dotsec 1.0.0-alpha.2 → 1.0.0-alpha.20

package/dist/esm/ds/cli.js

@@ -1,1116 +0,0 @@
-var __defProp = Object.defineProperty;
-var __defProps = Object.defineProperties;
-var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
-var __getOwnPropSymbols = Object.getOwnPropertySymbols;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __propIsEnum = Object.prototype.propertyIsEnumerable;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __spreadValues = (a, b) => {
-  for (var prop in b || (b = {}))
-    if (__hasOwnProp.call(b, prop))
-      __defNormalProp(a, prop, b[prop]);
-  if (__getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(b)) {
-      if (__propIsEnum.call(b, prop))
-        __defNormalProp(a, prop, b[prop]);
-    }
-  return a;
-};
-var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
-
-// src/ds/cli.ts
-import { Command as Command2 } from "commander";
-
-// src/ds/commands/run.ts
-import fs from "node:fs";
-import commander from "commander";
-import spawn from "cross-spawn";
-import { parse } from "dotenv";
-
-// src/utils/getCredentialsProfileRegion.ts
-import {
-  fromEnv,
-  fromIni,
-  fromTemporaryCredentials
-} from "@aws-sdk/credential-providers";
-import { loadSharedConfigFiles } from "@aws-sdk/shared-ini-file-loader";
-
-// src/utils/logger.ts
-import chalk from "chalk";
-import { highlight, plain } from "cli-highlight";
-var _logger;
-var getLogger = () => {
-  if (!_logger) {
-    _logger = console;
-  }
-  return _logger;
-};
-var emphasis = (str) => chalk.yellowBright(str);
-var strong = (str) => chalk.yellow.bold(str);
-var myTheme = {
-  attr: chalk.yellow.bold,
-  string: chalk.yellowBright.dim,
-  params: chalk.red,
-  deletion: chalk.red.strikethrough,
-  number: plain
-};
-var prettyCode = (str) => {
-  return highlight(str, { theme: myTheme });
-};
-
-// src/utils/getCredentialsProfileRegion.ts
-var getCredentialsProfileRegion = async ({
-  argv,
-  env
-}) => {
-  var _a, _b, _c;
-  const sharedConfigFiles = await loadSharedConfigFiles();
-  let credentialsAndOrigin = void 0;
-  let profileAndOrigin = void 0;
-  let regionAndOrigin = void 0;
-  if (argv.profile) {
-    profileAndOrigin = {
-      value: argv.profile,
-      origin: `command line option: ${emphasis(argv.profile)}`
-    };
-    credentialsAndOrigin = {
-      value: await fromIni({
-        profile: argv.profile
-      })(),
-      origin: `${emphasis(`[${argv.profile}]`)} in credentials file`
-    };
-  } else if (env.AWS_PROFILE) {
-    profileAndOrigin = {
-      value: env.AWS_PROFILE,
-      origin: `env variable ${emphasis("AWS_PROFILE")}: ${strong(env.AWS_PROFILE)}`
-    };
-    credentialsAndOrigin = {
-      value: await fromIni({
-        profile: env.AWS_PROFILE
-      })(),
-      origin: `env variable ${emphasis("AWS_PROFILE")}: ${strong(env.AWS_PROFILE)}`
-    };
-  } else if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) {
-    credentialsAndOrigin = {
-      value: await fromEnv()(),
-      origin: `env variables ${emphasis("AWS_ACCESS_KEY_ID")} and ${emphasis("AWS_SECRET_ACCESS_KEY")}`
-    };
-  } else if ((_a = sharedConfigFiles.credentialsFile) == null ? void 0 : _a.default) {
-    profileAndOrigin = {
-      value: "default",
-      origin: `${emphasis("[default]")} in credentials file`
-    };
-    credentialsAndOrigin = {
-      value: await fromIni({
-        profile: "default"
-      })(),
-      origin: `profile ${emphasis("[default]")}`
-    };
-  }
-  if (argv.region) {
-    regionAndOrigin = {
-      value: argv.region,
-      origin: `command line option: ${emphasis(argv.region)}`
-    };
-  } else if (env.AWS_REGION) {
-    regionAndOrigin = {
-      value: env.AWS_REGION,
-      origin: `env variable ${emphasis("AWS_REGION")}: ${strong(env.AWS_REGION)}`
-    };
-  } else if (env.AWS_DEFAULT_REGION) {
-    regionAndOrigin = {
-      value: env.AWS_DEFAULT_REGION,
-      origin: `env variable ${emphasis("AWS_DEFAULT_REGION")}: ${strong(env.AWS_DEFAULT_REGION)}`
-    };
-  } else if (profileAndOrigin) {
-    const foundRegion = (_c = (_b = sharedConfigFiles == null ? void 0 : sharedConfigFiles.configFile) == null ? void 0 : _b[profileAndOrigin.value]) == null ? void 0 : _c.region;
-    if (foundRegion) {
-      regionAndOrigin = {
-        value: foundRegion,
-        origin: `${emphasis(`[profile ${profileAndOrigin.value}]`)} in config file`
-      };
-    }
-  }
-  const assumedRole = argv.assumeRoleArn || env.AWS_ASSUME_ROLE_ARN;
-  if (assumedRole) {
-    const origin = argv.assumeRoleArn ? "command line option" : "env variable";
-    credentialsAndOrigin = {
-      value: await fromTemporaryCredentials({
-        masterCredentials: credentialsAndOrigin == null ? void 0 : credentialsAndOrigin.value,
-        params: {
-          DurationSeconds: argv.assumeRoleSessionDuration || Number(env.AWS_ASSUME_ROLE_SESSION_DURATION) || 3600,
-          RoleArn: assumedRole
-        },
-        clientConfig: {
-          region: regionAndOrigin == null ? void 0 : regionAndOrigin.value
-        }
-      })(),
