ultraenv 1.0.0

package/dist/vault-diff-B3ZOQTWI.js

@@ -0,0 +1,132 @@
+import {
+  readVaultFile
+} from "./chunk-NBOABPHM.js";
+import {
+  maskValue
+} from "./chunk-TE7HPLA6.js";
+import {
+  parseEnvFile
+} from "./chunk-HFXQGJY3.js";
+import {
+  bold,
+  cyan,
+  green,
+  red,
+  yellow
+} from "./chunk-OMAOROL4.js";
+import {
+  writeError,
+  writeLine
+} from "./chunk-YN2KGTCB.js";
+import {
+  exists,
+  readFile
+} from "./chunk-3VYXPTYV.js";
+import {
+  isEncryptedValue
+} from "./chunk-2USZPWLZ.js";
+import "./chunk-XC65ORJ5.js";
+import "./chunk-5G2DU52U.js";
+
+// src/cli/commands/vault-diff.ts
+import { resolve, join } from "path";
+async function run(args, ctx) {
+  try {
+    const cwd = args.flags["--cwd"] ?? ctx.cwd;
+    const baseDir = resolve(cwd);
+    const envName = args.flags["--env"] ?? "production";
+    writeLine(bold(`\u{1F4CA} Comparing .env.${envName} vs vault`));
+    writeLine("");
+    const vaultPath = join(baseDir, ".env.vault");
+    if (!await exists(vaultPath)) {
+      writeError(red("  .env.vault not found."));
+      return 1;
+    }
+    const vault = await readVaultFile(vaultPath);
+    const entry = vault.get(envName.toLowerCase());
+    if (!entry) {
+      writeError(red(`  Environment "${envName}" not found in vault.`));
+      return 1;
+    }
+    const envPath = join(baseDir, `.env.${envName}`);
+    if (!await exists(envPath)) {
+      writeError(red(`  .env.${envName} not found.`));
+      return 1;
+    }
+    const envContent = await readFile(envPath);
+    const parsed = parseEnvFile(envContent, envPath);
+    const vaultVars = {};
+    for (const line of entry.encrypted.split("\n")) {
+      const eqIdx = line.indexOf("=");
+      if (eqIdx === -1) continue;
+      const key = line.slice(0, eqIdx);
+      const value = line.slice(eqIdx + 1);
+      vaultVars[key] = value;
+    }
+    const envKeys = new Set(parsed.vars.map((v) => v.key));
+    const vaultKeys = new Set(Object.keys(vaultVars));
+    const onlyInEnv = [];
+    const onlyInVault = [];
+    const different = [];
+    const same = [];
+    for (const key of envKeys) {
+      if (!vaultKeys.has(key)) {
+        onlyInEnv.push(key);
+      }
+    }
+    for (const key of vaultKeys) {
+      if (!envKeys.has(key)) {
+        onlyInVault.push(key);
+      }
+    }
+    for (const key of envKeys) {
+      if (!vaultKeys.has(key)) continue;
+      const envVal = parsed.vars.find((v) => v.key === key)?.value ?? "";
+      const vaultVal = vaultVars[key] ?? "";
+      if (!isEncryptedValue(vaultVal) && envVal !== vaultVal) {
+        different.push(key);
+      } else if (isEncryptedValue(vaultVal)) {
+        same.push(key);
+      } else {
+        same.push(key);
+      }
+    }
+    if (onlyInEnv.length > 0) {
+      writeLine(yellow(`  Only in .env (${onlyInEnv.length}):`));
+      for (const key of onlyInEnv) {
+        const val = parsed.vars.find((v) => v.key === key)?.value ?? "";
+        writeLine(`    + ${key}=${maskValue(val)}`);
+      }
+      writeLine("");
+    }
+    if (onlyInVault.length > 0) {
+      writeLine(yellow(`  Only in vault (${onlyInVault.length}):`));
+      for (const key of onlyInVault) {
+        writeLine(`    - ${key}`);
+      }
+      writeLine("");
+    }
+    if (different.length > 0) {
+      writeLine(yellow(`  Different (${different.length}):`));
+      for (const key of different) {
+        writeLine(`    ~ ${key}`);
+      }
+      writeLine("");
+    }
+    if (onlyInEnv.length === 0 && onlyInVault.length === 0 && different.length === 0) {
+      writeLine(green(`  \u2713 .env.${envName} and vault are in sync (${same.length} variables)`));
+    } else {
+      writeLine(cyan(`  ${same.length} variable(s) matched.`));
+      writeLine(yellow(`  Run "ultraenv vault encrypt --env ${envName}" to sync.`));
+    }
+    writeLine("");
+    return 0;
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    writeError(red(`  Vault diff error: ${msg}`));
+    return 1;
+  }
+}
+export {
+  run
+};

