secenvs 0.1.0

package/README.md

@@ -0,0 +1,149 @@
+# secenvs
+
+**Make `.env` secure again. Commit to GitHub without fear.**
+
+secenvs encrypts your environment variables so you can safely commit them to version control. It's `.env` you
+can actually share—without the security headaches.
+
+## Why secenvs?
+
+- **Zero wrapper needed** — Import and use secrets directly in your code
+- **Lightning fast** — Cold start <50ms, cached access <1ms
+- **Battle-tested encryption** — AEAD encryption via [age](https://github.com/FiloSottile/age)
+- **CI/CD ready** — Works seamlessly with GitHub Actions and other pipelines
+- **Defense-first** — Private fields prevent memory-scanning attacks
+
+## Quick Start
+
+```bash
+# Install
+npm install secenvs
+
+# Initialize (one-time setup)
+npx secenvs init
+
+# Add a secret
+npx secenvs set API_KEY "your-secret-key"
+
+# Use in code
+import { env } from 'secenvs';
+
+const apiKey = await env.API_KEY;
+```
+
+## CLI Commands
+
+```bash
+secenvs init              # Initialize identity and project
+secenvs set KEY VALUE     # Set a secret (encrypted)
+secenvs get KEY           # Get a secret (decrypted)
+secenvs list              # List all keys
+secenvs rotate KEY        # Rotate a secret
+secenvs delete KEY        # Delete a secret
+secenvs doctor            # Verify setup and encryption
+secenvs key export        # Export private key for CI
+```
+
+## SDK Usage
+
+### Basic Access
+
+```typescript
+import { env } from "secenvs"
+
+const dbUrl = await env.DATABASE_URL
+const apiKey = await env.API_KEY
+```
+
+### Fallback to process.env
+
+The SDK checks `process.env` first, then falls back to your `.secenvs` file:
+
+```typescript
+// In production, set DATABASE_URL in your deployment platform
+// Locally, use .secenvs
+const dbUrl = await env.DATABASE_URL
+```
+
+### Error Handling
+
+```typescript
+import { env, SecretNotFoundError } from "secenvs"
+
+try {
+   const key = await env.MISSING_KEY
+} catch (e) {
+   if (e instanceof SecretNotFoundError) {
+      console.error("Secret not found in .secenvs")
+   }
+}
+```
+
+### Programmatic API
+
+```typescript
+import { createSecenv } from "secenvs"
+
+const sdk = await createSecenv()
+await sdk.set("API_KEY", "secret-value")
+const value = await sdk.get("API_KEY")
+```
+
+## The `.secenvs` File
+
+Store secrets in `.secenvs` in your project root:
+
+```env
+# Encrypted values (auto-decrypted)
+API_KEY=enc:age:AGE-SECRET-KEY-1XYZ...
+
+# Plaintext values (non-sensitive config)
+PORT=3000
+NODE_ENV=development
+```
+
+Use `--base64` flag for binary values like certificates:
+
+```bash
+secenvs set TLS_CERT --base64 < server.crt
+```
+
+## CI/CD Integration
+
+### 1. Export your identity
+
+```bash
+secenvs key export
+```
+
+### 2. Add to CI secrets
+
+Add the output as `SECENV_ENCODED_IDENTITY` in your CI provider (GitHub Secrets, etc.).
+
+### 3. Use in CI
+
+```yaml
+# GitHub Actions example
+- name: Run app
+  env:
+     SECENV_ENCODED_IDENTITY: ${{ secrets.SECENV_ENCODED_IDENTITY }}
+  run: npm run start
+```
+
+## Security
+
+- **AEAD encryption** — Each secret is encrypted separately with age
+- **Private fields** — JavaScript private class fields protect against memory-scanning
+- **Constant-time lookups** — Prevents timing attacks
+- **Symlink protection** — Blocks symlink attacks
+
+For full security details, see [SECURITY.md](./SECURITY.md).
+
+## Requirements
+
+- Node.js 18+
+- No external dependencies (age encryption bundled)
+
+## License
+
+MIT

package/bin/secenvs

@@ -0,0 +1,14 @@
+#!/usr/bin/env node
+import*as u from"fs";import*as de from"path";import*as ue from"readline";import*as E from"age-encryption";import*as D from"fs";import*as Y from"path";import*as J from"os";var k={IDENTITY_NOT_FOUND:"IDENTITY_NOT_FOUND",DECRYPTION_FAILED:"DECRYPTION_FAILED",SECRET_NOT_FOUND:"SECRET_NOT_FOUND",PARSE_ERROR:"PARSE_ERROR",FILE_ERROR:"FILE_ERROR",ENCRYPTION_FAILED:"ENCRYPTION_FAILED",VALIDATION_ERROR:"VALIDATION_ERROR"},p=class extends Error{code;constructor(t,n){super(n),this.name="SecenvError",this.code=t}},b=class extends p{constructor(t){super(k.VALIDATION_ERROR,t)}},h=class extends p{constructor(t){super(k.IDENTITY_NOT_FOUND,`Identity key not found at ${t}. Run 'secenv init' to create one.`)}},F=class extends p{constructor(t="Failed to decrypt value. Check identity key."){super(k.DECRYPTION_FAILED,t)}},$=class extends p{constructor(t){super(k.SECRET_NOT_FOUND,`Secret '${t}' not found in .secenvs or process.env.`)}},x=class extends p{line;raw;constructor(t,n,r){super(k.PARSE_ERROR,r),this.line=t,this.raw=n}},d=class extends p{constructor(t){super(k.FILE_ERROR,t)}},I=class extends p{constructor(t="Failed to encrypt value."){super(k.ENCRYPTION_FAILED,t)}};import*as m from"fs";import*as U from"path";function N(e){try{if(m.lstatSync(e).isSymbolicLink())throw new d(`Symlink detected at ${e}. Security policy prohibits following symlinks.`);return m.readFileSync(e,"utf-8")}catch(t){throw t instanceof d?t:new d(`Failed to read file ${e}: ${t.message}`)}}function G(e,t){let n=U.resolve(e);try{if(m.existsSync(e)&&m.lstatSync(e).isSymbolicLink())throw new d(`Symlink detected at ${e}. Security policy prohibits following symlinks.`)}catch(r){if(r instanceof d)throw r}if(t){let r=U.resolve(t);if(!n.startsWith(r))throw new d(`Directory traversal detected: ${e} is outside of ${t}`)}return n}function Z(e){try{if(!m.existsSync(e)){m.mkdirSync(e,{recursive:!0,mode:448});return}if(m.lstatSync(e).isSymbolicLink())throw new d(`Symlink detected at directory ${e}. Security policy prohibits following symlinks.`)}catch(t){throw t instanceof d?t:new d(`Failed to ensure safe directory ${e}: ${t.message}`)}}var pe=".secenvs",me="keys",we="default.key";function Q(e){return new ReadableStream({start(t){t.enqueue(e),t.close()}})}async function ee(e){if(!