dotsec 4.0.0-alpha.2 → 4.0.0-alpha.23

package/dist/cli/index.mjs

@@ -1,4 +1,442 @@
-import{Command as Ke}from"commander";var de="dotsec.config.ts",G=[de],R=".sec",M=".env",T={defaults:{}};import fe from"fs";import me from"node:path";function ge(t){try{return new Function(`return ${t.trim()}`)()}catch{return{}}}var W=async t=>{try{return ge(await fe.promises.readFile(t,"utf8"))}catch(i){throw i instanceof Error?new Error(`Failed to parse ${me.relative(process.cwd(),t)}: ${i.message}`):i}};import{bundleRequire as ue}from"bundle-require";import ye from"joycon";import Oe from"path";var U=async t=>{let i=process.cwd(),n=await new ye().resolve({files:t?[t]:[...G,"package.json"],cwd:i,stopDir:Oe.parse(i).root,packageKey:"dotsec"});if(t&&n===null)throw new Error(`Could not find config file ${t}`);if(n){if(n.endsWith(".json")){let e=await W(n),o;return n.endsWith("package.json")&&e.dotsec!==void 0?o=e.dotsec:o=e,{source:"json",contents:{...T,...o,defaults:{...o?.defaults,...T.defaults,plugins:{...o?.defaults?.plugins,...T.defaults?.plugins}},push:{...o?.push}}}}else if(n.endsWith(".ts")){let e=await ue({filepath:n}),o=e.mod.dotsec||e.mod.default||e.mod;return{source:"ts",contents:{...T,...o,defaults:{...o?.defaults,...T.defaults,plugins:{...o?.defaults?.plugins,...T.defaults?.plugins}},push:{...o?.push}}}}}return{source:"defaultConfig",contents:T}};var q=async t=>import(t.name).then(i=>i.default);import{Option as Ce}from"commander";var F=(t,i,p)=>{t&&Object.values(t).map(n=>{let e;if(Array.isArray(n)){let[o,a,l]=n;e={flags:o,description:a,defaultValue:l}}else{let{flags:o,description:a,defaultValue:l,choices:s,env:r,fn:f}=n;e={flags:o,description:a,defaultValue:l,choices:s,env:r,fn:f}}if(e){let o=new Ce(e.flags,e.description);e.fn&&o.argParser(e.fn),e.defaultValue&&o.default(e.defaultValue),e.env&&o.env(e.env),p&&o.makeOptionMandatory(!0),e.choices&&o.choices(e.choices),i.addOption(o)}})};import K,{stat as he}from"node:fs/promises";import ve from"node:path";import Ee from"prompts";var j=async t=>await K.readFile(t,"utf-8"),_=async(t,i)=>await K.writeFile(t,i,"utf-8"),we=async t=>{try{return await he(t),!0}catch{return!1}},V=async({filePath:t,skip:i})=>{let p;return await we(t)&&i!==!0?p=await Ee({type:"confirm",name:"overwrite",message:()=>`Overwrite './${ve.relative(process.cwd(),t)}' ?`}):p=void 0,p};import De from"chalk";import On from"cli-table";var C=t=>De.yellow.bold(t);import{Option as Te}from"commander";var b={option:["--env-file <envFile>",`Path to .env file. If not provided, will look for value in 'ENV_FILE' environment variable. If not provided, will look for '${M}' file in current directory.`,M],env:"ENV_FILE"},I={option:["--sec-file, <secFile>",`Path to .sec file. If not provided, will look for value in 'SEC_FILE' environment variable. If not provided, will look for '${R}' file in current directory.`,R],env:"SEC_FILE"},k={flags:"--using <using>",description:"Wether to use a dot env file or a dot sec file",choices:["env","sec"],env:"DOTSEC_USING"},J={flags:"--using <using>",description:"Wether to use a dot env file or a dot sec file",choices:["env"],env:"DOTSEC_USING"},P={option:["--yes","Skip confirmation prompts"]};var D={option:["-c, --config-file, --configFile <configFile>","Config file"],env:"DOTSEC_CONFIG_FILE"},B={option:["--plugin <plugin>","Comma-separated list of plugins to use"],env:"DOTSEC_PLUGIN"},Y={option:["--engine <engine>","Encryption engine to use"],env:"DOTSEC_ENGINE"},H={option:["--create-manifest","Create a markdown manifest file. See the --manifest-file option for more information."],env:"CREATE_MANIFEST"},L={option:["--manifest-file <manifestFile>","Specify the name of the manifest file to create."],env:"ENCRYPTION_MANIFEST_FILE"};var Fe={decrypt:{options:{configFile:D,envFile:b,secFile:I,createManifest:H,manifestFile:L,yes:P},description:"Decrypt a sec file",helpText:`Examples:
+import { Command, Option } from 'commander';
+import fs from 'fs';
+import path from 'node:path';
+import { bundleRequire } from 'bundle-require';
+import JoyCon from 'joycon';
+import path2 from 'path';
+import fs2, { stat } from 'node:fs/promises';
+import prompts from 'prompts';
+import chalk2 from 'chalk';
+import 'cli-table';
+import { expand } from 'dotenv-expand';
+import fs3 from 'node:fs';
+import { camelCase } from 'camel-case';
+import { spawn } from 'node:child_process';
+import Ajv from 'ajv';
+import yargsParser from 'yargs-parser';
+
+// src/cli/index.ts
+
+// src/constants.ts
+var DOTSEC_DEFAULT_CONFIG_FILE = "dotsec.config.ts";
+var DOTSEC_CONFIG_FILES = [DOTSEC_DEFAULT_CONFIG_FILE];
+var DOTSEC_DEFAULT_DOTSEC_FILENAME = ".sec";
+var DOTSEC_DEFAULT_DOTENV_FILENAME = ".env";
+var defaultConfig = {
+  defaults: {
+    // encryptionEngine: "pke",
+    // plugins: {
+    // 	pke: {},
+    // },
+  }
+};
+function jsoncParse(data) {
+  try {
+    return new Function(`return ${data.trim()}`)();
+  } catch {
+    return {};
+  }
+}
+var loadJson = async (filepath) => {
+  try {
+    return jsoncParse(await fs.promises.readFile(filepath, "utf8"));
+  } catch (error) {
+    if (error instanceof Error) {
+      throw new Error(
+        `Failed to parse ${path.relative(process.cwd(), filepath)}: ${error.message}`
+      );
+    } else {
+      throw error;
+    }
+  }
+};
+var getMagicalConfig = async (filename) => {
+  const cwd = process.cwd();
+  const configJoycon = new JoyCon();
+  const configPath = await configJoycon.resolve({
+    files: filename ? [filename] : [...DOTSEC_CONFIG_FILES, "package.json"],
+    cwd,
+    stopDir: path2.parse(cwd).root,
+    packageKey: "dotsec"
+  });
+  if (filename && configPath === null) {
+    throw new Error(`Could not find config file ${filename}`);
+  }
+  if (configPath) {
+    if (configPath.endsWith(".json")) {
+      const rawData = await loadJson(configPath);
+      let data;
+      if (configPath.endsWith("package.json") && rawData.dotsec !== void 0) {
+        data = rawData.dotsec;
+      } else {
+        data = rawData;
+      }
+      return {
+        source: "json",
+        contents: {
+          ...defaultConfig,
+          ...data,
+          defaults: {
+            ...data?.defaults,
+            ...defaultConfig.defaults,
+            output: {
+              ...data?.defaults?.output,
+              ...defaultConfig.defaults?.output
+            },
+            plugins: {
+              ...data?.defaults?.plugins,
+              ...defaultConfig.defaults?.plugins
+            }
+          },
+          push: {
+            ...data?.push
+          }
+        }
+      };
+    } else if (configPath.endsWith(".ts")) {
+      const bundleRequireResult = await bundleRequire({
+        filepath: configPath
+      });
+      const data = bundleRequireResult.mod.dotsec || bundleRequireResult.mod.default || bundleRequireResult.mod;
+      return {
+        source: "ts",
+        contents: {
+          ...defaultConfig,
+          ...data,
+          defaults: {
+            ...data?.defaults,
+            ...defaultConfig.defaults,
+            output: {
+              ...data?.defaults?.output,
+              ...defaultConfig.defaults?.output
+            },
+            plugins: {
+              ...data?.defaults?.plugins,
+              ...defaultConfig.defaults?.plugins
+            }
+          },
+          push: {
+            ...data?.push
+          }
+        }
+      };
+    }
+  }
+  return { source: "defaultConfig", contents: defaultConfig };
+};
+
+// src/lib/loadDotsecPlugin.ts
+var loadDotsecPlugin = async (options) => {
+  return import(options.name).then((imported) => {
+    return imported.default;
+  });
+};
+var addPluginOptions = (options, command, mandatory) => {
+  if (options) {
+    Object.values(options).map((option) => {
+      let optionProps;
+      if (Array.isArray(option)) {
+        const [flags, description, defaultValue] = option;