package/dist/vault-encrypt-GUSLCSKS.js

@@ -0,0 +1,112 @@
+import {
+  readVaultFile,
+  writeVaultFile
+} from "./chunk-NBOABPHM.js";
+import {
+  parseEnvFile
+} from "./chunk-HFXQGJY3.js";
+import {
+  bold,
+  cyan,
+  green,
+  red,
+  yellow
+} from "./chunk-OMAOROL4.js";
+import {
+  writeError,
+  writeLine
+} from "./chunk-YN2KGTCB.js";
+import {
+  exists,
+  readFile
+} from "./chunk-3VYXPTYV.js";
+import {
+  parseKey
+} from "./chunk-UEWYFN6A.js";
+import {
+  encryptValue,
+  isEncryptedValue
+} from "./chunk-2USZPWLZ.js";
+import "./chunk-XC65ORJ5.js";
+import {
+  getErrorMessage
+} from "./chunk-5G2DU52U.js";
+
+// src/cli/commands/vault-encrypt.ts
+import { resolve, join } from "path";
+async function run(args, ctx) {
+  try {
+    const cwd = args.flags["--cwd"] ?? ctx.cwd;
+    const baseDir = resolve(cwd);
+    const envName = args.flags["--env"] ?? "production";
+    const keyInput = args.flags["--key"];
+    writeLine(bold(`\u{1F510} Encrypting "${envName}" environment \u2192 vault`));
+    writeLine("");
+    const envFilePath = join(baseDir, `.env.${envName}`);
+    if (!await exists(envFilePath)) {
+      writeError(red(`  .env.${envName} not found.`));
+      return 1;
+    }
+    let rawKey;
+    if (keyInput) {
+      rawKey = parseKey(keyInput);
+    } else {
+      const keysPath = join(baseDir, ".env.keys");
+      if (!await exists(keysPath)) {
+        writeError(red("  No encryption key provided and .env.keys not found."));
+        writeError(yellow('  Run "ultraenv vault init" first.'));
+        return 1;
+      }
+      const keysContent = await readFile(keysPath);
+      const { parseKeysFile } = await import("./key-manager-O3G55WPU.js");
+      const keys = parseKeysFile(keysContent);
+      const envKey = keys.get(envName.toLowerCase());
+      if (!envKey) {
+        writeError(red(`  No key found for environment "${envName}" in .env.keys`));
+        return 1;
+      }
+      rawKey = parseKey(envKey);
+    }
+    const envContent = await readFile(envFilePath);
+    const parsed = parseEnvFile(envContent, envFilePath);
+    writeLine(cyan("  Encrypting variables..."));
+    const encryptedLines = [];
+    for (const envVar of parsed.vars) {
+      if (isEncryptedValue(envVar.value)) {
+        encryptedLines.push(`${envVar.key}=${envVar.value}`);
+        continue;
+      }
+      const encrypted = encryptValue(envVar.value, rawKey);
+      encryptedLines.push(`${envVar.key}=${encrypted}`);
+    }
+    const vaultPath = join(baseDir, ".env.vault");
+    let existingVault = /* @__PURE__ */ new Map();
+    if (await exists(vaultPath)) {
+      existingVault = await readVaultFile(vaultPath);
+    }
+    const entry = {
+      name: envName,
+      varCount: parsed.vars.length,
+      lastModified: (/* @__PURE__ */ new Date()).toISOString(),
+      keyIds: ["v1"],
+      encrypted: encryptedLines.join("\n")
+    };
+    existingVault.set(envName.toLowerCase(), entry);
+    await writeVaultFile(vaultPath, existingVault);
+    writeLine(green(`  \u2713 Encrypted ${parsed.vars.length} variables`));
+    writeLine(green(`  \u2713 Vault updated: ${vaultPath}`));
+    writeLine("");
+    writeLine(green(bold("  \u2705 Encryption complete!")));
+    writeLine("");
+    writeLine(yellow("  Reminder: The original .env file is unchanged."));
+    writeLine(yellow("  Consider adding encrypted files to .gitignore."));
+    writeLine("");
+    return 0;
+  } catch (error) {
+    writeError(red(`  Encrypt error: ${getErrorMessage(error)}`));
+    return 1;
+  }
+}
+export {
+  run
+};

