cf-envsync 0.2.0 → 0.3.0

package/README.md

@@ -7,6 +7,20 @@
 
 <h1 align="center">envsync</h1>
 
+<p align="center">
+  <a href="https://www.npmjs.com/package/cf-envsync"><img src="https://img.shields.io/npm/v/cf-envsync.svg" alt="npm version" /></a>
+  <a href="https://www.npmjs.com/package/cf-envsync"><img src="https://img.shields.io/npm/dm/cf-envsync.svg" alt="npm downloads" /></a>
+  <a href="https://github.com/hakkokimkr/cf-envsync/blob/main/LICENSE"><img src="https://img.shields.io/npm/l/cf-envsync.svg" alt="license" /></a>
+  <a href="https://github.com/hakkokimkr/cf-envsync"><img src="https://img.shields.io/github/stars/hakkokimkr/cf-envsync.svg?style=social" alt="GitHub stars" /></a>
+</p>
+
+<p align="center">
+  <a href="https://nodejs.org/"><img src="https://img.shields.io/node/v/cf-envsync.svg" alt="node version" /></a>
+  <a href="https://github.com/hakkokimkr/cf-envsync"><img src="https://img.shields.io/github/last-commit/hakkokimkr/cf-envsync.svg" alt="last commit" /></a>
+  <a href="https://github.com/hakkokimkr/cf-envsync/issues"><img src="https://img.shields.io/github/issues/hakkokimkr/cf-envsync.svg" alt="issues" /></a>
+  <img src="https://img.shields.io/badge/TypeScript-100%25-blue.svg" alt="TypeScript" />
+</p>
+
 <p align="center">
   One <code>.env</code> file. Every Worker. Every environment.<br />
   No SaaS. No dashboard. Just your repo.
@@ -75,7 +89,7 @@ envsync validate
 
 - [Node.js](https://nodejs.org) >= 18 or [Bun](https://bun.sh)
 - [wrangler](https://developers.cloudflare.com/workers/wrangler/) CLI (peer dependency, for push/pull/diff)
-- [dotenvx](https://dotenvx.com) (optional, for encryption)
+- [dotenvx](https://dotenvx.com) (optional, only if using `encryption: "dotenvx"`)
 
 ---
 
@@ -270,10 +284,11 @@ envsync init --monorepo    # Scans for wrangler.jsonc files
 ```
 
 What it does:
+- Asks for encryption method (`password`, `dotenvx`, or `none`)
 - Scans `wrangler.jsonc` files to discover workers and environments
 - Detects shared secrets across apps
 - Creates `envsync.config.ts`, `.env.example`, and empty `.env.{environment}` files
-- Adds `.env.local`, `.env.keys`, `**/.dev.vars` to `.gitignore`
+- Adds `.env.local`, `.env.keys`, `.env.password`, `**/.dev.vars` to `.gitignore`
 - Registers the custom Git merge driver in `.gitattributes`
 
 ---
@@ -289,9 +304,33 @@ envsync normalize .env.staging # Specific file
 
 ---
 
+### `envsync encrypt` — Encrypt plain values
+
+Encrypts plain-text values in a `.env` file using password-based encryption (AES-256-GCM). Only available when `encryption: "password"`.
+
+```bash
+envsync encrypt staging           # Encrypt all plain values in .env.staging
+envsync encrypt production        # Encrypt .env.production
+envsync encrypt staging --dry-run # Preview without writing
+```
+
+```
+$ envsync encrypt staging
+
+  DATABASE_URL: encrypted
+  API_KEY: encrypted
+  JWT_SECRET: encrypted
+
+Encrypted 3 values in .env.staging (0 skipped)
+```
+
+Already-encrypted and empty values are skipped automatically.
+
+---
+
 ### `envsync merge` — Git merge driver
 
-A 3-way merge driver that understands dotenvx encryption. Registered automatically by `envsync init`.
+A 3-way merge driver that understands both dotenvx and password encryption. Registered automatically by `envsync init`.
 
 ```
 # .gitattributes (auto-generated)
@@ -301,10 +340,10 @@ A 3-way merge driver that understands dotenvx encryption. Registered automatical
 
 How it works:
 
-1. Decrypts all three versions (base, ours, theirs)
+1. Decrypts all three versions (base, ours, theirs) — supports both dotenvx and password encryption
 2. 3-way merge at the **key level** — not the encrypted ciphertext
 3. Only real conflicts get conflict markers
-4. Re-encrypts the merged result
+4. Re-encrypts the merged result (password mode uses `encryptEnvMap`, dotenvx uses `dotenvx encrypt`)
 
 No more fake conflicts from identical values with different ciphertext.
 
