder(drive, config.driveFolderId, folder);
+              const encryptedContent = ageEncrypt(content, config.agePublicKey);
+              await uploadFile(drive, targetFolder.id, `${targetEnv}.env.age`, encryptedContent);
+              console.log(`↑ ${envFile.filename}: pushed (${folder}/${targetEnv})`);
+              totalPushed++;
             } else {
               console.log(`✓ ${envFile.filename} synced`);
             }
@@ -544,6 +950,10 @@ async function runCli(args) {
               syncedAt: new Date().toISOString()
             };
           } catch (error) {
+            if (isInvalidGrantError(error)) {
+              warnReauth();
+              break;
+            }
             console.log(`⚠ ${envFile.filename}: sync skipped (${error.message})`);
           }
         }
@@ -559,42 +969,35 @@ async function runCli(args) {
           process.exit(1);
         }
+        checkAgeInstalled();
         const filterEnv = parsed.env;
-        const parent = `projects/${config.centralProject}`;
-        const [secrets] = await client.listSecrets({ parent });
+        const drive = await getDriveClient(config);
+        const allFiles = await listAllEnvFiles(drive, config.driveFolderId);
+        // 環境フィルタ
+        const targetFiles = filterEnv ? allFiles.filter(f => f.env === filterEnv) : allFiles;
         console.log(`Searching for: "${keyword}"`);
         if (filterEnv) console.log(`  環境: ${filterEnv}`);
-        console.log(`\nScanning ${secrets.length} secrets...\n`);
+        console.log(`\nScanning ${targetFiles.length} files...\n`);
         const results = await Promise.all(
-          secrets.map(async (secret) => {
+          targetFiles.map(async (rf) => {
             try {
-              const [secretData] = await client.getSecret({ name: secret.name });
-              const folder = secretData.labels?.folder;
-              const env = secretData.labels?.environment || "(default)";
-              // 環境フィルタ
-              if (filterEnv && secretData.labels?.environment !== filterEnv) return null;
-              // 値を取得してキーワード検索
-              const [version] = await client.accessSecretVersion({
-                name: `${secret.name}/versions/latest`,
-              });
-              const value = version.payload.data.toString("utf-8");
-              if (value.includes(keyword)) {
-                const { key } = getKeyFromSecret(secret.name.split("/").pop(), folder);
-                return { folder, env, key };
-              }
+              const encrypted = await downloadFile(drive, rf.fileId);
+              const decrypted = ageDecrypt(encrypted, config.ageKeyPath);
+              const entries = parseEnvFile(decrypted);
+              return entries
+                .filter(e => e.value.includes(keyword))
+                .map(e => ({ folder: rf.folder, env: rf.env, key: e.key }));
             } catch {
-              // バージョンがない場合はスキップ
+              return [];
             }
-            return null;
           })
         );
-        const matches = results.filter((r) => r !== null);
-        const folders = new Set(matches.map((m) => m.folder));
+        const matches = results.flat();
+        const folders = new Set(matches.map(m => m.folder));
         if (matches.length === 0) {
           console.log("No matches found");
@@ -607,6 +1010,71 @@ async function runCli(args) {
         break;
       }
+      case "key": {
+        const subcommand = parsed.positional[1];
+        if (subcommand === "backup") {
+          checkAgeInstalled();
+          if (!existsSync(config.ageKeyPath)) {
+            console.error(`エラー: age 秘密鍵が見つかりません: ${config.ageKeyPath}`);
+            process.exit(1);
+          }
+          // gpg で暗号化
+          try { execFileSync('gpg', ['--version'], { stdio: 'ignore' }); } catch {
+            console.error('エラー: gpg がインストールされていません');
+            process.exit(1);
+          }
+          const tmpGpg = join(homedir(), '.age', 'age-key.gpg');
+          console.log('gpg パスワードを入力してください（復元時に必要）...');