-      origin: `${origin} ${emphasis(`[${assumedRole}]`)}`
-    };
-  }
-  return { credentialsAndOrigin, regionAndOrigin, profileAndOrigin };
-};
-var printVerboseCredentialsProfileRegion = ({
-  credentialsAndOrigin,
-  regionAndOrigin,
-  profileAndOrigin
-}) => {
-  const out = [];
-  if (profileAndOrigin) {
-    out.push(`Got profile name from ${profileAndOrigin.origin}`);
-  }
-  if (credentialsAndOrigin) {
-    out.push(`Resolved credentials from ${credentialsAndOrigin.origin}`);
-  }
-  if (regionAndOrigin) {
-    out.push(`Resolved region from ${regionAndOrigin.origin}`);
-  }
-  return out.join("\n");
-};
-
-// src/lib/partial-commands/handleCredentialsAndRegion.ts
-var handleCredentialsAndRegion = async ({
-  argv,
-  env
-}) => {
-  const { credentialsAndOrigin, regionAndOrigin, profileAndOrigin } = await getCredentialsProfileRegion({
-    argv: {
-      region: argv.awsRegion,
-      profile: argv.awsProfile,
-      assumeRoleArn: argv.awsAssumeRoleArn,
-      assumeRoleSessionDuration: argv.awsAssumeRoleSessionDuration
-    },
-    env: __spreadValues({}, env)
-  });
-  if (argv.verbose === true) {
-    console.log(printVerboseCredentialsProfileRegion({
-      credentialsAndOrigin,
-      regionAndOrigin,
-      profileAndOrigin
-    }));
-  }
-  if (!credentialsAndOrigin || !regionAndOrigin) {
-    if (!credentialsAndOrigin) {
-      console.error("Could not find credentials");
-      throw new Error("Could not find credentials");
-    }
-    if (!regionAndOrigin) {
-      console.error("Could not find region");
-      throw new Error("Could not find region");
-    }
-  }
-  return { credentialsAndOrigin, regionAndOrigin };
-};
-
-// src/lib/wtf/crypto.ts
-import {
-  DecryptCommand,
-  DescribeKeyCommand as DescribeKeyCommand2,
-  EncryptCommand
-} from "@aws-sdk/client-kms";
-import {
-  CreateSecretCommand,
-  ListSecretsCommand,
-  PutSecretValueCommand
-} from "@aws-sdk/client-secrets-manager";
-import {
-  ParameterTier,
-  ParameterType,
-  PutParameterCommand
-} from "@aws-sdk/client-ssm";
-import { constantCase } from "constant-case";
-
-// src/utils/kms.ts
-import {
-  DescribeKeyCommand,
-  KMSClient
-} from "@aws-sdk/client-kms";
-var getKMSClient = ({
-  configuration
-}) => {
-  const kmsClient = new KMSClient(configuration);
-  return kmsClient;
-};
-var getEncryptionAlgorithm = async (kmsClient, awsKeyAlias) => {
-  var _a, _b;
-  const describeKeyCommand = new DescribeKeyCommand({
-    KeyId: awsKeyAlias
-  });
-  const describeKeyResult = await kmsClient.send(describeKeyCommand);
-  const encryptionAlgorithm = (_b = (_a = describeKeyResult.KeyMetadata) == null ? void 0 : _a.EncryptionAlgorithms) == null ? void 0 : _b[0];
-  if (encryptionAlgorithm === void 0) {
-    throw new Error(`Could not determine encryption algorithm`);
-  }
-  return encryptionAlgorithm;
-};
-
-// src/utils/secretsManager.ts
-import {
-  SecretsManagerClient
-} from "@aws-sdk/client-secrets-manager";
-
-// src/utils/ssm.ts
-import { SSMClient } from "@aws-sdk/client-ssm";
-
-// src/lib/wtf/types.ts
-var isString = (value) => {
-  return typeof value === "string";
-};
-var isNumber = (value) => {
-  return typeof value === "number";
-};
-var isBoolean = (value) => {
-  return typeof value === "boolean";
-};
-var isSSMParameter = (leafOrTree) => {
-  const ssmParameter = leafOrTree;
-  return typeof ssmParameter === "object" && ssmParameter !== null && "type" in ssmParameter && ssmParameter.type === "ssm";
-};
-var isRegularParameterObject = (value) => {
-  const regularParameter = value;
-  return typeof regularParameter === "object" && regularParameter !== null && "type" in regularParameter && regularParameter.type === "standard";
-};
-var isRegularParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return isString(leaf) || isNumber(leaf) || isBoolean(leaf) || isRegularParameterObject(leaf);
-};
-var isEncryptedSSMParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return leaf.type !== void 0 && leaf.type === "ssm" && leaf.encryptedValue !== void 0;
-};
-var isEncryptedRegularParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return leaf.type !== void 0 && leaf.type === "standard" && leaf.encryptedValue !== void 0;
-};
-var isSecretsManagerParameter = (leafOrTree) => {
-  const leaf = leafOrTree;
-  return leaf.type !== void 0 && leaf.type === "secretsManager" && !(isString(leaf) || isNumber(leaf) || isBoolean(leaf));
-};
-var isDotSecTree = (leafOrTree) => {
-  if (typeof leafOrTree === "object" && !Array.isArray(leafOrTree) && leafOrTree !== null && !isSSMParameter(leafOrTree) && !isRegularParameter(leafOrTree) && !isEncryptedSSMParameter(leafOrTree) && !isEncryptedRegularParameter(leafOrTree) && !isSecretsManagerParameter(leafOrTree)) {
-    return true;
-  }
-  return false;
-};
-
-// src/lib/wtf/flat.ts
-var flattenTree = (tree) => {
-  const lazy = {};
-  const innerParser = (leafOrTree, paths = []) => {
-    if (isDotSecTree(leafOrTree)) {
-      Object.entries(leafOrTree).map(([key, value]) => {
-        innerParser(value, [...paths, key]);
-      });
-    } else {
