dotsec 1.0.0-alpha.2 → 1.0.0-alpha.20

package/dist/esm/cli.js

@@ -1,2245 +0,0 @@
-var __defProp = Object.defineProperty;
-var __defProps = Object.defineProperties;
-var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
-var __getOwnPropSymbols = Object.getOwnPropertySymbols;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __propIsEnum = Object.prototype.propertyIsEnumerable;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __spreadValues = (a, b) => {
-  for (var prop in b || (b = {}))
-    if (__hasOwnProp.call(b, prop))
-      __defNormalProp(a, prop, b[prop]);
-  if (__getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(b)) {
-      if (__propIsEnum.call(b, prop))
-        __defNormalProp(a, prop, b[prop]);
-    }
-  return a;
-};
-var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
-var __markAsModule = (target) => __defProp(target, "__esModule", { value: true });
-var __export = (target, all) => {
-  __markAsModule(target);
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
-// src/cli.ts
-import { hideBin } from "yargs/helpers";
-import yargs from "yargs/yargs";
-
-// src/commonCliOptions.ts
-var commonCliOptions = {
-  awsProfile: {
-    string: true,
-    describe: "AWS profile"
-  },
-  awsRegion: {
-    string: true,
-    describe: "AWS region"
-  },
-  awsKeyAlias: {
-    string: true,
-    describe: "AWS KMS key alias"
-  },
-  awsKeyArn: {
-    string: true,
-    describe: "AWS KMS key id"
-  },
-  awsKey: {
-    string: true,
-    describe: "AWS KMS key arn"
-  },
-  envFile: {
-    string: true,
-    describe: ".env file"
-  },
-  ignoreMissingEnvFile: {
-    boolean: true,
-    describe: `Don't halt on missing .env file`
-  },
-  secFile: {
-    string: true,
-    describe: ".sec file",
-    default: ".sec"
-  },
-  awsAssumeRoleArn: {
-    string: true,
-    describe: "arn or role to assume. Can also be set using the AWS_ASSUME_ROLE_ARN environment variable, or, when using --env-file in the target env file. The cli option overrides the environment variable."
-  },
-  awsAssumeRoleSessionDuration: {
-    number: true,
-    describe: "Duration of assume role sessions. Defaults to 3600 seconds. Can also be set using the AWS_ASSUME_ROLE_SESSION_DURATION environment variable, or, when using --env-file in the target env file. The cli option overrides the environment variable."
-  },
-  useTopLevelsAsEnvironments: {
-    boolean: true,
-    describe: "Use top level keys as environments"
-  },
-  verbose: {
-    boolean: true,
-    describe: "Be verbose"
-  },
-  encryptedSecretsFile: {
-    string: true,
-    describe: "filename of json file for reading encrypted secrets"
-  },
-  jsonFilter: {
-    string: true,
-    describe: "dot separated filter path, for example a.b.c will return { a: { b: { c: ... }}}"
-  },
-  searchpath: {
-    string: true,
-    describe: "search path in which to look for secrets tree"
-  },
-  yes: {
-    boolean: true,
-    describe: "Proceeds without confirmation"
-  },
-  dryRun: {
-    boolean: true,
-    describe: "Do a dry run"
-  }
-};
-
-// src/commands/convert.ts
-var convertModule = {
-  command: "convert",
-  describe: "does stuff",
-  builder: {
-    "env-file": commonCliOptions.envFile,
-    "search-path": commonCliOptions.searchpath,
-    "aws-profile": commonCliOptions.awsProfile,
-    "aws-region": commonCliOptions.awsRegion,
-    "aws-key-alias": commonCliOptions.awsKeyAlias,
-    "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-    "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-    "use-top-levels-as-environments": commonCliOptions.useTopLevelsAsEnvironments,
-    verbose: commonCliOptions.verbose,
-    yes: __spreadValues({}, commonCliOptions.yes)
-  },
-  handler: (a) => {
-    console.log(a.d);
-    console.log(a["env-file"]);
-  }
-};
-var convert_default = convertModule;
-
-// src/commands/defaultCommand.ts
-var defaultCommand_exports = {};
-__export(defaultCommand_exports, {
-  builder: () => builder,
-  command: () => command,
-  desc: () => desc,
-  handler: () => handler
-});
-import fs3 from "node:fs";
-import path5 from "node:path";
-import { KMSClient as KMSClient2, DecryptCommand } from "@aws-sdk/client-kms";
-import { redBright as redBright2 } from "chalk";
-import { constantCase } from "constant-case";
-import { spawn } from "cross-spawn";
-import { parse } from "dotenv";
-import flat from "flat";
-
-// src/lib/config-old/index.ts
-import path2 from "node:path";
-import { bundleRequire } from "bundle-require";
-import JoyCon from "joycon";
-
-// src/lib/json.ts
-import fs from "fs";
-import path from "node:path";
-function jsoncParse(data) {
-  try {
-    return new Function("return " + data.trim())();
-  } catch {
-    return {};
-  }
-}
-var loadJson = async (filepath) => {
-  try {
-    return jsoncParse(await fs.promises.readFile(filepath, "utf8"));
-  } catch (error) {
-    if (error instanceof Error) {
-      throw new Error(`Failed to parse ${path.relative(process.cwd(), filepath)}: ${error.message}`);
-    } else {
-      throw error;
-    }
-  }
-};
-
-// src/lib/config-old/constants.ts
-var defaultConfig = {
-  aws: {
-    keyAlias: "alias/top-secret"
-  }
-};
-
-// src/lib/config-old/index.ts
-var getConfig = async () => {
-  const cwd = process.cwd();
-  const configJoycon = new JoyCon();
-  const configPath = await configJoycon.resolve({
-    files: [
-      "dotsec.config.ts",
-      "dotsec.config.js",
-      "dotsec.config.cjs",
-      "dotsec.config.mjs",
-      "dotsec.config.json",
-      "package.json"
-    ],
-    cwd,
-    stopDir: path2.parse(cwd).root,
-    packageKey: "dotsec"
-  });
-  if (configPath) {
-    if (configPath.endsWith(".json")) {
-      const rawData = await loadJson(configPath);
-      let data;
-      if (configPath.endsWith("package.json") && rawData.dotsec !== void 0) {
-        data = rawData.dotsec;
-      } else {
-        data = rawData;
-      }
-      return __spreadProps(__spreadValues(__spreadValues({}, defaultConfig), data), {
-        aws: __spreadValues(__spreadValues({}, defaultConfig.aws), data.aws)
-      });
-    }
-    const config = await bundleRequire({
-      filepath: configPath
-    });
-    const retrievedConfig = config.mod.dotsec || config.mod.default || config.mod;
-    return __spreadValues(__spreadValues({}, defaultConfig), retrievedConfig);
-  }
-  return __spreadValues({}, defaultConfig);
-};
-
-// src/lib/encryptedSecrets.ts
-import fs2 from "fs";
-import path4 from "path";
-import { redBright } from "chalk";
-
-// src/utils/io.ts
-import { stat } from "fs/promises";
-import prompts from "prompts";
-import path3 from "node:path";
-var fileExists = async (source) => {
-  try {
-    await stat(source);
-    return true;
-  } catch {
-    return false;
-  }
-};
-var promptOverwriteIfFileExists = async ({
-  filePath,
-  skip
-}) => {
-  let overwriteResponse;
-  if (await fileExists(filePath) && skip !== true) {
-    overwriteResponse = await prompts({
-      type: "confirm",
-      name: "overwrite",
-      message: () => {
-        return `Overwrite './${path3.relative(process.cwd(), filePath)}' ?`;
-      }
-    });
-  } else {
-    overwriteResponse = void 0;
-  }
-  return overwriteResponse;
-};
-
-// src/lib/encryptedSecrets.ts
-var loadEncryptedSecrets = async ({
-  encryptedSecretsFile
-}) => {
-  const encryptedSecretsPath = path4.resolve(process.cwd(), encryptedSecretsFile);
-  if (!await fileExists(encryptedSecretsPath)) {
-    throw new Error(`Could not open ${redBright(encryptedSecretsPath)}`);
-  }
-  const encryptedSecrets = JSON.parse(fs2.readFileSync(encryptedSecretsPath, { encoding: "utf8" }));
-  if (!encryptedSecrets) {
-    throw new Error(`No encrypted secrets found in ${redBright(encryptedSecretsPath)}`);
-  }
-  if (!encryptedSecrets.encryptedParameters) {
-    throw new Error(`Expected 'encryptedParameters' property, but got none`);
-  }
-  return encryptedSecrets;
-};
-
-// src/utils/getCredentialsProfileRegion.ts
-import {
-  fromEnv,
-  fromIni,
-  fromTemporaryCredentials
-} from "@aws-sdk/credential-providers";
-import { loadSharedConfigFiles } from "@aws-sdk/shared-ini-file-loader";
-
-// src/utils/logger.ts
-import chalk from "chalk";
-import { highlight, plain } from "cli-highlight";
-var _logger;
-var getLogger = () => {
-  if (!_logger) {
-    _logger = console;
-  }
-  return _logger;
-};
-var emphasis = (str) => chalk.yellowBright(str);
-var strong = (str) => chalk.yellow.bold(str);
-var myTheme = {
-  attr: chalk.yellow.bold,
-  string: chalk.yellowBright.dim,
-  params: chalk.red,
-  deletion: chalk.red.strikethrough,
-  number: plain
-};
-var prettyCode = (str) => {
-  return highlight(str, { theme: myTheme });
-};
-
-// src/utils/getCredentialsProfileRegion.ts
-var getCredentialsProfileRegion = async ({
-  argv,
-  env
-}) => {
-  var _a, _b, _c;
-  const sharedConfigFiles = await loadSharedConfigFiles();
-  let credentialsAndOrigin = void 0;
-  let profileAndOrigin = void 0;
-  let regionAndOrigin = void 0;
-  if (argv.profile) {
-    profileAndOrigin = {
-      value: argv.profile,
-      origin: `command line option: ${emphasis(argv.profile)}`
-    };
-    credentialsAndOrigin = {
-      value: await fromIni({
-        profile: argv.profile
-      })(),
-      origin: `${emphasis(`[${argv.profile}]`)} in credentials file`
-    };
-  } else if (env.AWS_PROFILE) {
-    profileAndOrigin = {
-      value: env.AWS_PROFILE,
-      origin: `env variable ${emphasis("AWS_PROFILE")}: ${strong(env.AWS_PROFILE)}`
-    };
-    credentialsAndOrigin = {
-      value: await fromIni({
-        profile: env.AWS_PROFILE
-      })(),
-      origin: `env variable ${emphasis("AWS_PROFILE")}: ${strong(env.AWS_PROFILE)}`
-    };
-  } else if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
-    credentialsAndOrigin = {
-      value: await fromEnv()(),
-      origin: `env variables ${emphasis("AWS_ACCESS_KEY_ID")} and ${emphasis("AWS_SECRET_ACCESS_KEY")}`
-    };
