envmatic 1.0.0

package/dist/commands/lock.js

@@ -0,0 +1,245 @@
+/**
+ * Lock Command
+ * List and lock mutable (unlocked) env files
+ */
+import ora from 'ora';
+import inquirer from 'inquirer';
+import { listEnvFiles, getEnvFilePath, readEnvFile, updateEnvFile } from '../services/envfile.js';
+import { sync, commitChanges } from '../services/git.js';
+import { getConfig } from '../services/config.js';
+import { makeImmutable, isImmutable } from '../services/protection.js';
+import { syncCopies } from '../services/linker.js';
+import { printBanner, success, error, info, warning, colors, formatFileId } from '../utils/display.js';
+import { getEncryptionOptions, confirm } from '../utils/prompts.js';
+/**
+ * Find all unlocked (mutable) env files
+ */
+async function findUnlockedFiles() {
+    const files = await listEnvFiles();
+    const unlocked = [];
+    for (const file of files) {
+        // Only check files that should be immutable
+        if (file.immutable) {
+            const filePath = getEnvFilePath(file.id, file.encrypted);
+            const currentlyImmutable = await isImmutable(filePath);
+            if (!currentlyImmutable) {
+                unlocked.push({ file, filePath });
+            }
+        }
+    }
+    return unlocked;
+}
+/**
+ * Lock a single file
+ */
+async function lockFile(file, filePath) {
+    try {
+        await makeImmutable(filePath);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Lock command - list and lock mutable files
+ */
+export async function lockCommand(fileId, options = {}) {
+    printBanner();
+    const config = await getConfig();
+    if (!config) {
+        error('Envmatic is not initialized. Run `envmatic init` first.');
+        return;
+    }
+    // If specific file ID provided, lock just that file
+    if (fileId) {
+        const files = await listEnvFiles();
+        const file = files.find(f => f.id === fileId);
+        if (!file) {
+            error(`Env file not found: ${fileId}`);
+            return;
+        }
+        const filePath = getEnvFilePath(file.id, file.encrypted);
+        const currentlyImmutable = await isImmutable(filePath);
+        if (currentlyImmutable) {
+            info(`${formatFileId(fileId)} is already locked.`);
+            return;
+        }
+        const spinner = ora('Locking file...').start();
+        const locked = await lockFile(file, filePath);
+        if (locked) {
+            spinner.succeed('File locked');
+            // If file was edited, we should sync
+            const shouldSync = await confirm('Sync changes to remote?', true);
+            if (shouldSync) {
+                const encryptionOptions = await getEncryptionOptions();
+                // Re-encrypt if needed (in case content was modified)
+                try {
+                    const { variables } = await readEnvFile(file.id, encryptionOptions);
+                    await updateEnvFile(file.id, variables, encryptionOptions);
+                    await syncCopies(file.id, encryptionOptions);
+                }
+                catch (err) {
+                    // File might not have been modified, that's ok
+                }
+                const syncSpinner = ora('Syncing to remote...').start();
+                try {
+                    await commitChanges(`Update ${file.id}`);
+                    await sync();
+                    syncSpinner.succeed('Synced');
+                }
+                catch {
+                    syncSpinner.warn('Could not sync (will sync later)');
+                }
+            }
+            console.log();
+            success(`${formatFileId(fileId)} is now locked.`);
+        }
+        else {
+            spinner.fail('Failed to lock file');
+        }
+        return;
+    }
+    // Find all unlocked files
+    const unlockedFiles = await findUnlockedFiles();
+    if (unlockedFiles.length === 0) {
+        success('All files are locked.');
+        console.log();
+        console.log(colors.muted('No unlocked files found.'));
+        return;
+    }
+    console.log(colors.warning(`Found ${unlockedFiles.length} unlocked file(s):\n`));
+    for (const { file } of unlockedFiles) {
+        const flags = [];
+        if (file.encrypted)
+            flags.push('🔒');
+        const flagStr = flags.length > 0 ? ' ' + flags.join(' ') : '';
+        console.log(`  ${colors.accent('🔓')} ${formatFileId(file.id)}${flagStr}`);
+    }
+    console.log();
+    // Lock all option
+    if (options.all) {
+        const spinner = ora('Locking all files...').start();
+        let locked = 0;
+        let failed = 0;
+        for (const { file, filePath } of unlockedFiles) {