-      lazy[paths.join("/")] = leafOrTree;
-    }
-  };
-  innerParser(tree);
-  return lazy;
-};
-var flattenPlainText = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { plaintext: flattenTree(dotSec.plaintext) });
-};
-var flattenEncrypted = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { encrypted: flattenTree(dotSec.encrypted) });
-};
-var expandTree = (tree) => {
-  const lazy = {};
-  Object.entries(tree).map(([key, value]) => {
-    const paths = key.split("/");
-    let current = lazy;
-    paths.forEach((pathKey, index) => {
-      if (!current[pathKey]) {
-        if (index === paths.length - 1) {
-          current[pathKey] = value;
-        } else {
-          current[pathKey] = {};
-        }
-      }
-      current = current[pathKey];
-    });
-  });
-  return lazy;
-};
-var expandPlainText = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { plaintext: expandTree(dotSec.plaintext) });
-};
-var expandEncrypted = (dotSec) => {
-  return __spreadProps(__spreadValues({}, dotSec), { encrypted: expandTree(dotSec.encrypted) });
-};
-
-// src/lib/wtf/crypto.ts
-var maybeJson = (value) => {
-  try {
-    return JSON.parse(value);
-  } catch (e) {
-    return value;
-  }
-};
-var decryptedEncrypted = async (options) => {
-  var _a, _b;
-  const { dotSecEncrypted, credentials, region, verbose, keyAlias } = options;
-  const dotSecEncryptedFlattened = flattenEncrypted(dotSecEncrypted);
-  const { info, table } = getLogger();
-  const kmsClient = getKMSClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const awsKeyAlias = keyAlias || ((_b = (_a = dotSecEncrypted.config) == null ? void 0 : _a.aws) == null ? void 0 : _b.keyAlias);
-  if (!awsKeyAlias) {
-    throw new Error("No key alias specified");
-  }
-  if (verbose) {
-    info(`Encrypting using key alias ${emphasis(awsKeyAlias)} in ${emphasis(await kmsClient.config.region())}`);
-    const describeKeyCommand = new DescribeKeyCommand2({
-      KeyId: awsKeyAlias
-    });
-    const describeKeyResult = await kmsClient.send(describeKeyCommand);
-    info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
-  }
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
-  const dotSecFlattened = {
-    config: __spreadValues({}, dotSecEncrypted.config),
-    plaintext: {}
-  };
-  for (const [key, encryptedValue] of Object.entries(dotSecEncryptedFlattened.encrypted)) {
-    const decryptCommand = new DecryptCommand({
-      KeyId: awsKeyAlias,
-      CiphertextBlob: Buffer.from(encryptedValue.encryptedValue, "base64"),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const decryptionResult = await kmsClient.send(decryptCommand);
-    if (!decryptionResult.Plaintext) {
-      throw new Error(`Something bad happened: ${JSON.stringify({
-        key,
-        cipherText: encryptedValue,
-        decryptCommand
-      })}`);
-    }
-    if (verbose) {
-      info(`Decrypting key ${emphasis(key)} ${strong("ok")}`);
-    }
-    const decryptedValue = Buffer.from(decryptionResult.Plaintext).toString();
-    const decryptedKeyValue = JSON.parse(decryptedValue);
-    dotSecFlattened.plaintext[key] = maybeJson(decryptedKeyValue.value);
-  }
-  return expandPlainText(dotSecFlattened);
-};
-var encryptPlainText = async (options) => {
-  var _a, _b;
-  const { dotSecPlainText, credentials, region, verbose, keyAlias } = options;
-  const dotSecFlattened = flattenPlainText(dotSecPlainText);
-  const { info } = getLogger();
-  const kmsClient = getKMSClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const awsKeyAlias = keyAlias || ((_b = (_a = dotSecFlattened.config) == null ? void 0 : _a.aws) == null ? void 0 : _b.keyAlias);
-  if (!awsKeyAlias) {
-    throw new Error("No key alias specified");
-  }
-  if (verbose) {
-    info(`Encrypting using key alias ${emphasis(awsKeyAlias)} in ${emphasis(await kmsClient.config.region())}`);
-    const describeKeyCommand = new DescribeKeyCommand2({
-      KeyId: awsKeyAlias
-    });
-    const describeKeyResult = await kmsClient.send(describeKeyCommand);
-    info("keyMetaData", __spreadValues({}, describeKeyResult.KeyMetadata));
-  }
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, awsKeyAlias);
-  const encryptedDotSecFlattened = {
-    config: __spreadValues({}, dotSecFlattened.config),
-    encrypted: {}
-  };
-  for (const [key, plainTextValue] of Object.entries(dotSecFlattened.plaintext)) {
-    let plainTextValueCopy = plainTextValue;
-    if (typeof plainTextValueCopy !== "string" && typeof plainTextValueCopy !== "number" && typeof plainTextValueCopy !== "boolean") {
-      plainTextValueCopy = JSON.stringify(plainTextValue);
-    }
-    const damn = JSON.stringify({ key, value: plainTextValueCopy });
-    const encryptCommand = new EncryptCommand({
-      KeyId: awsKeyAlias,
-      Plaintext: Buffer.from(String(damn)),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const encryptionResult = await kmsClient.send(encryptCommand);
-    if (!encryptionResult.CiphertextBlob) {
-      throw new Error(`Something bad happened: ${JSON.stringify({
-        key,