-  } else if ((_a = sharedConfigFiles.credentialsFile) == null ? void 0 : _a.default) {
-    profileAndOrigin = {
-      value: "default",
-      origin: `${emphasis("[default]")} in credentials file`
-    };
-    credentialsAndOrigin = {
-      value: await fromIni({
-        profile: "default"
-      })(),
-      origin: `profile ${emphasis("[default]")}`
-    };
-  }
-  if (argv.region) {
-    regionAndOrigin = {
-      value: argv.region,
-      origin: `command line option: ${emphasis(argv.region)}`
-    };
-  } else if (env.AWS_REGION) {
-    regionAndOrigin = {
-      value: env.AWS_REGION,
-      origin: `env variable ${emphasis("AWS_REGION")}: ${strong(env.AWS_REGION)}`
-    };
-  } else if (env.AWS_DEFAULT_REGION) {
-    regionAndOrigin = {
-      value: env.AWS_DEFAULT_REGION,
-      origin: `env variable ${emphasis("AWS_DEFAULT_REGION")}: ${strong(env.AWS_DEFAULT_REGION)}`
-    };
-  } else if (profileAndOrigin) {
-    const foundRegion = (_c = (_b = sharedConfigFiles == null ? void 0 : sharedConfigFiles.configFile) == null ? void 0 : _b[profileAndOrigin.value]) == null ? void 0 : _c.region;
-    if (foundRegion) {
-      regionAndOrigin = {
-        value: foundRegion,
-        origin: `${emphasis(`[profile ${profileAndOrigin.value}]`)} in config file`
-      };
-    }
-  }
-  const assumedRole = argv.assumeRoleArn || env.AWS_ASSUME_ROLE_ARN;
-  if (assumedRole) {
-    const origin = argv.assumeRoleArn ? "command line option" : "env variable";
-    credentialsAndOrigin = {
-      value: await fromTemporaryCredentials({
-        masterCredentials: credentialsAndOrigin == null ? void 0 : credentialsAndOrigin.value,
-        params: {
-          DurationSeconds: argv.assumeRoleSessionDuration || Number(env.AWS_ASSUME_ROLE_SESSION_DURATION) || 3600,
-          RoleArn: assumedRole
-        },
-        clientConfig: {
-          region: regionAndOrigin == null ? void 0 : regionAndOrigin.value
-        }
-      })(),
-      origin: `${origin} ${emphasis(`[${assumedRole}]`)}`
-    };
-  }
-  return { credentialsAndOrigin, regionAndOrigin, profileAndOrigin };
-};
-var printVerboseCredentialsProfileRegion = ({
-  credentialsAndOrigin,
-  regionAndOrigin,
-  profileAndOrigin
-}) => {
-  const out = [];
-  if (profileAndOrigin) {
-    out.push(`Got profile name from ${profileAndOrigin.origin}`);
-  }
-  if (credentialsAndOrigin) {
-    out.push(`Resolved credentials from ${credentialsAndOrigin.origin}`);
-  }
-  if (regionAndOrigin) {
-    out.push(`Resolved region from ${regionAndOrigin.origin}`);
-  }
-  return out.join("\n");
-};
-
-// src/lib/partial-commands/handleCredentialsAndRegion.ts
-var handleCredentialsAndRegion = async ({
-  argv,
-  env
-}) => {
-  const { credentialsAndOrigin, regionAndOrigin, profileAndOrigin } = await getCredentialsProfileRegion({
-    argv: {
-      region: argv.awsRegion,
-      profile: argv.awsProfile,
-      assumeRoleArn: argv.awsAssumeRoleArn,
-      assumeRoleSessionDuration: argv.awsAssumeRoleSessionDuration
-    },
-    env: __spreadValues({}, env)
-  });
-  if (argv.verbose === true) {
-    console.log(printVerboseCredentialsProfileRegion({
-      credentialsAndOrigin,
-      regionAndOrigin,
-      profileAndOrigin
-    }));
-  }
-  if (!credentialsAndOrigin || !regionAndOrigin) {
-    if (!credentialsAndOrigin) {
-      console.error("Could not find credentials");
-      throw new Error("Could not find credentials");
-    }
-    if (!regionAndOrigin) {
-      console.error("Could not find region");
-      throw new Error("Could not find region");
-    }
-  }
-  return { credentialsAndOrigin, regionAndOrigin };
-};
-
-// src/utils/kms.ts
-import {
-  DescribeKeyCommand,
-  KMSClient
-} from "@aws-sdk/client-kms";
-var getKMSClient = ({
-  configuration
-}) => {
-  const kmsClient = new KMSClient(configuration);
-  return kmsClient;
-};
-var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
-  var _a, _b;
-  const describeKeyCommand = new DescribeKeyCommand({
-    KeyId: awsKeyAlias
-  });
-  const describeKeyResult = await kmsClient.send(describeKeyCommand);
-  const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
-  if (encryptionAlgorithm === void 0) {
-    throw new Error(`Could not determine encryption algorithm`);
-  }
-  return encryptionAlgorithm;
-};
-
-// src/commands/defaultCommand.ts
-var command = "$0 <command>";
-var desc = "Decrypts a .sec file, injects the results into a separate process and runs a command";
-var builder = {
-  "aws-profile": commonCliOptions.awsProfile,
-  "aws-region": commonCliOptions.awsRegion,
-  "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "sec-file": commonCliOptions.secFile,
-  "env-file": commonCliOptions.envFile,
-  "ignore-missing-env-file": commonCliOptions.ignoreMissingEnvFile,
-  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-  "encrypted-secrets-file": commonCliOptions.encryptedSecretsFile,
-  "json-filter": commonCliOptions.jsonFilter,
-  verbose: commonCliOptions.verbose,
-  command: { string: true, required: true }
-};
-var handleSec = async ({
-  secFile,
-  credentialsAndOrigin,
-  regionAndOrigin,
-  awsKeyAlias
-}) => {
-  const secSource = path5.resolve(process.cwd(), secFile);
-  if (!await fileExists(secSource)) {
-    console.error(`Could not open ${redBright2(secSource)}`);
-    return;
-  }
-  const parsedSec = parse(fs3.readFileSync(secSource, { encoding: "utf8" }));
-  const kmsClient = new KMSClient2({
-    credentials: credentialsAndOrigin.value,
-    region: regionAndOrigin.value
-  });
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
-  const envEntries = await Promise.all(Object.entries(parsedSec).map(async ([key, cipherText]) => {
-    const decryptCommand = new DecryptCommand({
-      KeyId: awsKeyAlias,
-      CiphertextBlob: Buffer.from(cipherText, "base64"),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const decryptionResult = await kmsClient.send(decryptCommand);
-    if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
-      throw new Error(`No: ${JSON.stringify({
-        key,
-        cipherText,
-        decryptCommand
-      })}`);
-    }
-    const value = Buffer.from(decryptionResult.Plaintext).toString();
-    return [key, value];
-  }));
-  const env = Object.fromEntries(envEntries);
-  return env;
-};
-var handleEncryptedJson = async ({
-  encryptedSecretsFile,
-  jsonFilter,
-  credentialsAndOrigin,
-  regionAndOrigin,
-  awsKeyAlias
-}) => {
-  const encryptedSecrets = await loadEncryptedSecrets({
-    encryptedSecretsFile
-  });
-  const flattened = flat.flatten(encryptedSecrets.encryptedParameters, {
-    delimiter: "__",
-    transformKey: (key) => {
-      return constantCase(key);
-    }
-  });
-  const kmsClient = new KMSClient2({
-    credentials: credentialsAndOrigin.value,
-    region: regionAndOrigin.value
-  });
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
-  const filterKey = jsonFilter == null ? void 0 : jsonFilter.split(".").map((part) => constantCase(part)).join("__");
-  const envEntries = await Promise.all(Object.entries(flattened).filter(([key]) => {
-    if (filterKey) {
-      return key.indexOf(filterKey) === 0;
-    }
-    return true;
-  }).map(async ([key, cipherText]) => {
-    const decryptCommand = new DecryptCommand({
-      KeyId: awsKeyAlias,
-      CiphertextBlob: Buffer.from(cipherText, "base64"),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const decryptionResult = await kmsClient.send(decryptCommand);
-    if (!(decryptionResult == null ? void 0 : decryptionResult.Plaintext)) {
-      throw new Error(`No: ${JSON.stringify({
-        key,
-        cipherText,
-        decryptCommand
-      })}`);
-    }
-    const value = Buffer.from(decryptionResult.Plaintext).toString();
-    return [key, value];
-  }));
-  const env = Object.fromEntries(envEntries);
-  return env;
-};
-var handler = async (argv) => {
-  const config = await getConfig();
-  try {
-    let env;
-    let awsEnv;
-    try {
-      if (argv.envFile) {
-        env = parse(fs3.readFileSync(argv.envFile, { encoding: "utf8" }));
-        if (argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) {
-          const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-            argv: __spreadProps(__spreadValues({}, argv), {
-              awsRegion: config.aws.region || argv.awsRegion,
-              awsProfile: config.aws.profile || argv.awsProfile,
-              awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-              awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-            }),
-            env: __spreadValues({}, process.env)
-          });
-          awsEnv = {
-            AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
-            AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey
-          };
-          if (credentialsAndOrigin.value.sessionToken) {
-            awsEnv.AWS_SESSION_TOKEN = credentialsAndOrigin.value.sessionToken;
-          }
-        }
-      } else {
-        const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-          argv: __spreadProps(__spreadValues({}, argv), {
-            awsRegion: config.aws.region || argv.awsRegion,
-            awsProfile: config.aws.profile || argv.awsProfile,
-            awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-            awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-          }),
-          env: __spreadValues({}, process.env)
-        });
-        if ((argv.awsAssumeRoleArn || process.env.AWS_ASSUME_ROLE_ARN || (env == null ? void 0 : env.AWS_ASSUME_ROLE_ARN)) && credentialsAndOrigin.value.sessionToken !== void 0) {
-          awsEnv = {
-            AWS_ACCESS_KEY_ID: credentialsAndOrigin.value.accessKeyId,
-            AWS_SECRET_ACCESS_KEY: credentialsAndOrigin.value.secretAccessKey,
-            AWS_SESSION_TOKEN: credentialsAndOrigin.value.sessionToken
-          };
-        }
-        if (argv.verbose) {
-          console.log({ credentialsAndOrigin, regionAndOrigin });
-        }