+            if (await lockFile(file, filePath)) {
+                locked++;
+            }
+            else {
+                failed++;
+            }
+        }
+        if (failed > 0) {
+            spinner.warn(`Locked ${locked} file(s), ${failed} failed`);
+        }
+        else {
+            spinner.succeed(`Locked ${locked} file(s)`);
+        }
+        // Sync changes
+        const shouldSync = await confirm('Sync changes to remote?', true);
+        if (shouldSync) {
+            const syncSpinner = ora('Syncing to remote...').start();
+            try {
+                await commitChanges('Lock files after editing');
+                await sync();
+                syncSpinner.succeed('Synced');
+            }
+            catch {
+                syncSpinner.warn('Could not sync (will sync later)');
+            }
+        }
+        console.log();
+        success('All files locked.');
+        return;
+    }
+    // Interactive selection
+    const { action } = await inquirer.prompt([
+        {
+            type: 'list',
+            name: 'action',
+            message: 'What would you like to do?',
+            choices: [
+                { name: 'Lock all unlocked files', value: 'all' },
+                { name: 'Select files to lock', value: 'select' },
+                { name: 'Cancel', value: 'cancel' },
+            ],
+        },
+    ]);
+    if (action === 'cancel') {
+        info('No files were locked.');
+        console.log();
+        warning('Remember: Unlocked files are not protected from accidental edits.');
+        return;
+    }
+    if (action === 'all') {
+        return lockCommand(undefined, { all: true });
+    }
+    // Select specific files
+    const { selectedFiles } = await inquirer.prompt([
+        {
+            type: 'checkbox',
+            name: 'selectedFiles',
+            message: 'Select files to lock:',
+            choices: unlockedFiles.map(({ file }) => ({
+                name: file.id,
+                value: file.id,
+                checked: true,
+            })),
+        },
+    ]);
+    if (selectedFiles.length === 0) {
+        info('No files selected.');
+        return;
+    }
+    const spinner = ora('Locking selected files...').start();
+    let locked = 0;
+    let failed = 0;
+    for (const id of selectedFiles) {
+        const item = unlockedFiles.find(u => u.file.id === id);
+        if (item && await lockFile(item.file, item.filePath)) {
+            locked++;
+        }
+        else {
+            failed++;
+        }
+    }
+    if (failed > 0) {
+        spinner.warn(`Locked ${locked} file(s), ${failed} failed`);
+    }
+    else {
+        spinner.succeed(`Locked ${locked} file(s)`);
+    }
+    // Sync changes
+    const shouldSync = await confirm('Sync changes to remote?', true);
+    if (shouldSync) {
+        const syncSpinner = ora('Syncing to remote...').start();
+        try {
+            await commitChanges('Lock files after editing');
+            await sync();
+            syncSpinner.succeed('Synced');
+        }
+        catch {
+            syncSpinner.warn('Could not sync (will sync later)');
+        }
+    }
+    console.log();
+    success('Selected files locked.');
+}
+/**
+ * Unlock command - unlock a file for editing
+ * (This is primarily used internally by the edit --editor command)
+ */
+export async function unlockFileForEditing(fileId) {
+    const files = await listEnvFiles();
+    const file = files.find(f => f.id === fileId);
+    if (!file) {
+        return null;
+    }
+    const filePath = getEnvFilePath(file.id, file.encrypted);
+    // Make it mutable
+    const { makeMutable } = await import('../services/protection.js');
+    await makeMutable(filePath);
+    return filePath;
+}
+//# sourceMappingURL=lock.js.map

package/dist/commands/lock.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lock.js","sourceRoot":"","sources":["../../src/commands/lock.