dotsec 1.0.0-alpha.2 → 1.0.0-alpha.20

package/dist/ds/cli.js

@@ -1,1111 +0,0 @@
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __defProps = Object.defineProperties;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getOwnPropSymbols = Object.getOwnPropertySymbols;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __propIsEnum = Object.prototype.propertyIsEnumerable;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __spreadValues = (a, b) => {
-  for (var prop in b || (b = {}))
-    if (__hasOwnProp.call(b, prop))
-      __defNormalProp(a, prop, b[prop]);
-  if (__getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(b)) {
-      if (__propIsEnum.call(b, prop))
-        __defNormalProp(a, prop, b[prop]);
-    }
-  return a;
-};
-var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
-var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
-var __reExport = (target, module2, desc) => {
-  if (module2 && typeof module2 === "object" || typeof module2 === "function") {
-    for (let key of __getOwnPropNames(module2))
-      if (!__hasOwnProp.call(target, key) && key !== "default")
-        __defProp(target, key, { get: () => module2[key], enumerable: !(desc = __getOwnPropDesc(module2, key)) || desc.enumerable });
-  }
-  return target;
-};
-var __toModule = (module2) => {
-  return __reExport(__markAsModule(__defProp(module2 != null ? __create(__getProtoOf(module2)) : {}, "default", module2 && module2.__esModule && "default" in module2 ? { get: () => module2.default, enumerable: true } : { value: module2, enumerable: true })), module2);
-};
-
-// src/ds/cli.ts
-var import_commander2 = __toModule(require("commander"));
-
-// src/ds/commands/run.ts
-var import_node_fs = __toModule(require("node:fs"));
-var import_commander = __toModule(require("commander"));
-var import_cross_spawn = __toModule(require("cross-spawn"));
-var import_dotenv = __toModule(require("dotenv"));
-
-// src/utils/getCredentialsProfileRegion.ts
-var import_credential_providers = __toModule(require("@aws-sdk/credential-providers"));
-var import_shared_ini_file_loader = __toModule(require("@aws-sdk/shared-ini-file-loader"));
-
-// src/utils/logger.ts
-var import_chalk = __toModule(require("chalk"));
-var import_cli_highlight = __toModule(require("cli-highlight"));
-var _logger;
-var getLogger = () => {
-  if (!_logger) {
-    _logger = console;
-  }
-  return _logger;
-};
-var emphasis = (str) => import_chalk.default.yellowBright(str);
-var strong = (str) => import_chalk.default.yellow.bold(str);
-var myTheme = {
-  attr: import_chalk.default.yellow.bold,
-  string: import_chalk.default.yellowBright.dim,
-  params: import_chalk.default.red,
-  deletion: import_chalk.default.red.strikethrough,
-  number: import_cli_highlight.plain
-};
-var prettyCode = (str) => {
-  return (0, import_cli_highlight.highlight)(str, { theme: myTheme });
-};
-
-// src/utils/getCredentialsProfileRegion.ts
-var getCredentialsProfileRegion = async ({
-  argv,
-  env
-}) => {
-  var _a, _b, _c;
-  const sharedConfigFiles = await (0, import_shared_ini_file_loader.loadSharedConfigFiles)();
-  let credentialsAndOrigin = void 0;
-  let profileAndOrigin = void 0;
-  let regionAndOrigin = void 0;
-  if (argv.profile) {
-    profileAndOrigin = {
-      value: argv.profile,
-      origin: `command line option: ${emphasis(argv.profile)}`
-    };
-    credentialsAndOrigin = {
-      value: await (0, import_credential_providers.fromIni)({
-        profile: argv.profile
-      })(),
-      origin: `${emphasis(`[${argv.profile}]`)} in credentials file`
-    };
-  } else if (env.AWS_PROFILE) {
-    profileAndOrigin = {
-      value: env.AWS_PROFILE,
-      origin: `env variable ${emphasis("AWS_PROFILE")}: ${strong(env.AWS_PROFILE)}`
-    };
-    credentialsAndOrigin = {
-      value: await (0, import_credential_providers.fromIni)({
-        profile: env.AWS_PROFILE
-      })(),
-      origin: `env variable ${emphasis("AWS_PROFILE")}: ${strong(env.AWS_PROFILE)}`
-    };
-  } else if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
-    credentialsAndOrigin = {
-      value: await (0, import_credential_providers.fromEnv)()(),
-      origin: `env variables ${emphasis("AWS_ACCESS_KEY_ID")} and ${emphasis("AWS_SECRET_ACCESS_KEY")}`
-    };
-  } else if ((_a = sharedConfigFiles.credentialsFile) == null ? void 0 : _a.default) {
-    profileAndOrigin = {
-      value: "default",
-      origin: `${emphasis("[default]")} in credentials file`
-    };
-    credentialsAndOrigin = {
-      value: await (0, import_credential_providers.fromIni)({
-        profile: "default"
-      })(),
-      origin: `profile ${emphasis("[default]")}`
-    };
-  }
-  if (argv.region) {
-    regionAndOrigin = {
-      value: argv.region,
-      origin: `command line option: ${emphasis(argv.region)}`
-    };
-  } else if (env.AWS_REGION) {
-    regionAndOrigin = {
-      value: env.AWS_REGION,
-      origin: `env variable ${emphasis("AWS_REGION")}: ${strong(env.AWS_REGION)}`
-    };
-  } else if (env.AWS_DEFAULT_REGION) {
-    regionAndOrigin = {
-      value: env.AWS_DEFAULT_REGION,
-      origin: `env variable ${emphasis("AWS_DEFAULT_REGION")}: ${strong(env.AWS_DEFAULT_REGION)}`
-    };
-  } else if (profileAndOrigin) {
-    const foundRegion = (_c = (_b = sharedConfigFiles == null ? void 0 : sharedConfigFiles.configFile) == null ? void 0 : _b[profileAndOrigin.value]) == null ? void 0 : _c.region;
