dotenv-gad 1.5.0 → 1.6.0

package/README.md

@@ -4,11 +4,12 @@
 [![CI](https://github.com/kasimlyee/dotenv-gad/actions/workflows/ci.yml/badge.svg)](https://github.com/kasimlyee/dotenv-gad/actions/workflows/ci.yml)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen)](https://nodejs.org)
+[![Bun](https://img.shields.io/badge/bun-%3E%3D1.0-blue)](https://bun.sh)
 [![TypeScript](https://img.shields.io/badge/TypeScript-first--class-blue?logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
 [![Docs](https://img.shields.io/badge/docs-latest-blue?style=flat-square)](https://kasimlyee.github.io/dotenv-gad/)
 [![npm downloads](https://img.shields.io/npm/dm/dotenv-gad.svg)](https://www.npmjs.com/package/dotenv-gad)
 
-**dotenv-gad** is an environment variable validation library that brings type safety, schema validation, and runtime checks to your Node.js and JavaScript applications. It works with any environment variable source — `.env` files, platform dashboards (Vercel, Railway, Docker), CI/CD pipelines, or `process.env` directly.
+**dotenv-gad** is an environment variable validation library that brings type safety, schema validation, and runtime checks to your Node.js, Bun, and JavaScript applications. It works with any environment variable source — `.env` files, platform dashboards (Vercel, Railway, Docker), CI/CD pipelines, or `process.env` directly.
 
 - Type-safe environment variables with full IntelliSense
 - Schema validation (string, number, boolean, url, email, ip, port, json, array, object)
@@ -28,6 +29,8 @@ npm install dotenv-gad
 yarn add dotenv-gad
 # or
 pnpm add dotenv-gad
+# or
+bun add dotenv-gad
 ```
 
 ## Quick Start
@@ -240,6 +243,36 @@ const env = loadEnv(schema);
 // { DATABASE: { DB_NAME: 'mydb', PORT: 5432, PWD: 'supersecret' } }
 ```
 
+## Bun Support
+
+**dotenv-gad** has support for Bun! All features work seamlessly with Bun's runtime.
+
+### Using the CLI with Bun
+
+```bash
+bunx dotenv-gad check
+bunx dotenv-gad keygen
+bunx dotenv-gad encrypt
+```
+
+### Bun Runtime Example
+
+```typescript
+import { loadEnv } from "dotenv-gad";
+import schema from "./env.schema";
+
+const env = loadEnv(schema);
+console.log(`Server running on port ${env.PORT}`);
+
+// Start a Bun HTTP server
+Bun.serve({
+  port: env.PORT,
+  fetch() {
+    return new Response("Hello from Bun with dotenv-gad!");
+  },
+});
+```
+
 ## Framework Integrations
 
 ### Express.js

package/dist/cli/commands/encrypt.js

@@ -9,7 +9,8 @@ import { loadSchema } from "./utils.js";
 export default function (_program) {
     return new Command("encrypt")
         .description("Encrypt plaintext values for fields marked encrypted: true in the schema")
-        .action(async (_opts, command) => {
+        .option("--no-backup", "Skip creating a plaintext .env.bak backup file")
+        .action(async (opts, command) => {
         const rootOpts = command.parent.opts();
         const envPath = rootOpts.env ?? ".env";
         const schemaPath = rootOpts.schema ?? "env.schema.ts";
@@ -72,10 +73,15 @@ export default function (_program) {
                 }
             }
             if (encryptedCount > 0) {
-                copyFileSync(envPath, `${envPath}.bak`);
+                if (opts.backup !== false) {
+                    copyFileSync(envPath, `${envPath}.bak`);
+                }
                 writeFileSync(envPath, updatedContent);
+                const backupNote = opts.backup !== false
+                    ? chalk.yellow(`  ⚠ Backup ${envPath}.bak contains plaintext secrets — delete it after verifying.`)
+                    : chalk.dim(`  No backup created (--no-backup).`);
                 console.log(`\n${chalk.green("✓")} ${encryptedCount} field(s) encrypted in ${chalk.bold(envPath)}\n` +
-                    chalk.dim(`  Backup saved to ${envPath}.bak`));
+                    backupNote);
             }
             else {
                 console.log(chalk.dim("\nNo fields needed encryption."));

