envlope 0.1.0

package/dist/cli.cjs

@@ -0,0 +1,702 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// node_modules/tsup/assets/cjs_shims.js
+var getImportMetaUrl = () => typeof document === "undefined" ? new URL(`file:${__filename}`).href : document.currentScript && document.currentScript.tagName.toUpperCase() === "SCRIPT" ? document.currentScript.src : new URL("main.js", document.baseURI).href;
+var importMetaUrl = /* @__PURE__ */ getImportMetaUrl();
+
+// src/cli.ts
+var import_commander = require("commander");
+var import_node_fs2 = require("fs");
+var import_node_path2 = require("path");
+var import_node_url = require("url");
+var import_update_notifier = __toESM(require("update-notifier"), 1);
+
+// src/crypto.ts
+var import_node_crypto = require("crypto");
+var ALGORITHM = "aes-256-gcm";
+var IV_LENGTH = 12;
+var TAG_LENGTH = 16;
+var FORMAT_VERSION = 1;
+var DecryptionError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "DecryptionError";
+  }
+};
+function encrypt(plaintext, key) {
+  if (key.length !== 32) {
+    throw new Error(`Invalid key length: expected 32 bytes, got ${key.length}`);
+  }
+  const iv = (0, import_node_crypto.randomBytes)(IV_LENGTH);
+  const cipher = (0, import_node_crypto.createCipheriv)(ALGORITHM, key, iv);
+  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const payload = Buffer.concat([iv, ciphertext, tag]);
+  return `envlope:${FORMAT_VERSION}:${payload.toString("base64")}`;
+}
+function decrypt(blob, key) {
+  if (key.length !== 32) {
+    throw new Error(`Invalid key length: expected 32 bytes, got ${key.length}`);
+  }
+  const trimmed = blob.trim();
+  const parts = trimmed.split(":");
+  if (parts.length !== 3 || parts[0] !== "envlope") {
+    throw new DecryptionError("Not a valid envlope-encrypted file.");
+  }
+  const version = Number(parts[1]);
+  if (version !== FORMAT_VERSION) {
+    throw new DecryptionError(
+      `Unsupported envlope format version ${version}. This tool supports version ${FORMAT_VERSION}.`
+    );
+  }
+  const payload = Buffer.from(parts[2], "base64");
+  if (payload.length < IV_LENGTH + TAG_LENGTH) {
+    throw new DecryptionError("Encrypted payload is truncated or malformed.");
+  }
+  const iv = payload.subarray(0, IV_LENGTH);
+  const tag = payload.subarray(payload.length - TAG_LENGTH);
+  const ciphertext = payload.subarray(IV_LENGTH, payload.length - TAG_LENGTH);
+  const decipher = (0, import_node_crypto.createDecipheriv)(ALGORITHM, key, iv);
+  decipher.setAuthTag(tag);
+  try {
+    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+  } catch {
+    throw new DecryptionError("Invalid key \u2014 decryption failed.");
+  }
+}
+
+// src/files.ts
+var import_node_fs = require("fs");
+var import_node_path = require("path");
+var DEFAULT_ENV_FILE = ".env";
+var GITIGNORE_FILE = ".gitignore";
+var BASELINE_GITIGNORE_ENTRIES = [".env", ".env.local"];
+function envPath(file = DEFAULT_ENV_FILE, cwd = process.cwd()) {
+  return (0, import_node_path.resolve)(cwd, file);
+}
+function encryptedPath(file = DEFAULT_ENV_FILE, cwd = process.cwd()) {
+  return (0, import_node_path.resolve)(cwd, `${file}.encrypted`);
+}
+function backupPath(file = DEFAULT_ENV_FILE, cwd = process.cwd()) {
+  return (0, import_node_path.resolve)(cwd, `${file}.encrypted.bak`);
+}
+function gitignorePath(cwd = process.cwd()) {
+  return (0, import_node_path.resolve)(cwd, GITIGNORE_FILE);
+}
+function readEnv(file, cwd) {
+  return (0, import_node_fs.readFileSync)(envPath(file, cwd));
+}
+function writeEnv(content, file, cwd) {
