dotenv-gad 1.4.2 → 1.5.0

package/dist/types/crypto.d.ts

@@ -0,0 +1,58 @@
+export interface KeyPair {
+    /** Hex-encoded 44-byte SPKI DER. Store as ENVGAD_PUBLIC_KEY in .env (safe to commit). */
+    publicKeyHex: string;
+    /** Hex-encoded 48-byte PKCS8 DER. Store as ENVGAD_PRIVATE_KEY in .env.keys (never commit). */
+    privateKeyHex: string;
+}
+/**
+ * Generates a new key pair using the X25519 curve.
+ *
+ * @returns An object containing the hex-encoded public and private keys.
+ * The public key is safe to commit to version control (e.g. .env), while the private key
+ * should be kept secret and stored securely (e.g. .env.keys).
+ */
+export declare function generateKeyPair(): KeyPair;
+/**
+ * Encrypts a plaintext string using ChaCha20-Poly1305 authenticated encryption.
+ * The encryption key is derived from the shared secret of the ephemeral key pair
+ * and the recipient's public key using HKDF-SHA256.
+ *
+ * @param plaintext - The plaintext string to encrypt.
+ * @param recipientPublicKeyHex - Hex-encoded 44-byte SPKI DER of the recipient's public key.
+ * @param varName - The name of the environment variable being encrypted.
+ * @returns A wire-format string containing the encrypted ciphertext and
+ *   ephemeral public key information: `encrypted:v1:<base64>`.
+ */
+export declare function encryptEnvValue(plaintext: string, recipientPublicKeyHex: string, varName: string): string;
+/**
+ * Decrypt a wire-format ciphertext produced by {@link encryptEnvValue}.
+ *
+ * @param token - Wire-format string: `encrypted:v1:<base64>`.
+ * @param privateKeyHex - Hex-encoded PKCS8 DER of the recipient's private key (from ENVGAD_PRIVATE_KEY).
+ * @param varName - Schema variable name, must match the one used during encryption (AAD check).
+ * @returns Decrypted plaintext string.
+ * @throws {@link DecryptionFailedError} if the key is wrong, ciphertext is tampered, or AAD mismatches.
+ */
+export declare function decryptEnvValue(token: string, privateKeyHex: string, varName: string): string;
+/**
+ * Returns true if the given value starts with the encrypted value
+ * prefix, and false otherwise.
+ *
+ * The encrypted value prefix is in the format of
+ * `encrypted:v1:<base64-encoded-payload>`.
+ *
+ * @param {string} value the value to check
+ * @returns {boolean} true if the value is an encrypted value, false otherwise
+ */
+export declare function isEncryptedValue(value: string): boolean;
+/**
+ * Loads the ENVGAD_PRIVATE_KEY value from the given path (default: `.env.keys`)
+ * or the ENVGAD_PRIVATE_KEY environment variable if present.
+ * Returns the hex-encoded DER value of the private key if found, or null otherwise.
+ * @param {Object} [options] Optional options.
+ * @param {string} [options.keysPath] Path to the `.env.keys` file (default: `.env.keys`).
+ * @returns {string | null} Hex-encoded DER value of the private key if found, or null otherwise.
+ */
+export declare function loadPrivateKey(options?: {
+    keysPath?: string;
+}): string | null;

