env-secrets 0.5.3 → 0.5.4

package/.rulesrc.json

@@ -0,0 +1,20 @@
+{
+  "targets": ["claude", "codex"],
+  "agents": [
+    "local-dev",
+    "docs",
+    "cicd",
+    "observability",
+    "publishing",
+    "git-hooks",
+    "linting",
+    "logging",
+    "testing"
+  ],
+  "skills": ["github-health-check"],
+  "ballastVersion": "5.9.2",
+  "languages": ["typescript"],
+  "paths": {
+    "typescript": ["."]
+  }
+}

package/AGENTS.md

@@ -156,3 +156,37 @@ yarn install
 brew install awscli-local
 yarn build
 ```
+
+## Installed agent rules
+
+Created by [Ballast](https://github.com/everydaydevopsio/ballast) v5.9.2. Do not edit this section.
+
+Read and follow these rule files in `.codex/rules/` when they apply:
+
+- `.codex/rules/local-dev-badges.md` — Add standard badges (CI, Release, License, GitHub Release, npm) to the top of README.md
+- `.codex/rules/local-dev-env.md` — Local development environment specialist - reproducible dev setup, DX, and documentation
+- `.codex/rules/local-dev-license.md` — License setup - ensure LICENSE file, package.json license field, and README reference (default MIT; overridable in AGENTS.md/CLAUDE.md)
+- `.codex/rules/local-dev-mcp.md` — Optional: use GitHub MCP and issues MCP (Jira/Linear/GitHub) for local-dev context
+- `.codex/rules/docs.md` — Documentation specialist - GitHub Markdown docs by default, or maintain existing Docusaurus sites with publish-docs automation
+- `.codex/rules/cicd.md` — CI/CD specialist - pipeline design, quality gates, and deployment
+- `.codex/rules/observability.md` — Observability specialist - logging, tracing, metrics, and SLOs
+- `.codex/rules/publishing-api.md` — REST API publishing specialist - Docker CD with Kubernetes health probes and Helm chart update
+- `.codex/rules/publishing-apps.md` — App publishing specialist - npmjs for Node apps, PyPI for Python apps, GitHub Releases for Go apps
+- `.codex/rules/publishing-apt.md` — APT/deb package publishing specialist - GoReleaser nfpms and GitHub Releases
+- `.codex/rules/publishing-brew.md` — Homebrew tap publishing specialist - GoReleaser brews block and tap repo setup
+- `.codex/rules/publishing-cli.md` — CLI publishing specialist - GoReleaser for Go, npmjs for Node, PyPI for Python
+- `.codex/rules/publishing-libraries.md` — Library publishing specialist - npmjs for TypeScript, PyPI for Python, GitHub tags/releases for Go
+- `.codex/rules/publishing-sdks.md` — SDK publishing specialist - npmjs for TypeScript SDKs, PyPI for Python SDKs, GitHub tags/releases for Go SDKs
+- `.codex/rules/publishing-web.md` — Web app publishing specialist - Docker to GHCR/Docker Hub with Helm chart CD on push to main
+- `.codex/rules/git-hooks.md` — Git hook specialist - configure pre-commit, pre-push, and Husky workflows that match the repository layout
+- `.codex/rules/typescript-linting.md` — TypeScript linting specialist - implements comprehensive linting and code formatting for TypeScript/JavaScript projects
+- `.codex/rules/typescript-logging.md` — Centralized logging specialist - configures Pino with Fluentd for Node/Next.js, and pino-browser to /api/logs
+- `.codex/rules/typescript-testing.md` — Testing specialist - sets up Jest (default) or Vitest for Vite projects, 50% coverage, and test step in build GitHub Action
+
+## Installed skills
+
+Created by [Ballast](https://github.com/everydaydevopsio/ballast) v5.9.2. Do not edit this section.
+
+Read and use these skill files in `.codex/rules/` when they are relevant:
+
