feat: Added --color flag.

Allows printing data in tabular or json format.

.envrc

@@ -1,3 +1 @@
 use flake
-
-export PATH="$PATH:./vendor/bin"

.github/workflows/odin.yml

@@ -0,0 +1,32 @@
+name: Odin
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libsodium-dev sqlite3 libsqlite3-dev libsodium-dev
+
+      - name: Install Odin
+        run: |
+          git clone https://github.com/odin-lang/Odin.git /opt/odin
+          cd /opt/odin
+          ./build_odin.sh release
+          echo "/opt/odin" >> "$GITHUB_PATH"
+
+      - name: Build
+        run: |
+          odin build . -o:speed -out:envr
+
+      - name: Test
+        run: odin test .

.github/workflows/release-please.yml

@@ -0,0 +1,26 @@
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+name: release-please
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: googleapis/release-please-action@v5
+        with:
+          # this assumes that you have created a personal access token
+          # (PAT) and configured it as a GitHub action secret named
+          # `MY_RELEASE_PLEASE_TOKEN` (this secret name is not important).
+          token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}
+          # this is a built-in strategy in release-please, see "Action Inputs"
+          # for more options
+          release-type: simple
+          target-branch: ${{ github.ref_name }}

.gitignore

@@ -1,3 +1,19 @@
+# dev env
 .direnv
-node_modules
-vendor
+
+list.json
+
+# docs
+man 
+
+# build artifacts
+*.spall
+builds
+envr
+envr-go
+envr-prof
+findr/findr
+findr/findr-prof
+findr/bench-*.md
+result
+version.odin

.tokeignore

@@ -0,0 +1 @@
+**/*_test.{odin,go}

CHANGELOG.md

@@ -0,0 +1,73 @@
+# Changelog
+
+## [0.3.0](https://github.com/sbrow/envr/compare/v0.2.1...v0.3.0) (2026-06-16)
+
+Version 0.3.0 represents a significant departure (and improvement) for envr.
+The entire codebase was rewritten in [Odin](https://odin-lang.org/) (from Go).
+This reduced the binary size from over 17MB to under 600k, improved performance,
+and significantly reduced the number of project dependencies from 69 to just 2.
+
+### ⚠ BREAKING CHANGES
+
+* The encryption format of databases has changed. Age encryption is no longer supported, and no automatic migration path was implemented.
+
+### Features
+
+* All encryption/decryption now happens in-memory. ([fe2b256](https://github.com/sbrow/envr/commit/fe2b256bd61eaf551d53faf3893b473a64a94667))
+* Config can be loaded from any path with `--config-file (-c)` flag. ([4a26ee8](https://github.com/sbrow/envr/commit/4a26ee814591e6aab0eb99d2359d51b31011edfe))
+* Switched from age to libsodium. ([23b8c2d](https://github.com/sbrow/envr/commit/23b8c2dc671a23cf76cf6746b33806ded9381486))
+
+
+### Performance Improvements
+
+* Improved writer performance. ([365e914](https://github.com/sbrow/envr/commit/365e9149b1a738ac9119bb5f74dc7e047ecfed5b))
+
+## [0.2.1](https://github.com/sbrow/envr/compare/v0.2.0...v0.2.1) (2026-01-12)
+
+
+### Bug Fixes
+
+* Added `add` as an alias for backup. ([cf363ab](https://github.com/sbrow/envr/commit/cf363abc4d8cec208d23c6acedbb7e0dd6900332))
+
+## [0.2.0](https://github.com/sbrow/envr/compare/v0.1.1...v0.2.0) (2025-11-10)
+
+
+### ⚠ BREAKING CHANGES
+
+* Dir is now derived from Path rather than stored in the DB. Your DB will need to be updated.
+* **scan:** The config value `scan.Exclude` is now a list rather than a string.
+* **check:** Renamed the `check` command to `deps`.
+* The config value `scan.Include` is now a list rather than a string.
+
+### Features
+
+* Added new `check` command. ([cbd74f3](https://github.com/sbrow/envr/commit/cbd74f387e2e330b2557d07dd82ba05cc91300ac))
+* **config:** The default config now filters out more junk. ([15be62b](https://github.com/sbrow/envr/commit/15be62b5a2a5a735b90b074497d645c5a2cfced8))
+* **init:** Added a `--force` flag for overwriting an existing config. ([169653d](https://github.com/sbrow/envr/commit/169653d7566f63730fb9da80a18330a566223be9))
+* Multiple scan includes are now supported. ([4273fa5](https://github.com/sbrow/envr/commit/4273fa58956d8736271a0af66202dca481126fe4))
+* **scan:** Added support for multiple exports. ([f43705c](https://github.com/sbrow/envr/commit/f43705cd53c6d87aef1f69df4e474441f25c1dc7))
+* **sync:** envr can now detect if directories have moved. ([4db0a4d](https://github.com/sbrow/envr/commit/4db0a4d33d2b6a79d13b36a8e8631f895e8fef8d))
+* **sync:** Now checks files for mismatched hashes before replacing. ([8074f7a](https://github.com/sbrow/envr/commit/8074f7ae6dfa54e931a198257f3f8e6d0cfe353a))
+
+
+### Bug Fixes
+
+* **check:** `fd` now correctly gets marked as found. ([17ce49c](https://github.com/sbrow/envr/commit/17ce49cd2d33942282c6f54ce819ac25978f6b7c))
+
+
+### Code Refactoring
+
+* **check:** Renamed the `check` command to `deps`. ([c9c34ce](https://github.com/sbrow/envr/commit/c9c34ce771653da214635f1df1fef1f23265c552))
+* Dir is no longer stored in the database. ([0fef74a](https://github.com/sbrow/envr/commit/0fef74a9bba0fbf3c34b66c2095955e6eee7047b))
+
+## [0.1.1](https://github.com/sbrow/envr/compare/v0.1.0...v0.1.1) (2025-11-05)
+
+
+### Features
+
+* **sync:** Results are now displayed in a table. ([42796ec](https://github.com/sbrow/envr/commit/42796ec77b1817e1b9f09068d76a7b6e30da246b))
+
+
+### Bug Fixes
+
+* **sync:** Fixed an issue where deleted folders would be restored. ([9ab72a2](https://github.com/sbrow/envr/commit/9ab72a25faf1af0eedb2f4574166c6ee47450ebb))