(e instanceof ReadableStream))throw new Error("readAll expects a ReadableStream<Uint8Array>");return new Uint8Array(await new Response(e).arrayBuffer())}function te(){let e=process.env.SECENV_HOME||J.homedir(),t=G(e);return Y.join(t,pe,me)}function v(){return Y.join(te(),we)}function ge(){let e=te();Z(e)}async function ne(){return E.generateX25519Identity()}async function re(e){ge();let t=v();return D.writeFileSync(t,e,{mode:384}),t}async function C(){let e=v();if(!D.existsSync(e))throw new h(e);return D.readFileSync(e,"utf-8")}async function se(e,t){let n=await E.identityToRecipient(e),r=new E.Encrypter;r.addRecipient(n);let s=await r.encrypt(Q(Buffer.from(t))),i=await ee(s);return Buffer.from(i).toString("base64")}async function _(e,t){try{let n=new E.Decrypter;n.addIdentity(e);let r=Q(Buffer.from(t,"base64")),s=await n.decrypt(r),i=await ee(s);return new TextDecoder().decode(i)}catch(n){throw new F(`Failed to decrypt value: ${n}`)}}function P(){let e=v();return D.existsSync(e)}async function V(e){return E.identityToRecipient(e)}import*as y from"fs";import*as ae from"path";var Ee=/^[A-Z0-9_]+$/,he=5*1024*1024,xe=new Set(["CON","PRN","AUX","NUL","COM1","COM2","COM3","COM4","COM5","COM6","COM7","COM8","COM9","LPT1","LPT2","LPT3","LPT4","LPT5","LPT6","LPT7","LPT8","LPT9"]);function A(e){if(!e)throw new b("Key cannot be empty");if(!Ee.test(e))throw new b(`Invalid key: '${e}'. Keys must only contain uppercase letters, numbers, and underscores (^[A-Z0-9_]+$).`);if(xe.has(e))throw new b(`Invalid key: '${e}' is a reserved system name.`)}function ie(e){if(Buffer.byteLength(e,"utf-8")>he)throw new b("Value size exceeds maximum limit of 5MB")}import{timingSafeEqual as ve}from"node:crypto";function oe(e,t){return e.length!==t.length?!1:ve(Buffer.from(e),Buffer.from(t))}var Se="enc:age:";function Re(e){return e.startsWith(Se)}function L(e){if(!y.existsSync(e))return{lines:[],keys:new Set,encryptedCount:0,plaintextCount:0};let t=N(e);t.startsWith("\uFEFF")&&(t=t.slice(1));let n=t.split(`
+`),r=[],s=new Set,i=0,o=0;for(let c=0;c<n.length;c++){let f=c+1,l=n[c],g=l.trim();if(!g||g.startsWith("#")){r.push({key:"",value:g,encrypted:!1,lineNumber:f,raw:l});continue}let T=g.indexOf("=");if(T===-1)throw new x(f,l,"Invalid line: missing '=' separator");let O=g.slice(0,T),H=g.slice(T+1);if(!O)throw new x(f,l,"Invalid line: missing key before '='");if(A(O),s.has(O))throw new x(f,l,`Duplicate key '${O}'`);let z=Re(H);r.push({key:O,value:H,encrypted:z,lineNumber:f,raw:l}),s.add(O),z?i++:o++}return{lines:r,keys:s,encryptedCount:i,plaintextCount:o}}function B(e,t){let n=null;for(let r of e.lines)oe(r.key,t)&&(n=r);return n}async function ce(e,t,n){A(t),ie(n),await M(e,async()=>{let s=(y.existsSync(e)?N(e):"").split(`
+`),i=!1,o=[];for(let f of s){let l=f.trim();if(!l||l.startsWith("#")){o.push(f);continue}let g=l.indexOf("=");if(g!==-1&&l.slice(0,g)===t){o.push(`${t}=${n}`),i=!0;continue}o.push(f)}i||o.push(`${t}=${n}`);let c=o.filter((f,l)=>f.trim()!==""||l<o.length-1).join(`
+`).trim()+`
+`;await W(e,c)})}async function fe(e,t){A(t),await M(e,async()=>{let r=(y.existsSync(e)?N(e):"").split(`
+`),s=[];for(let o of r){let c=o.trim();if(!c||c.startsWith("#")){s.push(o);continue}let f=c.indexOf("=");f!==-1&&c.slice(0,f)===t||s.push(o)}let i=s.filter((o,c)=>o.trim()!==""||c<s.length-1).join(`
+`).trim()+`
+`;await W(e,i)})}async function M(e,t){let n=`${e}.lock`,r=null,s=100,i=10;for(;s>0;)try{r=await y.promises.open(n,"wx"),await r.write(process.pid.toString());break}catch(o){if(o.code==="EEXIST"){try{let c=await y.promises.readFile(n,"utf-8"),f=parseInt(c.trim(),10);if(!isNaN(f))try{process.kill(f,0)}catch(l){if(l.code==="ESRCH")try{await y.promises.unlink(n);continue}catch{}}}catch{}s--,await new Promise(c=>setTimeout(c,i)),i=Math.min(i*1.5+Math.random()*50,5e3)}else throw new d(`Failed to acquire lock on ${e}: ${o}`)}if(!r)throw new d(`Timeout waiting for lock on ${e}`);try{await t()}finally{await r.close();try{await y.promises.unlink(n)}catch{}}}async function le(e,t){await M(e,async()=>{await W(e,t)})}async function W(e,t){let n=`${e}.tmp.${Date.now()}`;try{await y.promises.writeFile(n,t,{mode:420});let r=await y.promises.open(n,"r");await r.sync(),await r.close(),await y.promises.rename(n,e)}catch(r){try{y.existsSync(n)&&await y.promises.unlink(n)}catch{}throw new d(`Failed to write ${e}: ${r}`)}}function S(){return ae.join(process.cwd(),".secenvs")}var K="enc:age:";function a(e,t="reset",n=!1){let r={reset:"\x1B[0m",green:"\x1B[32m",red:"\x1B[31m",yellow:"\x1B[33m",blue:"\x1B[34m",cyan:"\x1B[36m"};(n?process.stderr:process.stdout).write(`${r[t]||r.reset}${e}${r.reset}
+`)}function w(e){a(`\u2713 ${e}`,"green")}function R(e){a(`\u2717 ${e}`,"red",!0)}function X(e){a(`\u26A0 ${e}`,"yellow")}function q(e){a(`\u2139 ${e}`,"cyan")}async function j(e){let t=ue.createInterface({input:process.stdin,output:process.stdout});return new Promise((n,r)=>{t.question(e,s=>{t.close(),n(s)})})}async function be(e){return(await j(`${e} (yes/no): `)).toLowerCase()==="yes"}async function $e(){if(P()){X('Identity already exists. Run "secenvs doctor" to check.');return}q("Generating identity key...");let e=await ne(),t=await re(e);w(`Identity created at ${t}`);let n=S();u.existsSync(n)||(await le(n,""),w(`Created ${n}`));let r=de.join(process.cwd(),".gitignore"),s="";u.existsSync(r)&&(s=u.readFileSync(r,"utf-8"));let i=`.secenvs
+`;s.includes(i)||(s&&!s.endsWith(`
+`)&&(s+=`
+`),s+=i,u.writeFileSync(r,s),w("Updated .gitignore"));let o=await V(e);q(`Your public key: ${o}`),q("Keep your private key safe!")}async function ye(e,t,n=!1){if(!P())throw new h(v());let r=t;if(r||(r=await j(`Enter value for ${e}: `)),!r)throw new I("Value cannot be empty");if(n)try{Buffer.from(r,"base64")}catch{throw new I("Invalid base64 value")}else if(r.includes(`