+        optionProps = {
+          flags,
+          description,
+          defaultValue
+        };
+      } else {
+        const { flags, description, defaultValue, choices, env, fn } = option;
+        optionProps = {
+          flags,
+          description,
+          defaultValue,
+          choices,
+          env,
+          fn
+        };
+      }
+      if (optionProps) {
+        const newOption = new Option(
+          optionProps.flags,
+          optionProps.description
+        );
+        if (optionProps.fn) {
+          newOption.argParser(optionProps.fn);
+        }
+        if (optionProps.defaultValue) {
+          newOption.default(optionProps.defaultValue);
+        }
+        if (optionProps.env) {
+          newOption.env(optionProps.env);
+        }
+        if (mandatory) {
+          newOption.makeOptionMandatory(true);
+        }
+        if (optionProps.choices) {
+          newOption.choices(optionProps.choices);
+        }
+        command.addOption(newOption);
+      }
+    });
+  }
+};
+var readContentsFromFile = async (filePath) => {
+  return await fs2.readFile(filePath, "utf-8");
+};
+var writeContentsToFile = async (filePath, contents) => {
+  return await fs2.writeFile(filePath, contents, "utf-8");
+};
+var fileExists = async (source) => {
+  try {
+    await stat(source);
+    return true;
+  } catch {
+    return false;
+  }
+};
+var promptOverwriteIfFileExists = async ({
+  filePath,
+  skip
+}) => {
+  let overwriteResponse;
+  if (await fileExists(filePath) && skip !== true) {
+    overwriteResponse = await prompts({
+      type: "confirm",
+      name: "overwrite",
+      message: () => {
+        return `Overwrite './${path.relative(process.cwd(), filePath)}' ?`;
+      }
+    });
+  } else {
+    overwriteResponse = void 0;
+  }
+  return overwriteResponse;
+};
+
+// src/lib/parse.ts
+var LINE = /^(#.*)|(\s?\r?\n)|(?:^|^)\s*(?:export\s+)?([\w.-]*)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?(\s*)(#.*)?(?:$|$)/gm;
+var parse = (src) => {
+  const obj = {};
+  const blocks = [];
+  let lines = src.toString();
+  lines = lines.replace(/\r\n?/gm, "\n");
+  let match;
+  while ((match = LINE.exec(lines)) != null) {
+    const key = match[3];
+    if (match?.[1]?.[0] === "#") {
+      blocks.push({ type: "comment", raw: match[1] });
+    } else if (match?.[2]) {
+      blocks.push({ type: "whitespace", raw: match[2] });
+    } else {
+      let value = match[4] || "";
+      value = value.trim();
+      const maybeQuote = value[0];
+      value = value.replace(/^(['"`])([\s\S]*)\1$/gm, "$2");
+      if (maybeQuote === '"') {
+        value = value.replace(/\\n/g, "\n");
+        value = value.replace(/\\r/g, "\r");
+      }
+      obj[key] = value;
+      blocks.push({
+        type: "value",
+        key,
+        value,
+        raw: value + (match[5] ? match[5] : "") + (match[6] ? match[6] : "")
+      });
+    }
+  }
+  return { blocks, obj };
+};
+if (import.meta.vitest) {
+  const { it, expect } = import.meta.vitest;
+  it("parse", () => {
+    const input1 = "KEY=value";
+    const input2 = 'KEY="value"';
+    const input3 = "KEY='value'";
+    const input4 = "KEY=value #   this is a comment";
+    expect(parse(input1)).toMatchInlineSnapshot(`
+			{
+			  "blocks": [
+			    {
+			      "key": "KEY",
+			      "raw": "value",
+			      "type": "value",
+			      "value": "value",
+			    },
+			  ],
+			  "obj": {
+			    "KEY": "value",
+			  },
+			}
+		`);
+    expect(parse(input2)).toMatchInlineSnapshot(`
+			{
+			  "blocks": [
+			    {
+			      "key": "KEY",
+			      "raw": "value",
+			      "type": "value",
+			      "value": "value",
+			    },
+			  ],
+			  "obj": {
+			    "KEY": "value",
+			  },
+			}
+		`);
+    expect(parse(input3)).toMatchInlineSnapshot(`
+			{
+			  "blocks": [
+			    {
+			      "key": "KEY",
+			      "raw": "value",
+			      "type": "value",
+			      "value": "value",
+			    },
+			  ],
+			  "obj": {
+			    "KEY": "value",
+			  },
+			}
+		`);
+    expect(parse(input4)).toMatchInlineSnapshot(`
+      {
+        "blocks": [
+          {
+            "key": "KEY",
+            "raw": "value#   this is a comment",
+            "type": "value",
+            "value": "value",
+          },
+        ],
+        "obj": {
+          "KEY": "value",
+        },
+      }
+    `);
+  });
+}
+var strong = (str) => chalk2.yellow.bold(str);
+
+// src/types/colors.ts
+var backgroundColors = [
+  "black",
+  "red",
+  "green",
+  "yellow",
+  "blue",
+  "magenta",
+  "cyan",
+  "white",
+  "black-bright",
+  "gray",
+  "grey",
+  "red-bright",
+  "green-bright",
+  "yellow-bright",
+  "blue-bright",
+  "magenta-bright",
+  "cyan-bright",
+  "white-bright"
+];
+
+// src/cli/options/sharedOptions.ts
+var envFileOption = {
+  option: [
+    "--env-file <envFile>",
+    `Path to .env file. If not provided, will look for value in 'ENV_FILE' environment variable. If not provided, will look for '${DOTSEC_DEFAULT_DOTENV_FILENAME}' file in current directory.`,
+    DOTSEC_DEFAULT_DOTENV_FILENAME
+  ],
+  env: "ENV_FILE"
+};
+var secFileOption = {
+  option: [
+    "--sec-file, <secFile>",
+    `Path to .sec file. If not provided, will look for value in 'SEC_FILE' environment variable. If not provided, will look for '${DOTSEC_DEFAULT_DOTSEC_FILENAME}' file in current directory.`,
+    DOTSEC_DEFAULT_DOTSEC_FILENAME
+  ],
+  env: "SEC_FILE"
+};
+var usingOption = {
+  flags: "--using <using>",
+  description: "Wether to use a dot env file or a dot sec file",
+  choices: ["env", "sec"],
+  env: "DOTSEC_USING"
+};
+var usingNoEncryptionEngineOption = {
+  flags: "--using <using>",
+  description: "Wether to use a dot env file or a dot sec file",
+  choices: ["env"],
+  env: "DOTSEC_USING"
+};
+var showRedactedOption = {
+  flags: "--show-redacted",
+  description: 'Wether to show redacted values."',
+  env: "DOTSEC_SHOW_REDACTED"
+};
+var showOutputPrefixOption = {
+  flags: "--show-output-prefix",
+  description: "Show output prefix",
+  env: "DOTSEC_SHOW_OUTPUT_PREFIX"
+};
+var outputPrefixOption = {
+  flags: "--output-prefix <outputPrefix>",
+  description: "Output prefix",
+  env: "DOTSEC_OUTPUT_PREFIX"
+};
+var showOutputBackgroundColorOption = {
+  flags: "--show-output-background-color",
+  description: "Show output background color",
+  env: "DOTSEC_SHOW_OUTPUT_BACKGROUND_COLOR"
+};
+var outputBackgroundColorOption = {
+  flags: "--output-background-color <outputBackgroundColor>",
+  description: "Background color of the output.",
+  env: "DOTSEC_OUTPUT_BACKGROUND_COLOR",
+  choices: backgroundColors,
+  defaultValue: "red-bright"
+};
+var yesOption = {
+  option: ["--yes", "Skip confirmation prompts"]
+};
+var configFileOption = {
+  option: ["-c, --config-file, --configFile <configFile>", "Config file"],
+  env: "DOTSEC_CONFIG_FILE"
+};
+var pluginOption = {
+  option: ["--plugin <plugin>", "Comma-separated list of plugins to use"],
+  env: "DOTSEC_PLUGIN"
+};
+var engineOption = {
+  option: ["--engine <engine>", "Encryption engine to use"],
+  env: "DOTSEC_ENGINE"
+};
+var createManifestOption = {
+  option: [
+    "--create-manifest",
+    "Create a markdown manifest file. See the --manifest-file option for more information."
+  ],
+  env: "CREATE_MANIFEST"
+};
+var manifestFilePrefixOption = {
+  option: [
+    "--manifest-file-prefix <manifestFilePrefix>",
+    "Mmanifest file prefix"
+  ],
+  env: "ENCRYPTION_MANIFEST_FILE"
+};
+
+// src/cli/options/decrypt.ts
+var decryptCommandDefaults = {
+  decrypt: {
+    options: {
+      configFile: configFileOption,
+      envFile: envFileOption,
+      secFile: secFileOption,
+      createManifest: createManifestOption,
+      manifestFilePrefix: manifestFilePrefixOption,
+      yes: yesOption
+    },
+    description: "Decrypt a sec file",
+    helpText: `Examples:
 