-        const awsKeyAlias = argv.awsKeyAlias || config.aws.keyAlias;
-        if (argv.encryptedSecretsFile) {
-          env = await handleEncryptedJson({
-            encryptedSecretsFile: argv.encryptedSecretsFile,
-            jsonFilter: argv.jsonFilter,
-            credentialsAndOrigin,
-            regionAndOrigin,
-            awsKeyAlias
-          });
-        } else {
-          env = await handleSec({
-            secFile: argv.secFile,
-            credentialsAndOrigin,
-            regionAndOrigin,
-            awsKeyAlias
-          });
-        }
-      }
-    } catch (e) {
-      if (argv.ignoreMissingEnvFile !== true) {
-        throw e;
-      }
-    }
-    const userCommandArgs = process.argv.slice(process.argv.indexOf(argv.command) + 1);
-    if (argv.command) {
-      spawn(argv.command, [...userCommandArgs], {
-        stdio: "inherit",
-        shell: false,
-        env: __spreadValues(__spreadValues(__spreadValues({}, process.env), awsEnv), env)
-      });
-    }
-  } catch (e) {
-    console.error(e);
-  }
-};
-
-// src/commands/dot-sec-to-dot-env.ts
-var dot_sec_to_dot_env_exports = {};
-__export(dot_sec_to_dot_env_exports, {
-  builder: () => builder2,
-  command: () => command2,
-  desc: () => desc2,
-  handler: () => handler2
-});
-import fs7 from "node:fs";
-import path9 from "node:path";
-import {
-  parse as parse2
-} from "dotenv";
-
-// src/lib/wtf/crypto.ts
-import {
-  DecryptCommand as DecryptCommand2,
-  DescribeKeyCommand as DescribeKeyCommand2,
-  EncryptCommand
-} from "@aws-sdk/client-kms";
-import {
-  CreateSecretCommand,
-  ListSecretsCommand,
-  PutSecretValueCommand
-} from "@aws-sdk/client-secrets-manager";
-import {
-  ParameterTier,
-  ParameterType,
-  PutParameterCommand
-} from "@aws-sdk/client-ssm";
-import { constantCase as constantCase2 } from "constant-case";
-
-// src/utils/secretsManager.ts
-import {
-  SecretsManagerClient
-} from "@aws-sdk/client-secrets-manager";
-var getSecretsManagerClient = ({
-  configuration
-}) => {
-  const secretsManagerClient = new SecretsManagerClient(configuration);
-  return secretsManagerClient;
-};
-
-// src/utils/ssm.ts
-import { SSMClient } from "@aws-sdk/client-ssm";
-var getSSMClient = ({
-  configuration
-}) => {
-  const ssmClient = new SSMClient(configuration);
-  return ssmClient;
-};
-
-// src/lib/wtf/types.ts
-var isString = (value) => {
-  return typeof value === "string";
-};
-var isNumber = (value) => {
-  return typeof value === "number";
-};
-var isBoolean = (value) => {
-  return typeof value === "boolean";
-};
-var isSSMParameter = (leafOrTree) => {
-  const ssmParameter = leafOrTree;
-  return typeof ssmParameter === "object" && ssmParameter !== null && "type" in ssmParameter && ssmParameter.type === "ssm";
-};
-var isRegularParameterObject = (value) => {
-  const regularParameter = value;
-  return typeof regularParameter === "object" && regularParameter !== null && "type" in regularParameter && regularParameter.type === "standard";
-};
-var isRegularParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return isString(leaf) || isNumber(leaf) || isBoolean(leaf) || isRegularParameterObject(leaf);
-};
-var isEncryptedSSMParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return leaf.type !== void 0 && leaf.type === "ssm" && leaf.encryptedValue !== void 0;
-};
-var isEncryptedRegularParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return leaf.type !== void 0 && leaf.type === "standard" && leaf.encryptedValue !== void 0;
-};
-var isSecretsManagerParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return leaf.type !== void 0 && leaf.type === "secretsManager" && !(isString(leaf) || isNumber(leaf) || isBoolean(leaf));
-};
-var isDotSecTree = (leafOrTree) => {
-  if (typeof leafOrTree === "object" && !Array.isArray(leafOrTree) && leafOrTree !== null && !isSSMParameter(leafOrTree) && !isRegularParameter(leafOrTree) && !isEncryptedSSMParameter(leafOrTree) && !isEncryptedRegularParameter(leafOrTree) && !isSecretsManagerParameter(leafOrTree)) {
-    return true;
-  }
-  return false;
-};
-
-// src/lib/wtf/flat.ts
-var flattenTree = (tree) => {
-  const lazy = {};
-  const innerParser = (leafOrTree, paths = []) => {
-    if (isDotSecTree(leafOrTree)) {
-      Object.entries(leafOrTree).map(([key, value]) => {
-        innerParser(value, [...paths, key]);
-      });
-    } else {
-      lazy[paths.join("/")] = leafOrTree;
-    }
-  };
-  innerParser(tree);
-  return lazy;
-};
-var flattenPlainText = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { plaintext: flattenTree(dotSec.plaintext) });
-};
-var flattenEncrypted = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { encrypted: flattenTree(dotSec.encrypted) });
-};
-var expandTree = (tree) => {
-  const lazy = {};
-  Object.entries(tree).map(([key, value]) => {
-    const paths = key.split("/");
-    let current = lazy;
-    paths.forEach((pathKey, index) => {
-      if (!current[pathKey]) {
-        if (index === paths.length - 1) {
-          current[pathKey] = value;
-        } else {
-          current[pathKey] = {};
-        }
-      }
-      current = current[pathKey];
-    });
-  });
-  return lazy;
-};
-var expandPlainText = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { plaintext: expandTree(dotSec.plaintext) });
-};
-var expandEncrypted = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { encrypted: expandTree(dotSec.encrypted) });
-};
-
-// src/lib/wtf/crypto.ts
-var maybeJson = (value) => {
-  try {
-    return JSON.parse(value);
-  } catch (e) {
-    return value;
-  }
-};
-var decryptedEncrypted = async (options) => {
-  var _a, _b;
-  const { dotSecEncrypted, credentials, region, verbose, keyAlias } = options;
-  const dotSecEncryptedFlattened = flattenEncrypted(dotSecEncrypted);
-  const { info, table } = getLogger();
-  const kmsClient = getKMSClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const awsKeyAlias = keyAlias || ((_b = (_a = dotSecEncrypted.config) == null ? void 0 : _a.aws) == null ? void 0 : _b.keyAlias);
-  if (!awsKeyAlias) {
-    throw new Error("No key alias specified");
-  }
-  if (verbose) {
-    info(`Encrypting using key alias ${emphasis(awsKeyAlias)} in ${emphasis(await kmsClient.config.region())}`);
-    const describeKeyCommand = new DescribeKeyCommand2({
-      KeyId: awsKeyAlias
-    });
-    const describeKeyResult = await kmsClient.send(describeKeyCommand);
-    info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
-  }
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
-  const dotSecFlattened = {
-    config: __spreadValues({}, dotSecEncrypted.config),
-    plaintext: {}
-  };
-  for (const [key, encryptedValue] of Object.entries(dotSecEncryptedFlattened.encrypted)) {
-    const decryptCommand = new DecryptCommand2({
-      KeyId: awsKeyAlias,
-      CiphertextBlob: Buffer.from(encryptedValue.encryptedValue, "base64"),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const decryptionResult = await kmsClient.send(decryptCommand);
-    if (!decryptionResult.Plaintext) {
-      throw new Error(`Something bad happened: ${JSON.stringify({
-        key,
-        cipherText: encryptedValue,
-        decryptCommand
-      })}`);
-    }
-    if (verbose) {
-      info(`Decrypting key ${emphasis(key)} ${strong("ok")}`);
-    }
-    const decryptedValue = Buffer.from(decryptionResult.Plaintext).toString();
-    const decryptedKeyValue = JSON.parse(decryptedValue);
-    dotSecFlattened.plaintext[key] = maybeJson(decryptedKeyValue.value);
-  }
-  return expandPlainText(dotSecFlattened);
-};
-var encryptPlainText = async (options) => {
-  var _a, _b;
-  const { dotSecPlainText, credentials, region, verbose, keyAlias } = options;
-  const dotSecFlattened = flattenPlainText(dotSecPlainText);
-  const { info } = getLogger();
-  const kmsClient = getKMSClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const awsKeyAlias = keyAlias || ((_b = (_a = dotSecFlattened.config) == null ? void 0 : _a.aws) == null ? void 0 : _b.keyAlias);
-  if (!awsKeyAlias) {
-    throw new Error("No key alias specified");
-  }
-  if (verbose) {
-    info(`Encrypting using key alias ${emphasis(awsKeyAlias)} in ${emphasis(await kmsClient.config.region())}`);
-    const describeKeyCommand = new DescribeKeyCommand2({
-      KeyId: awsKeyAlias
-    });
-    const describeKeyResult = await kmsClient.send(describeKeyCommand);
-    info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
-  }
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
-  const encryptedDotSecFlattened = {
-    config: __spreadValues({}, dotSecFlattened.config),
-    encrypted: {}
-  };
-  for (const [key, plainTextValue] of Object.entries(dotSecFlattened.plaintext)) {
-    let plainTextValueCopy = plainTextValue;
-    if (typeof plainTextValueCopy !== "string" && typeof plainTextValueCopy !== "number" && typeof plainTextValueCopy !== "boolean") {
-      plainTextValueCopy = JSON.stringify(plainTextValue);
-    }
-    const damn = JSON.stringify({ key, value: plainTextValueCopy });
-    const encryptCommand = new EncryptCommand({
-      KeyId: awsKeyAlias,
-      Plaintext: Buffer.from(String(damn)),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const encryptionResult = await kmsClient.send(encryptCommand);
-    if (!encryptionResult.CiphertextBlob) {
-      throw new Error(`Something bad happened: ${JSON.stringify({
-        key,
-        value: plainTextValue,
-        encryptCommand
-      })}`);
-    }
-    if (verbose) {
-      info(`Encrypting key ${emphasis(key)} ${strong("ok")}`);
-    }
-    const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
-    if (isRegularParameter(plainTextValue)) {
-      encryptedDotSecFlattened.encrypted[key] = {
-        type: "standard",
-        encryptedValue: cipherText
-      };
-    } else if (isSSMParameter(plainTextValue)) {
-      encryptedDotSecFlattened.encrypted[key] = {
-        type: "ssm",
-        encryptedValue: cipherText
-      };
