lazy-vault 1.0.0

package/LICENCE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ghost
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,179 @@
+# Lazy Vault
+
+![npm version](https://img.shields.io/npm/v/lazy-vault?color=blue)
+![license](https://img.shields.io/badge/license-MIT-green)
+![status](https://img.shields.io/badge/status-stable-brightgreen)
+
+**Stop leaking secrets & Start committing safely.**
+
+`lazy-vault` is a simple CLI tool that lets you **encrypt `.env` files**, commit them to Git safely, and **sync secrets across machines** using a password you control.
+
+No cloud. No accounts. No lock-in.
+
+---
+
+## Why Lazy Vault?
+
+Environment variables are:
+
+- Critical
+- Sensitive
+- Painful to share across machines and teams
+
+`.env` files don’t belong in Git — but **encrypted `.env` files do**.
+
+`lazy-vault` solves this by giving you a **password-based, zero-trust workflow**.
+
+---
+
+## Core Features
+
+- **Strong Encryption**
+  Uses modern, authenticated encryption with a password-derived key.
+
+- **Git-Friendly**
+  Encrypt once → commit `.env.enc` → safely sync anywhere.
+
+- **Simple CLI Workflow**
+  Two commands. No config files. No magic.
+
+- **Merge-Aware Syncing**
+  Remote secrets override conflicts, local-only keys are preserved.
+
+- **Safe by Default**
+  Automatically adds `.env` to `.gitignore`.
+
+---
+
+## Installation
+
+```bash
+npm install -g lazy-vault
+```
+
+Or use without installing:
+
+```bash
+npx lazy-vault
+```
+
+---
+
+## Quick Start
+
+### Encrypt Your `.env`
+
+```bash
+lazy-vault lock
+```
+
+You will be prompted for a password.
+
+This will:
+
+- Encrypt `.env` → `.env.enc`
+- Add `.env` to `.gitignore`
+- Leave `.env.enc` safe to commit
+
+```bash
+git add .env.enc
+git commit -m "Add encrypted env"
+```
+
+---
+
+### Sync on Another Machine
+
+```bash
+lazy-vault sync
+```
+
+- Enter the same password
+- `.env` will be created or merged automatically
+
+---
+
+## How It Works (High Level)
+
+1. Your password is converted into a cryptographic key using a memory-hard algorithm
+2. `.env` is encrypted using authenticated encryption
+3. The encrypted file (`.env.enc`) contains:
+   - A random salt
+   - A random IV
+   - An authentication tag
+   - The encrypted payload
+
+4. On sync, the file is decrypted and merged safely
+
+**Your password is never stored. Ever.**
+
+---
+
+## Security Model
+
+- **Zero-Knowledge**:
+  `lazy-vault` cannot recover your password.
+
+- **Authenticated Encryption**:
+  Tampered or corrupted files will fail to decrypt.
+
+- **Local-Only Secrets**:
+  All encryption happens on your machine.
+
+**Important**
+If you lose your password, your secrets cannot be recovered.
+
+---
+
+## Supported `.env` Format
+
+- Simple `KEY=value` pairs
+- Comments (`#`) are ignored
+- Quotes are supported
+
+```env
+DATABASE_URL="postgres://localhost/db"
+API_KEY=super-secret
+```
+
+Advanced `.env` features (multiline values, shell expansion) are intentionally not supported.
+
+---
+
+## Commands
+
+### `lazy-vault lock`
+
+Encrypts `.env` into `.env.enc`.
+
+```bash
+lazy-vault lock
+```
+
+---
+
+### `lazy-vault sync`
+
+Decrypts `.env.enc` and merges it into `.env`.
+
+```bash
+lazy-vault sync
+```
+
+---
+
+## Contributing
+
+Contributions are welcome.
+
+1. Fork the repo
+2. Create a feature branch
+3. Open a pull request
+
+Security-related issues should be reported responsibly.