+`)||r.includes("\r"))throw new I("Multiline values are not allowed. Use --base64 for binary data.");let s=await C(),i=await se(s,r),o=`${K}${i}`,c=S();await ce(c,e,o),w(`Encrypted and stored ${e}`)}async function Ie(e){if(!P())throw new h(v());let t=await C(),n=S();if(!u.existsSync(n))throw new $(e);let r=L(n),s=B(r,e);if(!s)throw new $(e);if(s.encrypted){let i=await _(t,s.value.slice(K.length));process.stdout.write(i)}else process.stdout.write(s.value)}async function ke(){let e=S();if(!u.existsSync(e))return;let t=L(e);for(let n of t.lines)if(n.key){let r=n.encrypted?"[encrypted]":"[plaintext]";a(`${n.key}  ${r}`)}}async function De(e){let t=S();if(!u.existsSync(t))throw new $(e);let n=L(t);if(!B(n,e))throw new $(e);await fe(t,e),w(`Deleted ${e}`)}async function Pe(e,t){let n=t;if(n||(n=await j(`Enter new value for ${e}: `)),!n)throw new I("Value cannot be empty");await ye(e,n),w(`Rotated ${e}`)}async function Le(e=!1){if(!e&&!await be("WARNING: You are about to export ALL secrets in PLAINTEXT")){a("Export cancelled.");return}if(!P())throw new h(v());let t=await C(),n=S();if(!u.existsSync(n)){a("No .secenvs file found.");return}let r=L(n);for(let s of r.lines)if(s.key){let i;s.encrypted?i=await _(t,s.value.slice(K.length)):i=s.value,a(`${s.key}=${i}`)}}async function Oe(){let e=0,t=0;e++;let n=v();if(P())try{let s=u.statSync(n);process.platform!=="win32"&&(s.mode&511)!==384?X(`Identity: ${n} (exists, but permissions should be 0600, found ${(s.mode&511).toString(8)})`):w(`Identity: ${n}`);let o=await C();await V(o),w(`Identity: ${n}`),t++}catch{R(`Identity: ${n} (invalid)`)}else R(`Identity: ${n} (not found)`);e++;let r=S();if(u.existsSync(r)?(w(`File: ${r} (exists)`),t++):(X(`File: ${r} (not found)`),t++),e++,u.existsSync(r))try{let s=L(r);w(`Syntax: ${s.lines.length} lines, ${s.encryptedCount} encrypted, ${s.plaintextCount} plaintext`),t++}catch(s){s instanceof x?R(`Syntax: Line ${s.line}: ${s.message}`):R(`Syntax: ${s}`)}else a("Syntax: (no file)"),t++;if(e++,P()&&u.existsSync(r))try{let s=await C(),i=L(r),o=0,c=0;for(let f of i.lines)if(f.encrypted)try{await _(s,f.value.slice(K.length)),o++}catch{c++}c===0?(w(`Decryption: ${o}/${o} keys verified`),t++):R(`Decryption: ${o} succeeded, ${c} failed`)}catch(s){R(`Decryption: ${s}`)}else a("Decryption: (skipped - no identity or file)"),t++;a(""),a(`Doctor: ${t}/${e} checks passed`)}async function Ce(){let e=process.argv.slice(2),t=e[0]||"help";try{switch(t){case"init":await $e();break;case"set":{let n=e.includes("--base64"),r=e.filter(o=>o!=="--base64"),s=r[1];if(!s)throw new Error("Missing KEY argument. Usage: secenvs set KEY [VALUE] [--base64]");let i=r[2];await ye(s,i,n);break}case"get":{let n=e[1];if(!n)throw new Error("Missing KEY argument. Usage: secenvs get KEY");await Ie(n);break}case"list":await ke();break;case"delete":{let n=e[1];if(!n)throw new Error("Missing KEY argument. Usage: secenvs delete KEY");await De(n);break}case"rotate":{let n=e[1];if(!n)throw new Error("Missing KEY argument. Usage: secenvs rotate KEY [VALUE]");let r=e[2];await Pe(n,r);break}case"export":{let n=e.includes("--force");await Le(n);break}case"doctor":await Oe();break;case"help":default:a("secenvs - The Breeze: Secret management without the overhead"),a(""),a("Usage: secenvs <command> [arguments]"),a(""),a("Commands:"),a("  init              Bootstrap identity and create .secenvs/.gitignore"),a("  set KEY [VALUE]    Encrypt a value into .secenvs (primary method)"),a("  set KEY [VALUE] --base64  Encrypt a base64 value (for binary data)"),a("  get KEY           Decrypt and print a specific key value"),a("  list              List all available key names (values hidden)"),a("  delete KEY        Remove a key from .secenvs"),a("  rotate KEY [VALUE] Update a secret value and re-encrypt"),a("  export [--force]  Dump all decrypted values (requires --force)"),a("  doctor            Health check: identity, file integrity, decryption"),a("");break}}catch(n){throw n instanceof p&&(R(n.message),process.exit(1)),n}}Ce().catch(e=>{R(e.message),process.exit(1)});

package/lib/index.cjs

@@ -0,0 +1,509 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  DecryptionError: () => DecryptionError,
+  EncryptionError: () => EncryptionError,
+  FileError: () => FileError,
+  IdentityNotFoundError: () => IdentityNotFoundError,
+  ParseError: () => ParseError,
+  SECENV_ERROR_CODES: () => SECENV_ERROR_CODES,
+  SecenvError: () => SecenvError,
+  SecenvSDK: () => SecenvSDK,
+  SecretNotFoundError: () => SecretNotFoundError,
+  ValidationError: () => ValidationError,
+  createSecenv: () => createSecenv,
+  env: () => env,
+  getDefaultKeyPath: () => getDefaultKeyPath,
+  getEnvPath: () => getEnvPath,
+  identityExists: () => identityExists,
+  loadIdentity: () => loadIdentity,
+  parseEnvFile: () => parseEnvFile
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/env.ts
+var fs4 = __toESM(require("fs"), 1);
+
+// src/age.ts
+var age = __toESM(require("age-encryption"), 1);
+var fs2 = __toESM(require("fs"), 1);
+var path2 = __toESM(require("path"), 1);
+var os = __toESM(require("os"), 1);
+
+// src/errors.ts
+var SECENV_ERROR_CODES = {
+  IDENTITY_NOT_FOUND: "IDENTITY_NOT_FOUND",
+  DECRYPTION_FAILED: "DECRYPTION_FAILED",
+  SECRET_NOT_FOUND: "SECRET_NOT_FOUND",
+  PARSE_ERROR: "PARSE_ERROR",
+  FILE_ERROR: "FILE_ERROR",
+  ENCRYPTION_FAILED: "ENCRYPTION_FAILED",
+  VALIDATION_ERROR: "VALIDATION_ERROR"
+};
+var SecenvError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "SecenvError";
+    this.code = code;
+  }
+};
+var ValidationError = class extends SecenvError {
+  constructor(message) {
+    super(SECENV_ERROR_CODES.VALIDATION_ERROR, message);
+  }
+};
+var IdentityNotFoundError = class extends SecenvError {
+  constructor(path4) {
+    super(
+      SECENV_ERROR_CODES.IDENTITY_NOT_FOUND,
+      `Identity key not found at ${path4}. Run 'secenv init' to create one.`
+    );
+  }
+};
+var DecryptionError = class extends SecenvError {
+  constructor(message = "Failed to decrypt value. Check identity key.") {
+    super(SECENV_ERROR_CODES.DECRYPTION_FAILED, message);
+  }
+};
+var SecretNotFoundError = class extends SecenvError {
+  constructor(key) {
+    super(SECENV_ERROR_CODES.SECRET_NOT_FOUND, `Secret '${key}' not found in .secenvs or process.env.`);
+  }
+};
+var ParseError = class extends SecenvError {
+  line;
+  raw;
+  constructor(line, raw, message) {
+    super(SECENV_ERROR_CODES.PARSE_ERROR, message);
+    this.line = line;
+    this.raw = raw;
+  }
+};
+var FileError = class extends SecenvError {
