dotenvage 0.6.0

Dotenv with age encryption: encrypt/decrypt secrets in .env files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390

//! Integration tests for dynamic dimension recomputation.
//!
//! These tests verify that dimension configuration values (like NODE_ENV
//! or VARIANT) discovered in loaded files can cause additional files to
//! be loaded.

use std::env;

use serial_test::serial;

/// Standard list of environment variables to clear before each test
const CLEAR_ALL_DIMENSION_VARS: &[&str] = &[
    "DOTENVAGE_ENV",
    "EKG_ENV",
    "VERCEL_ENV",
    "NODE_ENV",
    "DOTENVAGE_OS",
    "EKG_OS",
    "DOTENVAGE_ARCH",
    "EKG_ARCH",
    "CARGO_CFG_TARGET_ARCH",
    "TARGET",
    "TARGETARCH",
    "TARGETPLATFORM",
    "RUNNER_ARCH",
    "DOTENVAGE_USER",
    "EKG_USER",
    "GITHUB_ACTOR",
    "GITHUB_TRIGGERING_ACTOR",
    "GITHUB_REPOSITORY_OWNER",
    "USER",
    "USERNAME",
    "DOTENVAGE_VARIANT",
    "EKG_VARIANT",
    "VARIANT",
    "GITHUB_EVENT_NAME",
    "GITHUB_REF",
    "PR_NUMBER",
];

fn clear_env(keys: &[&str]) {
    for k in keys {
        unsafe { env::remove_var(k) };
    }
}

#[test]
#[serial]
fn dynamic_env_discovery_from_base_file() {
    // Test: NODE_ENV=production in .env causes .env.production to load
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    let tmp = tempfile::tempdir().unwrap();

    // .env sets NODE_ENV=production
    std::fs::write(tmp.path().join(".env"), "NODE_ENV=production\nBASE=1\n").unwrap();

    // .env.production should be loaded because NODE_ENV is discovered
    std::fs::write(tmp.path().join(".env.production"), "PROD=1\n").unwrap();

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    loader.load_from_dir(tmp.path()).unwrap();

    // Verify both files were loaded
    assert_eq!(env::var("BASE").unwrap(), "1");
    assert_eq!(env::var("PROD").unwrap(), "1");
    assert_eq!(env::var("NODE_ENV").unwrap(), "production");
}

#[test]
#[serial]
fn dynamic_variant_discovery_triggers_reload() {
    // Test: VARIANT=docker in .env causes .env.docker to load
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    let tmp = tempfile::tempdir().unwrap();

    // .env sets VARIANT=docker
    std::fs::write(tmp.path().join(".env"), "VARIANT=docker\nBASE=1\n").unwrap();

    // .env.docker should be loaded because VARIANT is discovered
    std::fs::write(tmp.path().join(".env.docker"), "DOCKER_CONFIG=enabled\n").unwrap();

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    loader.load_from_dir(tmp.path()).unwrap();

    // Verify both files were loaded
    assert_eq!(env::var("BASE").unwrap(), "1");
    assert_eq!(env::var("DOCKER_CONFIG").unwrap(), "enabled");
    assert_eq!(env::var("VARIANT").unwrap(), "docker");
}

#[test]
#[serial]
fn dynamic_arch_discovery_from_env_file() {
    // Test: DOTENVAGE_ARCH=arm64 in .env causes .env.local.arm64 to load
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    let tmp = tempfile::tempdir().unwrap();

    // .env sets DOTENVAGE_ARCH=arm64
    std::fs::write(tmp.path().join(".env"), "DOTENVAGE_ARCH=arm64\nBASE=1\n").unwrap();

    // .env.local and .env.local.arm64 should be loaded
    std::fs::write(tmp.path().join(".env.local"), "LOCAL=1\n").unwrap();
    std::fs::write(
        tmp.path().join(".env.local.arm64"),
        "ARM64_CONFIG=enabled\n",
    )
    .unwrap();

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    loader.load_from_dir(tmp.path()).unwrap();

    // Verify all files were loaded
    assert_eq!(env::var("BASE").unwrap(), "1");
    assert_eq!(env::var("LOCAL").unwrap(), "1");
    assert_eq!(env::var("ARM64_CONFIG").unwrap(), "enabled");
}

#[test]
#[serial]
fn no_double_loading() {
    // Test: Files are not loaded twice even if they match multiple
    // recomputation rounds
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    let tmp = tempfile::tempdir().unwrap();

    // .env sets NODE_ENV, COUNTER starts at 0
    std::fs::write(tmp.path().join(".env"), "NODE_ENV=prod\nCOUNTER=0\n").unwrap();

    // .env.prod overrides COUNTER - if loaded twice, this would be
    // problematic for the test logic
    std::fs::write(tmp.path().join(".env.prod"), "COUNTER=1\nPROD_LOADED=yes\n").unwrap();

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    loader.load_from_dir(tmp.path()).unwrap();

