dotenv-gad 1.4.2 → 1.5.0

package/dist/index.cjs

@@ -31,18 +31,28 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var src_exports = {};
 __export(src_exports, {
   AggregateError: () => AggregateError,
+  DecryptionFailedError: () => DecryptionFailedError,
+  EncryptedFieldMismatchError: () => EncryptedFieldMismatchError,
+  EncryptionKeyMissingError: () => EncryptionKeyMissingError,
   EnvAggregateError: () => EnvAggregateError,
   EnvValidationError: () => EnvValidationError,
   EnvValidator: () => EnvValidator,
   composeSchema: () => composeSchema,
   createEnvProxy: () => createEnvProxy,
+  decryptEnvValue: () => decryptEnvValue,
   defineSchema: () => defineSchema,
+  encryptEnvValue: () => encryptEnvValue,
+  generateKeyPair: () => generateKeyPair,
+  isEncryptedValue: () => isEncryptedValue,
   loadEnv: () => loadEnv,
+  loadPrivateKey: () => loadPrivateKey,
   validateEnv: () => validateEnv
 });
 module.exports = __toCommonJS(src_exports);
 
 // src/errors.ts
+var kValidationError = /* @__PURE__ */ Symbol.for("dotenv-gad.EnvValidationError");
+var kAggregateError = /* @__PURE__ */ Symbol.for("dotenv-gad.EnvAggregateError");
 var EnvValidationError = class extends Error {
   constructor(key, message, receiveValue) {
     super(message);
@@ -50,15 +60,40 @@ var EnvValidationError = class extends Error {
     this.message = message;
     this.receiveValue = receiveValue;
     this.name = "EnvValidationError";
+    Object.defineProperty(this, kValidationError, { value: true, enumerable: false });
+  }
+  static [Symbol.hasInstance](instance) {
+    return typeof instance === "object" && instance !== null && Object.prototype.hasOwnProperty.call(instance, kValidationError);
   }
 };
+Object.defineProperty(EnvValidationError, "name", {
+  value: "EnvValidationError",
+  configurable: true,
+  writable: false
+});
+var errorsMap = /* @__PURE__ */ new WeakMap();
 var EnvAggregateError = class _EnvAggregateError extends Error {
+  get errors() {
+    return errorsMap.get(this);
+  }
   constructor(errors, message) {
-    super(message);
-    this.errors = errors;
+    const summary = errors.map((e) => {
+      let line = `
+  - ${e.key}: ${e.message}`;
+      if (e.value !== void 0) line += ` (received: ${JSON.stringify(e.value)})`;
+      if (e.rule?.docs) line += `
+    hint: ${e.rule.docs}`;
+      return line;
+    }).join("");
+    super(message + summary);
     this.name = "EnvAggregateError";
+    errorsMap.set(this, errors);
+    Object.defineProperty(this, kAggregateError, { value: true, enumerable: false });
     Object.setPrototypeOf(this, _EnvAggregateError.prototype);
   }
+  static [Symbol.hasInstance](instance) {
+    return typeof instance === "object" && instance !== null && Object.prototype.hasOwnProperty.call(instance, kAggregateError);
+  }
   toString() {
     const errorList = this.errors.map((e) => {
       let msg = `  - ${e.key}: ${e.message}`;
@@ -68,27 +103,211 @@ var EnvAggregateError = class _EnvAggregateError extends Error {
     ${e.rule.docs}`;
       return msg;
     }).join("\n");
-    return `${this.message}:
+    return `${this.name}: ${this.message}
 ${errorList}`;
   }
 };
+Object.defineProperty(EnvAggregateError, "name", {
+  value: "EnvAggregateError",
+  configurable: true,
+  writable: false
+});
 var AggregateError = EnvAggregateError;
+var EncryptionKeyMissingError = class _EncryptionKeyMissingError extends Error {
+  constructor(context) {