package/dist/vault-init-GUBOTOUL.js

@@ -0,0 +1,106 @@
+import {
+  confirm
+} from "./chunk-YTICOB5M.js";
+import {
+  bold,
+  cyan,
+  green,
+  red,
+  yellow
+} from "./chunk-OMAOROL4.js";
+import {
+  writeError,
+  writeLine
+} from "./chunk-YN2KGTCB.js";
+import {
+  exists,
+  writeFile
+} from "./chunk-3VYXPTYV.js";
+import {
+  formatKey,
+  generateKeysFile,
+  parseKey
+} from "./chunk-UEWYFN6A.js";
+import "./chunk-2USZPWLZ.js";
+import "./chunk-XC65ORJ5.js";
+import "./chunk-5G2DU52U.js";
+
+// src/cli/commands/vault-init.ts
+import { resolve, join } from "path";
+async function run(args, ctx) {
+  try {
+    const cwd = args.flags["--cwd"] ?? ctx.cwd;
+    const baseDir = resolve(cwd);
+    const envName = args.flags["--env"] ?? "production";
+    writeLine(bold("\u{1F510} Vault Initialization"));
+    writeLine("");
+    const vaultPath = join(baseDir, ".env.vault");
+    const keysPath = join(baseDir, ".env.keys");
+    if (await exists(vaultPath)) {
+      writeLine(yellow("  \u26A0 Vault already exists."));
+      if (!args.flags["--force"]) {
+        const overwrite = await confirm("  Overwrite existing vault?", false);
+        if (!overwrite) {
+          writeLine(green("  Cancelled."));
+          return 0;
+        }
+      }
+    }
+    const key = args.flags["--key"];
+    let masterKeyFormatted;
+    if (key) {
+      masterKeyFormatted = key;
+      try {
+        parseKey(masterKeyFormatted);
+      } catch {
+        writeError(red('  Invalid key format. Key must start with "ultraenv_key_v1_"'));
+        return 1;
+      }
+    } else {
+      writeLine(cyan("  Generating encryption key..."));
+      const { generateMasterKey } = await import("./key-manager-O3G55WPU.js");
+      const rawKey = generateMasterKey();
+      masterKeyFormatted = formatKey(rawKey);
+    }
+    writeLine(cyan("  Creating keys file..."));
+    const keysContent = generateKeysFile([envName]);
+    const envVarName = `ULTRAENV_KEY_${envName.toUpperCase()}`;
+    const keysLines = keysContent.split("\n");
+    const updatedKeysLines = keysLines.map((line) => {
+      if (line.startsWith(`${envVarName}=`)) {
+        return `${envVarName}="${masterKeyFormatted}"`;
+      }
+      return line;
+    });
+    await writeFile(keysPath, updatedKeysLines.join("\n"));
+    writeLine(green(`  \u2713 Keys written to ${keysPath}`));
+    writeLine(cyan("  Creating vault file..."));
+    const vaultHeader = [
+      "# ultraenv encrypted vault \u2014 safe to commit",
+      `# Generated: ${(/* @__PURE__ */ new Date()).toISOString()}`,
+      `# Environments: ${envName}`,
+      ""
+    ].join("\n");
+    await writeFile(vaultPath, vaultHeader);
+    writeLine(green(`  \u2713 Vault created at ${vaultPath}`));
+    writeLine("");
+    writeLine(green(bold("  \u2705 Vault initialized successfully!")));
+    writeLine("");
+    writeLine(yellow("  \u26A0 IMPORTANT:"));
+    writeLine(yellow(`    - Add ${keysPath} to .gitignore`));
+    writeLine(yellow("    - Never commit your keys file"));
+    writeLine(yellow("    - Store keys securely (e.g., CI secrets manager)"));
+    writeLine("");
+    writeLine(cyan("  Next steps:"));
+    writeLine(`    ultraenv vault encrypt --env ${envName}`);
+    writeLine("");
+    return 0;
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    writeError(red(`  Vault init error: ${msg}`));
+    return 1;
+  }
+}
+export {
+  run
+};

