env-secrets 0.5.1 → 0.5.3

package/.github/workflows/deploy-docs.yml

@@ -34,7 +34,7 @@ jobs:
         working-directory: website
         run: yarn build
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@v5
         with:
           path: website/build
 

package/README.md

@@ -246,6 +246,12 @@ env-secrets aws secret upsert --file .env --name app/dev --output json
 # {"NAME":"secret1"}
 ```
 
+`env-secrets aws secret create` also always stores `SecretString` as a JSON object:
+
+- object JSON input is preserved semantically as an object (formatting and key order may change)
+- dotenv-style input is converted into key/value pairs
+- scalar input is wrapped as `{"value":"..."}`.
+
 12. **Append/remove keys on an existing JSON secret:**
 
 ```bash

package/__e2e__/aws-exec-args.test.ts

@@ -1,4 +1,4 @@
-import { cliWithEnv } from './utils/test-utils';
+import { cliWithEnv, cliWithRealSpawn } from './utils/test-utils';
 import { registerAwsE2eContext } from './utils/aws-e2e-context';
 
 describe('AWS Program Execution CLI Args', () => {
@@ -42,3 +42,99 @@ describe('AWS Program Execution CLI Args', () => {
     expect(envVars.API_KEY).toBe('secret123');
   });
 });
+
+describe('AWS Real Spawn Execution (no NODE_ENV=test)', () => {
+  const { createTestSecret, getLocalStackEnv } = registerAwsE2eContext();
+
+  test('injected env vars are visible to the spawned child process (shell mode)', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-realspawn-${Date.now()}`,
+      value: '{"INJECTED_KEY": "injected_value"}',
+      description: 'Real spawn env injection test'
+    });
+
+    // printenv avoids any shell-quoting complexity in the test command string
+    const result = await cliWithRealSpawn(
+      ['aws', '-s', secret.prefixedName, '--', 'printenv', 'INJECTED_KEY'],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(0);
+    expect(result.stdout.trim()).toBe('injected_value');
+  });
+
+  test('exit code of child process is propagated on success', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-exitcode-ok-${Date.now()}`,
+      value: '{"DUMMY": "1"}',
+      description: 'Exit code propagation test (success)'
+    });
+
+    // Use --no-shell so node -e args are passed directly without shell re-parsing
+    const result = await cliWithRealSpawn(
+      [
+        'aws',
+        '-s',
+        secret.prefixedName,
+        '--no-shell',
+        '--',
+        'node',
+        '-e',
+        'process.exit(0)'
+      ],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(0);
+  });
+
+  test('exit code of child process is propagated on failure', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-exitcode-fail-${Date.now()}`,
+      value: '{"DUMMY": "1"}',
+      description: 'Exit code propagation test (failure)'
+    });
+
+    // Use --no-shell so node -e args are passed directly without shell re-parsing
+    const result = await cliWithRealSpawn(
+      [
+        'aws',
+        '-s',
+        secret.prefixedName,
+        '--no-shell',
+        '--',
+        'node',
+        '-e',
+        'process.exit(42)'
+      ],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(42);
+  });
+
+  test('--no-shell passes args directly and env is injected', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-noshell-${Date.now()}`,
+      value: '{"INJECTED_KEY": "direct_value"}',
+      description: 'No-shell spawn test'
+    });
+
+    // printenv avoids any shell-quoting complexity in the test command string
+    const result = await cliWithRealSpawn(
+      [
+        'aws',
+        '-s',
+        secret.prefixedName,
+        '--no-shell',
+        '--',
+        'printenv',
+        'INJECTED_KEY'
+      ],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(0);
+    expect(result.stdout.trim()).toBe('direct_value');
+  });
+});

package/__e2e__/aws-secret-lifecycle.test.ts

@@ -5,7 +5,8 @@ import * as path from 'path';
 import {
   cliWithEnv,
   cliWithEnvAndStdin,
-  cleanupTempFile
+  cleanupTempFile,
+  execAwslocalCommand
 } from './utils/test-utils';
 import { registerAwsE2eContext } from './utils/aws-e2e-context';
 
@@ -38,6 +39,14 @@ describe('AWS Secret Subcommand Lifecycle Args', () => {
     expect(getResult.stdout).toContain(secretName);
     expect(getResult.stdout).not.toContain('initial-value');
 