+          execSync(`gpg --symmetric --cipher-algo AES256 -o "${tmpGpg}" "${config.ageKeyPath}"`, { stdio: 'inherit' });
+          // Drive にアップロード
+          const drive = await getDriveClient(config);
+          const gpgContent = readFileSync(tmpGpg);
+          await uploadFile(drive, config.driveFolderId, 'age-key.gpg', gpgContent);
+          rmSync(tmpGpg);
+          console.log('age 秘密鍵を暗号化して Drive にバックアップしました (age-key.gpg)');
+        } else if (subcommand === "restore") {
+          // Drive からダウンロード
+          const drive = await getDriveClient(config);
+          const res = await drive.files.list({
+            q: `'${escapeQuery(config.driveFolderId)}' in parents and name = 'age-key.gpg' and trashed = false`,
+            fields: 'files(id)',
+            pageSize: 1,
+          });
+          const file = (res.data.files || [])[0];
+          if (!file) {
+            console.error('エラー: Drive に age-key.gpg が見つかりません');
+            process.exit(1);
+          }
+          const gpgData = await downloadFile(drive, file.id);
+          const tmpGpg = join(homedir(), '.age', 'age-key.gpg');
+          const ageDir = dirname(config.ageKeyPath);
+          if (!existsSync(ageDir)) mkdirSync(ageDir, { recursive: true });
+          writeFileSync(tmpGpg, gpgData);
+          console.log('gpg パスワードを入力してください...');
+          execSync(`gpg --decrypt -o "${config.ageKeyPath}" "${tmpGpg}"`, { stdio: 'inherit' });
+          rmSync(tmpGpg);
+          // 公開鍵も表示
+          const pubKey = getAgePublicKeyFromFile(config.ageKeyPath);
+          console.log(`age 秘密鍵を復元しました: ${config.ageKeyPath}`);
+          console.log(`公開鍵: ${pubKey}`);
+        } else {
+          console.log(`使い方:
+  gcloud-secrets key backup     age 秘密鍵を gpg 暗号化して Drive にバックアップ
+  gcloud-secrets key restore    Drive から age 秘密鍵を復元`);
+        }
+        break;
+      }
       case "hook": {
         const subcommand = parsed.positional[1];
@@ -627,7 +1095,7 @@ async function runCli(args) {
             if (hookType === 'pre-commit') {
               extraLogic = `
-# gcloud-secrets: auto-sync .env to Secret Manager
+# gcloud-secrets: auto-sync .env to Drive
 if command -v gcloud-secrets >/dev/null 2>&1; then
   gcloud-secrets pre-commit
 fi
@@ -690,18 +1158,22 @@ exit 0
       }
       default:
-        console.log(`gcloud-secrets - GCP Secret Manager CLI
+        console.log(`gcloud-secrets - シークレット管理 CLI (Google Drive + age 暗号化)
 使い方:
-  gcloud-secrets init <project-id> [--env <default>]  中央プロジェクトを設定
-  gcloud-secrets list [folder] [--env <env>]          一覧表示
-  gcloud-secrets pull [folder] [--env <env>]          シークレットを取得
-  gcloud-secrets push [folder] [file] [--env <env>]   シークレットをアップロード
-  gcloud-secrets scan [basePath] [--env <env>]        Git リポジトリの .env 同期状況をスキャン
-  gcloud-secrets search <keyword> [--env <env>]       値から逆引き検索
-  gcloud-secrets pre-commit                           .env 自動同期 (git hook 用)
-  gcloud-secrets hook install                         グローバル git hook インストール
-  gcloud-secrets hook uninstall                       グローバル git hook アンインストール
+  gcloud-secrets init [drive-folder-id] --client-id <id> --client-secret <secret> [--env <default>]
+                                                   初期設定 (OAuth + age 鍵 + Drive フォルダ)
+  gcloud-secrets reauth                            OAuth token 再認証のみ (config は保持)
+  gcloud-secrets list [folder] [--env <env>]       一覧表示
+  gcloud-secrets pull [folder] [--env <env>]       シークレットを取得
+  gcloud-secrets push [folder] [file] [--env <env>] シークレットをアップロード
+  gcloud-secrets scan [basePath] [--env <env>]     Git リポジトリの .env 同期状況をスキャン
+  gcloud-secrets search <keyword> [--env <env>]    値から逆引き検索
+  gcloud-secrets pre-commit                        .env 自動同期 (git hook 用)
+  gcloud-secrets key backup                        age 秘密鍵を暗号化して Drive にバックアップ
+  gcloud-secrets key restore                       Drive から age 秘密鍵を復元
+  gcloud-secrets hook install                      グローバル git hook インストール
+  gcloud-secrets hook uninstall                    グローバル git hook アンインストール
 オプション:
   --env, -e <env>  環境を指定 (dev, staging, prod など)