+    const message = context === "encryption" ? "Public key not found. Run: npx dotenv-gad keygen" : "Private key not found. Obtain .env.keys from your team or set ENVGAD_PRIVATE_KEY env var. Run: npx dotenv-gad keygen to generate new keys.";
+    super(message);
+    this.name = "EncryptionKeyMissingError";
+    Object.setPrototypeOf(this, _EncryptionKeyMissingError.prototype);
+  }
+};
+var DecryptionFailedError = class _DecryptionFailedError extends Error {
+  constructor(varName) {
+    super(
+      `Decryption failed for "${varName}". Possible causes:
+  - Wrong private key
+  - Corrupted ciphertext
+  - Ciphertext moved from a different variable (AAD mismatch)`
+    );
+    this.name = "DecryptionFailedError";
+    Object.setPrototypeOf(this, _DecryptionFailedError.prototype);
+  }
+};
+var EncryptedFieldMismatchError = class _EncryptedFieldMismatchError extends Error {
+  constructor(varName, shouldBeEncrypted) {
+    const message = shouldBeEncrypted ? `"${varName}" must be encrypted but received a plaintext value. Run: npx dotenv-gad encrypt` : `"${varName}" has an encrypted value but schema does not declare encrypted: true`;
+    super(message);
+    this.name = "EncryptedFieldMismatchError";
+    Object.setPrototypeOf(this, _EncryptedFieldMismatchError.prototype);
+  }
+};
+
+// src/crypto.ts
+var import_node_crypto = require("crypto");
+var import_node_fs = require("fs");
+var SPKI_PREFIX = Buffer.from("302a300506032b656e032100", "hex");
+var RAW_KEY_LENGTH = 32;
+var NONCE_LENGTH = 12;
+var AUTH_TAG_LENGTH = 16;
+var PROTOCOL_PREFIX = "encrypted:";
+var ENCRYPTION_VERSION = "v1";
+var HKDF_INFO = Buffer.from("dotenv-gad:v1");
+var HKDF_SALT = Buffer.alloc(0);
+var AAD_PREFIX = "dotenv-gad:v1:";
+var PRIVATE_KEY_HEX_LENGTH = 96;
+var PUBLIC_KEY_HEX_LENGTH = 88;
+function generateKeyPair() {
+  const { publicKey, privateKey } = (0, import_node_crypto.generateKeyPairSync)("x25519", {
+    publicKeyEncoding: { type: "spki", format: "der" },
+    privateKeyEncoding: { type: "pkcs8", format: "der" }
+  });
+  return {
+    publicKeyHex: publicKey.toString("hex"),
+    privateKeyHex: privateKey.toString("hex")
+  };
+}
+function encryptEnvValue(plaintext, recipientPublicKeyHex, varName) {
+  if (!/^[a-fA-F0-9]+$/.test(recipientPublicKeyHex) || recipientPublicKeyHex.length !== PUBLIC_KEY_HEX_LENGTH) {
+    throw new Error(
+      `Invalid ENVGAD_PUBLIC_KEY format (expected ${PUBLIC_KEY_HEX_LENGTH}-char hex-encoded SPKI DER, got ${recipientPublicKeyHex.length} chars)`
+    );
+  }
+  const recipientSpki = Buffer.from(recipientPublicKeyHex, "hex");
+  const { publicKeyHex: ephPubHex, privateKeyHex: ephPrivHex } = generateKeyPair();
+  const ephSpki = Buffer.from(ephPubHex, "hex");
+  const ephPkcs8 = Buffer.from(ephPrivHex, "hex");
+  const sharedSecret = (0, import_node_crypto.diffieHellman)({
+    privateKey: (0, import_node_crypto.createPrivateKey)({ key: ephPkcs8, format: "der", type: "pkcs8" }),
+    publicKey: (0, import_node_crypto.createPublicKey)({ key: recipientSpki, format: "der", type: "spki" })
+  });
+  const encKey = Buffer.from(
+    (0, import_node_crypto.hkdfSync)("sha256", sharedSecret, HKDF_SALT, HKDF_INFO, 32)
+  );
+  const nonce = (0, import_node_crypto.randomBytes)(NONCE_LENGTH);
+  const cipher = (0, import_node_crypto.createCipheriv)(
+    "chacha20-poly1305",
+    encKey,
+    nonce,
+    { authTagLength: AUTH_TAG_LENGTH }
+  );
+  cipher.setAAD(Buffer.from(`${AAD_PREFIX}${varName}`));