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      encryptedDotSecFlattened.encrypted[key] = {
-        type: "secretsManager",
-        encryptedValue: cipherText
-      };
-    }
-  }
-  return expandEncrypted(encryptedDotSecFlattened);
-};
-var createStorePlaintextTasks = async (options) => {
-  var _a, _b, _c, _d, _e, _f, _g, _h;
-  const { dotSecPlainText, credentials, region, verbose, keyAlias } = options;
-  const dotSecPlainTextFlattened = flattenPlainText(dotSecPlainText);
-  const { info } = getLogger();
-  const ssmClient = getSSMClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const secretsManagerClient = getSecretsManagerClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const secretNameArnTuples = (_b = (_a = await secretsManagerClient.send(new ListSecretsCommand({}))) == null ? void 0 : _a.SecretList) == null ? void 0 : _b.map((secret) => [secret.Name, secret.ARN]).filter(([name, ARN]) => name && ARN);
-  const existingSecrets = secretNameArnTuples ? Object.fromEntries(secretNameArnTuples) : {};
-  const awsKeyAlias = keyAlias || ((_d = (_c = dotSecPlainText.config) == null ? void 0 : _c.aws) == null ? void 0 : _d.keyAlias);
-  if (!awsKeyAlias) {
-    throw new Error(`No key alias specified`);
-  }
-  if (verbose) {
-    info(`Encrypting to SSM and/or SecretsManager in ${emphasis(region)}`);
-  }
-  const putParameterCommands = [];
-  const createSecretCommands = [];
-  const putSecretValueCommands = [];
-  for (const [keyPath, plainTextValue] of Object.entries(dotSecPlainTextFlattened.plaintext)) {
-    let storageValue;
-    if (isRegularParameter(plainTextValue)) {
-      if (isRegularParameterObject(plainTextValue)) {
-        storageValue = plainTextValue.value;
-      } else {
-        storageValue = plainTextValue;
-      }
-    } else if (isSSMParameter(plainTextValue)) {
-      storageValue = plainTextValue.value;
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      storageValue = plainTextValue.value;
-    } else {
-      throw new Error("Invalid parameter type");
-    }
-    if (!isString(storageValue) && !isNumber(storageValue) && !isBoolean(storageValue)) {
-      storageValue = JSON.stringify(storageValue);
-    }
-    if (isSSMParameter(plainTextValue) || isRegularParameter(plainTextValue) && ((_e = dotSecPlainText.config) == null ? void 0 : _e.standardParameterStorageType) === "ssm" && (isRegularParameterObject(plainTextValue) ? plainTextValue.dontStore !== true : true)) {
-      let parameterTier = ParameterTier.STANDARD;
-      let parameterType = ParameterType.STRING;
-      let description;
-      if (isSSMParameter(plainTextValue)) {
-        if ((_f = plainTextValue == null ? void 0 : plainTextValue.ssm) == null ? void 0 : _f.tier) {
-          parameterTier = plainTextValue.ssm.tier;
-        }
-        if ((_g = plainTextValue == null ? void 0 : plainTextValue.ssm) == null ? void 0 : _g.type) {
-          parameterType = plainTextValue.ssm.type;
-        }
-        if (plainTextValue == null ? void 0 : plainTextValue.description) {
-          description = plainTextValue.description;
-        }
-      }
-      const putParameterCommand = new PutParameterCommand({
-        Name: `/${keyPath}`,
-        Value: String(storageValue),
-        Type: parameterType,
-        Tier: parameterTier,
-        Description: description,
-        Overwrite: true
-      });
-      putParameterCommands.push(putParameterCommand);
-    } else if (isSecretsManagerParameter(plainTextValue) || isRegularParameter(plainTextValue) && ((_h = dotSecPlainText.config) == null ? void 0 : _h.standardParameterStorageType) === "secretsManager" && (isRegularParameterObject(plainTextValue) ? plainTextValue.dontStore !== true : true)) {
-      const existingSecretARN = existingSecrets[keyPath];
-      if (!existingSecretARN) {
-        const createSecretCommand = new CreateSecretCommand({
-          Name: keyPath,
-          SecretString: String(storageValue)
-        });
-        createSecretCommands.push(createSecretCommand);
-      } else {
-        const putSecretCommand = new PutSecretValueCommand({
-          SecretId: existingSecretARN,
-          SecretString: String(storageValue)
-        });
-        putSecretValueCommands.push(putSecretCommand);
-      }
-    }
-  }
-  return {
-    total: putParameterCommands.length + createSecretCommands.length + putSecretValueCommands.length,
-    putParameterCommands,
-    createSecretCommands,
-    putSecretValueCommands
-  };
-};
-var executeStorePlainTextTasks = async (options) => {
-  const { credentials, region, verbose, tasks } = options;
-  const { info } = getLogger();
-  const ssmClient = getSSMClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const secretsManagerClient = getSecretsManagerClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  for (const putParameterCommand of tasks.putParameterCommands) {
-    process.stdout.write(`Storing SSM parameter ${emphasis(putParameterCommand.input.Name || "<unnamed> ")}... `);
-    await ssmClient.send(putParameterCommand);
-    process.stdout.write(`done
-`);
-  }
-  for (const createSecretCommand of tasks.createSecretCommands) {
-    process.stdout.write(`Creating Secret ${emphasis(createSecretCommand.input.Name || "<unnamed> ")}... `);
-    await secretsManagerClient.send(createSecretCommand);
-    process.stdout.write(`done
-`);
-  }
-  for (const putSecretValueCommand of tasks.putSecretValueCommands) {
-    process.stdout.write(`Updating Secret ${emphasis(putSecretValueCommand.input.SecretId || "<unknown id> ")}... `);
-    await secretsManagerClient.send(putSecretValueCommand);
-    process.stdout.write(`done
-`);
-  }
-};
-var prettyPrintTasks = (tasks) => {
-  const { info, table } = getLogger();
-  const { putParameterCommands, createSecretCommands, putSecretValueCommands } = tasks;
-  const ssmTasks = putParameterCommands.map((command10) => {
-    return {
-      name: command10.input.Name,
-      description: command10.input.Description || "<no description>",
-      tier: command10.input.Tier,
-      type: command10.input.Type,
-      value: command10.input.Value
-    };
-  });
-  info(emphasis(`AWS Systems Manager > Parameter Store: create or update`));
-  table(ssmTasks);
-  const createSecretTasks = createSecretCommands.map((command10) => {
-    return {
-      secretName: command10.input.Name,
-      description: command10.input.Description || "<no description>",
-      value: "**** redacted ****>"
-    };
-  });
-  if (createSecretTasks.length) {
-    info(emphasis(`AWS Secrets Manager Secrets: create`));
-    table(createSecretTasks);
-  }
-  const updateSecretTasks = putSecretValueCommands.map((command10) => {
-    return {
-      secretName: command10.input.SecretId,
-      value: "**** redacted ****>"
-    };
-  });
-  if (updateSecretTasks.length) {
-    info(emphasis(`AWS Secrets Manager Secrets: update`));
-    table(updateSecretTasks);
-  }
-};
-var decryptRawDotSecValues = async (options) => {
-  const { info } = getLogger();
-  const {
-    dotSecKeysValues: rawDotSec,
-    credentials,
-    region,
-    verbose,
-    keyAlias,
-    searchPath
-  } = options;
-  const kmsClient = getKMSClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const s = searchPath == null ? void 0 : searchPath.split(".").map((part) => `${constantCase2(part)}_`).join("");
-  const awsKeyAlias = keyAlias;
-  if (!keyAlias) {
-    throw new Error("No key alias specified");
-  }
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, keyAlias);
-  const dotEnvLines = [];
-  const filtered = s ? Object.fromEntries(Object.entries(rawDotSec).filter(([key]) => key.startsWith(s)).map(([key, value]) => [key.replace(s, ""), value])) : rawDotSec;
-  for (const [key, encryptedValue] of Object.entries(filtered)) {
-    const decryptCommand = new DecryptCommand2({
-      KeyId: awsKeyAlias,
-      CiphertextBlob: Buffer.from(encryptedValue, "base64"),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const decryptionResult = await kmsClient.send(decryptCommand);
-    if (!decryptionResult.Plaintext) {
-      throw new Error(`Something bad happened: ${JSON.stringify({
-        key,
-        cipherText: encryptedValue,
-        decryptCommand
-      })}`);
-    }
-    if (verbose) {
-      info(`Decrypting key ${emphasis(key)} ${strong("ok")}`);
-    }
-    const decryptedValue = Buffer.from(decryptionResult.Plaintext).toString();
-    const parsedValue = JSON.parse(decryptedValue);
-    const stringOrJson = maybeJson(parsedValue.value);
-    if (isRegularParameter(stringOrJson)) {
-      if (isRegularParameterObject(stringOrJson)) {
-        dotEnvLines.push(`${key}=${JSON.stringify(stringOrJson.value)}`);
-      } else {
-        dotEnvLines.push(`${key}=${String(stringOrJson)}`);
-      }
-    } else if (isSSMParameter(stringOrJson)) {
-      dotEnvLines.push(`${key}=${JSON.stringify(stringOrJson.value)}`);
-    } else if (isSecretsManagerParameter(stringOrJson)) {
-      dotEnvLines.push(`${key}=${JSON.stringify(stringOrJson.value)}`);
-    }
-  }
-  return dotEnvLines.join("\n");
-};
-
-// src/lib/wtf/io.ts
-import fs6 from "node:fs";
-import path8 from "node:path";
-import { bundleRequire as bundleRequire2 } from "bundle-require";
-import JoyCon2 from "joycon";
-
-// src/lib/wtf/json.ts
-import fs4 from "fs";
-import path6 from "node:path";
-function jsoncParse2(data) {
-  try {
-    return new Function("return " + data.trim())();
-  } catch {
-    return {};
-  }
-}
-var loadJson2 = async (filepath) => {
-  try {
-    return jsoncParse2(await fs4.promises.readFile(filepath, "utf8"));
-  } catch (error) {
-    if (error instanceof Error) {
-      throw new Error(`Failed to parse ${path6.relative(process.cwd(), filepath)}: ${error.message}`);
-    } else {
-      throw error;
-    }
-  }
-};
-
-// src/lib/wtf/yaml.ts
-import fs5 from "fs";
-import path7 from "node:path";
-import YAML from "yaml";
-var loadYml = async (filepath) => {
-  try {
-    return YAML.parse(await fs5.promises.readFile(filepath, "utf8"));
