e2sm 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 mfyuu
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,3 @@
+# e2sm
+
+.env to AWS Secrets Manager

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "e2sm",
+  "version": "0.1.0",
+  "bin": {
+    "e2sm": "src/index.ts"
+  },
+  "files": [
+    "src/index.ts",
+    "src/lib.ts"
+  ],
+  "type": "module",
+  "module": "src/index.ts",
+  "scripts": {
+    "prepare": "lefthook install",
+    "preinstall": "npx only-allow bun",
+    "fmt": "oxfmt",
+    "fmt:check": "oxfmt --check",
+    "lint": "oxlint",
+    "lint-types": "oxlint --type-aware",
+    "check": "oxfmt && oxlint --type-aware",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@clack/prompts": "^0.11.0",
+    "gunshi": "0.27.5"
+  },
+  "devDependencies": {
+    "@changesets/changelog-github": "^0.5.2",
+    "@changesets/cli": "^2.29.8",
+    "@gunshi/docs": "0.27.5",
+    "@types/bun": "latest",
+    "lefthook": "^2.0.15",
+    "oxfmt": "^0.26.0",
+    "oxlint": "^1.41.0",
+    "oxlint-tsgolint": "^0.11.1"
+  },
+  "peerDependencies": {
+    "typescript": "^5"
+  }
+}

package/src/index.ts

@@ -0,0 +1,169 @@
+#!/usr/bin/env bun
+import * as p from "@clack/prompts";
+import { cli, define } from "gunshi";
+import pkg from "../package.json";
+import { parseEnvContent, validateUnknownFlags } from "./lib";
+
+function isCancel(value: unknown): value is symbol {
+  return p.isCancel(value);
+}
+
+const command = define({
+  name: "e2sm",
+  description: "Upload .env file to AWS Secrets Manager",
+  args: {
+    dryRun: {
+      type: "boolean",
+      short: "d",
+      toKebab: true,
+      description: "Preview JSON output without uploading",
+    },
+    profile: {
+      type: "string",
+      short: "p",
+      description: "AWS profile to use",
+    },
+    input: {
+      type: "string",
+      short: "i",
+      description: "Path to the .env file (skip interactive prompt)",
+    },
+    name: {
+      type: "string",
+      short: "n",
+      description: "Secret name for AWS Secrets Manager (skip interactive prompt)",
+    },
+    region: {
+      type: "string",
+      short: "r",
+      description: "AWS region to use (e.g., ap-northeast-1)",
+    },
+  },
+  run: async (ctx) => {
+    // Validate unknown flags first
+    const unknownFlagError = validateUnknownFlags(ctx.tokens, ctx.args);
+    if (unknownFlagError) {
+      console.error(unknownFlagError);
+      process.exit(1);
+    }
+
+    const isDryRun = ctx.values.dryRun;
+    const profile = ctx.values.profile;
+    const inputFlag = ctx.values.input;
+    const nameFlag = ctx.values.name;
+    const region = ctx.values.region;
+
+    p.intro(`e2sm v${pkg.version} - env to AWS Secrets Manager`);
+
+    // 1. Get env file path (from flag or interactively)
+    let envFilePath: string;
+
+    if (inputFlag) {
+      envFilePath = inputFlag;
+    } else {
+      const result = await p.text({
+        message: "Enter the path to your .env file:",
+        placeholder: ".env.local",
+        defaultValue: ".env.local",
+      });
+
+      if (isCancel(result)) {
+        p.cancel("Operation cancelled");
+        process.exit(0);
+      }
+
+      envFilePath = result;
+    }
+
+    // 2. Read and parse env file
+    const file = Bun.file(envFilePath);
+    const exists = await file.exists();
+
+    if (!exists) {
+      p.cancel(`File not found: ${envFilePath}`);
+      process.exit(1);
+    }
+
+    const content = await file.text();
+    const envData = parseEnvContent(content);
+
+    if (Object.keys(envData).length === 0) {
+      p.cancel("No valid environment variables found in the file");
+      process.exit(1);
+    }
+
+    const jsonString = JSON.stringify(envData);
+
+    // 3. Dry-run mode: preview with jq
+    if (isDryRun) {
+      p.log.info("Dry-run mode: Previewing JSON output");
+      const jqResult = await Bun.$`echo ${jsonString} | jq -C .`.text();
+      console.log(jqResult);
+      p.outro("Dry-run complete");
+      return;
+    }
+
+    // 4. Get secret name (from flag or interactively)
+    let secretName: string;
+
+    if (nameFlag) {
+      secretName = nameFlag;
+    } else {
+      const result = await p.text({
+        message: "Enter the secret name for AWS Secrets Manager:",
+        placeholder: "my-app/default",
+        defaultValue: "my-app/default",
+      });
+
+      if (isCancel(result)) {
+        p.cancel("Operation cancelled");
+        process.exit(0);
+      }
+
+      secretName = result;
+    }
+
+    // 5. Upload to AWS Secrets Manager
+    const spinner = p.spinner();
+    spinner.start("Uploading to AWS Secrets Manager...");
+
+    const profileArgs = profile ? ["--profile", profile] : [];
+    const regionArgs = region ? ["--region", region] : [];
+
+    // First, try to check if the secret already exists
+    const describeResult =
+      await Bun.$`aws secretsmanager describe-secret --secret-id ${secretName} ${profileArgs} ${regionArgs} 2>/dev/null`.nothrow();
+
+    if (describeResult.exitCode === 0) {
+      // Secret exists, update it
+      const updateResult =
+        await Bun.$`aws secretsmanager put-secret-value --secret-id ${secretName} --secret-string ${jsonString} ${profileArgs} ${regionArgs}`.nothrow();
+
+      if (updateResult.exitCode !== 0) {
+        spinner.stop("Failed to update secret");
+        p.cancel(`Error: ${updateResult.stderr.toString()}`);
+        process.exit(1);
+      }
+
+      spinner.stop("Secret updated successfully");
+    } else {
+      // Secret doesn't exist, create it
+      const createResult =
+        await Bun.$`aws secretsmanager create-secret --name ${secretName} --secret-string ${jsonString} ${profileArgs} ${regionArgs}`.nothrow();
+
+      if (createResult.exitCode !== 0) {
+        spinner.stop("Failed to create secret");
+        p.cancel(`Error: ${createResult.stderr.toString()}`);
+        process.exit(1);
+      }
+
+      spinner.stop("Secret created successfully");
+    }
+
+    p.outro(`Secret '${secretName}' has been saved to AWS Secrets Manager`);
+  },
+});
+
+await cli(process.argv.slice(2), command, {
+  version: pkg.version,
+});