+
+---
+
+## 📄 License
+
+MIT License © ghost

package/dist/cli/bin.js

@@ -0,0 +1,261 @@
+#!/usr/bin/env node
+
+// src/cli/bin.ts
+import { Command as Command3 } from "commander";
+
+// src/cli/commands/sync.ts
+import { Command } from "commander";
+import chalk from "chalk";
+import inquirer from "inquirer";
+
+// src/lib/storage.ts
+import fs from "fs-extra";
+
+// src/constants/index.ts
+var ENC_FILE = ".env.enc";
+var RAW_FILE = ".env";
+
+// src/lib/storage.ts
+async function hasRawEnv() {
+  return fs.pathExists(RAW_FILE);
+}
+async function hasEncEnv() {
+  return fs.pathExists(ENC_FILE);
+}
+async function readRawEnv() {
+  if (!await hasRawEnv()) return "";
+  return fs.readFile(RAW_FILE, "utf-8");
+}
+async function readEncEnv() {
+  if (!await hasEncEnv()) {
+    throw new Error("No encrypted .env.enc file found.");
+  }
+  return fs.readFile(ENC_FILE, "utf-8");
+}
+async function writeRawEnv(content) {
+  await fs.writeFile(RAW_FILE, content, "utf-8");
+}
+async function writeEncEnv(content) {
+  await fs.writeFile(ENC_FILE, content, "utf-8");
+}
+async function ensureGitIgnore() {
+  const gitignorePath = ".gitignore";
+  const ignoreRule = "\n# Added by lazy-vault\n.env\n";
+  if (!await fs.pathExists(gitignorePath)) {
+    await fs.writeFile(gitignorePath, ignoreRule);
+    return;
+  }
+  const content = await fs.readFile(gitignorePath, "utf-8");
+  if (!content.includes(".env")) {
+    await fs.appendFile(gitignorePath, ignoreRule);
+  }
+}
+
+// src/lib/crypto.ts
+import crypto from "crypto";
+import argon2 from "argon2";
+var ALGORITHM = "aes-256-gcm";
+var VERSION = "v1";
+async function encrypt(text, password) {
+  const salt = crypto.randomBytes(16);
+  const iv = crypto.randomBytes(16);
+  const key = await argon2.hash(password, {
+    type: argon2.argon2id,
+    salt,
+    raw: true,
+    hashLength: 32,
+    timeCost: 3,
+    memoryCost: 65536,
+    parallelism: 1
+  });
+  if (ALGORITHM !== "aes-256-gcm") {
+    throw new Error("Unsupported encryption algorithm");
+  }
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(text, "utf8"),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  key.fill(0);
+  return `${VERSION}:${salt.toString("hex")}:${iv.toString("hex")}:${authTag.toString("hex")}:${encrypted.toString("hex")}`;
+}
+async function decrypt(encryptedText, password) {
+  const parts = encryptedText.split(":");
+  if (parts.length !== 5) {
+    throw new Error("Invalid encrypted file format");
+  }
+  const [version, saltHex, ivHex, authTagHex, cipherTextHex] = parts;
+  if (version !== "v1") {
+    throw new Error(`Unsupported encrypted format version: ${version}`);
+  }
+  const salt = Buffer.from(saltHex, "hex");
+  const iv = Buffer.from(ivHex, "hex");
+  const authTag = Buffer.from(authTagHex, "hex");
+  const cipherText = Buffer.from(cipherTextHex, "hex");
+  const key = await argon2.hash(password, {
+    type: argon2.argon2id,
+    salt,
+    raw: true,
+    hashLength: 32,
+    timeCost: 3,
+    memoryCost: 65536,
+    parallelism: 1
+  });
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(authTag);
+  const decrypted = Buffer.concat([
+    decipher.update(cipherText),
+    decipher.final()
+  ]);
+  key.fill(0);
+  return decrypted.toString("utf8");
+}
+
+// src/lib/parser.ts
+function parse(content) {
+  const result = {};
+  const lines = content.split(/\r?\n/);
+  for (const line of lines) {
+    const trimmedLine = line.trim();
+    if (trimmedLine === "" || trimmedLine.startsWith("#")) {
+      continue;
+    }
+    if (!trimmedLine.includes("=")) {
+      throw new Error(`Invalid env line (missing '='): ${line}`);
+    }
+    const [rawKey, ...valueParts] = trimmedLine.split("=");
+    const key = rawKey.trim();
+    if (!key) {
+      throw new Error(`Invalid env line (empty key): ${line}`);
+    }
+    const value = valueParts.join("=");
+    const cleanValue = value.replace(/^['"](.*)['"]$/, "$1").trim();
+    result[key] = cleanValue;
+  }
+  return result;
+}
+function stringify(envObject) {
+  let result = "";
+  for (const [key, value] of Object.entries(envObject)) {
+    result += `${key}=${value}
+`;
+  }
+  return result.trimEnd();
+}
+function merge(local, remote) {
+  return { ...local, ...remote };
+}
+
+// src/cli/commands/sync.ts
+var syncCommand = new Command("sync").description("Decrypts .env.enc and merges it with local .env").action(async () => {
+  try {
+    console.log(chalk.blue("Preparing to Sync (Decrypt)..."));
+    if (!await hasEncEnv()) {
+      console.error(chalk.red("Error: No .env.enc file found."));
+      process.exit(1);
+    }
+    const answers = await inquirer.prompt([
+      {
+        type: "password",
+        name: "password",
+        message: "Enter password to decrypt:",
+        mask: "*"
+      }
+    ]);
+    const password = answers.password;
+    const encryptedContent = await readEncEnv();
+    let decryptedRaw = "";
+    try {
+      decryptedRaw = await decrypt(encryptedContent, password);
+    } catch (e) {
+      throw new Error("Invalid password or corrupted file.");
+    }
+    const remoteObj = parse(decryptedRaw);
+    let finalObj = remoteObj;
+    let actionMsg = "Created new .env";
+    if (await hasRawEnv()) {
+      console.log(chalk.gray("Local .env found. Merging..."));
+      const localRaw = await readRawEnv();
+      const localObj = parse(localRaw);
+      finalObj = merge(localObj, remoteObj);
+      actionMsg = "Merged with local .env";
+    }
+    const finalString = stringify(finalObj);
+    await writeRawEnv(finalString);
+    console.log(chalk.green(`
+Success! ${actionMsg}`));
+    console.log(
+      chalk.white("Keys in final .env: ") + chalk.yellow(Object.keys(finalObj).length)
+    );
+  } catch (error) {
+    console.error(chalk.red("\nFailed:"), error.message);
+    process.exit(1);
+  }
+});
+
+// src/cli/commands/lock.ts
+import { Command as Command2 } from "commander";
+import chalk2 from "chalk";
+import inquirer2 from "inquirer";
+var lockCommand = new Command2("lock").description("Encrypts local .env file and saves it to env.enc").action(async () => {
+  try {
+    console.log(chalk2.blue("Preparing to lock (Encrypt)..."));
+    if (!await hasRawEnv()) {
+      console.error(chalk2.red("Error: No .env file found to encrypt."));
+      process.exit(1);
+    }
+    const answers = await inquirer2.prompt([
+      {
+        type: "password",
+        name: "password",
+        message: "Enter Password to encrypt: ",
+        mask: "*",
+        validate: (input) => input.length > 0 ? true : "Password cannot be empty."
