env-secrets 0.5.2 → 0.5.4

package/.github/workflows/unittests.yaml

@@ -39,7 +39,7 @@ jobs:
         run: yarn test:unit:coverage
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           directory: ./coverage

package/.rulesrc.json

@@ -0,0 +1,20 @@
+{
+  "targets": ["claude", "codex"],
+  "agents": [
+    "local-dev",
+    "docs",
+    "cicd",
+    "observability",
+    "publishing",
+    "git-hooks",
+    "linting",
+    "logging",
+    "testing"
+  ],
+  "skills": ["github-health-check"],
+  "ballastVersion": "5.9.2",
+  "languages": ["typescript"],
+  "paths": {
+    "typescript": ["."]
+  }
+}

package/AGENTS.md

@@ -156,3 +156,37 @@ yarn install
 brew install awscli-local
 yarn build
 ```
+
+## Installed agent rules
+
+Created by [Ballast](https://github.com/everydaydevopsio/ballast) v5.9.2. Do not edit this section.
+
+Read and follow these rule files in `.codex/rules/` when they apply:
+
+- `.codex/rules/local-dev-badges.md` — Add standard badges (CI, Release, License, GitHub Release, npm) to the top of README.md
+- `.codex/rules/local-dev-env.md` — Local development environment specialist - reproducible dev setup, DX, and documentation
+- `.codex/rules/local-dev-license.md` — License setup - ensure LICENSE file, package.json license field, and README reference (default MIT; overridable in AGENTS.md/CLAUDE.md)
+- `.codex/rules/local-dev-mcp.md` — Optional: use GitHub MCP and issues MCP (Jira/Linear/GitHub) for local-dev context
+- `.codex/rules/docs.md` — Documentation specialist - GitHub Markdown docs by default, or maintain existing Docusaurus sites with publish-docs automation
+- `.codex/rules/cicd.md` — CI/CD specialist - pipeline design, quality gates, and deployment
+- `.codex/rules/observability.md` — Observability specialist - logging, tracing, metrics, and SLOs
+- `.codex/rules/publishing-api.md` — REST API publishing specialist - Docker CD with Kubernetes health probes and Helm chart update
+- `.codex/rules/publishing-apps.md` — App publishing specialist - npmjs for Node apps, PyPI for Python apps, GitHub Releases for Go apps
+- `.codex/rules/publishing-apt.md` — APT/deb package publishing specialist - GoReleaser nfpms and GitHub Releases
+- `.codex/rules/publishing-brew.md` — Homebrew tap publishing specialist - GoReleaser brews block and tap repo setup
+- `.codex/rules/publishing-cli.md` — CLI publishing specialist - GoReleaser for Go, npmjs for Node, PyPI for Python
+- `.codex/rules/publishing-libraries.md` — Library publishing specialist - npmjs for TypeScript, PyPI for Python, GitHub tags/releases for Go
+- `.codex/rules/publishing-sdks.md` — SDK publishing specialist - npmjs for TypeScript SDKs, PyPI for Python SDKs, GitHub tags/releases for Go SDKs
+- `.codex/rules/publishing-web.md` — Web app publishing specialist - Docker to GHCR/Docker Hub with Helm chart CD on push to main
+- `.codex/rules/git-hooks.md` — Git hook specialist - configure pre-commit, pre-push, and Husky workflows that match the repository layout
+- `.codex/rules/typescript-linting.md` — TypeScript linting specialist - implements comprehensive linting and code formatting for TypeScript/JavaScript projects
+- `.codex/rules/typescript-logging.md` — Centralized logging specialist - configures Pino with Fluentd for Node/Next.js, and pino-browser to /api/logs
+- `.codex/rules/typescript-testing.md` — Testing specialist - sets up Jest (default) or Vitest for Vite projects, 50% coverage, and test step in build GitHub Action
+
+## Installed skills
+
+Created by [Ballast](https://github.com/everydaydevopsio/ballast) v5.9.2. Do not edit this section.
+
+Read and use these skill files in `.codex/rules/` when they are relevant:
+
