npm - cf-envsync - Versions diffs - 0.2.0 → 0.3.1 - Mend

cf-envsync 0.2.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -7,6 +7,20 @@
 <h1 align="center">envsync</h1>
+<p align="center">
+  <a href="https://www.npmjs.com/package/cf-envsync"><img src="https://img.shields.io/npm/v/cf-envsync.svg" alt="npm version" /></a>
+  <a href="https://www.npmjs.com/package/cf-envsync"><img src="https://img.shields.io/npm/dm/cf-envsync.svg" alt="npm downloads" /></a>
+  <a href="https://github.com/hakkokimkr/cf-envsync/blob/main/LICENSE"><img src="https://img.shields.io/npm/l/cf-envsync.svg" alt="license" /></a>
+  <a href="https://github.com/hakkokimkr/cf-envsync"><img src="https://img.shields.io/github/stars/hakkokimkr/cf-envsync.svg?style=social" alt="GitHub stars" /></a>
+</p>
+<p align="center">
+  <a href="https://nodejs.org/"><img src="https://img.shields.io/node/v/cf-envsync.svg" alt="node version" /></a>
+  <a href="https://github.com/hakkokimkr/cf-envsync"><img src="https://img.shields.io/github/last-commit/hakkokimkr/cf-envsync.svg" alt="last commit" /></a>
+  <a href="https://github.com/hakkokimkr/cf-envsync/issues"><img src="https://img.shields.io/github/issues/hakkokimkr/cf-envsync.svg" alt="issues" /></a>
+  <img src="https://img.shields.io/badge/TypeScript-100%25-blue.svg" alt="TypeScript" />
+</p>
 <p align="center">
   One <code>.env</code> file. Every Worker. Every environment.<br />
   No SaaS. No dashboard. Just your repo.
@@ -75,7 +89,136 @@ envsync validate
 - [Node.js](https://nodejs.org) >= 18 or [Bun](https://bun.sh)
 - [wrangler](https://developers.cloudflare.com/workers/wrangler/) CLI (peer dependency, for push/pull/diff)
-- [dotenvx](https://dotenvx.com) (optional, for encryption)
+- [dotenvx](https://dotenvx.com) (optional, only if using `encryption: "dotenvx"`)
+---
+## 5-Minute Tutorial
+A complete walkthrough: project setup → local dev → deploy to staging → validate.
+### 1. Initialize your project
+```bash
+# In your monorepo root
+npm install -D cf-envsync
+envsync init --monorepo
+```
+This scans for `wrangler.jsonc` files, discovers your workers, and generates:
+```
+envsync.config.ts   ← config with all apps/workers detected
+.env.example        ← key reference (committed to git)
+.env                ← local shared secrets
+.env.staging        ← staging secrets (empty, you'll fill these)
+.env.production     ← production secrets (empty)
+.gitignore          ← updated with .env.local, .env.password, **/.dev.vars
+```
+### 2. Fill in your secrets
+```bash
+# .env — local development values (committed, encrypted)
+DATABASE_URL=postgres://localhost:5432/mydb
+JWT_SECRET=dev_jwt_secret
+AUTH_SECRET=dev_auth_secret
+API_URL=http://localhost:8787
+# .env.staging — staging values
+DATABASE_URL=postgres://staging-db.example.com/mydb
+JWT_SECRET=staging_jwt_secret_abc
+AUTH_SECRET=staging_auth_secret_xyz
+API_URL=https://api-staging.example.com
+# .env.local — YOUR dev-specific overrides (gitignored, each dev has their own)
+OAUTH_REDIRECT_URL=https://my-tunnel.ngrok.io/callback
+DEV_TUNNEL_URL=https://my-tunnel.ngrok.io
+```
+### 3. Encrypt before committing (optional)
+```bash
+# Set a password
+echo "ENVSYNC_PASSWORD=my-team-password" > .env.password
+# Encrypt all plain values
+envsync encrypt staging
+envsync encrypt production
+# Now .env.staging looks like:
+# DATABASE_URL=envsync:v1:base64payload...
+# JWT_SECRET=envsync:v1:base64payload...
+```
+### 4. Local development
+```bash
+envsync dev
+```
+This reads `.env` + `.env.local`, merges them, and writes `.dev.vars` into each app directory. Start wrangler as usual — it reads `.dev.vars` automatically.
+```
+apps/api/.dev.vars      ← DATABASE_URL, JWT_SECRET, API_URL, OAUTH_REDIRECT_URL
+apps/web/.dev.vars      ← AUTH_SECRET, VITE_API_URL, VITE_OAUTH_REDIRECT_URL
+```
+> **Vite / non-wrangler apps:** `.dev.vars` is for wrangler only. If your app runs with `vite dev`, set `devFile` in your config:
+>
+> ```ts
+> apps: {
+>   web: {
+>     path: "apps/web",
+>     devFile: ".env.local",          // Vite reads this
+>     // or generate both:
+>     // devFile: [".dev.vars", ".env.local"],
+>   },
+> }
+> ```
+If you forgot to set a per-dev override, envsync tells you:
+```
+⚠ Missing in .env.local: DEV_TUNNEL_URL (required per-dev override)
+  → echo "DEV_TUNNEL_URL=https://your-tunnel.example.com" >> .env.local
+```
+### 5. Push to staging
+```bash
+# Preview first
+envsync push staging --dry-run
+# Push for real
+envsync push staging
+#   Push 4 secrets to worker "my-api-staging" (staging)? yes
+#   ✓ Pushed 4 secrets to my-api-staging
+#   Push 1 secrets to worker "my-web-staging" (staging)? yes
+#   ✓ Pushed 1 secrets to my-web-staging
+```
+### 6. Validate before deploying
+```bash
+envsync validate
+# Checks every app × every environment against .env.example
+# Exit code 1 if anything is missing → safe for CI
+```
+### 7. CI/CD integration
+```yaml
+# GitHub Actions example
+- name: Validate env vars
+  run: envsync validate
+- name: Push secrets to production
+  run: envsync push production --force
+  env:
+    ENVSYNC_PASSWORD: ${{ secrets.ENVSYNC_PASSWORD }}
+    CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+```
 ---
@@ -116,6 +259,8 @@ Done!
 Every key shows exactly where its value came from. Missing per-dev overrides are caught immediately.
+> **Vite / non-wrangler apps:** Set `devFile: ".env.local"` in your app config. See [the tutorial](#4-local-development).