package/dist/types/errors.d.ts

@@ -4,21 +4,44 @@ export declare class EnvValidationError extends Error {
     message: string;
     receiveValue?: unknown | undefined;
     constructor(key: string, message: string, receiveValue?: unknown | undefined);
+    static [Symbol.hasInstance](instance: unknown): boolean;
 }
+type ErrorItem = {
+    key: string;
+    message: string;
+    value?: any;
+    rule?: SchemaRule;
+};
 export declare class EnvAggregateError extends Error {
-    errors: {
-        key: string;
-        message: string;
-        value?: any;
-        rule?: SchemaRule;
-    }[];
-    constructor(errors: {
-        key: string;
-        message: string;
-        value?: any;
-        rule?: SchemaRule;
-    }[], message: string);
+    get errors(): ErrorItem[];
+    constructor(errors: ErrorItem[], message: string);
+    static [Symbol.hasInstance](instance: unknown): boolean;
     toString(): string;
 }
 /** @deprecated Use `EnvAggregateError` instead — avoids shadowing the built-in `AggregateError`. */
 export declare const AggregateError: typeof EnvAggregateError;
+/**
+ * Thrown when a required encryption or decryption key is not available.
+ * For encryption: ENVGAD_PUBLIC_KEY missing from .env.
+ * For decryption: ENVGAD_PRIVATE_KEY missing from .env.keys and environment.
+ */
+export declare class EncryptionKeyMissingError extends Error {
+    constructor(context: "encryption" | "decryption");
+}
+/**
+ * Thrown when ChaCha20-Poly1305 authenticated decryption fails.
+ * Common causes: wrong private key, corrupted ciphertext, or AAD mismatch
+ * (ciphertext copied from a different variable).
+ */
+export declare class DecryptionFailedError extends Error {
+    constructor(varName: string);
+}
+/**
+ * Thrown when an encrypted/plaintext value is found but the schema says otherwise.
+ * When `shouldBeEncrypted = true`: schema has `encrypted: true` but value is plaintext.
+ * When `shouldBeEncrypted = false`: value starts with `encrypted:v1:` but schema lacks `encrypted: true`.
+ */
+export declare class EncryptedFieldMismatchError extends Error {
+    constructor(varName: string, shouldBeEncrypted: boolean);
+}
+export {};

package/dist/types/index.d.ts

@@ -1,14 +1,18 @@
 import { EnvValidator } from "./validator.js";
 import { defineSchema, SchemaDefinition, SchemaRule } from "./schema.js";
-import { EnvAggregateError, AggregateError, EnvValidationError } from "./errors.js";
+import { EnvAggregateError, AggregateError, EnvValidationError, EncryptionKeyMissingError, DecryptionFailedError, EncryptedFieldMismatchError } from "./errors.js";
 import { loadEnv, createEnvProxy } from "./utils.js";
 import { composeSchema } from "./compose.js";
 import { ExtractEnv, InferEnv } from "./types.js";
+import { generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey } from "./crypto.js";
+import type { KeyPair } from "./crypto.js";
 export { defineSchema, EnvAggregateError, 
 /** @deprecated Use `EnvAggregateError` instead. */
-AggregateError, EnvValidationError, EnvValidator, loadEnv, createEnvProxy, composeSchema, };
-export type { SchemaDefinition, SchemaRule, ExtractEnv, InferEnv };
+AggregateError, EnvValidationError, EncryptionKeyMissingError, DecryptionFailedError, EncryptedFieldMismatchError, EnvValidator, loadEnv, createEnvProxy, composeSchema, generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey, };
+export type { SchemaDefinition, SchemaRule, ExtractEnv, InferEnv, KeyPair };
 export declare function validateEnv(schema: SchemaDefinition, options?: {
     strict?: boolean;
     path?: string;
+    allowPlaintext?: boolean;
+    keysPath?: string;
 }): Record<string, any>;

package/dist/types/schema.d.ts

@@ -12,6 +12,13 @@ export interface SchemaRule {
     validate?: (value: any) => boolean;
     transform?: (value: any) => any;
     sensitive?: boolean;
+    /**
+     * When true, the value must be stored encrypted in the .env file using the
+     * dotenv-gad ECIES scheme. The validator will automatically decrypt the value
+     * before type-checking and returning it to the application.
+     * Use `npx dotenv-gad keygen` and `npx dotenv-gad encrypt` to manage keys.
+     */
+    encrypted?: boolean;
     docs?: string;
     enum?: any[];
     regex?: RegExp;