+- `.codex/rules/github-health-check.md` — Run a comprehensive GitHub repository health check. Use this skill whenever the user asks to: check GitHub health, audit the repo, check CI status, review open PRs, merge Dependabot PRs, check code coverage, check GitHub Code Quality, check GitHub security feature enablement, check security advisories, check Dependabot alerts, check code scanning alerts, check secret scanning alerts, check Snyk integration, keep GitHub in good shape, or any variation of "how is the repo doing". Also trigger for: "check dependabot PRs", "any PRs to merge", "check branch status", "repo health", "GitHub status check", "what needs attention in GitHub", "tidy up GitHub".

package/CLAUDE.md

@@ -0,0 +1,58 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code for working in this repository.
+
+## Repository Facts
+
+Use this section for durable repo-specific facts that agents repeatedly need. Prefer facts stored here over re-deriving them with shell commands on every task.
+
+Keep only stable, reviewable metadata here. Do not store secrets, credentials, or ephemeral runtime state.
+
+Suggested facts to record:
+
+- Canonical GitHub repo: `<OWNER/REPO>`
+- Default branch: `<main>`
+- Primary package manager: `<pnpm | npm | yarn | uv | go>`
+- Version-file locations agents should check first: `<.nvmrc, packageManager, pyproject.toml, go.mod, etc.>`
+- Canonical config files: `<paths agents should read before falling back to discovery>`
+- Primary CI workflows: `<workflow filenames>`
+- Primary release/publish workflows: `<workflow filenames>`
+- Preferred build/test/lint/format/coverage commands: `<commands>`
+- Coverage threshold: `<value>`
+- Generated or protected paths agents should avoid editing directly: `<paths>`
+
+Update this section when those facts change. If live runtime state is required, discover it separately instead of treating it as a durable repo fact.
+
+## Installed agent rules
+
+Created by [Ballast](https://github.com/everydaydevopsio/ballast) v5.9.2. Do not edit this section.
+
+Read and follow these rule files in `.claude/rules/` when they apply:
+
+- `.claude/rules/local-dev-badges.md` — Add standard badges (CI, Release, License, GitHub Release, npm) to the top of README.md
+- `.claude/rules/local-dev-env.md` — Local development environment specialist - reproducible dev setup, DX, and documentation
+- `.claude/rules/local-dev-license.md` — License setup - ensure LICENSE file, package.json license field, and README reference (default MIT; overridable in AGENTS.md/CLAUDE.md)
+- `.claude/rules/local-dev-mcp.md` — Optional: use GitHub MCP and issues MCP (Jira/Linear/GitHub) for local-dev context
+- `.claude/rules/docs.md` — Documentation specialist - GitHub Markdown docs by default, or maintain existing Docusaurus sites with publish-docs automation
+- `.claude/rules/cicd.md` — CI/CD specialist - pipeline design, quality gates, and deployment
+- `.claude/rules/observability.md` — Observability specialist - logging, tracing, metrics, and SLOs
+- `.claude/rules/publishing-api.md` — REST API publishing specialist - Docker CD with Kubernetes health probes and Helm chart update
+- `.claude/rules/publishing-apps.md` — App publishing specialist - npmjs for Node apps, PyPI for Python apps, GitHub Releases for Go apps
+- `.claude/rules/publishing-apt.md` — APT/deb package publishing specialist - GoReleaser nfpms and GitHub Releases
+- `.claude/rules/publishing-brew.md` — Homebrew tap publishing specialist - GoReleaser brews block and tap repo setup
+- `.claude/rules/publishing-cli.md` — CLI publishing specialist - GoReleaser for Go, npmjs for Node, PyPI for Python
+- `.claude/rules/publishing-libraries.md` — Library publishing specialist - npmjs for TypeScript, PyPI for Python, GitHub tags/releases for Go
+- `.claude/rules/publishing-sdks.md` — SDK publishing specialist - npmjs for TypeScript SDKs, PyPI for Python SDKs, GitHub tags/releases for Go SDKs