 ---
 ### `envsync push` — Deploy secrets
@@ -270,10 +415,11 @@ envsync init --monorepo    # Scans for wrangler.jsonc files
 ```
 What it does:
+- Asks for encryption method (`password`, `dotenvx`, or `none`)
 - Scans `wrangler.jsonc` files to discover workers and environments
 - Detects shared secrets across apps
 - Creates `envsync.config.ts`, `.env.example`, and empty `.env.{environment}` files
-- Adds `.env.local`, `.env.keys`, `**/.dev.vars` to `.gitignore`
+- Adds `.env.local`, `.env.keys`, `.env.password`, `**/.dev.vars` to `.gitignore`
 - Registers the custom Git merge driver in `.gitattributes`
 ---
@@ -289,9 +435,33 @@ envsync normalize .env.staging # Specific file
 ---
+### `envsync encrypt` — Encrypt plain values
+Encrypts plain-text values in a `.env` file using password-based encryption (AES-256-GCM). Only available when `encryption: "password"`.
+```bash
+envsync encrypt staging           # Encrypt all plain values in .env.staging
+envsync encrypt production        # Encrypt .env.production
+envsync encrypt staging --dry-run # Preview without writing
+```
+```
+$ envsync encrypt staging
+  DATABASE_URL: encrypted
+  API_KEY: encrypted
+  JWT_SECRET: encrypted
+Encrypted 3 values in .env.staging (0 skipped)
+```
+Already-encrypted and empty values are skipped automatically.
+---
 ### `envsync merge` — Git merge driver
-A 3-way merge driver that understands dotenvx encryption. Registered automatically by `envsync init`.
+A 3-way merge driver that understands both dotenvx and password encryption. Registered automatically by `envsync init`.
 ```
 # .gitattributes (auto-generated)
@@ -301,10 +471,10 @@ A 3-way merge driver that understands dotenvx encryption. Registered automatical
 How it works:
-1. Decrypts all three versions (base, ours, theirs)
+1. Decrypts all three versions (base, ours, theirs) — supports both dotenvx and password encryption
 2. 3-way merge at the **key level** — not the encrypted ciphertext
 3. Only real conflicts get conflict markers
-4. Re-encrypts the merged result
+4. Re-encrypts the merged result (password mode uses `encryptEnvMap`, dotenvx uses `dotenvx encrypt`)
 No more fake conflicts from identical values with different ciphertext.
@@ -415,11 +585,12 @@ export default {
 | `envFiles.pattern` | `string` | File naming pattern. `{env}` is replaced. `local` falls back to `.env` |
 | `envFiles.local` | `string` | Per-developer override file (gitignored) |
 | `envFiles.perApp` | `boolean` | Allow per-app `.env.{env}` files for app-specific overrides |
-| `encryption` | `"dotenvx" \| "none"` | Encryption method for `.env` files |
+| `encryption` | `"password" \| "dotenvx" \| "none"` | Encryption method for `.env` files |
 | `apps.{name}.path` | `string` | Path to app directory relative to project root |
 | `apps.{name}.workers` | `Record<string, string>` | Worker name per environment |
 | `apps.{name}.secrets` | `string[]` | Secret keys pushed via `wrangler secret bulk` |
 | `apps.{name}.vars` | `string[]` | Non-secret env vars (not pushed as secrets) |
+| `apps.{name}.devFile` | `string \| string[]` | Output file(s) for `envsync dev`. Default: `".dev.vars"`. Use `".env.local"` for Vite apps, or an array for both |
 | `shared` | `string[]` | Keys with the same value across multiple apps |
 | `local.overrides` | `string[]` | Keys each developer must set in `.env.local` |
 | `local.perApp` | `Record<string, string[]>` | Per-app developer override keys |
@@ -428,6 +599,48 @@ export default {
 Config file search order: `envsync.config.ts` > `.js` > `.mjs` > `envsync.json` > `envsync.jsonc`
+### Encryption
+envsync supports three encryption modes:
+| Mode | How it works | Dependencies |
+|------|-------------|--------------|
+| `"password"` | AES-256-GCM, per-value encryption with a shared password. Values stored as `envsync:v1:{base64}`. | None (uses `node:crypto`) |
+| `"dotenvx"` | ECIES public/private key encryption via dotenvx CLI. | `dotenvx` CLI |
+| `"none"` | No encryption. `.env` files stored in plain text. | None |
+#### Password encryption
+Per-value encryption means each key-value pair is encrypted independently — git diffs are readable at the key level, and merges work cleanly.
+```
+# .env.staging (committed, encrypted)
+DATABASE_URL=envsync:v1:base64encodedpayload...
+API_KEY=envsync:v1:base64encodedpayload...
+```
+**Password source** (checked in order):
+1. `ENVSYNC_PASSWORD_{ENV}` env var (e.g. `ENVSYNC_PASSWORD_STAGING`)
+2. `ENVSYNC_PASSWORD` env var (generic fallback)
+3. `.env.password` file with `ENVSYNC_PASSWORD_{ENV}=xxx` (env-specific)
+4. `.env.password` file with `ENVSYNC_PASSWORD=xxx` (generic fallback)
+```bash
+# Quick setup
+echo "ENVSYNC_PASSWORD=your-strong-password" > .env.password
+# Or per-environment passwords
+cat > .env.password << 'EOF'
+ENVSYNC_PASSWORD_STAGING=staging-password
+ENVSYNC_PASSWORD_PRODUCTION=production-password
+EOF
+# Encrypt plain values
+envsync encrypt staging
+envsync encrypt production
+```
 ### File structure
 ```
@@ -440,6 +653,7 @@ project/
 ├── .env.local                      # Per-developer overrides (gitignored)
 ├── .env.example                    # Key reference (committed)
 ├── .env.keys                       # dotenvx private keys (gitignored)
+├── .env.password                   # Password encryption keys (gitignored)
 │
 ├── apps/
 │   ├── api/
@@ -454,7 +668,7 @@ project/
 │       ├── .dev.vars               # ← generated
 │       └── .env                    # app-specific secrets (YOUTUBE_API_KEY, etc.)
 │
-└── .gitignore                      # .env.local, .env.keys, **/.dev.vars
+└── .gitignore                      # .env.local, .env.keys, .env.password, **/.dev.vars
 ```
 ### Merge priority
@@ -501,12 +715,39 @@ export default defineConfig({
 <tr><td><strong>.dev.vars</strong></td><td>Local dev secrets</td><td>Doesn't sync with anything</td></tr>
 </table>
-**envsync** fills the gap: encrypted `.env` files as the single source of truth, synced to every target — Workers secrets, `.dev.vars`, validation — with monorepo and multi-environment support built in.
+**envsync** fills the gap: encrypted `.env` files as the single source of truth, synced to every target — Workers secrets, `.dev.vars`, validation — with monorepo and multi-environment support built in. Choose password encryption (zero dependencies, per-value, merge-friendly) or dotenvx (ECIES key pairs).