+    const createdSecret = await execAwslocalCommand(
+      `awslocal secretsmanager get-secret-value --secret-id "${secretName}" --region us-east-1 --query SecretString --output text`,
+      getLocalStackEnv()
+    );
+    expect(JSON.parse(createdSecret.stdout.trim())).toEqual({
+      value: 'initial-value'
+    });
+
     const deleteResult = await cliWithEnv(
       [
         'aws',
@@ -84,6 +93,39 @@ describe('AWS Secret Subcommand Lifecycle Args', () => {
     expect(deleteResult.code).toBe(0);
   });
 
+  test('should create a json secret object from stdin', async () => {
+    const secretName = `managed-secret-create-stdin-${Date.now()}`;
+
+    const createResult = await cliWithEnvAndStdin(
+      ['aws', 'secret', 'create', '-n', secretName, '--value-stdin'],
+      getLocalStackEnv(),
+      'stdin-create-value'
+    );
+    expect(createResult.code).toBe(0);
+
+    const createdSecret = await execAwslocalCommand(
+      `awslocal secretsmanager get-secret-value --secret-id "${secretName}" --region us-east-1 --query SecretString --output text`,
+      getLocalStackEnv()
+    );
+    expect(JSON.parse(createdSecret.stdout.trim())).toEqual({
+      value: 'stdin-create-value'
+    });
+
+    const deleteResult = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'delete',
+        '-n',
+        secretName,
+        '--force-delete-without-recovery',
+        '--yes'
+      ],
+      getLocalStackEnv()
+    );
+    expect(deleteResult.code).toBe(0);
+  });
+
   test('should create from a single-line env file and retrieve via aws -s', async () => {
     const secretName = `managed-secret-create-single-file-${Date.now()}`;
     const tempFile = path.join(
@@ -119,6 +161,14 @@ describe('AWS Secret Subcommand Lifecycle Args', () => {
     >;
     expect(envVars.GITHUB_PAT).toBe('github_pat_single_line');
 
+    const createdSecret = await execAwslocalCommand(
+      `awslocal secretsmanager get-secret-value --secret-id "${secretName}" --region us-east-1 --query SecretString --output text`,
+      getLocalStackEnv()
+    );
+    expect(JSON.parse(createdSecret.stdout.trim())).toEqual({
+      GITHUB_PAT: 'github_pat_single_line'
+    });
+
     const deleteResult = await cliWithEnv(
       [
         'aws',
@@ -176,6 +226,15 @@ describe('AWS Secret Subcommand Lifecycle Args', () => {
     expect(envVars.GITHUB_PAT).toBe('github_pat_multi_line');
     expect(envVars.API_URL).toBe('https://example.com');
 
+    const createdSecret = await execAwslocalCommand(
+      `awslocal secretsmanager get-secret-value --secret-id "${secretName}" --region us-east-1 --query SecretString --output text`,
+      getLocalStackEnv()
+    );
+    expect(JSON.parse(createdSecret.stdout.trim())).toEqual({
+      GITHUB_PAT: 'github_pat_multi_line',
+      API_URL: 'https://example.com'
+    });
+
     const deleteResult = await cliWithEnv(
       [
         'aws',