+- `.claude/rules/publishing-web.md` — Web app publishing specialist - Docker to GHCR/Docker Hub with Helm chart CD on push to main
+- `.claude/rules/git-hooks.md` — Git hook specialist - configure pre-commit, pre-push, and Husky workflows that match the repository layout
+- `.claude/rules/typescript-linting.md` — TypeScript linting specialist - implements comprehensive linting and code formatting for TypeScript/JavaScript projects
+- `.claude/rules/typescript-logging.md` — Centralized logging specialist - configures Pino with Fluentd for Node/Next.js, and pino-browser to /api/logs
+- `.claude/rules/typescript-testing.md` — Testing specialist - sets up Jest (default) or Vitest for Vite projects, 50% coverage, and test step in build GitHub Action
+
+## Installed skills
+
+Created by [Ballast](https://github.com/everydaydevopsio/ballast) v5.9.2. Do not edit this section.
+
+Read and use these skill files in `.claude/skills/` when they are relevant:
+
+- `.claude/skills/github-health-check.skill` — Run a comprehensive GitHub repository health check. Use this skill whenever the user asks to: check GitHub health, audit the repo, check CI status, review open PRs, merge Dependabot PRs, check code coverage, check GitHub Code Quality, check GitHub security feature enablement, check security advisories, check Dependabot alerts, check code scanning alerts, check secret scanning alerts, check Snyk integration, keep GitHub in good shape, or any variation of "how is the repo doing". Also trigger for: "check dependabot PRs", "any PRs to merge", "check branch status", "repo health", "GitHub status check", "what needs attention in GitHub", "tidy up GitHub".

package/README.md

@@ -101,9 +101,10 @@ env-secrets aws -s my-app-secrets -r us-east-1 -- node app.js
 - `-r, --region <region>` (optional): AWS region where the secret is stored. If not provided, uses `AWS_DEFAULT_REGION` environment variable
 - `-p, --profile <profile>` (optional): Local AWS profile to use. If not provided, uses `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables
 - `-o, --output <file>` (optional): Output secrets to a file instead of injecting into environment variables. File will be created with 0400 permissions and will not overwrite existing files
+- `--no-shell` (optional): Run the program directly without a shell wrapper. Disables shell expansion — use when you do not need `$VAR` interpolation in arguments
 - `-- <program-to-run>`: The program to run with the injected environment variables (only used when `-o` is not specified)
 
-For `aws secret` management subcommands (`create`, `update`, `append`, `remove`, `upsert`/`import`, `list`, `get`, `delete`), use:
+For `aws secret` management subcommands (`create`, `update`, `upsert`/`import`, `append`, `remove`, `list`, `get`, `value`, `delete`), use:
 
 - `-r, --region <region>` to target a specific region
 - `-p, --profile <profile>` to select credentials profile
@@ -111,8 +112,8 @@ For `aws secret` management subcommands (`create`, `update`, `append`, `remove`,
 
 These options are honored consistently on `aws secret` subcommands.
 
-`env-secrets aws -s` is for fetching/injecting secret values into a child process.  
-`env-secrets aws secret ...` is for lifecycle management commands (`create`, `update`, `append`, `remove`, `upsert`/`import`, `list`, `get`, `delete`).
+`env-secrets aws -s` is for fetching/injecting secret values into a child process. Use `--no-shell` to run the program directly without a shell wrapper (disables shell expansion).  
+`env-secrets aws secret ...` is for lifecycle management commands (`create`, `update`, `upsert`/`import`, `append`, `remove`, `list`, `get`, `value`, `delete`).
 
 #### Examples
 
@@ -262,6 +263,19 @@ env-secrets aws secret append -n app/dev --key JIRA_EMAIL_TOKEN -v blah --output
 env-secrets aws secret remove -n app/dev --key API_KEY --key OLD_TOKEN --output json
 ```
 