package/dist/cli/commands/utils.js

@@ -41,12 +41,18 @@ export async function applyFix(issues, schema, envPath = ".env") {
             }
             // Sanitize: strip newlines and carriage returns to prevent .env injection
             const sanitized = input.replace(/[\r\n]/g, "");
+            // Quote the value if it contains characters with special meaning in .env files
+            // (#  starts a comment, leading/trailing spaces are stripped without quotes)
+            const needsQuoting = /[#"\\]/.test(sanitized) || sanitized !== sanitized.trim();
+            const envValue = needsQuoting
+                ? `"${sanitized.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`
+                : sanitized;
             const lineIndex = envLines.findIndex((line) => line.startsWith(`${key}=`));
             if (lineIndex >= 0) {
-                envLines[lineIndex] = `${key}=${sanitized}`;
+                envLines[lineIndex] = `${key}=${envValue}`;
             }
             else {
-                envLines.push(`${key}=${sanitized}`);
+                envLines.push(`${key}=${envValue}`);
             }
         }
     }

package/dist/crypto.js

@@ -1,6 +1,8 @@
-import { createCipheriv, createDecipheriv, createPrivateKey, createPublicKey, diffieHellman, generateKeyPairSync, hkdfSync, randomBytes, } from "node:crypto";
+import { createPrivateKey, createPublicKey, diffieHellman, generateKeyPairSync, hkdfSync, randomBytes, } from "node:crypto";
+import { chacha20poly1305 } from "@noble/ciphers/chacha.js";
 import { existsSync, readFileSync } from "node:fs";
 import { DecryptionFailedError } from "./errors.js";
+import { getEnv } from "./runtime.js";
 const SPKI_PREFIX = Buffer.from("302a300506032b656e032100", "hex");
 const RAW_KEY_LENGTH = 32;
 const NONCE_LENGTH = 12;
@@ -54,12 +56,12 @@ export function encryptEnvValue(plaintext, recipientPublicKeyHex, varName) {
     });
     const encKey = Buffer.from(hkdfSync("sha256", sharedSecret, HKDF_SALT, HKDF_INFO, 32));
     const nonce = randomBytes(NONCE_LENGTH);
-    const cipher = createCipheriv("chacha20-poly1305", encKey, nonce, { authTagLength: AUTH_TAG_LENGTH });
-    cipher.setAAD(Buffer.from(`${AAD_PREFIX}${varName}`));
-    const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
-    const authTag = cipher.getAuthTag();
+    const aad = Buffer.from(`${AAD_PREFIX}${varName}`);
+    const cipher = chacha20poly1305(encKey, nonce, aad);
+    // encrypt() returns ciphertext || 16-byte auth tag concatenated
+    const encrypted = cipher.encrypt(Buffer.from(plaintext, "utf8"));