package/__e2e__/utils/test-utils.ts

@@ -654,6 +654,84 @@ export function restoreTestProfile(
   }
 }
 
+/**
+ * Like cliWithEnv but does NOT set NODE_ENV=test, so the real spawn path in
+ * src/index.ts is exercised instead of the early-return test branch.
+ */
+export async function cliWithRealSpawn(
+  args: string[],
+  env: Record<string, string>,
+  cwd = '.'
+): Promise<CliResult> {
+  return new Promise((resolve) => {
+    const cleanEnv = { ...process.env };
+    delete cleanEnv.AWS_PROFILE;
+    delete cleanEnv.AWS_DEFAULT_PROFILE;
+    delete cleanEnv.AWS_SESSION_TOKEN;
+    delete cleanEnv.AWS_SECURITY_TOKEN;
+    delete cleanEnv.AWS_ROLE_ARN;
+    delete cleanEnv.AWS_ROLE_SESSION_NAME;
+    delete cleanEnv.AWS_WEB_IDENTITY_TOKEN_FILE;
+    delete cleanEnv.AWS_WEB_IDENTITY_TOKEN;
+    // Deliberately omit NODE_ENV=test so real spawn is used
+    delete cleanEnv.NODE_ENV;
+
+    const defaultEnv = {
+      AWS_ENDPOINT_URL: process.env.LOCALSTACK_URL || 'http://localhost:4566',
+      AWS_ACCESS_KEY_ID: 'test',
+      AWS_SECRET_ACCESS_KEY: 'test',
+      AWS_DEFAULT_REGION: 'us-east-1',
+      AWS_REGION: 'us-east-1'
+    };
+
+    const envVars = { ...cleanEnv, ...defaultEnv, ...env };
+    const cliPath = path.resolve('./dist/index');
+    const spawnArgs = [cliPath, ...args];
+    const command = `node ${cliPath} ${args.join(' ')}`;
+
+    debugLog(`Running CLI command (real spawn): ${command}`);
+
+    const child = spawn('node', spawnArgs, { cwd, env: envVars });
+
+    let stdout = '';
+    let stderr = '';
+    child.stdout.on('data', (chunk: Buffer) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on('data', (chunk: Buffer) => {
+      stderr += chunk.toString();
+    });
+
+    child.on('close', (code: number | null, signal: NodeJS.Signals | null) => {
+      const exitCode = code ?? (signal ? 1 : 0);
+      const errorMessage = signal
+        ? `Process terminated by signal ${signal}`
+        : exitCode !== 0
+        ? `Process exited with code ${exitCode}`
+        : null;
+      const result = {
+        code: exitCode,
+        error: errorMessage ? new Error(errorMessage) : null,
+        stdout,
+        stderr
+      };
+
+      if (exitCode !== 0) {
+        debugError(
+          signal
+            ? `CLI command failed: terminated by signal ${signal}`
+            : `CLI command failed with code ${exitCode}`
+        );
+        debugError(`Command: ${command}`);
+        debugError(`Stdout: ${result.stdout}`);
+        debugError(`Stderr: ${result.stderr}`);
+      }
+
+      resolve(result);
+    });
+  });
+}
+
 export async function checkAwslocalInstalled(): Promise<void> {
   try {
     await execAwslocalCommand('awslocal --version', {});

package/__tests__/index.test.ts

@@ -39,6 +39,24 @@ const mockObjectToExport = objectToExport as jest.MockedFunction<
   typeof objectToExport
 >;
 
+// Build a ChildProcess-like mock that records event handlers
+function makeChildMock() {
+  const handlers: Record<string, ((...args: unknown[]) => void)[]> = {};
+  const child = {
+    stdio: 'inherit',
+    on: jest.fn((event: string, cb: (...args: unknown[]) => void) => {
+      if (!handlers[event]) handlers[event] = [];
+      handlers[event].push(cb);
+      return child;
+    }),
+    emit(event: string, ...args: unknown[]) {
+      (handlers[event] ?? []).forEach((cb) => cb(...args));
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  } as any;
+  return child;
+}
+
 describe('index.ts CLI functionality', () => {
   beforeEach(() => {
     jest.clearAllMocks();
@@ -94,43 +112,67 @@ describe('index.ts CLI functionality', () => {
       );
     });
 
-    it('should spawn a program when provided', async () => {
+    it('should spawn using shell (default) with joined command string', async () => {
       const mockEnv = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockEnv);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
 
       const program = ['node', 'script.js', 'arg1', 'arg2'];
-      const options = { secret: 'my-secret' };
+      const options = { secret: 'my-secret', shell: true };
 
-      // Simulate the action logic
       let env = await mockSecretsmanager(options);
       env = Object.assign({}, process.env, env);
 