 
 Decrypt .sec file to .env file
@@ -16,7 +454,7 @@ Specify a different .env file
 $ npx dotsec decrypt --env-file .env.dev
 $ ENV_FILE=.env.dev npx dotsec decrypt
 
-Write a manifest file
+Write a manifest markdown file
 
 $ npx dotsec decrypt --create-manifest
 $ CREATE_MANIFEST=true npx dotsec decrypt
@@ -24,8 +462,36 @@ $ CREATE_MANIFEST=true npx dotsec decrypt
 Specify a different manifest file
 
 $ npx dotsec decrypt --manifest-file .manifest.dev
-$ MANIFEST_FILE=.manifest.dev npx dotsec decrypt
-`}},z=Fe;var xe={dotsec:{options:{configFile:D,plugin:B}}},Q=xe;var Pe={encrypt:{options:{configFile:D,envFile:b,secFile:I,createManifest:H,manifestFile:L,yes:P},description:"Encrypt an env file",helpText:`Examples:
+$ MANIFEST_FILE=decryption-manifest.md npx dotsec decrypt
+`
+  }
+};
+var decrypt_default = decryptCommandDefaults;
+
+// src/cli/options/dotsec.ts
+var dotsecCommandDefaults = {
+  dotsec: {
+    options: {
+      configFile: configFileOption,
+      plugin: pluginOption
+    }
+  }
+};
+var dotsec_default = dotsecCommandDefaults;
+
+// src/cli/options/encrypt.ts
+var encryptCommandDefaults = {
+  encrypt: {
+    options: {
+      configFile: configFileOption,
+      envFile: envFileOption,
+      secFile: secFileOption,
+      createManifest: createManifestOption,
+      manifestFile: manifestFilePrefixOption,
+      yes: yesOption
+    },
+    description: "Encrypt an env file",
+    helpText: `Examples:
 
 
 Encrypt .env file to .sec file
@@ -38,13 +504,14 @@ Specify a different .env file
 $ npx dotsec encrypt --env-file .env.dev
 $ ENV_FILE=.env.dev npx dotsec encrypt
 
+
 Specify a different .sec file
 
 $ npx dotsec encrypt --sec-file .sec.dev
 $ SEC_FILE=.sec.dev npx dotsec encrypt
 
 
-Write a manifest file
+Write a manifest markdown file
 
 $ npx dotsec encrypt --create-manifest
 $ CREATE_MANIFEST=true npx dotsec encrypt
@@ -52,9 +519,22 @@ $ CREATE_MANIFEST=true npx dotsec encrypt
 
 Specify a different manifest file
 
-$ npx dotsec encrypt --manifest-file .manifest.dev
-$ MANIFEST_FILE=.manifest.dev npx dotsec encrypt
-`}},X=Pe;var $e={init:{options:{configFile:D,yes:P},description:"Initialize a dotsec project by creating a dotsec.config.ts file.",helpText:`Examples:
+$ npx dotsec encrypt --manifest-file manifest.dev
+$ MANIFEST_FILE=encryption-manifest.md npx dotsec encrypt
+`
+  }
+};
+var encrypt_default = encryptCommandDefaults;
+
+// src/cli/options/init.ts
+var initCommandDefaults = {
+  init: {
+    options: {
+      configFile: configFileOption,
+      yes: yesOption
+    },
+    description: "Initialize a dotsec project by creating a dotsec.config.ts file.",
+    helpText: `Examples:
 
 Create a dotsec.config.ts file in the current directory
 
@@ -73,7 +553,25 @@ By specifying the --config-file option, you can create a dotsec config file with
 $ npx dotsec init --config-file dotsec.config.ts
 
 $ DOTSEC_CONFIG_FILE=my.config.ts npx dotsec init
-`}},Z=$e;var be={push:{options:{configFile:D,envFile:b,secFile:I,yes:P},requiredOptions:{using:k},description:"Push variables from env or sec file to a remote",helpText:`Examples:
+`
+  }
+};
+var init_default = initCommandDefaults;
+
+// src/cli/options/push.ts
+var pushCommandDefaults = {
+  push: {
+    options: {
+      configFile: configFileOption,
+      envFile: envFileOption,
+      secFile: secFileOption,
+      yes: yesOption
+    },
+    requiredOptions: {
+      using: usingOption
+    },
+    description: "Push variables from env or sec file to a remote",
+    helpText: `Examples:
 
 Push variables from .env file to remote
 
@@ -85,7 +583,31 @@ Push variables from .sec file to remote
 
 $ npx dotsec push --using sec
 $ DOTSEC_USING=sec npx dotsec push
-`}},ee=be;var Se={runEnvOnly:{usage:"--using env [commandArgs...]",options:{configFile:D,envFile:b,yes:P,engine:Y},requiredOptions:{using:J},description:"Run a command in a separate process and populate env with contents of a dotenv file.",helpText:`Examples:
+`
+  }
+};
+var push_default = pushCommandDefaults;
+
+// src/cli/options/run.ts
+var runCommandDefaults = {
+  runEnvOnly: {
+    usage: "--using env [commandArgs...]",
+    options: {
+      configFile: configFileOption,
+      envFile: envFileOption,
+      yes: yesOption,
+      engine: engineOption,
+      showRedacted: showRedactedOption,
+      outputBackgroundColor: outputBackgroundColorOption,
+      showOutputBackgroundColor: showOutputBackgroundColorOption,
+      showOutputPrefix: showOutputPrefixOption,
+      outputPrefix: outputPrefixOption
+    },
+    requiredOptions: {
+      using: usingNoEncryptionEngineOption
+    },
+    description: "Run a command in a separate process and populate env with contents of a dotenv file.",
+    helpText: `Examples:
 		
 Run a command with a .env file
 		
@@ -105,63 +627,872 @@ $ ENV_FILE=.env.dev npx dotsec run --using env node -e "console.log(process.env)
 You can also specify 'using' as an environment variable
 
 $ DOTSEC_USING=env npx dotsec run node -e "console.log(process.env)"
-		`},run:{options:{configFile:D,envFile:b,secFile:I,yes:P},requiredOptions:{using:k},usage:"[--using env] [--using sec] [commandArgs...]",description:`Run a command in a separate process and populate env with either 
+		`
+  },
+  run: {
+    options: {
+      configFile: configFileOption,
+      envFile: envFileOption,
+      secFile: secFileOption,
+      yes: yesOption,
+      showRedacted: showRedactedOption,
+      outputBackgroundColor: outputBackgroundColorOption,
+      hideOutputBackgroundColor: showOutputBackgroundColorOption,
+      hideOutputPrefix: showOutputPrefixOption,
+      outputPrefix: outputPrefixOption
+    },
+    requiredOptions: {
+      using: usingOption
+    },
+    usage: "[--using env] [--using sec] [commandArgs...]",
+    description: `Run a command in a separate process and populate env with either 
 			- contents of a dotenv file
 			- decrypted values of a dotsec file.
 
-The --withEnv option will take precedence over the --withSec option. If neither are specified, the --withEnv option will be used by default.`,helpText:`Examples:
+The --withEnv option will take precedence over the --withSec option. If neither are specified, the --withEnv option will be used by default.`,
+    helpText: `${"Examples:"}
 
-Run a command with a .env file
+${"Run a command with a .env file"}
 
 $ dotsec run echo "hello world"
 
 
-Run a command with a specific .env file
+${"Run a command with a specific .env file"}
 
 $ dotsec run --with-env --env-file .env.dev echo "hello world"
 
 
-Run a command with a .sec file
+${"Run a command with a .sec file"}
 
 $ dotsec run --with-sec echo "hello world"
 
 
-Run a command with a specific .sec file
+${"Run a command with a specific .sec file"}
 