+      },
+      {
+        type: "password",
+        name: "passwordConfirm",
+        message: "Confirm password:",
+        mask: "*",
+        validate: (input, answers2) => input === answers2.password || "Passwords do not match."
+      }
+    ]);
+    const password = answers.password;
+    const rawContent = await readRawEnv();
+    const parsed = parse(rawContent);
+    const keysCount = Object.keys(parsed).length;
+    const encryptedData = await encrypt(rawContent, password);
+    await writeEncEnv(encryptedData);
+    await ensureGitIgnore();
+    console.log(
+      chalk2.green(`
+Success! Encrypted ${keysCount} secrets to .env.enc`)
+    );
+    console.log(chalk2.gray("You can now commit .env.enc to Git."));
+  } catch (error) {
+    console.error(chalk2.red("\n Failed:"), error.message);
+    process.exit(1);
+  }
+});
+
+// src/cli/bin.ts
+import chalk3 from "chalk";
+var program = new Command3();
+program.name("lazy-vault").description("A secure, simple way to manage encrypted .env files in Git").version("1.0.0");
+program.addCommand(syncCommand);
+program.addCommand(lockCommand);
+program.on("command:*", () => {
+  console.error(
+    chalk3.red(
+      "Invalid command: %s\nSee --help for a list of available commands."
+    ),
+    program.args.join(" ")
+  );
+  process.exit(1);
+});
+program.parse(process.argv);
+if (!process.argv.slice(2).length) {
+  program.outputHelp();
+}
+//# sourceMappingURL=bin.js.map

package/dist/cli/bin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/cli/bin.ts","../../src/cli/commands/sync.ts","../../src/lib/storage.ts","../../src/constants/index.ts","../../src/lib/crypto.ts","../../src/lib/parser.ts","../../src/cli/commands/lock.ts"],"sourcesContent":["#!/usr/bin/env node\r\nimport { Command } from \"commander\";\r\nimport { syncCommand } from \"./commands/sync\";\r\nimport { lockCommand } from \"./commands/lock\";\r\nimport chalk from \"chalk\";\r\n\r\nconst program = new Command();\r\n\r\nprogram\r\n  .name(\"lazy-vault\")\r\n  .description(\"A secure, simple way to manage encrypted .env files in Git\")\r\n  .version(\"1.0.0\");\r\n\r\nprogram.addCommand(syncCommand);\r\nprogram.addCommand(lockCommand);\r\n\r\nprogram.on(\"command:*\", () => {\r\n  console.error(\r\n    chalk.red(\r\n      \"Invalid command: %s\\nSee --help for a list of available commands.\",\r\n    ),\r\n    program.args.join(\" \"),\r\n  );\r\n  process.exit(1);\r\n});\r\n\r\nprogram.parse(process.argv);\r\n\r\nif (!process.argv.slice(2).length) {\r\n  program.outputHelp();\r\n}\r\n","import { Command } from \"commander\";\r\nimport chalk from \"chalk\";\r\nimport inquirer from \"inquirer\";\r\n\r\nimport * as storage from \"../../lib/storage\";\r\nimport * as crypto from \"../../lib/crypto\";\r\nimport * as parser from \"../../lib/parser\";\r\n\r\nexport const syncCommand = new Command(\"sync\")\r\n  .description(\"Decrypts .env.enc and merges it with local .env\")\r\n  .action(async () => {\r\n    try {\r\n      console.log(chalk.blue(\"Preparing to Sync (Decrypt)...\"));\r\n\r\n      if (!(await storage.hasEncEnv())) {\r\n        console.error(chalk.red(\"Error: No .env.enc file found.