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
         });
       }
 
-      expect(mockSpawn).toHaveBeenCalledWith(
-        'node',
-        ['script.js', 'arg1', 'arg2'],
-        {
-          stdio: 'inherit',
-          shell: true,
-          env: expect.objectContaining({
-            SECRET_KEY: 'secret_value'
-          })
+      expect(mockSpawn).toHaveBeenCalledWith('node script.js arg1 arg2', [], {
+        stdio: 'inherit',
+        shell: true,
+        env: expect.objectContaining({
+          SECRET_KEY: 'secret_value'
+        })
+      });
+    });
+
+    it('should spawn without shell when --no-shell is passed', async () => {
+      const mockEnv = { SECRET_KEY: 'secret_value' };
+      mockSecretsmanager.mockResolvedValue(mockEnv);
+
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
+
+      const program = ['node', 'script.js', 'arg1'];
+      const options = { secret: 'my-secret', shell: false };
+
+      let env = await mockSecretsmanager(options);
+      env = Object.assign({}, process.env, env);
+
+      if (program && program.length > 0) {
+        if (options.shell) {
+          mockSpawn(program.join(' '), [], {
+            stdio: 'inherit',
+            shell: true,
+            env
+          });
+        } else {
+          mockSpawn(program[0], program.slice(1), { stdio: 'inherit', env });
         }
-      );
+      }
+
+      expect(mockSpawn).toHaveBeenCalledWith('node', ['script.js', 'arg1'], {
+        stdio: 'inherit',
+        env: expect.objectContaining({
+          SECRET_KEY: 'secret_value'
+        })
+      });
     });
 
     it('should not spawn a program when no program is provided', async () => {
@@ -143,7 +185,7 @@ describe('index.ts CLI functionality', () => {
 
       const program: string[] = [];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -163,7 +205,7 @@ describe('index.ts CLI functionality', () => {
 
       const program: string[] = [];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -173,26 +215,21 @@ describe('index.ts CLI functionality', () => {
       expect(mockSpawn).not.toHaveBeenCalled();
     });
 
-    it('should handle single program argument', async () => {
+    it('should handle single program argument (shell mode)', async () => {
       const mockEnv = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockEnv);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
 
       const program = ['echo'];
-      const options = { secret: 'my-secret' };
+      const options = { secret: 'my-secret', shell: true };
 
-      // Simulate the action logic
       let env = await mockSecretsmanager(options);
       env = Object.assign({}, process.env, env);
 
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -219,13 +256,12 @@ describe('index.ts CLI functionality', () => {
 
       mockSecretsmanager.mockResolvedValue(mockSecrets);
 
-      // Simulate the action logic
       let env = await mockSecretsmanager({ secret: 'my-secret' });
       env = Object.assign({}, process.env, env);
 
       const program = ['echo'];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -247,13 +283,12 @@ describe('index.ts CLI functionality', () => {
     it('should handle secretsmanager returning empty object', async () => {
       mockSecretsmanager.mockResolvedValue({});
 
-      // Simulate the action logic
       let env = await mockSecretsmanager({ secret: 'my-secret' });
       env = Object.assign({}, process.env, env);
 
       const program = ['echo'];
       if (program && program.length > 0) {
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -276,6 +311,128 @@ describe('index.ts CLI functionality', () => {
         'AWS connection failed'
       );
     });
+
+    describe('ChildProcess error and exit handling', () => {
+      beforeEach(() => {
+        jest.spyOn(process, 'exit').mockImplementation(() => {
+          throw new Error('process.exit called');
+        });
+        jest.spyOn(console, 'error').mockImplementation(() => undefined);
+      });
+
+      afterEach(() => {
+        jest.restoreAllMocks();
+      });
+
+      it('should print error message and exit 1 on child process error', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        const program = ['nonexistent-cmd'];
+        mockSpawn(program.join(' '), [], {
+          stdio: 'inherit',
+          shell: true,
+          env
+        });
+
+        // Simulate attaching handlers as src/index.ts does
+        child.on('error', (err: Error) => {
+          // eslint-disable-next-line no-console
+          console.error(`Failed to start process: ${err.message}`);
+          process.exit(1);
+        });
+
+        expect(() => child.emit('error', new Error('spawn ENOENT'))).toThrow(
+          'process.exit called'
+        );
+
+        // eslint-disable-next-line no-console
+        expect(console.error).toHaveBeenCalledWith(
+          'Failed to start process: spawn ENOENT'
+        );
+        expect(process.exit).toHaveBeenCalledWith(1);
+      });
+
+      it('should propagate child exit code 0', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        mockSpawn(['node', '-e', '"process.exit(0)"'].join(' '), [], {
+          stdio: 'inherit',
+          shell: true,
+          env
+        });
+
+        child.on('exit', (code: number | null, signal: string | null) => {
+          process.exit(signal ? 1 : code ?? 0);
+        });
+
+        expect(() => child.emit('exit', 0, null)).toThrow(
+          'process.exit called'
+        );
+        expect(process.exit).toHaveBeenCalledWith(0);
+      });
+
+      it('should propagate non-zero child exit code', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        mockSpawn(['node', '-e', '"process.exit(42)"'].join(' '), [], {
+          stdio: 'inherit',
+          shell: true,
+          env
+        });
+
+        child.on('exit', (code: number | null, signal: string | null) => {
+          process.exit(signal ? 1 : code ?? 0);
+        });
+
+        expect(() => child.emit('exit', 42, null)).toThrow(
+          'process.exit called'
+        );
+        expect(process.exit).toHaveBeenCalledWith(42);
+      });
+
+      it('should exit 1 when child is killed by a signal', async () => {
+        const mockEnv = { SECRET_KEY: 'secret_value' };
+        mockSecretsmanager.mockResolvedValue(mockEnv);
+
+        const child = makeChildMock();
+        mockSpawn.mockReturnValue(child);
+
+        let env = await mockSecretsmanager({ secret: 'my-secret' });
+        env = Object.assign({}, process.env, env);
+
+        mockSpawn('sleep 10', [], { stdio: 'inherit', shell: true, env });
+
+        child.on('exit', (code: number | null, signal: string | null) => {
+          process.exit(signal ? 1 : code ?? 0);
+        });
+
+        expect(() => child.emit('exit', null, 'SIGTERM')).toThrow(
+          'process.exit called'
+        );
+        expect(process.exit).toHaveBeenCalledWith(1);
+      });
+    });
   });
 