 $ dotsec run --with-sec --sec-file .sec.dev echo "hello world"
-`}},ne=Se;var _e={...Q,...Z,...X,...z,...ne,...ee},Ie=t=>{if(Array.isArray(t)){let[i,p,n]=t;return{flags:i,description:p,defaultValue:n}}else{if("option"in t){let[i,p,n]=t.option;return{flags:i,description:p,defaultValue:n,env:t.env}}return t}},te=(t,i)=>{let p=i?.dotsecConfig?.defaults?.options?.[i?.optionKey],n=Ie(t),e=new Te(n.flags,n.description);return n.fn&&e.argParser(n.fn),n.defaultValue&&e.default(p||n.defaultValue),n.env&&e.env(n.env),i.required&&e.makeOptionMandatory(!0),n.choices&&e.choices(n.choices),e},x=t=>{let{program:i,commandName:p,dotsecConfig:n}=t,e=_e[p||i.name()];if(e){let{options:o,requiredOptions:a,description:l,usage:s,helpText:r}=e;o&&Object.keys(o).forEach(f=>{let m=o[f],d=te(m,{dotsecConfig:n,optionKey:f});i.addOption(d)}),a&&Object.keys(a).forEach(f=>{let m=a[f],d=te(m,{required:!0,dotsecConfig:n,optionKey:f});i.addOption(d)}),l&&i.description(l),s&&i.usage(s),r&&i.description(r)}};import{parse as Ne}from"dotenv";var je=async(t,i)=>{let{dotsecConfig:p,decryptHandlers:n}=i,e=t.enablePositionalOptions().passThroughOptions().command("decrypt").action(async(a,l)=>{try{let{envFile:s,secFile:r,engine:f,createManifest:m,manifestFile:d,yes:c}=l.optsWithGlobals(),O=f||p?.defaults?.encryptionEngine,u=(n||[]).find(h=>h.triggerOptionValue===O);if(!u)throw new Error(`No decryption plugin found, available decryption engine(s): ${i.decryptHandlers.map(h=>`--${h.triggerOptionValue}`).join(", ")}`);console.log("Decrypting with",C(u.encryptionEngineName||u.triggerOptionValue),"engine");let g=[...Object.keys(u.options||{}),...Object.keys(u.requiredOptions||{})],w=Object.fromEntries(g.map(h=>[h,a[h]])),v=await j(r),E=await u.handler({ciphertext:v,...w}),N=await V({filePath:s,skip:c});if((N===void 0||N.overwrite===!0)&&(await _(s,E),console.log(`Wrote plaintext contents of ${C(r)} file to ${C(s)}`)),m){let h=Ne(E),y=`# Dotsec decryption manifest 
+`
+  }
+  // push: {
+  // 	options: {
+  // 		...dotsecCommandDefaults.dotsec.options,
+  // 		withEnv: withEnvOption,
+  // 		withSec: withSecOption,
+  // 		envFile: envFileOption,
+  // 		secFile: secFileOption,
+  // 		yes: yesOption,
+  // 	},
+  // 	requiredOptions: {
+  // 		...dotsecCommandDefaults.dotsec.requiredOptions,
+  // 	},
+  // },
+};
+var run_default = runCommandDefaults;
+
+// src/cli/options/index.ts
+var commandOptions = {
+  ...dotsec_default,
+  ...init_default,
+  ...encrypt_default,
+  ...decrypt_default,
+  ...run_default,
+  ...push_default
+};
+var expandCommandOption = (commandOption) => {
+  if (Array.isArray(commandOption)) {
+    const [flags, description, defaultValue] = commandOption;
+    const optionProps = {
+      flags,
+      description,
+      defaultValue
+    };
+    return optionProps;
+  } else {
+    if ("option" in commandOption) {
+      const [flags, description, defaultValue] = commandOption.option;
+      const optionProps = {
+        flags,
+        description,
+        defaultValue,
+        env: commandOption.env
+      };
+      return optionProps;
+    }
+    return commandOption;
+  }
+};
+var createOption = (commandOption, options) => {
+  const defaultOptionValueFromConfig = options?.dotsecConfig?.defaults?.options?.[options?.optionKey];
+  const optionProps = expandCommandOption(commandOption);
+  const newOption = new Option(optionProps.flags, optionProps.description);
+  if (optionProps.fn) {
+    newOption.argParser(optionProps.fn);
+  }
+  if (optionProps.defaultValue) {
+    newOption.default(defaultOptionValueFromConfig || optionProps.defaultValue);
+  }
+  if (optionProps.env) {
+    newOption.env(optionProps.env);
+  }
+  if (options.required) {
+    newOption.makeOptionMandatory(true);
+  }
+  if (optionProps.choices) {
+    newOption.choices(optionProps.choices);
+  }
+  return newOption;
+};
+var setProgramOptions = (params) => {
+  const { program: program2, commandName, dotsecConfig } = params;
+  const programOptions = commandOptions[commandName || program2.name()];
+  if (programOptions) {
+    const { options, requiredOptions, description, usage, helpText } = programOptions;
+    if (options) {
+      Object.keys(options).forEach((optionKey) => {
+        const commandOption = options[optionKey];
+        const newOption = createOption(commandOption, {
+          dotsecConfig,
+          optionKey
+        });
+        program2.addOption(newOption);
+      });
+    }
+    if (requiredOptions) {
+      Object.keys(requiredOptions).forEach((requiredOptionKey) => {
+        const requiredOption = requiredOptions[requiredOptionKey];
+        const newOption = createOption(requiredOption, {
+          required: true,
+          dotsecConfig,
+          optionKey: requiredOptionKey
+        });
+        program2.addOption(newOption);
+      });
+    }
+    if (description) {
+      program2.description(description);
+    }
+    if (usage) {
+      program2.usage(usage);
+    }
+    if (helpText) {
+      program2.description(helpText);
+    }
+  }
+};
+
+// src/cli/commands/decrypt.ts
+var addEncryptProgram = async (program2, options) => {
+  const { dotsecConfig, decryptHandlers } = options;
+  const subProgram = program2.enablePositionalOptions().passThroughOptions().command("decrypt").action(async (_options, command) => {
+    try {
+      const {
+        // verbose,
+        envFile,
+        secFile,
+        engine,
+        createManifest,
+        manifestFile,
+        yes
+      } = command.optsWithGlobals();
+      const encryptionEngine = engine || dotsecConfig?.defaults?.encryptionEngine;
+      const pluginCliDecrypt = (decryptHandlers || []).find((handler) => {
+        return handler.triggerOptionValue === encryptionEngine;
+      });
+      if (!pluginCliDecrypt) {
+        throw new Error(
+          `No decryption plugin found, available decryption engine(s): ${options.decryptHandlers.map((e) => `--${e.triggerOptionValue}`).join(", ")}`
+        );
+      }
+      console.log(
+        "Decrypting with",
+        strong(
+          pluginCliDecrypt.encryptionEngineName || pluginCliDecrypt.triggerOptionValue
+        ),
+        "engine"
+      );
+      const allOptionKeys = [
+        ...Object.keys(pluginCliDecrypt.options || {}),
+        ...Object.keys(pluginCliDecrypt.requiredOptions || {})
+      ];
+      const allOptionsValues = Object.fromEntries(
+        allOptionKeys.map((key) => {
+          return [key, _options[key]];
+        })
+      );
+      const dotsecString = await readContentsFromFile(secFile);
+      const plaintext = await pluginCliDecrypt.handler({
+        ciphertext: dotsecString,
+        ...allOptionsValues
+      });
+      const dotenvOverwriteResponse = await promptOverwriteIfFileExists({
+        filePath: envFile,
+        skip: yes
+      });
+      if (dotenvOverwriteResponse === void 0 || dotenvOverwriteResponse.overwrite === true) {
+        await writeContentsToFile(envFile, plaintext);
+        console.log(
+          `Wrote plaintext contents of ${strong(secFile)} file to ${strong(
+            envFile
+          )}`
+        );
+      }
+      if (createManifest || dotsecConfig?.defaults?.options?.createManifest) {
+        const dotenvVars = parse(plaintext).obj;
+        const markdownManifest = `# Dotsec decryption manifest
 
 ## Overview
 
-- plaintext source: ${s}
-- ciphertext target: ${r}
-- created: ${new Date().toUTCString()}
-- Decryption engine: ${u.encryptionEngineName||u.triggerOptionValue}
-- Decryption engine options: ${JSON.stringify(w)}
+- plaintext source: ${envFile}
+- ciphertext target: ${secFile}
+- created: ${( new Date()).toUTCString()}
+- Decryption engine: ${pluginCliDecrypt.encryptionEngineName || pluginCliDecrypt.triggerOptionValue}
+- Decryption engine options: ${JSON.stringify(allOptionsValues)}
 