-    if (foundRegion) {
-      regionAndOrigin = {
-        value: foundRegion,
-        origin: `${emphasis(`[profile ${profileAndOrigin.value}]`)} in config file`
-      };
-    }
-  }
-  const assumedRole = argv.assumeRoleArn || env.AWS_ASSUME_ROLE_ARN;
-  if (assumedRole) {
-    const origin = argv.assumeRoleArn ? "command line option" : "env variable";
-    credentialsAndOrigin = {
-      value: await (0, import_credential_providers.fromTemporaryCredentials)({
-        masterCredentials: credentialsAndOrigin == null ? void 0 : credentialsAndOrigin.value,
-        params: {
-          DurationSeconds: argv.assumeRoleSessionDuration || Number(env.AWS_ASSUME_ROLE_SESSION_DURATION) || 3600,
-          RoleArn: assumedRole
-        },
-        clientConfig: {
-          region: regionAndOrigin == null ? void 0 : regionAndOrigin.value
-        }
-      })(),
-      origin: `${origin} ${emphasis(`[${assumedRole}]`)}`
-    };
-  }
-  return { credentialsAndOrigin, regionAndOrigin, profileAndOrigin };
-};
-var printVerboseCredentialsProfileRegion = ({
-  credentialsAndOrigin,
-  regionAndOrigin,
-  profileAndOrigin
-}) => {
-  const out = [];
-  if (profileAndOrigin) {
-    out.push(`Got profile name from ${profileAndOrigin.origin}`);
-  }
-  if (credentialsAndOrigin) {
-    out.push(`Resolved credentials from ${credentialsAndOrigin.origin}`);
-  }
-  if (regionAndOrigin) {
-    out.push(`Resolved region from ${regionAndOrigin.origin}`);
-  }
-  return out.join("\n");
-};
-
-// src/lib/partial-commands/handleCredentialsAndRegion.ts
-var handleCredentialsAndRegion = async ({
-  argv,
-  env
-}) => {
-  const { credentialsAndOrigin, regionAndOrigin, profileAndOrigin } = await getCredentialsProfileRegion({
-    argv: {
-      region: argv.awsRegion,
-      profile: argv.awsProfile,
-      assumeRoleArn: argv.awsAssumeRoleArn,
-      assumeRoleSessionDuration: argv.awsAssumeRoleSessionDuration
-    },
-    env: __spreadValues({}, env)
-  });
-  if (argv.verbose === true) {
-    console.log(printVerboseCredentialsProfileRegion({
-      credentialsAndOrigin,
-      regionAndOrigin,
-      profileAndOrigin
-    }));
-  }
-  if (!credentialsAndOrigin || !regionAndOrigin) {
-    if (!credentialsAndOrigin) {
-      console.error("Could not find credentials");
-      throw new Error("Could not find credentials");
-    }
-    if (!regionAndOrigin) {
-      console.error("Could not find region");
-      throw new Error("Could not find region");
-    }
-  }
-  return { credentialsAndOrigin, regionAndOrigin };
-};
-
-// src/lib/wtf/crypto.ts
-var import_client_kms2 = __toModule(require("@aws-sdk/client-kms"));
-var import_client_secrets_manager2 = __toModule(require("@aws-sdk/client-secrets-manager"));
-var import_client_ssm2 = __toModule(require("@aws-sdk/client-ssm"));
-var import_constant_case = __toModule(require("constant-case"));
-
-// src/utils/kms.ts
-var import_client_kms = __toModule(require("@aws-sdk/client-kms"));
-var getKMSClient = ({
-  configuration
-}) => {
-  const kmsClient = new import_client_kms.KMSClient(configuration);
-  return kmsClient;
-};
-var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
-  var _a, _b;
-  const describeKeyCommand = new import_client_kms.DescribeKeyCommand({
-    KeyId: awsKeyAlias
-  });
-  const describeKeyResult = await kmsClient.send(describeKeyCommand);
-  const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
-  if (encryptionAlgorithm === void 0) {
-    throw new Error(`Could not determine encryption algorithm`);
-  }
-  return encryptionAlgorithm;
-};
-
-// src/utils/secretsManager.ts
-var import_client_secrets_manager = __toModule(require("@aws-sdk/client-secrets-manager"));
-
-// src/utils/ssm.ts
-var import_client_ssm = __toModule(require("@aws-sdk/client-ssm"));
-
-// src/lib/wtf/types.ts
-var isString = (value) => {
-  return typeof value === "string";
-};
-var isNumber = (value) => {
-  return typeof value === "number";
-};
-var isBoolean = (value) => {
-  return typeof value === "boolean";
-};
-var isSSMParameter = (leafOrTree) => {
-  const ssmParameter = leafOrTree;
-  return typeof ssmParameter === "object" && ssmParameter !== null && "type" in ssmParameter && ssmParameter.type === "ssm";
-};
-var isRegularParameterObject = (value) => {
-  const regularParameter = value;
-  return typeof regularParameter === "object" && regularParameter !== null && "type" in regularParameter && regularParameter.type === "standard";
-};
-var isRegularParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return isString(leaf) || isNumber(leaf) || isBoolean(leaf) || isRegularParameterObject(leaf);
-};
-var isEncryptedSSMParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return leaf.type !== void 0 && leaf.type === "ssm" && leaf.encryptedValue !== void 0;
-};
-var isEncryptedRegularParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return leaf.type !== void 0 && leaf.type === "standard" && leaf.encryptedValue !== void 0;
-};
-var isSecretsManagerParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return leaf.type !== void 0 && leaf.type === "secretsManager" && !(isString(leaf) || isNumber(leaf) || isBoolean(leaf));
-};
-var isDotSecTree = (leafOrTree) => {