 No SaaS. No dashboard. Just a CLI, your `.env` files, and Cloudflare's API.
 ---
+## Testing
+150 tests across 20 files covering utils, core modules, and all 10 commands.
+```bash
+bun test              # Run tests
+bun test --coverage   # Run with coverage report
+```
+### Coverage
+| File | % Funcs | % Lines |
+|------|---------|---------|
+| **All files** | **83.93** | **76.13** |
+| src/core/resolver.ts | 100.00 | 100.00 |
+| src/core/wrangler.ts | 100.00 | 100.00 |
+| src/core/env-file.ts | 100.00 | 98.65 |
+| src/core/encryption.ts | 100.00 | 95.65 |
+| src/utils/fs.ts | 100.00 | 97.44 |
+| src/core/config.ts | 71.43 | 76.23 |
+| src/commands/merge.ts | 75.00 | 28.40 |
+| src/utils/output.ts | 25.00 | 12.70 |
+> `merge.ts` and `output.ts` line coverage is lower because their command handlers and print functions are tested via CLI integration tests (spawned subprocesses), which bun's coverage instrumentation does not trace into.
+---
 ## Tech Stack
 | | |
@@ -515,7 +756,7 @@ No SaaS. No dashboard. Just a CLI, your `.env` files, and Cloudflare's API.
 | **CLI framework** | [citty](https://github.com/unjs/citty) |
 | **Output** | [consola](https://github.com/unjs/consola) |
 | **Config loading** | [jiti](https://github.com/unjs/jiti) |
-| **Encryption** | [@dotenvx/dotenvx](https://dotenvx.com) |
+| **Encryption** | `node:crypto` AES-256-GCM (password mode) / [@dotenvx/dotenvx](https://dotenvx.com) (dotenvx mode) |
 | **CF Secrets** | [wrangler](https://developers.cloudflare.com/workers/wrangler/) CLI (shell out) |
 ---

package/dist/index.js CHANGED Viewed

@@ -2315,11 +2315,13 @@ function resolveConfig(config, cwd) {
         allKeys.push(key);
       }
     }
+    const devFiles = app.devFile ? Array.isArray(app.devFile) ? app.devFile : [app.devFile] : [".dev.vars"];
     apps[name] = {
       ...app,
       name,
       absolutePath: resolve2(projectRoot, app.path),
-      allKeys
+      allKeys,
+      devFiles
     };
   }
   return {
@@ -2333,15 +2335,23 @@ function resolveApps(config, appNames) {
   if (!appNames || appNames.length === 0) {
     return Object.values(config.apps);
   }
+  const available = Object.keys(config.apps);
   const resolved = [];
+  const unknown = [];
   for (const name of appNames) {
     const app = config.apps[name];
     if (!app) {
-      consola.warn(`Unknown app: "${name}". Skipping.`);
+      unknown.push(name);
       continue;
     }
     resolved.push(app);
   }
+  if (unknown.length > 0) {
+    for (const name of unknown) {
+      consola.error(`Unknown app: "${name}". Available: ${available.join(", ")}`);
+    }
+    process.exit(1);
+  }
   return resolved;
 }
 function getWorkerName(app, environment) {
@@ -13007,6 +13017,9 @@ var require_main2 = __commonJS((exports, module) => {
 });
 // src/core/encryption.ts
+import { readFileSync } from "node:fs";
+import { join as join2 } from "node:path";
+import { scryptSync, randomBytes, createCipheriv, createDecipheriv } from "node:crypto";
 function decryptEnvContent(content, privateKey) {
   if (privateKey) {
     const prev = process.env.DOTENV_PRIVATE_KEY;
@@ -13023,27 +13036,164 @@ function decryptEnvContent(content, privateKey) {
   }
   return import_dotenvx.parse(content);
 }
-function findPrivateKey(env2) {
+function loadEnvKeysFileSync(filePath) {
+  try {
+    const content = readFileSync(filePath, "utf-8");
+    const result = {};
+    for (const line of content.split(`
+`)) {
+      const trimmed = line.trim();
+      if (trimmed === "" || trimmed.startsWith("#"))
+        continue;
+      const eqIdx = trimmed.indexOf("=");
+      if (eqIdx === -1)
+        continue;
+      const key = trimmed.slice(0, eqIdx).trim();
+      let value = trimmed.slice(eqIdx + 1).trim();
+      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+        value = value.slice(1, -1);
+      }
+      result[key] = value;
+    }
+    return result;
+  } catch {
+    return {};
+  }
+}
+function findPrivateKey(env2, projectRoot) {
   if (env2) {
     const envKey = `DOTENV_PRIVATE_KEY_${env2.toUpperCase()}`;
     if (process.env[envKey])
       return process.env[envKey];
   }
-  return process.env.DOTENV_PRIVATE_KEY;
+  if (process.env.DOTENV_PRIVATE_KEY)
+    return process.env.DOTENV_PRIVATE_KEY;
+  if (projectRoot) {
+    const keysFile = loadEnvKeysFileSync(join2(projectRoot, ".env.keys"));
+    if (env2) {
+      const envKey = `DOTENV_PRIVATE_KEY_${env2.toUpperCase()}`;
+      if (keysFile[envKey])
+        return keysFile[envKey];
+    }
+    if (keysFile.DOTENV_PRIVATE_KEY)
+      return keysFile.DOTENV_PRIVATE_KEY;
+  }
+  return;
+}
+function isEnvsyncEncrypted(value) {
+  return value.startsWith(ENVSYNC_PREFIX);
+}
+function encryptValue(plaintext, password) {
+  const salt = randomBytes(16);
+  const iv = randomBytes(12);
+  const key = scryptSync(password, salt, 32);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const payload = Buffer.concat([salt, iv, encrypted, tag]);
+  return ENVSYNC_PREFIX + payload.toString("base64");
+}
+function decryptValue(token, password) {
+  if (!token.startsWith(ENVSYNC_PREFIX)) {
+    throw new Error("Not an envsync-encrypted value");
+  }
+  const payload = Buffer.from(token.slice(ENVSYNC_PREFIX.length), "base64");
+  const salt = payload.subarray(0, 16);
+  const iv = payload.subarray(16, 28);
+  const tag = payload.subarray(payload.length - 16);
+  const encrypted = payload.subarray(28, payload.length - 16);
+  const key = scryptSync(password, salt, 32);
+  const decipher = createDecipheriv("aes-256-gcm", key, iv);
+  decipher.setAuthTag(tag);
+  return decipher.update(encrypted) + decipher.final("utf8");
+}
+function decryptEnvMap(envMap, password) {
+  const result = {};
+  for (const [key, value] of Object.entries(envMap)) {
+    result[key] = isEnvsyncEncrypted(value) ? decryptValue(value, password) : value;