+  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const rawEphPubKey = ephSpki.subarray(SPKI_PREFIX.length);
+  const payload = Buffer.concat([rawEphPubKey, nonce, ciphertext, authTag]);
+  return `${PROTOCOL_PREFIX}${ENCRYPTION_VERSION}:${payload.toString("base64")}`;
+}
+function decryptEnvValue(token, privateKeyHex, varName) {
+  const prefix = `${PROTOCOL_PREFIX}${ENCRYPTION_VERSION}:`;
+  if (!token.startsWith(prefix)) {
+    const versionMatch = token.match(/^encrypted:(\w+):/);
+    if (versionMatch) {
+      throw new Error(
+        `Unsupported encryption version: ${versionMatch[1]}. This version of dotenv-gad supports: ${ENCRYPTION_VERSION}`
+      );
+    }
+    throw new Error("Invalid encrypted value format");
+  }
+  let payload;
+  try {
+    payload = Buffer.from(token.slice(prefix.length), "base64");
+  } catch {
+    throw new Error("Invalid base64 encoding in encrypted value");
+  }
+  const minLength = RAW_KEY_LENGTH + NONCE_LENGTH + AUTH_TAG_LENGTH;
+  if (payload.length < minLength) {
+    throw new Error(
+      `Encrypted value too short: ${payload.length} bytes (minimum: ${minLength})`
+    );
+  }
+  const rawEphPubKey = payload.subarray(0, RAW_KEY_LENGTH);
+  const nonce = payload.subarray(RAW_KEY_LENGTH, RAW_KEY_LENGTH + NONCE_LENGTH);
+  const rest = payload.subarray(RAW_KEY_LENGTH + NONCE_LENGTH);
+  const authTag = rest.subarray(rest.length - AUTH_TAG_LENGTH);
+  const ciphertext = rest.subarray(0, rest.length - AUTH_TAG_LENGTH);
+  const ephSpki = Buffer.concat([SPKI_PREFIX, rawEphPubKey]);
+  const pkcs8 = Buffer.from(privateKeyHex, "hex");
+  const sharedSecret = (0, import_node_crypto.diffieHellman)({
+    privateKey: (0, import_node_crypto.createPrivateKey)({ key: pkcs8, format: "der", type: "pkcs8" }),
+    publicKey: (0, import_node_crypto.createPublicKey)({ key: ephSpki, format: "der", type: "spki" })
+  });
+  const encKey = Buffer.from(
+    (0, import_node_crypto.hkdfSync)("sha256", sharedSecret, HKDF_SALT, HKDF_INFO, 32)
+  );
+  const decipher = (0, import_node_crypto.createDecipheriv)(
+    "chacha20-poly1305",
+    encKey,
+    nonce,
+    { authTagLength: AUTH_TAG_LENGTH }
+  );
+  decipher.setAAD(Buffer.from(`${AAD_PREFIX}${varName}`));
+  decipher.setAuthTag(authTag);
+  try {
+    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return plaintext.toString("utf8");
+  } catch {
+    throw new DecryptionFailedError(varName);
+  }
+}
+function isEncryptedValue(value) {
+  return value.startsWith(`${PROTOCOL_PREFIX}${ENCRYPTION_VERSION}:`);
+}
+function loadPrivateKey(options = {}) {
+  const keysPath = options.keysPath ?? ".env.keys";
+  if ((0, import_node_fs.existsSync)(keysPath)) {
+    const content = (0, import_node_fs.readFileSync)(keysPath, "utf8");
+    const match = content.match(/^ENVGAD_PRIVATE_KEY=([a-fA-F0-9]+)/m);
+    if (match) {
+      const key = match[1];
+      if (key.length !== PRIVATE_KEY_HEX_LENGTH) {
+        throw new Error(
+          `Invalid ENVGAD_PRIVATE_KEY in ${keysPath}: expected ${PRIVATE_KEY_HEX_LENGTH}-char hex-encoded PKCS8 DER, got ${key.length} chars`
+        );
+      }
+      return key;
+    }
+  }
+  const envKey = process.env.ENVGAD_PRIVATE_KEY;
+  if (envKey) {
+    if (!/^[a-fA-F0-9]+$/.test(envKey) || envKey.length !== PRIVATE_KEY_HEX_LENGTH) {
+      throw new Error(
+        `Invalid ENVGAD_PRIVATE_KEY format (expected ${PRIVATE_KEY_HEX_LENGTH}-char hex-encoded PKCS8 DER, got ${envKey.length} chars)`
+      );
+    }
+    return envKey;
+  }
+  return null;
+}
 