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,QAAQ,MAAM,UAAU,CAAC;AAChC,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAClG,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EACL,WAAW,EACX,OAAO,EACP,KAAK,EACL,IAAI,EACJ,OAAO,EACP,MAAM,EACN,YAAY,EACb,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,oBAAoB,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC;AAQpE;;GAEG;AACH,KAAK,UAAU,iBAAiB;IAC9B,MAAM,KAAK,GAAG,MAAM,YAAY,EAAE,CAAC;IACnC,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,4CAA4C;QAC5C,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;YACzD,MAAM,kBAAkB,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;YAEvD,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,QAAQ,CAAC,IAAa,EAAE,QAAgB;IACrD,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;QAC9B,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAe,EACf,UAA6B,EAAE;IAE/B,WAAW,EAAE,CAAC;IAEd,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,KAAK,CAAC,yDAAyD,CAAC,CAAC;QACjE,OAAO;IACT,CAAC;IAED,oDAAoD;IACpD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,MAAM,YAAY,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;QAE9C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,KAAK,CAAC,uBAAuB,MAAM,EAAE,CAAC,CAAC;YACvC,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QACzD,MAAM,kBAAkB,GAAG,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;QAEvD,IAAI,kBAAkB,EAAE,CAAC;YACvB,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,GAAG,CAAC,iBAAiB,CAAC,CAAC,KAAK,EAAE,CAAC;QAE/C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAE9C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;YAE/B,qCAAqC;YACrC,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,yBAAyB,EAAE,IAAI,CAAC,CAAC;YAElE,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,iBAAiB,GAAG,MAAM,oBAAoB,EAAE,CAAC;gBAEvD,sDAAsD;gBACtD,IAAI,CAAC;oBACH,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,EAAE,EAAE,iBAAiB,CAAC,CAAC;oBACpE,MAAM,aAAa,CAAC,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,iBAAiB,CAAC,CAAC;oBAC3D,MAAM,UAAU,CAAC,IAAI,CAAC,EAAE,EAAE,iBAAiB,CAAC,CAAC;gBAC/C,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,+CAA+C;gBACjD,CAAC;gBAED,MAAM,WAAW,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC,KAAK,EAAE,CAAC;gBACxD,IAAI,CAAC;oBACH,MAAM,aAAa,CAAC,UAAU,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;oBACzC,MAAM,IAAI,EAAE,CAAC;oBACb,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;gBAChC,CAAC;gBAAC,MAAM,CAAC;oBACP,WAAW,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;gBACvD,CAAC;YACH,CAAC;YAED,OAAO,CAAC,GAAG,EAAE,CAAC;YACd,OAAO,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QACtC,CAAC;QAED,OAAO;IACT,CAAC;IAED,0BAA0B;IAC1B,MAAM,aAAa,GAAG,MAAM,iBAAiB,EAAE,CAAC;IAEhD,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,uBAAuB,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAC;QACtD,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,aAAa,CAAC,MAAM,sBAAsB,CAAC,CAAC,CAAC;IAEjF,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,aAAa,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,EAAE,CAAC;QACjB,IAAI,IAAI,CAAC,SAAS;YAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAE9D,OAAO,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,kBAAkB;IAClB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,OAAO,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC,KAAK,EAAE,CAAC;QAEpD,IAAI,MAAM,GAAG,CAAC,CAAC;QACf,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,KAAK,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,aAAa,EAAE,CAAC;YAC/C,IAAI,MAAM,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,EAAE,CAAC;gBACnC,MAAM,EAAE,CAAC;YACX,CAAC;iBAAM,CAAC;gBACN,MAAM,EAAE,CAAC;YACX,CAAC;QACH,CAAC;QAED,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,UAAU,MAAM,aAAa,MAAM,SAAS,CAAC,CAAC;QAC7D,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,OAAO,CAAC,UAAU,MAAM,UAAU,CAAC,CAAC;QAC9C,CAAC;QAED,eAAe;QACf,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,yBAAyB,EAAE,IAAI,CAAC,CAAC;QAElE,IAAI,UAAU,EAAE,CAAC;YACf,MAAM,WAAW,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC,KAAK,EAAE,CAAC;YACxD,IAAI,CAAC;gBACH,MAAM,aAAa,CAAC,0BAA0B,CAAC,CAAC;gBAChD,MAAM,IAAI,EAAE,CAAC;gBACb,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,WAAW,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,mBAAmB,CAAC,CAAC;QAC7B,OAAO;IACT,CAAC;IAED,wBAAwB;IACxB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;QACvC;YACE,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,4BAA4B;YACrC,OAAO,EAAE;gBACP,EAAE,IAAI,EAAE,yBAAyB,EAAE,KAAK,EAAE,KAAK,EAAE;gBACjD,EAAE,IAAI,EAAE,sBAAsB,EAAE,KAAK,EAAE,QAAQ,EAAE;gBACjD,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE;aACpC;SACF;KACF,CAAC,CAAC;IAEH,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,mEAAmE,CAAC,CAAC;QAC7E,OAAO;IACT,CAAC;IAED,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,OAAO,WAAW,CAAC,SAAS,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,wBAAwB;IACxB,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC;QAC9C;YACE,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,eAAe;YACrB,OAAO,EAAE,uBAAuB;YAChC,OAAO,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;gBACxC,IAAI,EAAE,IAAI,CAAC,EAAE;gBACb,KAAK,EAAE,IAAI,CAAC,EAAE;gBACd,OAAO,EAAE,IAAI;aACd,CAAC,CAAC;SACJ;KACF,CAAC,CAAC;IAEH,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,IAAI,CAAC,oBAAoB,CAAC,CAAC;QAC3B,