+  constructor(message) {
+    super(SECENV_ERROR_CODES.FILE_ERROR, message);
+  }
+};
+var EncryptionError = class extends SecenvError {
+  constructor(message = "Failed to encrypt value.") {
+    super(SECENV_ERROR_CODES.ENCRYPTION_FAILED, message);
+  }
+};
+
+// src/filesystem.ts
+var fs = __toESM(require("fs"), 1);
+var path = __toESM(require("path"), 1);
+function safeReadFile(filePath) {
+  try {
+    const stats = fs.lstatSync(filePath);
+    if (stats.isSymbolicLink()) {
+      throw new FileError(`Symlink detected at ${filePath}. Security policy prohibits following symlinks.`);
+    }
+    return fs.readFileSync(filePath, "utf-8");
+  } catch (error) {
+    if (error instanceof FileError) throw error;
+    throw new FileError(`Failed to read file ${filePath}: ${error.message}`);
+  }
+}
+function sanitizePath(filePath, baseDir) {
+  const absolutePath = path.resolve(filePath);
+  try {
+    if (fs.existsSync(filePath)) {
+      const stats = fs.lstatSync(filePath);
+      if (stats.isSymbolicLink()) {
+        throw new FileError(
+          `Symlink detected at ${filePath}. Security policy prohibits following symlinks.`
+        );
+      }
+    }
+  } catch (error) {
+    if (error instanceof FileError) throw error;
+  }
+  if (baseDir) {
+    const absoluteBaseDir = path.resolve(baseDir);
+    if (!absolutePath.startsWith(absoluteBaseDir)) {
+      throw new FileError(`Directory traversal detected: ${filePath} is outside of ${baseDir}`);
+    }
+  }
+  return absolutePath;
+}
+
+// src/age.ts
+var SECENV_DIR = ".secenvs";
+var KEYS_DIR = "keys";
+var DEFAULT_KEY_FILE = "default.key";
+function stream(a) {
+  return new ReadableStream({
+    start(controller) {
+      controller.enqueue(a);
+      controller.close();
+    }
+  });
+}
+async function readAll(stream2) {
+  if (!(stream2 instanceof ReadableStream)) {
+    throw new Error("readAll expects a ReadableStream<Uint8Array>");
+  }
+  return new Uint8Array(await new Response(stream2).arrayBuffer());
+}
+function getKeysDir() {
+  const baseDir = process.env.SECENV_HOME || os.homedir();
+  const sanitizedBase = sanitizePath(baseDir);
+  return path2.join(sanitizedBase, SECENV_DIR, KEYS_DIR);
+}
+function getDefaultKeyPath() {
+  return path2.join(getKeysDir(), DEFAULT_KEY_FILE);
+}
+async function loadIdentity() {
+  const keyPath = getDefaultKeyPath();
+  if (!fs2.existsSync(keyPath)) {
+    throw new IdentityNotFoundError(keyPath);
+  }
+  return fs2.readFileSync(keyPath, "utf-8");
+}
+async function decrypt(identity, encryptedMessage) {
+  try {
+    const decrypter = new age.Decrypter();
+    decrypter.addIdentity(identity);
+    const armoredStream = stream(Buffer.from(encryptedMessage, "base64"));
+    const decryptedStream = await decrypter.decrypt(armoredStream);
+    const decryptedBytes = await readAll(decryptedStream);
+    return new TextDecoder().decode(decryptedBytes);
+  } catch (error) {
+    throw new DecryptionError(`Failed to decrypt value: ${error}`);
+  }
+}
+function identityExists() {
+  const keyPath = getDefaultKeyPath();
+  return fs2.existsSync(keyPath);
+}
+
+// src/parse.ts
+var fs3 = __toESM(require("fs"), 1);
+var path3 = __toESM(require("path"), 1);
+
+// src/validators.ts
+var KEY_REGEX = /^[A-Z0-9_]+$/;
+var MAX_VALUE_SIZE = 5 * 1024 * 1024;
+var WINDOWS_RESERVED_NAMES = /* @__PURE__ */ new Set([
+  "CON",
+  "PRN",
+  "AUX",
+  "NUL",
+  "COM1",
+  "COM2",
+  "COM3",
+  "COM4",
+  "COM5",
+  "COM6",
+  "COM7",
+  "COM8",
+  "COM9",
+  "LPT1",
+  "LPT2",
+  "LPT3",
+  "LPT4",
+  "LPT5",
+  "LPT6",
+  "LPT7",
+  "LPT8",
+  "LPT9"
+]);
+function validateKey(key) {
+  if (!key) {
+    throw new ValidationError("Key cannot be empty");
+  }
+  if (!KEY_REGEX.test(key)) {
+    throw new ValidationError(
+      `Invalid key: '${key}'. Keys must only contain uppercase letters, numbers, and underscores (^[A-Z0-9_]+$).`
+    );
+  }
+  if (WINDOWS_RESERVED_NAMES.has(key)) {
+    throw new ValidationError(`Invalid key: '${key}' is a reserved system name.`);
+  }
+}
+
+// src/crypto-utils.ts
+var import_node_crypto = require("crypto");
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  return (0, import_node_crypto.timingSafeEqual)(Buffer.from(a), Buffer.from(b));
+}
+function constantTimeHas(keys, target) {
+  let found = false;
+  const targetBuffer = Buffer.from(target);
+  for (const key of keys) {
+    const keyBuffer = Buffer.from(key);
+    if (keyBuffer.length === targetBuffer.length) {
+      if ((0, import_node_crypto.timingSafeEqual)(keyBuffer, targetBuffer)) {
+        found = true;
+      }
+    }
+  }
+  return found;
+}
+
+// src/parse.ts
+var ENCRYPTED_PREFIX = "enc:age:";
+function isEncryptedValue(value) {
+  return value.startsWith(ENCRYPTED_PREFIX);
+}
+function parseEnvFile(filePath) {
+  if (!fs3.existsSync(filePath)) {
+    return { lines: [], keys: /* @__PURE__ */ new Set(), encryptedCount: 0, plaintextCount: 0 };
+  }
+  let content = safeReadFile(filePath);
+  if (content.startsWith("\uFEFF")) {
+    content = content.slice(1);
+  }
+  const lines = content.split("\n");
+  const parsedLines = [];
+  const keys = /* @__PURE__ */ new Set();
+  let encryptedCount = 0;
+  let plaintextCount = 0;
+  for (let i = 0; i < lines.length; i++) {
+    const lineNumber = i + 1;
+    const raw = lines[i];
+    const trimmed = raw.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      parsedLines.push({
+        key: "",
+        value: trimmed,
+        encrypted: false,
+        lineNumber,
+        raw
+      });
+      continue;
+    }
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) {
+      throw new ParseError(lineNumber, raw, `Invalid line: missing '=' separator`);
+    }
+    const key = trimmed.slice(0, eqIndex);
+    const value = trimmed.slice(eqIndex + 1);
+    if (!key) {
+      throw new ParseError(lineNumber, raw, `Invalid line: missing key before '='`);
+    }
+    validateKey(key);
+    if (keys.has(key)) {
+      throw new ParseError(lineNumber, raw, `Duplicate key '${key}'`);
+    }
+    const encrypted = isEncryptedValue(value);