package/dist/types/utils.d.ts

@@ -1,23 +1,32 @@
 import { SchemaDefinition } from "./schema.js";
 import type { InferEnv } from "./types.js";
 /**
- * Loads environment variables from .env file and validates them against
- * the given schema.
+ * Silently reads and parses a .env file without injecting into process.env.
+ * Returns an empty object when the file does not exist (e.g. Vercel, Railway,
+ * Docker — where env vars are already present in process.env).
+ */
+export declare function readEnvFile(path?: string): Record<string, string>;
+/**
+ * Loads environment variables from a `.env` file (if present) and validates them
+ * against the provided schema.
  *
- * @template S The type of the schema definition.
- * @param {S} schema The schema definition for the environment variables.
- * @param {Object} [options] Optional options for the validation process.
- * @param {boolean} [options.strict] When true, fail on environment variables not present in the schema.
- * @param {boolean} [options.includeRaw] Include raw values in error reports (non-sensitive by default).
- * @param {boolean} [options.includeSensitive] When used with `includeRaw`, will reveal values marked sensitive (use only for local debugging).
- * @param {string} [options.path] Path to the .env file to load (defaults to `.env` in cwd).
- * @returns {InferEnv<S>} The validated environment variables.
+ * @param schema The schema definition for the environment variables.
+ * @param options Optional options for the validation process.
+ * @param options.strict When true, environment variables not present in the schema will be rejected.
+ * @param options.includeRaw When true, include raw values in error reports (non-sensitive by default).
+ * @param options.includeSensitive When true, include values marked sensitive in error reports (use only for local debugging).
+ * @param options.path Path to the `.env` file (defaults to `.env` in cwd).
+ * @param options.allowPlaintext When true, fields with `encrypted: true` that have plaintext values emit a warning instead of an error.
+ * @param options.keysPath Path to the `.env.keys` file containing ENVGAD_PRIVATE_KEY (default: `.env.keys`).
+ * @returns The validated environment variables, typed according to the schema.
  */
 export declare function loadEnv<S extends SchemaDefinition>(schema: S, options?: {
     strict?: boolean;
     includeRaw?: boolean;
     includeSensitive?: boolean;
     path?: string;
+    allowPlaintext?: boolean;
+    keysPath?: string;
 }): InferEnv<S>;
 /**
  * Create a proxy around the validated environment variables. The proxy will

package/dist/types/validator.d.ts

@@ -2,21 +2,61 @@ import { SchemaDefinition } from "./schema.js";
 export declare class EnvValidator {
     private schema;
     private options?;
+    private static readonly EMAIL_REGEX;
+    private static readonly LOCAL_MAX;
+    private static readonly DOMAIN_MAX;
+    private static readonly DOMAIN_PART_MAX;
     private errors;
     /**
      * Constructs a new EnvValidator instance.
      * @param {SchemaDefinition} schema The schema definition for the environment variables.
      * @param {Object} [options] Optional options for the validation process.
      * @param {boolean} [options.strict] When true, environment variables not present in the schema will be rejected.
+     * @param {boolean} [options.allowPlaintext] When true, fields with `encrypted: true` that have plaintext values emit a warning instead of an error. Useful for gradual migration.
+     * @param {string} [options.keysPath] Path to the `.env.keys` file (default: `.env.keys`).
      */
     constructor(schema: SchemaDefinition, options?: {
         strict?: boolean;
         includeRaw?: boolean;
         includeSensitive?: boolean;
+        allowPlaintext?: boolean;
+        keysPath?: string;
     } | undefined);
+    /** Bundler-safe instanceof — checks the symbol marker, not the class name. */
+    static [Symbol.hasInstance](instance: unknown): boolean;
     validate(env: Record<string, string | undefined>): Record<string, any>;
+    /**
+     * Redacts a value to hide its contents, following these rules:
+     * - If `value` is undefined, returns undefined.
+     * - If `sensitive` is true, returns `"****"`.
+     * - If `value` is not a string, returns the original value.
+     * - If `value` is a string longer than 64 characters, truncates it to 4 characters
+     *   at the start and end, and replaces the middle with `"..."`.
+     * - Otherwise, returns the original string.
+     * @param value The value to redact.
+     * @param sensitive If true, redacts the value to `"****"`.
+     */
     private redactValue;
+    /**
+     * Tries to parse the given value as a JSON object.
+     * Returns `{ ok: true, value: JSON.parse(s) }` if successful,
+     * or `{ ok: false }` if not.
+     * The following conditions will cause the function to return `{ ok: false }`:
+     * - `value` is not a string
+     * - `value` is an empty string
+     * - `value` does not start with one of the following characters: `{`, `[`, `"`, `t`, `f`, `n`, or a digit
+     * - `value` cannot be parsed as a JSON object
+     */
     private tryParseJSON;
     private validateKey;
     private getEffectiveRule;
+    /**
+     * Preprocesses environment variables to detect and handle encrypted values.
+     *   1. Decrypts any encrypted values using the private key.
+     *   2. Checks if any plaintext values are present for fields that should be encrypted.
+     *   3. Flags any env value that looks encrypted but the schema doesn't declare encrypted: true.
+     * @returns An object containing the processed environment variables and a set of keys that were skipped due to errors.
+     */
+    private preprocessEncryption;
+    private validateEmail;
 }