\"));\r\n        process.exit(1);\r\n      }\r\n\r\n      const answers = await inquirer.prompt([\r\n        {\r\n          type: \"password\",\r\n          name: \"password\",\r\n          message: \"Enter password to decrypt:\",\r\n          mask: \"*\",\r\n        },\r\n      ]);\r\n\r\n      const password = answers.password;\r\n\r\n      const encryptedContent = await storage.readEncEnv();\r\n      let decryptedRaw = \"\";\r\n\r\n      try {\r\n        decryptedRaw = await crypto.decrypt(encryptedContent, password);\r\n      } catch (e) {\r\n        throw new Error(\"Invalid password or corrupted file.\");\r\n      }\r\n\r\n      const remoteObj = parser.parse(decryptedRaw);\r\n\r\n      let finalObj = remoteObj;\r\n      let actionMsg = \"Created new .env\";\r\n\r\n      if (await storage.hasRawEnv()) {\r\n        console.log(chalk.gray(\"Local .env found. Merging...\"));\r\n        const localRaw = await storage.readRawEnv();\r\n        const localObj = parser.parse(localRaw);\r\n\r\n        // MERGE: Remote wins conflicts, Local keeps unique keys\r\n        finalObj = parser.merge(localObj, remoteObj);\r\n        actionMsg = \"Merged with local .env\";\r\n      }\r\n\r\n      const finalString = parser.stringify(finalObj);\r\n      await storage.writeRawEnv(finalString);\r\n\r\n      console.log(chalk.green(`\\nSuccess! ${actionMsg}`));\r\n      console.log(\r\n        chalk.white(\"Keys in final .env: \") +\r\n          chalk.yellow(Object.keys(finalObj).length),\r\n      );\r\n    } catch (error: any) {\r\n      console.error(chalk.red(\"\\nFailed:\"), error.message);\r\n      process.exit(1);\r\n    }\r\n  });\r\n","import fs from \"fs-extra\";\r\nimport { ENC_FILE, RAW_FILE } from \"../constants\";\r\n\r\n/**\r\n * Checks if the raw .env file exists.\r\n * @return True if the file exists, false otherwise\r\n */\r\nexport async function hasRawEnv(): Promise<boolean> {\r\n  return fs.pathExists(RAW_FILE);\r\n}\r\n\r\n/**\r\n * Checks if the encrypted .env file exists.\r\n * @return True if the file exists, false otherwise\r\n */\r\nexport async function hasEncEnv(): Promise<boolean> {\r\n  return fs.pathExists(ENC_FILE);\r\n}\r\n\r\n/**\r\n * Reads the RAW .env file.\r\n * @return The content of the raw .env file\r\n */\r\nexport async function readRawEnv(): Promise<string> {\r\n  if (!(await hasRawEnv())) return \"\";\r\n  return fs.readFile(RAW_FILE, \"utf-8\");\r\n}\r\n\r\n/**\r\n * Reads the ENCRYPTED .env.enc file.\r\n * @return The content of the encrypted .env.enc file\r\n */\r\nexport async function readEncEnv(): Promise<string> {\r\n  if (!(await hasEncEnv())) {\r\n    throw new Error(\"No encrypted .env.enc file found.\");\r\n  }\r\n  return fs.readFile(ENC_FILE, \"utf-8\");\r\n}\r\n\r\n/**\r\n * Writes data to the RAW .env file.\r\n * @param content The content to write to the raw .env file\r\n * @return A promise that resolves when the write is complete\r\n */\r\nexport async function writeRawEnv(content: string): Promise<void> {\r\n  await fs.writeFile(RAW_FILE, content, \"utf-8\");\r\n}\r\n\r\n/**\r\n * Writes data to the ENCRYPTED .env.enc file.\r\n * @param content The content to write to the encrypted .env.enc file\r\n * @return A promise that resolves when the write is complete\r\n */\r\nexport async function writeEncEnv(content: string): Promise<void> {\r\n  await fs.writeFile(ENC_FILE, content, \"utf-8\");\r\n}\r\n\r\n/**\r\n * Adds .env to .gitignore if it's missing.\r\n * This is a safety feature to prevent accidental commits.\r\n */\r\nexport async function ensureGitIgnore(): Promise<void> {\r\n  const gitignorePath = \".gitignore\";\r\n  const ignoreRule = \"\\n# Added by lazy-vault\\n.env\\n\";\r\n\r\n  if (!