@@ -415,7 +454,7 @@ export default {
 | `envFiles.pattern` | `string` | File naming pattern. `{env}` is replaced. `local` falls back to `.env` |
 | `envFiles.local` | `string` | Per-developer override file (gitignored) |
 | `envFiles.perApp` | `boolean` | Allow per-app `.env.{env}` files for app-specific overrides |
-| `encryption` | `"dotenvx" \| "none"` | Encryption method for `.env` files |
+| `encryption` | `"password" \| "dotenvx" \| "none"` | Encryption method for `.env` files |
 | `apps.{name}.path` | `string` | Path to app directory relative to project root |
 | `apps.{name}.workers` | `Record<string, string>` | Worker name per environment |
 | `apps.{name}.secrets` | `string[]` | Secret keys pushed via `wrangler secret bulk` |
@@ -428,6 +467,48 @@ export default {
 
 Config file search order: `envsync.config.ts` > `.js` > `.mjs` > `envsync.json` > `envsync.jsonc`
 
+### Encryption
+
+envsync supports three encryption modes:
+
+| Mode | How it works | Dependencies |
+|------|-------------|--------------|
+| `"password"` | AES-256-GCM, per-value encryption with a shared password. Values stored as `envsync:v1:{base64}`. | None (uses `node:crypto`) |
+| `"dotenvx"` | ECIES public/private key encryption via dotenvx CLI. | `dotenvx` CLI |
+| `"none"` | No encryption. `.env` files stored in plain text. | None |
+
+#### Password encryption
+
+Per-value encryption means each key-value pair is encrypted independently — git diffs are readable at the key level, and merges work cleanly.
+
+```
+# .env.staging (committed, encrypted)
+DATABASE_URL=envsync:v1:base64encodedpayload...
+API_KEY=envsync:v1:base64encodedpayload...
+```
+
+**Password source** (checked in order):
+
+1. `ENVSYNC_PASSWORD_{ENV}` env var (e.g. `ENVSYNC_PASSWORD_STAGING`)
+2. `ENVSYNC_PASSWORD` env var (generic fallback)
+3. `.env.password` file with `ENVSYNC_PASSWORD_{ENV}=xxx` (env-specific)
+4. `.env.password` file with `ENVSYNC_PASSWORD=xxx` (generic fallback)
+
+```bash
+# Quick setup
+echo "ENVSYNC_PASSWORD=your-strong-password" > .env.password
+
+# Or per-environment passwords
+cat > .env.password << 'EOF'
+ENVSYNC_PASSWORD_STAGING=staging-password
+ENVSYNC_PASSWORD_PRODUCTION=production-password
+EOF
+
+# Encrypt plain values
+envsync encrypt staging
+envsync encrypt production
+```
+
 ### File structure
 
 ```
@@ -440,6 +521,7 @@ project/
 ├── .env.local                      # Per-developer overrides (gitignored)
 ├── .env.example                    # Key reference (committed)
 ├── .env.keys                       # dotenvx private keys (gitignored)
+├── .env.password                   # Password encryption keys (gitignored)
 │
 ├── apps/
 │   ├── api/
@@ -454,7 +536,7 @@ project/
 │       ├── .dev.vars               # ← generated
 │       └── .env                    # app-specific secrets (YOUTUBE_API_KEY, etc.)
 │
-└── .gitignore                      # .env.local, .env.keys, **/.dev.vars
+└── .gitignore                      # .env.local, .env.keys, .env.password, **/.dev.vars
 ```
 
 ### Merge priority
@@ -501,12 +583,39 @@ export default defineConfig({
 <tr><td><strong>.dev.vars</strong></td><td>Local dev secrets</td><td>Doesn't sync with anything</td></tr>
 </table>
 
-**envsync** fills the gap: encrypted `.env` files as the single source of truth, synced to every target — Workers secrets, `.dev.vars`, validation — with monorepo and multi-environment support built in.
+**envsync** fills the gap: encrypted `.env` files as the single source of truth, synced to every target — Workers secrets, `.dev.vars`, validation — with monorepo and multi-environment support built in. Choose password encryption (zero dependencies, per-value, merge-friendly) or dotenvx (ECIES key pairs).
 
 No SaaS. No dashboard. Just a CLI, your `.env` files, and Cloudflare's API.
 