+    parsedLines.push({
+      key,
+      value,
+      encrypted,
+      lineNumber,
+      raw
+    });
+    keys.add(key);
+    if (encrypted) {
+      encryptedCount++;
+    } else {
+      plaintextCount++;
+    }
+  }
+  return {
+    lines: parsedLines,
+    keys,
+    encryptedCount,
+    plaintextCount
+  };
+}
+function findKey(env2, key) {
+  let result = null;
+  for (const line of env2.lines) {
+    if (constantTimeEqual(line.key, key)) {
+      result = line;
+    }
+  }
+  return result;
+}
+function getEnvPath() {
+  return path3.join(process.cwd(), ".secenvs");
+}
+
+// src/env.ts
+var SecenvSDK = class {
+  #identity = null;
+  #identityPromise = null;
+  #cache = /* @__PURE__ */ new Map();
+  #cacheTimestamp = 0;
+  #cacheSize = 0;
+  #envPath = "";
+  #parsedEnv = null;
+  constructor() {
+    this.#envPath = getEnvPath();
+  }
+  async loadIdentity() {
+    if (this.#identity) {
+      return this.#identity;
+    }
+    if (this.#identityPromise) {
+      return this.#identityPromise;
+    }
+    if (process.env.SECENV_ENCODED_IDENTITY) {
+      try {
+        const decoded = Buffer.from(process.env.SECENV_ENCODED_IDENTITY, "base64");
+        const privateKey = decoded.toString("utf-8");
+        this.#identity = privateKey;
+        return this.#identity;
+      } catch (error) {
+        throw new IdentityNotFoundError("SECENV_ENCODED_IDENTITY");
+      }
+    }
+    if (!identityExists()) {
+      throw new IdentityNotFoundError(getDefaultKeyPath());
+    }
+    this.#identityPromise = loadIdentity().then((identity) => {
+      this.#identity = identity;
+      this.#identityPromise = null;
+      return this.#identity;
+    });
+    return this.#identityPromise;
+  }
+  reloadEnv() {
+    if (!fs4.existsSync(this.#envPath)) {
+      this.#parsedEnv = null;
+      this.#cache.clear();
+      this.#cacheTimestamp = 0;
+      this.#cacheSize = 0;
+      return;
+    }
+    const stats = fs4.statSync(this.#envPath);
+    const newTimestamp = stats.mtimeMs;
+    const newSize = stats.size;
+    if (newTimestamp !== this.#cacheTimestamp || newSize !== this.#cacheSize) {
+      this.#parsedEnv = parseEnvFile(this.#envPath);
+      this.#cacheTimestamp = newTimestamp;
+      this.#cacheSize = newSize;
+      this.#cache.clear();
+    }
+  }
+  async get(key) {
+    let envValue = void 0;
+    for (const k in process.env) {
+      if (k === key) {
+        envValue = process.env[k];
+      }
+    }
+    if (envValue !== void 0) {
+      return envValue;
+    }
+    this.reloadEnv();
+    let cachedValue = void 0;
+    for (const [k, entry] of this.#cache.entries()) {
+      if (k === key) {
+        cachedValue = entry.value;
+      }
+    }
+    if (cachedValue !== void 0) {
+      return cachedValue;
+    }
+    if (!this.#parsedEnv) {
+      throw new SecretNotFoundError(key);
+    }
+    const line = findKey(this.#parsedEnv, key);
+    if (!line) {
+      throw new SecretNotFoundError(key);
+    }
+    if (!line.encrypted) {
+      const value = line.value;
+      this.#cache.set(key, { value, decryptedAt: Date.now() });
+      return value;
+    }
+    const identity = await this.loadIdentity();
+    const encryptedMessage = line.value.slice(ENCRYPTED_PREFIX.length);
+    const decrypted = await decrypt(identity, encryptedMessage);
+    this.#cache.set(key, { value: decrypted, decryptedAt: Date.now() });
+    return decrypted;
+  }
+  has(key) {
+    let found = false;
+    for (const k in process.env) {
+      if (k === key) {
+        found = true;
+      }
+    }
+    this.reloadEnv();
+    if (this.#parsedEnv) {
+      if (constantTimeHas(this.#parsedEnv.keys, key)) {
+        found = true;
+      }
+    }
+    return found;
+  }
+  keys() {
+    const allKeys = new Set(Object.keys(process.env));
+    this.reloadEnv();
+    if (this.#parsedEnv) {
+      for (const key of this.#parsedEnv.keys) {
+        allKeys.add(key);
+      }
+    }
+    return Array.from(allKeys);
+  }
+  clearCache() {
+    this.#cache.clear();
+    this.#cacheTimestamp = 0;
+    this.#cacheSize = 0;
+    this.#parsedEnv = null;
+  }
+};
+var globalSDK = new SecenvSDK();
+function createSecenv() {
+  return new SecenvSDK();
+}
+var env = globalSDK;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  DecryptionError,
+  EncryptionError,
+  FileError,
+  IdentityNotFoundError,
+  ParseError,
+  SECENV_ERROR_CODES,
+  SecenvError,
+  SecenvSDK,
+  SecretNotFoundError,
+  ValidationError,
+  createSecenv,
+  env,
+  getDefaultKeyPath,
+  getEnvPath,
+  identityExists,
+  loadIdentity,
+  parseEnvFile
+});

package/lib/index.d.cts

@@ -0,0 +1,74 @@
+declare class SecenvSDK {
+    #private;
+    constructor();
+    private loadIdentity;
+    private reloadEnv;
+    get<T extends string = string>(key: string): Promise<T>;
+    has(key: string): boolean;
+    keys(): string[];
+    clearCache(): void;
+}
+declare function createSecenv(): SecenvSDK;
+declare const env: {
+    [key: string]: string;
+};
+
+declare const SECENV_ERROR_CODES: {
+    readonly IDENTITY_NOT_FOUND: "IDENTITY_NOT_FOUND";
+    readonly DECRYPTION_FAILED: "DECRYPTION_FAILED";
+    readonly SECRET_NOT_FOUND: "SECRET_NOT_FOUND";
+    readonly PARSE_ERROR: "PARSE_ERROR";
+    readonly FILE_ERROR: "FILE_ERROR";
+    readonly ENCRYPTION_FAILED: "ENCRYPTION_FAILED";
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+};
+type SecenvErrorCode = (typeof SECENV_ERROR_CODES)[keyof typeof SECENV_ERROR_CODES];
+declare class SecenvError extends Error {
+    code: SecenvErrorCode;
+    constructor(code: SecenvErrorCode, message: string);
+}
+declare class ValidationError extends SecenvError {
+    constructor(message: string);
+}
+declare class IdentityNotFoundError extends SecenvError {
+    constructor(path: string);
+}
+declare class DecryptionError extends SecenvError {
+    constructor(message?: string);
+}
+declare class SecretNotFoundError extends SecenvError {
+    constructor(key: string);
+}
+declare class ParseError extends SecenvError {
+    line: number;
+    raw: string;