(await fs.pathExists(gitignorePath))) {\r\n    await fs.writeFile(gitignorePath, ignoreRule);\r\n    return;\r\n  }\r\n\r\n  const content = await fs.readFile(gitignorePath, \"utf-8\");\r\n  if (!content.includes(\".env\")) {\r\n    await fs.appendFile(gitignorePath, ignoreRule);\r\n  }\r\n}\r\n","export const ALGORITHM = \"aes-256-gcm\";\r\nexport const ENC_FILE = \".env.enc\";\r\nexport const RAW_FILE = \".env\";\r\n","import crypto from \"node:crypto\";\r\nimport argon2 from \"argon2\";\r\n\r\nconst ALGORITHM = \"aes-256-gcm\" as const;\r\nconst VERSION = \"v1\";\r\n\r\n/**\r\n * Encrypts a raw string using a password.\r\n * Format: salt:iv:authTag:cipherText\r\n * @param text The string to encrypt\r\n * @param password The password to use for encryption\r\n */\r\n\r\nexport async function encrypt(text: string, password: string): Promise<string> {\r\n  const salt = crypto.randomBytes(16);\r\n  const iv = crypto.randomBytes(16);\r\n\r\n  const key = await argon2.hash(password, {\r\n    type: argon2.argon2id,\r\n    salt: salt,\r\n    raw: true,\r\n    hashLength: 32,\r\n    timeCost: 3,\r\n    memoryCost: 65536,\r\n    parallelism: 1,\r\n  });\r\n\r\n  if (ALGORITHM !== \"aes-256-gcm\") {\r\n    throw new Error(\"Unsupported encryption algorithm\");\r\n  }\r\n\r\n  const cipher = crypto.createCipheriv(ALGORITHM, key, iv);\r\n\r\n  const encrypted = Buffer.concat([\r\n    cipher.update(text, \"utf8\"),\r\n    cipher.final(),\r\n  ]);\r\n  const authTag = cipher.getAuthTag();\r\n\r\n  key.fill(0);\r\n\r\n  return `${VERSION}:${salt.toString(\"hex\")}:${iv.toString(\"hex\")}:${authTag.toString(\"hex\")}:${encrypted.toString(\"hex\")}`;\r\n}\r\n\r\n/** * Decrypts an encrypted string using a password.\r\n * @param encryptedText The encrypted string to decrypt\r\n * @param password The password to use for decryption\r\n * @return The decrypted string\r\n */\r\nexport async function decrypt(\r\n  encryptedText: string,\r\n  password: string,\r\n): Promise<string> {\r\n  const parts = encryptedText.split(\":\");\r\n\r\n  if (parts.length !== 5) {\r\n    throw new Error(\"Invalid encrypted file format\");\r\n  }\r\n  const [version, saltHex, ivHex, authTagHex, cipherTextHex] = parts as [\r\n    string,\r\n    string,\r\n    string,\r\n    string,\r\n    string,\r\n  ];\r\n\r\n  if (version !== \"v1\") {\r\n    throw new Error(`Unsupported encrypted format version: ${version}`);\r\n  }\r\n  const salt = Buffer.from(saltHex, \"hex\");\r\n  const iv = Buffer.from(ivHex, \"hex\");\r\n  const authTag = Buffer.from(authTagHex, \"hex\");\r\n  const cipherText = Buffer.from(cipherTextHex, \"hex\");\r\n\r\n  const key = await argon2.hash(password, {\r\n    type: argon2.argon2id,\r\n    salt: salt,\r\n    raw: true,\r\n    hashLength: 32,\r\n    timeCost: 3,\r\n    memoryCost: 65536,\r\n    parallelism: 1,\r\n  });\r\n\r\n  const decipher = crypto.createDecipheriv(ALGORITHM, key, iv);\r\n  decipher.setAuthTag(authTag);\r\n\r\n  const decrypted = Buffer.concat([\r\n    decipher.update(cipherText),\r\n    decipher.final(),\r\n  ]);\r\n\r\n  key.fill(0);\r\n\r\n  return decrypted.toString(\"utf8\");\r\n}\r\n","import type { EnvObject } from \"..\";\r\n\r\n/**\r\n * Parses a raw .env string into a Key-Value object.\r\n * Ignores comments and empty lines.\r\n * @param content The raw .env string\r\n * @return An object representing the parsed .env variables\r\n */\r\n\r\nexport function parse(content: string): EnvObject {\r\n  const result: EnvObject = {};\r\n  const lines = content.split(/\\r?