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Spencer Reid Brower
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,99 @@
+# Makefile for envr - Environment file manager
+# Builds release artifacts for GitHub releases
+
+APP_NAME := envr
+VERSION := $(shell grep 'version = ' flake.nix | head -1 | sed 's/.*version = "\(.*\)";/\1/')
+BUILD_DIR := builds
+
+# Binary names
+LINUX_AMD64_BIN := $(BUILD_DIR)/$(APP_NAME)-$(VERSION)-linux-amd64
+LINUX_ARM64_BIN := $(BUILD_DIR)/$(APP_NAME)-$(VERSION)-linux-arm64
+DARWIN_ARM64_BIN := $(BUILD_DIR)/$(APP_NAME)-$(VERSION)-darwin-arm64
+
+.PHONY: all clean cleanall build-linux build-darwin compress release profile help
+
+# Default target
+all: release clean
+
+# Create build directory
+$(BUILD_DIR):
+	@mkdir -p $(BUILD_DIR)
+
+# Build Linux AMD64
+$(LINUX_AMD64_BIN): $(BUILD_DIR)
+	@echo "Building for Linux AMD64..."
+	odin build . -target:linux_amd64 -o:speed -out:$(LINUX_AMD64_BIN)
+	@echo "Built $(LINUX_AMD64_BIN)"
+
+# Build Linux ARM64
+$(LINUX_ARM64_BIN): $(BUILD_DIR)
+	@echo "Building for Linux ARM64..."
+	odin build . -target:linux_arm64 -o:speed -out:$(LINUX_ARM64_BIN)
+	@echo "Built $(LINUX_ARM64_BIN)"
+
+# Build Darwin ARM64 (Mac)
+$(DARWIN_ARM64_BIN): $(BUILD_DIR)
+	@echo "Building for Darwin ARM64..."
+	odin build . -target:darwin_arm64 -o:speed -out:$(DARWIN_ARM64_BIN)
+	@echo "Built $(DARWIN_ARM64_BIN)"
+
+# Build all binaries
+build-linux: $(LINUX_AMD64_BIN) # $(LINUX_ARM64_BIN)
+build-darwin: $(DARWIN_ARM64_BIN)
+
+# Compress Linux artifacts with gzip
+$(BUILD_DIR)/$(APP_NAME)-$(VERSION)-linux-amd64.tar.gz: $(LINUX_AMD64_BIN)
+	@echo "Compressing Linux AMD64 artifact..."
+	cd $(BUILD_DIR) && tar -czf $(APP_NAME)-$(VERSION)-linux-amd64.tar.gz --transform 's|.*|$(APP_NAME)|' $(shell basename $(LINUX_AMD64_BIN))
+
+$(BUILD_DIR)/$(APP_NAME)-$(VERSION)-linux-arm64.tar.gz: $(LINUX_ARM64_BIN)
+	@echo "Compressing Linux ARM64 artifact..."
+	cd $(BUILD_DIR) && tar -czf $(APP_NAME)-$(VERSION)-linux-arm64.tar.gz --transform 's|.*|$(APP_NAME)|' $(shell basename $(LINUX_ARM64_BIN))
+
+# Compress Darwin artifacts with zip
+$(BUILD_DIR)/$(APP_NAME)-$(VERSION)-darwin-arm64.zip: $(DARWIN_ARM64_BIN)
+	@echo "Compressing Darwin ARM64 artifact..."
+	cd $(BUILD_DIR) && cp $(shell basename $(DARWIN_ARM64_BIN)) $(APP_NAME) && zip $(APP_NAME)-$(VERSION)-darwin-arm64.zip $(APP_NAME) && rm $(APP_NAME)
+
+# Compress all artifacts
+compress: $(BUILD_DIR)/$(APP_NAME)-$(VERSION)-linux-amd64.tar.gz \
+          # $(BUILD_DIR)/$(APP_NAME)-$(VERSION)-linux-arm64.tar.gz \
+          # $(BUILD_DIR)/$(APP_NAME)-$(VERSION)-darwin-arm64.zip
+
+# Build and compress all release artifacts
+# release: build-linux build-darwin compress
+release: build-linux compress
+	@echo "Release artifacts created:"
+	@ls -la $(BUILD_DIR)/*.tar.gz $(BUILD_DIR)/*.zip 2>/dev/null || echo "No compressed artifacts found"
+
+# Build with spall profiling instrumentation
+profile:
+	@echo "Building with spall profiling..."
+	odin build . -define:SPALL=true -o:speed -out:envr-prof
+	@echo "Built envr-prof (run it to generate envr.spall)"
+
+# Clean binary files only
+clean:
+	@echo "Cleaning binary files..."
+	@rm -f $(LINUX_AMD64_BIN) $(LINUX_ARM64_BIN) $(DARWIN_ARM64_BIN)
+
+# Clean everything in build directory
+cleanall:
+	@echo "Cleaning build directory..."
+	@rm -rf $(BUILD_DIR)
+
+# Show available targets
+help:
+	@echo "Available targets:"
+	@echo "  all         - Build all release artifacts (default)"
+	@echo "  release     - Build and compress all release artifacts"
+	@echo "  build-linux  - Build Linux binaries only"
+	@echo "  build-darwin - Build Darwin binaries only"
+	@echo "  compress    - Compress all built binaries"
+	@echo "  profile     - Build with spall profiling instrumentation"
+	@echo "  clean       - Remove binary files only"
+	@echo "  cleanall    - Remove entire build directory"
+	@echo "  help        - Show this help message"
+	@echo ""
+	@echo "Release artifacts will be created in $(BUILD_DIR)/"
+	@echo "Version: $(VERSION)"

README.md

@@ -1,4 +1,135 @@
-## TODOS
+# envr - Backup your env files
 
-- [ ] `envr sync` - Restore missing .env files, and update backed up ones.
-- [ ] `envr scan` - Search for missing / moved .env files.
+Have you ever wanted to back up all your .env files in case your hard drive gets
+nuked? `envr` makes it easier.
+
+`envr` is a binary application that tracks your `.env` files
+in an encyrpted sqlite database. Changes can be effortlessly synced with
+`envr sync`, and restored with `envr restore`.
+
+`envr` puts all your .env files in one safe place, so you can back them up with
+the tool [of your choosing](#backup-options).
+
+## Features
+
+- **Encrypted Storage**: All `.env` files are encrypted using your ssh key and
+[libsodium](https://github.com/jedisct1/libsodium). 
+- **Automatic Sync**: Update the database with one command, which can easily
+be run on a cron.
+- **Smart Scanning**: Automatically discover and import `.env` files in your
+home directory.
+- **Rename Detection**: Automatically find and updates renamed/moved
+repositories.
+
+## TODOS
+- [x] Rename Detection: automatically update moved files.
+- [ ] Allow use of keys from `ssh-agent`
+- [x] Allow configuration of ssh key.
+- [x] Allow multiple ssh keys.
+
+## Installation
+
+You will need an SSH key pair for encryption and decryption. You can generate one
+with `ssh-keygen -t ed25519`. It will be saved to `~/.ssh/id_ed25519`.
+
+### With Odin
+
+If you already have `odin` installed:
+
+```bash
+# You'll need libsodium and sqlite
+odin build -o:speed
+envr init
+```
+
+### With Nix
+
+If you are a [nix](https://nixos.org/) user
+
+#### Try it out
+
+```bash
+nix run github.com:sbrow/envr --
+```
+
+#### Install it
+
+```nix
+# /etc/nixos/configuration.nix
+{ config, envr, system, ... }: {
+  environment.systemPackages = [
+    envr.packages.${system}.default
+  ];
+}
+```
+
+## Quick Start
+
+Check out the [man page](./docs/cli/envr.md) for the quick setup guide.
+
+## Disclaimers
+
+> [!CAUTION]
+> Do not lose your SSH key pair! Your backup will be **lost forever**.
+
+## Commands
+
+See [the docs](./docs/cli) for the current list of available commands.
+
+## Configuration
+
+The configuration file is created during initialization:
+
+```jsonc
+# Example ~/.envr/config.json
+{
+  "keys": [
+    {
+      "private": "/home/ubuntu/.ssh/id_ed25519",
+      "public": "/home/ubuntu/.ssh/id_ed25519.pub"
+    }
+  ],
+  "scan": {
+    "matcher": "\\.env",
+    "exclude": [
+      "*\\.envrc",
+      "\\.local/",
+      "node_modules",
+      "vendor"       
+    ],
+    "include": "~"
+  }
+}
+```
+
+## Backup Options
+
+`envr` merely gathers your `.env` files in one local place. It is up to you to
+back up the database (found at `~/.envr/data.envr`) to a *secure* and *remote*
+location.
+
+### Git
+
+`envr` preserves inodes when updating the database, so you can safely hardlink
+`~/.envr/data.envr` into your [GNU Stow](https://www.gnu.org/software/stow/),
+[Home Manager](https://github.com/nix-community/home-manager), or
+[NixOS](https://nixos.wiki/wiki/flakes) repository.
+
+> [!CAUTION]
+> For **maximum security**, only save your `data.envr` file to a local
+(i.e. non-cloud) git server that **you personally control**.
+>
+> I take no responsibility if you push all your secrets to a public GitHub repo.
+
+### restic
+
+[restic](https://restic.readthedocs.io/en/latest/010_introduction.html).
+
+## License
+
+This project is licensed under the [MIT License](./LICENSE).
+
+## Support
+
+For issues, feature requests, or questions, please
+[open an issue](https://github.com/sbrow/envr/issues).