-  } catch (error) {
-    if (error instanceof Error) {
-      throw new Error(`Failed to parse ${path7.relative(process.cwd(), filepath)}: ${error.message}`);
-    } else {
-      throw error;
-    }
-  }
-};
-
-// src/lib/wtf/io.ts
-var getDotSecPlainText = async ({
-  defaultConfig: defaultConfig2,
-  options
-}) => {
-  var _a, _b, _c, _d, _e, _f;
-  const { info } = getLogger();
-  const { filename, verbose } = options || {};
-  const cwd = process.cwd();
-  const configJoycon = new JoyCon2();
-  const files = filename ? [filename] : [
-    "secrets.json",
-    "secrets.yaml",
-    "secrets.yml",
-    "secrets.ts"
-  ];
-  if (verbose) {
-    info(`Looking for file(s) with the following signature(s): ${strong(files.join(", "))}`);
-  }
-  const configPath = await configJoycon.resolve({
-    files,
-    cwd,
-    stopDir: path8.parse(cwd).root,
-    packageKey: "secrets"
-  });
-  if (configPath) {
-    if (verbose) {
-      info(`Found plaintext secrets at ${strong(configPath)}`);
-    }
-    let configType;
-    let data;
-    if (configPath.endsWith(".json")) {
-      configType = "json";
-      data = await loadJson2(configPath);
-    } else if (configPath.endsWith(".yaml") || configPath.endsWith(".yml")) {
-      configType = "yml";
-      data = await loadYml(configPath);
-    } else if (configPath.endsWith(".ts")) {
-      const bundleRequireResult = await bundleRequire2({
-        filepath: configPath
-      });
-      configType = "ts";
-      data = bundleRequireResult.mod.dotsec || bundleRequireResult.mod.default || bundleRequireResult.mod;
-    }
-    if (!configType) {
-      throw new Error(`Expected configType, but got none`);
-    }
-    if (!data) {
-      throw new Error(`Expected data, but got none`);
-    }
-    const validatedConfig = {
-      config: __spreadProps(__spreadValues({}, data.config), {
-        aws: {
-          regions: ((_b = (_a = data == null ? void 0 : data.config) == null ? void 0 : _a.aws) == null ? void 0 : _b.regions) && Array.isArray((_d = (_c = data == null ? void 0 : data.config) == null ? void 0 : _c.aws) == null ? void 0 : _d.regions) ? data.config.aws.regions : defaultConfig2.config.aws.regions,
-          keyAlias: ((_f = (_e = data == null ? void 0 : data.config) == null ? void 0 : _e.aws) == null ? void 0 : _f.keyAlias) || defaultConfig2.config.aws.keyAlias
-        }
-      })
-    };
-    return {
-      fileType: configType,
-      path: configPath,
-      dotSecPlainText: __spreadValues(__spreadValues({}, data), validatedConfig)
-    };
-  }
-  throw new Error("No secrets file found");
-};
-var getDotSecEncrypted = async ({
-  defaultConfig: defaultConfig2,
-  options
-}) => {
-  var _a, _b, _c, _d, _e, _f;
-  const { filename, verbose } = options || {};
-  const cwd = process.cwd();
-  const configJoycon = new JoyCon2();
-  const configPath = await configJoycon.resolve({
-    files: filename ? [filename] : [
-      "secrets.encrypted.json",
-      "secrets.encrypted.yaml",
-      "secrets.encrypted.yml",
-      "secrets.encrypted.ts"
-    ],
-    cwd,
-    stopDir: path8.parse(cwd).root,
-    packageKey: "secrets"
-  });
-  if (configPath) {
-    if (verbose) {
-      console.log(`Found encrypted secrets file at ${configPath}`);
-    }
-    let configType;
-    let data;
-    if (configPath.endsWith(".json")) {
-      configType = "json";
-      data = await loadJson2(configPath);
-    } else if (configPath.endsWith(".yaml") || configPath.endsWith(".yml")) {
-      configType = path8.parse(configPath).ext.substring(1);
-      data = await loadYml(configPath);
-    }
-    if (!configType) {
-      throw new Error(`Config file ${configPath} is not supported`);
-    }
-    if (!data) {
-      throw new Error("Did not find any data");
-    }
-    const validatedConfig = {
-      config: __spreadProps(__spreadValues({}, data.config), {
-        aws: {
-          regions: ((_b = (_a = data == null ? void 0 : data.config) == null ? void 0 : _a.aws) == null ? void 0 : _b.regions) && Array.isArray((_d = (_c = data == null ? void 0 : data.config) == null ? void 0 : _c.aws) == null ? void 0 : _d.regions) ? data.config.aws.regions : defaultConfig2.config.aws.regions,
-          keyAlias: ((_f = (_e = data == null ? void 0 : data.config) == null ? void 0 : _e.aws) == null ? void 0 : _f.keyAlias) || defaultConfig2.config.aws.keyAlias
-        }
-      })
-    };
-    return {
-      fileType: configType,
-      path: configPath,
-      dotSecEncrypted: __spreadValues(__spreadValues({}, data), validatedConfig)
-    };
-  }
-  throw new Error("No encrypted secrets file found");
-};
-var loadFile = async (filepath) => {
-  try {
-    return await fs6.promises.readFile(filepath, "utf8");
-  } catch (error) {
-    if (error instanceof Error) {
-      throw new Error(`Failed to parse ${path8.relative(process.cwd(), filepath)}: ${error.message}`);
-    } else {
-      throw error;
-    }
-  }
-};
-
-// src/commands/dot-sec-to-dot-env.ts
-var command2 = "dot-sec-to-dot-env";
-var desc2 = `Creates .env file from a .sec file.`;
-var builder2 = {
-  "sec-file": commonCliOptions.secFile,
-  "env-file": commonCliOptions.envFile,
-  "aws-profile": commonCliOptions.awsProfile,
-  "aws-region": commonCliOptions.awsRegion,
-  "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-  "use-top-levels-as-environments": commonCliOptions.useTopLevelsAsEnvironments,
-  verbose: commonCliOptions.verbose,
-  yes: __spreadValues({}, commonCliOptions.yes)
-};
-var handler2 = async (argv) => {
-  const config = await getConfig();
-  const { error } = getLogger();
-  try {
-    const defaultRegion = config.aws.region || argv.awsRegion;
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-      argv: __spreadProps(__spreadValues({}, argv), {
-        awsRegion: defaultRegion,
-        awsProfile: config.aws.profile || argv.awsProfile,
-        awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-        awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-      }),
-      env: __spreadValues({}, process.env)
-    });
-    const dotSecFilename = argv.secFile || ".sec";
-    const dotSecPath = path9.resolve(process.cwd(), dotSecFilename);
-    const dotSecString = await loadFile(dotSecPath);
-    const dotSecKeysValues = parse2(dotSecString);
-    const dotEnvString = await decryptRawDotSecValues({
-      dotSecKeysValues,
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value,
-      keyAlias: argv.awsKeyAlias || "alias/dotsec",
-      verbose: argv.verbose
-    });
-    const dotEnvFilename = argv.envFile || `.env`;
-    const dotEnvPath = path9.resolve(process.cwd(), dotEnvFilename);
-    const overwriteResponse = await promptOverwriteIfFileExists({
-      filePath: dotEnvPath,
-      skip: argv.yes
-    });
-    if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-      fs7.writeFileSync(dotEnvPath, dotEnvString);
-    }
-  } catch (e) {
-    error(e);
-  }
-};
-
-// src/commands/encrypted-secrets-to-dot-env.ts
-var encrypted_secrets_to_dot_env_exports = {};
-__export(encrypted_secrets_to_dot_env_exports, {
-  builder: () => builder3,
-  command: () => command3,
-  desc: () => desc3,
-  handler: () => handler3
-});
-import fs8 from "fs";
-import path10 from "node:path";
-
-// src/lib/wtf/dotenv.ts
-import { constantCase as constantCase3 } from "constant-case";
-var fromPlainTextLeafsToEnvEntries = (leafs) => {
-  return Object.entries(leafs).map(([key, plainTextValue]) => {
-    const parts = key.split("/");
-    const dotEnvKeyPath = parts.map((k) => constantCase3(k)).join("_");
-    let storageValue;
-    if (isRegularParameter(plainTextValue)) {
-      if (isRegularParameterObject(plainTextValue)) {
-        storageValue = plainTextValue.value;
-      } else {
-        storageValue = plainTextValue;
-      }
-    } else if (isSSMParameter(plainTextValue)) {
-      storageValue = plainTextValue.value;
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      storageValue = plainTextValue.value;
-    } else {
-      throw new Error("Invalid parameter type");
-    }
-    if (!isString(storageValue) && !isNumber(storageValue) && !isBoolean(storageValue)) {
-      storageValue = JSON.stringify(storageValue);
-    }
-    return `${dotEnvKeyPath}=${String(storageValue)}`;
-  });
-};
-var toDotEnv = (options) => {
-  const { info } = getLogger();
-  const { dotSecPlainText, searchPath, verbose } = options;
-  let tree = dotSecPlainText.plaintext;
-  if (searchPath) {
-    if (verbose) {
-      info(`Searching for path: ${strong(searchPath)}`);
-    }
-    const pathParts = searchPath.split("/");
-    for (const pathPart of pathParts) {
-      tree = tree[pathPart];
-      if (tree === void 0) {
-        throw new Error(`Invalid search path: '${searchPath}', part: '${pathPart}' could not be found`);
-      }
-    }
-  }
-  const flattenedTree = flattenTree(tree);
-  return fromPlainTextLeafsToEnvEntries(flattenedTree).join("\n");
-};
-var toDotEnvPerEnvironment = (options) => {
-  const { info } = getLogger();
-  const { dotSecPlainText, searchPath, verbose } = options;
-  const environments = Object.keys(dotSecPlainText.plaintext);
-  return Object.fromEntries(environments.map((environment) => {
-    let tree = dotSecPlainText.plaintext[environment];
-    if (searchPath) {
-      if (verbose) {
-        info(`Searching for path: ${strong(searchPath)}`);
-      }
-      const pathParts = searchPath.split("/");
-      for (const pathPart of pathParts) {
-        tree = tree[pathPart];
-        if (tree === void 0) {
-          throw new Error(`Invalid search path: '${searchPath}', part: '${pathPart}' could not be found`);
-        }
-      }
-    }
-    return [
-      environment,
-      fromPlainTextLeafsToEnvEntries(flattenTree(tree)).join("\n")
-    ];
-  }));
-};
-
-// src/commands/encrypted-secrets-to-dot-env.ts
-var command3 = "encrypted-secrets-to-dot-env";
-var desc3 = `Creates .env file from an encrypted secrets file.