 ## Variables
 
-| Key | 
-| --- | 
-${Object.keys(h).map(A=>`| \`${A} \`| `).join(`
-`)}
-`,$=d||`${s}.decryption-manifest.md`;await _($,y),console.log(`Wrote manifest of ${C(s)} file to ${C($)}`)}}catch(s){console.error(C(s.message)),l.help()}});i.decryptHandlers.map(a=>{let{options:l,requiredOptions:s}=a;F(l,e),F(s,e,!0)});let o=i.decryptHandlers.map(a=>a.triggerOptionValue);return e.option("--engine <engine>",`Encryption engine${o.length>0?"s":""} to use: ${o.length===1?o[0]:o.join(", ")}`,o.length===1?o[0]:void 0),x({program:e,dotsecConfig:p}),e},oe=je;import{parse as Ve}from"dotenv";var Ae=async(t,i)=>{let{encryptHandlers:p,dotsecConfig:n}=i,e=t.enablePositionalOptions().passThroughOptions().command("encrypt").action(async(l,s)=>{try{let{envFile:r,secFile:f,engine:m,createManifest:d,manifestFile:c,yes:O}=s.optsWithGlobals(),u=m||n?.defaults?.encryptionEngine,g=(p||[]).find(y=>y.triggerOptionValue===u);if(!g)throw new Error(`No encryption plugin found, available encryption engine(s): ${i.encryptHandlers.map(y=>y.triggerOptionValue).join(", ")}`);let w=[...Object.keys(g.options||{}),...Object.keys(g.requiredOptions||{})],v=Object.fromEntries(w.map(y=>[y,l[y]])),E=await j(r),N=await g.handler({plaintext:E,...v}),h=await V({filePath:f,skip:O});if((h===void 0||h.overwrite===!0)&&(await _(f,N),console.log(`Wrote encrypted contents of ${C(r)} file to ${C(f)}`),d)){let y=Ve(E),$=`# Dotsec encryption manifest 
+| Key |
+| --- |
+${Object.keys(dotenvVars).map((key) => {
+          return `| \`${key} \`| `;
+        }).join("\n")}
+`;
+        const manifestTargetFile = manifestFile || `${envFile}.decryption-manifest.md`;
+        await writeContentsToFile(manifestTargetFile, markdownManifest);
+        console.log(
+          `Wrote manifest of ${strong(envFile)} file to ${strong(
+            manifestTargetFile
+          )}`
+        );
+      }
+    } catch (e) {
+      console.error(strong(e.message));
+      command.help();
+    }
+  });
+  options.decryptHandlers.map((decryption) => {
+    const { options: options2, requiredOptions } = decryption;
+    addPluginOptions(options2, subProgram);
+    addPluginOptions(requiredOptions, subProgram, true);
+  });
+  const engines = options.decryptHandlers.map((e) => e.triggerOptionValue);
+  subProgram.option(
+    "--engine <engine>",
+    `Encryption engine${engines.length > 0 ? "s" : ""} to use: ${engines.length === 1 ? engines[0] : engines.join(", ")}`,
+    engines.length === 1 ? engines[0] : void 0
+  );
+  setProgramOptions({ program: subProgram, dotsecConfig });
+  return subProgram;
+};
+var decrypt_default2 = addEncryptProgram;
+
+// src/cli/commands/encrypt.ts
+var addEncryptProgram2 = async (program2, options) => {
+  const { encryptHandlers, dotsecConfig } = options;
+  const subProgram = program2.enablePositionalOptions().passThroughOptions().command("encrypt").action(async (_options, command) => {
+    try {
+      const {
+        // verbose,
+        envFile,
+        secFile,
+        engine,
+        createManifest,
+        manifestFile,
+        yes
+      } = command.optsWithGlobals();
+      const encryptionEngine = engine || dotsecConfig?.defaults?.encryptionEngine;
+      const pluginCliEncrypt = (encryptHandlers || []).find((handler) => {
+        return handler.triggerOptionValue === encryptionEngine;
+      });
+      if (!pluginCliEncrypt) {
+        throw new Error(
+          `No encryption plugin found, available encryption engine(s): ${options.encryptHandlers.map((e) => e.triggerOptionValue).join(", ")}`
+        );
+      }
+      const allOptionKeys = [
+        ...Object.keys(pluginCliEncrypt.options || {}),
+        ...Object.keys(pluginCliEncrypt.requiredOptions || {})
+      ];
+      const allOptionsValues = Object.fromEntries(
+        allOptionKeys.map((key) => {
+          return [key, _options[key]];
+        })
+      );
+      const dotenvString = await readContentsFromFile(envFile);
+      let dotsecString;
+      try {
+        dotsecString = await readContentsFromFile(secFile);
+      } catch (e) {
+      }
+      const cipherText = await pluginCliEncrypt.handler({
+        plaintext: dotenvString,
+        ciphertext: dotsecString,
+        ...allOptionsValues
+      });
+      const dotsecOverwriteResponse = await promptOverwriteIfFileExists({
+        filePath: secFile,
+        skip: yes
+      });
+      if (dotsecOverwriteResponse === void 0 || dotsecOverwriteResponse.overwrite === true) {
+        await writeContentsToFile(secFile, cipherText);
+        console.log(
+          `Wrote encrypted contents of ${strong(envFile)} file to ${strong(
+            secFile
+          )}`
+        );
+        if (createManifest || dotsecConfig?.defaults?.options?.createManifest) {
+          const dotenvVars = parse(dotenvString).obj;
+          const markdownManifest = `# Dotsec encryption manifest 
 
 ## Overview
 
-- plaintext source: ${r}
-- ciphertext target: ${f}
-- created: ${new Date().toUTCString()}
-- encryption engine: ${g.encryptionEngineName||g.triggerOptionValue}
-- encryption engine options: ${JSON.stringify(v)}
+- plaintext source: ${envFile}
+- ciphertext target: ${secFile}
+- created: ${( new Date()).toUTCString()}
+- encryption engine: ${pluginCliEncrypt.encryptionEngineName || pluginCliEncrypt.triggerOptionValue}
+- encryption engine options: ${JSON.stringify(allOptionsValues)}
 