package/dist/vault-rekey-DAHT7JCN.js

@@ -0,0 +1,132 @@
+import {
+  readVaultFile,
+  writeVaultFile
+} from "./chunk-NBOABPHM.js";
+import {
+  bold,
+  cyan,
+  green,
+  red,
+  yellow
+} from "./chunk-OMAOROL4.js";
+import {
+  writeError,
+  writeLine
+} from "./chunk-YN2KGTCB.js";
+import {
+  exists,
+  readFile
+} from "./chunk-3VYXPTYV.js";
+import {
+  formatKey,
+  generateMasterKey,
+  maskKey,
+  parseKey
+} from "./chunk-UEWYFN6A.js";
+import {
+  decryptValue,
+  encryptValue,
+  isEncryptedValue
+} from "./chunk-2USZPWLZ.js";
+import "./chunk-XC65ORJ5.js";
+import {
+  getErrorMessage
+} from "./chunk-5G2DU52U.js";
+
+// src/cli/commands/vault-rekey.ts
+import { resolve, join } from "path";
+async function run(args, ctx) {
+  try {
+    const cwd = args.flags["--cwd"] ?? ctx.cwd;
+    const baseDir = resolve(cwd);
+    const envName = args.flags["--env"] ?? "production";
+    const oldKeyInput = args.flags["--old-key"];
+    const newKeyInput = args.flags["--new-key"];
+    writeLine(bold(`\u{1F511} Rotating encryption key for "${envName}"`));
+    writeLine("");
+    let oldKey;
+    let newKey;
+    if (oldKeyInput && newKeyInput) {
+      oldKey = parseKey(oldKeyInput);
+      newKey = parseKey(newKeyInput);
+    } else {
+      const keysPath = join(baseDir, ".env.keys");
+      if (!await exists(keysPath)) {
+        writeError(red("  .env.keys not found."));
+        return 1;
+      }
+      const keysContent = await readFile(keysPath);
+      const { parseKeysFile } = await import("./key-manager-O3G55WPU.js");
+      const keys = parseKeysFile(keysContent);
+      const envKey = keys.get(envName.toLowerCase());
+      if (!envKey) {
+        writeError(red(`  No key found for environment "${envName}"`));
+        return 1;
+      }
+      oldKey = parseKey(envKey);
+      newKey = generateMasterKey();
+    }
+    const vaultPath = join(baseDir, ".env.vault");
+    if (!await exists(vaultPath)) {
+      writeError(red("  .env.vault not found."));
+      return 1;
+    }
+    const vault = await readVaultFile(vaultPath);
+    const entry = vault.get(envName.toLowerCase());
+    if (!entry) {
+      writeError(red(`  Environment "${envName}" not found in vault.`));
+      return 1;
+    }
+    writeLine(cyan("  Re-encrypting with new key..."));
+    const lines = entry.encrypted.split("\n");
+    const reencryptedLines = [];
+    for (const line of lines) {
+      const eqIdx = line.indexOf("=");
+      if (eqIdx === -1) {
+        reencryptedLines.push(line);
+        continue;
+      }
+      const key = line.slice(0, eqIdx);
+      const value = line.slice(eqIdx + 1);
+      if (isEncryptedValue(value)) {
+        const decrypted = decryptValue(value, oldKey);
+        const reencrypted = encryptValue(decrypted, newKey);
+        reencryptedLines.push(`${key}=${reencrypted}`);
+      } else {
+        reencryptedLines.push(line);
+      }
+    }
+    entry.encrypted = reencryptedLines.join("\n");
+    entry.lastModified = (/* @__PURE__ */ new Date()).toISOString();
+    entry.keyIds = ["v1"];
+    vault.set(envName.toLowerCase(), entry);
+    await writeVaultFile(vaultPath, vault);
+    if (!newKeyInput) {
+      const keysPath = join(baseDir, ".env.keys");
+      const keysContent = await readFile(keysPath);
+      const envVarName = `ULTRAENV_KEY_${envName.toUpperCase()}`;
+      const newFormatted = formatKey(newKey);
+      const updatedLines = keysContent.split("\n").map((line) => {
+        if (line.startsWith(`${envVarName}=`)) {
+          return `${envVarName}="${newFormatted}"`;
+        }
+        return line;
+      });
+      const { writeFile } = await import("./fs-VH7ATUS3.js");
+      await writeFile(keysPath, updatedLines.join("\n"));
+      writeLine(yellow(`  \u26A0 New key written to ${keysPath}`));
+      writeLine(yellow(`    New key: ${maskKey(newFormatted)}`));
+    }
+    writeLine(green(`  \u2713 Key rotated for ${entry.varCount} variables`));
+    writeLine("");
+    writeLine(green(bold("  \u2705 Key rotation complete!")));
+    writeLine("");
+    return 0;
+  } catch (error) {
+    writeError(red(`  Rekey error: ${getErrorMessage(error)}`));
+    return 1;
+  }
+}
+export {
+  run
+};