+  }
+  return result;
+}
+function encryptEnvMap(envMap, password) {
+  const result = {};
+  for (const [key, value] of Object.entries(envMap)) {
+    if (isEnvsyncEncrypted(value) || value === "") {
+      result[key] = value;
+    } else {
+      result[key] = encryptValue(value, password);
+    }
+  }
+  return result;
+}
+function findPassword(env2, projectRoot) {
+  if (env2) {
+    const envKey = `ENVSYNC_PASSWORD_${env2.toUpperCase()}`;
+    if (process.env[envKey])
+      return process.env[envKey];
+  }
+  if (process.env.ENVSYNC_PASSWORD)
+    return process.env.ENVSYNC_PASSWORD;
+  if (projectRoot) {
+    const passwordFile = loadEnvKeysFileSync(join2(projectRoot, ".env.password"));
+    if (env2) {
+      const envKey = `ENVSYNC_PASSWORD_${env2.toUpperCase()}`;
+      if (passwordFile[envKey])
+        return passwordFile[envKey];
+    }
+    if (passwordFile.ENVSYNC_PASSWORD)
+      return passwordFile.ENVSYNC_PASSWORD;
+  }
+  return;
 }
-var import_dotenvx;
+var import_dotenvx, ENVSYNC_PREFIX = "envsync:v1:";
 var init_encryption = __esm(() => {
   import_dotenvx = __toESM(require_main2(), 1);
 });
 // src/core/env-file.ts
-import { join as join2 } from "node:path";
-async function loadEnvFile(filePath, env2) {
+import { join as join3 } from "node:path";
+function parsePlainEnv(content) {
+  const result = {};
+  for (const line of content.split(`
+`)) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#"))
+      continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1)
+      continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    let value = trimmed.slice(eqIdx + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1);
+    }
+    result[key] = value;
+  }
+  return result;
+}
+async function loadEnvFile(filePath, env2, projectRoot, encryption) {
   if (!fileExists(filePath)) {
     return {};
   }
   const content = await readFile(filePath);
-  const privateKey = findPrivateKey(env2);
+  if (encryption) {
+    const hasEnvsyncValues = content.includes("envsync:v1:");
+    const hasDotenvxValues = content.includes("encrypted:");
+    if (encryption === "dotenvx" && hasEnvsyncValues) {
+      consola.warn(`${filePath}: config uses encryption: "dotenvx" but file contains "envsync:v1:" (password-encrypted) values. ` + `Check your encryption setting.`);
+    }
+    if (encryption === "password" && hasDotenvxValues && !hasEnvsyncValues) {
+      consola.warn(`${filePath}: config uses encryption: "password" but file contains dotenvx-encrypted values. ` + `Check your encryption setting.`);
+    }
+  }
+  if (encryption === "password") {
+    const envMap = parsePlainEnv(content);
+    const password = findPassword(env2, projectRoot);
+    if (!password)
+      return envMap;
+    return decryptEnvMap(envMap, password);
+  }
+  const privateKey = findPrivateKey(env2, projectRoot);
   return decryptEnvContent(content, privateKey);
 }
 async function writeEnvFile(filePath, envMap) {
@@ -13087,34 +13237,41 @@ function filterForApp(envMap, app) {
 function getRootEnvPath(config, environment) {
   const pattern = config.raw.envFiles.pattern;
   const relativePath = resolveEnvFilePath(pattern, environment);
-  return join2(config.projectRoot, relativePath);
+  return join3(config.projectRoot, relativePath);
 }
 function getAppEnvPath(config, app, environment) {
   const pattern = config.raw.envFiles.pattern;
   const relativePath = resolveEnvFilePath(pattern, environment);
-  return join2(app.absolutePath, relativePath);
+  return join3(app.absolutePath, relativePath);
 }
 function getLocalOverridePath(config) {
-  return join2(config.projectRoot, config.raw.envFiles.local);
+  return join3(config.projectRoot, config.raw.envFiles.local);
 }
 var init_env_file = __esm(() => {
+  init_dist2();
   init_encryption();
   init_config();
   init_fs();
 });
 // src/core/resolver.ts
+import { normalize, relative } from "node:path";
 async function resolveAppEnv(config, app, environment) {
   const layers = [];
+  const encryption = config.raw.encryption;
   const rootEnvPath = getRootEnvPath(config, environment);
-  const rootEnv = await loadEnvFile(rootEnvPath, environment);
+  if (!fileExists(rootEnvPath) && environment !== "local" && !warnedMissingFiles.has(rootEnvPath)) {
+    warnedMissingFiles.add(rootEnvPath);
+    consola.warn(`Missing env file: ${relative(config.projectRoot, rootEnvPath)} (create it or run \`envsync init\`)`);
+  }
+  const rootEnv = await loadEnvFile(rootEnvPath, environment, config.projectRoot, encryption);
   if (Object.keys(rootEnv).length > 0) {
     layers.push({ source: rootEnvPath, map: rootEnv });
   }
   if (config.raw.envFiles.perApp) {
     const appEnvPath = getAppEnvPath(config, app, environment);
-    if (appEnvPath !== rootEnvPath) {
-      const appEnv = await loadEnvFile(appEnvPath, environment);
+    if (normalize(appEnvPath) !== normalize(rootEnvPath)) {
+      const appEnv = await loadEnvFile(appEnvPath, environment, config.projectRoot, encryption);
       if (Object.keys(appEnv).length > 0) {
         layers.push({ source: appEnvPath, map: appEnv });
       }
@@ -13149,8 +13306,12 @@ function findMissingOverrides(config, app, localEnv) {
   }
   return missing;
 }
+var warnedMissingFiles;
 var init_resolver = __esm(() => {
+  init_dist2();
   init_env_file();
+  init_fs();
+  warnedMissingFiles = new Set;
 });
 // src/commands/dev.ts
@@ -13158,13 +13319,13 @@ var exports_dev = {};
 __export(exports_dev, {
   default: () => dev_default
 });
-import { join as join3, relative } from "node:path";
+import { join as join4, relative as relative2 } from "node:path";
 function parseAppNames(args) {
   const rest = args._;
   return rest?.length ? rest : undefined;
 }
 function formatSource(source, key, projectRoot, sharedKeys, localOverrideKeys) {
-  const rel = relative(projectRoot, source);