     const rawEphPubKey = ephSpki.subarray(SPKI_PREFIX.length);
-    const payload = Buffer.concat([rawEphPubKey, nonce, ciphertext, authTag]);
+    const payload = Buffer.concat([rawEphPubKey, nonce, encrypted]);
     return `${PROTOCOL_PREFIX}${ENCRYPTION_VERSION}:${payload.toString("base64")}`;
 }
 /**
@@ -94,9 +96,8 @@ export function decryptEnvValue(token, privateKeyHex, varName) {
     }
     const rawEphPubKey = payload.subarray(0, RAW_KEY_LENGTH);
     const nonce = payload.subarray(RAW_KEY_LENGTH, RAW_KEY_LENGTH + NONCE_LENGTH);
-    const rest = payload.subarray(RAW_KEY_LENGTH + NONCE_LENGTH);
-    const authTag = rest.subarray(rest.length - AUTH_TAG_LENGTH);
-    const ciphertext = rest.subarray(0, rest.length - AUTH_TAG_LENGTH);
+    // rest = ciphertext || 16-byte auth tag (as produced by @noble/ciphers encrypt)
+    const encrypted = payload.subarray(RAW_KEY_LENGTH + NONCE_LENGTH);
     const ephSpki = Buffer.concat([SPKI_PREFIX, rawEphPubKey]);
     // ECDH: recipient private × ephemeral public → shared secret
     const pkcs8 = Buffer.from(privateKeyHex, "hex");
@@ -106,12 +107,11 @@ export function decryptEnvValue(token, privateKeyHex, varName) {
     });
     // HKDF-SHA256: same derivation as encryption
     const encKey = Buffer.from(hkdfSync("sha256", sharedSecret, HKDF_SALT, HKDF_INFO, 32));
-    const decipher = createDecipheriv("chacha20-poly1305", encKey, nonce, { authTagLength: AUTH_TAG_LENGTH });
-    decipher.setAAD(Buffer.from(`${AAD_PREFIX}${varName}`));
-    decipher.setAuthTag(authTag);
+    const aad = Buffer.from(`${AAD_PREFIX}${varName}`);
+    const decipher = chacha20poly1305(encKey, nonce, aad);
     try {
-        const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-        return plaintext.toString("utf8");
+        const plaintext = decipher.decrypt(encrypted);
+        return Buffer.from(plaintext).toString("utf8");
     }
     catch {
         throw new DecryptionFailedError(varName);
@@ -151,8 +151,11 @@ export function loadPrivateKey(options = {}) {
             return key;
         }
     }
-    const envKey = process.env.ENVGAD_PRIVATE_KEY;
+    const runtimeEnv = getEnv();
+    const envKey = runtimeEnv.ENVGAD_PRIVATE_KEY;
     if (envKey) {
+        // Remove the key from environment after reading for security
+        delete runtimeEnv.ENVGAD_PRIVATE_KEY;
         if (!/^[a-fA-F0-9]+$/.test(envKey) || envKey.length !== PRIVATE_KEY_HEX_LENGTH) {
             throw new Error(`Invalid ENVGAD_PRIVATE_KEY format (expected ${PRIVATE_KEY_HEX_LENGTH}-char hex-encoded PKCS8 DER, got ${envKey.length} chars)`);
         }