+- `.codex/rules/github-health-check.md` — Run a comprehensive GitHub repository health check. Use this skill whenever the user asks to: check GitHub health, audit the repo, check CI status, review open PRs, merge Dependabot PRs, check code coverage, check GitHub Code Quality, check GitHub security feature enablement, check security advisories, check Dependabot alerts, check code scanning alerts, check secret scanning alerts, check Snyk integration, keep GitHub in good shape, or any variation of "how is the repo doing". Also trigger for: "check dependabot PRs", "any PRs to merge", "check branch status", "repo health", "GitHub status check", "what needs attention in GitHub", "tidy up GitHub".

package/CLAUDE.md

@@ -0,0 +1,58 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code for working in this repository.
+
+## Repository Facts
+
+Use this section for durable repo-specific facts that agents repeatedly need. Prefer facts stored here over re-deriving them with shell commands on every task.
+
+Keep only stable, reviewable metadata here. Do not store secrets, credentials, or ephemeral runtime state.
+
+Suggested facts to record:
+
+- Canonical GitHub repo: `<OWNER/REPO>`
+- Default branch: `<main>`
+- Primary package manager: `<pnpm | npm | yarn | uv | go>`
+- Version-file locations agents should check first: `<.nvmrc, packageManager, pyproject.toml, go.mod, etc.>`
+- Canonical config files: `<paths agents should read before falling back to discovery>`
+- Primary CI workflows: `<workflow filenames>`
+- Primary release/publish workflows: `<workflow filenames>`
+- Preferred build/test/lint/format/coverage commands: `<commands>`
+- Coverage threshold: `<value>`
+- Generated or protected paths agents should avoid editing directly: `<paths>`
+
+Update this section when those facts change. If live runtime state is required, discover it separately instead of treating it as a durable repo fact.
+
+## Installed agent rules
+
+Created by [Ballast](https://github.com/everydaydevopsio/ballast) v5.9.2. Do not edit this section.
+
+Read and follow these rule files in `.claude/rules/` when they apply:
+
+- `.claude/rules/local-dev-badges.md` — Add standard badges (CI, Release, License, GitHub Release, npm) to the top of README.md
+- `.claude/rules/local-dev-env.md` — Local development environment specialist - reproducible dev setup, DX, and documentation
+- `.claude/rules/local-dev-license.md` — License setup - ensure LICENSE file, package.json license field, and README reference (default MIT; overridable in AGENTS.md/CLAUDE.md)
+- `.claude/rules/local-dev-mcp.md` — Optional: use GitHub MCP and issues MCP (Jira/Linear/GitHub) for local-dev context
+- `.claude/rules/docs.md` — Documentation specialist - GitHub Markdown docs by default, or maintain existing Docusaurus sites with publish-docs automation
+- `.claude/rules/cicd.md` — CI/CD specialist - pipeline design, quality gates, and deployment
+- `.claude/rules/observability.md` — Observability specialist - logging, tracing, metrics, and SLOs
+- `.claude/rules/publishing-api.md` — REST API publishing specialist - Docker CD with Kubernetes health probes and Helm chart update
+- `.claude/rules/publishing-apps.md` — App publishing specialist - npmjs for Node apps, PyPI for Python apps, GitHub Releases for Go apps
+- `.claude/rules/publishing-apt.md` — APT/deb package publishing specialist - GoReleaser nfpms and GitHub Releases
+- `.claude/rules/publishing-brew.md` — Homebrew tap publishing specialist - GoReleaser brews block and tap repo setup
+- `.claude/rules/publishing-cli.md` — CLI publishing specialist - GoReleaser for Go, npmjs for Node, PyPI for Python
+- `.claude/rules/publishing-libraries.md` — Library publishing specialist - npmjs for TypeScript, PyPI for Python, GitHub tags/releases for Go
+- `.claude/rules/publishing-sdks.md` — SDK publishing specialist - npmjs for TypeScript SDKs, PyPI for Python SDKs, GitHub tags/releases for Go SDKs
+- `.claude/rules/publishing-web.md` — Web app publishing specialist - Docker to GHCR/Docker Hub with Helm chart CD on push to main