+  (0, import_node_fs.writeFileSync)(envPath(file, cwd), content);
+}
+function readEncrypted(file, cwd) {
+  return (0, import_node_fs.readFileSync)(encryptedPath(file, cwd), "utf8");
+}
+function writeEncrypted(blob, file, cwd) {
+  (0, import_node_fs.writeFileSync)(encryptedPath(file, cwd), blob + "\n");
+}
+function envExists(file, cwd) {
+  return (0, import_node_fs.existsSync)(envPath(file, cwd));
+}
+function encryptedExists(file, cwd) {
+  return (0, import_node_fs.existsSync)(encryptedPath(file, cwd));
+}
+function envMtime(file, cwd) {
+  const p = envPath(file, cwd);
+  return (0, import_node_fs.existsSync)(p) ? (0, import_node_fs.statSync)(p).mtime : null;
+}
+function encryptedMtime(file, cwd) {
+  const p = encryptedPath(file, cwd);
+  return (0, import_node_fs.existsSync)(p) ? (0, import_node_fs.statSync)(p).mtime : null;
+}
+function backupEncrypted(file, cwd) {
+  (0, import_node_fs.copyFileSync)(encryptedPath(file, cwd), backupPath(file, cwd));
+}
+function gitignoreEntriesFor(file) {
+  const entries = [];
+  if (file === DEFAULT_ENV_FILE) {
+    entries.push(...BASELINE_GITIGNORE_ENTRIES);
+  } else {
+    entries.push(file);
+  }
+  entries.push(`${file}.encrypted.bak`);
+  return entries;
+}
+function ensureGitignore(file = DEFAULT_ENV_FILE, cwd) {
+  const path = gitignorePath(cwd);
+  const existed = (0, import_node_fs.existsSync)(path);
+  const current = existed ? (0, import_node_fs.readFileSync)(path, "utf8") : "";
+  const lines = current.split(/\r?\n/).map((l) => l.trim());
+  const present = new Set(lines);
+  const desired = gitignoreEntriesFor(file);
+  const toAdd = desired.filter((entry) => !present.has(entry));
+  if (toAdd.length === 0) {
+    return { added: [], existed };
+  }
+  const prefix = current.length > 0 && !current.endsWith("\n") ? "\n" : "";
+  const addition = prefix + toAdd.join("\n") + "\n";
+  (0, import_node_fs.writeFileSync)(path, current + addition);
+  return { added: toAdd, existed };
+}
+function isGitignored(file = DEFAULT_ENV_FILE, cwd) {
+  const path = gitignorePath(cwd);
+  if (!(0, import_node_fs.existsSync)(path)) return false;
+  const lines = (0, import_node_fs.readFileSync)(path, "utf8").split(/\r?\n/).map((l) => l.trim());
+  return lines.includes(file);
+}
+
+// src/key.ts
+var import_node_crypto2 = require("crypto");
+
+// src/ui.ts
+var prompts = __toESM(require("@clack/prompts"), 1);
+var import_picocolors = __toESM(require("picocolors"), 1);
+async function confirm2(message, defaultValue = false) {
+  const result = await prompts.confirm({
+    message,
+    initialValue: defaultValue
+  });
+  if (prompts.isCancel(result)) {
+    return false;
+  }
+  return result;
+}
+async function promptKey(message = "Enter your envlope key:") {
+  const result = await prompts.password({
+    message,
+    validate: (value) => {
+      if (!value) return "Key is required.";
+      if (!value.startsWith("envlope_key_")) return "Key must start with envlope_key_";
+      return void 0;
+    }
+  });
+  if (prompts.isCancel(result)) {
+    throw new UserCancelled();
+  }
+  return result;
+}
+var UserCancelled = class extends Error {
+  constructor() {
+    super("Cancelled.");
+    this.name = "UserCancelled";
+  }
+};
+
+// src/key.ts
+var KEY_PREFIX = "envlope_key_";
+var KEY_BYTES = 32;
+var ENV_VAR_NAME = "ENVLOPE_KEY";
+var InvalidKeyError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "InvalidKeyError";
+  }
+};
+function generateKey() {
+  return (0, import_node_crypto2.randomBytes)(KEY_BYTES);
+}