package/dist/index.cjs

@@ -43,6 +43,10 @@ __export(src_exports, {
   defineSchema: () => defineSchema,
   encryptEnvValue: () => encryptEnvValue,
   generateKeyPair: () => generateKeyPair,
+  getEnv: () => getEnv,
+  getRuntimeName: () => getRuntimeName,
+  getRuntimeVersion: () => getRuntimeVersion,
+  isBun: () => isBun,
   isEncryptedValue: () => isEncryptedValue,
   loadEnv: () => loadEnv,
   loadPrivateKey: () => loadPrivateKey,
@@ -144,7 +148,30 @@ var EncryptedFieldMismatchError = class _EncryptedFieldMismatchError extends Err
 
 // src/crypto.ts
 var import_node_crypto = require("crypto");
+var import_chacha = require("@noble/ciphers/chacha.js");
 var import_node_fs = require("fs");
+
+// src/runtime.ts
+function isBun() {
+  return typeof globalThis.Bun !== "undefined";
+}
+function getEnv() {
+  if (isBun() && typeof globalThis.Bun.env !== "undefined") {
+    return globalThis.Bun.env;
+  }
+  return process.env;
+}
+function getRuntimeName() {
+  return isBun() ? "Bun" : "Node.js";
+}
+function getRuntimeVersion() {
+  if (isBun()) {
+    return globalThis.Bun.version || "unknown";
+  }
+  return process.version;
+}
+
+// src/crypto.ts
 var SPKI_PREFIX = Buffer.from("302a300506032b656e032100", "hex");
 var RAW_KEY_LENGTH = 32;
 var NONCE_LENGTH = 12;
@@ -184,17 +211,11 @@ function encryptEnvValue(plaintext, recipientPublicKeyHex, varName) {
     (0, import_node_crypto.hkdfSync)("sha256", sharedSecret, HKDF_SALT, HKDF_INFO, 32)
   );
   const nonce = (0, import_node_crypto.randomBytes)(NONCE_LENGTH);
-  const cipher = (0, import_node_crypto.createCipheriv)(
-    "chacha20-poly1305",
-    encKey,
-    nonce,
-    { authTagLength: AUTH_TAG_LENGTH }
-  );
-  cipher.setAAD(Buffer.from(`${AAD_PREFIX}${varName}`));
-  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
-  const authTag = cipher.getAuthTag();
+  const aad = Buffer.from(`${AAD_PREFIX}${varName}`);
+  const cipher = (0, import_chacha.chacha20poly1305)(encKey, nonce, aad);
+  const encrypted = cipher.encrypt(Buffer.from(plaintext, "utf8"));
   const rawEphPubKey = ephSpki.subarray(SPKI_PREFIX.length);
-  const payload = Buffer.concat([rawEphPubKey, nonce, ciphertext, authTag]);
+  const payload = Buffer.concat([rawEphPubKey, nonce, encrypted]);
   return `${PROTOCOL_PREFIX}${ENCRYPTION_VERSION}:${payload.toString("base64")}`;
 }
 function decryptEnvValue(token, privateKeyHex, varName) {
@@ -222,9 +243,7 @@ function decryptEnvValue(token, privateKeyHex, varName) {
   }
   const rawEphPubKey = payload.subarray(0, RAW_KEY_LENGTH);
   const nonce = payload.subarray(RAW_KEY_LENGTH, RAW_KEY_LENGTH + NONCE_LENGTH);
-  const rest = payload.subarray(RAW_KEY_LENGTH + NONCE_LENGTH);
-  const authTag = rest.subarray(rest.length - AUTH_TAG_LENGTH);
-  const ciphertext = rest.subarray(0, rest.length - AUTH_TAG_LENGTH);
+  const encrypted = payload.subarray(RAW_KEY_LENGTH + NONCE_LENGTH);
   const ephSpki = Buffer.concat([SPKI_PREFIX, rawEphPubKey]);
   const pkcs8 = Buffer.from(privateKeyHex, "hex");
   const sharedSecret = (0, import_node_crypto.diffieHellman)({
@@ -234,17 +253,11 @@ function decryptEnvValue(token, privateKeyHex, varName) {
   const encKey = Buffer.from(
     (0, import_node_crypto.hkdfSync)("sha256", sharedSecret, HKDF_SALT, HKDF_INFO, 32)
   );
-  const decipher = (0, import_node_crypto.createDecipheriv)(
-    "chacha20-poly1305",
-    encKey,
-    nonce,
-    { authTagLength: AUTH_TAG_LENGTH }
-  );