package/dist/utils.js

@@ -1,20 +1,38 @@
-import dotenv from "dotenv";
+import { parse as parseEnv } from "dotenv";
+import { readFileSync, existsSync } from "node:fs";
 import { EnvValidator } from "./validator.js";
 /**
- * Loads environment variables from .env file and validates them against
- * the given schema.
+ * Silently reads and parses a .env file without injecting into process.env.
+ * Returns an empty object when the file does not exist (e.g. Vercel, Railway,
+ * Docker — where env vars are already present in process.env).
+ */
+export function readEnvFile(path) {
+    const filePath = path ?? ".env";
+    if (!existsSync(filePath))
+        return {};
+    try {
+        return parseEnv(readFileSync(filePath, "utf-8"));
+    }
+    catch {
+        return {};
+    }
+}
+/**
+ * Loads environment variables from a `.env` file (if present) and validates them
+ * against the provided schema.
  *
- * @template S The type of the schema definition.
- * @param {S} schema The schema definition for the environment variables.
- * @param {Object} [options] Optional options for the validation process.
- * @param {boolean} [options.strict] When true, fail on environment variables not present in the schema.
- * @param {boolean} [options.includeRaw] Include raw values in error reports (non-sensitive by default).
- * @param {boolean} [options.includeSensitive] When used with `includeRaw`, will reveal values marked sensitive (use only for local debugging).
- * @param {string} [options.path] Path to the .env file to load (defaults to `.env` in cwd).
- * @returns {InferEnv<S>} The validated environment variables.
+ * @param schema The schema definition for the environment variables.
+ * @param options Optional options for the validation process.
+ * @param options.strict When true, environment variables not present in the schema will be rejected.
+ * @param options.includeRaw When true, include raw values in error reports (non-sensitive by default).
+ * @param options.includeSensitive When true, include values marked sensitive in error reports (use only for local debugging).
+ * @param options.path Path to the `.env` file (defaults to `.env` in cwd).
+ * @param options.allowPlaintext When true, fields with `encrypted: true` that have plaintext values emit a warning instead of an error.
+ * @param options.keysPath Path to the `.env.keys` file containing ENVGAD_PRIVATE_KEY (default: `.env.keys`).
+ * @returns The validated environment variables, typed according to the schema.
  */
 export function loadEnv(schema, options) {
-    const fileEnv = dotenv.config({ debug: false, path: options?.path }).parsed || {};
+    const fileEnv = readEnvFile(options?.path);
     const env = { ...process.env, ...fileEnv };
     const validator = new EnvValidator(schema, options);
     return validator.validate(env);