TEST_PLAN.md

@@ -0,0 +1,63 @@
+# Test Coverage Plan
+
+## Current State
+
+- 104 tests, all passing
+- Strong coverage: crypto, ssh, db CRUD + env_file + update_dir, config save/load + paths, scan, features, cant_scan, parse_args, `-c`/`--config-file` flag
+- Misleading test files: `cmd_check_test`, `cmd_list_test`, `cmd_nushell_completion_test` don't test their namesake procs
+- Biggest remaining gap: all `cmd_*` handlers untested
+
+## Command handler tests
+
+Stdout will be captured by redirecting `os.stdout` to a pipe.
+
+### `cmd_version` (cmd_version.odin)
+- Test default output (prints VERSION)
+
+### `cmd_list` (cmd_list.odin)
+- Test TTY path: fixture DB with rows, capture table output
+- Test non-TTY path: capture JSON output, unmarshal and verify keys/values
+- Test empty DB: verify clean output (empty table or `[]`)
+
+### `cmd_backup` (cmd_backup.odin)
+- Test successful backup: valid path, verify `db_insert` called
+- Test missing file: verify error message
+- Test duplicate backup: verify rejection or update behavior
+
+### `cmd_remove` (cmd_remove.odin)
+- Test successful removal: existing entry, verify `db_delete` called
+- Test removal of non-existent entry: verify error or no-op
+
+### `cmd_restore` (cmd_restore.odin)
+- Test successful restore: entry exists in DB, verify file written to correct path
+- Test restore of missing entry: verify error
+- Test directory creation: restore to path with missing parent dirs
+
+## Hard to test (interactive / external deps)
+
+### `cmd_scan` (cmd_scan.odin)
+- Test with fixture git repo containing `.env` files
+- Test `find_unbacked` integration (already partially tested in `cmd_check_test.odin`)
+- Non-TTY JSON output path
+
+### `cmd_edit_config` (cmd_edit_config.odin)
+- Needs refactoring: extract `$EDITOR` parsing into testable helper (TODO 12)
+- Test multi-word editor values (`"code -w"`)
+- Test missing `$EDITOR`
+
+### `cmd_init` (cmd_init.odin)
+- Interactive prompt makes this hard
+- Needs refactoring: extract SSH key discovery and config generation into testable procs
+- Test `--force` flag behavior
+
+### `prompt.odin`
+- Needs refactoring to be testable
+- `render_options` could be tested if it accepted an `io.Writer`
+- `read_key` could be tested with a pipe/redirect instead of raw stdin
+- `multi_select` is end-to-end interactive, likely integration test only
+
+## Notes
+
+- DB integration tests should use in-memory SQLite (`:memory:`) where possible.
+- Temp dir fixtures should follow the pattern in `scan_test.odin`.
+- Tests that manipulate the `HOME` env var must use a mutex to prevent races with parallel test execution.

TODOS.md

@@ -0,0 +1,77 @@
+# TODOs
+
+1. Bring back windows support / cross-compilation.
+
+2. Commands are still leaking. (Write tests for everything first)
+
+3. procedures should be ordered by use, main at the top, then in the order they are called from main.
+
+4. Check for prealloc opportunities. i.e. `make([dynamic]string)` -> `make([dynamic]string, 5)`.
+
+5. Test all cmds / terminal branches.
+
+6. Generate md and man pages again.
+
+7. Shell completion
+
+8. Add tests for untested commands.
+
+9. Update `read_wire_string` to use a slice.
+
+10. Pass allocator to findr?
+
+11. Smarter flag parsing?
+
+12. Rewrite `write_command_help` to use text/tables
+
+13. Instead of using a writer to strip colors, just don't print the colors.
+
+14. Add a text filter to the multi_select.
+
+15. init -h doesn't show --force flag. Separate into multiple structs: Global_FLags, and Init_Flags?
+
+## Double-check AI output
+
+- [ ] cli.odin
+- [ ] cli_test.odin
+- [x] colors.odin
+- [x] cmd_backup.odin
+- [x] cmd_check.odin
+- [ ] cmd_check_test.odin
+- [x] cmd_edit_config.odin
+- [x] cmd_init.odin
+- [x] cmd_list.odin
+- [ ] cmd_list_test.odin
+- [x] cmd_nushell_completion.odin
+- [x] cmd_nushell_completion_test.odin
+- [x] cmd_remove.odin
+- [x] cmd_restore.odin
+- [x] cmd_scan.odin
+- [x] cmd_sync.odin
+- [x] cmd_version.odin
+- [x] config.odin
+- [ ] config_test.odin
+- [ ] crypto.odin
+- [ ] crypto_test.odin
+- [ ] db.odin
+- [ ] db_integration_test.odin
+- [ ] db_test.odin
+- [ ] flags.odin
+- [x] main.odin
+- [x] prompt.odin
+- [x] scan.odin
+- [ ] scan_test.odin
+- [ ] sodium.odin
+- [x] sqlite/sqlite.odin
+- [ ] ssh.odin
+- [ ] ssh_test.odin
+- [ ] table.odin
+- [ ] table_test.odin
+- [ ] findr/findr_test.odin
+- [ ] findr/gitignore.odin
+- [ ] findr/gitignore_test.odin
+- [ ] findr/glob.odin
+- [ ] findr/glob_test.odin
+- [ ] findr/repos.odin
+- [ ] findr/test_env.odin
+- [ ] findr/walker.odin