   describe('Debug logging', () => {
@@ -314,12 +471,8 @@ describe('index.ts CLI functionality', () => {
       const mockEnv = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockEnv);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
 
       const program = ['node', 'script.js', 'arg1'];
 
@@ -331,7 +484,7 @@ describe('index.ts CLI functionality', () => {
         // Simulate debug logging
         mockDebugInstance(`${program[0]} ${program.slice(1).join(' ')}`);
 
-        mockSpawn(program[0], program.slice(1), {
+        mockSpawn(program.join(' '), [], {
           stdio: 'inherit',
           shell: true,
           env
@@ -438,16 +591,12 @@ describe('index.ts CLI functionality', () => {
       const mockSecrets = { SECRET_KEY: 'secret_value' };
       mockSecretsmanager.mockResolvedValue(mockSecrets);
 
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      const mockChildProcess = {
-        stdio: 'inherit'
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      } as any;
-      mockSpawn.mockReturnValue(mockChildProcess);
-
-      const options: { secret: string; output?: string } = {
-        secret: 'my-secret'
-        // No output option
+      const child = makeChildMock();
+      mockSpawn.mockReturnValue(child);
+
+      const options: { secret: string; output?: string; shell: boolean } = {
+        secret: 'my-secret',
+        shell: true
       };
 
       const program = ['echo', 'hello'];
@@ -474,7 +623,7 @@ describe('index.ts CLI functionality', () => {
         const env = Object.assign({}, process.env, secrets);
 
         if (program && program.length > 0) {
-          mockSpawn(program[0], program.slice(1), {
+          mockSpawn(program.join(' '), [], {
             stdio: 'inherit',
             shell: true,
             env
@@ -483,7 +632,7 @@ describe('index.ts CLI functionality', () => {
       }
 
       expect(mockSecretsmanager).toHaveBeenCalledWith(options);
-      expect(mockSpawn).toHaveBeenCalledWith('echo', ['hello'], {
+      expect(mockSpawn).toHaveBeenCalledWith('echo hello', [], {
         stdio: 'inherit',
         shell: true,
         env: expect.objectContaining({
@@ -538,9 +687,10 @@ describe('index.ts CLI functionality', () => {
       mockObjectToExport.mockReturnValue(mockEnvContent);
       mockExistsSync.mockReturnValue(false);
 