-        value: plainTextValue,
-        encryptCommand
-      })}`);
-    }
-    if (verbose) {
-      info(`Encrypting key ${emphasis(key)} ${strong("ok")}`);
-    }
-    const cipherText = Buffer.from(encryptionResult.CiphertextBlob).toString("base64");
-    if (isRegularParameter(plainTextValue)) {
-      encryptedDotSecFlattened.encrypted[key] = {
-        type: "standard",
-        encryptedValue: cipherText
-      };
-    } else if (isSSMParameter(plainTextValue)) {
-      encryptedDotSecFlattened.encrypted[key] = {
-        type: "ssm",
-        encryptedValue: cipherText
-      };
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      encryptedDotSecFlattened.encrypted[key] = {
-        type: "secretsManager",
-        encryptedValue: cipherText
-      };
-    }
-  }
-  return expandEncrypted(encryptedDotSecFlattened);
-};
-var decryptRawDotSecValues = async (options) => {
-  const { info } = getLogger();
-  const {
-    dotSecKeysValues: rawDotSec,
-    credentials,
-    region,
-    verbose,
-    keyAlias,
-    searchPath
-  } = options;
-  const kmsClient = getKMSClient({
-    configuration: {
-      credentials,
-      region
-    },
-    verbose
-  });
-  const s = searchPath == null ? void 0 : searchPath.split(".").map((part) => `${constantCase(part)}_`).join("");
-  const awsKeyAlias = keyAlias;
-  if (!keyAlias) {
-    throw new Error("No key alias specified");
-  }
-  const encryptionAlgorithm = await getEncryptionAlgorithm(kmsClient, keyAlias);
-  const dotEnvLines = [];
-  const filtered = s ? Object.fromEntries(Object.entries(rawDotSec).filter(([key]) => key.startsWith(s)).map(([key, value]) => [key.replace(s, ""), value])) : rawDotSec;
-  for (const [key, encryptedValue] of Object.entries(filtered)) {
-    const decryptCommand = new DecryptCommand({
-      KeyId: awsKeyAlias,
-      CiphertextBlob: Buffer.from(encryptedValue, "base64"),
-      EncryptionAlgorithm: encryptionAlgorithm
-    });
-    const decryptionResult = await kmsClient.send(decryptCommand);
-    if (!decryptionResult.Plaintext) {
-      throw new Error(`Something bad happened: ${JSON.stringify({
-        key,
-        cipherText: encryptedValue,
-        decryptCommand
-      })}`);
-    }
-    if (verbose) {
-      info(`Decrypting key ${emphasis(key)} ${strong("ok")}`);
-    }
-    const decryptedValue = Buffer.from(decryptionResult.Plaintext).toString();
-    const parsedValue = JSON.parse(decryptedValue);
-    const stringOrJson = maybeJson(parsedValue.value);
-    if (isRegularParameter(stringOrJson)) {
-      if (isRegularParameterObject(stringOrJson)) {
-        dotEnvLines.push(`${key}=${JSON.stringify(stringOrJson.value)}`);
-      } else {
-        dotEnvLines.push(`${key}=${String(stringOrJson)}`);
-      }
-    } else if (isSSMParameter(stringOrJson)) {
-      dotEnvLines.push(`${key}=${JSON.stringify(stringOrJson.value)}`);
-    } else if (isSecretsManagerParameter(stringOrJson)) {
-      dotEnvLines.push(`${key}=${JSON.stringify(stringOrJson.value)}`);
-    }
-  }
-  return dotEnvLines.join("\n");
-};
-
-// src/lib/wtf/dotenv.ts
-import { constantCase as constantCase2 } from "constant-case";
-var fromPlainTextLeafsToEnvEntries = (leafs) => {
-  return Object.entries(leafs).map(([key, plainTextValue]) => {
-    const parts = key.split("/");
-    const dotEnvKeyPath = parts.map((k) => constantCase2(k)).join("_");
-    let storageValue;
-    if (isRegularParameter(plainTextValue)) {
-      if (isRegularParameterObject(plainTextValue)) {
-        storageValue = plainTextValue.value;
-      } else {
-        storageValue = plainTextValue;
-      }
-    } else if (isSSMParameter(plainTextValue)) {
-      storageValue = plainTextValue.value;
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      storageValue = plainTextValue.value;
-    } else {
-      throw new Error("Invalid parameter type");
-    }
-    if (!isString(storageValue) && !isNumber(storageValue) && !isBoolean(storageValue)) {
-      storageValue = JSON.stringify(storageValue);
-    }
-    return `${dotEnvKeyPath}=${String(storageValue)}`;
-  });
-};
-var toDotEnv = (options) => {
-  const { info } = getLogger();
-  const { dotSecPlainText, searchPath, verbose } = options;
-  let tree = dotSecPlainText.plaintext;
-  if (searchPath) {
-    if (verbose) {
-      info(`Searching for path: ${strong(searchPath)}`);
-    }
-    const pathParts = searchPath.split("/");
-    for (const pathPart of pathParts) {
-      tree = tree[pathPart];
-      if (tree === void 0) {
-        throw new Error(`Invalid search path: '${searchPath}', part: '${pathPart}' could not be found`);
-      }
-    }
-  }
-  const flattenedTree = flattenTree(tree);
-  return fromPlainTextLeafsToEnvEntries(flattenedTree).join("\n");
-};
-
-// src/ds/commands/run.ts
-var run_default = (program2) => {
-  const subProgram = program2.command("run").description("run a command with the decrypted .sec file as environment variables: dotsec run --sec .sec command npm run start").summary(`Spawns a process with (decrypted) environment variables. 