+  const rel = relative2(projectRoot, source);
   if (localOverrideKeys.has(key))
     return `${rel} (per-dev override)`;
   if (sharedKeys.has(key))
@@ -13220,26 +13381,21 @@ var init_dev = __esm(() => {
       const localEnv = await loadEnvFile(localOverridePath);
       for (const app of apps) {
         const resolved = await resolveAppEnv(config, app, environment);
-        const devVarsPath = join3(app.absolutePath, ".dev.vars");
-        const relDevVars = relative(config.projectRoot, devVarsPath);
         if (Object.keys(resolved.map).length === 0) {
           consola.warn(`  No env vars resolved for ${app.name}. Skipping.`);
           continue;
         }
-        if (args["dry-run"]) {
-          consola.log(`
-  ${relDevVars}`);
-          for (let i2 = 0;i2 < resolved.entries.length; i2++) {
-            const entry = resolved.entries[i2];
-            const isLast = i2 === resolved.entries.length - 1;
-            const prefix = isLast ? "└" : "├";
-            const src2 = formatSource(entry.source, entry.key, config.projectRoot, sharedKeys, localOverrideKeys);
-            consola.log(`  ${prefix} ${entry.key.padEnd(24)} ← ${src2}`);
+        for (const devFileName of app.devFiles) {
+          const devFilePath = join4(app.absolutePath, devFileName);
+          const relDevFile = relative2(config.projectRoot, devFilePath);
+          if (args["dry-run"]) {
+            consola.log(`
+  ${relDevFile}`);
+          } else {
+            await writeEnvFile(devFilePath, resolved.map);
+            consola.log(`
+  ${relDevFile}`);
           }
-        } else {
-          await writeEnvFile(devVarsPath, resolved.map);
-          consola.log(`
-  ${relDevVars}`);
           for (let i2 = 0;i2 < resolved.entries.length; i2++) {
             const entry = resolved.entries[i2];
             const isLast = i2 === resolved.entries.length - 1;
@@ -13253,12 +13409,18 @@ var init_dev = __esm(() => {
           if (missing.length > 0) {
             for (const key of missing) {
               consola.warn(`
-⚠ Missing in ${relative(config.projectRoot, localOverridePath)}: ${key} (required per-dev override)`);
-              consola.log(`  → echo "${key}=<your-value>" >> ${relative(config.projectRoot, localOverridePath)}`);
+⚠ Missing in ${relative2(config.projectRoot, localOverridePath)}: ${key} (required per-dev override)`);
+              consola.log(`  → echo "${key}=<your-value>" >> ${relative2(config.projectRoot, localOverridePath)}`);
             }
           }
         }
       }
+      if (environment !== "local") {
+        const hasOverrides = (config.raw.local?.overrides?.length ?? 0) > 0 || Object.keys(config.raw.local?.perApp ?? {}).length > 0;
+        if (hasOverrides) {
+          consola.info(`Per-dev overrides are only applied in "local" environment (current: ${environment}).`);
+        }
+      }
       consola.success(`
 Done!`);
     }
@@ -13440,14 +13602,33 @@ var init_push = __esm(() => {
         consola.warn("No apps to process.");
         return;
       }
+      if (args.force && !args["dry-run"]) {
+        const targets = apps.map((app) => {
+          const w2 = getWorkerName(app, environment);
+          return w2 ? `${app.name} → ${w2}` : null;
+        }).filter(Boolean);
+        if (targets.length > 0) {
+          consola.warn(`Force-pushing to ${environment}: ${targets.join(", ")}`);
+        }
+      }
       const sharedKeys = new Set(config.raw.shared ?? []);
-      for (const app of apps) {
+      let hasFailure = false;
+      if (args.shared) {
+        if (sharedKeys.size === 0) {
+          consola.error("No shared keys defined in config. Nothing to push with --shared.");
+          process.exit(1);
+        }
+        consola.info(`--shared: pushing only shared keys (${[...sharedKeys].join(", ")})`);
+      }
+      for (let i2 = 0;i2 < apps.length; i2++) {
+        const app = apps[i2];
+        const progress = apps.length > 1 ? `[${i2 + 1}/${apps.length}] ` : "";
         const workerName = getWorkerName(app, environment);
         if (!workerName) {
-          consola.warn(`  No worker defined for ${app.name} in ${environment}. Skipping.`);
+          consola.warn(`${progress}No worker defined for ${app.name} in ${environment}. Skipping.`);
           continue;
         }
-        consola.start(`Pushing secrets for ${app.name} → ${workerName} (${environment})...`);
+        consola.start(`${progress}Pushing secrets for ${app.name} → ${workerName} (${environment})...`);
         const resolved = await resolveAppEnv(config, app, environment);
         let secretsToPush;
         if (args.shared) {
@@ -13468,7 +13649,8 @@ var init_push = __esm(() => {
         }
         const keyCount = Object.keys(secretsToPush).length;
         if (keyCount === 0) {
-          consola.warn(`  No secrets to push for ${app.name}. Skipping.`);
+          const reason = args.shared ? " (no shared keys for this app)" : "";
+          consola.warn(`  No secrets to push for ${app.name}${reason}. Skipping.`);
           continue;
         }
         if (args["dry-run"]) {
@@ -13491,8 +13673,13 @@ var init_push = __esm(() => {
           consola.success(`  Pushed ${keyCount} secrets to ${workerName}`);
         } else {
           consola.error(`  Failed to push secrets to ${workerName}`);
+          hasFailure = true;
         }
       }
+      if (hasFailure) {
+        consola.error("Some pushes failed.");
+        process.exit(1);
+      }
       consola.success("Done!");
     }
   });
@@ -13565,7 +13752,7 @@ var init_pull = __esm(() => {
         }
         consola.info(`  Found ${remoteKeys.length} remote keys`);
         const envFilePath = getRootEnvPath(config, environment);
-        const localEnv = await loadEnvFile(envFilePath, environment);
