envx_secure/cli.rs
1//! Command-line interface definitions.
2//!
3//! All argument parsing is handled by [`clap`] via the derive API.
4//! Add new subcommands here by extending [`Command`] and wiring them up in
5//! `main.rs`.
6
7use clap::{Parser, Subcommand};
8use std::path::PathBuf;
9
10/// Top-level CLI entry point.
11#[derive(Parser)]
12#[command(name = "envx", about = "A CLI tool for .env file management")]
13pub struct Cli {
14 /// The subcommand to run.
15 #[command(subcommand)]
16 pub command: Command,
17}
18
19/// Available subcommands.
20#[derive(Subcommand)]
21pub enum Command {
22 /// Show a semantic diff between two `.env` files.
23 ///
24 /// Values for keys that match common sensitive patterns (`SECRET`, `KEY`,
25 /// `TOKEN`, `PASSWORD`, `PASS`, `PWD`) are redacted in the output.
26 /// Exits with code `1` when any difference is found.
27 Diff {
28 /// Reference env file (shown as `---`).
29 file_a: PathBuf,
30 /// Target env file (shown as `+++`).
31 file_b: PathBuf,
32 },
33
34 /// Validate a `.env` file against a schema.
35 ///
36 /// The schema is a plain-text file with one key name per line; lines
37 /// starting with `#` and blank lines are ignored. Missing or empty
38 /// required keys cause an exit code of `1`.
39 Audit {
40 /// Path to the schema file.
41 #[arg(long)]
42 schema: PathBuf,
43 /// Path to the `.env` file to audit.
44 env_file: PathBuf,
45 },
46
47 /// Encrypt a `.env` file with a passphrase using [age].
48 ///
49 /// Prompts for a passphrase twice (confirmation). Writes the ciphertext
50 /// to `<file>.age` next to the original.
51 ///
52 /// [age]: https://age-encryption.org
53 Encrypt {
54 /// Path to the plaintext `.env` file to encrypt.
55 file: PathBuf,
56 },
57
58 /// Decrypt an age-encrypted `.env` file.
59 ///
60 /// The input file must have an `.age` extension. The plaintext is written
61 /// to the path obtained by stripping the `.age` suffix.
62 Decrypt {
63 /// Path to the `.age` encrypted file.
64 file: PathBuf,
65 },
66}