\\n/);\r\n\r\n  for (const line of lines) {\r\n    const trimmedLine = line.trim();\r\n    if (trimmedLine === \"\" || trimmedLine.startsWith(\"#\")) {\r\n      continue;\r\n    }\r\n\r\n    if (!trimmedLine.includes(\"=\")) {\r\n      throw new Error(`Invalid env line (missing '='): ${line}`);\r\n    }\r\n\r\n    const [rawKey, ...valueParts] = trimmedLine.split(\"=\") as [string, any];\r\n\r\n    const key = rawKey.trim();\r\n    if (!key) {\r\n      throw new Error(`Invalid env line (empty key): ${line}`);\r\n    }\r\n\r\n    const value = valueParts.join(\"=\");\r\n    const cleanValue = value.replace(/^['\"](.*)['\"]$/, \"$1\").trim();\r\n\r\n    result[key] = cleanValue;\r\n  }\r\n\r\n  return result;\r\n}\r\n\r\n/**\r\n * Stringifies a Key-Value object into a raw .env string.\r\n * @param envObject The object representing .env variables\r\n * @return A raw .env string\r\n */\r\nexport function stringify(envObject: EnvObject): string {\r\n  let result = \"\";\r\n  for (const [key, value] of Object.entries(envObject)) {\r\n    result += `${key}=${value}\\n`;\r\n  }\r\n\r\n  return result.trimEnd();\r\n}\r\n\r\n/**\r\n * Merge logic\r\n * Remote keys override local keys if they exist\r\n * Unique keys from both are preserved\r\n * @param local The local .env object\r\n * @param remote The remote .env object\r\n */\r\n\r\nexport function merge(local: EnvObject, remote: EnvObject): EnvObject {\r\n  return { ...local, ...remote };\r\n}\r\n","import { Command } from \"commander\";\r\nimport chalk from \"chalk\";\r\nimport inquirer, { type Answers } from \"inquirer\";\r\n\r\nimport * as storage from \"../../lib/storage\";\r\nimport * as crypto from \"../../lib/crypto\";\r\nimport { parse } from \"../../lib/parser\";\r\n\r\nexport const lockCommand = new Command(\"lock\")\r\n  .description(\"Encrypts local .env file and saves it to env.enc\")\r\n  .action(async () => {\r\n    try {\r\n      console.log(chalk.blue(\"Preparing to lock (Encrypt)...\"));\r\n\r\n      if (!(await storage.hasRawEnv())) {\r\n        console.error(chalk.red(\"Error: No .env file found to encrypt.\"));\r\n        process.exit(1);\r\n      }\r\n\r\n      const answers = await inquirer.prompt([\r\n        {\r\n          type: \"password\",\r\n          name: \"password\",\r\n          message: \"Enter Password to encrypt: \",\r\n          mask: \"*\",\r\n          validate: (input) =>\r\n            input.length > 0 ? true : \"Password cannot be empty.\",\r\n        },\r\n        {\r\n          type: \"password\",\r\n          name: \"passwordConfirm\",\r\n          message: \"Confirm password:\",\r\n          mask: \"*\",\r\n          validate: (input: string, answers: Answers) =>\r\n            input === answers.password || \"Passwords do not match.\",\r\n        },\r\n      ]);\r\n\r\n      const password = answers.password;\r\n\r\n      const rawContent = await storage.readRawEnv();\r\n      const parsed = parse(rawContent);\r\n      const keysCount = Object.keys(parsed).length;\r\n\r\n      const encryptedData = await crypto.encrypt(rawContent, password);\r\n      await storage.writeEncEnv(encryptedData);\r\n      await storage.ensureGitIgnore();\r\n\r\n      console.log(\r\n        chalk.green(`\\nSuccess! Encrypted ${keysCount} secrets to .env.enc`),\r\n      );\r\n      console.log(chalk.gray(\"You can now commit .env.enc to Git.