package/src/lib.ts

@@ -0,0 +1,90 @@
+import type { ArgSchema, ArgToken } from "gunshi";
+
+export function toKebabCase(str: string): string {
+  return str.replace(/([a-z])([A-Z])/g, "$1-$2").toLowerCase();
+}
+
+/**
+ * Validates that all provided flags are known options.
+ * @returns Error message if an unknown flag is found, null otherwise
+ */
+export function validateUnknownFlags(
+  tokens: ArgToken[],
+  args: Record<string, ArgSchema>,
+): string | null {
+  // Build set of known option names
+  const knownOptions = new Set<string>();
+
+  // Built-in options
+  knownOptions.add("help");
+  knownOptions.add("h");
+  knownOptions.add("version");
+  knownOptions.add("v");
+
+  // User-defined options
+  for (const [key, schema] of Object.entries(args)) {
+    knownOptions.add(key);
+    knownOptions.add(toKebabCase(key));
+
+    if (schema.short) {
+      knownOptions.add(schema.short);
+    }
+  }
+
+  // Check for unknown options
+  for (const token of tokens) {
+    if (token.kind === "option" && token.name) {
+      // Handle --no- prefix for negatable options
+      const name = token.name.startsWith("no-") ? token.name.slice(3) : token.name;
+
+      if (!knownOptions.has(name)) {
+        return `Unknown option: --${token.name}`;
+      }
+    }
+  }
+
+  return null;
+}
+
+export function parseEnvContent(content: string): Record<string, string> {
+  const result: Record<string, string> = {};
+
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+
+    // Skip empty lines and comments
+    if (trimmed === "" || trimmed.startsWith("#")) {
+      continue;
+    }
+
+    const equalIndex = trimmed.indexOf("=");
+    if (equalIndex === -1) {
+      continue;
+    }
+
+    const key = trimmed.slice(0, equalIndex).trim();
+    let value = trimmed.slice(equalIndex + 1).trim();
+
+    // Check if value is quoted
+    const isQuoted =
+      (value.startsWith('"') && value.endsWith('"')) ||
+      (value.startsWith("'") && value.endsWith("'"));
+
+    // Remove surrounding quotes if present
+    if (isQuoted) {
+      value = value.slice(1, -1);
+    } else {
+      // Remove inline comment for unquoted values
+      const commentIndex = value.indexOf("#");
+      if (commentIndex !== -1) {
+        value = value.slice(0, commentIndex).trim();
+      }
+    }
+
+    if (key) {
+      result[key] = value;
+    }
+  }
+
+  return result;
+}