-If '--use-top-levels-as-environments' is set, it will create a .env file for each top level key in the encrypted secrets file.`;
-var builder3 = {
-  "encrypted-secrets-file": {
-    string: true,
-    describe: "filename of json file for writing encrypted secrets",
-    default: "secrets.encrypted.json"
-  },
-  "env-file": commonCliOptions.envFile,
-  "search-path": commonCliOptions.searchpath,
-  "aws-profile": commonCliOptions.awsProfile,
-  "aws-region": commonCliOptions.awsRegion,
-  "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-  "use-top-levels-as-environments": commonCliOptions.useTopLevelsAsEnvironments,
-  verbose: commonCliOptions.verbose,
-  yes: __spreadValues({}, commonCliOptions.yes)
-};
-var handler3 = async (argv) => {
-  var _a;
-  const config = await getConfig();
-  const { info, error } = getLogger();
-  try {
-    const defaultRegion = config.aws.region || argv.awsRegion;
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-      argv: __spreadProps(__spreadValues({}, argv), {
-        awsRegion: defaultRegion,
-        awsProfile: config.aws.profile || argv.awsProfile,
-        awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-        awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-      }),
-      env: __spreadValues({}, process.env)
-    });
-    const { fileType, dotSecEncrypted } = await getDotSecEncrypted({
-      defaultConfig: {
-        config: {
-          aws: {
-            keyAlias: "alias/dotsec",
-            regions: [regionAndOrigin.value]
-          }
-        }
-      },
-      options: {
-        verbose: argv.verbose
-      }
-    });
-    if (!dotSecEncrypted.encrypted) {
-      throw new Error(`Expected 'encrypted' property, but got none`);
-    }
-    const dotSecPlainText = await decryptedEncrypted({
-      dotSecEncrypted,
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value,
-      keyAlias: argv.awsKeyAlias,
-      verbose: argv.verbose
-    });
-    if (argv.useTopLevelsAsEnvironments || ((_a = dotSecEncrypted.config) == null ? void 0 : _a.useTopLevelsAsEnvironments)) {
-      const dotEnvsPerEnvironment = toDotEnvPerEnvironment({
-        dotSecPlainText,
-        verbose: argv.verbose
-      });
-      for (const [environment, dotEnv] of Object.entries(dotEnvsPerEnvironment)) {
-        const fileName = `.env.${environment}`;
-        const dotEnvPath = path10.resolve(process.cwd(), fileName);
-        info(`target: ${strong(dotEnvPath)}
-`);
-        info(prettyCode(dotEnv));
-        info(`
-`);
-        const overwriteResponse = await promptOverwriteIfFileExists({
-          filePath: dotEnvPath,
-          skip: argv.yes
-        });
-        if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-          fs8.writeFileSync(dotEnvPath, dotEnv);
-        }
-      }
-    } else {
-      const dotEnv = toDotEnv({
-        dotSecPlainText,
-        verbose: argv.verbose,
-        searchPath: argv.searchPath
-      });
-      const fileName = argv.envFile || `.env`;
-      const dotEnvPath = path10.resolve(process.cwd(), fileName);
-      info(`target: ${strong(dotEnvPath)}
-`);
-      info(prettyCode(dotEnv));
-      info(`
-`);
-      const overwriteResponse = await promptOverwriteIfFileExists({
-        filePath: dotEnvPath,
-        skip: argv.yes
-      });
-      if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-        fs8.writeFileSync(dotEnvPath, dotEnv);
-      }
-    }
-  } catch (e) {
-    error(e);
-  }
-};
-
-// src/commands/encrypted-secrets-to-dot-sec.ts
-var encrypted_secrets_to_dot_sec_exports = {};
-__export(encrypted_secrets_to_dot_sec_exports, {
-  builder: () => builder4,
-  command: () => command4,
-  desc: () => desc4,
-  handler: () => handler4
-});
-import fs9 from "fs";
-import path11 from "node:path";
-
-// src/lib/wtf/dotsec.ts
-import { constantCase as constantCase4 } from "constant-case";
-var fromEncryptedLeafsToEnvEntries = (leafs) => {
-  return Object.entries(leafs).map(([key, plainTextValue]) => {
-    const parts = key.split("/");
-    const dotEnvKeyPath = parts.map((k) => constantCase4(k)).join("_");
-    let storageValue;
-    if (isEncryptedRegularParameter(plainTextValue)) {
-      storageValue = plainTextValue.encryptedValue;
-    } else if (isEncryptedSSMParameter(plainTextValue)) {
-      storageValue = plainTextValue.encryptedValue;
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      storageValue = plainTextValue.encryptedValue;
-    } else {
-      throw new Error("Invalid parameter type");
-    }
-    return `${dotEnvKeyPath}=${String(storageValue)}`;
-  });
-};
-var toDotSec = (options) => {
-  const { info } = getLogger();
-  const { dotSecEncrypted, searchPath, verbose } = options;
-  let tree = dotSecEncrypted.encrypted;
-  if (searchPath) {
-    if (verbose) {
-      info(`Searching for path: ${strong(searchPath)}`);
-    }
-    const pathParts = searchPath.split("/");
-    for (const pathPart of pathParts) {
-      tree = tree[pathPart];
-    }
-  }
-  const flattenedTree = flattenTree(tree);
-  return fromEncryptedLeafsToEnvEntries(flattenedTree).join("\n");
-};
-var toDotSecPerEnvironment = (options) => {
-  const { info } = getLogger();
-  const { dotSecEncrypted, searchPath, verbose } = options;
-  const environments = Object.keys(dotSecEncrypted.encrypted);
-  return Object.fromEntries(environments.map((environment) => {
-    let tree = dotSecEncrypted.encrypted[environment];
-    if (searchPath) {
-      if (verbose) {
-        info(`Searching for path: ${strong(searchPath)}`);
-      }
-      const pathParts = searchPath.split("/");
-      for (const pathPart of pathParts) {
-        tree = tree[pathPart];
-      }
-    }
-    return [
-      environment,
-      fromEncryptedLeafsToEnvEntries(flattenTree(tree)).join("\n")
-    ];
-  }));
-};
-
-// src/commands/encrypted-secrets-to-dot-sec.ts
-var command4 = "encrypted-secrets-to-dot-sec";
-var desc4 = `Creates .sec file from an encrypted secrets file.