cli.odin

@@ -0,0 +1,318 @@
+package main
+
+import "core:bufio"
+import "core:fmt"
+import "core:io"
+import "core:os"
+import "core:strings"
+import "core:terminal"
+import "core:text/table"
+
+Command :: struct {
+	name:    string,
+	args:    [dynamic]string,
+	flags:   Flags,
+	out_buf: ^bufio.Writer,
+	out:     io.Writer,
+	err:     io.Writer,
+}
+
+// TODO: Put help test in usage:"whatever" tag.
+Flags :: struct {
+	help:        bool `args:"short=h"`,
+	config_file: string `args:"name=config-file,short=c"`,
+	output:      Output_Format `args:"short=o"`,
+	color:       Color_Mode,
+	force:       bool `args:"short=f"`,
+}
+
+Output_Format :: enum {
+	Auto,
+	Table,
+	JSON,
+}
+
+Color_Mode :: enum {
+	Auto,
+	Always,
+	Never,
+}
+
+CommandInfo :: struct {
+	name:    string,
+	usage:   string,
+	short:   string,
+	long:    string,
+	aliases: []string,
+}
+
+COMMANDS := []CommandInfo {
+	{
+		"init",
+		"envr init",
+		"Set up envr",
+		`The init command generates your initial config and saves it to
+~/.envr/config in JSON format.\n\nDuring setup, you will be prompted to select one or more ssh keys with which to
+encrypt your databse. **Make 100% sure** that you have **a remote copy** of this
+key somewhere, otherwise your data could be lost forever.`,
+		{},
+	},
+	{"scan", "envr scan", "Find and select .env files for backup", "", {}},
+	{"sync", "envr sync", "Update or restore your env backups", "", {}},
+	{"backup", "envr backup <path>", "Import a .env file into envr", "", {"add"}},
+	{"restore", "envr restore <path>", "Restore a .env file from the database", "", {}},
+	{"list", "envr list", "View your tracked files", "", {}},
+	{"remove", "envr remove <path>", "Remove a .env file from your database", "", {}},
+	{"check", "envr check [path]", "Check if files are backed up", "", {}},
+	{"version", "envr version", "Show envr's version", "", {}},
+	{"edit-config", "envr edit-config", "Edit your config with your default editor", "", {}},
+	{
+		"nushell-completion",
+		"envr nushell-completion",
+		"Generate custom completions for nushell",
+		"",
+		{},
+	},
+}
+
+// Caller is responsible for calling delete_command(cmd).
+// FIXME: Works in kinda a wonky and awkward way.
+parse_args :: proc(args: []string, out: io.Stream, err: io.Stream) -> (cmd: Command, ok: bool) {
+	{
+		cmd.out_buf = new(bufio.Writer)
+		bufio.writer_init(cmd.out_buf, out, allocator = context.allocator)
+		cmd.out = bufio.writer_to_writer(cmd.out_buf)
+		cmd.err = err
+	}
+
+	if len(args) < 2 || args[1] == "--help" || args[1] == "-h" {
+		write_usage(cmd.out)
+		return cmd, false
+	}
+
+	cmd.name = args[1]
+	cmd.args = make([dynamic]string)
+
+	overflow := parse_flags(&cmd.flags, args[2:])
+	for arg in overflow {
+		append(&cmd.args, arg)
+	}
+
+	if cmd.flags.output == .Auto {
+		cmd.flags.output = terminal.is_terminal(os.stdout) ? .Table : .JSON
+	}
+
+	if cmd.flags.color == .Auto {
+		cmd.flags.color = terminal.is_terminal(os.stdout) ? .Always : .Never
+	}
+	if cmd.flags.color == .Never {
+		cmd.out = make_ansi_strip_writer(cmd.out)
+	}
+
+	if cmd.flags.config_file == "" {
+		// FIXME: Handle err
+		// TODO: Is this right?
+		home, _ := os.user_home_dir(context.temp_allocator)
+		// TODO: should we copy out of the temp_allocator?
+		cmd.flags.config_file = default_config_path(home, context.temp_allocator)
+	}
+
+	if cmd.flags.help {
+		print_command_help(&cmd)
+		return cmd, false
+	}
+
+	return cmd, true
+}
+
+print_command_help :: proc(cmd: ^Command) {
+	ok := write_command_help(cmd.name, cmd.out)
+	if !ok {
+		fmt.wprintf(cmd.err, "Unknown command: %s\n", cmd.name)
+		write_usage(cmd.out)
+	}
+}
+
+write_command_help :: proc(name: string, w: io.Writer) -> bool {
+	info, found := find_command(name)
+	if !found {
+		return false
+	}
+
+	fmt.wprintf(
+		w,
+		"%s\n\n\n" +
+		COLOR_HEADINGS +
+		"Usage:" +
+		ANSI_RESET +
+		"\n\n  " +
+		COLOR_FLAGS +
+		"%s" +
+		ANSI_RESET +
+		" [flags]\n\n",
+		info.short,
+		info.usage,
+		flush = false,
+	)
+
+	if len(info.aliases) > 0 {
+		fmt.wprintf(
+			w,
+			"\n" +
+			COLOR_HEADINGS +
+			"Aliases:" +
+			ANSI_RESET +
+			"\n\n  " +
+			COLOR_COMMANDS +
+			"%s" +
+			ANSI_RESET,
+			info.name,
+			flush = false,
+		)
+		for a in info.aliases {
+			fmt.wprintf(w, ", " + COLOR_COMMANDS + "%s" + ANSI_RESET, a, flush = false)
+		}
+		fmt.wprintf(w, "\n", flush = false)
+	}
+
+	if len(info.long) > 0 {
+		fmt.wprintf(w, "\n%s\n", info.long, flush = false)
+	}
+
+	fmt.wprintf(
+		w,
+		"\n" +
+		COLOR_HEADINGS +
+		"Flags:" +
+		ANSI_RESET +
+		"\n\n  " +
+		COLOR_FLAGS +
+		"-h, --help" +
+		ANSI_RESET +
+		"   help for %s\n  " +
+		COLOR_FLAGS +
+		"-c, --config-file" +
+		ANSI_RESET +
+		` <path>   config file (default "~/.envr/config.json")
+`,
+		info.name,
+		flush = false,
+	)
+	return true
+}
+
+find_command :: proc(name: string) -> (CommandInfo, bool) {
+	for c in COMMANDS {
+		if c.name == name {
+			return c, true
+		}
+		for a in c.aliases {
+			if a == name {
+				return c, true
+			}
+		}
+	}
+	return CommandInfo{}, false
+}
+
+// TODO: command args should be shown in usage.
+write_usage :: proc(w: io.Writer) {
+	fmt.wprintf(
+		w,
+		`envr keeps your .env synced to a local, encrypted database.
+Is a safe and easy way to gather all your .env files in one place where they can
+easily be backed by another tool such as restic or git.
+
+All your data is stored in ~/.envr/data.envr
+
+Getting started is easy:
+
+1. Create your configuration file and set up encrypted storage:
+
+> envr init
+
+2. Scan for existing .env files:
+
+> envr scan
+
+Select the files you want to back up from the interactive list.
+
+3. Verify that it worked:
+
+> envr list
+
+4. After changing any of your .env files, update the backup with:
+
+> envr sync
+
+5. If you lose a repository, after re-cloning the repo into the same path it was
+at before, restore your backup with:
+
+> envr restore ~/<path to repository>/.env
+
+%sUsage:%s
+
+  %senvr%s [command]
+
+`,
+		COLOR_HEADINGS,
+		ANSI_RESET,
+		COLOR_FLAGS,
+		ANSI_RESET,
+		flush = false,
+	)
+
+	tbl: table.Table
+	table.init(&tbl, context.temp_allocator, context.temp_allocator)
+	table.padding(&tbl, 2, 0)
+
+	table.caption(&tbl, "Available Commands:")
+
+	for c in COMMANDS {
+		name := c.name
+		// TODO: Can we do better?
+		for a in c.aliases {
+			name = strings.join([]string{name, a}, ", ", tbl.format_allocator)
+		}
+		table.row(&tbl, table.format(&tbl, "%s%s%s", COLOR_COMMANDS, name, ANSI_RESET), c.short)
+	}
+
+	write_borderless_table(w, &tbl)
+	table_reset(&tbl)
+
+	table.caption(&tbl, "Flags:")
+
+	table.row(&tbl, COLOR_FLAGS + "-h, --help" + ANSI_RESET, `show this documentation`)
+	table.row(
+		&tbl,
+		COLOR_FLAGS + "-c, --config-file" + ANSI_RESET + " <path>",
+		`config file (default "~/.envr/config.json")`,
+	)
+	table.row(
+		&tbl,
+		COLOR_FLAGS + "-o, --output" + ANSI_RESET + " 'table'|'json'",
+		`the format of output data. (default 'table')`,
+	)
+	table.row(
+		&tbl,
+		COLOR_FLAGS + "--color" + ANSI_RESET + " 'auto'|'always'|'never'",
+		`Whether or not to colorize output. (default 'auto')`,
+	)
+	write_borderless_table(w, &tbl)
+
+	fmt.wprintf(
+		w,
+		`Use "%senvr%s [command] --help" for more information about a command.`,
+		COLOR_FLAGS,
+		ANSI_RESET,
+		flush = false,
+	)
+}
+
+delete_command :: proc(cmd: ^Command) {
+	bufio.writer_flush(cmd.out_buf)
+	delete(cmd.args)
+	bufio.writer_destroy(cmd.out_buf)
+	free(cmd.out_buf)
+}
+