+- `.claude/rules/git-hooks.md` — Git hook specialist - configure pre-commit, pre-push, and Husky workflows that match the repository layout
+- `.claude/rules/typescript-linting.md` — TypeScript linting specialist - implements comprehensive linting and code formatting for TypeScript/JavaScript projects
+- `.claude/rules/typescript-logging.md` — Centralized logging specialist - configures Pino with Fluentd for Node/Next.js, and pino-browser to /api/logs
+- `.claude/rules/typescript-testing.md` — Testing specialist - sets up Jest (default) or Vitest for Vite projects, 50% coverage, and test step in build GitHub Action
+
+## Installed skills
+
+Created by [Ballast](https://github.com/everydaydevopsio/ballast) v5.9.2. Do not edit this section.
+
+Read and use these skill files in `.claude/skills/` when they are relevant:
+
+- `.claude/skills/github-health-check.skill` — Run a comprehensive GitHub repository health check. Use this skill whenever the user asks to: check GitHub health, audit the repo, check CI status, review open PRs, merge Dependabot PRs, check code coverage, check GitHub Code Quality, check GitHub security feature enablement, check security advisories, check Dependabot alerts, check code scanning alerts, check secret scanning alerts, check Snyk integration, keep GitHub in good shape, or any variation of "how is the repo doing". Also trigger for: "check dependabot PRs", "any PRs to merge", "check branch status", "repo health", "GitHub status check", "what needs attention in GitHub", "tidy up GitHub".

package/README.md

@@ -101,9 +101,10 @@ env-secrets aws -s my-app-secrets -r us-east-1 -- node app.js
 - `-r, --region <region>` (optional): AWS region where the secret is stored. If not provided, uses `AWS_DEFAULT_REGION` environment variable
 - `-p, --profile <profile>` (optional): Local AWS profile to use. If not provided, uses `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables
 - `-o, --output <file>` (optional): Output secrets to a file instead of injecting into environment variables. File will be created with 0400 permissions and will not overwrite existing files
+- `--no-shell` (optional): Run the program directly without a shell wrapper. Disables shell expansion — use when you do not need `$VAR` interpolation in arguments
 - `-- <program-to-run>`: The program to run with the injected environment variables (only used when `-o` is not specified)
 
-For `aws secret` management subcommands (`create`, `update`, `append`, `remove`, `upsert`/`import`, `list`, `get`, `delete`), use:
+For `aws secret` management subcommands (`create`, `update`, `upsert`/`import`, `append`, `remove`, `list`, `get`, `value`, `delete`), use:
 
 - `-r, --region <region>` to target a specific region
 - `-p, --profile <profile>` to select credentials profile
@@ -111,8 +112,8 @@ For `aws secret` management subcommands (`create`, `update`, `append`, `remove`,
 
 These options are honored consistently on `aws secret` subcommands.
 
-`env-secrets aws -s` is for fetching/injecting secret values into a child process.  
-`env-secrets aws secret ...` is for lifecycle management commands (`create`, `update`, `append`, `remove`, `upsert`/`import`, `list`, `get`, `delete`).
+`env-secrets aws -s` is for fetching/injecting secret values into a child process. Use `--no-shell` to run the program directly without a shell wrapper (disables shell expansion).  
+`env-secrets aws secret ...` is for lifecycle management commands (`create`, `update`, `upsert`/`import`, `append`, `remove`, `list`, `get`, `value`, `delete`).
 
 #### Examples
 
@@ -262,6 +263,19 @@ env-secrets aws secret append -n app/dev --key JIRA_EMAIL_TOKEN -v blah --output
 env-secrets aws secret remove -n app/dev --key API_KEY --key OLD_TOKEN --output json
 ```
 