package/dist/validator.js

@@ -1,20 +1,38 @@
-import { EnvAggregateError } from "./errors.js";
+import { EnvAggregateError, EncryptionKeyMissingError } from "./errors.js";
+import { decryptEnvValue, isEncryptedValue, loadPrivateKey } from "./crypto.js";
+import net from "net";
+const kValidator = Symbol.for("dotenv-gad.EnvValidator");
 export class EnvValidator {
     schema;
     options;
+    static EMAIL_REGEX = /^[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~](\.?[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~])*@[a-zA-Z0-9](-*\.?[a-zA-Z0-9])*\.[a-zA-Z](-?[a-zA-Z0-9])+$/;
+    static LOCAL_MAX = 64;
+    static DOMAIN_MAX = 255;
+    static DOMAIN_PART_MAX = 63;
     errors = [];
     /**
      * Constructs a new EnvValidator instance.
      * @param {SchemaDefinition} schema The schema definition for the environment variables.
      * @param {Object} [options] Optional options for the validation process.
      * @param {boolean} [options.strict] When true, environment variables not present in the schema will be rejected.
+     * @param {boolean} [options.allowPlaintext] When true, fields with `encrypted: true` that have plaintext values emit a warning instead of an error. Useful for gradual migration.
+     * @param {string} [options.keysPath] Path to the `.env.keys` file (default: `.env.keys`).
      */
     constructor(schema, options) {
         this.schema = schema;
         this.options = options;
+        Object.defineProperty(this, kValidator, { value: true, enumerable: false });
+    }
+    /** Bundler-safe instanceof — checks the symbol marker, not the class name. */
+    static [Symbol.hasInstance](instance) {
+        return (typeof instance === "object" &&
+            instance !== null &&
+            Object.prototype.hasOwnProperty.call(instance, kValidator));
     }
     validate(env) {
         this.errors = [];
+        // First Decrypt encrypted fields and check for schema/value mismatches.
+        const { processedEnv, skipKeys } = this.preprocessEncryption(env);
         const result = {};
         // Build grouping map for object types that support envPrefix.
         // We'll collect all prefixes first and then make a single pass over env keys
@@ -29,29 +47,31 @@ export class EnvValidator {
                 groupedEnv[k] = {};
             }
         }
-        const envKeys = Object.keys(env);
+        const envKeys = Object.keys(processedEnv);
         for (let i = 0; i < envKeys.length; i++) {
             const eKey = envKeys[i];
             for (let j = 0; j < prefixes.length; j++) {
                 const { key, prefix } = prefixes[j];
                 if (eKey.startsWith(prefix)) {
                     const subKey = eKey.slice(prefix.length);
-                    groupedEnv[key][subKey] = env[eKey];
+                    groupedEnv[key][subKey] = processedEnv[eKey];
                 }
             }
         }
-        // Micro-optimization: avoid creating intermediate arrays from Object.entries
         const schemaKeys = Object.keys(this.schema);
         for (let i = 0; i < schemaKeys.length; i++) {
             const key = schemaKeys[i];
             const rule = this.schema[key];
+            // Keys that already have a preprocessing error (encryption mismatch, decryption failure, etc.) get skipped
+            if (skipKeys.has(key))
+                continue;
             try {
                 // If we have grouped values for this key use them (preferred over JSON string)
                 const valToValidate = groupedEnv[key] && Object.keys(groupedEnv[key]).length > 0
                     ? groupedEnv[key]
-                    : env[key];
+                    : processedEnv[key];
                 // If both grouped and a top-level JSON value exist, prefer grouped and warn
-                if (groupedEnv[key] && Object.keys(groupedEnv[key]).length > 0 && env[key] !== undefined) {
+                if (groupedEnv[key] && Object.keys(groupedEnv[key]).length > 0 && processedEnv[key] !== undefined) {
                     console.warn(`Both prefixed variables and top-level ${key} exist; prefixed vars are used`);
                 }
                 // If strict mode is enabled, and this key has grouped env vars, ensure there are no unexpected subkeys
@@ -77,7 +97,7 @@ export class EnvValidator {
                     // - includeRaw: include raw values for non-sensitive fields
                     // - includeSensitive: when used with includeRaw, include raw sensitive values too (use with caution)
                     let displayedValue;
-                    if (env[key] === undefined) {
+                    if (processedEnv[key] === undefined) {
                         displayedValue = undefined;
                     }
                     else if (this.options?.includeRaw) {
@@ -85,11 +105,11 @@ export class EnvValidator {