 ## Variables
 
 | Key | 
 | --- | 
-${Object.keys(y).map(le=>`| \`${le} \`| `).join(`
-`)}
-`,A=c||`${f}.encryption-manifest.md`;await _(A,$),console.log(`Wrote manifest of ${C(r)} file to ${C(A)}`)}}catch(r){console.error(C(r.message)),s.help()}});i.encryptHandlers.map(l=>{let{options:s,requiredOptions:r}=l;F(s,e),F(r,e,!0)});let o=i.encryptHandlers.map(l=>l.triggerOptionValue),a=i.encryptHandlers.map(l=>l.encryptionEngineName);return e.option("--engine <engine>",`Encryption engine${o.length>0?"s":""}: ${o.length===1?o[0]:o.join(", ")}`,o.length===1?o[0]:void 0),x({program:e,dotsecConfig:n}),e.description(`Encrypt .env file using ${a.join(", ")}`),e},ie=Ae;import ke from"node:path";var He=async(t,i)=>{let{dotsecConfig:p}=i,n=t.enablePositionalOptions().passThroughOptions().command("init").action(async(e,o)=>{let{configFile:a="dotsec.config.ts",yes:l}=o.optsWithGlobals();try{let s=await j(ke.resolve(__dirname,"../../src/templates/dotsec.config.ts")),r=await V({filePath:a,skip:l});(r===void 0||r.overwrite===!0)&&(await _(a,s),console.log(`Wrote config file to ${C(a)}`))}catch(s){o.error(s)}});return x({program:n,dotsecConfig:p}),n},re=He;import{parse as Le}from"dotenv";import{expand as Re}from"dotenv-expand";import se from"node:fs";var Me=async(t,i)=>{let{dotsecConfig:p,handlers:n}=i,e=t.enablePositionalOptions().passThroughOptions().command("push").action(async(r,f)=>{try{let{using:m,envFile:d,secFile:c,engine:O,yes:u}=f.optsWithGlobals(),g=O||p?.defaults?.encryptionEngine,w=(n||[]).find(y=>y.decrypt?.triggerOptionValue===g)?.decrypt,v=(n||[]).find(y=>y.push?.triggerOptionValue===g)?.push;if(!v)throw new Error("No push plugin found!");let E=[...Object.keys(w?.options||{}),...Object.keys(w?.requiredOptions||{}),...Object.keys(v?.options||{}),...Object.keys(v?.requiredOptions||{})],N=Object.fromEntries(E.map(y=>[y,r[y]])),h;if(m==="env"){if(!d)throw new Error("No dotenv file specified in --env-file option");h=se.readFileSync(d,"utf8")}else{if(!c)throw new Error("No dotsec file specified in --sec-file option");if(!w)throw new Error(`No decryption plugin found, available decryption engine(s): ${n.map($=>`--${$.decrypt?.triggerOptionValue}`).join(", ")}`);let y=se.readFileSync(c,"utf8");h=await w.handler({ciphertext:y,...N})}if(h){let y=Le(h),$=Re({ignoreProcessEnv:!0,parsed:{...process.env,...y}});$.parsed&&await v.handler({push:$.parsed,yes:u,...N})}else throw new Error("No .env or .sec file provided")}catch(m){console.error(m),process.exit(1)}});x({program:e,dotsecConfig:p});let o=i.handlers.map(({decrypt:r})=>r.triggerOptionValue);e.option("--engine <engine>",`Encryption engine${o.length>0?"s":""} to use: ${o.length===1?o[0]:o.join(", ")}`,o.length===1?o[0]:void 0);let a={};i.handlers.forEach(r=>{Object.keys(r).map(f=>{let{options:m,requiredOptions:d}=r[f];Object.keys(m||{}).forEach(c=>{a[c]=Array.isArray(m[c])?m[c]:{...a[c],...m[c]}}),Object.keys(d||{}).forEach(c=>{a[c]=Array.isArray(d[c])?d[c]:{...a[c],...d[c],required:!0}})})});let l=[],s=[];return n.forEach(r=>{r.push?.description&&s.push(r.push.description),r.push?.usage&&l.push(r.push.usage)}),s.length>0&&e.description(s.join(`
-`)),l.length>0&&e.usage(l.join(`
-`)),F(Object.fromEntries(Object.entries(a).filter(([r,f])=>f.required!==!0)),e),F(Object.fromEntries(Object.entries(a).filter(([r,f])=>f.required===!0)),e,!0),e},ae=Me;import ce from"node:fs";import{parse as qe}from"dotenv";import{expand as Ge}from"dotenv-expand";import{spawnSync as We}from"node:child_process";var Ue=(t,i)=>{let{dotsecConfig:p,decryptHandlers:n}=i||{},e=n!==void 0&&n.length>0,o=t.command("run <command...>").allowUnknownOption(!0).enablePositionalOptions().passThroughOptions().showHelpAfterError(!0).action(async(a,l,s)=>{try{let{envFile:r,using:f,secFile:m,engine:d}=s.optsWithGlobals(),c;if(f==="env"||e===!1){if(!r)throw new Error("No dotenv file specified in --env-file option");c=ce.readFileSync(r,"utf8")}else if(f==="sec"){if(!m)throw new Error("No dotsec file specified in --sec-file option");let O=d||p?.defaults?.encryptionEngine,u=(n||[]).find(E=>E.triggerOptionValue===O);if(!u)throw new Error(`No decryption plugin found, available decryption engine(s): ${(n||[]).map(E=>`--${E.triggerOptionValue}`).join(", ")}`);let g=[...Object.keys(u.options||{}),...Object.keys(u.requiredOptions||{})],w=Object.fromEntries(g.map(E=>[E,l[E]])),v=ce.readFileSync(m,"utf8");c=await u.handler({ciphertext:v,...w})}if(c){let O=qe(c),u=Ge({ignoreProcessEnv:!0,parsed:{...process.env,...O}}),[g,...w]=a,v=We(g,[...w],{stdio:"inherit",shell:!1,encoding:"utf-8",env:{...u.parsed,...process.env,__DOTSEC_ENV__:JSON.stringify(Object.keys(O))}});v.status!==0&&process.exit(v.status||1)}else throw new Error("No .env or .sec file provided")}catch(r){console.error(C(r.message)),s.help()}});if(x({program:o,commandName:e?"run":"runEnvOnly",dotsecConfig:p}),e){n?.map(l=>{let{options:s,requiredOptions:r}=l;F(s,o),F(r,o,!0)});let a=n?.map(l=>l.triggerOptionValue);o.option("--engine <engine>",`Encryption engine${a.length>0?"s":""}: ${a.join(", "),a.length===1?a[0]:void 0}`)}return o},pe=Ue;import Je from"ajv";import Be from"yargs-parser";var Ye={keyword:"separator",type:"string",metaSchema:{type:"string",description:"value separator"},modifying:!0,valid:!0,errors:!1,compile:t=>(i,p)=>{if(p){let{parentData:n,parentDataProperty:e}=p;return n[e]=i===""?[]:i.split(t),!0}else return!1}},S=new Ke;(async()=>{let t=Be(process.argv),i=[];t.plugin&&(Array.isArray(t.plugin)?i.push(...t.plugin):i.push(t.plugin));let p=[...Array.isArray(t.configFile)?t.configFile:[t.configFile],...Array.isArray(t.c)?t.c:[t.c]][0]||process.env.DOTSEC_CONFIG_FILE,{contents:n={}}=await U(p),{defaults:e={},push:o,plugins:a}=n;S.name("dotsec").description(".env, but secure").version("1.0.0").enablePositionalOptions().action((d,c)=>{c.help()}),x({program:S,dotsecConfig:n});let l=new Je({allErrors:!0,removeAdditional:!0,useDefaults:!0,coerceTypes:!0,allowUnionTypes:!0,addUsedSchema:!1,keywords:[Ye]}),s={};if(a)for(let d of a)e?.plugins?.[d]||(e.plugins={...e.plugins,[d]:{}});if(i.length>0)for(let d of i){let O=await(await q({name:d}))({dotsecConfig:n,ajv:l,configFile:p});s[O.name]=d,i.length===1&&(n.defaults={...n.defaults,encryptionEngine:String(O.name),plugins:{...n.defaults?.plugins,[O.name]:{...n.defaults?.plugins?.[O.name]}}})}e?.encryptionEngine&&(e?.plugins?.[e.encryptionEngine]||(e.plugins={...e.plugins,[e.encryptionEngine]:{}})),e?.plugins&&Object.entries(e?.plugins).forEach(([d,c])=>{c?.name?s[d]=c?.name:s[d]=`@dotsec/plugin-${d}`}),Object.values(o||{}).forEach(d=>{Object.keys(d).forEach(c=>{s[c]||(s[c]=`@dotsec/plugin-${c}`)})});let r=[],f=[],m=[];for(let d of Object.keys(s)){let c=s[d],O=await q({name:c}),{addCliCommand:u,cliHandlers:g}=await O({ajv:l,dotsecConfig:n,configFile:p});g?.encrypt&&r.push(g.encrypt),g?.decrypt&&(f.push(g.decrypt),g?.push&&m.push({push:g.push,decrypt:g.decrypt})),u&&u({program:S})}r.length&&await ie(S,{dotsecConfig:n,encryptHandlers:r}),f.length&&await oe(S,{dotsecConfig:n,decryptHandlers:f}),m.length&&await ae(S,{dotsecConfig:n,handlers:m}),await re(S,{dotsecConfig:n}),await pe(S,{dotsecConfig:n,decryptHandlers:f}),await S.parse()})();
+${Object.keys(dotenvVars).map((key) => {
+            return `| \`${key} \`| `;
+          }).join("\n")}
+`;
+          const manifestTargetFile = manifestFile || `${secFile}.encryption-manifest.md`;
+          await writeContentsToFile(manifestTargetFile, markdownManifest);
+          console.log(
+            `Wrote manifest of ${strong(envFile)} file to ${strong(
+              manifestTargetFile
+            )}`
+          );
+        }
+      }
+    } catch (e) {
+      console.error(strong(e.message));
+      command.help();
+    }
+  });
+  options.encryptHandlers.map((encryptionHandler) => {
+    const { options: options2, requiredOptions } = encryptionHandler;
+    addPluginOptions(options2, subProgram);
+    addPluginOptions(requiredOptions, subProgram, true);
+  });
+  const engines = options.encryptHandlers.map((e) => e.triggerOptionValue);
+  const encryptionEngineNames = options.encryptHandlers.map(
+    (e) => e.encryptionEngineName
+  );
+  subProgram.option(
+    "--engine <engine>",
+    `Encryption engine${engines.length > 0 ? "s" : ""}: ${engines.length === 1 ? engines[0] : engines.join(", ")}`,
+    engines.length === 1 ? engines[0] : void 0
+  );
+  setProgramOptions({ program: subProgram, dotsecConfig });
+  subProgram.description(
+    `Encrypt .env file using ${encryptionEngineNames.join(", ")}`
+  );
+  return subProgram;
+};
+var encrypt_default2 = addEncryptProgram2;
+var addInitProgram = async (program2, options) => {
+  const { dotsecConfig } = options;
+  const subProgram = program2.enablePositionalOptions().passThroughOptions().command("init").action(async (_options, command) => {
+    const { configFile = "dotsec.config.ts", yes } = command.optsWithGlobals();