-  decipher.setAAD(Buffer.from(`${AAD_PREFIX}${varName}`));
-  decipher.setAuthTag(authTag);
+  const aad = Buffer.from(`${AAD_PREFIX}${varName}`);
+  const decipher = (0, import_chacha.chacha20poly1305)(encKey, nonce, aad);
   try {
-    const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-    return plaintext.toString("utf8");
+    const plaintext = decipher.decrypt(encrypted);
+    return Buffer.from(plaintext).toString("utf8");
   } catch {
     throw new DecryptionFailedError(varName);
   }
@@ -267,8 +280,10 @@ function loadPrivateKey(options = {}) {
       return key;
     }
   }
-  const envKey = process.env.ENVGAD_PRIVATE_KEY;
+  const runtimeEnv = getEnv();
+  const envKey = runtimeEnv.ENVGAD_PRIVATE_KEY;
   if (envKey) {
+    delete runtimeEnv.ENVGAD_PRIVATE_KEY;
     if (!/^[a-fA-F0-9]+$/.test(envKey) || envKey.length !== PRIVATE_KEY_HEX_LENGTH) {
       throw new Error(
         `Invalid ENVGAD_PRIVATE_KEY format (expected ${PRIVATE_KEY_HEX_LENGTH}-char hex-encoded PKCS8 DER, got ${envKey.length} chars)`
@@ -296,7 +311,7 @@ var EnvValidator = class _EnvValidator {
     this.options = options;
     Object.defineProperty(this, kValidator, { value: true, enumerable: false });
   }
-  static EMAIL_REGEX = /^[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~](\.?[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~])*@[a-zA-Z0-9](-*\.?[a-zA-Z0-9])*\.[a-zA-Z](-?[a-zA-Z0-9])+$/;
+  static EMAIL_REGEX = /^[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~](\.?[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~])*@[a-zA-Z0-9](-?\.?[a-zA-Z0-9])*\.[a-zA-Z](-?[a-zA-Z0-9])+$/;
   static LOCAL_MAX = 64;
   static DOMAIN_MAX = 255;
   static DOMAIN_PART_MAX = 63;
@@ -616,7 +631,8 @@ var EnvValidator = class _EnvValidator {
     return value;
   }
   getEffectiveRule(_key, rule) {
-    const envName = process.env.NODE_ENV || "development";
+    const runtimeEnv = getEnv();
+    const envName = runtimeEnv.NODE_ENV || "development";
     const envRule = rule.env?.[envName] || {};
     return { ...rule, ...envRule };
   }
@@ -722,14 +738,25 @@ function readEnvFile(path) {
   const filePath = path ?? ".env";
   if (!(0, import_node_fs2.existsSync)(filePath)) return {};
   try {
-    return (0, import_dotenv.parse)((0, import_node_fs2.readFileSync)(filePath, "utf-8"));
-  } catch {
+    let content;
+    if (isBun() && typeof globalThis.Bun?.file === "function") {
+      const file = globalThis.Bun.file(filePath);
+      content = file.text ? typeof file.text === "function" ? file.text() : file.text : (0, import_node_fs2.readFileSync)(filePath, "utf-8");
+      content = (0, import_node_fs2.readFileSync)(filePath, "utf-8");
+    } else {
+      content = (0, import_node_fs2.readFileSync)(filePath, "utf-8");
+    }
+    return (0, import_dotenv.parse)(content);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.warn(`[dotenv-gad] Failed to parse ${filePath}: ${message}`);
     return {};
   }
 }
 function loadEnv(schema, options) {
   const fileEnv = readEnvFile(options?.path);
-  const env = { ...process.env, ...fileEnv };
+  const runtimeEnv = getEnv();
+  const env = { ...runtimeEnv, ...fileEnv };
   const validator = new EnvValidator(schema, options);
   return validator.validate(env);
 }
@@ -780,6 +807,10 @@ function validateEnv(schema, options) {
   defineSchema,
   encryptEnvValue,
   generateKeyPair,
+  getEnv,
+  getRuntimeName,
+  getRuntimeVersion,
+  isBun,
   isEncryptedValue,
   loadEnv,
   loadPrivateKey,