+function formatKey(key) {
+  if (key.length !== KEY_BYTES) {
+    throw new Error(`Invalid key length: expected ${KEY_BYTES} bytes, got ${key.length}`);
+  }
+  return `${KEY_PREFIX}${key.toString("base64")}`;
+}
+function parseKey(formatted) {
+  const trimmed = formatted.trim();
+  if (!trimmed.startsWith(KEY_PREFIX)) {
+    throw new InvalidKeyError(
+      `Key must start with "${KEY_PREFIX}". Did you paste the whole key?`
+    );
+  }
+  const base64 = trimmed.slice(KEY_PREFIX.length);
+  let key;
+  try {
+    key = Buffer.from(base64, "base64");
+  } catch {
+    throw new InvalidKeyError("Key contents are not valid base64.");
+  }
+  if (key.length !== KEY_BYTES) {
+    throw new InvalidKeyError(
+      `Decoded key is ${key.length} bytes; expected ${KEY_BYTES}. Key may be corrupted.`
+    );
+  }
+  return key;
+}
+async function resolveKey(options, promptMessage = "Enter your envlope key:") {
+  if (options.key) {
+    return parseKey(options.key);
+  }
+  const envValue = process.env[ENV_VAR_NAME];
+  if (envValue && envValue.length > 0) {
+    return parseKey(envValue);
+  }
+  if (options.json) {
+    throw new InvalidKeyError(
+      `No key provided. In --json mode, pass --key <key> or set ${ENV_VAR_NAME} env var.`
+    );
+  }
+  if (!process.stdin.isTTY) {
+    throw new InvalidKeyError(
+      `No key provided. Pass --key <key>, set ${ENV_VAR_NAME} env var, or run interactively.`
+    );
+  }
+  const formatted = await promptKey(promptMessage);
+  return parseKey(formatted);
+}
+
+// src/output.ts
+var import_picocolors2 = __toESM(require("picocolors"), 1);
+var Output = class {
+  constructor(json = false) {
+    this.json = json;
+  }
+  json;
+  get isHuman() {
+    return !this.json;
+  }
+  success(message) {
+    if (this.json) return;
+    console.log(`${import_picocolors2.default.green("\u2713")} ${message}`);
+  }
+  info(message) {
+    if (this.json) return;
+    console.log(`${import_picocolors2.default.cyan("\u203A")} ${message}`);
+  }
+  warn(message) {
+    if (this.json) return;
+    console.log(`${import_picocolors2.default.yellow("\u26A0")} ${message}`);
+  }
+  /** Render the prominent "SAVE THIS KEY" block. Human mode only. */
+  keyBlock(formattedKey) {
+    if (this.json) return;
+    const bar = import_picocolors2.default.dim("\u2500".repeat(64));
+    console.log("");
+    console.log(import_picocolors2.default.bold(import_picocolors2.default.yellow("SAVE THIS KEY \u2014 it cannot be recovered:")));
+    console.log(bar);
+    console.log(`   ${import_picocolors2.default.bold(formattedKey)}`);
+    console.log(bar);
+    console.log(
+      import_picocolors2.default.dim(
+        "Save it in your password manager and share with teammates over a secure channel."
+      )
+    );
+    console.log("");
+  }
+  /** Render a "Next steps" section. Human mode only. */
+  nextSteps(steps) {
+    if (this.json) return;
+    console.log("");
+    console.log(import_picocolors2.default.bold("Next:"));
+    for (const step of steps) {
+      console.log(`  ${import_picocolors2.default.dim("$")} ${step}`);
+    }
+    console.log("");
+  }
+  /**
+   * Emit the final structured result. In JSON mode, prints one JSON object to
+   * stdout. In human mode, this is a no-op (success/info etc. handled output).
+   */
+  emit(data) {
+    if (!this.json) return;
+    console.log(JSON.stringify(data));
+  }
+  /**
+   * Emit a failure. In JSON mode, writes a structured `{error, code}` JSON
+   * object to stdout. In human mode, writes a red ✗ line to stderr.