                             displayedValue = "****";
                         }
                         else {
-                            displayedValue = env[key];
+                            displayedValue = processedEnv[key];
                         }
                     }
                     else {
-                        displayedValue = this.redactValue(env[key], rule.sensitive);
+                        displayedValue = this.redactValue(processedEnv[key], rule.sensitive);
                     }
                     this.errors.push({
                         key,
@@ -123,7 +143,17 @@ export class EnvValidator {
         }
         return result;
     }
-    // Redact or trim sensitive values for error reporting
+    /**
+     * Redacts a value to hide its contents, following these rules:
+     * - If `value` is undefined, returns undefined.
+     * - If `sensitive` is true, returns `"****"`.
+     * - If `value` is not a string, returns the original value.
+     * - If `value` is a string longer than 64 characters, truncates it to 4 characters
+     *   at the start and end, and replaces the middle with `"..."`.
+     * - Otherwise, returns the original string.
+     * @param value The value to redact.
+     * @param sensitive If true, redacts the value to `"****"`.
+     */
     redactValue(value, sensitive) {
         if (value === undefined)
             return undefined;
@@ -136,8 +166,16 @@ export class EnvValidator {
         }
         return value;
     }
-    // Try to quickly determine if a string *might* be JSON before parsing to avoid
-    // costly exceptions in the hot path for clearly non-JSON values.
+    /**
+     * Tries to parse the given value as a JSON object.
+     * Returns `{ ok: true, value: JSON.parse(s) }` if successful,
+     * or `{ ok: false }` if not.
+     * The following conditions will cause the function to return `{ ok: false }`:
+     * - `value` is not a string
+     * - `value` is an empty string
+     * - `value` does not start with one of the following characters: `{`, `[`, `"`, `t`, `f`, `n`, or a digit
+     * - `value` cannot be parsed as a JSON object
+     */
     tryParseJSON(value) {
         if (typeof value !== "string")
             return { ok: false };
@@ -162,12 +200,22 @@ export class EnvValidator {
                 throw new Error(`Missing required environment variable`);
             return effectiveRule.default;
         }
+        if (typeof value === "string") {
+            value = value.trim();
+            // Re-check emptiness after trim in case the value was only whitespace
+            if (value === "") {
+                if (effectiveRule.required)
+                    throw new Error(`Missing required environment variable`);
+                return effectiveRule.default;
+            }
+        }
         if (effectiveRule.transform) {
             value = effectiveRule.transform(value);
         }
         switch (effectiveRule.type) {
             case "string":
-                value = String(value).trim();
+                // value is already trimmed above; cast to string for minLength/maxLength checks
+                value = String(value);
                 if (effectiveRule.minLength !== undefined && value.length < effectiveRule.minLength) {
                     throw new Error(`Environment variable ${key} must be at least ${effectiveRule.minLength} characters`);
                 }
@@ -190,10 +238,10 @@ export class EnvValidator {
             case "boolean":
                 if (typeof value === "string") {
                     value = value.toLowerCase();
-                    if (value === "true") {
+                    if (value === "true" || value === "yes" || value === "1" || value === "on") {
                         value = true;
                     }
-                    else if (value === "false") {
+                    else if (value === "false" || value === "no" || value === "0" || value === "off") {
                         value = false;
                     }
                 }
@@ -218,12 +266,12 @@ export class EnvValidator {
                 }
                 break;
             case "email":
-                if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(String(value))) {
+                if (!this.validateEmail(value)) {
                     throw new Error("Must be a valid email");
                 }
                 break;
             case "ip":
-                if (!/^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/.test(String(value))) {
+                if (!net.isIP(value)) {
                     throw new Error("Must be a valid IP address");
                 }
                 break;
@@ -300,9 +348,104 @@ export class EnvValidator {
         }
         return value;
     }
-    getEffectiveRule(key, rule) {
+    getEffectiveRule(_key, rule) {