+    try {
+      const configTemplate = await readContentsFromFile(
+        path.resolve(__dirname, "../../src/templates/dotsec.config.ts")
+      );
+      const dotsecConfigOverwriteResponse = await promptOverwriteIfFileExists(
+        {
+          filePath: configFile,
+          skip: yes
+        }
+      );
+      if (dotsecConfigOverwriteResponse === void 0 || dotsecConfigOverwriteResponse.overwrite === true) {
+        await writeContentsToFile(configFile, configTemplate);
+        console.log(`Wrote config file to ${strong(configFile)}`);
+      }
+    } catch (e) {
+      command.error(e);
+    }
+  });
+  setProgramOptions({ program: subProgram, dotsecConfig });
+  return subProgram;
+};
+var init_default2 = addInitProgram;
+var addPushProgram = async (program2, options) => {
+  const { dotsecConfig, handlers } = options;
+  const subProgram = program2.enablePositionalOptions().passThroughOptions().command("push").action(async (_options, command) => {
+    try {
+      const {
+        // verbose,
+        using,
+        envFile,
+        secFile,
+        engine,
+        yes
+      } = command.optsWithGlobals();
+      const encryptionEngine = engine || dotsecConfig?.defaults?.encryptionEngine;
+      const pluginCliDecrypt = (handlers || []).find((handler) => {
+        return handler.decrypt?.triggerOptionValue === encryptionEngine;
+      })?.decrypt;
+      const pluginCliPush = (handlers || []).find((handler) => {
+        return handler.push?.triggerOptionValue === encryptionEngine;
+      })?.push;
+      if (!pluginCliPush) {
+        throw new Error("No push plugin found!");
+      }
+      const allOptionKeys = [
+        ...Object.keys(pluginCliDecrypt?.options || {}),
+        ...Object.keys(pluginCliDecrypt?.requiredOptions || {}),
+        ...Object.keys(pluginCliPush?.options || {}),
+        ...Object.keys(pluginCliPush?.requiredOptions || {})
+      ];
+      const allOptionsValues = Object.fromEntries(
+        allOptionKeys.map((key) => {
+          return [key, _options[key]];
+        })
+      );
+      let envContents;
+      if (using === "env") {
+        if (!envFile) {
+          throw new Error("No dotenv file specified in --env-file option");
+        }
+        envContents = fs3.readFileSync(envFile, "utf8");
+      } else {
+        if (!secFile) {
+          throw new Error("No dotsec file specified in --sec-file option");
+        }
+        if (!pluginCliDecrypt) {
+          throw new Error(
+            `No decryption plugin found, available decryption engine(s): ${handlers.map((e) => `--${e.decrypt?.triggerOptionValue}`).join(", ")}`
+          );
+        }
+        const dotSecContents = fs3.readFileSync(secFile, "utf8");
+        envContents = await pluginCliDecrypt.handler({
+          ciphertext: dotSecContents,
+          ...allOptionsValues
+        });
+      }
+      if (envContents) {
+        const dotenvVars = parse(envContents).obj;
+        const expandedEnvVars = expand({
+          ignoreProcessEnv: true,
+          parsed: {
+            // add standard env variables
+            ...process.env,
+            // add custom env variables, either from .env or .sec, (or empty object if none)
+            ...dotenvVars
+          }
+        });
+        if (expandedEnvVars.parsed) {
+          await pluginCliPush.handler({
+            push: expandedEnvVars.parsed,
+            yes,
+            ...allOptionsValues
+          });
+        }
+      } else {
+        throw new Error("No .env or .sec file provided");
+      }
+    } catch (e) {
+      console.error(e);
+      process.exit(1);
+    }
+  });
+  setProgramOptions({ program: subProgram, dotsecConfig });
+  const engines = options.handlers.map(
+    ({ decrypt }) => decrypt.triggerOptionValue
+  );
+  subProgram.option(
+    "--engine <engine>",
+    `Encryption engine${engines.length > 0 ? "s" : ""} to use: ${engines.length === 1 ? engines[0] : engines.join(", ")}`,
+    engines.length === 1 ? engines[0] : void 0
+  );
+  const allOptions = {};
+  options.handlers.forEach((handlers2) => {
+    Object.keys(handlers2).map((handlerName) => {
+      const { options: cliOptions, requiredOptions } = handlers2[handlerName];
+      Object.keys(cliOptions || {}).forEach((key) => {
+        allOptions[key] = Array.isArray(cliOptions[key]) ? cliOptions[key] : { ...allOptions[key], ...cliOptions[key] };
+      });
+      Object.keys(requiredOptions || {}).forEach((key) => {
+        allOptions[key] = Array.isArray(requiredOptions[key]) ? requiredOptions[key] : {
+          ...allOptions[key],
+          ...requiredOptions[key],
+          required: true
+        };
+      });
+    });
+  });
+  const usage = [];
+  const descriptions = [];
+  handlers.forEach((handler) => {
+    if (handler.push?.description) {
+      descriptions.push(handler.push.description);
+    }
+    if (handler.push?.usage) {
+      usage.push(handler.push.usage);
+    }
+  });
+  if (descriptions.length > 0) {
+    subProgram.description(descriptions.join("\n"));
+  }
+  if (usage.length > 0) {
+    subProgram.usage(usage.join("\n"));
+  }
+  addPluginOptions(
+    Object.fromEntries(
+      Object.entries(allOptions).filter(
+        ([_key, value]) => value.required !== true
+      )
+    ),
+    subProgram
+  );
+  addPluginOptions(
+    Object.fromEntries(
+      Object.entries(allOptions).filter(
+        ([_key, value]) => value.required === true
+      )
+    ),
+    subProgram,
+    true
+  );
+  return subProgram;
+};
+var push_default2 = addPushProgram;
+var addRunProgam = (program2, options) => {
+  const { dotsecConfig, decryptHandlers } = options || {};
+  const hasDecryptEngine = decryptHandlers !== void 0 && decryptHandlers.length > 0;
+  const subProgram = program2.command("run <command...>").allowUnknownOption(true).enablePositionalOptions().passThroughOptions().showHelpAfterError(true).action(
+    async (commands, _options, command) => {
+      try {
+        const {
+          envFile,
+          using,
+          secFile,
+          engine,
+          showRedacted,
+          outputBackgroundColor,
+          showOutputBackgroundColor,
+          showOutputPrefix,
+          outputPrefix
+        } = command.optsWithGlobals();
+        let envContents;
+        if (using === "env" || hasDecryptEngine === false) {
+          if (!envFile) {
+            throw new Error("No dotenv file specified in --env-file option");
+          }
+          envContents = fs3.readFileSync(envFile, "utf8");
+        } else if (using === "sec") {
+          if (!secFile) {
+            throw new Error("No dotsec file specified in --sec-file option");
+          }
+          const encryptionEngine = engine || dotsecConfig?.defaults?.encryptionEngine;
+          const pluginCliDecrypt = (decryptHandlers || []).find((handler) => {
+            return handler.triggerOptionValue === encryptionEngine;
+          });
+          if (!pluginCliDecrypt) {
+            throw new Error(
+              `No decryption plugin found, available decryption engine(s): ${(decryptHandlers || []).map((e) => `--${e.triggerOptionValue}`).join(", ")}`
+            );
+          }
+          const allOptionKeys = [
+            ...Object.keys(pluginCliDecrypt.options || {}),
+            ...Object.keys(pluginCliDecrypt.requiredOptions || {})
+          ];
+          const allOptionsValues = Object.fromEntries(
+            allOptionKeys.map((key) => {
+              return [key, _options[key]];
+            })
+          );
+          try {
+            const dotSecContents = fs3.readFileSync(secFile, "utf8");
+            envContents = await pluginCliDecrypt.handler({
+              ciphertext: dotSecContents,
+              ...allOptionsValues
+            });
+          } catch (e) {
+            console.error("Something bad happened while decrypting.");
+            console.error(`File: ${secFile}`);
+            throw e;
+          }
+        }
+        if (envContents) {
+          const dotenvVars = parse(envContents).obj;
+          const expandedEnvVars = expand({
+            ignoreProcessEnv: true,
+            parsed: {
+              // add standard env variables
+              ...process.env,
+              // add custom env variables, either from .env or .sec, (or empty object if none)
+              ...dotenvVars
+            }
+          });
+          const [userCommand, ...userCommandArgs] = commands;
+          const waiter = await new Promise((resolve) => {
+            const cprocess = spawn(userCommand, [...userCommandArgs], {
+              stdio: "pipe",
+              shell: false,
+              env: {
+                ...expandedEnvVars.parsed,
+                ...process.env,
+                __DOTSEC_ENV__: JSON.stringify(Object.keys(dotenvVars))
+              }
+            });
+            const expandedEnvVarsWithoutEnv = expand({