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,CAAC,2BAA2B,CAAC,CAAC,KAAK,EAAE,CAAC;IAEzD,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACvD,IAAI,IAAI,IAAI,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrD,MAAM,EAAE,CAAC;QACX,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,CAAC;QACX,CAAC;IACH,CAAC;IAED,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,UAAU,MAAM,aAAa,MAAM,SAAS,CAAC,CAAC;IAC7D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,OAAO,CAAC,UAAU,MAAM,UAAU,CAAC,CAAC;IAC9C,CAAC;IAED,eAAe;IACf,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,yBAAyB,EAAE,IAAI,CAAC,CAAC;IAElE,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,WAAW,GAAG,GAAG,CAAC,sBAAsB,CAAC,CAAC,KAAK,EAAE,CAAC;QACxD,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,0BAA0B,CAAC,CAAC;YAChD,MAAM,IAAI,EAAE,CAAC;YACb,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,WAAW,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,wBAAwB,CAAC,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,MAAc;IACvD,MAAM,KAAK,GAAG,MAAM,YAAY,EAAE,CAAC;IACnC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;IAE9C,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;IAEzD,kBAAkB;IAClB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,2BAA2B,CAAC,CAAC;IAClE,MAAM,WAAW,CAAC,QAAQ,CAAC,CAAC;IAE5B,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/commands/rotate.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Rotate Command
+ * Change encryption password or rotate encryption key/method
+ */
+/**
+ * Change password command
+ * Requires old password to decrypt, then re-encrypts with new password
+ */
+export declare function changePasswordCommand(): Promise<void>;
+/**
+ * Rotate encryption key/method
+ * Can switch between password and SSH key encryption
+ */
+export declare function rotateKeyCommand(): Promise<void>;
+//# sourceMappingURL=rotate.d.ts.map

package/dist/commands/rotate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rotate.d.ts","sourceRoot":"","sources":["../../src/commands/rotate.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAyBH;;;GAGG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,IAAI,CAAC,CAsK3D;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAqRtD"}

package/dist/commands/rotate.js

@@ -0,0 +1,406 @@
+/**
+ * Rotate Command
+ * Change encryption password or rotate encryption key/method
+ */
+import ora from 'ora';
+import inquirer from 'inquirer';
+import { readEnvFile, updateEnvFile, listEnvFiles, getEnvFilePath } from '../services/envfile.js';
+import { sync } from '../services/git.js';
+import { getConfig, updateConfig } from '../services/config.js';
+import { verifyEncryption, validateSSHKey } from '../services/encryption.js';
+import { makeMutable, makeImmutable } from '../services/protection.js';
+import { printBanner, success, error, info, warning, colors } from '../utils/display.js';
+/**
+ * Change password command
+ * Requires old password to decrypt, then re-encrypts with new password
+ */
+export async function changePasswordCommand() {
+    printBanner();
+    const config = await getConfig();
+    if (!config) {
+        error('Envmatic is not initialized. Run `envmatic init` first.');
+        return;
+    }
+    if (!config.encryptionEnabled) {
+        error('Encryption is not enabled. Nothing to change.');
+        info('Run `envmatic rotate-key` to enable encryption.');
+        return;
+    }
+    if (config.encryptionMethod !== 'password') {
+        error('Current encryption method is SSH key, not password.');
+        info('Use `envmatic rotate-key` to switch encryption methods.');
+        return;
+    }
+    console.log(colors.muted('Change your encryption password.\n'));
+    warning('You will need to enter your current password to proceed.');
+    console.log();
+    // Get old password
+    const { oldPassword } = await inquirer.prompt([
+        {
+            type: 'password',
+            name: 'oldPassword',
+            message: 'Enter your CURRENT password:',
+            mask: '*',
+            validate: (input) => {
+                if (!input || input.length < 8) {
+                    return 'Password must be at least 8 characters';
+                }
+                return true;
+            },
+        },
+    ]);
+    // Verify old password works
+    const oldOptions = {
+        method: 'password',
+        password: oldPassword,
+    };
+    const verifySpinner = ora('Verifying current password...').start();
+    const isValid = await verifyEncryption(oldOptions);
+    if (!isValid) {
+        verifySpinner.fail('Current password is incorrect');
+        error('Cannot proceed without the correct current password.');