+13. **View the values of a secret:**
+
+```bash
+# Table output — values masked as **** by default
+env-secrets aws secret value -n app/dev -r us-east-1
+
+# Reveal actual values (warning printed to stderr)
+env-secrets aws secret value -n app/dev -r us-east-1 --reveal
+
+# JSON output — full values, suitable for scripting (warns if stdout is a terminal)
+env-secrets aws secret value -n app/dev -r us-east-1 --output json
+```
+
 ## Security Considerations
 
 - 🔐 **Credential Management**: The tool respects AWS credential precedence (environment variables, IAM roles, profiles)

package/__e2e__/aws-exec-args.test.ts

@@ -1,4 +1,4 @@
-import { cliWithEnv } from './utils/test-utils';
+import { cliWithEnv, cliWithRealSpawn } from './utils/test-utils';
 import { registerAwsE2eContext } from './utils/aws-e2e-context';
 
 describe('AWS Program Execution CLI Args', () => {
@@ -42,3 +42,99 @@ describe('AWS Program Execution CLI Args', () => {
     expect(envVars.API_KEY).toBe('secret123');
   });
 });
+
+describe('AWS Real Spawn Execution (no NODE_ENV=test)', () => {
+  const { createTestSecret, getLocalStackEnv } = registerAwsE2eContext();
+
+  test('injected env vars are visible to the spawned child process (shell mode)', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-realspawn-${Date.now()}`,
+      value: '{"INJECTED_KEY": "injected_value"}',
+      description: 'Real spawn env injection test'
+    });
+
+    // printenv avoids any shell-quoting complexity in the test command string
+    const result = await cliWithRealSpawn(
+      ['aws', '-s', secret.prefixedName, '--', 'printenv', 'INJECTED_KEY'],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(0);
+    expect(result.stdout.trim()).toBe('injected_value');
+  });
+
+  test('exit code of child process is propagated on success', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-exitcode-ok-${Date.now()}`,
+      value: '{"DUMMY": "1"}',
+      description: 'Exit code propagation test (success)'
+    });
+
+    // Use --no-shell so node -e args are passed directly without shell re-parsing
+    const result = await cliWithRealSpawn(
+      [
+        'aws',
+        '-s',
+        secret.prefixedName,
+        '--no-shell',
+        '--',
+        'node',
+        '-e',
+        'process.exit(0)'
+      ],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(0);
+  });
+
+  test('exit code of child process is propagated on failure', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-exitcode-fail-${Date.now()}`,
+      value: '{"DUMMY": "1"}',
+      description: 'Exit code propagation test (failure)'
+    });
+
+    // Use --no-shell so node -e args are passed directly without shell re-parsing
+    const result = await cliWithRealSpawn(
+      [
+        'aws',
+        '-s',
+        secret.prefixedName,
+        '--no-shell',
+        '--',
+        'node',
+        '-e',
+        'process.exit(42)'
+      ],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(42);
+  });
+
+  test('--no-shell passes args directly and env is injected', async () => {
+    const secret = await createTestSecret({
+      name: `test-secret-noshell-${Date.now()}`,
+      value: '{"INJECTED_KEY": "direct_value"}',
+      description: 'No-shell spawn test'
+    });
+
+    // printenv avoids any shell-quoting complexity in the test command string
+    const result = await cliWithRealSpawn(
+      [
+        'aws',
+        '-s',
+        secret.prefixedName,
+        '--no-shell',
+        '--',
+        'printenv',
+        'INJECTED_KEY'
+      ],
+      getLocalStackEnv()
+    );
+
+    expect(result.code).toBe(0);
+    expect(result.stdout.trim()).toBe('direct_value');
+  });
+});