-  if (typeof leafOrTree === "object" && !Array.isArray(leafOrTree) && leafOrTree !== null && !isSSMParameter(leafOrTree) && !isRegularParameter(leafOrTree) && !isEncryptedSSMParameter(leafOrTree) && !isEncryptedRegularParameter(leafOrTree) && !isSecretsManagerParameter(leafOrTree)) {
-    return true;
-  }
-  return false;
-};
-
-// src/lib/wtf/flat.ts
-var flattenTree = (tree) => {
-  const lazy = {};
-  const innerParser = (leafOrTree, paths = []) => {
-    if (isDotSecTree(leafOrTree)) {
-      Object.entries(leafOrTree).map(([key, value]) => {
-        innerParser(value, [...paths, key]);
-      });
-    } else {
-      lazy[paths.join("/")] = leafOrTree;
-    }
-  };
-  innerParser(tree);
-  return lazy;
-};
-var flattenPlainText = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { plaintext: flattenTree(dotSec.plaintext) });
-};
-var flattenEncrypted = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { encrypted: flattenTree(dotSec.encrypted) });
-};
-var expandTree = (tree) => {
-  const lazy = {};
-  Object.entries(tree).map(([key, value]) => {
-    const paths = key.split("/");
-    let current = lazy;
-    paths.forEach((pathKey, index) => {
-      if (!current[pathKey]) {
-        if (index === paths.length - 1) {
-          current[pathKey] = value;
-        } else {
-          current[pathKey] = {};
-        }
-      }
-      current = current[pathKey];
-    });
-  });
-  return lazy;
-};
-var expandPlainText = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { plaintext: expandTree(dotSec.plaintext) });
-};
-var expandEncrypted = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { encrypted: expandTree(dotSec.encrypted) });
-};
-
-// src/lib/wtf/crypto.ts
-var maybeJson = (value) => {
-  try {
-    return JSON.parse(value);
-  } catch (e) {
-    return value;
-  }
-};
-var decryptedEncrypted = async (options) => {
-  var _a, _b;
-  const { dotSecEncrypted, credentials, region, verbose, keyAlias } = options;
-  const dotSecEncryptedFlattened = flattenEncrypted(dotSecEncrypted);
-  const { info, table } = getLogger();
-  const kmsClient = getKMSClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const awsKeyAlias = keyAlias || ((_b = (_a = dotSecEncrypted.config) == null ? void 0 : _a.aws) == null ? void 0 : _b.keyAlias);
-  if (!awsKeyAlias) {
-    throw new Error("No key alias specified");
-  }
-  if (verbose) {
-    info(`Encrypting using key alias ${emphasis(awsKeyAlias)} in ${emphasis(await kmsClient.config.region())}`);
-    const describeKeyCommand = new import_client_kms2.DescribeKeyCommand({
-      KeyId: awsKeyAlias
-    });
-    const describeKeyResult = await kmsClient.send(describeKeyCommand);
-    info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
-  }
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
-  const dotSecFlattened = {
-    config: __spreadValues({}, dotSecEncrypted.config),
-    plaintext: {}
-  };
-  for (const [key, encryptedValue] of Object.entries(dotSecEncryptedFlattened.encrypted)) {
-    const decryptCommand = new import_client_kms2.DecryptCommand({
-      KeyId: awsKeyAlias,
-      CiphertextBlob: Buffer.from(encryptedValue.encryptedValue, "base64"),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const decryptionResult = await kmsClient.send(decryptCommand);
-    if (!decryptionResult.Plaintext) {
-      throw new Error(`Something bad happened: ${JSON.stringify({
-        key,
-        cipherText: encryptedValue,
-        decryptCommand
-      })}`);
-    }
-    if (verbose) {
-      info(`Decrypting key ${emphasis(key)} ${strong("ok")}`);
-    }
-    const decryptedValue = Buffer.from(decryptionResult.Plaintext).toString();
-    const decryptedKeyValue = JSON.parse(decryptedValue);
-    dotSecFlattened.plaintext[key] = maybeJson(decryptedKeyValue.value);
-  }
-  return expandPlainText(dotSecFlattened);
-};
-var encryptPlainText = async (options) => {
-  var _a, _b;
-  const { dotSecPlainText, credentials, region, verbose, keyAlias } = options;
-  const dotSecFlattened = flattenPlainText(dotSecPlainText);
-  const { info } = getLogger();
-  const kmsClient = getKMSClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const awsKeyAlias = keyAlias || ((_b = (_a = dotSecFlattened.config) == null ? void 0 : _a.aws) == null ? void 0 : _b.keyAlias);
-  if (!awsKeyAlias) {
-    throw new Error("No key alias specified");
-  }
-  if (verbose) {
-    info(`Encrypting using key alias ${emphasis(awsKeyAlias)} in ${emphasis(await kmsClient.config.region())}`);
-    const describeKeyCommand = new import_client_kms2.DescribeKeyCommand({
-      KeyId: awsKeyAlias
-    });
-    const describeKeyResult = await kmsClient.send(describeKeyCommand);
-    info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
-  }
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
-  const encryptedDotSecFlattened = {
-    config: __spreadValues({}, dotSecFlattened.config),
-    encrypted: {}
-  };
-  for (const [key, plainTextValue] of Object.entries(dotSecFlattened.plaintext)) {
-    let plainTextValueCopy = plainTextValue;
-    if (typeof plainTextValueCopy !== "string" && typeof plainTextValueCopy !== "number" && typeof plainTextValueCopy !== "boolean") {
-      plainTextValueCopy = JSON.stringify(plainTextValue);
-    }
-    const damn = JSON.stringify({ key, value: plainTextValueCopy });
-    const encryptCommand = new import_client_kms2.EncryptCommand({