-Works with .env, .sec, secrets.{json|yml|ts} and secrets.encrypted.{json|yml|ts}.
-
-Examples:
-
-// run npm start with .sec file
-dotsec run --sec .sec command npm start
-dotsec run command npm start
-
-
-// run npm start with .env file
-dotsec run --env .env command npm start
-
-
-// run npm start with secrets.json file 
-dotsec run --secrets secrets.json command npm start
-
-
-// run npm start with secrets.encrypted.json file
-dotsec run --encrypted-secrets secrets.encrypted.json command npm start
-`).option("--env <env>", "Run command with .env file").option("--sec <sec>", "Run command with .sec file").option("--secrets <secrets>", "Run command with secrets.json file").option("--encryptedSecrets,--encrypted-secrets <encryptedSecrets>", "Run command with encrypted.secrets.json file").option("--awsKeyAlias, --aws-key-alias <awsKeyAlias>").option("--awsRegion, --aws-region <awsRegion>").option("--searchPath, --search-path <searchPath>").action((_options, command) => {
-    command.help();
-  });
-  subProgram.command("command <command...>").allowUnknownOption().passThroughOptions().action(async (commands, _options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i;
-    const config = (_a = command.parent) == null ? void 0 : _a.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_b = command.parent) == null ? void 0 : _b.getOptionValue("verbose"));
-    const awsKeyAlias = ((_c = command.parent) == null ? void 0 : _c.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_d = command.parent) == null ? void 0 : _d.getOptionValue("awsRegion")) || config.aws.region;
-    const searchPath = (_e = command.parent) == null ? void 0 : _e.getOptionValue("searchPath");
-    const sec = (_f = command.parent) == null ? void 0 : _f.getOptionValue("sec");
-    const env = (_g = command.parent) == null ? void 0 : _g.getOptionValue("env");
-    console.log("awsKeyAlias", {
-      awsRegion,
-      awsKeyAlias,
-      searchPath,
-      sec,
-      env,
-      commands
-    });
-    const inputFiles = ["env", "sec", "secrets", "encryptedSecrets"].map((fileType) => {
-      var _a2;
-      const filename = (_a2 = command.parent) == null ? void 0 : _a2.getOptionValue(fileType);
-      if (filename) {
-        return [fileType, filename];
-      }
-    }).filter((v) => !!v);
-    let rawDotenv;
-    if (inputFiles.length <= 1) {
-      try {
-        const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-          argv: {},
-          env: __spreadValues({}, process.env)
-        });
-        const fileType = inputFiles.length === 0 ? "sec" : (_h = inputFiles[0]) == null ? void 0 : _h[0];
-        const filename = inputFiles.length === 0 ? ".sec" : (_i = inputFiles[0]) == null ? void 0 : _i[1];
-        console.log("filename", filename);
-        if (filename && fileType) {
-          const raw = fs.readFileSync(filename, "utf8");
-          if (fileType === "sec") {
-            rawDotenv = await decryptRawDotSecValues({
-              dotSecKeysValues: parse(raw),
-              credentials: credentialsAndOrigin.value,
-              region: awsRegion || regionAndOrigin.value,
-              keyAlias: awsKeyAlias,
-              verbose,
-              searchPath
-            });
-          } else if (fileType === "env") {
-            rawDotenv = raw;
-          } else if (fileType === "secrets") {
-            const dotSecPlainText = JSON.parse(raw);
-            rawDotenv = toDotEnv({
-              dotSecPlainText,
-              verbose,
-              searchPath
-            });
-          } else if (fileType === "encryptedSecrets") {
-            rawDotenv = raw;
-            const dotSecEncrypted = JSON.parse(raw);
-            const dotSecPlainText = await decryptedEncrypted({
-              dotSecEncrypted,
-              credentials: credentialsAndOrigin.value,
-              region: awsRegion || regionAndOrigin.value,
-              keyAlias: awsKeyAlias,
-              verbose
-            });
-            rawDotenv = toDotEnv({
-              dotSecPlainText,
-              verbose,
-              searchPath
-            });
-          }
-        }
-        if (rawDotenv) {
-          const [userCommand, ...userCommandArgs] = commands;
-          const parsedDotEnv = parse(rawDotenv);
-          spawn(userCommand, [...userCommandArgs], {
-            stdio: "inherit",
-            shell: false,
-            env: __spreadProps(__spreadValues(__spreadValues({}, process.env), parsedDotEnv), {
-              __DOTSEC_VARS: JSON.stringify(Object.keys(parsedDotEnv))
-            })
-          });
-        }
-      } catch (e) {
-        if (e instanceof Error) {
-          console.error(e.message);
-          if (verbose) {
-            console.error(e.name, e.stack);
-          }
-        }
-      }
-    } else {
-      throw new commander.InvalidOptionArgumentError("Can only pick one of --sec. --env, --secrets or --encryptedSecrets");
-    }
-  });
-  return subProgram;
-};
-
-// src/ds/commands/encrypt.ts
-import fs2 from "node:fs";
-import path2 from "node:path";
-
-// src/utils/io.ts
-import { stat } from "fs/promises";
-import prompts from "prompts";
-import path from "node:path";
-var fileExists = async (source) => {
-  try {
-    await stat(source);
-    return true;
-  } catch {
-    return false;
-  }
-};
-var promptOverwriteIfFileExists = async ({