 // src/validator.ts
-var EnvValidator = class {
+var import_net = __toESM(require("net"), 1);
+var kValidator = /* @__PURE__ */ Symbol.for("dotenv-gad.EnvValidator");
+var EnvValidator = class _EnvValidator {
   /**
    * Constructs a new EnvValidator instance.
    * @param {SchemaDefinition} schema The schema definition for the environment variables.
    * @param {Object} [options] Optional options for the validation process.
    * @param {boolean} [options.strict] When true, environment variables not present in the schema will be rejected.
+   * @param {boolean} [options.allowPlaintext] When true, fields with `encrypted: true` that have plaintext values emit a warning instead of an error. Useful for gradual migration.
+   * @param {string} [options.keysPath] Path to the `.env.keys` file (default: `.env.keys`).
    */
   constructor(schema, options) {
     this.schema = schema;
     this.options = options;
+    Object.defineProperty(this, kValidator, { value: true, enumerable: false });
   }
+  static EMAIL_REGEX = /^[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~](\.?[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~])*@[a-zA-Z0-9](-*\.?[a-zA-Z0-9])*\.[a-zA-Z](-?[a-zA-Z0-9])+$/;
+  static LOCAL_MAX = 64;
+  static DOMAIN_MAX = 255;
+  static DOMAIN_PART_MAX = 63;
   errors = [];
+  /** Bundler-safe instanceof — checks the symbol marker, not the class name. */
+  static [Symbol.hasInstance](instance) {
+    return typeof instance === "object" && instance !== null && Object.prototype.hasOwnProperty.call(instance, kValidator);
+  }
   validate(env) {
     this.errors = [];
+    const { processedEnv, skipKeys } = this.preprocessEncryption(env);
     const result = {};
     const groupedEnv = {};
     const prefixes = [];
@@ -100,14 +319,14 @@ var EnvValidator = class {
         groupedEnv[k] = {};
       }
     }
-    const envKeys = Object.keys(env);
+    const envKeys = Object.keys(processedEnv);
     for (let i = 0; i < envKeys.length; i++) {
       const eKey = envKeys[i];
       for (let j = 0; j < prefixes.length; j++) {
         const { key, prefix } = prefixes[j];
         if (eKey.startsWith(prefix)) {
           const subKey = eKey.slice(prefix.length);
-          groupedEnv[key][subKey] = env[eKey];
+          groupedEnv[key][subKey] = processedEnv[eKey];
         }
       }
     }
@@ -115,9 +334,10 @@ var EnvValidator = class {
     for (let i = 0; i < schemaKeys.length; i++) {
       const key = schemaKeys[i];
       const rule = this.schema[key];
+      if (skipKeys.has(key)) continue;
       try {
-        const valToValidate = groupedEnv[key] && Object.keys(groupedEnv[key]).length > 0 ? groupedEnv[key] : env[key];
-        if (groupedEnv[key] && Object.keys(groupedEnv[key]).length > 0 && env[key] !== void 0) {
+        const valToValidate = groupedEnv[key] && Object.keys(groupedEnv[key]).length > 0 ? groupedEnv[key] : processedEnv[key];
+        if (groupedEnv[key] && Object.keys(groupedEnv[key]).length > 0 && processedEnv[key] !== void 0) {
           console.warn(`Both prefixed variables and top-level ${key} exist; prefixed vars are used`);
         }
         if (this.options?.strict && groupedEnv[key] && Object.keys(groupedEnv[key]).length > 0) {
@@ -137,16 +357,16 @@ var EnvValidator = class {
       } catch (error) {
         if (error instanceof Error) {
           let displayedValue;
-          if (env[key] === void 0) {
+          if (processedEnv[key] === void 0) {
             displayedValue = void 0;
           } else if (this.options?.includeRaw) {
             if (rule.sensitive && !this.options?.includeSensitive) {
               displayedValue = "****";
             } else {
-              displayedValue = env[key];
+              displayedValue = processedEnv[key];
             }
           } else {
-            displayedValue = this.redactValue(env[key], rule.sensitive);
+            displayedValue = this.redactValue(processedEnv[key], rule.sensitive);
           }
           this.errors.push({
             key,
@@ -182,7 +402,17 @@ var EnvValidator = class {
     }
     return result;
   }
-  // Redact or trim sensitive values for error reporting
+  /**
+   * Redacts a value to hide its contents, following these rules:
+   * - If `value` is undefined, returns undefined.
+   * - If `sensitive` is true, returns `"****"`.
+   * - If `value` is not a string, returns the original value.
+   * - If `value` is a string longer than 64 characters, truncates it to 4 characters
+   *   at the start and end, and replaces the middle with `"..."`.
+   * - Otherwise, returns the original string.
+   * @param value The value to redact.
+   * @param sensitive If true, redacts the value to `"****"`.
+   */
   redactValue(value, sensitive) {
     if (value === void 0) return void 0;
     if (sensitive) return "****";
@@ -192,8 +422,16 @@ var EnvValidator = class {
     }
     return value;
   }
-  // Try to quickly determine if a string *might* be JSON before parsing to avoid
-  // costly exceptions in the hot path for clearly non-JSON values.
+  /**
+   * Tries to parse the given value as a JSON object.
+   * Returns `{ ok: true, value: JSON.parse(s) }` if successful,
+   * or `{ ok: false }` if not.
+   * The following conditions will cause the function to return `{ ok: false }`:
+   * - `value` is not a string
+   * - `value` is an empty string
+   * - `value` does not start with one of the following characters: `{`, `[`, `"`, `t`, `f`, `n`, or a digit
+   * - `value` cannot be parsed as a JSON object
+   */
   tryParseJSON(value) {
     if (typeof value !== "string") return { ok: false };
     const s = value.trim();