package/dist/vault-status-GDLRU2OK.js

@@ -0,0 +1,90 @@
+import {
+  drawTable
+} from "./chunk-WMHN5RW2.js";
+import {
+  readVaultFile
+} from "./chunk-NBOABPHM.js";
+import {
+  bold,
+  green,
+  red,
+  yellow
+} from "./chunk-OMAOROL4.js";
+import {
+  writeError,
+  writeJson,
+  writeLine
+} from "./chunk-YN2KGTCB.js";
+import {
+  exists
+} from "./chunk-3VYXPTYV.js";
+import "./chunk-5G2DU52U.js";
+
+// src/cli/commands/vault-status.ts
+import { resolve, join } from "path";
+async function run(args, ctx) {
+  try {
+    const cwd = args.flags["--cwd"] ?? ctx.cwd;
+    const baseDir = resolve(cwd);
+    const vaultPath = join(baseDir, ".env.vault");
+    const keysPath = join(baseDir, ".env.keys");
+    const vaultExists = await exists(vaultPath);
+    const keysExists = await exists(keysPath);
+    if (ctx.outputFormat === "json") {
+      const environments = {};
+      if (vaultExists) {
+        const vault2 = await readVaultFile(vaultPath);
+        for (const [name, entry] of vault2) {
+          environments[name] = {
+            vars: entry.varCount,
+            modified: entry.lastModified,
+            keyIds: [...entry.keyIds]
+          };
+        }
+      }
+      writeJson({
+        vaultExists,
+        keysExists,
+        encrypted: vaultExists,
+        environments
+      });
+      return 0;
+    }
+    writeLine(bold("\u{1F510} Vault Status"));
+    writeLine("");
+    writeLine(`  Vault file:   ${vaultExists ? green("exists") : red("not found")} (${vaultPath})`);
+    writeLine(`  Keys file:    ${keysExists ? green("exists") : red("not found")} (${keysPath})`);
+    writeLine("");
+    if (!vaultExists) {
+      writeLine(yellow('  No vault initialized. Run "ultraenv vault init" to create one.'));
+      writeLine("");
+      return 0;
+    }
+    const vault = await readVaultFile(vaultPath);
+    if (vault.size === 0) {
+      writeLine(yellow("  Vault is empty. No environments encrypted yet."));
+      writeLine("");
+      return 0;
+    }
+    const headers = ["Environment", "Variables", "Key IDs", "Last Modified"];
+    const rows = [];
+    for (const [name, entry] of vault) {
+      rows.push([
+        name,
+        String(entry.varCount),
+        entry.keyIds.join(", "),
+        entry.lastModified.slice(0, 19).replace("T", " ")
+      ]);
+    }
+    writeLine(drawTable(headers, rows, { maxWidth: 100 }));
+    writeLine("");
+    return 0;
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    writeError(red(`  Vault status error: ${msg}`));
+    return 1;
+  }
+}
+export {
+  run
+};