+        const localEnv = await loadEnvFile(envFilePath, environment, config.projectRoot, config.raw.encryption);
         const localKeys = new Set(Object.keys(localEnv));
         const missingKeys = remoteKeys.filter((k2) => !localKeys.has(k2));
         if (missingKeys.length === 0) {
@@ -13590,7 +13777,7 @@ var exports_validate = {};
 __export(exports_validate, {
   default: () => validate_default
 });
-import { join as join4 } from "node:path";
+import { join as join5 } from "node:path";
 function parseAppNames4(args, skip = 1) {
   const rest = args._?.slice(skip);
   return rest?.length ? rest : undefined;
@@ -13628,17 +13815,24 @@ var init_validate = __esm(() => {
       let environments;
       let appNames;
       if (envArg && config.environments.includes(envArg)) {
+        if (envArg in config.apps) {
+          consola.error(`"${envArg}" is both an environment and an app name. This is ambiguous.`);
+          consola.info(`  To validate environment: envsync validate ${envArg} --
+` + `  To validate app:         envsync validate -- ${envArg}`);
+          process.exit(1);
+        }
         environments = [envArg];
         appNames = parseAppNames4(args);
       } else if (envArg) {
         environments = config.environments;
         appNames = parseAppNames4(args, 0);
+        consola.info(`"${envArg}" is not an environment. Treating as app name. Validating all environments.`);
       } else {
         environments = config.environments;
         appNames = undefined;
       }
       const apps = resolveApps(config, appNames);
-      const examplePath = join4(config.projectRoot, ".env.example");
+      const examplePath = join5(config.projectRoot, ".env.example");
       if (!fileExists(examplePath)) {
         consola.error("No .env.example found at project root.");
         process.exit(1);
@@ -13651,10 +13845,12 @@ var init_validate = __esm(() => {
         ...config.raw.local?.overrides ?? [],
         ...Object.values(config.raw.local?.perApp ?? {}).flat()
       ]);
+      const totalChecks = environments.length * apps.length;
       consola.log(`
-Checking against .env.example...`);
+Checking against .env.example... (${environments.length} env × ${apps.length} app${apps.length > 1 ? "s" : ""})`);
       const results = [];
       let hasIssues = false;
+      let checkIdx = 0;
       for (const environment of environments) {
         consola.log(`
   ${environment}`);
@@ -13736,10 +13932,10 @@ function printDiff(entries) {
   for (const entry of entries) {
     switch (entry.status) {
       case "added":
-        consola.log(`  + ${entry.key} = ${maskValue(entry.remoteValue)}`);
+        consola.log(`  + ${entry.key} = ${maskValue(entry.localValue)}`);
         break;
       case "removed":
-        consola.log(`  - ${entry.key} = ${maskValue(entry.localValue)}`);
+        consola.log(`  - ${entry.key}`);
         break;
       case "changed":
         consola.log(`  ~ ${entry.key}`);
@@ -13819,8 +14015,15 @@ var init_diff = __esm(() => {
         process.exit(1);
       }
       const target = args.target;
-      const isEnvVsEnv = target && config.environments.includes(target);
-      if (isEnvVsEnv) {
+      const isEnv = target && config.environments.includes(target);
+      const isApp = target && target in config.apps;
+      if (isEnv && isApp) {
+        consola.error(`"${target}" is both an environment and an app name. This is ambiguous.`);
+        consola.info(`  To compare environments: envsync diff ${env1} ${target} --
+` + `  To diff local vs remote: envsync diff ${env1} -- ${target}`);
+        process.exit(1);
+      }
+      if (isEnv) {
         const env2 = target;
         const appNames = parseAppNames5(args, 2);
         const apps = resolveApps(config, appNames);
@@ -13917,7 +14120,7 @@ var exports_init = {};
 __export(exports_init, {
   default: () => init_default
 });
-import { join as join5, relative as relative2, basename } from "node:path";
+import { join as join6, relative as relative3, basename } from "node:path";
 function generateConfigTS(config) {
   const lines = [
     `import { defineConfig } from "cf-envsync";`,
@@ -13998,10 +14201,19 @@ var init_init = __esm(() => {
     },
     async run({ args }) {
       const cwd = process.cwd();
-      const existingConfig = CONFIG_FILES.find((f3) => fileExists(join5(cwd, f3)));
+      const existingConfig = CONFIG_FILES.find((f3) => fileExists(join6(cwd, f3)));
       if (existingConfig) {
         consola.warn(`${existingConfig} already exists.`);
-        const overwrite = await consola.prompt("Overwrite?", {
+        const existingContent = await readFile(join6(cwd, existingConfig));
+        const lines = existingContent.split(`
+`);
+        const preview = lines.length > 20 ? [...lines.slice(0, 20), `  ... (${lines.length - 20} more lines)`].join(`
+`) : existingContent;
+        consola.log(`
+Current config:
+${preview}
+`);
+        const overwrite = await consola.prompt("Overwrite with new config?", {
           type: "confirm"
         });
         if (!overwrite) {
@@ -14011,7 +14223,7 @@ var init_init = __esm(() => {
       }
       const encryption = await consola.prompt("Encryption method:", {
         type: "select",
-        options: ["dotenvx", "none"]
+        options: ["password", "dotenvx", "none"]
       });
       const defaultEnvs = "local, staging, production";
       const envsInput = await consola.prompt("Environments (comma-separated):", {
@@ -14028,12 +14240,13 @@ var init_init = __esm(() => {
           return (name === "wrangler.json" || name === "wrangler.jsonc") && !f3.includes("node_modules");
         });
         if (wranglerFiles.length === 0) {
-          consola.warn("No wrangler config files found. Creating manually.");
+          consola.warn(`No wrangler.json or wrangler.jsonc files found (searched all subdirectories, excluding node_modules).