+13. **View the values of a secret:**
+
+```bash
+# Table output — values masked as **** by default
+env-secrets aws secret value -n app/dev -r us-east-1
+
+# Reveal actual values (warning printed to stderr)
+env-secrets aws secret value -n app/dev -r us-east-1 --reveal
+
+# JSON output — full values, suitable for scripting (warns if stdout is a terminal)
+env-secrets aws secret value -n app/dev -r us-east-1 --output json
+```
+
 ## Security Considerations
 
 - 🔐 **Credential Management**: The tool respects AWS credential precedence (environment variables, IAM roles, profiles)

package/__e2e__/aws-secret-value-args.test.ts

@@ -0,0 +1,142 @@
+import * as fs from 'fs';
+import * as os from 'os';
+import * as path from 'path';
+
+import { cliWithEnv, cleanupTempFile } from './utils/test-utils';
+import { registerAwsE2eContext } from './utils/aws-e2e-context';
+
+describe('AWS Secret Value CLI Args', () => {
+  const { getLocalStackEnv } = registerAwsE2eContext();
+
+  test('should show masked values by default (table output)', async () => {
+    const secretName = `e2e-value-masked-${Date.now()}`;
+    const tempFile = path.join(
+      os.tmpdir(),
+      `env-secrets-value-${Date.now()}.env`
+    );
+    fs.writeFileSync(tempFile, 'DB_PASSWORD=super-secret\nAPI_KEY=abc123');
+
+    const createResult = await cliWithEnv(
+      ['aws', 'secret', 'upsert', '--file', tempFile, '--name', secretName],
+      getLocalStackEnv()
+    );
+    expect(createResult.code).toBe(0);
+
+    const valueResult = await cliWithEnv(
+      ['aws', 'secret', 'value', '-n', secretName],
+      getLocalStackEnv()
+    );
+    expect(valueResult.code).toBe(0);
+    expect(valueResult.stdout).toContain('DB_PASSWORD');
+    expect(valueResult.stdout).toContain('API_KEY');
+    expect(valueResult.stdout).toContain('****');
+    expect(valueResult.stdout).not.toContain('super-secret');
+    expect(valueResult.stdout).not.toContain('abc123');
+
+    const deleteResult1 = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'delete',
+        '-n',
+        secretName,
+        '--force-delete-without-recovery',
+        '--yes'
+      ],
+      getLocalStackEnv()
+    );
+    expect(deleteResult1.code).toBe(0);
+    cleanupTempFile(tempFile);
+  });
+
+  test('should reveal values with --reveal flag and warn on stderr', async () => {
+    const secretName = `e2e-value-reveal-${Date.now()}`;
+    const tempFile = path.join(
+      os.tmpdir(),
+      `env-secrets-reveal-${Date.now()}.env`
+    );
+    fs.writeFileSync(tempFile, 'DB_PASSWORD=super-secret\nAPI_KEY=abc123');
+
+    const createResult = await cliWithEnv(
+      ['aws', 'secret', 'upsert', '--file', tempFile, '--name', secretName],
+      getLocalStackEnv()
+    );
+    expect(createResult.code).toBe(0);
+
+    const valueResult = await cliWithEnv(
+      ['aws', 'secret', 'value', '-n', secretName, '--reveal'],
+      getLocalStackEnv()
+    );
+    expect(valueResult.code).toBe(0);
+    expect(valueResult.stdout).toContain('DB_PASSWORD');
+    expect(valueResult.stdout).toContain('super-secret');
+    expect(valueResult.stdout).toContain('API_KEY');
+    expect(valueResult.stdout).toContain('abc123');
+    expect(valueResult.stderr).toContain(
+      'Warning: displaying sensitive secret values.'
+    );
+
+    const deleteResult2 = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'delete',
+        '-n',
+        secretName,
+        '--force-delete-without-recovery',
+        '--yes'
+      ],
+      getLocalStackEnv()
+    );
+    expect(deleteResult2.code).toBe(0);
+    cleanupTempFile(tempFile);
+  });
+
+  test('should output full values as JSON without --reveal', async () => {
+    const secretName = `e2e-value-json-${Date.now()}`;
+    const tempFile = path.join(
+      os.tmpdir(),
+      `env-secrets-json-${Date.now()}.env`
+    );
+    fs.writeFileSync(tempFile, 'DB_PASSWORD=super-secret\nAPI_KEY=abc123');
+
+    const createResult = await cliWithEnv(
+      ['aws', 'secret', 'upsert', '--file', tempFile, '--name', secretName],
+      getLocalStackEnv()
+    );
+    expect(createResult.code).toBe(0);
+
+    const valueResult = await cliWithEnv(
+      ['aws', 'secret', 'value', '-n', secretName, '--output', 'json'],
+      getLocalStackEnv()
+    );
+    expect(valueResult.code).toBe(0);
+    const parsed = JSON.parse(valueResult.stdout) as Record<string, string>;
+    expect(parsed.DB_PASSWORD).toBe('super-secret');
+    expect(parsed.API_KEY).toBe('abc123');
+
+    const deleteResult3 = await cliWithEnv(
+      [
+        'aws',
+        'secret',
+        'delete',
+        '-n',
+        secretName,
+        '--force-delete-without-recovery',
+        '--yes'
+      ],
+      getLocalStackEnv()
+    );
+    expect(deleteResult3.code).toBe(0);
+    cleanupTempFile(tempFile);
+  });
+
+  test('should fail for a non-existent secret', async () => {
+    const valueResult = await cliWithEnv(
+      ['aws', 'secret', 'value', '-n', 'does-not-exist-e2e'],
+      getLocalStackEnv()
+    );
+    expect(valueResult.code).not.toBe(0);
+    expect(valueResult.stderr).toContain('not found');
+  });
+});

package/__tests__/cli/helpers.test.ts

@@ -11,6 +11,7 @@ import {
   readStdin,
   renderTable,
   resolveAwsScope,
+  resolveOutputFormat,
   resolveSecretValue
 } from '../../src/cli/helpers';
 