-      const options: { secret: string; output: string } = {
+      const options: { secret: string; output: string; shell: boolean } = {
         secret: 'my-secret',
-        output: '/tmp/secrets.env'
+        output: '/tmp/secrets.env',
+        shell: true
       };
 
       const program = ['echo', 'hello'];
@@ -566,7 +716,7 @@ describe('index.ts CLI functionality', () => {
         const env = Object.assign({}, process.env, secrets);
 
         if (program && program.length > 0) {
-          mockSpawn(program[0], program.slice(1), {
+          mockSpawn(program.join(' '), [], {
             stdio: 'inherit',
             shell: true,
             env

package/dist/index.js

@@ -43,6 +43,40 @@ const parseSecretJsonObject = (secretName, value) => {
     }
     return parsed;
 };
+const parseEnvToObject = (value) => {
+    try {
+        const parsed = (0, helpers_1.parseEnvSecrets)(value);
+        if (parsed.entries.length === 0) {
+            return undefined;
+        }
+        return Object.fromEntries(parsed.entries.map((entry) => [entry.key, entry.value]));
+    }
+    catch (_a) {
+        return undefined;
+    }
+};
+const toSecretJsonObject = (value) => {
+    try {
+        const parsed = JSON.parse(value);
+        if (parsed && !Array.isArray(parsed) && typeof parsed === 'object') {
+            return parsed;
+        }
+        if (typeof parsed === 'string') {
+            const envPayload = parseEnvToObject(parsed);
+            if (envPayload) {
+                return envPayload;
+            }
+        }
+        return { value: parsed };
+    }
+    catch (_a) {
+        const envPayload = parseEnvToObject(value);
+        if (envPayload) {
+            return envPayload;
+        }
+    }
+    return { value };
+};
 // main program
 program
     .name('env-secrets')
@@ -57,6 +91,7 @@ const awsCommand = program
     .option('-p, --profile <profile>', 'profile to use')
     .option('-r, --region <region>', 'region to use')
     .option('-o, --output <file>', 'output secrets to file instead of environment variables')
+    .option('--no-shell', 'run program directly without a shell (disables shell expansion)')
     .action((program, options) => __awaiter(void 0, void 0, void 0, function* () {
     if (!options.secret) {
         exitWithError(new Error('Missing required option --secret for this command.'));
@@ -89,10 +124,20 @@ const awsCommand = program
                 console.log(JSON.stringify(env));
                 return;
             }
-            (0, node_child_process_1.spawn)(program[0], program.slice(1), {
-                stdio: 'inherit',
-                shell: true,
-                env
+            const child = options.shell
+                ? (0, node_child_process_1.spawn)(program.join(' '), [], {
+                    stdio: 'inherit',
+                    shell: true,
+                    env
+                })
+                : (0, node_child_process_1.spawn)(program[0], program.slice(1), { stdio: 'inherit', env });
+            child.on('error', (err) => {
+                // eslint-disable-next-line no-console
+                console.error(`Failed to start process: ${err.message}`);
+                process.exit(1);
+            });
+            child.on('exit', (code, signal) => {
+                process.exit(signal ? 1 : code !== null && code !== void 0 ? code : 0);
             });
         }
     }
@@ -125,9 +170,10 @@ secretCommand
         if (!value) {
             throw new Error('Secret value is required. Provide --value, --value-stdin, or --file.');
         }
+        const payload = toSecretJsonObject(value);
         const result = yield (0, secretsmanager_admin_1.createSecret)({
             name: options.name,
-            value,
+            value: JSON.stringify(payload),
             description: options.description,
             kmsKeyId: options.kmsKeyId,
             tags: options.tag,

package/docker-compose.yaml

@@ -1,7 +1,7 @@
 services:
   localstack:
     container_name: 'localstack'
-    image: localstack/localstack:latest
+    image: localstack/localstack:3
     ports:
       - '4566:4566' # LocalStack Gateway
     environment:

package/docs/AWS.md

@@ -200,6 +200,12 @@ source secrets.env
      --output json
    ```
 
+   `create` always writes a JSON object:
+
+   - object JSON input is preserved semantically as an object (formatting and key order may change) (`{"API_KEY":"abc123"}`)
+   - dotenv-style input is converted (`KEY=value` -> `{"KEY":"value"}`)
+   - non-object/scalar input is wrapped (`super-secret-value` -> `{"value":"super-secret-value"}`)
+
 2. **Create from stdin (recommended for sensitive values):**
 