+   */
+  fail(message, code = 1) {
+    if (this.json) {
+      console.log(JSON.stringify({ error: message, code }));
+    } else {
+      console.error(`${import_picocolors2.default.red("\u2717")} ${message}`);
+    }
+  }
+  /** Print a raw line (used by `view` to print the variable value). */
+  raw(line) {
+    console.log(line);
+  }
+};
+
+// src/commands/decrypt.ts
+async function decryptCommand(options = {}) {
+  const file = options.file ?? DEFAULT_ENV_FILE;
+  const out = new Output(options.json);
+  if (!encryptedExists(file)) {
+    out.fail(`No ${file}.encrypted file found in this directory.`);
+    out.info("Nothing to decrypt. Did you run `git pull` in the right directory?");
+    return 1;
+  }
+  let key;
+  try {
+    key = await resolveKey(options);
+  } catch (err) {
+    if (err instanceof InvalidKeyError) {
+      out.fail(err.message);
+      return 1;
+    }
+    if (err instanceof UserCancelled) return 130;
+    throw err;
+  }
+  const blob = readEncrypted(file);
+  let plaintext;
+  try {
+    plaintext = decrypt(blob, key);
+  } catch (err) {
+    if (err instanceof DecryptionError) {
+      out.fail(err.message);
+      return 1;
+    }
+    throw err;
+  }
+  if (envExists(file) && !options.yes) {
+    if (options.json) {
+      out.fail(`${file} already exists. Pass --yes to confirm overwrite in --json mode.`);
+      return 1;
+    }
+    const overwrite = await confirm2(
+      `${file} already exists. Overwrite it with the decrypted contents?`,
+      false
+    );
+    if (!overwrite) {
+      out.info(`Aborted. ${file} left untouched.`);
+      return 0;
+    }
+  }
+  writeEnv(plaintext, file);
+  ensureGitignore(file);
+  out.success(`Decrypted to ${file}`);
+  out.emit({ success: true, output_file: file });
+  return 0;
+}
+
+// src/commands/encrypt.ts
+async function encryptCommand(options = {}) {
+  const file = options.file ?? DEFAULT_ENV_FILE;
+  const out = new Output(options.json);
+  if (!envExists(file)) {
+    out.fail(`No ${file} file found in this directory.`);
+    out.info(`Nothing to encrypt. Create a ${file} file first.`);
+    return 1;
+  }
+  if (!encryptedExists(file)) {
+    out.fail(`No ${file}.encrypted file found in this directory.`);
+    out.info("Run `envlope init` first to create one.");
+    return 1;
+  }
+  let key;
+  try {
+    key = await resolveKey(options, `Enter your envlope key to re-encrypt ${file}:`);
+  } catch (err) {
+    if (err instanceof InvalidKeyError) {
+      out.fail(err.message);
+      return 1;
+    }
+    if (err instanceof UserCancelled) return 130;
+    throw err;
+  }
+  const existingBlob = readEncrypted(file);
+  try {
+    decrypt(existingBlob, key);
+  } catch (err) {
+    if (err instanceof DecryptionError) {
+      out.fail(`This key does not match the current ${file}.encrypted.`);
+      out.info(
+        "Either the key is wrong, or someone rotated the key with `envlope init`. Ask a teammate for the current key."
+      );
+      return 1;
+    }
+    throw err;
+  }
+  const plaintext = readEnv(file);
+  const blob = encrypt(plaintext, key);
+  writeEncrypted(blob, file);
+  out.success(`Updated ${file}.encrypted \u2014 ready to commit.`);
+  out.emit({ success: true, encrypted_file: `${file}.encrypted` });
+  return 0;
+}
+
+// src/commands/init.ts
+async function initCommand(options = {}) {
+  const file = options.file ?? DEFAULT_ENV_FILE;
+  const out = new Output(options.json);
+  if (!envExists(file)) {
+    out.fail(`No ${file} file found in this directory.`);
+    out.info(`Create a plaintext ${file} first, then run \`envlope init\` again.`);
+    return 1;
+  }
+  if (encryptedExists(file)) {
+    out.warn(`${file}.encrypted already exists.`);
+    out.info(
+      "Generating a new key will replace it \u2014 any teammates still using the old key will lose access until you share the new key with them."
+    );
+    if (options.yes) {
+      out.info("--yes provided; proceeding with re-encryption.");
+    } else if (options.json) {
+      out.fail(
+        `${file}.encrypted already exists. Pass --yes to confirm re-encryption in --json mode.`
+      );
+      return 1;
+    } else {
+      const proceed = await confirm2("Generate a new key and re-encrypt?", false);
+      if (!proceed) {
+        out.info("Aborted. No changes made.");
+        return 0;
+      }
+    }
+    backupEncrypted(file);
+    out.success(`Backed up old ${file}.encrypted \u2192 ${file}.encrypted.bak`);
+  }
+  let key;
+  if (options.key) {
+    try {
+      key = parseKey(options.key);
+    } catch (err) {
+      if (err instanceof InvalidKeyError) {
+        out.fail(err.message);
+        return 1;
+      }
+      throw err;
+    }
+  } else {
+    key = generateKey();
+  }
+  const plaintext = readEnv(file);
+  const blob = encrypt(plaintext, key);
+  writeEncrypted(blob, file);
+  const gitignoreResult = ensureGitignore(file);
+  out.success(`Encrypted ${file} \u2192 ${file}.encrypted`);
+  if (gitignoreResult.added.length > 0) {
+    const verb = gitignoreResult.existed ? "Updated" : "Created";
+    out.success(`${verb} .gitignore (added ${gitignoreResult.added.join(", ")})`);
+  } else {
+    out.info(`.gitignore already protects ${file} \u2014 no changes.`);
+  }
+  const formattedKey = formatKey(key);
+  if (options.key) {
+    out.success(
+      "Used the provided key \u2014 encrypted file is now unlockable with the same key as your other repos."