package/dist/vault-verify-CD76FJSF.js

@@ -0,0 +1,102 @@
+import {
+  computeIntegrity
+} from "./chunk-N5PAV4NM.js";
+import {
+  readVaultFile
+} from "./chunk-NBOABPHM.js";
+import {
+  bold,
+  cyan,
+  green,
+  red
+} from "./chunk-OMAOROL4.js";
+import {
+  writeError,
+  writeJson,
+  writeLine
+} from "./chunk-YN2KGTCB.js";
+import {
+  exists,
+  readFile
+} from "./chunk-3VYXPTYV.js";
+import {
+  parseKey
+} from "./chunk-UEWYFN6A.js";
+import "./chunk-2USZPWLZ.js";
+import "./chunk-XC65ORJ5.js";
+import {
+  getErrorMessage
+} from "./chunk-5G2DU52U.js";
+
+// src/cli/commands/vault-verify.ts
+import { resolve, join } from "path";
+async function run(args, ctx) {
+  try {
+    const cwd = args.flags["--cwd"] ?? ctx.cwd;
+    const baseDir = resolve(cwd);
+    const envName = args.flags["--env"] ?? "production";
+    const keyInput = args.flags["--key"];
+    writeLine(bold(`\u{1F512} Verifying vault integrity for "${envName}"`));
+    writeLine("");
+    const vaultPath = join(baseDir, ".env.vault");
+    if (!await exists(vaultPath)) {
+      writeError(red("  .env.vault not found."));
+      return 1;
+    }
+    const vault = await readVaultFile(vaultPath);
+    const entry = vault.get(envName.toLowerCase());
+    if (!entry) {
+      writeError(red(`  Environment "${envName}" not found in vault.`));
+      return 1;
+    }
+    let rawKey;
+    if (keyInput) {
+      rawKey = parseKey(keyInput);
+    } else {
+      const keysPath = join(baseDir, ".env.keys");
+      if (!await exists(keysPath)) {
+        writeError(red("  No key provided and .env.keys not found."));
+        return 1;
+      }
+      const keysContent = await readFile(keysPath);
+      const { parseKeysFile } = await import("./key-manager-O3G55WPU.js");
+      const keys = parseKeysFile(keysContent);
+      const envKey = keys.get(envName.toLowerCase());
+      if (!envKey) {
+        writeError(red(`  No key for "${envName}"`));
+        return 1;
+      }
+      rawKey = parseKey(envKey);
+    }
+    const digest = computeIntegrity(entry.encrypted, rawKey);
+    writeLine(cyan("  Integrity check:"));
+    writeLine(`    Environment:    ${cyan(envName)}`);
+    writeLine(`    Variables:       ${cyan(String(entry.varCount))}`);
+    writeLine(`    Integrity hash: ${cyan(digest.slice(0, 16))}...`);
+    writeLine(`    Last modified:  ${cyan(entry.lastModified)}`);
+    writeLine("");
+    if (ctx.outputFormat === "json") {
+      writeJson({
+        valid: true,
+        environment: envName,
+        digest: digest.slice(0, 32),
+        varCount: entry.varCount,
+        lastModified: entry.lastModified
+      });
+    } else {
+      writeLine(green(bold("  \u2705 Vault integrity verified successfully")));
+    }
+    writeLine("");
+    return 0;
+  } catch (error) {
+    if (ctx.outputFormat === "json") {
+      writeJson({ valid: false, error: getErrorMessage(error) });
+    } else {
+      writeError(red(`  Vault verify error: ${getErrorMessage(error)}`));
+    }
+    return 1;
+  }
+}
+export {
+  run
+};