+` + "  Falling back to manual configuration.");
         }
         for (const wranglerFile of wranglerFiles.sort()) {
-          const fullPath = join5(cwd, wranglerFile);
-          const appDir = join5(cwd, wranglerFile, "..");
-          const appPath = relative2(cwd, appDir);
+          const fullPath = join6(cwd, wranglerFile);
+          const appDir = join6(cwd, wranglerFile, "..");
+          const appPath = relative3(cwd, appDir);
           const appName = basename(appDir);
           consola.info(`  Found ${wranglerFile}`);
           let wranglerConfig = {};
@@ -14133,10 +14346,10 @@ var init_init = __esm(() => {
         apps,
         ...shared.length > 0 ? { shared } : {}
       };
-      const configPath = join5(cwd, "envsync.config.ts");
+      const configPath = join6(cwd, "envsync.config.ts");
       const tsContent = generateConfigTS(config);
       if (existingConfig && existingConfig !== "envsync.config.ts") {
-        const oldPath = join5(cwd, existingConfig);
+        const oldPath = join6(cwd, existingConfig);
         if (fileExists(oldPath)) {
           const { unlink } = await import("node:fs/promises");
           await unlink(oldPath);
@@ -14144,7 +14357,7 @@ var init_init = __esm(() => {
       }
       await writeFile(configPath, tsContent);
       consola.success("Created envsync.config.ts");
-      const examplePath = join5(cwd, ".env.example");
+      const examplePath = join6(cwd, ".env.example");
       if (!fileExists(examplePath)) {
         const allKeys = new Set;
         for (const app of Object.values(apps)) {
@@ -14167,21 +14380,21 @@ var init_init = __esm(() => {
       for (const env2 of environments) {
         if (env2 === "local")
           continue;
-        const envFile = join5(cwd, `.env.${env2}`);
+        const envFile = join6(cwd, `.env.${env2}`);
         if (!fileExists(envFile)) {
           await writeFile(envFile, `# ${env2} environment variables
 `);
           consola.success(`Created .env.${env2}`);
         }
       }
-      const rootEnv = join5(cwd, ".env");
+      const rootEnv = join6(cwd, ".env");
       if (!fileExists(rootEnv)) {
         await writeFile(rootEnv, `# Local environment variables
 `);
         consola.success("Created .env");
       }
-      const gitignorePath = join5(cwd, ".gitignore");
-      const gitignoreEntries = [".env.local", ".env.keys", "**/.dev.vars"];
+      const gitignorePath = join6(cwd, ".gitignore");
+      const gitignoreEntries = [".env.local", ".env.keys", ".env.password", "**/.dev.vars"];
       if (fileExists(gitignorePath)) {
         const existing = await readFile(gitignorePath);
         const toAdd = gitignoreEntries.filter((e2) => !existing.includes(e2));
@@ -14201,7 +14414,7 @@ var init_init = __esm(() => {
 `);
         consola.success(`Created .gitignore`);
       }
-      const gitattrsPath = join5(cwd, ".gitattributes");
+      const gitattrsPath = join6(cwd, ".gitattributes");
       const mergeDriverLines = `.env merge=envsync
 .env.* merge=envsync
 `;
@@ -14217,7 +14430,7 @@ var init_init = __esm(() => {
         await writeFile(gitattrsPath, mergeDriverLines);
         consola.success("Created .gitattributes with merge driver");
       }
-      const gitConfigPath = join5(cwd, ".git", "config");
+      const gitConfigPath = join6(cwd, ".git", "config");
       if (fileExists(gitConfigPath)) {
         const gitConfig = await readFile(gitConfigPath);
         if (!gitConfig.includes('[merge "envsync"]')) {
@@ -14232,14 +14445,18 @@ var init_init = __esm(() => {
       }
       consola.info(`
 Next steps:`);
-      if (encryption === "dotenvx") {
+      if (encryption === "password") {
+        consola.info('  1. Set a password: echo "ENVSYNC_PASSWORD=your-secret" > .env.password');
+        consola.info("  2. Add values to your .env files (plain KEY=VALUE)");
+        consola.info("  3. envsync encrypt staging  (encrypts plain values in .env.staging)");
+      } else if (encryption === "dotenvx") {
         consola.info('  1. dotenvx set DATABASE_URL "value" -f .env');
         for (const env2 of environments.filter((e2) => e2 !== "local")) {
           consola.info(`  2. dotenvx set DATABASE_URL "${env2}_value" -f .env.${env2}`);
         }
       }
-      consola.info(`  3. echo "OAUTH_REDIRECT_URL=https://your-tunnel/callback" >> .env.local`);
-      consola.info("  4. envsync dev");
+      consola.info(`  ${encryption === "password" ? "4" : "3"}. echo "OAUTH_REDIRECT_URL=https://your-tunnel/callback" >> .env.local`);
+      consola.info(`  ${encryption === "password" ? "5" : "4"}. envsync dev`);
     }
   });
 });
@@ -14333,6 +14550,10 @@ var init_normalize = __esm(() => {
 // src/commands/merge.ts
 var exports_merge = {};
 __export(exports_merge, {
+  parseEnvLines: () => parseEnvLines,
+  isPasswordEncrypted: () => isPasswordEncrypted,
+  isEncrypted: () => isEncrypted,
+  isDotenvxEncrypted: () => isDotenvxEncrypted,
   default: () => merge_default
 });
 function parseEnvLines(content) {
@@ -14353,9 +14574,15 @@ function parseEnvLines(content) {
     };
   });
 }
-function isEncrypted(content) {
+function isDotenvxEncrypted(content) {
   return content.includes("encrypted:");
 }
+function isPasswordEncrypted(content) {
+  return content.includes("envsync:v1:");
+}
+function isEncrypted(content) {
+  return isDotenvxEncrypted(content) || isPasswordEncrypted(content);
+}
 var merge_default;
 var init_merge = __esm(() => {
   init_dist();
@@ -14391,11 +14618,24 @@ var init_merge = __esm(() => {
         readFile(args.ours),
         readFile(args.theirs)
       ]);
-      const wasEncrypted = isEncrypted(oursContent);
-      const privateKey = findPrivateKey();
-      const baseParsed = isEncrypted(baseContent) ? decryptEnvContent(baseContent, privateKey) : Object.fromEntries(parseEnvLines(baseContent).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
-      const oursParsed = isEncrypted(oursContent) ? decryptEnvContent(oursContent, privateKey) : Object.fromEntries(parseEnvLines(oursContent).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
-      const theirsParsed = isEncrypted(theirsContent) ? decryptEnvContent(theirsContent, privateKey) : Object.fromEntries(parseEnvLines(theirsContent).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
+      const wasDotenvx = isDotenvxEncrypted(oursContent);
+      const wasPassword = isPasswordEncrypted(oursContent);
+      const wasEncrypted = wasDotenvx || wasPassword;
+      const privateKey = findPrivateKey(undefined, process.cwd());
+      const password = findPassword(undefined, process.cwd());
+      function decryptContent(content) {
+        if (isPasswordEncrypted(content)) {
+          const plain = Object.fromEntries(parseEnvLines(content).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
+          return password ? decryptEnvMap(plain, password) : plain;
+        }
+        if (isDotenvxEncrypted(content)) {
+          return decryptEnvContent(content, privateKey);
+        }
+        return Object.fromEntries(parseEnvLines(content).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
+      }
+      const baseParsed = decryptContent(baseContent);
+      const oursParsed = decryptContent(oursContent);
+      const theirsParsed = decryptContent(theirsContent);
       const baseMap = new Map(Object.entries(baseParsed));