cli_test.odin

@@ -0,0 +1,343 @@
+#+feature dynamic-literals
+#+test
+package main
+
+import "core:bufio"
+import "core:fmt"
+import "core:strings"
+import "core:testing"
+
+@(test)
+test_usage_text_contains_all_commands :: proc(t: ^testing.T) {
+	b: strings.Builder
+	strings.builder_init(&b)
+	defer strings.builder_destroy(&b)
+
+	write_usage(strings.to_writer(&b))
+	text := strings.to_string(b)
+
+	for c in COMMANDS {
+		testing.expect(
+			t,
+			strings.contains(text, c.name),
+			fmt.tprintf("usage missing command %q", c.name),
+		)
+		for a in c.aliases {
+			testing.expect(t, strings.contains(text, a), fmt.tprintf("usage missing alias %q", a))
+		}
+	}
+}
+
+@(test)
+test_usage_text_contains_steps :: proc(t: ^testing.T) {
+	b: strings.Builder
+	strings.builder_init(&b)
+	defer strings.builder_destroy(&b)
+
+	write_usage(strings.to_writer(&b))
+	text := strings.to_string(b)
+
+	testing.expect(t, strings.contains(text, "1."), "missing step 1")
+	testing.expect(t, strings.contains(text, "2."), "missing step 2")
+	testing.expect(t, strings.contains(text, "3."), "missing step 3")
+	testing.expect(t, strings.contains(text, "4."), "missing step 4")
+	testing.expect(t, strings.contains(text, "5."), "missing step 5")
+	testing.expect(t, strings.contains(text, "> envr sync\n"), "step 4 missing 'envr sync'")
+	testing.expect(t, strings.contains(text, "> envr restore"), "step 5 missing 'envr restore'")
+}
+
+@(test)
+test_usage_text_contains_flags_and_help_hint :: proc(t: ^testing.T) {
+	b: strings.Builder
+	strings.builder_init(&b)
+	defer strings.builder_destroy(&b)
+
+	write_usage(strings.to_writer(&b))
+	text := strings.to_string(b)
+
+	testing.expect(t, strings.contains(text, "Flags:"), "missing Flags section")
+	testing.expect(t, strings.contains(text, "--help"), "missing --help flag")
+	testing.expect(t, strings.contains(text, "[command] --help"), "missing help hint")
+}
+
+@(test)
+test_command_help_backup :: proc(t: ^testing.T) {
+	b: strings.Builder
+	strings.builder_init(&b)
+	defer strings.builder_destroy(&b)
+
+	ok := write_command_help("backup", strings.to_writer(&b))
+	testing.expect(t, ok, "write_command_help(\"backup\") returned false")
+
+	text := strings.to_string(b)
+	testing.expect(t, strings.contains(text, "Usage:"), "missing Usage line")
+	testing.expect(t, strings.contains(text, "envr backup <path>"), "missing usage pattern")
+	testing.expect(t, strings.contains(text, "Aliases:"), "missing Aliases section")
+	testing.expect(t, strings.contains(text, "add"), "missing 'add' alias")
+	testing.expect(t, strings.contains(text, "Flags:"), "missing Flags section")
+	testing.expect(t, strings.contains(text, "--help"), "missing --help in flags")
+}
+
+@(test)
+test_command_help_add_alias :: proc(t: ^testing.T) {
+	b: strings.Builder
+	strings.builder_init(&b)
+	defer strings.builder_destroy(&b)
+
+	ok := write_command_help("add", strings.to_writer(&b))
+	testing.expect(t, ok, "write_command_help(\"add\") returned false")
+
+	text := strings.to_string(b)
+	testing.expect(
+		t,
+		strings.contains(text, "envr backup <path>"),
+		"'add' alias should resolve to backup usage",
+	)
+	testing.expect(t, strings.contains(text, "Aliases:"), "missing Aliases section")
+}
+
+@(test)
+test_command_help_init_no_aliases :: proc(t: ^testing.T) {
+	b: strings.Builder
+	strings.builder_init(&b)
+	defer strings.builder_destroy(&b)
+
+	ok := write_command_help("init", strings.to_writer(&b))
+	testing.expect(t, ok, "write_command_help(\"init\") returned false")
+
+	text := strings.to_string(b)
+	testing.expect(t, strings.contains(text, "Usage:"), "missing Usage line")
+	testing.expect(t, !strings.contains(text, "Aliases:"), "init should not have Aliases section")
+	testing.expect(t, strings.contains(text, "Flags:"), "missing Flags section")
+	testing.expect(t, strings.contains(text, "help for init"), "missing 'help for init'")
+}
+
+@(test)
+test_command_help_unknown :: proc(t: ^testing.T) {
+	b: strings.Builder
+	strings.builder_init(&b)
+	defer strings.builder_destroy(&b)
+
+	ok := write_command_help("nonexistent", strings.to_writer(&b))
+	testing.expect(t, !ok, "write_command_help(\"nonexistent\") should return false")
+
+	text := strings.to_string(b)
+	testing.expect_value(t, len(text), 0)
+}
+
+@(test)
+test_command_help_version :: proc(t: ^testing.T) {
+	b: strings.Builder
+	strings.builder_init(&b)
+	defer strings.builder_destroy(&b)
+
+	ok := write_command_help("version", strings.to_writer(&b))
+	testing.expect(t, ok, "write_command_help(\"version\") returned false")
+
+	text := strings.to_string(b)
+	testing.expect(t, strings.contains(text, "Usage:"), "missing Usage line")
+	testing.expect(
+		t,
+		!strings.contains(text, "Aliases:"),
+		"version should not have Aliases section",
+	)
+}
+
+test_parse_args :: proc(
+	args: []string,
+) -> (
+	cmd: Command,
+	ok: bool,
+	out_text: string,
+	err_text: string,
+) {
+	out_b: strings.Builder
+	strings.builder_init(&out_b)
+	defer strings.builder_destroy(&out_b)
+	err_b: strings.Builder
+	strings.builder_init(&err_b)
+	defer strings.builder_destroy(&err_b)
+
+	cmd, ok = parse_args(args, strings.to_stream(&out_b), strings.to_stream(&err_b))
+
+	if ok {
+		bufio.writer_flush(cmd.out_buf)
+		out_text = strings.to_string(out_b)
+		err_text = strings.to_string(err_b)
+	}
+
+	return
+}
+
+@(test)
+test_parse_args_bare_command :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "list"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.name, "list")
+	testing.expect_value(t, len(cmd.args), 0)
+}
+
+@(test)
+test_parse_args_positional :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "backup", "/project/.env"})
+	defer delete_command(&cmd)
+	testing.expect(t, ok, "should succeed")
+
+	testing.expect_value(t, cmd.name, "backup")
+	testing.expect_value(t, len(cmd.args), 1)
+	testing.expect_value(t, cmd.args[0], "/project/.env")
+}
+
+@(test)
+test_parse_args_config_file_long_flag :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args(
+		[]string{"envr", "sync", "--config-file", "x.json"},
+	)
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.config_file, "x.json")
+}
+
+@(test)
+test_parse_args_config_file_short_flag :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "sync", "-c", "x.json"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.config_file, "x.json")
+}
+
+@(test)
+test_parse_args_force_long_flag :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "init", "--force"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.force, true)
+}
+
+@(test)
+test_parse_args_force_short_flag :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "init", "-f"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.force, true)
+}
+
+@(test)
+test_parse_args_multiple_positionals :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "backup", "a", "b"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, len(cmd.args), 2)
+	testing.expect_value(t, cmd.args[0], "a")
+	testing.expect_value(t, cmd.args[1], "b")
+}
+
+@(test)
+test_parse_args_mixed_flags_and_positionals :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "backup", "/project/.env", "--force"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.force, true)
+	testing.expect_value(t, len(cmd.args), 1)
+	testing.expect_value(t, cmd.args[0], "/project/.env")
+}
+
+@(test)
+test_parse_args_no_args :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr"})
+	defer delete_command(&cmd)
+	testing.expect(t, !ok, "no args should return false")
+}
+
+@(test)
+test_parse_args_flag_then_positional_then_flag :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "backup", "--force", "a.env", "--output", "json"})
+	defer delete_command(&cmd)
+	testing.expect(t, ok, "should succeed")
+
+	testing.expect_value(t, cmd.flags.force, true)
+	testing.expect_value(t, cmd.flags.output, Output_Format.JSON)
+	testing.expect_value(t, len(cmd.args), 1)
+	testing.expect_value(t, cmd.args[0], "a.env")
+}
+
+@(test)
+test_parse_args_config_file_default :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "list"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect(t, len(cmd.flags.config_file) > 0, "config_file should default to non-empty path")
+	testing.expect(
+		t,
+		strings.contains(cmd.flags.config_file, ".envr"),
+		"default config_file should contain .envr dir, got %s",
+	)
+}
+
+@(test)
+test_parse_args_output_long_json :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "list", "--output", "json"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.output, Output_Format.JSON)
+}
+
+@(test)
+test_parse_args_output_short_json :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "list", "-o", "json"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.output, Output_Format.JSON)
+}
+
+@(test)
+test_parse_args_output_long_table :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "list", "--output", "table"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.output, Output_Format.Table)
+}
+
+@(test)
+test_parse_args_output_short_table :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "list", "-o", "table"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.output, Output_Format.Table)
+}
+
+@(test)
+test_parse_args_output_equals_syntax :: proc(t: ^testing.T) {
+	cmd, ok, _, _ := test_parse_args([]string{"envr", "list", "--output=json"})
+	testing.expect(t, ok, "should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	testing.expect_value(t, cmd.flags.output, Output_Format.JSON)
+}
+

cmd_backup.odin

@@ -0,0 +1,38 @@
+package main
+
+import "core:fmt"
+import "core:strings"
+
+cmd_backup :: proc(cmd: ^Command) {
+	if len(cmd.args) != 1 {
+		print_command_help(cmd)
+		return
+	}
+
+	path := cmd.args[0]
+	if len(strings.trim_space(path)) == 0 {
+		fmt.wprintln(cmd.err, "Error: No path provided", flush = false)
+		return
+	}
+
+	// TODO: allow new_env_file to accept allocator?
+	// TODO: Write a test that covers this leak
+	file, ok := new_env_file(path)
+	defer delete_envfile(&file)
+	if !ok {
+		return
+	}
+
+	db, db_ok := db_open(cmd.flags.config_file)
+	if !db_ok {
+		return
+	}
+	defer db_close(&db)
+
+	if !db_insert(&db, file) {
+		return
+	}
+
+	fmt.wprintf(cmd.out, "Saved %s into the database\n", path, flush = false)
+}
+