@@ -215,12 +453,20 @@ var EnvValidator = class {
         throw new Error(`Missing required environment variable`);
       return effectiveRule.default;
     }
+    if (typeof value === "string") {
+      value = value.trim();
+      if (value === "") {
+        if (effectiveRule.required)
+          throw new Error(`Missing required environment variable`);
+        return effectiveRule.default;
+      }
+    }
     if (effectiveRule.transform) {
       value = effectiveRule.transform(value);
     }
     switch (effectiveRule.type) {
       case "string":
-        value = String(value).trim();
+        value = String(value);
         if (effectiveRule.minLength !== void 0 && value.length < effectiveRule.minLength) {
           throw new Error(
             `Environment variable ${key} must be at least ${effectiveRule.minLength} characters`
@@ -251,9 +497,9 @@ var EnvValidator = class {
       case "boolean":
         if (typeof value === "string") {
           value = value.toLowerCase();
-          if (value === "true") {
+          if (value === "true" || value === "yes" || value === "1" || value === "on") {
             value = true;
-          } else if (value === "false") {
+          } else if (value === "false" || value === "no" || value === "0" || value === "off") {
             value = false;
           }
         }
@@ -279,12 +525,12 @@ var EnvValidator = class {
         }
         break;
       case "email":
-        if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(String(value))) {
+        if (!this.validateEmail(value)) {
           throw new Error("Must be a valid email");
         }
         break;
       case "ip":
-        if (!/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/.test(String(value))) {
+        if (!import_net.default.isIP(value)) {
           throw new Error("Must be a valid IP address");
         }
         break;
@@ -369,12 +615,100 @@ var EnvValidator = class {
     }
     return value;
   }
-  getEffectiveRule(key, rule) {
+  getEffectiveRule(_key, rule) {
     const envName = process.env.NODE_ENV || "development";
     const envRule = rule.env?.[envName] || {};
     return { ...rule, ...envRule };
   }
+  /**
+   * Preprocesses environment variables to detect and handle encrypted values.
+   *   1. Decrypts any encrypted values using the private key.
+   *   2. Checks if any plaintext values are present for fields that should be encrypted.
+   *   3. Flags any env value that looks encrypted but the schema doesn't declare encrypted: true.
+   * @returns An object containing the processed environment variables and a set of keys that were skipped due to errors.
+   */
+  preprocessEncryption(env) {
+    const processedEnv = { ...env };
+    const skipKeys = /* @__PURE__ */ new Set();
+    const encryptedSchemaKeys = Object.keys(this.schema).filter(
+      (k) => this.schema[k].encrypted
+    );
+    if (encryptedSchemaKeys.length > 0) {
+      const needsDecryption = encryptedSchemaKeys.some(
+        (k) => processedEnv[k] != null && processedEnv[k] !== "" && isEncryptedValue(processedEnv[k])
+      );
+      let privateKeyHex = null;
+      if (needsDecryption) {
+        privateKeyHex = loadPrivateKey({ keysPath: this.options?.keysPath });
+        if (!privateKeyHex) {
+          throw new EncryptionKeyMissingError("decryption");
+        }
+      }
+      for (const key of encryptedSchemaKeys) {
+        const value = processedEnv[key];
+        if (value == null || value === "") continue;
+        if (isEncryptedValue(value)) {
+          try {
+            processedEnv[key] = decryptEnvValue(value, privateKeyHex, key);
+          } catch (err) {
+            this.errors.push({
+              key,
+              message: err instanceof Error ? err.message : "Decryption failed",
+              rule: this.schema[key]
+            });
+            skipKeys.add(key);
+          }
+        } else {
+          if (this.options?.allowPlaintext) {
+            console.warn(
+              `[dotenv-gad] "${key}" has a plaintext value but schema declares encrypted: true. Run: npx dotenv-gad encrypt`
+            );
+          } else {
+            this.errors.push({
+              key,
+              message: "Must be encrypted. Run: npx dotenv-gad encrypt",
+              rule: this.schema[key]
+            });
+            skipKeys.add(key);
+          }
+        }
+      }
+    }
+    for (const [eKey, value] of Object.entries(processedEnv)) {
+      if (skipKeys.has(eKey)) continue;
+      if (value && isEncryptedValue(value) && !this.schema[eKey]?.encrypted) {
+        this.errors.push({
+          key: eKey,
+          message: "Encrypted value found but schema does not declare encrypted: true"
+        });
+        skipKeys.add(eKey);
+      }
+    }
+    return { processedEnv, skipKeys };
+  }
+  /*
+  * Email validation logic adapted from:
+  * Project: email-validator
+  *  * Repository: https://github.com/manishsaraan/email-validator
+  * 
+  * * Adapted to enforce email validation rules more strictly
+  */
+  validateEmail(email) {
+    if (!email) return false;
+    const emailParts = email.split("@");
+    if (emailParts.length !== 2) return false;
+    const [local, domain] = emailParts;
+    if (local.length > _EnvValidator.LOCAL_MAX || domain.length > _EnvValidator.DOMAIN_MAX) return false;
+    const domainParts = domain.split(".");
+    if (domainParts.some((part) => part.length > _EnvValidator.DOMAIN_PART_MAX)) return false;
+    return _EnvValidator.EMAIL_REGEX.test(email);
+  }
 };
+Object.defineProperty(EnvValidator, "name", {
+  value: "EnvValidator",
+  configurable: true,
+  writable: false
+});
 