@@ -214,4 +215,38 @@ describe('cli/helpers', () => {
       region: 'us-west-2'
     });
   });
+
+  describe('resolveOutputFormat', () => {
+    it('uses explicit local output option', () => {
+      expect(resolveOutputFormat({ output: 'json' })).toBe('json');
+      expect(resolveOutputFormat({ output: 'table' })).toBe('table');
+    });
+
+    it('throws for invalid local output option', () => {
+      expect(() => resolveOutputFormat({ output: 'xml' })).toThrow(
+        'Invalid output format'
+      );
+    });
+
+    it('inherits json or table from global options', () => {
+      const jsonCmd = { optsWithGlobals: () => ({ output: 'json' }) };
+      const tableCmd = { optsWithGlobals: () => ({ output: 'table' }) };
+      expect(resolveOutputFormat({}, jsonCmd)).toBe('json');
+      expect(resolveOutputFormat({}, tableCmd)).toBe('table');
+    });
+
+    it('ignores a file path in global output and defaults to table', () => {
+      const command = { optsWithGlobals: () => ({ output: 'secrets.env' }) };
+      expect(resolveOutputFormat({}, command)).toBe('table');
+    });
+
+    it('defaults to table when no options are provided', () => {
+      expect(resolveOutputFormat({})).toBe('table');
+    });
+
+    it('prefers local option over global option', () => {
+      const command = { optsWithGlobals: () => ({ output: 'json' }) };
+      expect(resolveOutputFormat({ output: 'table' }, command)).toBe('table');
+    });
+  });
 });

package/dist/cli/helpers.js

@@ -9,7 +9,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.resolveAwsScope = exports.parseEnvSecretsFile = exports.parseEnvSecrets = exports.resolveSecretValue = exports.readStdin = exports.parseRecoveryDays = exports.printData = exports.renderTable = exports.asOutputFormat = void 0;
+exports.resolveAwsScope = exports.resolveOutputFormat = exports.parseEnvSecretsFile = exports.parseEnvSecrets = exports.resolveSecretValue = exports.readStdin = exports.parseRecoveryDays = exports.printData = exports.renderTable = exports.asOutputFormat = void 0;
 const promises_1 = require("node:fs/promises");
 const asOutputFormat = (value) => {
     if (value !== 'json' && value !== 'table') {
@@ -156,6 +156,18 @@ const parseEnvSecretsFile = (path) => __awaiter(void 0, void 0, void 0, function
     return (0, exports.parseEnvSecrets)(content);
 });
 exports.parseEnvSecretsFile = parseEnvSecretsFile;
+const resolveOutputFormat = (options, command) => {
+    var _a, _b;
+    if (options.output) {
+        return (0, exports.asOutputFormat)(options.output);
+    }
+    const globalOutput = (_b = (_a = command === null || command === void 0 ? void 0 : command.optsWithGlobals) === null || _a === void 0 ? void 0 : _a.call(command)) === null || _b === void 0 ? void 0 : _b.output;
+    if (globalOutput === 'json' || globalOutput === 'table') {
+        return globalOutput;
+    }
+    return 'table';
+};
+exports.resolveOutputFormat = resolveOutputFormat;
 const resolveAwsScope = (options, command) => {
     var _a;
     const globalOptions = ((_a = command === null || command === void 0 ? void 0 : command.optsWithGlobals) === null || _a === void 0 ? void 0 : _a.call(command)) || {};