\"));\r\n    } catch (error: any) {\r\n      console.error(chalk.red(\"\\n Failed:\"), error.message);\r\n      process.exit(1);\r\n    }\r\n  });\r\n"],"mappings":";;;AACA,SAAS,WAAAA,gBAAe;;;ACDxB,SAAS,eAAe;AACxB,OAAO,WAAW;AAClB,OAAO,cAAc;;;ACFrB,OAAO,QAAQ;;;ACCR,IAAM,WAAW;AACjB,IAAM,WAAW;;;ADKxB,eAAsB,YAA8B;AAClD,SAAO,GAAG,WAAW,QAAQ;AAC/B;AAMA,eAAsB,YAA8B;AAClD,SAAO,GAAG,WAAW,QAAQ;AAC/B;AAMA,eAAsB,aAA8B;AAClD,MAAI,CAAE,MAAM,UAAU,EAAI,QAAO;AACjC,SAAO,GAAG,SAAS,UAAU,OAAO;AACtC;AAMA,eAAsB,aAA8B;AAClD,MAAI,CAAE,MAAM,UAAU,GAAI;AACxB,UAAM,IAAI,MAAM,mCAAmC;AAAA,EACrD;AACA,SAAO,GAAG,SAAS,UAAU,OAAO;AACtC;AAOA,eAAsB,YAAY,SAAgC;AAChE,QAAM,GAAG,UAAU,UAAU,SAAS,OAAO;AAC/C;AAOA,eAAsB,YAAY,SAAgC;AAChE,QAAM,GAAG,UAAU,UAAU,SAAS,OAAO;AAC/C;AAMA,eAAsB,kBAAiC;AACrD,QAAM,gBAAgB;AACtB,QAAM,aAAa;AAEnB,MAAI,CAAE,MAAM,GAAG,WAAW,aAAa,GAAI;AACzC,UAAM,GAAG,UAAU,eAAe,UAAU;AAC5C;AAAA,EACF;AAEA,QAAM,UAAU,MAAM,GAAG,SAAS,eAAe,OAAO;AACxD,MAAI,CAAC,QAAQ,SAAS,MAAM,GAAG;AAC7B,UAAM,GAAG,WAAW,eAAe,UAAU;AAAA,EAC/C;AACF;;;AE1EA,OAAO,YAAY;AACnB,OAAO,YAAY;AAEnB,IAAM,YAAY;AAClB,IAAM,UAAU;AAShB,eAAsB,QAAQ,MAAc,UAAmC;AAC7E,QAAM,OAAO,OAAO,YAAY,EAAE;AAClC,QAAM,KAAK,OAAO,YAAY,EAAE;AAEhC,QAAM,MAAM,MAAM,OAAO,KAAK,UAAU;AAAA,IACtC,MAAM,OAAO;AAAA,IACb;AAAA,IACA,KAAK;AAAA,IACL,YAAY;AAAA,IACZ,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf,CAAC;AAED,MAAI,cAAc,eAAe;AAC/B,UAAM,IAAI,MAAM,kCAAkC;AAAA,EACpD;AAEA,QAAM,SAAS,OAAO,eAAe,WAAW,KAAK,EAAE;AAEvD,QAAM,YAAY,OAAO,OAAO;AAAA,IAC9B,OAAO,OAAO,MAAM,MAAM;AAAA,IAC1B,OAAO,MAAM;AAAA,EACf,CAAC;AACD,QAAM,UAAU,OAAO,WAAW;AAElC,MAAI,KAAK,CAAC;AAEV,SAAO,GAAG,OAAO,IAAI,KAAK,SAAS,KAAK,CAAC,IAAI,GAAG,SAAS,KAAK,CAAC,IAAI,QAAQ,SAAS,KAAK,CAAC,IAAI,UAAU,SAAS,KAAK,CAAC;AACzH;AAOA,eAAsB,QACpB,eACA,UACiB;AACjB,QAAM,QAAQ,cAAc,MAAM,GAAG;AAErC,MAAI,MAAM,WAAW,GAAG;AACtB,UAAM,IAAI,MAAM,+BAA+B;AAAA,EACjD;AACA,QAAM,CAAC,SAAS,SAAS,OAAO,YAAY,aAAa,IAAI;AAQ7D,MAAI,YAAY,MAAM;AACpB,UAAM,IAAI,MAAM,yCAAyC,OAAO,EAAE;AAAA,EACpE;AACA,QAAM,OAAO,OAAO,KAAK,SAAS,KAAK;AACvC,QAAM,KAAK,OAAO,KAAK,OAAO,KAAK;AACnC,QAAM,UAAU,OAAO,KAAK,YAAY,KAAK;AAC7C,QAAM,aAAa,OAAO,KAAK,eAAe,KAAK;AAEnD,QAAM,MAAM,MAAM,OAAO,KAAK,UAAU;AAAA,IACtC,MAAM,OAAO;AAAA,IACb;AAAA,IACA,KAAK;AAAA,IACL,YAAY;AAAA,IACZ,UAAU;AAAA,IACV,YAAY;AAAA,IACZ,aAAa;AAAA,EACf,CAAC;AAED,QAAM,WAAW,OAAO,iBAAiB,WAAW,KAAK,EAAE;AAC3D,WAAS,WAAW,OAAO;AAE3B,QAAM,YAAY,OAAO,OAAO;AAAA,IAC9B,SAAS,OAAO,UAAU;AAAA,IAC1B,SAAS,MAAM;AAAA,EACjB,CAAC;AAED,MAAI,KAAK,CAAC;AAEV,SAAO,UAAU,SAAS,MAAM;AAClC;;;ACtFO,SAAS,MAAM,SAA4B;AAChD,QAAM,SAAoB,CAAC;AAC3B,QAAM,QAAQ,QAAQ,MAAM,OAAO;AAEnC,aAAW,QAAQ,OAAO;AACxB,UAAM,cAAc,KAAK,KAAK;AAC9B,QAAI,gBAAgB,MAAM,YAAY,WAAW,GAAG,GAAG;AACrD;AAAA,IACF;AAEA,QAAI,CAAC,YAAY,SAAS,GAAG,GAAG;AAC9B,YAAM,IAAI,MAAM,mCAAmC,IAAI,EAAE;AAAA,IAC3D;AAEA,UAAM,CAAC,QAAQ,GAAG,UAAU,IAAI,YAAY,MAAM,GAAG;AAErD,UAAM,MAAM,OAAO,KAAK;AACxB,QAAI,CAAC,KAAK;AACR,YAAM,IAAI,MAAM,iCAAiC,IAAI,EAAE;AAAA,IACzD;AAEA,UAAM,QAAQ,WAAW,KAAK,GAAG;AACjC,UAAM,aAAa,MAAM,QAAQ,kBAAkB,IAAI,EAAE,KAAK;AAE9D,WAAO,GAAG,IAAI;AAAA,EAChB;AAEA,SAAO;AACT;AAOO,SAAS,UAAU,WAA8B;AACtD,MAAI,SAAS;AACb,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,SAAS,GAAG;AACpD,cAAU,GAAG,GAAG,IAAI,KAAK;AAAA;AAAA,EAC3B;AAEA,SAAO,OAAO,QAAQ;AACxB;AAUO,SAAS,MAAM,OAAkB,QAA8B;AACpE,SAAO,EAAE,GAAG,OAAO,GAAG,OAAO;AAC/B;;;AJvDO,IAAM,cAAc,IAAI,QAAQ,MAAM,EAC1C,YAAY,iDAAiD,EAC7D,OAAO,YAAY;AAClB,MAAI;AACF,YAAQ,IAAI,MAAM,KAAK,gCAAgC,CAAC;AAExD,QAAI,CAAE,MAAc,UAAU,GAAI;AAChC,cAAQ,MAAM,MAAM,IAAI,gCAAgC,CAAC;AACzD,cAAQ,KAAK,CAAC;AAAA,IAChB;AAEA,UAAM,UAAU,MAAM,SAAS,OAAO;AAAA,MACpC;AAAA,QACE,