 // src/schema.ts
 function defineSchema(schema) {
@@ -382,9 +716,19 @@ function defineSchema(schema) {
 }
 
 // src/utils.ts
-var import_dotenv = __toESM(require("dotenv"), 1);
+var import_dotenv = require("dotenv");
+var import_node_fs2 = require("fs");
+function readEnvFile(path) {
+  const filePath = path ?? ".env";
+  if (!(0, import_node_fs2.existsSync)(filePath)) return {};
+  try {
+    return (0, import_dotenv.parse)((0, import_node_fs2.readFileSync)(filePath, "utf-8"));
+  } catch {
+    return {};
+  }
+}
 function loadEnv(schema, options) {
-  const fileEnv = import_dotenv.default.config({ debug: false, path: options?.path }).parsed || {};
+  const fileEnv = readEnvFile(options?.path);
   const env = { ...process.env, ...fileEnv };
   const validator = new EnvValidator(schema, options);
   return validator.validate(env);
@@ -415,9 +759,8 @@ function composeSchema(...schemas) {
 }
 
 // src/index.ts
-var import_dotenv2 = __toESM(require("dotenv"), 1);
 function validateEnv(schema, options) {
-  const fileEnv = import_dotenv2.default.config({ debug: false, path: options?.path }).parsed || {};
+  const fileEnv = readEnvFile(options?.path);
   const env = { ...process.env, ...fileEnv };
   const validator = new EnvValidator(schema, options);
   return validator.validate(env);
@@ -425,12 +768,20 @@ function validateEnv(schema, options) {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AggregateError,
+  DecryptionFailedError,
+  EncryptedFieldMismatchError,
+  EncryptionKeyMissingError,
   EnvAggregateError,
   EnvValidationError,
   EnvValidator,
   composeSchema,
   createEnvProxy,
+  decryptEnvValue,
   defineSchema,
+  encryptEnvValue,
+  generateKeyPair,
+  isEncryptedValue,
   loadEnv,
+  loadPrivateKey,
   validateEnv
 });