+    constructor(line: number, raw: string, message: string);
+}
+declare class FileError extends SecenvError {
+    constructor(message: string);
+}
+declare class EncryptionError extends SecenvError {
+    constructor(message?: string);
+}
+
+declare function getDefaultKeyPath(): string;
+declare function loadIdentity(): Promise<string>;
+declare function identityExists(): boolean;
+
+interface ParsedLine {
+    key: string;
+    value: string;
+    encrypted: boolean;
+    lineNumber: number;
+    raw: string;
+}
+interface ParsedEnv {
+    lines: ParsedLine[];
+    keys: Set<string>;
+    encryptedCount: number;
+    plaintextCount: number;
+}
+declare function parseEnvFile(filePath: string): ParsedEnv;
+declare function getEnvPath(): string;
+
+export { DecryptionError, EncryptionError, FileError, IdentityNotFoundError, ParseError, SECENV_ERROR_CODES, SecenvError, type SecenvErrorCode, SecenvSDK, SecretNotFoundError, ValidationError, createSecenv, env, getDefaultKeyPath, getEnvPath, identityExists, loadIdentity, parseEnvFile };

package/lib/index.d.ts

@@ -0,0 +1,74 @@
+declare class SecenvSDK {
+    #private;
+    constructor();
+    private loadIdentity;
+    private reloadEnv;
+    get<T extends string = string>(key: string): Promise<T>;
+    has(key: string): boolean;
+    keys(): string[];
+    clearCache(): void;
+}
+declare function createSecenv(): SecenvSDK;
+declare const env: {
+    [key: string]: string;
+};
+
+declare const SECENV_ERROR_CODES: {
+    readonly IDENTITY_NOT_FOUND: "IDENTITY_NOT_FOUND";
+    readonly DECRYPTION_FAILED: "DECRYPTION_FAILED";
+    readonly SECRET_NOT_FOUND: "SECRET_NOT_FOUND";
+    readonly PARSE_ERROR: "PARSE_ERROR";
+    readonly FILE_ERROR: "FILE_ERROR";
+    readonly ENCRYPTION_FAILED: "ENCRYPTION_FAILED";
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+};
+type SecenvErrorCode = (typeof SECENV_ERROR_CODES)[keyof typeof SECENV_ERROR_CODES];
+declare class SecenvError extends Error {
+    code: SecenvErrorCode;
+    constructor(code: SecenvErrorCode, message: string);
+}
+declare class ValidationError extends SecenvError {
+    constructor(message: string);
+}
+declare class IdentityNotFoundError extends SecenvError {
+    constructor(path: string);
+}
+declare class DecryptionError extends SecenvError {
+    constructor(message?: string);
+}
+declare class SecretNotFoundError extends SecenvError {
+    constructor(key: string);
+}
+declare class ParseError extends SecenvError {
+    line: number;
+    raw: string;
+    constructor(line: number, raw: string, message: string);
+}
+declare class FileError extends SecenvError {
+    constructor(message: string);
+}
+declare class EncryptionError extends SecenvError {
+    constructor(message?: string);
+}
+
+declare function getDefaultKeyPath(): string;
+declare function loadIdentity(): Promise<string>;
+declare function identityExists(): boolean;
+
+interface ParsedLine {
+    key: string;
+    value: string;
+    encrypted: boolean;
+    lineNumber: number;
+    raw: string;
+}
+interface ParsedEnv {
+    lines: ParsedLine[];
+    keys: Set<string>;
+    encryptedCount: number;
+    plaintextCount: number;
+}
+declare function parseEnvFile(filePath: string): ParsedEnv;
+declare function getEnvPath(): string;
+
+export { DecryptionError, EncryptionError, FileError, IdentityNotFoundError, ParseError, SECENV_ERROR_CODES, SecenvError, type SecenvErrorCode, SecenvSDK, SecretNotFoundError, ValidationError, createSecenv, env, getDefaultKeyPath, getEnvPath, identityExists, loadIdentity, parseEnvFile };

package/lib/index.js

@@ -0,0 +1,456 @@
+// src/env.ts
+import * as fs4 from "fs";
+
+// src/age.ts
+import * as age from "age-encryption";
+import * as fs2 from "fs";
+import * as path2 from "path";
+import * as os from "os";
+
+// src/errors.ts
+var SECENV_ERROR_CODES = {
+  IDENTITY_NOT_FOUND: "IDENTITY_NOT_FOUND",
+  DECRYPTION_FAILED: "DECRYPTION_FAILED",
+  SECRET_NOT_FOUND: "SECRET_NOT_FOUND",
+  PARSE_ERROR: "PARSE_ERROR",
+  FILE_ERROR: "FILE_ERROR",
+  ENCRYPTION_FAILED: "ENCRYPTION_FAILED",
+  VALIDATION_ERROR: "VALIDATION_ERROR"
+};
+var SecenvError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "SecenvError";
+    this.code = code;
+  }
+};
+var ValidationError = class extends SecenvError {
+  constructor(message) {
+    super(SECENV_ERROR_CODES.VALIDATION_ERROR, message);
+  }
+};
+var IdentityNotFoundError = class extends SecenvError {
+  constructor(path4) {
+    super(
+      SECENV_ERROR_CODES.IDENTITY_NOT_FOUND,
+      `Identity key not found at ${path4}. Run 'secenv init' to create one.`
+    );
+  }
+};
+var DecryptionError = class extends SecenvError {
+  constructor(message = "Failed to decrypt value. Check identity key.") {
+    super(SECENV_ERROR_CODES.DECRYPTION_FAILED, message);
+  }
+};
+var SecretNotFoundError = class extends SecenvError {
+  constructor(key) {
+    super(SECENV_ERROR_CODES.SECRET_NOT_FOUND, `Secret '${key}' not found in .secenvs or process.env.`);
+  }
+};
+var ParseError = class extends SecenvError {
+  line;
+  raw;
+  constructor(line, raw, message) {
+    super(SECENV_ERROR_CODES.PARSE_ERROR, message);
+    this.line = line;
+    this.raw = raw;
+  }
+};
+var FileError = class extends SecenvError {
+  constructor(message) {
+    super(SECENV_ERROR_CODES.FILE_ERROR, message);
+  }
+};
+var EncryptionError = class extends SecenvError {
+  constructor(message = "Failed to encrypt value.") {
+    super(SECENV_ERROR_CODES.ENCRYPTION_FAILED, message);
+  }
+};
+
+// src/filesystem.ts
+import * as fs from "fs";
+import * as path from "path";
+function safeReadFile(filePath) {
+  try {
+    const stats = fs.lstatSync(filePath);
+    if (stats.isSymbolicLink()) {
+      throw new FileError(`Symlink detected at ${filePath}. Security policy prohibits following symlinks.`);
+    }
+    return fs.readFileSync(filePath, "utf-8");
+  } catch (error) {
+    if (error instanceof FileError) throw error;
+    throw new FileError(`Failed to read file ${filePath}: ${error.message}`);
+  }
+}