-If '--use-top-levels-as-environments' is set, it will create a .sec file for each top level key in the encrypted secrets file.`;
-var builder4 = {
-  "encrypted-secrets-file": {
-    string: true,
-    describe: "filename of json file for writing encrypted secrets",
-    default: "secrets.encrypted.json"
-  },
-  "sec-file": commonCliOptions.secFile,
-  "search-path": commonCliOptions.searchpath,
-  "aws-profile": commonCliOptions.awsProfile,
-  "aws-region": commonCliOptions.awsRegion,
-  "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-  "use-top-levels-as-environments": commonCliOptions.useTopLevelsAsEnvironments,
-  verbose: commonCliOptions.verbose,
-  yes: __spreadValues({}, commonCliOptions.yes)
-};
-var handler4 = async (argv) => {
-  var _a;
-  const config = await getConfig();
-  const { info, error } = getLogger();
-  try {
-    const defaultRegion = config.aws.region || argv.awsRegion;
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-      argv: __spreadProps(__spreadValues({}, argv), {
-        awsRegion: defaultRegion,
-        awsProfile: config.aws.profile || argv.awsProfile,
-        awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-        awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-      }),
-      env: __spreadValues({}, process.env)
-    });
-    const { fileType, dotSecEncrypted } = await getDotSecEncrypted({
-      defaultConfig: {
-        config: {
-          aws: {
-            keyAlias: "alias/dotsec",
-            regions: [regionAndOrigin.value]
-          }
-        }
-      },
-      options: {
-        verbose: argv.verbose
-      }
-    });
-    if (!dotSecEncrypted.encrypted) {
-      throw new Error(`Expected 'encrypted' property, but got none`);
-    }
-    const dotSecPlainText = await decryptedEncrypted({
-      dotSecEncrypted,
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value,
-      keyAlias: argv.awsKeyAlias,
-      verbose: argv.verbose
-    });
-    if (argv.useTopLevelsAsEnvironments || ((_a = dotSecEncrypted.config) == null ? void 0 : _a.useTopLevelsAsEnvironments)) {
-      const dotSecsPerEnvironment = toDotSecPerEnvironment({
-        dotSecEncrypted,
-        searchPath: argv.searchPath,
-        verbose: argv.verbose
-      });
-      for (const [environment, dotSec] of Object.entries(dotSecsPerEnvironment)) {
-        const fileName = `.sec.${environment}`;
-        const dotSecPath = path11.resolve(process.cwd(), fileName);
-        info(`target: ${strong(dotSecPath)}
-`);
-        info(prettyCode(dotSec));
-        info(`
-`);
-        const overwriteResponse = await promptOverwriteIfFileExists({
-          filePath: dotSecPath,
-          skip: argv.yes
-        });
-        if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-          fs9.writeFileSync(dotSecPath, dotSec);
-        }
-      }
-    } else {
-      const dotSec = toDotSec({
-        dotSecEncrypted,
-        searchPath: argv.searchPath,
-        verbose: argv.verbose
-      });
-      const fileName = argv.secFile || `.sec`;
-      const dotSecPath = path11.resolve(process.cwd(), fileName);
-      info(`target: ${strong(dotSecPath)}
-`);
-      info(prettyCode(dotSec));
-      info(`
-`);
-      const overwriteResponse = await promptOverwriteIfFileExists({
-        filePath: dotSecPath,
-        skip: argv.yes
-      });
-      if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-        fs9.writeFileSync(dotSecPath, dotSec);
-      }
-    }
-  } catch (e) {
-    error(e);
-  }
-};
-
-// src/commands/encrypted-secrets-to-plaintext-secrets.ts
-var encrypted_secrets_to_plaintext_secrets_exports = {};
-__export(encrypted_secrets_to_plaintext_secrets_exports, {
-  builder: () => builder5,
-  command: () => command5,
-  desc: () => desc5,
-  handler: () => handler5
-});
-import fs10 from "node:fs";
-import path12 from "node:path";
-import YAML2 from "yaml";
-var command5 = "encrypted-secrets-to-plaintext-secrets";
-var desc5 = "Decrypts an encrypted file and stores the result in a plaintext file";
-var builder5 = {
-  "secrets-file": {
-    string: true,
-    describe: "filename of json file reading secrets",
-    default: "secrets.json"
-  },
-  "encrypted-secrets-file": {
-    string: true,
-    describe: "filename of json file for writing encrypted secrets",
-    default: "secrets.encrypted.json"
-  },
-  "aws-profile": commonCliOptions.awsProfile,
-  "aws-region": commonCliOptions.awsRegion,
-  "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-  verbose: commonCliOptions.verbose,
-  yes: __spreadValues({}, commonCliOptions.yes)
-};
-var handler5 = async (argv) => {
-  const config = await getConfig();
-  const { info, error } = getLogger();
-  try {
-    const defaultRegion = config.aws.region || argv.awsRegion;
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-      argv: __spreadProps(__spreadValues({}, argv), {
-        awsRegion: defaultRegion,
-        awsProfile: config.aws.profile || argv.awsProfile,
-        awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-        awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-      }),
-      env: __spreadValues({}, process.env)
-    });
-    const { fileType, dotSecEncrypted } = await getDotSecEncrypted({
-      defaultConfig: {
-        config: {
-          aws: {
-            keyAlias: "alias/dotsec",
-            regions: [regionAndOrigin.value]
-          }
-        }
-      },
-      options: {}
-    });
-    if (!dotSecEncrypted.encrypted) {
-      throw new Error(`Expected 'encrypted' property, but got none`);
-    }
-    const dotSecPlainText = await decryptedEncrypted({
-      dotSecEncrypted,
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value,
-      keyAlias: argv.awsKeyAlias,
-      verbose: argv.verbose
-    });
-    if (argv.secretsFile) {
-      const secretsFileExtension = path12.extname(argv.secretsFile).substring(1);
-    }
-    const secretsPath = path12.resolve(process.cwd(), path12.parse(argv.secretsFile || `secrets.json`).name + "." + fileType);
-    console.log("secretsPath", fileType, path12.parse(argv.secretsFile || `secrets.json`).name);
-    const converted = fileType === "yaml" || fileType === "yml" ? YAML2.stringify(dotSecPlainText) : JSON.stringify(dotSecPlainText, null, 2);
-    info(`target: ${strong(secretsPath)}
-`);
-    info(prettyCode(converted));
-    info(`
-`);
-    const overwriteResponse = await promptOverwriteIfFileExists({
-      filePath: secretsPath,
-      skip: argv.yes
-    });
-    if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-      fs10.writeFileSync(secretsPath, converted);
-    }
-  } catch (e) {
-    error(e);
-  }
-};
-
-// src/commands/offload-plaintext-secrets.ts
-var offload_plaintext_secrets_exports = {};
-__export(offload_plaintext_secrets_exports, {
-  builder: () => builder6,
-  command: () => command6,
-  desc: () => desc6,
-  handler: () => handler6
-});
-import prompts2 from "prompts";
-var command6 = "offload-plaintext-secrets";
-var desc6 = "Decrypts and pushes secret values to AWS SSM and SecretsManager";
-var builder6 = {
-  "encrypted-secrets-file": {
-    string: true,
-    describe: "filename of json file for writing encrypted secrets",
-    default: "secrets.encrypted.json"
-  },
-  "aws-profile": commonCliOptions.awsProfile,
-  "aws-region": commonCliOptions.awsRegion,
-  "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-  verbose: commonCliOptions.verbose,
-  yes: __spreadValues({}, commonCliOptions.yes)
-};
-var handler6 = async (argv) => {
-  const config = await getConfig();
-  const { info, error } = getLogger();
-  try {
-    const defaultRegion = config.aws.region || argv.awsRegion;
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-      argv: __spreadProps(__spreadValues({}, argv), {
-        awsRegion: defaultRegion,
-        awsProfile: config.aws.profile || argv.awsProfile,
-        awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-        awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-      }),
-      env: __spreadValues({}, process.env)
-    });
-    const { fileType, dotSecEncrypted } = await getDotSecEncrypted({
-      defaultConfig: {
-        config: {
-          aws: {
-            keyAlias: "alias/dotsec",
-            regions: [regionAndOrigin.value]
-          }
-        }
-      },
-      options: {}
-    });
-    if (!dotSecEncrypted.encrypted) {
-      throw new Error(`Expected 'encrypted' property, but got none`);
-    }
-    const dotSecPlainText = await decryptedEncrypted({
-      dotSecEncrypted,
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value,
-      keyAlias: argv.awsKeyAlias,
-      verbose: argv.verbose
-    });
-    const tasks = await createStorePlaintextTasks({
-      dotSecPlainText,
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value,
-      keyAlias: argv.awsKeyAlias,
-      verbose: argv.verbose
-    });
-    if (tasks.total > 0) {
-      prettyPrintTasks(tasks);
-      let proceed = argv.yes === true;
-      if (proceed === false) {
-        proceed = await prompts2({
-          type: "confirm",
-          name: "proceed",
-          message: () => {
-            return `Proceed ?`;
-          }
-        }).then((r) => r.proceed);
-      }
-      if (proceed) {
-        await executeStorePlainTextTasks({
-          credentials: credentialsAndOrigin.value,
-          region: regionAndOrigin.value,
-          verbose: argv.verbose,
-          tasks
-        });
-      }
-    } else {
-      info("Nothing to do");
-    }
-  } catch (e) {
-    error(e);
-  }
-};
-
-// src/commands/plaintext-secrets-to-dot-env.ts
-var plaintext_secrets_to_dot_env_exports = {};
-__export(plaintext_secrets_to_dot_env_exports, {
-  builder: () => builder7,
-  command: () => command7,
-  desc: () => desc7,
-  handler: () => handler7
-});
-import fs11 from "fs";
-import path13 from "node:path";
-var command7 = "plaintext-secrets-to-dot-env";
-var desc7 = `Creates .env file from a secrets file.