-      KeyId: awsKeyAlias,
-      Plaintext: Buffer.from(String(damn)),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const encryptionResult = await kmsClient.send(encryptCommand);
-    if (!encryptionResult.CiphertextBlob) {
-      throw new Error(`Something bad happened: ${JSON.stringify({
-        key,
-        value: plainTextValue,
-        encryptCommand
-      })}`);
-    }
-    if (verbose) {
-      info(`Encrypting key ${emphasis(key)} ${strong("ok")}`);
-    }
-    const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
-    if (isRegularParameter(plainTextValue)) {
-      encryptedDotSecFlattened.encrypted[key] = {
-        type: "standard",
-        encryptedValue: cipherText
-      };
-    } else if (isSSMParameter(plainTextValue)) {
-      encryptedDotSecFlattened.encrypted[key] = {
-        type: "ssm",
-        encryptedValue: cipherText
-      };
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      encryptedDotSecFlattened.encrypted[key] = {
-        type: "secretsManager",
-        encryptedValue: cipherText
-      };
-    }
-  }
-  return expandEncrypted(encryptedDotSecFlattened);
-};
-var decryptRawDotSecValues = async (options) => {
-  const { info } = getLogger();
-  const {
-    dotSecKeysValues: rawDotSec,
-    credentials,
-    region,
-    verbose,
-    keyAlias,
-    searchPath
-  } = options;
-  const kmsClient = getKMSClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const s = searchPath == null ? void 0 : searchPath.split(".").map((part) => `${(0, import_constant_case.constantCase)(part)}_`).join("");
-  const awsKeyAlias = keyAlias;
-  if (!keyAlias) {
-    throw new Error("No key alias specified");
-  }
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, keyAlias);
-  const dotEnvLines = [];
-  const filtered = s ? Object.fromEntries(Object.entries(rawDotSec).filter(([key]) => key.startsWith(s)).map(([key, value]) => [key.replace(s, ""), value])) : rawDotSec;
-  for (const [key, encryptedValue] of Object.entries(filtered)) {
-    const decryptCommand = new import_client_kms2.DecryptCommand({
-      KeyId: awsKeyAlias,
-      CiphertextBlob: Buffer.from(encryptedValue, "base64"),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const decryptionResult = await kmsClient.send(decryptCommand);
-    if (!decryptionResult.Plaintext) {
-      throw new Error(`Something bad happened: ${JSON.stringify({
-        key,
-        cipherText: encryptedValue,
-        decryptCommand
-      })}`);
-    }
-    if (verbose) {
-      info(`Decrypting key ${emphasis(key)} ${strong("ok")}`);
-    }
-    const decryptedValue = Buffer.from(decryptionResult.Plaintext).toString();
-    const parsedValue = JSON.parse(decryptedValue);
-    const stringOrJson = maybeJson(parsedValue.value);
-    if (isRegularParameter(stringOrJson)) {
-      if (isRegularParameterObject(stringOrJson)) {
-        dotEnvLines.push(`${key}=${JSON.stringify(stringOrJson.value)}`);
-      } else {
-        dotEnvLines.push(`${key}=${String(stringOrJson)}`);
-      }
-    } else if (isSSMParameter(stringOrJson)) {
-      dotEnvLines.push(`${key}=${JSON.stringify(stringOrJson.value)}`);
-    } else if (isSecretsManagerParameter(stringOrJson)) {
-      dotEnvLines.push(`${key}=${JSON.stringify(stringOrJson.value)}`);
-    }
-  }
-  return dotEnvLines.join("\n");
-};
-
-// src/lib/wtf/dotenv.ts
-var import_constant_case2 = __toModule(require("constant-case"));
-var fromPlainTextLeafsToEnvEntries = (leafs) => {
-  return Object.entries(leafs).map(([key, plainTextValue]) => {
-    const parts = key.split("/");
-    const dotEnvKeyPath = parts.map((k) => (0, import_constant_case2.constantCase)(k)).join("_");
-    let storageValue;
-    if (isRegularParameter(plainTextValue)) {
-      if (isRegularParameterObject(plainTextValue)) {
-        storageValue = plainTextValue.value;
-      } else {
-        storageValue = plainTextValue;
-      }
-    } else if (isSSMParameter(plainTextValue)) {
-      storageValue = plainTextValue.value;
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      storageValue = plainTextValue.value;
-    } else {
-      throw new Error("Invalid parameter type");
-    }
-    if (!isString(storageValue) && !isNumber(storageValue) && !isBoolean(storageValue)) {
-      storageValue = JSON.stringify(storageValue);
-    }
-    return `${dotEnvKeyPath}=${String(storageValue)}`;
-  });
-};
-var toDotEnv = (options) => {
-  const { info } = getLogger();
-  const { dotSecPlainText, searchPath, verbose } = options;
-  let tree = dotSecPlainText.plaintext;
-  if (searchPath) {
-    if (verbose) {
-      info(`Searching for path: ${strong(searchPath)}`);
-    }
-    const pathParts = searchPath.split("/");
-    for (const pathPart of pathParts) {
-      tree = tree[pathPart];
-      if (tree === void 0) {
-        throw new Error(`Invalid search path: '${searchPath}', part: '${pathPart}' could not be found`);
-      }
-    }
-  }
-  const flattenedTree = flattenTree(tree);
-  return fromPlainTextLeafsToEnvEntries(flattenedTree).join("\n");
-};
-
-// src/ds/commands/run.ts
-var run_default = (program2) => {
-  const subProgram = program2.command("run").description("run a command with the decrypted .sec file as environment variables: dotsec run --sec .sec command npm run start").summary(`Spawns a process with (decrypted) environment variables. 