 ---
 
+## Testing
+
+150 tests across 20 files covering utils, core modules, and all 10 commands.
+
+```bash
+bun test              # Run tests
+bun test --coverage   # Run with coverage report
+```
+
+### Coverage
+
+| File | % Funcs | % Lines |
+|------|---------|---------|
+| **All files** | **83.93** | **76.13** |
+| src/core/resolver.ts | 100.00 | 100.00 |
+| src/core/wrangler.ts | 100.00 | 100.00 |
+| src/core/env-file.ts | 100.00 | 98.65 |
+| src/core/encryption.ts | 100.00 | 95.65 |
+| src/utils/fs.ts | 100.00 | 97.44 |
+| src/core/config.ts | 71.43 | 76.23 |
+| src/commands/merge.ts | 75.00 | 28.40 |
+| src/utils/output.ts | 25.00 | 12.70 |
+
+> `merge.ts` and `output.ts` line coverage is lower because their command handlers and print functions are tested via CLI integration tests (spawned subprocesses), which bun's coverage instrumentation does not trace into.
+
+---
+
 ## Tech Stack
 
 | | |
@@ -515,7 +624,7 @@ No SaaS. No dashboard. Just a CLI, your `.env` files, and Cloudflare's API.
 | **CLI framework** | [citty](https://github.com/unjs/citty) |
 | **Output** | [consola](https://github.com/unjs/consola) |
 | **Config loading** | [jiti](https://github.com/unjs/jiti) |
-| **Encryption** | [@dotenvx/dotenvx](https://dotenvx.com) |
+| **Encryption** | `node:crypto` AES-256-GCM (password mode) / [@dotenvx/dotenvx](https://dotenvx.com) (dotenvx mode) |
 | **CF Secrets** | [wrangler](https://developers.cloudflare.com/workers/wrangler/) CLI (shell out) |
 
 ---

package/dist/index.js

@@ -13007,6 +13007,9 @@ var require_main2 = __commonJS((exports, module) => {
 });
 
 // src/core/encryption.ts
+import { readFileSync } from "node:fs";
+import { join as join2 } from "node:path";
+import { scryptSync, randomBytes, createCipheriv, createDecipheriv } from "node:crypto";
 function decryptEnvContent(content, privateKey) {
   if (privateKey) {
     const prev = process.env.DOTENV_PRIVATE_KEY;
@@ -13023,27 +13026,154 @@ function decryptEnvContent(content, privateKey) {
   }
   return import_dotenvx.parse(content);
 }
-function findPrivateKey(env2) {
+function loadEnvKeysFileSync(filePath) {
+  try {
+    const content = readFileSync(filePath, "utf-8");
+    const result = {};
+    for (const line of content.split(`
+`)) {
+      const trimmed = line.trim();
+      if (trimmed === "" || trimmed.startsWith("#"))
+        continue;
+      const eqIdx = trimmed.indexOf("=");
+      if (eqIdx === -1)
+        continue;
+      const key = trimmed.slice(0, eqIdx).trim();
+      let value = trimmed.slice(eqIdx + 1).trim();
+      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+        value = value.slice(1, -1);
+      }
+      result[key] = value;
+    }
+    return result;
+  } catch {
+    return {};
+  }
+}
+function findPrivateKey(env2, projectRoot) {
   if (env2) {
     const envKey = `DOTENV_PRIVATE_KEY_${env2.toUpperCase()}`;
     if (process.env[envKey])
       return process.env[envKey];
   }
-  return process.env.DOTENV_PRIVATE_KEY;
+  if (process.env.DOTENV_PRIVATE_KEY)
+    return process.env.DOTENV_PRIVATE_KEY;
+  if (projectRoot) {
+    const keysFile = loadEnvKeysFileSync(join2(projectRoot, ".env.keys"));
+    if (env2) {
+      const envKey = `DOTENV_PRIVATE_KEY_${env2.toUpperCase()}`;
+      if (keysFile[envKey])
+        return keysFile[envKey];
+    }
+    if (keysFile.DOTENV_PRIVATE_KEY)
+      return keysFile.DOTENV_PRIVATE_KEY;
+  }
+  return;
+}
+function isEnvsyncEncrypted(value) {
+  return value.startsWith(ENVSYNC_PREFIX);
+}
+function encryptValue(plaintext, password) {
+  const salt = randomBytes(16);
+  const iv = randomBytes(12);
+  const key = scryptSync(password, salt, 32);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const payload = Buffer.concat([salt, iv, encrypted, tag]);
+  return ENVSYNC_PREFIX + payload.toString("base64");
+}
+function decryptValue(token, password) {
+  if (!token.startsWith(ENVSYNC_PREFIX)) {
+    throw new Error("Not an envsync-encrypted value");
+  }
+  const payload = Buffer.from(token.slice(ENVSYNC_PREFIX.length), "base64");
+  const salt = payload.subarray(0, 16);
+  const iv = payload.subarray(16, 28);
+  const tag = payload.subarray(payload.length - 16);
+  const encrypted = payload.subarray(28, payload.length - 16);
+  const key = scryptSync(password, salt, 32);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(encrypted) + decipher.final("utf8");
+}
+function decryptEnvMap(envMap, password) {
+  const result = {};
+  for (const [key, value] of Object.entries(envMap)) {
+    result[key] = isEnvsyncEncrypted(value) ? decryptValue(value, password) : value;
+  }
+  return result;
+}
+function encryptEnvMap(envMap, password) {
+  const result = {};
+  for (const [key, value] of Object.entries(envMap)) {
+    if (isEnvsyncEncrypted(value) || value === "") {
+      result[key] = value;
+    } else {
+      result[key] = encryptValue(value, password);
+    }
+  }
+  return result;
+}
+function findPassword(env2, projectRoot) {
+  if (env2) {
+    const envKey = `ENVSYNC_PASSWORD_${env2.toUpperCase()}`;
+    if (process.env[envKey])
+      return process.env[envKey];
+  }
+  if (process.env.ENVSYNC_PASSWORD)
+    return process.env.ENVSYNC_PASSWORD;
+  if (projectRoot) {
+    const passwordFile = loadEnvKeysFileSync(join2(projectRoot, ".env.password"));
+    if (env2) {
+      const envKey = `ENVSYNC_PASSWORD_${env2.toUpperCase()}`;
+      if (passwordFile[envKey])
+        return passwordFile[envKey];
+    }
+    if (passwordFile.ENVSYNC_PASSWORD)
+      return passwordFile.ENVSYNC_PASSWORD;
+  }
+  return;
 }
-var import_dotenvx;
+var import_dotenvx, ENVSYNC_PREFIX = "envsync:v1:";
 var init_encryption = __esm(() => {
   import_dotenvx = __toESM(require_main2(), 1);
 });
 