+        return;
+    }
+    verifySpinner.succeed('Current password verified');
+    // Get new password
+    console.log();
+    const { newPassword } = await inquirer.prompt([
+        {
+            type: 'password',
+            name: 'newPassword',
+            message: 'Enter your NEW password:',
+            mask: '*',
+            validate: (input) => {
+                if (!input || input.length < 8) {
+                    return 'Password must be at least 8 characters';
+                }
+                if (input === oldPassword) {
+                    return 'New password must be different from current password';
+                }
+                return true;
+            },
+        },
+    ]);
+    // Confirm new password
+    const { confirmPassword } = await inquirer.prompt([
+        {
+            type: 'password',
+            name: 'confirmPassword',
+            message: 'Confirm your NEW password:',
+            mask: '*',
+            validate: (input) => {
+                if (input !== newPassword) {
+                    return 'Passwords do not match';
+                }
+                return true;
+            },
+        },
+    ]);
+    const newOptions = {
+        method: 'password',
+        password: newPassword,
+    };
+    // Get all encrypted files
+    const files = await listEnvFiles();
+    const encryptedFiles = files.filter(f => f.encrypted);
+    if (encryptedFiles.length === 0) {
+        info('No encrypted files found. Password updated for future files.');
+        success('Password changed successfully!');
+        return;
+    }
+    console.log();
+    console.log(colors.muted(`Found ${encryptedFiles.length} encrypted file(s) to re-encrypt.\n`));
+    // Re-encrypt all files
+    const spinner = ora('Re-encrypting files...').start();
+    let processed = 0;
+    let errors = 0;
+    for (const file of encryptedFiles) {
+        try {
+            // Make file mutable if needed
+            const filePath = getEnvFilePath(file.id, file.encrypted);
+            if (file.immutable) {
+                await makeMutable(filePath);
+            }
+            // Read with old password
+            const { variables } = await readEnvFile(file.id, oldOptions);
+            // Write with new password
+            await updateEnvFile(file.id, variables, newOptions);
+            // Restore protection if needed
+            if (file.immutable) {
+                await makeImmutable(filePath);
+            }
+            processed++;
+            spinner.text = `Re-encrypting files... (${processed}/${encryptedFiles.length})`;
+        }
+        catch (err) {
+            errors++;
+            const errorMessage = err instanceof Error ? err.message : String(err);
+            console.error(`\nFailed to re-encrypt ${file.id}: ${errorMessage}`);
+        }
+    }
+    if (errors > 0) {
+        spinner.warn(`Re-encrypted ${processed} files with ${errors} error(s)`);
+    }
+    else {
+        spinner.succeed(`Re-encrypted ${processed} file(s)`);
+    }
+    // Sync to remote
+    const syncSpinner = ora('Syncing to remote...').start();
+    try {
+        await sync();
+        syncSpinner.succeed('Synced to remote');
+    }
+    catch {
+        syncSpinner.warn('Could not sync to remote (will sync later)');
+    }
+    console.log();
+    success('Password changed successfully!');
+    console.log();
+    warning('Remember your new password! It cannot be recovered.');
+    warning('If you forget it, all encrypted data will be permanently lost.');
+}
+/**
+ * Rotate encryption key/method
+ * Can switch between password and SSH key encryption
+ */
+export async function rotateKeyCommand() {
+    printBanner();
+    const config = await getConfig();
+    if (!config) {
+        error('Envmatic is not initialized. Run `envmatic init` first.');
+        return;
+    }
+    console.log(colors.muted('Rotate your encryption key or change encryption method.\n'));
+    // Determine current state
+    const currentMethod = config.encryptionEnabled
+        ? config.encryptionMethod || 'none'
+        : 'none';
+    console.log(colors.muted('Current encryption:') + ' ' +
+        (currentMethod === 'none'
+            ? colors.warning('disabled')
+            : colors.secondary(currentMethod)));
+    console.log();
+    // Get current encryption options if encryption is enabled
+    let oldOptions;
+    if (config.encryptionEnabled && config.encryptionMethod) {
+        warning('You will need to provide your current credentials to proceed.');
+        console.log();
+        if (config.encryptionMethod === 'password') {