-Works with .env, .sec, secrets.{json|yml|ts} and secrets.encrypted.{json|yml|ts}.
-
-Examples:
-
-// run npm start with .sec file
-dotsec run --sec .sec command npm start
-dotsec run command npm start
-
-
-// run npm start with .env file
-dotsec run --env .env command npm start
-
-
-// run npm start with secrets.json file 
-dotsec run --secrets secrets.json command npm start
-
-
-// run npm start with secrets.encrypted.json file
-dotsec run --encrypted-secrets secrets.encrypted.json command npm start
-`).option("--env <env>", "Run command with .env file").option("--sec <sec>", "Run command with .sec file").option("--secrets <secrets>", "Run command with secrets.json file").option("--encryptedSecrets,--encrypted-secrets <encryptedSecrets>", "Run command with encrypted.secrets.json file").option("--awsKeyAlias, --aws-key-alias <awsKeyAlias>").option("--awsRegion, --aws-region <awsRegion>").option("--searchPath, --search-path <searchPath>").action((_options, command) => {
-    command.help();
-  });
-  subProgram.command("command <command...>").allowUnknownOption().passThroughOptions().action(async (commands, _options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i;
-    const config = (_a = command.parent) == null ? void 0 : _a.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_b = command.parent) == null ? void 0 : _b.getOptionValue("verbose"));
-    const awsKeyAlias = ((_c = command.parent) == null ? void 0 : _c.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_d = command.parent) == null ? void 0 : _d.getOptionValue("awsRegion")) || config.aws.region;
-    const searchPath = (_e = command.parent) == null ? void 0 : _e.getOptionValue("searchPath");
-    const sec = (_f = command.parent) == null ? void 0 : _f.getOptionValue("sec");
-    const env = (_g = command.parent) == null ? void 0 : _g.getOptionValue("env");
-    console.log("awsKeyAlias", {
-      awsRegion,
-      awsKeyAlias,
-      searchPath,
-      sec,
-      env,
-      commands
-    });
-    const inputFiles = ["env", "sec", "secrets", "encryptedSecrets"].map((fileType) => {
-      var _a2;
-      const filename = (_a2 = command.parent) == null ? void 0 : _a2.getOptionValue(fileType);
-      if (filename) {
-        return [fileType, filename];
-      }
-    }).filter((v) => !!v);
-    let rawDotenv;
-    if (inputFiles.length <= 1) {
-      try {
-        const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-          argv: {},
-          env: __spreadValues({}, process.env)
-        });
-        const fileType = inputFiles.length === 0 ? "sec" : (_h = inputFiles[0]) == null ? void 0 : _h[0];
-        const filename = inputFiles.length === 0 ? ".sec" : (_i = inputFiles[0]) == null ? void 0 : _i[1];
-        console.log("filename", filename);
-        if (filename && fileType) {
-          const raw = import_node_fs.default.readFileSync(filename, "utf8");
-          if (fileType === "sec") {
-            rawDotenv = await decryptRawDotSecValues({
-              dotSecKeysValues: (0, import_dotenv.parse)(raw),
-              credentials: credentialsAndOrigin.value,
-              region: awsRegion || regionAndOrigin.value,
-              keyAlias: awsKeyAlias,
-              verbose,
-              searchPath
-            });
-          } else if (fileType === "env") {
-            rawDotenv = raw;
-          } else if (fileType === "secrets") {
-            const dotSecPlainText = JSON.parse(raw);
-            rawDotenv = toDotEnv({
-              dotSecPlainText,
-              verbose,
-              searchPath
-            });
-          } else if (fileType === "encryptedSecrets") {
-            rawDotenv = raw;
-            const dotSecEncrypted = JSON.parse(raw);
-            const dotSecPlainText = await decryptedEncrypted({
-              dotSecEncrypted,
-              credentials: credentialsAndOrigin.value,
-              region: awsRegion || regionAndOrigin.value,
-              keyAlias: awsKeyAlias,
-              verbose
-            });
-            rawDotenv = toDotEnv({
-              dotSecPlainText,
-              verbose,
-              searchPath
-            });
-          }
-        }
-        if (rawDotenv) {
-          const [userCommand, ...userCommandArgs] = commands;
-          const parsedDotEnv = (0, import_dotenv.parse)(rawDotenv);
-          (0, import_cross_spawn.default)(userCommand, [...userCommandArgs], {
-            stdio: "inherit",
-            shell: false,
-            env: __spreadProps(__spreadValues(__spreadValues({}, process.env), parsedDotEnv), {
-              __DOTSEC_VARS: JSON.stringify(Object.keys(parsedDotEnv))
-            })
-          });
-        }
-      } catch (e) {
-        if (e instanceof Error) {
-          console.error(e.message);
-          if (verbose) {
-            console.error(e.name, e.stack);
-          }
-        }
-      }
-    } else {
-      throw new import_commander.default.InvalidOptionArgumentError("Can only pick one of --sec. --env, --secrets or --encryptedSecrets");
-    }
-  });
-  return subProgram;
-};
-
-// src/ds/commands/encrypt.ts
-var import_node_fs2 = __toModule(require("node:fs"));
-var import_node_path2 = __toModule(require("node:path"));
-
-// src/utils/io.ts
-var import_promises = __toModule(require("fs/promises"));
-var import_prompts = __toModule(require("prompts"));
-var import_node_path = __toModule(require("node:path"));
-var fileExists = async (source) => {
-  try {
-    await (0, import_promises.stat)(source);