 // src/core/env-file.ts
-import { join as join2 } from "node:path";
-async function loadEnvFile(filePath, env2) {
+import { join as join3 } from "node:path";
+function parsePlainEnv(content) {
+  const result = {};
+  for (const line of content.split(`
+`)) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#"))
+      continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1)
+      continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    let value = trimmed.slice(eqIdx + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    result[key] = value;
+  }
+  return result;
+}
+async function loadEnvFile(filePath, env2, projectRoot, encryption) {
   if (!fileExists(filePath)) {
     return {};
   }
   const content = await readFile(filePath);
-  const privateKey = findPrivateKey(env2);
+  if (encryption === "password") {
+    const envMap = parsePlainEnv(content);
+    const password = findPassword(env2, projectRoot);
+    if (!password)
+      return envMap;
+    return decryptEnvMap(envMap, password);
+  }
+  const privateKey = findPrivateKey(env2, projectRoot);
   return decryptEnvContent(content, privateKey);
 }
 async function writeEnvFile(filePath, envMap) {
@@ -13087,15 +13217,15 @@ function filterForApp(envMap, app) {
 function getRootEnvPath(config, environment) {
   const pattern = config.raw.envFiles.pattern;
   const relativePath = resolveEnvFilePath(pattern, environment);
-  return join2(config.projectRoot, relativePath);
+  return join3(config.projectRoot, relativePath);
 }
 function getAppEnvPath(config, app, environment) {
   const pattern = config.raw.envFiles.pattern;
   const relativePath = resolveEnvFilePath(pattern, environment);
-  return join2(app.absolutePath, relativePath);
+  return join3(app.absolutePath, relativePath);
 }
 function getLocalOverridePath(config) {
-  return join2(config.projectRoot, config.raw.envFiles.local);
+  return join3(config.projectRoot, config.raw.envFiles.local);
 }
 var init_env_file = __esm(() => {
   init_encryption();
@@ -13104,17 +13234,19 @@ var init_env_file = __esm(() => {
 });
 