+              ignoreProcessEnv: true,
+              parsed: {
+                // add standard env variables
+                // add custom env variables, either from .env or .sec, (or empty object if none)
+                ...dotenvVars
+              }
+            });
+            cprocess.stdout.setEncoding("utf8");
+            let addBackgroundColor = showOutputBackgroundColor || dotsecConfig.defaults?.options?.showBackgroundColor ? chalk2.bgRedBright : (str) => str;
+            if (outputBackgroundColor && (showOutputBackgroundColor || dotsecConfig.defaults?.options?.showBackgroundColor)) {
+              if (!backgroundColors.includes(
+                outputBackgroundColor
+              )) {
+                throw new Error(
+                  `Invalid background color: ${outputBackgroundColor}`
+                );
+              }
+              const backgroundColorFnName = camelCase(
+                `bg-${outputBackgroundColor}`
+              );
+              if (chalk2[backgroundColorFnName]) {
+                addBackgroundColor = chalk2[backgroundColorFnName];
+              } else {
+                console.warn(
+                  `Invalid background color: ${backgroundColorFnName}, using default: red`
+                );
+                addBackgroundColor = chalk2.bgRedBright;
+              }
+            }
+            const prefix = showOutputPrefix || dotsecConfig?.defaults?.options?.showOutputPrefix ? `${outputPrefix || "(dotsec) "}` : "";
+            cprocess.stdout.on("data", function(data) {
+              const lines = addBackgroundColor(
+                data.split(/\r?\n/).map((line) => `${prefix}${line}`).join("\n")
+              );
+              const redactedLines = (showRedacted || dotsecConfig?.defaults?.options?.showRedacted) !== true ? Object.entries(expandedEnvVarsWithoutEnv.parsed || {}).sort(([, a], [, b]) => {
+                if (a.length > b.length) {
+                  return -1;
+                } else if (a.length < b.length) {
+                  return 1;
+                } else {
+                  return 0;
+                }
+              }).reduce((acc, [key, value]) => {
+                console.log("KEY", key);
+                if (dotsecConfig?.redaction?.ignore?.includes(key)) {
+                  console.log("IGNORING", key);
+                  return acc;
+                } else {
+                  const redactedValue = value.replace(/./g, "*");
+                  return acc.replace(value, redactedValue);
+                }
+              }, lines) : lines;
+              console.log(redactedLines);
+            });
+            cprocess.stderr.setEncoding("utf8");
+            cprocess.stderr.on("data", function(data) {
+              process.stderr.write(data.toString());
+            });
+            cprocess.on("exit", (code) => {
+              resolve(code);
+            });
+          });
+          if (waiter !== 0) {
+            process.exit(waiter || 1);
+          }
+        } else {
+          throw new Error("No .env or .sec file provided");
+        }
+      } catch (e) {
+        console.error(strong(e.message));
+        command.help();
+      }
+    }
+  );
+  setProgramOptions({
+    program: subProgram,
+    commandName: hasDecryptEngine ? "run" : "runEnvOnly",
+    dotsecConfig
+  });
+  if (hasDecryptEngine) {
+    decryptHandlers?.map((run) => {
+      const { options: options2, requiredOptions } = run;
+      addPluginOptions(options2, subProgram);
+      addPluginOptions(requiredOptions, subProgram, true);
+    });
+    const engines = decryptHandlers?.map((e) => e.triggerOptionValue);
+    subProgram.option(
+      "--engine <engine>",
+      `Encryption engine${engines.length > 0 ? "s" : ""}: ${engines.join(", "), engines.length === 1 ? engines[0] : void 0}`
+      // engines.length === 1 ? engines[0] : undefined,
+    );
+  }
+  return subProgram;
+};
+var run_default2 = addRunProgam;
+var separator = {
+  keyword: "separator",
+  type: "string",
+  metaSchema: {
+    type: "string",
+    description: "value separator"
+  },
+  modifying: true,
+  valid: true,
+  errors: false,
+  compile: (schema) => (data, ctx) => {
+    if (ctx) {
+      const { parentData, parentDataProperty } = ctx;
+      parentData[parentDataProperty] = data === "" ? [] : data.split(schema);
+      return true;
+    } else {
+      return false;
+    }
+  }
+};
+var program = new Command();
+(async () => {
+  const parsedOptions = yargsParser(process.argv);
+  const argvPluginModules = [];
+  if (parsedOptions.plugin) {
+    if (Array.isArray(parsedOptions.plugin)) {
+      argvPluginModules.push(...parsedOptions.plugin);
+    } else {
+      argvPluginModules.push(parsedOptions.plugin);
+    }
+  }
+  const someConfigFile = parsedOptions.configFile || parsedOptions.c;
+  const configFile = [
+    ...Array.isArray(someConfigFile) ? someConfigFile : [someConfigFile]
+  ]?.[0] || process.env.DOTSEC_CONFIG_FILE;
+  const { contents: dotsecConfig = {} } = await getMagicalConfig(configFile);
+  const { defaults = {}, push: pushVariables, plugins } = dotsecConfig;
+  program.name("dotsec").description(".env, but secure").version("1.0.0").passThroughOptions().action((_options, other) => {
+    other.help();
+  });
+  setProgramOptions({ program, dotsecConfig });
+  const ajv = new Ajv({
+    allErrors: true,
+    removeAdditional: true,
+    useDefaults: true,
+    coerceTypes: true,
+    allowUnionTypes: true,
+    addUsedSchema: false,
+    keywords: [separator]
+  });
+  const pluginModules = {};
+  if (plugins) {
+    for (const pluginName of plugins) {
+      if (!defaults?.plugins?.[pluginName]) {
+        defaults.plugins = {
+          ...defaults.plugins,
+          [pluginName]: {}
+        };
+      }
+    }
+  }
+  if (argvPluginModules.length > 0) {
+    for (const pluginModule of argvPluginModules) {
+      const plugin = await loadDotsecPlugin({ name: pluginModule });
+      const loadedPlugin = await plugin({
+        dotsecConfig,
+        ajv,
+        configFile
+      });
+      pluginModules[loadedPlugin.name] = pluginModule;
+      if (argvPluginModules.length === 1) {
+        dotsecConfig.defaults = {
+          ...dotsecConfig.defaults,
+          encryptionEngine: String(loadedPlugin.name),
+          plugins: {
+            ...dotsecConfig.defaults?.plugins,
+            [loadedPlugin.name]: {
+              ...dotsecConfig.defaults?.plugins?.[loadedPlugin.name]
+            }
+          }
+        };
+      }
+    }
+  }
+  if (defaults?.encryptionEngine) {
+    if (!defaults?.plugins?.[defaults.encryptionEngine]) {
+      defaults.plugins = {
+        ...defaults.plugins,
+        [defaults.encryptionEngine]: {}
+      };
+    }
+  }
+  if (defaults?.plugins) {
+    Object.entries(defaults?.plugins).forEach(
+      ([pluginName, pluginModule]) => {
+        if (pluginModule?.name) {
+          pluginModules[pluginName] = pluginModule?.name;
+        } else {
+          pluginModules[pluginName] = `@dotsec/plugin-${pluginName}`;
+        }
+      }
+    );
+  }
+  Object.values(pushVariables || {}).forEach((pushVariable) => {
+    Object.keys(pushVariable).forEach((pluginName) => {
+      if (!pluginModules[pluginName]) {
+        pluginModules[pluginName] = `@dotsec/plugin-${pluginName}`;
+      }
+    });
+  });
+  const cliPluginEncryptHandlers = [];
+  const cliPluginDecryptHandlers = [];
+  const cliPluginPushHandlers = [];
+  for (const pluginName of Object.keys(pluginModules)) {
+    const pluginModule = pluginModules[pluginName];
+    const initDotsecPlugin = await loadDotsecPlugin({ name: pluginModule });
+    const { addCliCommand, cliHandlers: cli } = await initDotsecPlugin({
+      ajv,
+      dotsecConfig,
+      configFile
+    });
+    if (cli?.encrypt) {
+      cliPluginEncryptHandlers.push(cli.encrypt);
+    }
+    if (cli?.decrypt) {
+      cliPluginDecryptHandlers.push(cli.decrypt);
+      if (cli?.push) {
+        cliPluginPushHandlers.push({ push: cli.push, decrypt: cli.decrypt });
+      }
+    }
+    if (addCliCommand) {
+      addCliCommand({ program });
+    }
+  }
+  if (cliPluginEncryptHandlers.length) {
+    await encrypt_default2(program, {
+      dotsecConfig,
+      encryptHandlers: cliPluginEncryptHandlers
+    });
+  }
+  if (cliPluginDecryptHandlers.length) {
+    await decrypt_default2(program, {
+      dotsecConfig,
+      decryptHandlers: cliPluginDecryptHandlers
+    });
+  }
+  if (cliPluginPushHandlers.length) {
+    await push_default2(program, {
+      dotsecConfig,
+      handlers: cliPluginPushHandlers
+    });
+  }
+  await init_default2(program, { dotsecConfig });
+  await run_default2(program, {
+    dotsecConfig,
+    decryptHandlers: cliPluginDecryptHandlers
+  });
+  await program.parse();
+})();
+//# sourceMappingURL=out.js.map
 //# sourceMappingURL=index.mjs.map