package/dist/index.js

@@ -5,9 +5,10 @@ import { loadEnv, createEnvProxy } from "./utils.js";
 import { composeSchema } from "./compose.js";
 import { generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey, } from "./crypto.js";
 import { readEnvFile } from "./utils.js";
+import { isBun, getEnv, getRuntimeName, getRuntimeVersion } from "./runtime.js";
 export { defineSchema, EnvAggregateError, 
 /** @deprecated Use `EnvAggregateError` instead. */
-AggregateError, EnvValidationError, EncryptionKeyMissingError, DecryptionFailedError, EncryptedFieldMismatchError, EnvValidator, loadEnv, createEnvProxy, composeSchema, generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey, };
+AggregateError, EnvValidationError, EncryptionKeyMissingError, DecryptionFailedError, EncryptedFieldMismatchError, EnvValidator, loadEnv, createEnvProxy, composeSchema, generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey, isBun, getEnv, getRuntimeName, getRuntimeVersion, };
 export function validateEnv(schema, options) {
     const fileEnv = readEnvFile(options?.path);
     const env = { ...process.env, ...fileEnv };

package/dist/runtime.js

@@ -0,0 +1,43 @@
+/**
+ * Runtime detection and compatibility utilities for Node.js and Bun.
+ *
+ * This module provides utilities to detect the current runtime environment
+ * and offers optimized implementations based on the runtime.
+ */
+/**
+ * Checks if the current runtime is Bun.
+ * @returns true if running in Bun, false otherwise
+ */
+export function isBun() {
+    return typeof globalThis.Bun !== 'undefined';
+}
+/**
+ * Gets the appropriate environment object for the current runtime.
+ * In Bun, this returns Bun.env, in Node.js it returns process.env.
+ * Both are compatible, but Bun.env may have better performance in Bun.
+ *
+ * @returns The environment variables object
+ */
+export function getEnv() {
+    if (isBun() && typeof globalThis.Bun.env !== 'undefined') {
+        return globalThis.Bun.env;
+    }
+    return process.env;
+}
+/**
+ * Gets the current runtime name for logging/debugging purposes.
+ * @returns "Bun" or "Node.js"
+ */
+export function getRuntimeName() {
+    return isBun() ? 'Bun' : 'Node.js';
+}
+/**
+ * Gets the runtime version string.
+ * @returns The version of the current runtime
+ */
+export function getRuntimeVersion() {
+    if (isBun()) {
+        return globalThis.Bun.version || 'unknown';
+    }
+    return process.version;
+}

package/dist/schema-loader.js

@@ -4,14 +4,17 @@
  * Deliberately free of CLI-only dependencies (chalk, inquirer) so it can be
  * imported by the Vite plugin without pulling in heavy Node packages.
  *
- * esbuild is required only when loading `.ts` schemas and is imported
+ * esbuild is required only when loading `.ts` schemas in Node.js and is imported
  * lazily via `await import("esbuild")` so the module itself has no
  * top-level dependency on it.
+ *
+ * In Bun, TypeScript files are loaded directly without transpilation.
  */
 import { readFileSync, writeFileSync, unlinkSync, existsSync } from "fs";
 import { dirname, join, resolve } from "path";
 import { fileURLToPath, pathToFileURL } from "url";
 import { randomBytes } from "crypto";
+import { isBun } from "./runtime.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 async function importModule(filePath) {
     const fileUrl = pathToFileURL(filePath).href;
@@ -23,6 +26,11 @@ async function importModule(filePath) {
     return schema;
 }
 async function loadTsModule(tsFilePath) {
+    // Bun can import TypeScript files directly without transpilation
+    if (isBun()) {
+        return await importModule(tsFilePath);
+    }
+    // Node.js requires transpilation via esbuild
     const tempFile = join(__dirname, `../temp-schema-${randomBytes(8).toString("hex")}.mjs`);
     try {
         const { transformSync } = await import("esbuild");
@@ -32,7 +40,7 @@ async function loadTsModule(tsFilePath) {
             loader: "ts",
             target: "esnext",
         });
-        writeFileSync(tempFile, code);
+        writeFileSync(tempFile, code, { mode: 0o600 });
         return await importModule(tempFile);
     }
     finally {
@@ -45,7 +53,8 @@ async function loadTsModule(tsFilePath) {
  * Loads a schema from a file.
  *
  * Supports `.ts`, `.js`, `.mjs`, `.cjs`, and `.json` formats.
- * TypeScript files are transpiled on-the-fly via esbuild (loaded lazily).
+ * TypeScript files are loaded natively in Bun, or transpiled on-the-fly
+ * via esbuild in Node.js (loaded lazily).
  */
 export async function loadSchema(schemaPath) {
     const absPath = resolve(schemaPath);