       const oursMap = new Map(Object.entries(oursParsed));
       const theirsMap = new Map(Object.entries(theirsParsed));
@@ -14452,10 +14692,19 @@ var init_merge = __esm(() => {
 `) + `
 `;
       if (wasEncrypted && !hasConflicts) {
-        await writeFile(args.ours, mergedContent);
-        const result = await exec(["dotenvx", "encrypt", "-f", args.ours]);
-        if (!result.success) {
-          consola.warn("Could not re-encrypt merged file:", result.stderr);
+        if (wasPassword && password) {
+          const plainMap = Object.fromEntries(parseEnvLines(mergedContent).filter((e2) => e2.key).map((e2) => [e2.key, e2.value ?? ""]));
+          const encrypted = encryptEnvMap(plainMap, password);
+          const encLines = Object.entries(encrypted).map(([k2, v2]) => `${k2}=${v2}`);
+          await writeFile(args.ours, encLines.join(`
+`) + `
+`);
+        } else {
+          await writeFile(args.ours, mergedContent);
+          const result = await exec(["dotenvx", "encrypt", "-f", args.ours]);
+          if (!result.success) {
+            consola.warn("Could not re-encrypt merged file:", result.stderr);
+          }
         }
       } else {
         await writeFile(args.ours, mergedContent);
@@ -14612,6 +14861,124 @@ var init_list = __esm(() => {
   });
 });
+// src/commands/encrypt.ts
+var exports_encrypt = {};
+__export(exports_encrypt, {
+  default: () => encrypt_default
+});
+function parseLines(content) {
+  return content.split(`
+`).map((line) => {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#")) {
+      return { raw: line };
+    }
+    const eqIdx = line.indexOf("=");
+    if (eqIdx === -1) {
+      return { raw: line };
+    }
+    return {
+      key: line.slice(0, eqIdx).trim(),
+      value: line.slice(eqIdx + 1),
+      raw: line
+    };
+  });
+}
+var encrypt_default;
+var init_encrypt = __esm(() => {
+  init_dist();
+  init_dist2();
+  init_config();
+  init_env_file();
+  init_fs();
+  init_encryption();
+  encrypt_default = defineCommand({
+    meta: {
+      name: "encrypt",
+      description: "Encrypt plain .env values with password encryption"
+    },
+    args: {
+      env: {
+        type: "positional",
+        description: "Target environment (e.g. staging, production)",
+        required: true
+      },
+      "dry-run": {
+        type: "boolean",
+        description: "Preview changes without writing",
+        default: false
+      }
+    },
+    async run({ args }) {
+      const environment = args.env;
+      const rawConfig = await loadConfig();
+      const errors = validateConfig(rawConfig);
+      if (errors.length > 0) {
+        for (const err of errors)
+          consola.error(err);
+        process.exit(1);
+      }
+      const config = resolveConfig(rawConfig);
+      if (config.raw.encryption !== "password") {
+        consola.error('encrypt command requires encryption: "password" in config.');
+        process.exit(1);
+      }
+      if (!config.environments.includes(environment)) {
+        consola.error(`Unknown environment: "${environment}". Available: ${config.environments.join(", ")}`);
+        process.exit(1);
+      }
+      const password = findPassword(environment, config.projectRoot);
+      if (!password) {
+        consola.error(`No password found. Set ENVSYNC_PASSWORD or ENVSYNC_PASSWORD_${environment.toUpperCase()}, or create .env.password`);
+        process.exit(1);
+      }
+      const envFilePath = getRootEnvPath(config, environment);
+      if (!fileExists(envFilePath)) {
+        consola.error(`File not found: ${envFilePath}`);
+        process.exit(1);
+      }
+      const content = await readFile(envFilePath);
+      const lines = parseLines(content);
+      let encryptedCount = 0;
+      let skippedCount = 0;
+      const outputLines = [];
+      for (const line of lines) {
+        if (!line.key || line.value === undefined) {
+          outputLines.push(line.raw);
+          continue;
+        }
+        const value = line.value.trim();
+        if (isEnvsyncEncrypted(value) || value === "") {
+          outputLines.push(line.raw);
+          skippedCount++;
+          continue;
+        }
+        let plainValue = value;
+        if (plainValue.startsWith('"') && plainValue.endsWith('"') || plainValue.startsWith("'") && plainValue.endsWith("'")) {
+          plainValue = plainValue.slice(1, -1);
+        }
+        const encrypted = encryptValue(plainValue, password);
+        outputLines.push(`${line.key}=${encrypted}`);
+        encryptedCount++;
+        consola.log(`  ${line.key}: encrypted`);
+      }
+      if (encryptedCount === 0) {
+        consola.info("No values to encrypt.");
+        return;
+      }
+      const dryRun = args["dry-run"];
+      if (dryRun) {
+        consola.info(`[dry-run] Would encrypt ${encryptedCount} values in ${envFilePath}`);
+        return;
+      }
+      await writeFile(envFilePath, outputLines.join(`
+`) + `
+`);
+      consola.success(`Encrypted ${encryptedCount} values in ${envFilePath} (${skippedCount} skipped)`);
+    }
+  });
+});
 // src/index.ts
 init_dist();
 var main = defineCommand({
@@ -14629,7 +14996,8 @@ var main = defineCommand({
     init: () => Promise.resolve().then(() => (init_init(), exports_init)).then((m2) => m2.default),
     normalize: () => Promise.resolve().then(() => (init_normalize(), exports_normalize)).then((m2) => m2.default),
     merge: () => Promise.resolve().then(() => (init_merge(), exports_merge)).then((m2) => m2.default),
-    list: () => Promise.resolve().then(() => (init_list(), exports_list)).then((m2) => m2.default)
+    list: () => Promise.resolve().then(() => (init_list(), exports_list)).then((m2) => m2.default),
+    encrypt: () => Promise.resolve().then(() => (init_encrypt(), exports_encrypt)).then((m2) => m2.default)
   }
 });
 runMain(main);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cf-envsync",
-  "version": "0.2.0",
+  "version": "0.3.1",
   "description": "Sync .env files to Cloudflare Workers secrets, .dev.vars, and more",
   "type": "module",
   "exports": {
@@ -18,7 +18,8 @@
     "dev": "bun run src/index.ts",
     "build": "bun build src/index.ts --outdir dist --target node --external jiti",
     "prepublishOnly": "bun run build",
-    "test": "bun test"
+    "test": "bun test",
+    "test:coverage": "bun test --coverage"
   },
   "peerDependencies": {
     "wrangler": ">=3"

package/src/types/config.ts CHANGED Viewed

@@ -14,7 +14,7 @@ export interface EnvSyncConfig {
   };
   /** Encryption method */
-  encryption: "dotenvx" | "none";
+  encryption: "dotenvx" | "password" | "none";
   /** App definitions */
   apps: Record<string, AppConfig>;
@@ -41,6 +41,9 @@ export interface AppConfig {
   secrets?: string[];
   /** Var keys for this app (non-secret env vars) */
   vars?: string[];
+  /** Output file(s) for `envsync dev`. Defaults to ".dev.vars".
+   *  Use an array to generate multiple files, e.g. [".dev.vars", ".env.local"] */
+  devFile?: string | string[];
 }
 /** Resolved config after defaults and path resolution */
@@ -62,4 +65,6 @@ export interface ResolvedAppConfig extends AppConfig {
   absolutePath: string;
   /** All keys this app needs (secrets + vars + local overrides) */
   allKeys: string[];
+  /** Normalized output file names for `envsync dev` (always an array) */
+  devFiles: string[];
 }