package/__e2e__/aws-secret-value-args.test.ts

@@ -0,0 +1,142 @@
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+
+import { cliWithEnv, cleanupTempFile } from './utils/test-utils';
+import { registerAwsE2eContext } from './utils/aws-e2e-context';
+
+describe('AWS Secret Value CLI Args', () => {
+  const { getLocalStackEnv } = registerAwsE2eContext();
+
+  test('should show masked values by default (table output)', async () => {
+    const secretName = `e2e-value-masked-${Date.now()}`;
+    const tempFile = path.join(
+      os.tmpdir(),
+      `env-secrets-value-${Date.now()}.env`
+    );
+    fs.writeFileSync(tempFile, 'DB_PASSWORD=super-secret\nAPI_KEY=abc123');
+
+    const createResult = await cliWithEnv(
+      ['aws', 'secret', 'upsert', '--file', tempFile, '--name', secretName],
+      getLocalStackEnv()
+    );
+    expect(createResult.code).toBe(0);
+
+    const valueResult = await cliWithEnv(
+      ['aws', 'secret', 'value', '-n', secretName],
+      getLocalStackEnv()
+    );
+    expect(valueResult.code).toBe(0);
+    expect(valueResult.stdout).toContain('DB_PASSWORD');
+    expect(valueResult.stdout).toContain('API_KEY');
+    expect(valueResult.stdout).toContain('****');
+    expect(valueResult.stdout).not.toContain('super-secret');
+    expect(valueResult.stdout).not.toContain('abc123');
+
+    const deleteResult1 = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'delete',
+        '-n',
+        secretName,
+        '--force-delete-without-recovery',
+        '--yes'
+      ],
+      getLocalStackEnv()
+    );
+    expect(deleteResult1.code).toBe(0);
+    cleanupTempFile(tempFile);
+  });
+
+  test('should reveal values with --reveal flag and warn on stderr', async () => {
+    const secretName = `e2e-value-reveal-${Date.now()}`;
+    const tempFile = path.join(
+      os.tmpdir(),
+      `env-secrets-reveal-${Date.now()}.env`
+    );
+    fs.writeFileSync(tempFile, 'DB_PASSWORD=super-secret\nAPI_KEY=abc123');
+
+    const createResult = await cliWithEnv(
+      ['aws', 'secret', 'upsert', '--file', tempFile, '--name', secretName],
+      getLocalStackEnv()
+    );
+    expect(createResult.code).toBe(0);
+
+    const valueResult = await cliWithEnv(
+      ['aws', 'secret', 'value', '-n', secretName, '--reveal'],
+      getLocalStackEnv()
+    );
+    expect(valueResult.code).toBe(0);
+    expect(valueResult.stdout).toContain('DB_PASSWORD');
+    expect(valueResult.stdout).toContain('super-secret');
+    expect(valueResult.stdout).toContain('API_KEY');
+    expect(valueResult.stdout).toContain('abc123');
+    expect(valueResult.stderr).toContain(
+      'Warning: displaying sensitive secret values.'
+    );
+
+    const deleteResult2 = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'delete',
+        '-n',
+        secretName,
+        '--force-delete-without-recovery',
+        '--yes'
+      ],
+      getLocalStackEnv()
+    );
+    expect(deleteResult2.code).toBe(0);
+    cleanupTempFile(tempFile);
+  });
+
+  test('should output full values as JSON without --reveal', async () => {
+    const secretName = `e2e-value-json-${Date.now()}`;
+    const tempFile = path.join(
+      os.tmpdir(),
+      `env-secrets-json-${Date.now()}.env`
+    );
+    fs.writeFileSync(tempFile, 'DB_PASSWORD=super-secret\nAPI_KEY=abc123');
+
+    const createResult = await cliWithEnv(
+      ['aws', 'secret', 'upsert', '--file', tempFile, '--name', secretName],
+      getLocalStackEnv()
+    );
+    expect(createResult.code).toBe(0);
+
+    const valueResult = await cliWithEnv(
+      ['aws', 'secret', 'value', '-n', secretName, '--output', 'json'],
+      getLocalStackEnv()
+    );
+    expect(valueResult.code).toBe(0);
+    const parsed = JSON.parse(valueResult.stdout) as Record<string, string>;
+    expect(parsed.DB_PASSWORD).toBe('super-secret');
+    expect(parsed.API_KEY).toBe('abc123');
+
+    const deleteResult3 = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'delete',
+        '-n',
+        secretName,
+        '--force-delete-without-recovery',
+        '--yes'
+      ],
+      getLocalStackEnv()
+    );
+    expect(deleteResult3.code).toBe(0);
+    cleanupTempFile(tempFile);
+  });
+
+  test('should fail for a non-existent secret', async () => {
+    const valueResult = await cliWithEnv(
+      ['aws', 'secret', 'value', '-n', 'does-not-exist-e2e'],
+      getLocalStackEnv()
+    );
+    expect(valueResult.code).not.toBe(0);
+    expect(valueResult.stderr).toContain('not found');
+  });
+});