package/dist/types/index.d.ts

@@ -6,9 +6,10 @@ import { composeSchema } from "./compose.js";
 import { ExtractEnv, InferEnv } from "./types.js";
 import { generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey } from "./crypto.js";
 import type { KeyPair } from "./crypto.js";
+import { isBun, getEnv, getRuntimeName, getRuntimeVersion } from "./runtime.js";
 export { defineSchema, EnvAggregateError, 
 /** @deprecated Use `EnvAggregateError` instead. */
-AggregateError, EnvValidationError, EncryptionKeyMissingError, DecryptionFailedError, EncryptedFieldMismatchError, EnvValidator, loadEnv, createEnvProxy, composeSchema, generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey, };
+AggregateError, EnvValidationError, EncryptionKeyMissingError, DecryptionFailedError, EncryptedFieldMismatchError, EnvValidator, loadEnv, createEnvProxy, composeSchema, generateKeyPair, encryptEnvValue, decryptEnvValue, isEncryptedValue, loadPrivateKey, isBun, getEnv, getRuntimeName, getRuntimeVersion, };
 export type { SchemaDefinition, SchemaRule, ExtractEnv, InferEnv, KeyPair };
 export declare function validateEnv(schema: SchemaDefinition, options?: {
     strict?: boolean;

package/dist/types/runtime.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Runtime detection and compatibility utilities for Node.js and Bun.
+ *
+ * This module provides utilities to detect the current runtime environment
+ * and offers optimized implementations based on the runtime.
+ */
+/**
+ * Checks if the current runtime is Bun.
+ * @returns true if running in Bun, false otherwise
+ */
+export declare function isBun(): boolean;
+/**
+ * Gets the appropriate environment object for the current runtime.
+ * In Bun, this returns Bun.env, in Node.js it returns process.env.
+ * Both are compatible, but Bun.env may have better performance in Bun.
+ *
+ * @returns The environment variables object
+ */
+export declare function getEnv(): Record<string, string | undefined>;
+/**
+ * Gets the current runtime name for logging/debugging purposes.
+ * @returns "Bun" or "Node.js"
+ */
+export declare function getRuntimeName(): string;
+/**
+ * Gets the runtime version string.
+ * @returns The version of the current runtime
+ */
+export declare function getRuntimeVersion(): string;

package/dist/types/schema-loader.d.ts

@@ -4,15 +4,18 @@
  * Deliberately free of CLI-only dependencies (chalk, inquirer) so it can be
  * imported by the Vite plugin without pulling in heavy Node packages.
  *
- * esbuild is required only when loading `.ts` schemas and is imported
+ * esbuild is required only when loading `.ts` schemas in Node.js and is imported
  * lazily via `await import("esbuild")` so the module itself has no
  * top-level dependency on it.
+ *
+ * In Bun, TypeScript files are loaded directly without transpilation.
  */
 import type { SchemaDefinition } from "./schema.js";
 /**
  * Loads a schema from a file.
  *
  * Supports `.ts`, `.js`, `.mjs`, `.cjs`, and `.json` formats.
- * TypeScript files are transpiled on-the-fly via esbuild (loaded lazily).
+ * TypeScript files are loaded natively in Bun, or transpiled on-the-fly
+ * via esbuild in Node.js (loaded lazily).
  */
 export declare function loadSchema(schemaPath: string): Promise<SchemaDefinition>;

package/dist/types/utils.d.ts

@@ -4,6 +4,8 @@ import type { InferEnv } from "./types.js";
  * Silently reads and parses a .env file without injecting into process.env.
  * Returns an empty object when the file does not exist (e.g. Vercel, Railway,
  * Docker — where env vars are already present in process.env).
+ *
+ * In Bun, this uses Bun's optimized file reading when available.
  */
 export declare function readEnvFile(path?: string): Record<string, string>;
 /**