+    );
+  } else {
+    out.keyBlock(formattedKey);
+  }
+  out.nextSteps([`git add ${file}.encrypted .gitignore`, 'git commit -m "Add encrypted env"']);
+  out.emit({
+    success: true,
+    file,
+    encrypted_file: `${file}.encrypted`,
+    ...options.key ? {} : { key: formattedKey }
+  });
+  return 0;
+}
+
+// src/commands/status.ts
+function humanizeAge(date) {
+  const seconds = Math.max(0, Math.floor((Date.now() - date.getTime()) / 1e3));
+  if (seconds < 60) return `${seconds}s ago`;
+  if (seconds < 3600) return `${Math.floor(seconds / 60)}m ago`;
+  if (seconds < 86400) return `${Math.floor(seconds / 3600)}h ago`;
+  return `${Math.floor(seconds / 86400)}d ago`;
+}
+async function statusCommand(options = {}) {
+  const file = options.file ?? DEFAULT_ENV_FILE;
+  const out = new Output(options.json);
+  const envEx = envExists(file);
+  const encEx = encryptedExists(file);
+  const envT = envMtime(file);
+  const encT = encryptedMtime(file);
+  const gitignored = isGitignored(file);
+  let inSync = null;
+  if (envEx && encEx && envT && encT) {
+    inSync = envT.getTime() <= encT.getTime() + 1e3;
+  }
+  if (out.isHuman) {
+    console.log(`File: ${file}`);
+    if (envEx) {
+      out.success(`${file} exists`);
+    } else {
+      out.warn(`${file} does not exist`);
+    }
+    if (encEx && encT) {
+      out.success(`${file}.encrypted exists (last encrypted ${humanizeAge(encT)})`);
+    } else {
+      out.warn(`${file}.encrypted does not exist`);
+    }
+    if (envEx && encEx) {
+      if (inSync === false) {
+        out.warn(
+          `${file} was modified after ${file}.encrypted \u2014 run \`envlope encrypt\` before committing.`
+        );
+      } else if (inSync === true) {
+        out.success(`${file} and ${file}.encrypted are in sync`);
+      }
+    }
+    if (gitignored) {
+      out.success(`.gitignore protects ${file}`);
+    } else {
+      out.warn(
+        `${file} is not in .gitignore \u2014 run \`envlope init\` or add it manually before committing.`
+      );
+    }
+  }
+  out.emit({
+    file,
+    env_exists: envEx,
+    encrypted_exists: encEx,
+    in_sync: inSync,
+    last_encrypted: encT ? encT.toISOString() : null,
+    gitignored
+  });
+  if (options.strict && inSync === false) return 1;
+  return 0;
+}
+
+// src/commands/view.ts
+async function viewCommand(variable, options = {}) {
+  const file = options.file ?? DEFAULT_ENV_FILE;
+  const out = new Output(options.json);
+  if (!encryptedExists(file)) {
+    out.fail(`No ${file}.encrypted file found in this directory.`);
+    return 1;
+  }
+  let key;
+  try {
+    key = await resolveKey(options);
+  } catch (err) {
+    if (err instanceof InvalidKeyError) {
+      out.fail(err.message);
+      return 1;
+    }
+    if (err instanceof UserCancelled) return 130;
+    throw err;
+  }
+  const blob = readEncrypted(file);
+  let plaintext;
+  try {
+    plaintext = decrypt(blob, key);
+  } catch (err) {
+    if (err instanceof DecryptionError) {
+      out.fail(err.message);
+      return 1;
+    }
+    throw err;
+  }
+  const lines = plaintext.toString("utf8").split(/\r?\n/);
+  for (const line of lines) {
+    if (!line || line.trimStart().startsWith("#")) continue;
+    const eqIdx = line.indexOf("=");
+    if (eqIdx === -1) continue;
+    const name = line.slice(0, eqIdx).trim();
+    if (name !== variable) continue;
+    const value = line.slice(eqIdx + 1);
+    if (options.json) {
+      out.emit({ variable, value });
+    } else {
+      out.raw(value);
+    }
+    return 0;
+  }
+  out.fail(`Variable '${variable}' not found in ${file}.encrypted.`);
+  return 1;
+}
+
+// src/cli.ts