 // src/core/resolver.ts
+import { normalize } from "node:path";
 async function resolveAppEnv(config, app, environment) {
   const layers = [];
+  const encryption = config.raw.encryption;
   const rootEnvPath = getRootEnvPath(config, environment);
-  const rootEnv = await loadEnvFile(rootEnvPath, environment);
+  const rootEnv = await loadEnvFile(rootEnvPath, environment, config.projectRoot, encryption);
   if (Object.keys(rootEnv).length > 0) {
     layers.push({ source: rootEnvPath, map: rootEnv });
   }
   if (config.raw.envFiles.perApp) {
     const appEnvPath = getAppEnvPath(config, app, environment);
-    if (appEnvPath !== rootEnvPath) {
-      const appEnv = await loadEnvFile(appEnvPath, environment);
+    if (normalize(appEnvPath) !== normalize(rootEnvPath)) {
+      const appEnv = await loadEnvFile(appEnvPath, environment, config.projectRoot, encryption);
       if (Object.keys(appEnv).length > 0) {
         layers.push({ source: appEnvPath, map: appEnv });
       }
@@ -13158,7 +13290,7 @@ var exports_dev = {};
 __export(exports_dev, {
   default: () => dev_default
 });
-import { join as join3, relative } from "node:path";
+import { join as join4, relative } from "node:path";
 function parseAppNames(args) {
   const rest = args._;
   return rest?.length ? rest : undefined;
@@ -13220,7 +13352,7 @@ var init_dev = __esm(() => {
       const localEnv = await loadEnvFile(localOverridePath);
       for (const app of apps) {
         const resolved = await resolveAppEnv(config, app, environment);
-        const devVarsPath = join3(app.absolutePath, ".dev.vars");
+        const devVarsPath = join4(app.absolutePath, ".dev.vars");
         const relDevVars = relative(config.projectRoot, devVarsPath);
         if (Object.keys(resolved.map).length === 0) {
           consola.warn(`  No env vars resolved for ${app.name}. Skipping.`);
@@ -13565,7 +13697,7 @@ var init_pull = __esm(() => {
         }
         consola.info(`  Found ${remoteKeys.length} remote keys`);
         const envFilePath = getRootEnvPath(config, environment);
-        const localEnv = await loadEnvFile(envFilePath, environment);
+        const localEnv = await loadEnvFile(envFilePath, environment, config.projectRoot, config.raw.encryption);
         const localKeys = new Set(Object.keys(localEnv));
         const missingKeys = remoteKeys.filter((k2) => !localKeys.has(k2));
         if (missingKeys.length === 0) {
@@ -13590,7 +13722,7 @@ var exports_validate = {};
 __export(exports_validate, {
   default: () => validate_default
 });
-import { join as join4 } from "node:path";
+import { join as join5 } from "node:path";
 function parseAppNames4(args, skip = 1) {
   const rest = args._?.slice(skip);
   return rest?.length ? rest : undefined;
@@ -13638,7 +13770,7 @@ var init_validate = __esm(() => {
         appNames = undefined;
       }
       const apps = resolveApps(config, appNames);
-      const examplePath = join4(config.projectRoot, ".env.example");
+      const examplePath = join5(config.projectRoot, ".env.example");
       if (!fileExists(examplePath)) {
         consola.error("No .env.example found at project root.");
         process.exit(1);
@@ -13736,10 +13868,10 @@ function printDiff(entries) {
   for (const entry of entries) {
     switch (entry.status) {
       case "added":
-        consola.log(`  + ${entry.key} = ${maskValue(entry.remoteValue)}`);
+        consola.log(`  + ${entry.key} = ${maskValue(entry.localValue)}`);
         break;
       case "removed":
-        consola.log(`  - ${entry.key} = ${maskValue(entry.localValue)}`);
+        consola.log(`  - ${entry.key}`);
         break;
       case "changed":
         consola.log(`  ~ ${entry.key}`);
@@ -13917,7 +14049,7 @@ var exports_init = {};
 __export(exports_init, {
   default: () => init_default
 });
-import { join as join5, relative as relative2, basename } from "node:path";
+import { join as join6, relative as relative2, basename } from "node:path";
 function generateConfigTS(config) {
   const lines = [
     `import { defineConfig } from "cf-envsync";`,
@@ -13998,7 +14130,7 @@ var init_init = __esm(() => {
     },
     async run({ args }) {
       const cwd = process.cwd();
-      const existingConfig = CONFIG_FILES.find((f3) => fileExists(join5(cwd, f3)));
+      const existingConfig = CONFIG_FILES.find((f3) => fileExists(join6(cwd, f3)));
       if (existingConfig) {
         consola.warn(`${existingConfig} already exists.`);
         const overwrite = await consola.prompt("Overwrite?", {