package/dist/utils.js

@@ -1,19 +1,36 @@
 import { parse as parseEnv } from "dotenv";
 import { readFileSync, existsSync } from "node:fs";
 import { EnvValidator } from "./validator.js";
+import { isBun, getEnv } from "./runtime.js";
 /**
  * Silently reads and parses a .env file without injecting into process.env.
  * Returns an empty object when the file does not exist (e.g. Vercel, Railway,
  * Docker — where env vars are already present in process.env).
+ *
+ * In Bun, this uses Bun's optimized file reading when available.
  */
 export function readEnvFile(path) {
     const filePath = path ?? ".env";
     if (!existsSync(filePath))
         return {};
     try {
-        return parseEnv(readFileSync(filePath, "utf-8"));
+        // Use Bun's file reading when available for better performance
+        let content;
+        if (isBun() && typeof globalThis.Bun?.file === 'function') {
+            // Bun's synchronous text reading
+            const file = globalThis.Bun.file(filePath);
+            content = file.text ? (typeof file.text === 'function' ? file.text() : file.text) : readFileSync(filePath, "utf-8");
+            // Note: Bun.file().text() is async, so fallback to readFileSync for sync operation
+            content = readFileSync(filePath, "utf-8");
+        }
+        else {
+            content = readFileSync(filePath, "utf-8");
+        }
+        return parseEnv(content);
     }
-    catch {
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        console.warn(`[dotenv-gad] Failed to parse ${filePath}: ${message}`);
         return {};
     }
 }
@@ -33,7 +50,9 @@ export function readEnvFile(path) {
  */
 export function loadEnv(schema, options) {
     const fileEnv = readEnvFile(options?.path);
-    const env = { ...process.env, ...fileEnv };
+    // Use runtime-aware environment getter (process.env or Bun.env)
+    const runtimeEnv = getEnv();
+    const env = { ...runtimeEnv, ...fileEnv };
     const validator = new EnvValidator(schema, options);
     return validator.validate(env);
 }

package/dist/validator.js

@@ -1,11 +1,12 @@
 import { EnvAggregateError, EncryptionKeyMissingError } from "./errors.js";
 import { decryptEnvValue, isEncryptedValue, loadPrivateKey } from "./crypto.js";
+import { getEnv } from "./runtime.js";
 import net from "net";
 const kValidator = Symbol.for("dotenv-gad.EnvValidator");
 export class EnvValidator {
     schema;
     options;
-    static EMAIL_REGEX = /^[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~](\.?[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~])*@[a-zA-Z0-9](-*\.?[a-zA-Z0-9])*\.[a-zA-Z](-?[a-zA-Z0-9])+$/;
+    static EMAIL_REGEX = /^[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~](\.?[-!#$%&'*+\/0-9=?A-Z^_a-z`{|}~])*@[a-zA-Z0-9](-?\.?[a-zA-Z0-9])*\.[a-zA-Z](-?[a-zA-Z0-9])+$/;
     static LOCAL_MAX = 64;
     static DOMAIN_MAX = 255;
     static DOMAIN_PART_MAX = 63;
@@ -349,7 +350,8 @@ export class EnvValidator {
         return value;
     }
     getEffectiveRule(_key, rule) {
-        const envName = process.env.NODE_ENV || "development";
+        const runtimeEnv = getEnv();
+        const envName = runtimeEnv.NODE_ENV || "development";
         const envRule = rule.env?.[envName] || {};
         return { ...rule, ...envRule };
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dotenv-gad",
-  "version": "1.5.0",
+  "version": "1.6.0",
   "main": "dist/index.js",
   "types": "dist/types/index.d.ts",
   "type": "module",
@@ -32,10 +32,12 @@
     "config",
     "type-safe",
     "nodejs",
+    "bun",
     "cli"
   ],
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=18.0.0",
+    "bun": ">=1.0.0"
   },
   "exports": {
     ".": {
@@ -63,7 +65,7 @@
   ],
   "author": "Kasim Lyee",
   "license": "MIT",
-  "description": "Environment variable validation and type safety for Node.js and modern JavaScript applications",
+  "description": "Environment variable validation and type safety for Node.js, Bun, and modern JavaScript applications",
   "repository": {
     "type": "git",
     "url": "https://github.com/kasimlyee/dotenv-gad.git"
@@ -96,6 +98,7 @@
     "esbuild": "^0.27.2"
   },
   "dependencies": {
+    "@noble/ciphers": "2.2.0",
     "chalk": "^5.6.2",
     "commander": "^14.0.2",
     "dotenv": "^17.2.3",