+var __dirname = (0, import_node_path2.dirname)((0, import_node_url.fileURLToPath)(importMetaUrl));
+var pkg = JSON.parse((0, import_node_fs2.readFileSync)((0, import_node_path2.resolve)(__dirname, "../package.json"), "utf8"));
+var isJsonMode = process.argv.includes("--json");
+if (!isJsonMode) {
+  try {
+    const notifier = (0, import_update_notifier.default)({
+      pkg,
+      updateCheckInterval: 1e3 * 60 * 60 * 24
+      // 24h
+    });
+    notifier.notify({
+      defer: false,
+      message: "Update available: {currentVersion} \u2192 {latestVersion}\nRun `npm i envlope@latest` (add `-g` if installed globally) to update."
+    });
+  } catch {
+  }
+}
+var program = new import_commander.Command();
+program.name("envlope").description(
+  "Encrypt your .env file with a key, push it to git safely, unlock with the same key."
+).version(pkg.version);
+program.command("init [file]").description("Generate a key (or use a provided one) and encrypt the env file in this directory.").option("-y, --yes", "Skip the re-init confirmation prompt (use in scripts/CI)").option(
+  "-k, --key <key>",
+  "Use this key instead of generating a new random one (for reusing one key across multiple repos)"
+).option("--json", "Emit JSON output instead of human-readable text").action(async (file, options) => {
+  process.exit(
+    await runWithErrorHandling(() => initCommand({ ...options, file }), options)
+  );
+});
+program.command("encrypt [file]").description("Re-encrypt the env file using your existing key.").option(
+  "-k, --key <key>",
+  "The envlope key (otherwise read from ENVLOPE_KEY env var or prompted)"
+).option("--json", "Emit JSON output instead of human-readable text").action(async (file, options) => {
+  process.exit(
+    await runWithErrorHandling(() => encryptCommand({ ...options, file }), options)
+  );
+});
+program.command("decrypt [file]").description("Decrypt the encrypted env file using your key.").option(
+  "-k, --key <key>",
+  "The envlope key (otherwise read from ENVLOPE_KEY env var or prompted)"
+).option("-y, --yes", "Overwrite an existing decrypted file without prompting").option("--json", "Emit JSON output instead of human-readable text").action(async (file, options) => {
+  process.exit(
+    await runWithErrorHandling(() => decryptCommand({ ...options, file }), options)
+  );
+});
+program.command("status [file]").description("Show the health of the env file: sync state, gitignore, last encrypted.").option("--json", "Emit JSON output instead of human-readable text").option("--strict", "Exit code 1 if the env file is out of sync with the encrypted file").action(async (file, options) => {
+  process.exit(
+    await runWithErrorHandling(() => statusCommand({ ...options, file }), options)
+  );
+});
+program.command("view <variable> [file]").description(
+  "Print the decrypted value of a single variable to stdout without writing the env file to disk."
+).option(
+  "-k, --key <key>",
+  "The envlope key (otherwise read from ENVLOPE_KEY env var or prompted)"
+).option("--json", "Emit JSON output instead of human-readable text").action(async (variable, file, options) => {
+  process.exit(
+    await runWithErrorHandling(
+      () => viewCommand(variable, { ...options, file }),
+      options
+    )
+  );
+});
+program.parseAsync().catch((err) => {
+  const out = new Output(isJsonMode);
+  out.fail(err instanceof Error ? err.message : String(err));
+  process.exit(1);
+});
+async function runWithErrorHandling(fn, options = {}) {
+  try {
+    return await fn();
+  } catch (err) {
+    const out = new Output(options.json);
+    out.fail(err instanceof Error ? err.message : String(err));
+    return 1;
+  }
+}