-  filePath,
-  skip
-}) => {
-  let overwriteResponse;
-  if (await fileExists(filePath) && skip !== true) {
-    overwriteResponse = await prompts({
-      type: "confirm",
-      name: "overwrite",
-      message: () => {
-        return `Overwrite './${path.relative(process.cwd(), filePath)}' ?`;
-      }
-    });
-  } else {
-    overwriteResponse = void 0;
-  }
-  return overwriteResponse;
-};
-
-// src/lib/wtf/dotsec.ts
-import { constantCase as constantCase3 } from "constant-case";
-var fromEncryptedLeafsToEnvEntries = (leafs) => {
-  return Object.entries(leafs).map(([key, plainTextValue]) => {
-    const parts = key.split("/");
-    const dotEnvKeyPath = parts.map((k) => constantCase3(k)).join("_");
-    let storageValue;
-    if (isEncryptedRegularParameter(plainTextValue)) {
-      storageValue = plainTextValue.encryptedValue;
-    } else if (isEncryptedSSMParameter(plainTextValue)) {
-      storageValue = plainTextValue.encryptedValue;
-    } else if (isSecretsManagerParameter(plainTextValue)) {
-      storageValue = plainTextValue.encryptedValue;
-    } else {
-      throw new Error("Invalid parameter type");
-    }
-    return `${dotEnvKeyPath}=${String(storageValue)}`;
-  });
-};
-var toDotSec = (options) => {
-  const { info } = getLogger();
-  const { dotSecEncrypted, searchPath, verbose } = options;
-  let tree = dotSecEncrypted.encrypted;
-  if (searchPath) {
-    if (verbose) {
-      info(`Searching for path: ${strong(searchPath)}`);
-    }
-    const pathParts = searchPath.split("/");
-    for (const pathPart of pathParts) {
-      tree = tree[pathPart];
-    }
-  }
-  const flattenedTree = flattenTree(tree);
-  return fromEncryptedLeafsToEnvEntries(flattenedTree).join("\n");
-};
-
-// src/ds/commands/encrypt.ts
-var writeOut = async (options) => {
-  const { info } = getLogger();
-  const {
-    targetFile: encryptedSecretsPath,
-    converted,
-    skipPromptForOverride
-  } = options;
-  info(`target: ${strong(encryptedSecretsPath)}
-`);
-  info(prettyCode(converted));
-  info("\n");
-  const overwriteResponse = await promptOverwriteIfFileExists({
-    filePath: encryptedSecretsPath,
-    skip: skipPromptForOverride
-  });
-  if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-    fs2.writeFileSync(encryptedSecretsPath, converted);
-    info(`Wrote encrypted secrets to ${strong(`./${path2.relative(process.cwd(), encryptedSecretsPath)}`)}`);
-  }
-};
-var encrypt = async (options) => {
-  console.log("options", options);
-  const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-    argv: {},
-    env: __spreadValues({}, process.env)
-  });
-  const {
-    secrets,
-    awsKeyAlias,
-    awsRegion,
-    verbose,
-    encryptedSecrets,
-    sec,
-    skipPromptForOverride
-  } = options;
-  const dotSecPlainText = JSON.parse(fs2.readFileSync(secrets, "utf8"));
-  const dotSecEncrypted = await encryptPlainText({
-    dotSecPlainText,
-    credentials: credentialsAndOrigin.value,
-    region: awsRegion || regionAndOrigin.value,
-    keyAlias: awsKeyAlias,
-    verbose
-  });
-  if (encryptedSecrets) {
-    const targetFile = path2.resolve(process.cwd(), encryptedSecrets);
-    const converted = JSON.stringify(dotSecEncrypted, null, 2);
-    await writeOut({
-      targetFile,
-      converted,
-      skipPromptForOverride
-    });
-  } else if (sec) {
-    const dotSec = toDotSec({
-      dotSecEncrypted,
-      verbose
-    });
-    const targetFile = path2.resolve(process.cwd(), sec);
-    await writeOut({
-      targetFile,
-      converted: dotSec,
-      skipPromptForOverride
-    });
-  } else {
-    throw new Error("Must provide either encryptedSecrets or sec");
-  }
-};
-var encrypt_default = (program2) => {
-  const encryptProgram = program2.enablePositionalOptions().command("encrypt").option("--secrets [secrets]", "Run command with secrets.json file", "secrets.json").option("--awsKeyAlias, --aws-key-alias [awsKeyAlias]").option("--awsRegion, --aws-region [awsRegion]").usage("encrypt [--secrets secrets.json] [to]").summary("Encrypt secrets.json file").description("Encrypts secrets.json to secrets.encrypted.json.\n1123").action(async (_options, command) => {
-    const verbose = Boolean(command.getOptionValue("verbose"));
-    const secrets = command.getOptionValue("secrets");
-    const config = command.getOptionValue("dotsecConfig");
-    const awsKeyAlias = command.getOptionValue("awsKeyAlias") || config.aws.keyAlias;
-    const awsRegion = command.getOptionValue("awsRegion") || config.aws.region;
-    await encrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      encryptedSecrets: "encrypted.secrets.json",
-      skipPromptForOverride: false
-    });
-  });
-  const toProgram = encryptProgram.command("to").usage("[--encryptedSecrets [encrypted.secrets.json]] [--sec [.sec]]").summary("specifies encryption output format").action(async (_options, command) => {
-    command.help();
-  });
-  toProgram.command("dotsec").option("--sec, [sec]", "Target dotsec file", ".sec").action(async (_options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
-    const config = (_b = (_a = command.parent) == null ? void 0 : _a.parent) == null ? void 0 : _b.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_e = (_d = (_c = command.parent) == null ? void 0 : _c.parent) == null ? void 0 : _d.parent) == null ? void 0 : _e.getOptionValue("verbose"));