package/dist/index.js

@@ -1,14 +1,15 @@
 import { EnvValidator } from "./validator.js";
 import { defineSchema } from "./schema.js";
-import { EnvAggregateError, AggregateError, EnvValidationError } from "./errors.js";
+import { EnvAggregateError, AggregateError, EnvValidationError, EncryptionKeyMissingError, DecryptionFailedError, EncryptedFieldMismatchError, } from "./errors.js";
 import { loadEnv, createEnvProxy } from "./utils.js";
 import { composeSchema } from "./compose.js";
-import dotenv from "dotenv";
+import { generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey, } from "./crypto.js";
+import { readEnvFile } from "./utils.js";
 export { defineSchema, EnvAggregateError, 
 /** @deprecated Use `EnvAggregateError` instead. */
-AggregateError, EnvValidationError, EnvValidator, loadEnv, createEnvProxy, composeSchema, };
+AggregateError, EnvValidationError, EncryptionKeyMissingError, DecryptionFailedError, EncryptedFieldMismatchError, EnvValidator, loadEnv, createEnvProxy, composeSchema, generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey, };
 export function validateEnv(schema, options) {
-    const fileEnv = dotenv.config({ debug: false, path: options?.path }).parsed || {};
+    const fileEnv = readEnvFile(options?.path);
     const env = { ...process.env, ...fileEnv };
     const validator = new EnvValidator(schema, options);
     return validator.validate(env);

package/dist/types/cli/commands/check.d.ts

@@ -1,2 +1,2 @@
 import { Command } from "commander";
-export default function (program: Command): Command;
+export default function (_program: Command): Command;

package/dist/types/cli/commands/decrypt.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export default function (_program: Command): Command;

package/dist/types/cli/commands/docs.d.ts

@@ -1,2 +1,2 @@
 import { Command } from "commander";
-export default function (program: Command): Command;
+export default function (_program: Command): Command;

package/dist/types/cli/commands/encrypt.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export default function (_program: Command): Command;

package/dist/types/cli/commands/fix.d.ts

@@ -1,2 +1,2 @@
 import { Command } from "commander";
-export default function (program: Command): Command;
+export default function (_program: Command): Command;

package/dist/types/cli/commands/init.d.ts

@@ -1,2 +1,2 @@
 import { Command } from "commander";
-export default function (program: Command): Command;
+export default function (_program: Command): Command;

package/dist/types/cli/commands/keygen.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export default function (program: Command): Command;

package/dist/types/cli/commands/rotate.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export default function (_program: Command): Command;

package/dist/types/cli/commands/status.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export default function (_program: Command): Command;

package/dist/types/cli/commands/sync.d.ts

@@ -1,2 +1,2 @@
 import { Command } from "commander";
-export default function (program: Command): Command;
+export default function (_program: Command): Command;

package/dist/types/cli/commands/verify.d.ts

@@ -0,0 +1,2 @@
+import { Command } from "commander";
+export default function (_program: Command): Command;