-    return true;
-  } catch {
-    return false;
-  }
-};
-var promptOverwriteIfFileExists = async ({
-  filePath,
-  skip
-}) => {
-  let overwriteResponse;
-  if (await fileExists(filePath) && skip !== true) {
-    overwriteResponse = await (0, import_prompts.default)({
-      type: "confirm",
-      name: "overwrite",
-      message: () => {
-        return `Overwrite './${import_node_path.default.relative(process.cwd(), filePath)}' ?`;
-      }
-    });
-  } else {
-    overwriteResponse = void 0;
-  }
-  return overwriteResponse;
-};
-
-// src/lib/wtf/dotsec.ts
-var import_constant_case3 = __toModule(require("constant-case"));
-var fromEncryptedLeafsToEnvEntries = (leafs) => {
-  return Object.entries(leafs).map(([key, plainTextValue]) => {
-    const parts = key.split("/");
-    const dotEnvKeyPath = parts.map((k) => (0, import_constant_case3.constantCase)(k)).join("_");
-    let storageValue;
-    if (isEncryptedRegularParameter(plainTextValue)) {
-      storageValue = plainTextValue.encryptedValue;
-    } else if (isEncryptedSSMParameter(plainTextValue)) {
-      storageValue = plainTextValue.encryptedValue;
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      storageValue = plainTextValue.encryptedValue;
-    } else {
-      throw new Error("Invalid parameter type");
-    }
-    return `${dotEnvKeyPath}=${String(storageValue)}`;
-  });
-};
-var toDotSec = (options) => {
-  const { info } = getLogger();
-  const { dotSecEncrypted, searchPath, verbose } = options;
-  let tree = dotSecEncrypted.encrypted;
-  if (searchPath) {
-    if (verbose) {
-      info(`Searching for path: ${strong(searchPath)}`);
-    }
-    const pathParts = searchPath.split("/");
-    for (const pathPart of pathParts) {
-      tree = tree[pathPart];
-    }
-  }
-  const flattenedTree = flattenTree(tree);
-  return fromEncryptedLeafsToEnvEntries(flattenedTree).join("\n");
-};
-
-// src/ds/commands/encrypt.ts
-var writeOut = async (options) => {
-  const { info } = getLogger();
-  const {
-    targetFile: encryptedSecretsPath,
-    converted,
-    skipPromptForOverride
-  } = options;
-  info(`target: ${strong(encryptedSecretsPath)}
-`);
-  info(prettyCode(converted));
-  info("\n");
-  const overwriteResponse = await promptOverwriteIfFileExists({
-    filePath: encryptedSecretsPath,
-    skip: skipPromptForOverride
-  });
-  if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-    import_node_fs2.default.writeFileSync(encryptedSecretsPath, converted);
-    info(`Wrote encrypted secrets to ${strong(`./${import_node_path2.default.relative(process.cwd(), encryptedSecretsPath)}`)}`);
-  }
-};
-var encrypt = async (options) => {
-  console.log("options", options);
-  const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-    argv: {},
-    env: __spreadValues({}, process.env)
-  });
-  const {
-    secrets,
-    awsKeyAlias,
-    awsRegion,
-    verbose,
-    encryptedSecrets,
-    sec,
-    skipPromptForOverride
-  } = options;
-  const dotSecPlainText = JSON.parse(import_node_fs2.default.readFileSync(secrets, "utf8"));
-  const dotSecEncrypted = await encryptPlainText({
-    dotSecPlainText,
-    credentials: credentialsAndOrigin.value,
-    region: awsRegion || regionAndOrigin.value,
-    keyAlias: awsKeyAlias,
-    verbose
-  });
-  if (encryptedSecrets) {
-    const targetFile = import_node_path2.default.resolve(process.cwd(), encryptedSecrets);
-    const converted = JSON.stringify(dotSecEncrypted, null, 2);
-    await writeOut({
-      targetFile,
-      converted,
-      skipPromptForOverride
-    });
-  } else if (sec) {
-    const dotSec = toDotSec({
-      dotSecEncrypted,
-      verbose
-    });
-    const targetFile = import_node_path2.default.resolve(process.cwd(), sec);
-    await writeOut({
-      targetFile,
-      converted: dotSec,
-      skipPromptForOverride
-    });
-  } else {
-    throw new Error("Must provide either encryptedSecrets or sec");
-  }
-};
-var encrypt_default = (program2) => {
-  const encryptProgram = program2.enablePositionalOptions().command("encrypt").option("--secrets [secrets]", "Run command with secrets.json file", "secrets.json").option("--awsKeyAlias, --aws-key-alias [awsKeyAlias]").option("--awsRegion, --aws-region [awsRegion]").usage("encrypt [--secrets secrets.json] [to]").summary("Encrypt secrets.json file").description("Encrypts secrets.json to secrets.encrypted.json.\n1123").action(async (_options, command) => {
-    const verbose = Boolean(command.getOptionValue("verbose"));
-    const secrets = command.getOptionValue("secrets");
-    const config = command.getOptionValue("dotsecConfig");
-    const awsKeyAlias = command.getOptionValue("awsKeyAlias") || config.aws.keyAlias;
-    const awsRegion = command.getOptionValue("awsRegion") || config.aws.region;
-    await encrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      encryptedSecrets: "encrypted.secrets.json",
-      skipPromptForOverride: false
-    });
-  });
-  const toProgram = encryptProgram.command("to").usage("[--encryptedSecrets [encrypted.secrets.json]] [--sec [.sec]]").summary("specifies encryption output format").action(async (_options, command) => {
-    command.help();
-  });
-  toProgram.command("dotsec").option("--sec, [sec]", "Target dotsec file", ".sec").action(async (_options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
-    const config = (_b = (_a = command.parent) == null ? void 0 : _a.parent) == null ? void 0 : _b.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_e = (_d = (_c = command.parent) == null ? void 0 : _c.parent) == null ? void 0 : _d.parent) == null ? void 0 : _e.getOptionValue("verbose"));