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,QACT,MAAM;AAAA,MACR;AAAA,IACF,CAAC;AAED,UAAM,WAAW,QAAQ;AAEzB,UAAM,mBAAmB,MAAc,WAAW;AAClD,QAAI,eAAe;AAEnB,QAAI;AACF,qBAAe,MAAa,QAAQ,kBAAkB,QAAQ;AAAA,IAChE,SAAS,GAAG;AACV,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAEA,UAAM,YAAmB,MAAM,YAAY;AAE3C,QAAI,WAAW;AACf,QAAI,YAAY;AAEhB,QAAI,MAAc,UAAU,GAAG;AAC7B,cAAQ,IAAI,MAAM,KAAK,8BAA8B,CAAC;AACtD,YAAM,WAAW,MAAc,WAAW;AAC1C,YAAM,WAAkB,MAAM,QAAQ;AAGtC,iBAAkB,MAAM,UAAU,SAAS;AAC3C,kBAAY;AAAA,IACd;AAEA,UAAM,cAAqB,UAAU,QAAQ;AAC7C,UAAc,YAAY,WAAW;AAErC,YAAQ,IAAI,MAAM,MAAM;AAAA,WAAc,SAAS,EAAE,CAAC;AAClD,YAAQ;AAAA,MACN,MAAM,MAAM,sBAAsB,IAChC,MAAM,OAAO,OAAO,KAAK,QAAQ,EAAE,MAAM;AAAA,IAC7C;AAAA,EACF,SAAS,OAAY;AACnB,YAAQ,MAAM,MAAM,IAAI,WAAW,GAAG,MAAM,OAAO;AACnD,YAAQ,KAAK,CAAC;AAAA,EAChB;AACF,CAAC;;;AKlEH,SAAS,WAAAC,gBAAe;AACxB,OAAOC,YAAW;AAClB,OAAOC,eAAgC;AAMhC,IAAM,cAAc,IAAIC,SAAQ,MAAM,EAC1C,YAAY,kDAAkD,EAC9D,OAAO,YAAY;AAClB,MAAI;AACF,YAAQ,IAAIC,OAAM,KAAK,gCAAgC,CAAC;AAExD,QAAI,CAAE,MAAc,UAAU,GAAI;AAChC,cAAQ,MAAMA,OAAM,IAAI,uCAAuC,CAAC;AAChE,cAAQ,KAAK,CAAC;AAAA,IAChB;AAEA,UAAM,UAAU,MAAMC,UAAS,OAAO;AAAA,MACpC;AAAA,QACE,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,QACT,MAAM;AAAA,QACN,UAAU,CAAC,UACT,MAAM,SAAS,IAAI,OAAO;AAAA,MAC9B;AAAA,MACA;AAAA,QACE,MAAM;AAAA,QACN,MAAM;AAAA,QACN,SAAS;AAAA,QACT,MAAM;AAAA,QACN,UAAU,CAAC,OAAeC,aACxB,UAAUA,SAAQ,YAAY;AAAA,MAClC;AAAA,IACF,CAAC;AAED,UAAM,WAAW,QAAQ;AAEzB,UAAM,aAAa,MAAc,WAAW;AAC5C,UAAM,SAAS,MAAM,UAAU;AAC/B,UAAM,YAAY,OAAO,KAAK,MAAM,EAAE;AAEtC,UAAM,gBAAgB,MAAa,QAAQ,YAAY,QAAQ;AAC/D,UAAc,YAAY,aAAa;AACvC,UAAc,gBAAgB;AAE9B,YAAQ;AAAA,MACNF,OAAM,MAAM;AAAA,qBAAwB,SAAS,sBAAsB;AAAA,IACrE;AACA,YAAQ,IAAIA,OAAM,KAAK,qCAAqC,CAAC;AAAA,EAC/D,SAAS,OAAY;AACnB,YAAQ,MAAMA,OAAM,IAAI,YAAY,GAAG,MAAM,OAAO;AACpD,YAAQ,KAAK,CAAC;AAAA,EAChB;AACF,CAAC;;;ANpDH,OAAOG,YAAW;AAElB,IAAM,UAAU,IAAIC,SAAQ;AAE5B,QACG,KAAK,YAAY,EACjB,YAAY,4DAA4D,EACxE,QAAQ,OAAO;AAElB,QAAQ,WAAW,WAAW;AAC9B,QAAQ,WAAW,WAAW;AAE9B,QAAQ,GAAG,aAAa,MAAM;AAC5B,UAAQ;AAAA,IACND,OAAM;AAAA,MACJ;AAAA,IACF;AAAA,IACA,QAAQ,KAAK,KAAK,GAAG;AAAA,EACvB;AACA,UAAQ,KAAK,CAAC;AAChB,CAAC;AAED,QAAQ,MAAM,QAAQ,IAAI;AAE1B,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,EAAE,QAAQ;AACjC,UAAQ,WAAW;AACrB;","names":["Command","Command","chalk","inquirer","Command","chalk","inquirer","answers","chalk","Command"]}

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "lazy-vault",
+  "version": "1.0.0",
+  "description": "A simple CLI for encrypting and syncing .env files safely in Git",
+  "license": "MIT",
+  "author": "ghost",
+  "type": "module",
+  "bin": {
+    "lazy-env": "./dist/cli/bin.js"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "lint": "tsc --noEmit",
+    "test": "vitest"
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Ghunter254/lazy-env"
+  },
+  "bugs": {
+    "url": "https://github.com/Ghunter254/lazy-env/issues"
+  },
+  "homepage": "https://github.com/Ghunter254/lazy-env#readme",
+  "keywords": [
+    "env",
+    "dotenv",
+    "environment",
+    "secrets",
+    "encryption",
+    "cli",
+    "git",
+    "nodejs",
+    "typescript"
+  ],
+  "dependencies": {
+    "argon2": "^0.44.0",
+    "chalk": "^5.6.2",
+    "commander": "^14.0.2",
+    "fs-extra": "^11.3.3",
+    "inquirer": "^13.2.0"
+  },
+  "devDependencies": {
+    "@types/fs-extra": "^11.0.4",
+    "@types/inquirer": "^9.0.9",
+    "@types/node": "^25.0.3",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3",
+    "vitest": "^4.0.16",
+    "tsx": "^4.21.0"
+  }
+}