-If '--use-top-levels-as-environments' is set, it will create a .env file for each top level key in the secrets file.`;
-var builder7 = {
-  "secrets-file": {
-    string: true,
-    describe: "filename of json file reading secrets",
-    default: "secrets.json"
-  },
-  "env-file": commonCliOptions.envFile,
-  "search-path": commonCliOptions.searchpath,
-  "aws-profile": commonCliOptions.awsProfile,
-  "aws-region": commonCliOptions.awsRegion,
-  "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-  "use-top-levels-as-environments": commonCliOptions.useTopLevelsAsEnvironments,
-  verbose: commonCliOptions.verbose,
-  yes: __spreadValues({}, commonCliOptions.yes),
-  "dry-run": commonCliOptions.dryRun
-};
-var handler7 = async (argv) => {
-  var _a;
-  const config = await getConfig();
-  const { info, error } = getLogger();
-  try {
-    const defaultRegion = config.aws.region || argv.awsRegion;
-    const { regionAndOrigin } = await handleCredentialsAndRegion({
-      argv: __spreadProps(__spreadValues({}, argv), {
-        awsRegion: defaultRegion,
-        awsProfile: config.aws.profile || argv.awsProfile,
-        awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-        awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-      }),
-      env: __spreadValues({}, process.env)
-    });
-    const { dotSecPlainText } = await getDotSecPlainText({
-      defaultConfig: {
-        config: {
-          aws: {
-            keyAlias: "alias/dotsec",
-            regions: [regionAndOrigin.value]
-          }
-        }
-      },
-      options: {
-        filename: argv.secretsFile,
-        verbose: argv.verbose
-      }
-    });
-    if (!dotSecPlainText.plaintext) {
-      throw new Error(`Expected 'encrypted' property, but got none`);
-    }
-    if (argv.useTopLevelsAsEnvironments || ((_a = dotSecPlainText.config) == null ? void 0 : _a.useTopLevelsAsEnvironments)) {
-      const dotEnvsPerEnvironment = toDotEnvPerEnvironment({
-        dotSecPlainText,
-        verbose: argv.verbose
-      });
-      for (const [environment, dotEnv] of Object.entries(dotEnvsPerEnvironment)) {
-        const fileName = `.env.${environment}`;
-        const dotEnvPath = path13.resolve(process.cwd(), fileName);
-        if (argv.dryRun) {
-          info(strong(`// ${dotEnvPath}`));
-          info(emphasis(dotEnv));
-        } else {
-          const overwriteResponse = await promptOverwriteIfFileExists({
-            filePath: dotEnvPath,
-            skip: argv.yes
-          });
-          if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-            fs11.writeFileSync(dotEnvPath, dotEnv);
-          }
-        }
-      }
-    } else {
-      const dotEnv = toDotEnv({
-        dotSecPlainText,
-        verbose: argv.verbose,
-        searchPath: argv.searchPath
-      });
-      const fileName = argv.envFile || `.env`;
-      const dotEnvPath = path13.resolve(process.cwd(), fileName);
-      info(`target: ${strong(dotEnvPath)}
-`);
-      info(prettyCode(dotEnv));
-      info(`
-`);
-      const overwriteResponse = await promptOverwriteIfFileExists({
-        filePath: dotEnvPath,
-        skip: argv.yes
-      });
-      if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-        fs11.writeFileSync(dotEnvPath, dotEnv);
-      }
-    }
-  } catch (e) {
-    error(e);
-  }
-};
-
-// src/commands/plaintext-secrets-to-dot-sec.ts
-var plaintext_secrets_to_dot_sec_exports = {};
-__export(plaintext_secrets_to_dot_sec_exports, {
-  builder: () => builder8,
-  command: () => command8,
-  desc: () => desc8,
-  handler: () => handler8
-});
-import fs12 from "fs";
-import path14 from "node:path";
-var command8 = "plaintext-secrets-to-dot-sec";
-var desc8 = `Creates .sec file from an secrets file.
-If '--use-top-levels-as-environments' is set, it will create a .sec file for each top level key in the ecrets file.`;
-var builder8 = {
-  "secrets-file": {
-    string: true,
-    describe: "filename of json file reading secrets"
-  },
-  "sec-file": commonCliOptions.secFile,
-  "aws-profile": commonCliOptions.awsProfile,
-  "aws-region": commonCliOptions.awsRegion,
-  "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-  "use-top-levels-as-environments": commonCliOptions.useTopLevelsAsEnvironments,
-  verbose: commonCliOptions.verbose,
-  yes: __spreadValues({}, commonCliOptions.yes)
-};
-var handler8 = async (argv) => {
-  var _a;
-  const config = await getConfig();
-  const { info, error } = getLogger();
-  try {
-    const defaultRegion = config.aws.region || argv.awsRegion;
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-      argv: __spreadProps(__spreadValues({}, argv), {
-        awsRegion: defaultRegion,
-        awsProfile: config.aws.profile || argv.awsProfile,
-        awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-        awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-      }),
-      env: __spreadValues({}, process.env)
-    });
-    const { fileType, dotSecPlainText } = await getDotSecPlainText({
-      defaultConfig: {
-        config: {
-          aws: {
-            keyAlias: "alias/dotsec",
-            regions: [regionAndOrigin.value]
-          }
-        }
-      },
-      options: {
-        filename: argv.secretsFile,
-        verbose: argv.verbose
-      }
-    });
-    console.log("dotSecPlainText", dotSecPlainText);
-    const dotSecEncrypted = await encryptPlainText({
-      dotSecPlainText,
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value,
-      keyAlias: argv.awsKeyAlias,
-      verbose: argv.verbose
-    });
-    if (!dotSecPlainText.plaintext) {
-      throw new Error(`Expected 'encrypted' property, but got none`);
-    }
-    if (!dotSecEncrypted.encrypted) {
-      throw new Error(`Expected 'encrypted' property, but got none`);
-    }
-    if (argv.useTopLevelsAsEnvironments || ((_a = dotSecPlainText.config) == null ? void 0 : _a.useTopLevelsAsEnvironments)) {
-      const dotSecsPerEnvironment = toDotSecPerEnvironment({
-        dotSecEncrypted,
-        verbose: argv.verbose
-      });
-      for (const [environment, dotSec] of Object.entries(dotSecsPerEnvironment)) {
-        const fileName = `.sec.${environment}`;
-        const dotSecPath = path14.resolve(process.cwd(), fileName);
-        info(`target: ${strong(dotSecPath)}
-`);
-        info(prettyCode(dotSec));
-        info(`
-`);
-        const overwriteResponse = await promptOverwriteIfFileExists({
-          filePath: dotSecPath,
-          skip: argv.yes
-        });
-        if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-          fs12.writeFileSync(dotSecPath, dotSec);
-        }
-      }
-    } else {
-      const dotSec = toDotSec({
-        dotSecEncrypted,
-        verbose: argv.verbose
-      });
-      const fileName = argv.secFile || `.sec`;
-      const dotSecPath = path14.resolve(process.cwd(), fileName);
-      info(`target: ${strong(dotSecPath)}
-`);
-      info(prettyCode(dotSec));
-      info(`
-`);
-      const overwriteResponse = await promptOverwriteIfFileExists({
-        filePath: dotSecPath,
-        skip: argv.yes
-      });
-      if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-        fs12.writeFileSync(dotSecPath, dotSec);
-      }
-    }
-  } catch (e) {
-    error(e);
-  }
-};
-
-// src/commands/plaintext-secrets-to-encrypted-secrets.ts
-var plaintext_secrets_to_encrypted_secrets_exports = {};
-__export(plaintext_secrets_to_encrypted_secrets_exports, {
-  builder: () => builder9,
-  command: () => command9,
-  desc: () => desc9,
-  handler: () => handler9
-});
-import fs13 from "node:fs";
-import path15 from "node:path";
-import YAML3 from "yaml";
-var command9 = "plaintext-secrets-to-encrypted-secrets";
-var desc9 = "Encrypts an unencrypted secretsfile";
-var builder9 = {
-  "secrets-file": {
-    string: true,
-    describe: "filename of json file reading secrets"
-  },
-  "encrypted-secrets-file": {
-    string: true,
-    describe: "filename of json file for writing encrypted secrets",
-    default: "secrets.encrypted.json"
-  },
-  "aws-profile": commonCliOptions.awsProfile,
-  "aws-region": commonCliOptions.awsRegion,
-  "aws-key-alias": commonCliOptions.awsKeyAlias,
-  "aws-assume-role-arn": commonCliOptions.awsAssumeRoleArn,
-  "aws-assume-role-session-duration": commonCliOptions.awsAssumeRoleSessionDuration,
-  verbose: commonCliOptions.verbose,
-  yes: __spreadValues({}, commonCliOptions.yes)
-};
-var handler9 = async (argv) => {
-  const config = await getConfig();
-  const { info, error } = getLogger();
-  try {
-    const defaultRegion = config.aws.region || argv.awsRegion;
-    const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-      argv: __spreadProps(__spreadValues({}, argv), {
-        awsRegion: defaultRegion,
-        awsProfile: config.aws.profile || argv.awsProfile,
-        awsAssumeRoleArn: config.aws.assumeRoleArn || argv.awsAssumeRoleArn,
-        awsAssumeRoleSessionDuration: config.aws.assumeRoleSessionDuration || argv.awsAssumeRoleSessionDuration
-      }),
-      env: __spreadValues({}, process.env)
-    });
-    const { fileType, dotSecPlainText } = await getDotSecPlainText({
-      defaultConfig: {
-        config: {
-          aws: {
-            keyAlias: "alias/dotsec",
-            regions: [regionAndOrigin.value]
-          }
-        }
-      },
-      options: {
-        filename: argv.secretsFile
-      }
-    });
-    if (!dotSecPlainText.plaintext) {
-      throw new Error(`Expected 'plaintext' property, but got none`);
-    }
-    const dotSecEncrypted = await encryptPlainText({
-      dotSecPlainText,
-      credentials: credentialsAndOrigin.value,
-      region: regionAndOrigin.value,
-      keyAlias: argv.awsKeyAlias,
-      verbose: argv.verbose
-    });
-    const encryptedSecretsPath = path15.resolve(process.cwd(), path15.parse(argv.encryptedSecretsFile || `secrets.encrypted.json`).name + "." + fileType);
-    const converted = fileType === "yaml" || fileType === "yml" ? YAML3.stringify(dotSecEncrypted) : JSON.stringify(dotSecEncrypted, null, 2);
-    info(`target: ${strong(encryptedSecretsPath)}
-`);
-    info(prettyCode(converted));
-    info(`
-`);
-    const overwriteResponse = await promptOverwriteIfFileExists({
-      filePath: encryptedSecretsPath,
-      skip: argv.yes
-    });
-    if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-      fs13.writeFileSync(encryptedSecretsPath, converted);
-    }
-  } catch (e) {
-    error(e);
-  }
-};
-
-// src/cli.ts
-void yargs(hideBin(process.argv)).command(convert_default).command(defaultCommand_exports).command(plaintext_secrets_to_encrypted_secrets_exports).command(encrypted_secrets_to_plaintext_secrets_exports).command(encrypted_secrets_to_dot_env_exports).command(encrypted_secrets_to_dot_sec_exports).command(plaintext_secrets_to_dot_env_exports).command(plaintext_secrets_to_dot_sec_exports).command(dot_sec_to_dot_env_exports).command(offload_plaintext_secrets_exports).parse();
-//# sourceMappingURL=cli.js.map