-    const secrets = (_g = (_f = command.parent) == null ? void 0 : _f.parent) == null ? void 0 : _g.getOptionValue("secrets");
-    const sec = command.getOptionValue("sec");
-    const awsKeyAlias = ((_j = (_i = (_h = command.parent) == null ? void 0 : _h.parent) == null ? void 0 : _i.parent) == null ? void 0 : _j.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_m = (_l = (_k = command.parent) == null ? void 0 : _k.parent) == null ? void 0 : _l.parent) == null ? void 0 : _m.getOptionValue("awsRegion")) || config.aws.region;
-    await encrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      sec,
-      skipPromptForOverride: false
-    });
-  });
-  toProgram.command("encryptedSecrets").option("--encryptedSecrets,--encrypted-secrets [encryptedSecrets]", "Target encrypted secrets file", "encrypted.secrets.json").action(async (_options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
-    const config = (_b = (_a = command.parent) == null ? void 0 : _a.parent) == null ? void 0 : _b.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_e = (_d = (_c = command.parent) == null ? void 0 : _c.parent) == null ? void 0 : _d.parent) == null ? void 0 : _e.getOptionValue("verbose"));
-    const secrets = (_g = (_f = command.parent) == null ? void 0 : _f.parent) == null ? void 0 : _g.getOptionValue("secrets");
-    const encryptedSecrets = command.getOptionValue("encryptedSecrets");
-    const awsKeyAlias = ((_j = (_i = (_h = command.parent) == null ? void 0 : _h.parent) == null ? void 0 : _i.parent) == null ? void 0 : _j.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_m = (_l = (_k = command.parent) == null ? void 0 : _k.parent) == null ? void 0 : _l.parent) == null ? void 0 : _m.getOptionValue("awsRegion")) || config.aws.region;
-    await encrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      encryptedSecrets,
-      skipPromptForOverride: false
-    });
-  });
-  return encryptProgram;
-};
-
-// src/ds/commands/decrypt.ts
-import fs3 from "node:fs";
-import path3 from "node:path";
-var writeOut2 = async (options) => {
-  const { info } = getLogger();
-  const {
-    targetFile: encryptedSecretsPath,
-    converted,
-    skipPromptForOverride
-  } = options;
-  info(`target: ${strong(encryptedSecretsPath)}
-`);
-  info(prettyCode(converted));
-  info("\n");
-  const overwriteResponse = await promptOverwriteIfFileExists({
-    filePath: encryptedSecretsPath,
-    skip: skipPromptForOverride
-  });
-  if (overwriteResponse === void 0 || overwriteResponse.overwrite === true) {
-    fs3.writeFileSync(encryptedSecretsPath, converted);
-    info(`Wrote encrypted secrets to ${strong(`./${path3.relative(process.cwd(), encryptedSecretsPath)}`)}`);
-  }
-};
-var decrypt = async (options) => {
-  console.log("options", options);
-  const { credentialsAndOrigin, regionAndOrigin } = await handleCredentialsAndRegion({
-    argv: {},
-    env: __spreadValues({}, process.env)
-  });
-  const {
-    secrets,
-    awsKeyAlias,
-    awsRegion,
-    verbose,
-    encryptedSecrets,
-    sec,
-    skipPromptForOverride
-  } = options;
-  const dotSecPlainText = JSON.parse(fs3.readFileSync(secrets, "utf8"));
-  const dotSecEncrypted = await encryptPlainText({
-    dotSecPlainText,
-    credentials: credentialsAndOrigin.value,
-    region: awsRegion || regionAndOrigin.value,
-    keyAlias: awsKeyAlias,
-    verbose
-  });
-  if (encryptedSecrets) {
-    const targetFile = path3.resolve(process.cwd(), encryptedSecrets);
-    const converted = JSON.stringify(dotSecEncrypted, null, 2);
-    await writeOut2({
-      targetFile,
-      converted,
-      skipPromptForOverride
-    });
-  } else if (sec) {
-    const dotSec = toDotSec({
-      dotSecEncrypted,
-      verbose
-    });
-    const targetFile = path3.resolve(process.cwd(), sec);
-    await writeOut2({
-      targetFile,
-      converted: dotSec,
-      skipPromptForOverride
-    });
-  } else {
-    throw new Error("Must provide either encryptedSecrets or sec");
-  }
-};
-var decrypt_default = (program2) => {
-  const encryptProgram = program2.enablePositionalOptions().command("decrypt").option("--secrets [secrets]", "Run command with secrets.json file", "secrets.json").option("--awsKeyAlias, --aws-key-alias [awsKeyAlias]").option("--awsRegion, --aws-region [awsRegion]").usage("encrypt [--secrets secrets.json] [to]").summary("Encrypt secrets.json file").description("Encrypts secrets.json to secrets.encrypted.json.\n1123").action(async (_options, command) => {
-    const verbose = Boolean(command.getOptionValue("verbose"));
-    const secrets = command.getOptionValue("secrets");
-    const config = command.getOptionValue("dotsecConfig");
-    const awsKeyAlias = command.getOptionValue("awsKeyAlias") || config.aws.keyAlias;
-    const awsRegion = command.getOptionValue("awsRegion") || config.aws.region;
-    await decrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      encryptedSecrets: "encrypted.secrets.json",
-      skipPromptForOverride: false
-    });
-  });
-  const toProgram = encryptProgram.command("to").usage("[--encryptedSecrets [encrypted.secrets.json]] [--sec [.sec]]").summary("specifies encryption output format").action(async (_options, command) => {
-    command.help();
-  });