+function sanitizePath(filePath, baseDir) {
+  const absolutePath = path.resolve(filePath);
+  try {
+    if (fs.existsSync(filePath)) {
+      const stats = fs.lstatSync(filePath);
+      if (stats.isSymbolicLink()) {
+        throw new FileError(
+          `Symlink detected at ${filePath}. Security policy prohibits following symlinks.`
+        );
+      }
+    }
+  } catch (error) {
+    if (error instanceof FileError) throw error;
+  }
+  if (baseDir) {
+    const absoluteBaseDir = path.resolve(baseDir);
+    if (!absolutePath.startsWith(absoluteBaseDir)) {
+      throw new FileError(`Directory traversal detected: ${filePath} is outside of ${baseDir}`);
+    }
+  }
+  return absolutePath;
+}
+
+// src/age.ts
+var SECENV_DIR = ".secenvs";
+var KEYS_DIR = "keys";
+var DEFAULT_KEY_FILE = "default.key";
+function stream(a) {
+  return new ReadableStream({
+    start(controller) {
+      controller.enqueue(a);
+      controller.close();
+    }
+  });
+}
+async function readAll(stream2) {
+  if (!(stream2 instanceof ReadableStream)) {
+    throw new Error("readAll expects a ReadableStream<Uint8Array>");
+  }
+  return new Uint8Array(await new Response(stream2).arrayBuffer());
+}
+function getKeysDir() {
+  const baseDir = process.env.SECENV_HOME || os.homedir();
+  const sanitizedBase = sanitizePath(baseDir);
+  return path2.join(sanitizedBase, SECENV_DIR, KEYS_DIR);
+}
+function getDefaultKeyPath() {
+  return path2.join(getKeysDir(), DEFAULT_KEY_FILE);
+}
+async function loadIdentity() {
+  const keyPath = getDefaultKeyPath();
+  if (!fs2.existsSync(keyPath)) {
+    throw new IdentityNotFoundError(keyPath);
+  }
+  return fs2.readFileSync(keyPath, "utf-8");
+}
+async function decrypt(identity, encryptedMessage) {
+  try {
+    const decrypter = new age.Decrypter();
+    decrypter.addIdentity(identity);
+    const armoredStream = stream(Buffer.from(encryptedMessage, "base64"));
+    const decryptedStream = await decrypter.decrypt(armoredStream);
+    const decryptedBytes = await readAll(decryptedStream);
+    return new TextDecoder().decode(decryptedBytes);
+  } catch (error) {
+    throw new DecryptionError(`Failed to decrypt value: ${error}`);
+  }
+}
+function identityExists() {
+  const keyPath = getDefaultKeyPath();
+  return fs2.existsSync(keyPath);
+}
+
+// src/parse.ts
+import * as fs3 from "fs";
+import * as path3 from "path";
+
+// src/validators.ts
+var KEY_REGEX = /^[A-Z0-9_]+$/;
+var MAX_VALUE_SIZE = 5 * 1024 * 1024;
+var WINDOWS_RESERVED_NAMES = /* @__PURE__ */ new Set([
+  "CON",
+  "PRN",
+  "AUX",
+  "NUL",
+  "COM1",
+  "COM2",
+  "COM3",
+  "COM4",
+  "COM5",
+  "COM6",
+  "COM7",
+  "COM8",
+  "COM9",
+  "LPT1",
+  "LPT2",
+  "LPT3",
+  "LPT4",
+  "LPT5",
+  "LPT6",
+  "LPT7",
+  "LPT8",
+  "LPT9"
+]);
+function validateKey(key) {
+  if (!key) {
+    throw new ValidationError("Key cannot be empty");
+  }
+  if (!KEY_REGEX.test(key)) {
+    throw new ValidationError(
+      `Invalid key: '${key}'. Keys must only contain uppercase letters, numbers, and underscores (^[A-Z0-9_]+$).`
+    );
+  }
+  if (WINDOWS_RESERVED_NAMES.has(key)) {
+    throw new ValidationError(`Invalid key: '${key}' is a reserved system name.`);
+  }
+}
+
+// src/crypto-utils.ts
+import { timingSafeEqual } from "crypto";
+function constantTimeEqual(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  return timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+function constantTimeHas(keys, target) {
+  let found = false;
+  const targetBuffer = Buffer.from(target);
+  for (const key of keys) {
+    const keyBuffer = Buffer.from(key);
+    if (keyBuffer.length === targetBuffer.length) {
+      if (timingSafeEqual(keyBuffer, targetBuffer)) {
+        found = true;
+      }
+    }
+  }
+  return found;
+}
+
+// src/parse.ts
+var ENCRYPTED_PREFIX = "enc:age:";
+function isEncryptedValue(value) {
+  return value.startsWith(ENCRYPTED_PREFIX);
+}
+function parseEnvFile(filePath) {
+  if (!fs3.existsSync(filePath)) {
+    return { lines: [], keys: /* @__PURE__ */ new Set(), encryptedCount: 0, plaintextCount: 0 };
+  }
+  let content = safeReadFile(filePath);
+  if (content.startsWith("\uFEFF")) {
+    content = content.slice(1);
+  }
+  const lines = content.split("\n");
+  const parsedLines = [];
+  const keys = /* @__PURE__ */ new Set();
+  let encryptedCount = 0;
+  let plaintextCount = 0;
+  for (let i = 0; i < lines.length; i++) {
+    const lineNumber = i + 1;
+    const raw = lines[i];
+    const trimmed = raw.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      parsedLines.push({
+        key: "",
+        value: trimmed,
+        encrypted: false,
+        lineNumber,
+        raw
+      });
+      continue;
+    }
+    const eqIndex = trimmed.indexOf("=");
+    if (eqIndex === -1) {
+      throw new ParseError(lineNumber, raw, `Invalid line: missing '=' separator`);
+    }
+    const key = trimmed.slice(0, eqIndex);
+    const value = trimmed.slice(eqIndex + 1);
+    if (!key) {
+      throw new ParseError(lineNumber, raw, `Invalid line: missing key before '='`);
+    }
+    validateKey(key);
+    if (keys.has(key)) {
+      throw new ParseError(lineNumber, raw, `Duplicate key '${key}'`);
+    }
+    const encrypted = isEncryptedValue(value);
+    parsedLines.push({
+      key,
+      value,
+      encrypted,
+      lineNumber,
+      raw
+    });
+    keys.add(key);
+    if (encrypted) {
+      encryptedCount++;
+    } else {
+      plaintextCount++;
+    }
+  }
+  return {
+    lines: parsedLines,
+    keys,
+    encryptedCount,
+    plaintextCount
+  };
+}
+function findKey(env2, key) {
+  let result = null;
+  for (const line of env2.lines) {
+    if (constantTimeEqual(line.key, key)) {
+      result = line;
+    }
+  }
+  return result;
+}
+function getEnvPath() {
+  return path3.join(process.cwd(), ".secenvs");
+}
+
+// src/env.ts
+var SecenvSDK = class {
+  #identity = null;
+  #identityPromise = null;
+  #cache = /* @__PURE__ */ new Map();
+  #cacheTimestamp = 0;
+  #cacheSize = 0;
+  #envPath = "";
+  #parsedEnv = null;
+  constructor() {