@@ -14011,7 +14143,7 @@ var init_init = __esm(() => {
       }
       const encryption = await consola.prompt("Encryption method:", {
         type: "select",
-        options: ["dotenvx", "none"]
+        options: ["password", "dotenvx", "none"]
       });
       const defaultEnvs = "local, staging, production";
       const envsInput = await consola.prompt("Environments (comma-separated):", {
@@ -14031,8 +14163,8 @@ var init_init = __esm(() => {
           consola.warn("No wrangler config files found. Creating manually.");
         }
         for (const wranglerFile of wranglerFiles.sort()) {
-          const fullPath = join5(cwd, wranglerFile);
-          const appDir = join5(cwd, wranglerFile, "..");
+          const fullPath = join6(cwd, wranglerFile);
+          const appDir = join6(cwd, wranglerFile, "..");
           const appPath = relative2(cwd, appDir);
           const appName = basename(appDir);
           consola.info(`  Found ${wranglerFile}`);
@@ -14133,10 +14265,10 @@ var init_init = __esm(() => {
         apps,
         ...shared.length > 0 ? { shared } : {}
       };
-      const configPath = join5(cwd, "envsync.config.ts");
+      const configPath = join6(cwd, "envsync.config.ts");
       const tsContent = generateConfigTS(config);
       if (existingConfig && existingConfig !== "envsync.config.ts") {
-        const oldPath = join5(cwd, existingConfig);
+        const oldPath = join6(cwd, existingConfig);
         if (fileExists(oldPath)) {
           const { unlink } = await import("node:fs/promises");
           await unlink(oldPath);
@@ -14144,7 +14276,7 @@ var init_init = __esm(() => {
       }
       await writeFile(configPath, tsContent);
       consola.success("Created envsync.config.ts");
-      const examplePath = join5(cwd, ".env.example");
+      const examplePath = join6(cwd, ".env.example");
       if (!fileExists(examplePath)) {
         const allKeys = new Set;
         for (const app of Object.values(apps)) {
@@ -14167,21 +14299,21 @@ var init_init = __esm(() => {
       for (const env2 of environments) {
         if (env2 === "local")
           continue;
-        const envFile = join5(cwd, `.env.${env2}`);
+        const envFile = join6(cwd, `.env.${env2}`);
         if (!fileExists(envFile)) {
           await writeFile(envFile, `# ${env2} environment variables
 `);
           consola.success(`Created .env.${env2}`);
         }
       }
-      const rootEnv = join5(cwd, ".env");
+      const rootEnv = join6(cwd, ".env");
       if (!fileExists(rootEnv)) {
         await writeFile(rootEnv, `# Local environment variables
 `);
         consola.success("Created .env");
       }
-      const gitignorePath = join5(cwd, ".gitignore");
-      const gitignoreEntries = [".env.local", ".env.keys", "**/.dev.vars"];
+      const gitignorePath = join6(cwd, ".gitignore");
+      const gitignoreEntries = [".env.local", ".env.keys", ".env.password", "**/.dev.vars"];
       if (fileExists(gitignorePath)) {
         const existing = await readFile(gitignorePath);
         const toAdd = gitignoreEntries.filter((e2) => !existing.includes(e2));
@@ -14201,7 +14333,7 @@ var init_init = __esm(() => {
 `);
         consola.success(`Created .gitignore`);
       }
-      const gitattrsPath = join5(cwd, ".gitattributes");
+      const gitattrsPath = join6(cwd, ".gitattributes");
       const mergeDriverLines = `.env merge=envsync
 .env.* merge=envsync
 `;
@@ -14217,7 +14349,7 @@ var init_init = __esm(() => {
         await writeFile(gitattrsPath, mergeDriverLines);
         consola.success("Created .gitattributes with merge driver");
       }
-      const gitConfigPath = join5(cwd, ".git", "config");
+      const gitConfigPath = join6(cwd, ".git", "config");
       if (fileExists(gitConfigPath)) {
         const gitConfig = await readFile(gitConfigPath);
         if (!gitConfig.includes('[merge "envsync"]')) {
@@ -14232,14 +14364,18 @@ var init_init = __esm(() => {
       }
       consola.info(`
 Next steps:`);
-      if (encryption === "dotenvx") {
+      if (encryption === "password") {
+        consola.info('  1. Set a password: echo "ENVSYNC_PASSWORD=your-secret" > .env.password');
+        consola.info("  2. Add values to your .env files (plain KEY=VALUE)");
+        consola.info("  3. envsync encrypt staging  (encrypts plain values in .env.staging)");
+      } else if (encryption === "dotenvx") {
         consola.info('  1. dotenvx set DATABASE_URL "value" -f .env');
         for (const env2 of environments.filter((e2) => e2 !== "local")) {