package/__e2e__/utils/test-utils.ts

@@ -654,6 +654,84 @@ export function restoreTestProfile(
   }
 }
 
+/**
+ * Like cliWithEnv but does NOT set NODE_ENV=test, so the real spawn path in
+ * src/index.ts is exercised instead of the early-return test branch.
+ */
+export async function cliWithRealSpawn(
+  args: string[],
+  env: Record<string, string>,
+  cwd = '.'
+): Promise<CliResult> {
+  return new Promise((resolve) => {
+    const cleanEnv = { ...process.env };
+    delete cleanEnv.AWS_PROFILE;
+    delete cleanEnv.AWS_DEFAULT_PROFILE;
+    delete cleanEnv.AWS_SESSION_TOKEN;
+    delete cleanEnv.AWS_SECURITY_TOKEN;
+    delete cleanEnv.AWS_ROLE_ARN;
+    delete cleanEnv.AWS_ROLE_SESSION_NAME;
+    delete cleanEnv.AWS_WEB_IDENTITY_TOKEN_FILE;
+    delete cleanEnv.AWS_WEB_IDENTITY_TOKEN;
+    // Deliberately omit NODE_ENV=test so real spawn is used
+    delete cleanEnv.NODE_ENV;
+
+    const defaultEnv = {
+      AWS_ENDPOINT_URL: process.env.LOCALSTACK_URL || 'http://localhost:4566',
+      AWS_ACCESS_KEY_ID: 'test',
+      AWS_SECRET_ACCESS_KEY: 'test',
+      AWS_DEFAULT_REGION: 'us-east-1',
+      AWS_REGION: 'us-east-1'
+    };
+
+    const envVars = { ...cleanEnv, ...defaultEnv, ...env };
+    const cliPath = path.resolve('./dist/index');
+    const spawnArgs = [cliPath, ...args];
+    const command = `node ${cliPath} ${args.join(' ')}`;
+
+    debugLog(`Running CLI command (real spawn): ${command}`);
+
+    const child = spawn('node', spawnArgs, { cwd, env: envVars });
+
+    let stdout = '';
+    let stderr = '';
+    child.stdout.on('data', (chunk: Buffer) => {
+      stdout += chunk.toString();
+    });
+    child.stderr.on('data', (chunk: Buffer) => {
+      stderr += chunk.toString();
+    });
+
+    child.on('close', (code: number | null, signal: NodeJS.Signals | null) => {
+      const exitCode = code ?? (signal ? 1 : 0);
+      const errorMessage = signal
+        ? `Process terminated by signal ${signal}`
+        : exitCode !== 0
+        ? `Process exited with code ${exitCode}`
+        : null;
+      const result = {
+        code: exitCode,
+        error: errorMessage ? new Error(errorMessage) : null,
+        stdout,
+        stderr
+      };
+
+      if (exitCode !== 0) {
+        debugError(
+          signal
+            ? `CLI command failed: terminated by signal ${signal}`
+            : `CLI command failed with code ${exitCode}`
+        );
+        debugError(`Command: ${command}`);
+        debugError(`Stdout: ${result.stdout}`);
+        debugError(`Stderr: ${result.stderr}`);
+      }
+
+      resolve(result);
+    });
+  });
+}
+
 export async function checkAwslocalInstalled(): Promise<void> {
   try {
     await execAwslocalCommand('awslocal --version', {});

package/__tests__/cli/helpers.test.ts

@@ -11,6 +11,7 @@ import {
   readStdin,
   renderTable,
   resolveAwsScope,
+  resolveOutputFormat,
   resolveSecretValue
 } from '../../src/cli/helpers';
 
@@ -214,4 +215,38 @@ describe('cli/helpers', () => {
       region: 'us-west-2'
     });
   });
+
+  describe('resolveOutputFormat', () => {
+    it('uses explicit local output option', () => {
+      expect(resolveOutputFormat({ output: 'json' })).toBe('json');
+      expect(resolveOutputFormat({ output: 'table' })).toBe('table');
+    });
+
+    it('throws for invalid local output option', () => {
+      expect(() => resolveOutputFormat({ output: 'xml' })).toThrow(
+        'Invalid output format'
+      );
+    });
+
+    it('inherits json or table from global options', () => {
+      const jsonCmd = { optsWithGlobals: () => ({ output: 'json' }) };
+      const tableCmd = { optsWithGlobals: () => ({ output: 'table' }) };
+      expect(resolveOutputFormat({}, jsonCmd)).toBe('json');
+      expect(resolveOutputFormat({}, tableCmd)).toBe('table');
+    });
+
+    it('ignores a file path in global output and defaults to table', () => {
+      const command = { optsWithGlobals: () => ({ output: 'secrets.env' }) };
+      expect(resolveOutputFormat({}, command)).toBe('table');
+    });
+
+    it('defaults to table when no options are provided', () => {
+      expect(resolveOutputFormat({})).toBe('table');
+    });
+
+    it('prefers local option over global option', () => {
+      const command = { optsWithGlobals: () => ({ output: 'json' }) };
+      expect(resolveOutputFormat({ output: 'table' }, command)).toBe('table');
+    });
+  });
 });