+            const { password } = await inquirer.prompt([
+                {
+                    type: 'password',
+                    name: 'password',
+                    message: 'Enter your CURRENT password:',
+                    mask: '*',
+                },
+            ]);
+            oldOptions = { method: 'password', password };
+            // Verify
+            const isValid = await verifyEncryption(oldOptions);
+            if (!isValid) {
+                error('Current password is incorrect. Cannot proceed.');
+                return;
+            }
+            success('Current password verified');
+        }
+        else if (config.encryptionMethod === 'ssh') {
+            oldOptions = {
+                method: 'ssh',
+                sshKeyPath: config.sshKeyPath
+            };
+            // Verify SSH key exists
+            const isValid = await validateSSHKey(config.sshKeyPath);
+            if (!isValid) {
+                error('Current SSH key is not accessible. Cannot proceed.');
+                return;
+            }
+            success('Current SSH key verified');
+        }
+    }
+    console.log();
+    // Ask for new method
+    const { newMethod } = await inquirer.prompt([
+        {
+            type: 'list',
+            name: 'newMethod',
+            message: 'Select new encryption method:',
+            choices: [
+                { name: 'Password encryption', value: 'password' },
+                { name: 'SSH key encryption', value: 'ssh' },
+                { name: 'Disable encryption (not recommended)', value: 'none' },
+            ],
+        },
+    ]);
+    let newOptions;
+    let newSshKeyPath;
+    if (newMethod === 'password') {
+        // Show password warning
+        console.log();
+        console.log(colors.error('╔══════════════════════════════════════════════════════════════╗'));
+        console.log(colors.error('║') + colors.warning('  ⚠️  PASSWORD SECURITY WARNING                                ') + colors.error('║'));
+        console.log(colors.error('╠══════════════════════════════════════════════════════════════╣'));
+        console.log(colors.error('║') + '  Your password is the ONLY way to decrypt your secrets.      ' + colors.error('║'));
+        console.log(colors.error('║') + '  There is NO password recovery mechanism.                    ' + colors.error('║'));
+        console.log(colors.error('║') + '                                                              ' + colors.error('║'));
+        console.log(colors.error('║') + colors.warning('  If you forget your password:                                 ') + colors.error('║'));
+        console.log(colors.error('║') + colors.error('  → All encrypted data will be PERMANENTLY LOST               ') + colors.error('║'));
+        console.log(colors.error('║') + colors.error('  → There is NO way to recover your secrets                   ') + colors.error('║'));
+        console.log(colors.error('║') + '                                                              ' + colors.error('║'));
+        console.log(colors.error('║') + '  We strongly recommend:                                      ' + colors.error('║'));
+        console.log(colors.error('║') + '  • Using a password manager to store your password           ' + colors.error('║'));
+        console.log(colors.error('║') + '  • Writing it down and storing it securely offline           ' + colors.error('║'));
+        console.log(colors.error('╚══════════════════════════════════════════════════════════════╝'));
+        console.log();
+        const { understood } = await inquirer.prompt([
+            {
+                type: 'confirm',
+                name: 'understood',
+                message: 'I understand that forgetting my password means losing all encrypted data',
+                default: false,
+            },
+        ]);
+        if (!understood) {
+            info('Operation cancelled.');
+            return;
+        }
+        const { password } = await inquirer.prompt([
+            {
+                type: 'password',
+                name: 'password',
+                message: 'Enter your NEW password:',
+                mask: '*',
+                validate: (input) => {
+                    if (!input || input.length < 8) {
+                        return 'Password must be at least 8 characters';
+                    }
+                    return true;
+                },
+            },
+        ]);
+        const { confirmPwd } = await inquirer.prompt([
+            {
+                type: 'password',
+                name: 'confirmPwd',