package/dist/index.js

@@ -159,13 +159,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _a;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_a = options.output) !== null && _a !== void 0 ? _a : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
         if (!value) {
             throw new Error('Secret value is required. Provide --value, --value-stdin, or --file.');
@@ -203,13 +199,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _b;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_b = options.output) !== null && _b !== void 0 ? _b : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
         if (!value && !options.description && !options.kmsKeyId) {
             throw new Error('Nothing to update. Provide --value/--value-stdin/--file, --description, or --kms-key-id.');
@@ -245,13 +237,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _c;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_c = options.output) !== null && _c !== void 0 ? _c : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const parsed = yield (0, helpers_1.parseEnvSecretsFile)(options.file);
         if (parsed.entries.length === 0) {
             throw new Error('No env entries found. Include lines like KEY=value or export KEY=value.');
@@ -357,13 +345,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _d;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_d = options.output) !== null && _d !== void 0 ? _d : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const value = yield (0, helpers_1.resolveSecretValue)(options.value, options.valueStdin, options.file);
         if (!value) {
             throw new Error('Append value is required. Provide --value, --value-stdin, or --file.');
@@ -404,13 +388,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _e;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_e = options.output) !== null && _e !== void 0 ? _e : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const keys = options.key;
         const current = yield (0, secretsmanager_admin_1.getSecretString)({
             name: options.name,
@@ -461,13 +441,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _f;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_f = options.output) !== null && _f !== void 0 ? _f : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const result = yield (0, secretsmanager_admin_1.listSecrets)({
             prefix: options.prefix,
             tags: options.tag,
@@ -497,13 +473,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _g;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_g = options.output) !== null && _g !== void 0 ? _g : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         const result = yield (0, secretsmanager_admin_1.getSecretMetadata)({
             name: options.name,
             profile,
@@ -532,6 +504,77 @@ secretCommand
         exitWithError(error);
     }
 }));
+secretCommand
+    .command('value')
+    .description('get the values of a secret')
+    .requiredOption('-n, --name <name>', 'secret name')
+    .option('--reveal', 'reveal secret values in table output (values are masked by default)', false)
+    .option('-p, --profile <profile>', 'profile to use')
+    .option('-r, --region <region>', 'region to use')
+    .option('--output <format>', 'output format: json|table')
+    .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
+    try {
+        const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
+        let secretString;
+        try {
+            secretString = yield (0, secretsmanager_admin_1.getSecretString)({
+                name: options.name,
+                profile,
+                region
+            });
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            if (msg.includes('cannot be edited with append/remove')) {
+                throw new Error(`Secret "${options.name}" is stored as binary and cannot be displayed as text.`);
+            }
+            throw error;
+        }
+        let jsonEntries;
+        try {
+            const parsed = JSON.parse(secretString);
+            if (parsed && !Array.isArray(parsed) && typeof parsed === 'object') {
+                jsonEntries = Object.entries(parsed).map(([key, value]) => ({ key, value }));
+            }
+            else {
+                jsonEntries = [{ key: options.name, value: secretString }];
+            }
+        }
+        catch (_a) {
+            jsonEntries = [{ key: options.name, value: secretString }];
+        }
+        if (output === 'json') {
+            if (process.stdout.isTTY) {
+                // eslint-disable-next-line no-console
+                console.error('Warning: displaying sensitive secret values.');
+            }
+            const result = Object.fromEntries(jsonEntries.map(({ key, value }) => [key, value]));
+            // eslint-disable-next-line no-console
+            console.log(JSON.stringify(result, null, 2));
+            return;
+        }
+        if (options.reveal) {
+            // eslint-disable-next-line no-console
+            console.error('Warning: displaying sensitive secret values.');
+        }
+        const rows = jsonEntries.map(({ key, value }) => ({
+            key,
+            value: options.reveal
+                ? typeof value === 'string'
+                    ? value
+                    : JSON.stringify(value)
+                : '****'
+        }));
+        (0, helpers_1.printData)((0, helpers_1.asOutputFormat)(output), [
+            { key: 'key', label: 'Key' },
+            { key: 'value', label: 'Value' }
+        ], rows);
+    }
+    catch (error) {
+        exitWithError(error);
+    }
+}));
 secretCommand
     .command('delete')
     .description('delete a secret in AWS Secrets Manager')
@@ -543,13 +586,9 @@ secretCommand
     .option('-r, --region <region>', 'region to use')
     .option('--output <format>', 'output format: json|table')
     .action((options, command) => __awaiter(void 0, void 0, void 0, function* () {
-    var _h;
     try {
         const { profile, region } = (0, helpers_1.resolveAwsScope)(options, command);
-        const globalOptions = command.optsWithGlobals();
-        const output = (_h = options.output) !== null && _h !== void 0 ? _h : (typeof globalOptions.output === 'string'
-            ? globalOptions.output
-            : 'table');
+        const output = (0, helpers_1.resolveOutputFormat)(options, command);
         if (!options.yes) {
             throw new Error('Delete requires --yes confirmation.');
         }