-    const secrets = (_g = (_f = command.parent) == null ? void 0 : _f.parent) == null ? void 0 : _g.getOptionValue("secrets");
-    const sec = command.getOptionValue("sec");
-    const awsKeyAlias = ((_j = (_i = (_h = command.parent) == null ? void 0 : _h.parent) == null ? void 0 : _i.parent) == null ? void 0 : _j.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_m = (_l = (_k = command.parent) == null ? void 0 : _k.parent) == null ? void 0 : _l.parent) == null ? void 0 : _m.getOptionValue("awsRegion")) || config.aws.region;
-    await encrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      sec,
-      skipPromptForOverride: false
-    });
-  });
-  toProgram.command("encryptedSecrets").option("--encryptedSecrets,--encrypted-secrets [encryptedSecrets]", "Target encrypted secrets file", "encrypted.secrets.json").action(async (_options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
-    const config = (_b = (_a = command.parent) == null ? void 0 : _a.parent) == null ? void 0 : _b.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_e = (_d = (_c = command.parent) == null ? void 0 : _c.parent) == null ? void 0 : _d.parent) == null ? void 0 : _e.getOptionValue("verbose"));
-    const secrets = (_g = (_f = command.parent) == null ? void 0 : _f.parent) == null ? void 0 : _g.getOptionValue("secrets");
-    const encryptedSecrets = command.getOptionValue("encryptedSecrets");
-    const awsKeyAlias = ((_j = (_i = (_h = command.parent) == null ? void 0 : _h.parent) == null ? void 0 : _i.parent) == null ? void 0 : _j.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_m = (_l = (_k = command.parent) == null ? void 0 : _k.parent) == null ? void 0 : _l.parent) == null ? void 0 : _m.getOptionValue("awsRegion")) || config.aws.region;
-    await encrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      encryptedSecrets,
-      skipPromptForOverride: false
-    });
-  });
-  return encryptProgram;
-};
-
-// src/ds/commands/decrypt.ts
-var import_node_fs3 = __toModule(require("node:fs"));
-var import_node_path3 = __toModule(require("node:path"));
-var writeOut2 = async (options) => {
-  const { info } = getLogger();
-  const {
-    targetFile: encryptedSecretsPath,
-    converted,
-    skipPromptForOverride
-  } = options;
-  info(`target: ${strong(encryptedSecretsPath)}
-`);
-  info(prettyCode(converted));
-  info("\n");
-  const overwriteResponse = await promptOverwriteIfFileExists({
-    filePath: encryptedSecretsPath,
-    skip: skipPromptForOverride
-  });
-  if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-    import_node_fs3.default.writeFileSync(encryptedSecretsPath, converted);
-    info(`Wrote encrypted secrets to ${strong(`./${import_node_path3.default.relative(process.cwd(), encryptedSecretsPath)}`)}`);
-  }
-};
-var decrypt = async (options) => {
-  console.log("options", options);
-  const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-    argv: {},
-    env: __spreadValues({}, process.env)
-  });
-  const {
-    secrets,
-    awsKeyAlias,
-    awsRegion,
-    verbose,
-    encryptedSecrets,
-    sec,
-    skipPromptForOverride
-  } = options;
-  const dotSecPlainText = JSON.parse(import_node_fs3.default.readFileSync(secrets, "utf8"));
-  const dotSecEncrypted = await encryptPlainText({
-    dotSecPlainText,
-    credentials: credentialsAndOrigin.value,
-    region: awsRegion || regionAndOrigin.value,
-    keyAlias: awsKeyAlias,
-    verbose
-  });
-  if (encryptedSecrets) {
-    const targetFile = import_node_path3.default.resolve(process.cwd(), encryptedSecrets);
-    const converted = JSON.stringify(dotSecEncrypted, null, 2);
-    await writeOut2({
-      targetFile,
-      converted,
-      skipPromptForOverride
-    });
-  } else if (sec) {
-    const dotSec = toDotSec({
-      dotSecEncrypted,
-      verbose
-    });
-    const targetFile = import_node_path3.default.resolve(process.cwd(), sec);
-    await writeOut2({
-      targetFile,
-      converted: dotSec,
-      skipPromptForOverride
-    });
-  } else {
-    throw new Error("Must provide either encryptedSecrets or sec");
-  }
-};
-var decrypt_default = (program2) => {
-  const encryptProgram = program2.enablePositionalOptions().command("decrypt").option("--secrets [secrets]", "Run command with secrets.json file", "secrets.json").option("--awsKeyAlias, --aws-key-alias [awsKeyAlias]").option("--awsRegion, --aws-region [awsRegion]").usage("encrypt [--secrets secrets.json] [to]").summary("Encrypt secrets.json file").description("Encrypts secrets.json to secrets.encrypted.json.\n1123").action(async (_options, command) => {
-    const verbose = Boolean(command.getOptionValue("verbose"));
-    const secrets = command.getOptionValue("secrets");
-    const config = command.getOptionValue("dotsecConfig");
-    const awsKeyAlias = command.getOptionValue("awsKeyAlias") || config.aws.keyAlias;
-    const awsRegion = command.getOptionValue("awsRegion") || config.aws.region;
-    await decrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      encryptedSecrets: "encrypted.secrets.json",
-      skipPromptForOverride: false
-    });
-  });
-  const toProgram = encryptProgram.command("to").usage("[--encryptedSecrets [encrypted.secrets.json]] [--sec [.sec]]").summary("specifies encryption output format").action(async (_options, command) => {
-    command.help();
-  });