+                message: 'Confirm your NEW password:',
+                mask: '*',
+                validate: (input) => {
+                    if (input !== password) {
+                        return 'Passwords do not match';
+                    }
+                    return true;
+                },
+            },
+        ]);
+        newOptions = { method: 'password', password };
+    }
+    else if (newMethod === 'ssh') {
+        const { keyPath } = await inquirer.prompt([
+            {
+                type: 'input',
+                name: 'keyPath',
+                message: 'Path to SSH private key:',
+                default: '~/.ssh/id_rsa',
+            },
+        ]);
+        newSshKeyPath = keyPath.replace(/^~/, process.env.HOME || '');
+        const validKey = await validateSSHKey(newSshKeyPath);
+        if (!validKey) {
+            error('Invalid SSH key file. Please check the path and try again.');
+            return;
+        }
+        success('SSH key validated');
+        newOptions = { method: 'ssh', sshKeyPath: newSshKeyPath };
+    }
+    else {
+        // Disabling encryption
+        warning('Disabling encryption will store all files in PLAIN TEXT.');
+        warning('Anyone with access to the repository will be able to read your secrets.');
+        const { confirm } = await inquirer.prompt([
+            {
+                type: 'confirm',
+                name: 'confirm',
+                message: 'Are you sure you want to disable encryption?',
+                default: false,
+            },
+        ]);
+        if (!confirm) {
+            info('Operation cancelled.');
+            return;
+        }
+    }
+    // Get all files
+    const files = await listEnvFiles();
+    const encryptedFiles = files.filter(f => f.encrypted);
+    console.log();
+    if (encryptedFiles.length === 0) {
+        // No files to re-encrypt, just update config
+        await updateConfig({
+            encryptionEnabled: newMethod !== 'none',
+            encryptionMethod: newMethod === 'none' ? undefined : newMethod,
+            sshKeyPath: newSshKeyPath,
+        });
+        success('Encryption settings updated!');
+        info('New settings will apply to future files.');
+        return;
+    }
+    console.log(colors.muted(`Found ${encryptedFiles.length} encrypted file(s) to process.\n`));
+    // Re-encrypt all files
+    const spinner = ora('Processing files...').start();
+    let processed = 0;
+    let errors = 0;
+    for (const file of encryptedFiles) {
+        try {
+            const filePath = getEnvFilePath(file.id, file.encrypted);
+            // Make file mutable if needed
+            if (file.immutable) {
+                await makeMutable(filePath);
+            }
+            // Read with old options
+            const { variables } = await readEnvFile(file.id, oldOptions);
+            // Write with new options (or no encryption if disabling)
+            await updateEnvFile(file.id, variables, newOptions);
+            // Restore protection if needed
+            if (file.immutable) {
+                // File path might have changed (added/removed .enc extension)
+                const newFilePath = getEnvFilePath(file.id, newMethod !== 'none');
+                await makeImmutable(newFilePath);
+            }
+            processed++;
+            spinner.text = `Processing files... (${processed}/${encryptedFiles.length})`;
+        }
+        catch (err) {
+            errors++;
+            const errorMessage = err instanceof Error ? err.message : String(err);
+            console.error(`\nFailed to process ${file.id}: ${errorMessage}`);
+        }
+    }
+    if (errors > 0) {
+        spinner.warn(`Processed ${processed} files with ${errors} error(s)`);
+    }
+    else {
+        spinner.succeed(`Processed ${processed} file(s)`);
+    }
+    // Update config
+    await updateConfig({
+        encryptionEnabled: newMethod !== 'none',
+        encryptionMethod: newMethod === 'none' ? undefined : newMethod,
+        sshKeyPath: newSshKeyPath,
+    });
+    // Sync to remote
+    const syncSpinner = ora('Syncing to remote...').start();
+    try {
+        await sync();
+        syncSpinner.succeed('Synced to remote');
+    }
+    catch {
+        syncSpinner.warn('Could not sync to remote (will sync later)');
+    }
+    console.log();
+    success('Encryption key rotated successfully!');
+    if (newMethod === 'password') {
+        console.log();
+        warning('Remember your password! It cannot be recovered.');
+        warning('If you forget it, all encrypted data will be permanently lost.');
+    }
+}
+//# sourceMappingURL=rotate.js.map