envx-secure 0.1.3

A CLI for .env file management: diff, audit, and encrypt
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

//! Command-line interface definitions.
//!
//! All argument parsing is handled by [`clap`] via the derive API.
//! Add new subcommands here by extending [`Command`] and wiring them up in
//! `main.rs`.

use clap::{Parser, Subcommand};
use std::path::PathBuf;

/// Top-level CLI entry point.
#[derive(Parser)]
#[command(name = "envx", about = "A CLI tool for .env file management")]
pub struct Cli {
    /// The subcommand to run.
    #[command(subcommand)]
    pub command: Command,
}

/// Available subcommands.
#[derive(Subcommand)]
pub enum Command {
    /// Show a semantic diff between two `.env` files.
    ///
    /// Values for keys that match common sensitive patterns (`SECRET`, `KEY`,
    /// `TOKEN`, `PASSWORD`, `PASS`, `PWD`) are redacted in the output.
    /// Exits with code `1` when any difference is found.
    Diff {
        /// Reference env file (shown as `---`).
        file_a: PathBuf,
        /// Target env file (shown as `+++`).
        file_b: PathBuf,
    },

    /// Validate a `.env` file against a schema.
    ///
    /// The schema is a plain-text file with one key name per line; lines
    /// starting with `#` and blank lines are ignored.  Missing or empty
    /// required keys cause an exit code of `1`.
    Audit {
        /// Path to the schema file.
        #[arg(long)]
        schema: PathBuf,
        /// Path to the `.env` file to audit.
        env_file: PathBuf,
    },

    /// Encrypt a `.env` file with a passphrase using [age].
    ///
    /// Prompts for a passphrase twice (confirmation).  Writes the ciphertext
    /// to `<file>.age` next to the original.
    ///
    /// [age]: https://age-encryption.org
    Encrypt {
        /// Path to the plaintext `.env` file to encrypt.
        file: PathBuf,
    },

    /// Decrypt an age-encrypted `.env` file.
    ///
    /// The input file must have an `.age` extension.  The plaintext is written
    /// to the path obtained by stripping the `.age` suffix.
    Decrypt {
        /// Path to the `.age` encrypted file.
        file: PathBuf,
    },
}