    // Verify .env.prod was loaded (COUNTER=1 overrides COUNTER=0)
    assert_eq!(env::var("COUNTER").unwrap(), "1");
    assert_eq!(env::var("PROD_LOADED").unwrap(), "yes");
}

#[test]
#[serial]
fn chained_discovery() {
    // Test: .env sets ENV, .env.staging sets VARIANT, .env.staging.canary
    // loads
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    let tmp = tempfile::tempdir().unwrap();

    // Chain: .env -> .env.staging -> .env.staging.canary
    std::fs::write(tmp.path().join(".env"), "NODE_ENV=staging\nSTEP=1\n").unwrap();
    std::fs::write(tmp.path().join(".env.staging"), "VARIANT=canary\nSTEP=2\n").unwrap();
    std::fs::write(
        tmp.path().join(".env.staging.canary"),
        "STEP=3\nCANARY=yes\n",
    )
    .unwrap();

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    loader.load_from_dir(tmp.path()).unwrap();

    // Verify the chain was followed
    assert_eq!(env::var("NODE_ENV").unwrap(), "staging");
    assert_eq!(env::var("VARIANT").unwrap(), "canary");
    assert_eq!(env::var("STEP").unwrap(), "3"); // Last file wins
    assert_eq!(env::var("CANARY").unwrap(), "yes");
}

#[test]
#[serial]
fn encrypted_dimension_config_ignored_in_discovery() {
    // Test: Encrypted dimension config values are skipped during discovery
    // phase. We test this at the discovery level, not the full load level,
    // because load_env_file will fail on invalid encrypted values.
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    // Test discover_dimensions_from_vars directly by checking that resolve
    // functions don't pick up encrypted values from the environment
    let tmp = tempfile::tempdir().unwrap();

    // .env has a plaintext VARIANT but no ENV set
    std::fs::write(tmp.path().join(".env"), "VARIANT=docker\nBASE=1\n").unwrap();

    // .env.local should be loaded (default ENV=local)
    std::fs::write(tmp.path().join(".env.local"), "LOCAL=1\n").unwrap();

    // .env.docker should be loaded (VARIANT=docker was discovered)
    std::fs::write(tmp.path().join(".env.docker"), "DOCKER=1\n").unwrap();

    // .env.local.docker should also be loaded
    std::fs::write(tmp.path().join(".env.local.docker"), "LOCAL_DOCKER=1\n").unwrap();

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    loader.load_from_dir(tmp.path()).unwrap();

    // Verify correct files were loaded
    assert_eq!(env::var("BASE").unwrap(), "1");
    assert_eq!(env::var("LOCAL").unwrap(), "1");
    assert_eq!(env::var("DOCKER").unwrap(), "1");
    assert_eq!(env::var("LOCAL_DOCKER").unwrap(), "1");
}

#[test]
#[serial]
fn env_var_determines_file_selection() {
    // Test: Environment variables set BEFORE loading determine which files
    // are selected for loading (via resolve_* functions). The file's value
    // may still override the env var after loading.
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    // Set NODE_ENV=production via environment BEFORE loading
    unsafe {
        env::set_var("NODE_ENV", "production");
    }

    let tmp = tempfile::tempdir().unwrap();

    // .env has NODE_ENV=staging, but dimension discovery should use the
    // existing env var (production)
    std::fs::write(tmp.path().join(".env"), "NODE_ENV=staging\nBASE=1\n").unwrap();

    // .env.production should be loaded (env var determines file selection)
    std::fs::write(tmp.path().join(".env.production"), "PROD=1\n").unwrap();

    // .env.staging should NOT be loaded (env var takes precedence for
    // discovery)
    std::fs::write(tmp.path().join(".env.staging"), "STAGING=1\n").unwrap();

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    loader.load_from_dir(tmp.path()).unwrap();

    // Verify that .env.production was loaded (not staging)
    assert_eq!(env::var("BASE").unwrap(), "1");
    assert_eq!(env::var("PROD").unwrap(), "1");
    assert!(
        env::var("STAGING").is_err(),
        "Env var should determine file selection, staging should not load"
    );

    // Note: NODE_ENV may be overwritten by .env file content after loading
    // (that's expected behavior - files can override env vars)
}

// =============================================================================
// Tests for collect_all_vars_from_dir (used by CLI list/dump commands)
// =============================================================================
// These tests ensure the CLI code path correctly handles dynamic discovery.
// A bug was found where CLI commands called resolve_env_paths once without
// iterating, missing files that should be loaded based on dimensions
// discovered in intermediate files.