           consola.info(`  2. dotenvx set DATABASE_URL "${env2}_value" -f .env.${env2}`);
         }
       }
-      consola.info(`  3. echo "OAUTH_REDIRECT_URL=https://your-tunnel/callback" >> .env.local`);
-      consola.info("  4. envsync dev");
+      consola.info(`  ${encryption === "password" ? "4" : "3"}. echo "OAUTH_REDIRECT_URL=https://your-tunnel/callback" >> .env.local`);
+      consola.info(`  ${encryption === "password" ? "5" : "4"}. envsync dev`);
     }
   });
 });
@@ -14333,6 +14469,10 @@ var init_normalize = __esm(() => {
 // src/commands/merge.ts
 var exports_merge = {};
 __export(exports_merge, {
+  parseEnvLines: () => parseEnvLines,
+  isPasswordEncrypted: () => isPasswordEncrypted,
+  isEncrypted: () => isEncrypted,
+  isDotenvxEncrypted: () => isDotenvxEncrypted,
   default: () => merge_default
 });
 function parseEnvLines(content) {
@@ -14353,9 +14493,15 @@ function parseEnvLines(content) {
     };
   });
 }
-function isEncrypted(content) {
+function isDotenvxEncrypted(content) {
   return content.includes("encrypted:");
 }
+function isPasswordEncrypted(content) {
+  return content.includes("envsync:v1:");
+}
+function isEncrypted(content) {
+  return isDotenvxEncrypted(content) || isPasswordEncrypted(content);
+}
 var merge_default;
 var init_merge = __esm(() => {
   init_dist();
@@ -14391,11 +14537,24 @@ var init_merge = __esm(() => {
         readFile(args.ours),
         readFile(args.theirs)
       ]);
-      const wasEncrypted = isEncrypted(oursContent);
-      const privateKey = findPrivateKey();
-      const baseParsed = isEncrypted(baseContent) ? decryptEnvContent(baseContent, privateKey) : Object.fromEntries(parseEnvLines(baseContent).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
-      const oursParsed = isEncrypted(oursContent) ? decryptEnvContent(oursContent, privateKey) : Object.fromEntries(parseEnvLines(oursContent).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
-      const theirsParsed = isEncrypted(theirsContent) ? decryptEnvContent(theirsContent, privateKey) : Object.fromEntries(parseEnvLines(theirsContent).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
+      const wasDotenvx = isDotenvxEncrypted(oursContent);
+      const wasPassword = isPasswordEncrypted(oursContent);
+      const wasEncrypted = wasDotenvx || wasPassword;
+      const privateKey = findPrivateKey(undefined, process.cwd());
+      const password = findPassword(undefined, process.cwd());
+      function decryptContent(content) {
+        if (isPasswordEncrypted(content)) {
+          const plain = Object.fromEntries(parseEnvLines(content).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
+          return password ? decryptEnvMap(plain, password) : plain;
+        }
+        if (isDotenvxEncrypted(content)) {
+          return decryptEnvContent(content, privateKey);
+        }
+        return Object.fromEntries(parseEnvLines(content).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
+      }
+      const baseParsed = decryptContent(baseContent);
+      const oursParsed = decryptContent(oursContent);
+      const theirsParsed = decryptContent(theirsContent);
       const baseMap = new Map(Object.entries(baseParsed));
       const oursMap = new Map(Object.entries(oursParsed));
       const theirsMap = new Map(Object.entries(theirsParsed));
@@ -14452,10 +14611,19 @@ var init_merge = __esm(() => {
 `) + `
 `;
       if (wasEncrypted && !hasConflicts) {
-        await writeFile(args.ours, mergedContent);
-        const result = await exec(["dotenvx", "encrypt", "-f", args.ours]);
-        if (!result.success) {
-          consola.warn("Could not re-encrypt merged file:", result.stderr);
+        if (wasPassword && password) {
+          const plainMap = Object.fromEntries(parseEnvLines(mergedContent).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
+          const encrypted = encryptEnvMap(plainMap, password);
+          const encLines = Object.entries(encrypted).map(([k2, v2]) => `${k2}=${v2}`);
+          await writeFile(args.ours, encLines.join(`
+`) + `
+`);
+        } else {
+          await writeFile(args.ours, mergedContent);
+          const result = await exec(["dotenvx", "encrypt", "-f", args.ours]);
+          if (!result.success) {
+            consola.warn("Could not re-encrypt merged file:", result.stderr);
+          }
         }
       } else {
         await writeFile(args.ours, mergedContent);
@@ -14612,6 +14780,124 @@ var init_list = __esm(() => {
   });
 });
 