-  toProgram.command("dotsec").option("--sec, [sec]", "Target dotsec file", ".sec").action(async (_options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
-    const config = (_b = (_a = command.parent) == null ? void 0 : _a.parent) == null ? void 0 : _b.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_e = (_d = (_c = command.parent) == null ? void 0 : _c.parent) == null ? void 0 : _d.parent) == null ? void 0 : _e.getOptionValue("verbose"));
-    const secrets = (_g = (_f = command.parent) == null ? void 0 : _f.parent) == null ? void 0 : _g.getOptionValue("secrets");
-    const sec = command.getOptionValue("sec");
-    const awsKeyAlias = ((_j = (_i = (_h = command.parent) == null ? void 0 : _h.parent) == null ? void 0 : _i.parent) == null ? void 0 : _j.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_m = (_l = (_k = command.parent) == null ? void 0 : _k.parent) == null ? void 0 : _l.parent) == null ? void 0 : _m.getOptionValue("awsRegion")) || config.aws.region;
-    await decrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      sec,
-      skipPromptForOverride: false
-    });
-  });
-  toProgram.command("encryptedSecrets").option("--encryptedSecrets,--encrypted-secrets [encryptedSecrets]", "Target encrypted secrets file", "encrypted.secrets.json").action(async (_options, command) => {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i, _j, _k, _l, _m;
-    const config = (_b = (_a = command.parent) == null ? void 0 : _a.parent) == null ? void 0 : _b.getOptionValue("dotsecConfig");
-    const verbose = Boolean((_e = (_d = (_c = command.parent) == null ? void 0 : _c.parent) == null ? void 0 : _d.parent) == null ? void 0 : _e.getOptionValue("verbose"));
-    const secrets = (_g = (_f = command.parent) == null ? void 0 : _f.parent) == null ? void 0 : _g.getOptionValue("secrets");
-    const encryptedSecrets = command.getOptionValue("encryptedSecrets");
-    const awsKeyAlias = ((_j = (_i = (_h = command.parent) == null ? void 0 : _h.parent) == null ? void 0 : _i.parent) == null ? void 0 : _j.getOptionValue("awsKeyAlias")) || config.aws.keyAlias;
-    const awsRegion = ((_m = (_l = (_k = command.parent) == null ? void 0 : _k.parent) == null ? void 0 : _l.parent) == null ? void 0 : _m.getOptionValue("awsRegion")) || config.aws.region;
-    await decrypt({
-      config,
-      verbose,
-      secrets,
-      awsKeyAlias,
-      awsRegion,
-      encryptedSecrets,
-      skipPromptForOverride: false
-    });
-  });
-  return encryptProgram;
-};
-
-// src/lib/config/index.ts
-import path5 from "node:path";
-import { bundleRequire } from "bundle-require";
-import JoyCon from "joycon";
-
-// src/lib/json.ts
-import fs4 from "fs";
-import path4 from "node:path";
-function jsoncParse(data) {
-  try {
-    return new Function("return " + data.trim())();
-  } catch {
-    return {};
-  }
-}
-var loadJson = async (filepath) => {
-  try {
-    return jsoncParse(await fs4.promises.readFile(filepath, "utf8"));
-  } catch (error) {
-    if (error instanceof Error) {
-      throw new Error(`Failed to parse ${path4.relative(process.cwd(), filepath)}: ${error.message}`);
-    } else {
-      throw error;
-    }
-  }
-};
-
-// src/lib/config/constants.ts
-var defaultConfig = {
-  aws: {
-    keyAlias: "alias/top-secret"
-  }
-};
-
-// src/lib/config/index.ts
-var getConfig = async (filename) => {
-  const cwd = process.cwd();
-  const configJoycon = new JoyCon();
-  const configPath = await configJoycon.resolve({
-    files: filename ? [filename] : [
-      "dotsec.config.ts",
-      "dotsec.config.js",
-      "dotsec.config.cjs",
-      "dotsec.config.mjs",
-      "dotsec.config.json",
-      "package.json"
-    ],
-    cwd,
-    stopDir: path5.parse(cwd).root,
-    packageKey: "dotsec"
-  });
-  if (filename && configPath === null) {
-    throw new Error(`Could not find config file ${filename}`);
-  }
-  if (configPath) {
-    if (configPath.endsWith(".json")) {
-      const rawData = await loadJson(configPath);
-      let data;
-      if (configPath.endsWith("package.json") && rawData.dotsec !== void 0) {
-        data = rawData.dotsec;
-      } else {
-        data = rawData;
-      }
-      return __spreadProps(__spreadValues(__spreadValues({}, defaultConfig), data), {
-        aws: __spreadValues(__spreadValues({}, defaultConfig.aws), data.aws)
-      });
-    }
-    const config = await bundleRequire({
-      filepath: configPath
-    });
-    const retrievedConfig = config.mod.dotsec || config.mod.default || config.mod;
-    return __spreadValues(__spreadValues({}, defaultConfig), retrievedConfig);
-  }
-  return __spreadValues({}, defaultConfig);
-};
-
-// src/ds/cli.ts
-var program = new Command2();
-program.name("dotsec").description(".env, but secure").version("1.0.0").enablePositionalOptions().option("--verbose").option("--config, <dotsec config file>").action((_options, other) => {
-  other.help();
-}).hook("preSubcommand", async (thisCommand, actionCommand) => {
-  const configfile = thisCommand.getOptionValue("config");
-  const dotsecConfig = await getConfig(configfile);
-  actionCommand.setOptionValue("dotsecConfig", dotsecConfig);
-  actionCommand.setOptionValue("verbose", Boolean(thisCommand.getOptionValue("verbose")));
-});
-run_default(program);
-encrypt_default(program);
-decrypt_default(program);
-program.parse();
-//# sourceMappingURL=cli.js.map