#[test]
#[serial]
fn collect_vars_discovers_variant_from_intermediate_file() {
    // Test: collect_all_vars_from_dir discovers VARIANT from .env.local
    // and loads .env.local.oxigraph (the real-world bug scenario)
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    let tmp = tempfile::tempdir().unwrap();

    // .env - base file (no VARIANT set here)
    std::fs::write(tmp.path().join(".env"), "BASE=from_env\n").unwrap();

    // .env.local - sets EKG_VARIANT=oxigraph
    std::fs::write(
        tmp.path().join(".env.local"),
        "LOCAL=from_local\nEKG_VARIANT=oxigraph\n",
    )
    .unwrap();

    // .env.local.oxigraph - should be loaded because VARIANT is discovered
    std::fs::write(
        tmp.path().join(".env.local.oxigraph"),
        "OXIGRAPH_CONFIG=from_oxigraph\n",
    )
    .unwrap();

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    let (vars, paths) = loader.collect_all_vars_from_dir(tmp.path()).unwrap();

    // Verify all three files were loaded
    assert_eq!(vars.get("BASE").unwrap(), "from_env");
    assert_eq!(vars.get("LOCAL").unwrap(), "from_local");
    assert_eq!(vars.get("EKG_VARIANT").unwrap(), "oxigraph");
    assert_eq!(
        vars.get("OXIGRAPH_CONFIG").unwrap(),
        "from_oxigraph",
        "VARIANT discovered in .env.local should trigger loading .env.local.oxigraph"
    );

    // Verify the paths include all three files
    assert_eq!(paths.len(), 3, "Should load exactly 3 files");
    assert!(paths[0].ends_with(".env"));
    assert!(paths[1].ends_with(".env.local"));
    assert!(paths[2].ends_with(".env.local.oxigraph"));
}

#[test]
#[serial]
fn collect_vars_chained_discovery() {
    // Test: collect_all_vars_from_dir handles chained discovery
    // .env -> .env.staging -> .env.staging.canary
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    let tmp = tempfile::tempdir().unwrap();

    // Chain: .env sets ENV, .env.staging sets VARIANT, .env.staging.canary loads
    std::fs::write(tmp.path().join(".env"), "NODE_ENV=staging\nSTEP=1\n").unwrap();
    std::fs::write(tmp.path().join(".env.staging"), "VARIANT=canary\nSTEP=2\n").unwrap();
    std::fs::write(
        tmp.path().join(".env.staging.canary"),
        "STEP=3\nCANARY_FLAG=yes\n",
    )
    .unwrap();

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    let (vars, paths) = loader.collect_all_vars_from_dir(tmp.path()).unwrap();

    // Verify the chain was followed
    assert_eq!(vars.get("NODE_ENV").unwrap(), "staging");
    assert_eq!(vars.get("VARIANT").unwrap(), "canary");
    assert_eq!(vars.get("STEP").unwrap(), "3"); // Last file wins
    assert_eq!(
        vars.get("CANARY_FLAG").unwrap(),
        "yes",
        "Chained discovery should load .env.staging.canary"
    );

    // Verify all three files were loaded in order
    assert_eq!(paths.len(), 3, "Should load exactly 3 files");
}

#[test]
#[serial]
fn collect_vars_does_not_modify_environment() {
    // Test: collect_all_vars_from_dir should not permanently modify
    // the process environment (important for CLI commands)
    clear_env(CLEAR_ALL_DIMENSION_VARS);

    let tmp = tempfile::tempdir().unwrap();

    // .env sets NODE_ENV which triggers discovery
    std::fs::write(
        tmp.path().join(".env"),
        "NODE_ENV=production\nTEST_VAR=test_value\n",
    )
    .unwrap();
    std::fs::write(tmp.path().join(".env.production"), "PROD_VAR=prod_value\n").unwrap();

    // Set a non-dimension var that should NOT be modified
    unsafe {
        env::set_var("UNRELATED_VAR", "original_value");
    }

    let loader = dotenvage::EnvLoader::with_manager(dotenvage::SecretManager::generate().unwrap());
    let (vars, _paths) = loader.collect_all_vars_from_dir(tmp.path()).unwrap();

    // Verify vars were collected (including from .env.production via discovery)
    assert_eq!(vars.get("PROD_VAR").unwrap(), "prod_value");
    assert_eq!(vars.get("TEST_VAR").unwrap(), "test_value");

    // Verify unrelated environment was not touched
    assert_eq!(
        env::var("UNRELATED_VAR").unwrap(),
        "original_value",
        "collect_all_vars_from_dir should not touch unrelated vars"
    );

    // Verify collected vars are NOT in process environment
    assert!(
        env::var("TEST_VAR").is_err(),
        "collect_all_vars_from_dir should not set vars in process environment"
    );
    assert!(
        env::var("PROD_VAR").is_err(),
        "collect_all_vars_from_dir should not set vars in process environment"
    );

    // Verify dimension vars are restored (NODE_ENV was temporarily set during
    // discovery) After collect_all_vars_from_dir, it should be unset (was not
    // set before)
    assert!(
        env::var("NODE_ENV").is_err(),
        "collect_all_vars_from_dir should restore dimension vars to original state"
    );
}