cmd_check.odin

@@ -0,0 +1,79 @@
+package main
+
+import "core:fmt"
+import "core:os"
+import "core:path/filepath"
+
+// TODO: What happens if you pass a non existent path to cmd_check?
+// TODO: UX could be improved, so "run envr add ." if file not exists.
+cmd_check :: proc(cmd: ^Command) {
+	_check_path: string
+	if len(cmd.args) > 0 {
+		_check_path = cmd.args[0]
+	} else {
+		cwd, cwd_err := os.get_working_directory(context.temp_allocator)
+		if cwd_err != nil {
+			fmt.wprintf(cmd.err, "Error getting current directory: %v\n", cwd_err, flush = false)
+			return
+		}
+		_check_path = cwd
+	}
+	check_path, abs_err := filepath.abs(_check_path, context.temp_allocator)
+	if abs_err != nil {
+		fmt.wprintf(cmd.err, "Error getting absolute path: %v\n", abs_err, flush = false)
+		return
+	}
+
+	db, db_ok := db_open(cmd.flags.config_file)
+	if !db_ok {
+		return
+	}
+	defer db_close(&db)
+
+	is_dir := os.is_directory(check_path)
+
+	// TODO: set a reasonable default
+	files_in_path := make([dynamic]string, context.temp_allocator)
+
+	if is_dir {
+		scanned, scan_ok := scan_path(check_path, db.cfg)
+		if !scan_ok {
+			fmt.wprintln(cmd.err, "Error scanning directory for .env files", flush = false)
+			return
+		}
+		files_in_path = scanned
+	} else {
+		append(&files_in_path, check_path)
+	}
+
+	db_files, list_ok := db_list(&db)
+	if !list_ok {
+		return
+	}
+
+	not_backed := find_unbacked(files_in_path[:], db_files[:])
+
+	if len(not_backed) == 0 {
+		if len(files_in_path) == 0 {
+			fmt.wprintln(cmd.out, "No .env files found in the specified directory.", flush = false)
+		} else {
+			fmt.wprintln(
+				cmd.out,
+				"✓ All .env files in the directory are backed up.",
+				flush = false,
+			)
+		}
+	} else {
+		fmt.wprintf(
+			cmd.out,
+			"Found %d .env file(s) that are not backed up:\n",
+			len(not_backed),
+			flush = false,
+		)
+		for file in not_backed {
+			fmt.wprintf(cmd.out, "  %s\n", file, flush = false)
+		}
+		fmt.wprintln(cmd.out, "\nRun 'envr sync' to back up these files.", flush = false)
+	}
+}
+

cmd_check_test.odin

@@ -0,0 +1,44 @@
+#+test
+package main
+
+import "core:testing"
+
+@(test)
+test_find_unbacked_finds_missing :: proc(t: ^testing.T) {
+	local := []string{"/a/.env", "/b/.env", "/c/.env"}
+	db := []EnvFile{{path = "/a/.env"}, {path = "/b/.env"}}
+
+	result := find_unbacked(local, db[:])
+	testing.expect_value(t, len(result), 1)
+	if len(result) > 0 {
+		testing.expect_value(t, result[0], "/c/.env")
+	}
+}
+
+@(test)
+test_find_unbacked_all_backed :: proc(t: ^testing.T) {
+	local := []string{"/a/.env", "/b/.env"}
+	db := []EnvFile{{path = "/a/.env"}, {path = "/b/.env"}}
+
+	result := find_unbacked(local, db[:])
+	testing.expect_value(t, len(result), 0)
+}
+
+@(test)
+test_find_unbacked_no_local :: proc(t: ^testing.T) {
+	local: []string
+	db := []EnvFile{{path = "/a/.env"}}
+
+	result := find_unbacked(local, db[:])
+	testing.expect_value(t, len(result), 0)
+}
+
+@(test)
+test_find_unbacked_none_backed :: proc(t: ^testing.T) {
+	local := []string{"/a/.env", "/b/.env"}
+	db: []EnvFile
+
+	result := find_unbacked(local, db[:])
+	testing.expect_value(t, len(result), 2)
+}
+

cmd_edit_config.odin

@@ -0,0 +1,50 @@
+package main
+
+import "core:fmt"
+import "core:os"
+
+cmd_edit_config :: proc(cmd: ^Command) {
+	editor := os.get_env("EDITOR", context.allocator)
+	if len(editor) == 0 {
+		fmt.wprintln(cmd.err, "Error: $EDITOR environment variable is not set", flush = false)
+		return
+	}
+
+	config_path := cmd.flags.config_file
+
+	if !os.exists(config_path) {
+		fmt.wprintf(
+			cmd.err,
+			"Config file does not exist at %s. Run 'envr init' first.\n",
+			config_path,
+			flush = false,
+		)
+		return
+	}
+
+	args := []string{editor, config_path}
+	desc := os.Process_Desc {
+		command = args,
+		stdin   = os.stdin,
+		stdout  = os.stdout,
+		stderr  = os.stderr,
+	}
+
+	p, start_err := os.process_start(desc)
+	if start_err != nil {
+		fmt.wprintf(cmd.err, "Error running editor: %v\n", start_err, flush = false)
+		return
+	}
+
+	state, wait_err := os.process_wait(p)
+	if wait_err != nil {
+		fmt.wprintf(cmd.err, "Error waiting for editor: %v\n", wait_err, flush = false)
+		return
+	}
+
+	// TODO: Should we call exit inside of commands?
+	if state.exit_code != 0 {
+		os.exit(int(state.exit_code))
+	}
+}
+

cmd_init.odin

@@ -0,0 +1,73 @@
+package main
+
+import "core:fmt"
+import "core:terminal/ansi"
+
+cmd_init :: proc(cmd: ^Command) {
+	force := cmd.flags.force
+	config_file := cmd.flags.config_file
+
+	fmt.wprintln(cmd.out, cmd.flags.config_file, flush = false)
+
+	_, cfg_exists := load_config(config_file)
+	if cfg_exists && !force {
+		fmt.wprintln(
+			cmd.out,
+			`You have already initialized envr.
+Run again with the --force flag if you want to reinitialize.`,
+			flush = false,
+		)
+		return
+	}
+
+	keys, ok := find_ssh_private_keys()
+	if !ok {
+		return
+	}
+
+	if len(keys) == 0 {
+		fmt.wprintln(
+			cmd.err,
+			`No ssh-ed25519 keys found in ~/.ssh
+Generate one with: ssh-keygen -t ed25519`,
+			flush = false,
+		)
+		return
+	}
+
+	selected, result := multi_select("Select SSH private keys:", keys[:])
+	defer delete(selected)
+	if result == .Cancel {
+		fmt.wprintln(
+			cmd.out,
+			ansi.CSI + ansi.FAINT + ansi.SGR + "Cancelled." + ANSI_RESET,
+			flush = false,
+		)
+		return
+	}
+
+	selected_paths := make([dynamic]string, 0, min(1, len(keys) / 2))
+	for i in 0 ..< len(keys) {
+		if selected[i] {
+			append(&selected_paths, keys[i])
+		}
+	}
+
+	if len(selected_paths) == 0 {
+		fmt.wprintln(cmd.err, "No SSH keys selected - Config not created", flush = false)
+		return
+	}
+
+	cfg := new_config(selected_paths[:], config_file)
+	if !save_config(cfg, force = force) {
+		return
+	}
+
+	fmt.wprintf(
+		cmd.out,
+		"Config initialized with %d SSH key(s). You are ready to use envr.\n",
+		len(selected_paths),
+		flush = false,
+	)
+}
+

cmd_list.odin

@@ -0,0 +1,76 @@
+package main
+
+import "core:encoding/json"
+import "core:fmt"
+import "core:os"
+import "core:path/filepath"
+import "core:strings"
+import "core:text/table"
+
+ListEntry :: struct {
+	dir:  string `json:"directory"`,
+	path: string `json:"path"`,
+}
+
+// TODO: Improve table rendering
+cmd_list :: proc(cmd: ^Command) {
+	db, db_ok := db_open(cmd.flags.config_file)
+	if !db_ok {
+		return
+	}
+	defer db_close(&db)
+
+	rows, list_ok := db_list(&db)
+	if !list_ok {
+		return
+	}
+
+	if cmd.flags.output == .Table {
+		t: table.Table
+		table.init(&t, context.temp_allocator, context.temp_allocator)
+		table.padding(&t, 1, 1)
+		table.aligned_header_of_values(
+			&t,
+			.Center,
+			COLOR_TABLE_HEADING + "Directory" + ANSI_RESET,
+			COLOR_TABLE_HEADING + "Path" + ANSI_RESET,
+		)
+
+		for row in rows {
+			dir_str := strings.concatenate(
+				{row.dir, os.Path_Separator_String},
+				context.temp_allocator,
+			)
+			filename := filepath.base(row.path)
+
+			table.row(&t, dir_str, filename)
+		}
+
+		table.write_decorated_table(cmd.out, &t, decorations, ansi_aware_width)
+	} else {
+		// TODO: Should we instead print full entries here?
+		entries := make([dynamic]ListEntry, 0, len(rows), context.temp_allocator)
+		for row in rows {
+			filename := filepath.base(row.path)
+			append(
+				&entries,
+				ListEntry {
+					dir = strings.concatenate(
+						{row.dir, os.Path_Separator_String},
+						context.temp_allocator,
+					),
+					path = filename,
+				},
+			)
+		}
+
+
+		data, marshal_err := json.marshal(entries[:], allocator = context.temp_allocator)
+		if marshal_err != nil {
+			fmt.wprintf(cmd.err, "Error marshaling JSON: %v\n", marshal_err, flush = false)
+			return
+		}
+		fmt.wprintln(cmd.out, string(data), flush = false)
+	}
+}
+