+// src/commands/encrypt.ts
+var exports_encrypt = {};
+__export(exports_encrypt, {
+  default: () => encrypt_default
+});
+function parseLines(content) {
+  return content.split(`
+`).map((line) => {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#")) {
+      return { raw: line };
+    }
+    const eqIdx = line.indexOf("=");
+    if (eqIdx === -1) {
+      return { raw: line };
+    }
+    return {
+      key: line.slice(0, eqIdx).trim(),
+      value: line.slice(eqIdx + 1),
+      raw: line
+    };
+  });
+}
+var encrypt_default;
+var init_encrypt = __esm(() => {
+  init_dist();
+  init_dist2();
+  init_config();
+  init_env_file();
+  init_fs();
+  init_encryption();
+  encrypt_default = defineCommand({
+    meta: {
+      name: "encrypt",
+      description: "Encrypt plain .env values with password encryption"
+    },
+    args: {
+      env: {
+        type: "positional",
+        description: "Target environment (e.g. staging, production)",
+        required: true
+      },
+      "dry-run": {
+        type: "boolean",
+        description: "Preview changes without writing",
+        default: false
+      }
+    },
+    async run({ args }) {
+      const environment = args.env;
+      const rawConfig = await loadConfig();
+      const errors = validateConfig(rawConfig);
+      if (errors.length > 0) {
+        for (const err of errors)
+          consola.error(err);
+        process.exit(1);
+      }
+      const config = resolveConfig(rawConfig);
+      if (config.raw.encryption !== "password") {
+        consola.error('encrypt command requires encryption: "password" in config.');
+        process.exit(1);
+      }
+      if (!config.environments.includes(environment)) {
+        consola.error(`Unknown environment: "${environment}". Available: ${config.environments.join(", ")}`);
+        process.exit(1);
+      }
+      const password = findPassword(environment, config.projectRoot);
+      if (!password) {
+        consola.error(`No password found. Set ENVSYNC_PASSWORD or ENVSYNC_PASSWORD_${environment.toUpperCase()}, or create .env.password`);
+        process.exit(1);
+      }
+      const envFilePath = getRootEnvPath(config, environment);
+      if (!fileExists(envFilePath)) {
+        consola.error(`File not found: ${envFilePath}`);
+        process.exit(1);
+      }
+      const content = await readFile(envFilePath);
+      const lines = parseLines(content);
+      let encryptedCount = 0;
+      let skippedCount = 0;
+      const outputLines = [];
+      for (const line of lines) {
+        if (!line.key || line.value === undefined) {
+          outputLines.push(line.raw);
+          continue;
+        }
+        const value = line.value.trim();
+        if (isEnvsyncEncrypted(value) || value === "") {
+          outputLines.push(line.raw);
+          skippedCount++;
+          continue;
+        }
+        let plainValue = value;
+        if (plainValue.startsWith('"') && plainValue.endsWith('"') || plainValue.startsWith("'") && plainValue.endsWith("'")) {
+          plainValue = plainValue.slice(1, -1);
+        }
+        const encrypted = encryptValue(plainValue, password);
+        outputLines.push(`${line.key}=${encrypted}`);
+        encryptedCount++;
+        consola.log(`  ${line.key}: encrypted`);
+      }
+      if (encryptedCount === 0) {
+        consola.info("No values to encrypt.");
+        return;
+      }
+      const dryRun = args["dry-run"];
+      if (dryRun) {
+        consola.info(`[dry-run] Would encrypt ${encryptedCount} values in ${envFilePath}`);
+        return;
+      }
+      await writeFile(envFilePath, outputLines.join(`
+`) + `
+`);
+      consola.success(`Encrypted ${encryptedCount} values in ${envFilePath} (${skippedCount} skipped)`);
+    }
+  });
+});
+
 // src/index.ts
 init_dist();
 var main = defineCommand({
@@ -14629,7 +14915,8 @@ var main = defineCommand({
     init: () => Promise.resolve().then(() => (init_init(), exports_init)).then((m2) => m2.default),
     normalize: () => Promise.resolve().then(() => (init_normalize(), exports_normalize)).then((m2) => m2.default),
     merge: () => Promise.resolve().then(() => (init_merge(), exports_merge)).then((m2) => m2.default),
-    list: () => Promise.resolve().then(() => (init_list(), exports_list)).then((m2) => m2.default)
+    list: () => Promise.resolve().then(() => (init_list(), exports_list)).then((m2) => m2.default),
+    encrypt: () => Promise.resolve().then(() => (init_encrypt(), exports_encrypt)).then((m2) => m2.default)
   }
 });
 runMain(main);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cf-envsync",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Sync .env files to Cloudflare Workers secrets, .dev.vars, and more",
   "type": "module",
   "exports": {
@@ -18,7 +18,8 @@
     "dev": "bun run src/index.ts",
     "build": "bun build src/index.ts --outdir dist --target node --external jiti",
     "prepublishOnly": "bun run build",
-    "test": "bun test"
+    "test": "bun test",
+    "test:coverage": "bun test --coverage"
   },
   "peerDependencies": {
     "wrangler": ">=3"

package/src/types/config.ts

@@ -14,7 +14,7 @@ export interface EnvSyncConfig {
   };
 
   /** Encryption method */
-  encryption: "dotenvx" | "none";
+  encryption: "dotenvx" | "password" | "none";
 
   /** App definitions */
   apps: Record<string, AppConfig>;