-  toProgram.command("dotsec").option("--sec, [sec]", "Target dotsec file", ".sec").action(async (_options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
-    const config = (_b = (_a = command.parent) == null ? void 0 : _a.parent) == null ? void 0 : _b.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_e = (_d = (_c = command.parent) == null ? void 0 : _c.parent) == null ? void 0 : _d.parent) == null ? void 0 : _e.getOptionValue("verbose"));
-    const secrets = (_g = (_f = command.parent) == null ? void 0 : _f.parent) == null ? void 0 : _g.getOptionValue("secrets");
-    const sec = command.getOptionValue("sec");
-    const awsKeyAlias = ((_j = (_i = (_h = command.parent) == null ? void 0 : _h.parent) == null ? void 0 : _i.parent) == null ? void 0 : _j.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_m = (_l = (_k = command.parent) == null ? void 0 : _k.parent) == null ? void 0 : _l.parent) == null ? void 0 : _m.getOptionValue("awsRegion")) || config.aws.region;
-    await decrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      sec,
-      skipPromptForOverride: false
-    });
-  });
-  toProgram.command("encryptedSecrets").option("--encryptedSecrets,--encrypted-secrets [encryptedSecrets]", "Target encrypted secrets file", "encrypted.secrets.json").action(async (_options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
-    const config = (_b = (_a = command.parent) == null ? void 0 : _a.parent) == null ? void 0 : _b.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_e = (_d = (_c = command.parent) == null ? void 0 : _c.parent) == null ? void 0 : _d.parent) == null ? void 0 : _e.getOptionValue("verbose"));
-    const secrets = (_g = (_f = command.parent) == null ? void 0 : _f.parent) == null ? void 0 : _g.getOptionValue("secrets");
-    const encryptedSecrets = command.getOptionValue("encryptedSecrets");
-    const awsKeyAlias = ((_j = (_i = (_h = command.parent) == null ? void 0 : _h.parent) == null ? void 0 : _i.parent) == null ? void 0 : _j.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_m = (_l = (_k = command.parent) == null ? void 0 : _k.parent) == null ? void 0 : _l.parent) == null ? void 0 : _m.getOptionValue("awsRegion")) || config.aws.region;
-    await decrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      encryptedSecrets,
-      skipPromptForOverride: false
-    });
-  });
-  return encryptProgram;
-};
-
-// src/lib/config/index.ts
-var import_node_path5 = __toModule(require("node:path"));
-var import_bundle_require = __toModule(require("bundle-require"));
-var import_joycon = __toModule(require("joycon"));
-
-// src/lib/json.ts
-var import_fs = __toModule(require("fs"));
-var import_node_path4 = __toModule(require("node:path"));
-function jsoncParse(data) {
-  try {
-    return new Function("return " + data.trim())();
-  } catch {
-    return {};
-  }
-}
-var loadJson = async (filepath) => {
-  try {
-    return jsoncParse(await import_fs.default.promises.readFile(filepath, "utf8"));
-  } catch (error) {
-    if (error instanceof Error) {
-      throw new Error(`Failed to parse ${import_node_path4.default.relative(process.cwd(), filepath)}: ${error.message}`);
-    } else {
-      throw error;
-    }
-  }
-};
-
-// src/lib/config/constants.ts
-var defaultConfig = {
-  aws: {
-    keyAlias: "alias/top-secret"
-  }
-};
-
-// src/lib/config/index.ts
-var getConfig = async (filename) => {
-  const cwd = process.cwd();
-  const configJoycon = new import_joycon.default();
-  const configPath = await configJoycon.resolve({
-    files: filename ? [filename] : [
-      "dotsec.config.ts",
-      "dotsec.config.js",
-      "dotsec.config.cjs",
-      "dotsec.config.mjs",
-      "dotsec.config.json",
-      "package.json"
-    ],
-    cwd,
-    stopDir: import_node_path5.default.parse(cwd).root,
-    packageKey: "dotsec"
-  });
-  if (filename && configPath === null) {
-    throw new Error(`Could not find config file ${filename}`);
-  }
-  if (configPath) {
-    if (configPath.endsWith(".json")) {
-      const rawData = await loadJson(configPath);
-      let data;
-      if (configPath.endsWith("package.json") && rawData.dotsec !== void 0) {
-        data = rawData.dotsec;
-      } else {
-        data = rawData;
-      }
-      return __spreadProps(__spreadValues(__spreadValues({}, defaultConfig), data), {
-        aws: __spreadValues(__spreadValues({}, defaultConfig.aws), data.aws)
-      });
-    }
-    const config = await (0, import_bundle_require.bundleRequire)({
-      filepath: configPath
-    });
-    const retrievedConfig = config.mod.dotsec || config.mod.default || config.mod;
-    return __spreadValues(__spreadValues({}, defaultConfig), retrievedConfig);
-  }
-  return __spreadValues({}, defaultConfig);
-};
-
-// src/ds/cli.ts
-var program = new import_commander2.Command();
-program.name("dotsec").description(".env, but secure").version("1.0.0").enablePositionalOptions().option("--verbose").option("--config, <dotsec config file>").action((_options, other) => {
-  other.help();
-}).hook("preSubcommand", async (thisCommand, actionCommand) => {
-  const configfile = thisCommand.getOptionValue("config");
-  const dotsecConfig = await getConfig(configfile);
-  actionCommand.setOptionValue("dotsecConfig", dotsecConfig);
-  actionCommand.setOptionValue("verbose", Boolean(thisCommand.getOptionValue("verbose")));
-});
-run_default(program);
-encrypt_default(program);
-decrypt_default(program);
-program.parse();
-//# sourceMappingURL=cli.js.map