cmd_list_test.odin

@@ -0,0 +1,115 @@
+#+feature dynamic-literals
+#+test
+package main
+
+import "core:bufio"
+import "core:os"
+import "core:path/filepath"
+import "core:strings"
+import "core:testing"
+
+@(test)
+test_filepath_base_equals_rel :: proc(t: ^testing.T) {
+	cases := []string{"/home/user/.env", "/home/user/project/.envrc", "/tmp/foo", "/a/b/c/d.txt"}
+
+	for path in cases {
+		dir := filepath.dir(path)
+		rel, rel_err := filepath.rel(dir, path, context.temp_allocator)
+		testing.expect_value(t, rel_err, nil)
+		base := filepath.base(path)
+		testing.expect_value(t, rel, base)
+	}
+}
+
+@(test)
+test_cmd_list_output_json :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-list-json-*")
+	defer os.remove_all(base)
+
+	cfg_path, _ := filepath.join([]string{base, "config.json"}, context.temp_allocator)
+	cfg := new_config([]string{"fixtures/keys/insecure-test-key"}, cfg_path)
+	testing.expect(t, save_config(cfg, force = true), "save should succeed")
+	delete_config(&cfg)
+
+	db, db_ok := db_open(cfg_path)
+	testing.expect(t, db_ok, "db should open")
+	if !db_ok do return
+	f := make_test_env_file("/project/.env", "abc123", "SECRET=value")
+	defer delete(f.remotes)
+	testing.expect(t, db_insert(&db, f), "insert should succeed")
+	db_close(&db)
+
+	out_b: strings.Builder
+	strings.builder_init(&out_b)
+	defer strings.builder_destroy(&out_b)
+	err_b: strings.Builder
+	strings.builder_init(&err_b)
+	defer strings.builder_destroy(&err_b)
+
+	cmd, ok := parse_args(
+		[]string{"envr", "list", "--output", "json", "--config-file", cfg_path},
+		strings.to_stream(&out_b),
+		strings.to_stream(&err_b),
+	)
+	testing.expect(t, ok, "parse_args should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	cmd_list(&cmd)
+	bufio.writer_flush(cmd.out_buf)
+	output := strings.to_string(out_b)
+
+	testing.expect(t, strings.contains(output, "["), "json output should contain '['")
+	testing.expect(
+		t,
+		strings.contains(output, "\"directory\""),
+		"json output should contain directory key",
+	)
+}
+
+@(test)
+test_cmd_list_output_table :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-list-table-*")
+	defer os.remove_all(base)
+
+	cfg_path, _ := filepath.join([]string{base, "config.json"}, context.temp_allocator)
+	cfg := new_config([]string{"fixtures/keys/insecure-test-key"}, cfg_path)
+	testing.expect(t, save_config(cfg, force = true), "save should succeed")
+	delete_config(&cfg)
+
+	db, db_ok := db_open(cfg_path)
+	testing.expect(t, db_ok, "db should open")
+	if !db_ok do return
+	f := make_test_env_file("/project/.env", "abc123", "SECRET=value")
+	defer delete(f.remotes)
+	testing.expect(t, db_insert(&db, f), "insert should succeed")
+	db_close(&db)
+
+	out_b: strings.Builder
+	strings.builder_init(&out_b)
+	defer strings.builder_destroy(&out_b)
+	err_b: strings.Builder
+	strings.builder_init(&err_b)
+	defer strings.builder_destroy(&err_b)
+
+	cmd, ok := parse_args(
+		[]string{"envr", "list", "--output", "table", "--config-file", cfg_path},
+		strings.to_stream(&out_b),
+		strings.to_stream(&err_b),
+	)
+	testing.expect(t, ok, "parse_args should succeed")
+	if !ok do return
+	defer delete_command(&cmd)
+
+	cmd_list(&cmd)
+	bufio.writer_flush(cmd.out_buf)
+	output := strings.to_string(out_b)
+
+	testing.expect(t, strings.contains(output, "│"), "table output should contain border chars")
+	testing.expect(
+		t,
+		strings.contains(output, "Directory"),
+		"table output should contain Directory header",
+	)
+}
+

cmd_nushell_completion.odin

@@ -0,0 +1,10 @@
+package main
+
+import "core:fmt"
+
+COMPLETION_SCRIPT: string : string(#load("mod.nu"))
+
+cmd_nushell_completion :: proc(cmd: ^Command) {
+	fmt.wprint(cmd.out, COMPLETION_SCRIPT, flush = false)
+}
+

cmd_nushell_completion_test.odin

@@ -0,0 +1,37 @@
+#+test
+package main
+
+import "core:fmt"
+import "core:strings"
+import "core:testing"
+
+@(test)
+test_nushell_completion_nonempty :: proc(t: ^testing.T) {
+	testing.expect(t, len(COMPLETION_SCRIPT) > 0, "completion script should not be empty")
+}
+
+@(test)
+test_nushell_completion_contains_externs :: proc(t: ^testing.T) {
+	expected := []string{
+		"tracked-paths",
+		"untracked-paths",
+		"envr backup",
+		"envr check",
+		"envr edit-config",
+		"envr help",
+		"envr init",
+		"envr list",
+		"envr remove",
+		"envr restore",
+		"envr scan",
+		"envr sync",
+		"envr nushell-completion",
+	}
+	for ext in expected {
+		testing.expect(
+			t,
+			strings.contains(COMPLETION_SCRIPT, ext),
+			fmt.tprintf("expected script to contain %q", ext),
+		)
+	}
+}

cmd_remove.odin

@@ -0,0 +1,37 @@
+package main
+
+import "core:fmt"
+import "core:path/filepath"
+import "core:strings"
+
+cmd_remove :: proc(cmd: ^Command) {
+	if len(cmd.args) != 1 {
+		print_command_help(cmd)
+		return
+	}
+
+	path := cmd.args[0]
+	if len(strings.trim_space(path)) == 0 {
+		fmt.wprintln(cmd.err, "Error: No path provided", flush = false)
+		return
+	}
+
+	abs_path, abs_err := filepath.abs(path, context.temp_allocator)
+	if abs_err != nil {
+		fmt.wprintf(cmd.err, "Error getting absolute path: %v\n", abs_err, flush = false)
+		return
+	}
+
+	db, db_ok := db_open(cmd.flags.config_file)
+	if !db_ok {
+		return
+	}
+	defer db_close(&db)
+
+	if !db_delete(&db, abs_path) {
+		return
+	}
+
+	fmt.wprintf(cmd.out, "Removed %s from the database\n", abs_path, flush = false)
+}
+

cmd_restore.odin

@@ -0,0 +1,53 @@
+package main
+
+import "core:fmt"
+import "core:os"
+import "core:path/filepath"
+import "core:strings"
+
+cmd_restore :: proc(cmd: ^Command) {
+	if len(cmd.args) != 1 {
+		print_command_help(cmd)
+		return
+	}
+
+	path := cmd.args[0]
+	if len(strings.trim_space(path)) == 0 {
+		fmt.wprintln(cmd.err, "Error: No path provided", flush = false)
+		return
+	}
+	abs_path, abs_err := filepath.abs(path, context.temp_allocator)
+	if abs_err != nil {
+		fmt.wprintf(cmd.err, "Error getting absolute path: %v\n", abs_err, flush = false)
+
+		return
+	}
+
+	db, db_ok := db_open(cmd.flags.config_file)
+	if !db_ok {
+		return
+	}
+	defer db_close(&db)
+
+	file, fetch_ok := db_fetch(&db, abs_path)
+	if !fetch_ok {
+		return
+	}
+
+	dir := filepath.dir(file.path)
+	if err := os.mkdir_all(dir); err != nil {
+		fmt.wprintf(cmd.err, "Failed to create directory: %v\n", err, flush = false)
+
+		return
+	}
+
+	write_err := os.write_entire_file(file.path, file.contents)
+	if write_err != nil {
+		fmt.wprintf(cmd.err, "Error writing file: %v\n", write_err, flush = false)
+
+		return
+	}
+
+	fmt.wprintf(cmd.out, "Restored %s\n", file.path, flush = false)
+}
+