         const envName = process.env.NODE_ENV || "development";
         const envRule = rule.env?.[envName] || {};
         return { ...rule, ...envRule };
     }
+    /**
+     * Preprocesses environment variables to detect and handle encrypted values.
+     *   1. Decrypts any encrypted values using the private key.
+     *   2. Checks if any plaintext values are present for fields that should be encrypted.
+     *   3. Flags any env value that looks encrypted but the schema doesn't declare encrypted: true.
+     * @returns An object containing the processed environment variables and a set of keys that were skipped due to errors.
+     */
+    preprocessEncryption(env) {
+        const processedEnv = { ...env };
+        const skipKeys = new Set();
+        const encryptedSchemaKeys = Object.keys(this.schema).filter((k) => this.schema[k].encrypted);
+        if (encryptedSchemaKeys.length > 0) {
+            // Only load the private key when at least one value is already encrypted
+            const needsDecryption = encryptedSchemaKeys.some((k) => processedEnv[k] != null && processedEnv[k] !== "" && isEncryptedValue(processedEnv[k]));
+            let privateKeyHex = null;
+            if (needsDecryption) {
+                privateKeyHex = loadPrivateKey({ keysPath: this.options?.keysPath });
+                if (!privateKeyHex) {
+                    throw new EncryptionKeyMissingError("decryption");
+                }
+            }
+            for (const key of encryptedSchemaKeys) {
+                const value = processedEnv[key];
+                if (value == null || value === "")
+                    continue; // handled by required check in main loop
+                if (isEncryptedValue(value)) {
+                    try {
+                        processedEnv[key] = decryptEnvValue(value, privateKeyHex, key);
+                    }
+                    catch (err) {
+                        this.errors.push({
+                            key,
+                            message: err instanceof Error ? err.message : "Decryption failed",
+                            rule: this.schema[key],
+                        });
+                        skipKeys.add(key);
+                    }
+                }
+                else {
+                    // Plaintext value for a field that should be encrypted
+                    if (this.options?.allowPlaintext) {
+                        console.warn(`[dotenv-gad] "${key}" has a plaintext value but schema declares encrypted: true. ` +
+                            "Run: npx dotenv-gad encrypt");
+                    }
+                    else {
+                        this.errors.push({
+                            key,
+                            message: 'Must be encrypted. Run: npx dotenv-gad encrypt',
+                            rule: this.schema[key],
+                        });
+                        skipKeys.add(key);
+                    }
+                }
+            }
+        }
+        // Flag any env value that looks encrypted but the schema doesn't declare encrypted: true
+        for (const [eKey, value] of Object.entries(processedEnv)) {
+            if (skipKeys.has(eKey))
+                continue;
+            if (value && isEncryptedValue(value) && !this.schema[eKey]?.encrypted) {
+                this.errors.push({
+                    key: eKey,
+                    message: "Encrypted value found but schema does not declare encrypted: true",
+                });
+                skipKeys.add(eKey);
+            }
+        }
+        return { processedEnv, skipKeys };
+    }
+    /*
+   * Email validation logic adapted from:
+   * Project: email-validator
+   *  * Repository: https://github.com/manishsaraan/email-validator
+   *
+   * * Adapted to enforce email validation rules more strictly
+   */
+    validateEmail(email) {
+        if (!email)
+            return false;
+        const emailParts = email.split("@");
+        if (emailParts.length !== 2)
+            return false;
+        const [local, domain] = emailParts;
+        if (local.length > EnvValidator.LOCAL_MAX || domain.length > EnvValidator.DOMAIN_MAX)
+            return false;
+        const domainParts = domain.split(".");
+        if (domainParts.some(part => part.length > EnvValidator.DOMAIN_PART_MAX))
+            return false;
+        return EnvValidator.EMAIL_REGEX.test(email);
+    }
 }
+Object.defineProperty(EnvValidator, "name", {
+    value: "EnvValidator",
+    configurable: true,
+    writable: false,
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dotenv-gad",
-  "version": "1.4.2",
+  "version": "1.5.0",
   "main": "dist/index.js",
   "types": "dist/types/index.d.ts",
   "type": "module",
@@ -100,7 +100,6 @@
     "commander": "^14.0.2",
     "dotenv": "^17.2.3",
     "figlet": "^1.10.0",
-    "inquirer": "^13.2.1",
     "ora": "^9.1.0"
   }
 }