    ```bash
@@ -262,6 +268,7 @@ source secrets.env
 
 - `delete` requires `--yes`.
 - `create`/`update` accept `--value`, `--value-stdin`, or `--file` (use only one).
+- `create` always stores `SecretString` as a JSON object.
 - `append` and `remove` require the secret value to be a JSON object.
 - `upsert/import --file --name` parses `export KEY=value` and `KEY=value`, stores them as one JSON secret object, ignores blank lines/comments, and reports `created`, `updated`, `skipped`, and `failed`.
 - Use `--value-stdin` to avoid shell history leakage for sensitive values.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "env-secrets",
-  "version": "0.5.1",
+  "version": "0.5.3",
   "description": "get secrets from a secrets vault and inject them into the running environment",
   "main": "index.js",
   "author": "Mark C Allen (@markcallen)",
@@ -31,7 +31,7 @@
   },
   "devDependencies": {
     "@everydaydevopsio/ballast": "^3.2.1",
-    "@types/debug": "^4.1.12",
+    "@types/debug": "^4.1.13",
     "@types/jest": "^29.5.14",
     "@types/node": "^18.19.130",
     "@typescript-eslint/eslint-plugin": "^5.62.0",
@@ -53,9 +53,9 @@
     "typescript": "^4.9.5"
   },
   "dependencies": {
-    "@aws-sdk/client-secrets-manager": "^3.1004.0",
-    "@aws-sdk/client-sts": "^3.1004.0",
-    "@aws-sdk/credential-providers": "^3.1004.0",
+    "@aws-sdk/client-secrets-manager": "^3.1030.0",
+    "@aws-sdk/client-sts": "^3.1030.0",
+    "@aws-sdk/credential-providers": "^3.1030.0",
     "commander": "^9.5.0",
     "debug": "^4.4.3"
   },

package/src/index.ts

@@ -18,6 +18,7 @@ import {
 } from './vaults/secretsmanager-admin';
 import {
   asOutputFormat,
+  parseEnvSecrets,
   parseEnvSecretsFile,
   printData,
   parseRecoveryDays,
@@ -58,6 +59,48 @@ const parseSecretJsonObject = (
   return parsed as Record<string, unknown>;
 };
 
+const parseEnvToObject = (
+  value: string
+): Record<string, unknown> | undefined => {
+  try {
+    const parsed = parseEnvSecrets(value);
+    if (parsed.entries.length === 0) {
+      return undefined;
+    }
+
+    return Object.fromEntries(
+      parsed.entries.map((entry) => [entry.key, entry.value])
+    );
+  } catch {
+    return undefined;
+  }
+};
+
+const toSecretJsonObject = (value: string): Record<string, unknown> => {
+  try {
+    const parsed = JSON.parse(value) as unknown;
+    if (parsed && !Array.isArray(parsed) && typeof parsed === 'object') {
+      return parsed as Record<string, unknown>;
+    }
+
+    if (typeof parsed === 'string') {
+      const envPayload = parseEnvToObject(parsed);
+      if (envPayload) {
+        return envPayload;
+      }
+    }
+
+    return { value: parsed };
+  } catch {
+    const envPayload = parseEnvToObject(value);
+    if (envPayload) {
+      return envPayload;
+    }
+  }
+
+  return { value };
+};
+
 // main program
 program
   .name('env-secrets')
@@ -78,6 +121,10 @@ const awsCommand = program
     '-o, --output <file>',
     'output secrets to file instead of environment variables'
   )
+  .option(
+    '--no-shell',
+    'run program directly without a shell (disables shell expansion)'
+  )
   .action(async (program, options) => {
     if (!options.secret) {
       exitWithError(
@@ -120,10 +167,22 @@ const awsCommand = program
           return;
         }
 
-        spawn(program[0], program.slice(1), {
-          stdio: 'inherit',
-          shell: true,
-          env
+        const child = options.shell
+          ? spawn(program.join(' '), [], {
+              stdio: 'inherit',
+              shell: true,
+              env
+            })
+          : spawn(program[0], program.slice(1), { stdio: 'inherit', env });
+
+        child.on('error', (err) => {
+          // eslint-disable-next-line no-console
+          console.error(`Failed to start process: ${err.message}`);
+          process.exit(1);
+        });
+
+        child.on('exit', (code, signal) => {
+          process.exit(signal ? 1 : code ?? 0);
         });
       }
     }
@@ -166,9 +225,10 @@ secretCommand
         );
       }
 
+      const payload = toSecretJsonObject(value);
       const result = await createSecret({
         name: options.name,
-        value,
+        value: JSON.stringify(payload),
         description: options.description,
         kmsKeyId: options.kmsKeyId,
         tags: options.tag,