+    this.#envPath = getEnvPath();
+  }
+  async loadIdentity() {
+    if (this.#identity) {
+      return this.#identity;
+    }
+    if (this.#identityPromise) {
+      return this.#identityPromise;
+    }
+    if (process.env.SECENV_ENCODED_IDENTITY) {
+      try {
+        const decoded = Buffer.from(process.env.SECENV_ENCODED_IDENTITY, "base64");
+        const privateKey = decoded.toString("utf-8");
+        this.#identity = privateKey;
+        return this.#identity;
+      } catch (error) {
+        throw new IdentityNotFoundError("SECENV_ENCODED_IDENTITY");
+      }
+    }
+    if (!identityExists()) {
+      throw new IdentityNotFoundError(getDefaultKeyPath());
+    }
+    this.#identityPromise = loadIdentity().then((identity) => {
+      this.#identity = identity;
+      this.#identityPromise = null;
+      return this.#identity;
+    });
+    return this.#identityPromise;
+  }
+  reloadEnv() {
+    if (!fs4.existsSync(this.#envPath)) {
+      this.#parsedEnv = null;
+      this.#cache.clear();
+      this.#cacheTimestamp = 0;
+      this.#cacheSize = 0;
+      return;
+    }
+    const stats = fs4.statSync(this.#envPath);
+    const newTimestamp = stats.mtimeMs;
+    const newSize = stats.size;
+    if (newTimestamp !== this.#cacheTimestamp || newSize !== this.#cacheSize) {
+      this.#parsedEnv = parseEnvFile(this.#envPath);
+      this.#cacheTimestamp = newTimestamp;
+      this.#cacheSize = newSize;
+      this.#cache.clear();
+    }
+  }
+  async get(key) {
+    let envValue = void 0;
+    for (const k in process.env) {
+      if (k === key) {
+        envValue = process.env[k];
+      }
+    }
+    if (envValue !== void 0) {
+      return envValue;
+    }
+    this.reloadEnv();
+    let cachedValue = void 0;
+    for (const [k, entry] of this.#cache.entries()) {
+      if (k === key) {
+        cachedValue = entry.value;
+      }
+    }
+    if (cachedValue !== void 0) {
+      return cachedValue;
+    }
+    if (!this.#parsedEnv) {
+      throw new SecretNotFoundError(key);
+    }
+    const line = findKey(this.#parsedEnv, key);
+    if (!line) {
+      throw new SecretNotFoundError(key);
+    }
+    if (!line.encrypted) {
+      const value = line.value;
+      this.#cache.set(key, { value, decryptedAt: Date.now() });
+      return value;
+    }
+    const identity = await this.loadIdentity();
+    const encryptedMessage = line.value.slice(ENCRYPTED_PREFIX.length);
+    const decrypted = await decrypt(identity, encryptedMessage);
+    this.#cache.set(key, { value: decrypted, decryptedAt: Date.now() });
+    return decrypted;
+  }
+  has(key) {
+    let found = false;
+    for (const k in process.env) {
+      if (k === key) {
+        found = true;
+      }
+    }
+    this.reloadEnv();
+    if (this.#parsedEnv) {
+      if (constantTimeHas(this.#parsedEnv.keys, key)) {
+        found = true;
+      }
+    }
+    return found;
+  }
+  keys() {
+    const allKeys = new Set(Object.keys(process.env));
+    this.reloadEnv();
+    if (this.#parsedEnv) {
+      for (const key of this.#parsedEnv.keys) {
+        allKeys.add(key);
+      }
+    }
+    return Array.from(allKeys);
+  }
+  clearCache() {
+    this.#cache.clear();
+    this.#cacheTimestamp = 0;
+    this.#cacheSize = 0;
+    this.#parsedEnv = null;
+  }
+};
+var globalSDK = new SecenvSDK();
+function createSecenv() {
+  return new SecenvSDK();
+}
+var env = globalSDK;
+export {
+  DecryptionError,
+  EncryptionError,
+  FileError,
+  IdentityNotFoundError,
+  ParseError,
+  SECENV_ERROR_CODES,
+  SecenvError,
+  SecenvSDK,
+  SecretNotFoundError,
+  ValidationError,
+  createSecenv,
+  env,
+  getDefaultKeyPath,
+  getEnvPath,
+  identityExists,
+  loadIdentity,
+  parseEnvFile
+};

package/package.json

@@ -0,0 +1,67 @@
+{
+   "name": "secenvs",
+   "version": "0.1.0",
+   "description": "The Breeze: Secret management without the overhead",
+   "repository": {
+      "type": "git",
+      "url": "git+https://github.com/secenv-org/secenvs.git"
+   },
+   "bugs": {
+      "url": "https://github.com/secenv-org/secenvs/issues"
+   },
+   "homepage": "https://github.com/secenv-org/secenvs#readme",
+   "type": "module",
+   "bin": {
+      "secenvs": "./bin/secenvs"
+   },
+   "main": "./lib/index.js",
+   "types": "./lib/index.d.ts",
+   "exports": {
+      ".": {
+         "types": "./lib/index.d.ts",
+         "import": "./lib/index.js",
+         "require": "./lib/index.cjs"
+      }
+   },
+   "files": [
+      "bin",
+      "lib",
+      "README.md"
+   ],
+   "scripts": {
+      "build": "bun run scripts/build.js",
+      "prepare": "bun run scripts/build.js",
+      "test": "npm run build && node --experimental-vm-modules node_modules/jest/bin/jest.js --runInBand",
+      "test:unit": "node --experimental-vm-modules node_modules/jest/bin/jest.js tests/unit",
+      "test:integration": "npm run build && node --experimental-vm-modules node_modules/jest/bin/jest.js tests/integration",
+      "test:e2e": "npm run build && node --experimental-vm-modules node_modules/jest/bin/jest.js tests/e2e --runInBand",
+      "test:performance": "npm run build && node --experimental-vm-modules node_modules/jest/bin/jest.js tests/performance --runInBand",
+      "test:security": "npm run build && node --experimental-vm-modules node_modules/jest/bin/jest.js tests/security",
+      "test:coverage": "npm run build && node --experimental-vm-modules node_modules/jest/bin/jest.js --coverage",
+      "dev": "tsc --watch",
+      "prepublishOnly": "npm run build",
+      "pretty": "prettier --config .prettierrc --write './src/*'"
+   },
+   "keywords": [
+      "secrets",
+      "encryption",
+      "environment",
+      "age",
+      "dotenv"
+   ],
+   "author": "",
+   "license": "MIT",
+   "dependencies": {
+      "age-encryption": "^0.3.0"
+   },
+   "devDependencies": {
+      "@types/jest": "^29.5.5",
+      "@types/node": "^20.10.0",
+      "esbuild": "^0.19.0",
+      "execa": "^6.1.0",
+      "jest": "^29.7.0",
+      "ts-jest": "^29.1.1",
+      "tsup": "^8.5.1",
+      "typescript": "^5.3.0"
+   }
+}