cmd_scan.odin

@@ -0,0 +1,124 @@
+package main
+
+import "core:encoding/json"
+import "core:fmt"
+import "core:os"
+import "core:terminal"
+import "core:terminal/ansi"
+
+cmd_scan :: proc(cmd: ^Command) {
+	db, db_ok := db_open(cmd.flags.config_file)
+	if !db_ok {
+		return
+	}
+	defer db_close(&db)
+
+	search_dirs := search_paths(db.cfg, context.temp_allocator)
+	if len(search_dirs) == 0 {
+		fmt.wprintln(
+			cmd.err,
+			"No search paths configured. Please run `envr init -f` or edit your config.",
+			flush = false,
+		)
+		return
+	}
+
+	// TODO: Figure out a sane default
+	// Can't use temp allocator becuase strings inside are copied to context.allocator
+	all_files := make([dynamic]string)
+	defer {
+		for &f in all_files {delete(f)}
+		delete(all_files)
+	}
+	for dir in search_dirs {
+		found, scan_ok := scan_path(dir, db.cfg)
+		defer delete(found)
+		if !scan_ok {
+			fmt.wprintf(cmd.err, "Error scanning %s\n", dir, flush = false)
+			continue
+		}
+		for f in found {
+			append(&all_files, f)
+		}
+	}
+
+	db_files, list_ok := db_list(&db)
+	if !list_ok {
+		return
+	}
+
+	files := find_unbacked(all_files[:], db_files[:])
+
+	if len(files) == 0 {
+		fmt.wprintln(cmd.out, "No .env files found to add.", flush = false)
+		return
+	}
+
+	if !terminal.is_terminal(os.stdout) {
+		output, marshal_err := json.marshal(files[:])
+		if marshal_err != nil {
+			fmt.wprintf(
+				cmd.err,
+				"Error marshaling files to JSON: %v\n",
+				marshal_err,
+				flush = false,
+			)
+			return
+		}
+		fmt.wprintln(cmd.out, string(output), flush = false)
+		return
+	}
+
+	selected, result := multi_select("Select .env files to backup:", files[:])
+	defer delete(selected)
+	if result == .Cancel {
+		fmt.wprintln(
+			cmd.out,
+			ansi.CSI + ansi.FAINT + ansi.SGR + "Cancelled." + ANSI_RESET,
+			flush = false,
+		)
+		return
+	}
+
+	added_count: int
+	for i in 0 ..< len(files) {
+		if !selected[i] {
+			continue
+		}
+		// TODO: Test cover this leak
+		env_file, ok := new_env_file(files[i])
+		defer delete_envfile(&env_file)
+		if !ok {
+			fmt.wprintf(cmd.err, "Error reading %s\n", files[i], flush = false)
+			continue
+		}
+		if !db_insert(&db, env_file) {
+			fmt.wprintf(cmd.err, "Error adding %s\n", files[i], flush = false)
+			continue
+		}
+		added_count += 1
+	}
+
+	if added_count > 0 {
+		fmt.wprintf(
+			cmd.out,
+			ansi.CSI +
+			ansi.BOLD +
+			";" +
+			ansi.FG_GREEN +
+			ansi.SGR +
+			"Successfully added %d file(s) to backup." +
+			ANSI_RESET +
+			"\n",
+			added_count,
+			flush = false,
+		)
+	} else {
+		fmt.wprintln(
+			cmd.out,
+			ansi.CSI + ansi.FAINT + ansi.SGR + "No files were added." + ANSI_RESET,
+			flush = false,
+		)
+	}
+}
+

cmd_sync.odin

@@ -0,0 +1,95 @@
+package main
+
+import "core:encoding/json"
+import "core:fmt"
+import "core:text/table"
+
+SyncEntry :: struct {
+	path:   string `json:"path"`,
+	status: string `json:"status"`,
+}
+
+// TODO: Check for quiet failures.
+cmd_sync :: proc(cmd: ^Command) {
+	db, db_ok := db_open(cmd.flags.config_file)
+	if !db_ok {
+		return
+	}
+	defer db_close(&db)
+
+	files, list_ok := db_list(&db)
+	if !list_ok {
+		return
+	}
+
+	results := make([]SyncEntry, len(files), context.temp_allocator)
+
+	for &file, i in files {
+		result, err := db_sync(&db, &file)
+
+		status: string
+		if err != .None {
+			status = sync_error_message(err)
+		} else if .BackedUp in result {
+			status = .DirUpdated in result ? "Moved & Backed Up" : "Backed Up"
+		} else if .Restored in result {
+			status = .DirUpdated in result ? "Moved & Restored" : "Restored"
+		} else if .DirUpdated in result {
+			status = "Moved"
+		} else {
+			status = "OK"
+		}
+
+		results[i] = SyncEntry {
+			path   = file.path,
+			status = status,
+		}
+	}
+
+	if cmd.flags.output == .Table {
+		t: table.Table
+		table.init(&t, context.temp_allocator, context.temp_allocator)
+		table.padding(&t, 1, 1)
+
+		table.aligned_header_of_values(
+			&t,
+			.Center,
+			COLOR_TABLE_HEADING + "File" + ANSI_RESET,
+			COLOR_TABLE_HEADING + "Status" + ANSI_RESET,
+		)
+
+		for res in results {
+			table.row(&t, res.path, res.status)
+		}
+
+		table.write_decorated_table(cmd.out, &t, decorations, ansi_aware_width)
+	} else {
+		data, marshal_err := json.marshal(results[:], allocator = context.temp_allocator)
+		if marshal_err != nil {
+			fmt.wprintf(cmd.err, "Error marshaling JSON: %v\n", marshal_err, flush = false)
+			return
+		}
+		fmt.wprintln(cmd.out, string(data), flush = false)
+	}
+}
+
+sync_error_message :: proc(e: SyncError) -> string {
+	switch e {
+	case .None:
+		return ""
+	case .DirMissing:
+		return "directory missing"
+	case .MultipleDirs:
+		return "multiple directories found"
+	case .GitRootFailed:
+		return "failed to find git roots"
+	case .WriteFailed:
+		return "failed to write file"
+	case .ReadFailed:
+		return "failed to read file"
+	case .DbFailed:
+		return "failed to update database"
+	}
+	return "unknown error"
+}
+

cmd_version.odin

@@ -0,0 +1,10 @@
+package main
+
+import "core:fmt"
+
+VERSION :: #load("version.txt", string)
+
+cmd_version :: proc(cmd: ^Command) {
+	fmt.wprintln(cmd.out, VERSION, flush = false)
+}
+

colors.odin

@@ -0,0 +1,86 @@
+package main
+
+import "core:io"
+import "core:terminal/ansi"
+
+COLOR_HEADINGS ::
+	ansi.CSI + ansi.FG_BRIGHT_GREEN + ";" + ansi.BOLD + ";" + ansi.UNDERLINE + ansi.SGR
+
+COLOR_COMMANDS :: ansi.CSI + ansi.FG_BRIGHT_CYAN + ";" + ansi.BOLD + ansi.SGR
+
+COLOR_EXAMPLE :: ansi.CSI + ansi.ITALIC + ansi.SGR
+
+COLOR_FLAGS :: ansi.CSI + ansi.BOLD + ";" + ansi.FG_BRIGHT_WHITE + ansi.SGR
+
+COLOR_TABLE_HEADING :: ansi.CSI + ansi.FG_BRIGHT_GREEN + ansi.SGR
+
+ANSI_RESET :: ansi.CSI + ansi.RESET + ansi.SGR
+
+ANSI_Strip_State :: enum { Normal, GotESC, InCSI }
+
+ANSI_Strip_Data :: struct {
+	inner: io.Writer,
+	state: ANSI_Strip_State,
+}
+
+ansi_strip_proc :: proc(
+	stream_data: rawptr,
+	mode:        io.Stream_Mode,
+	p:           []byte,
+	offset:      i64,
+	whence:      io.Seek_From,
+) -> (n: i64, err: io.Error) {
+	data := cast(^ANSI_Strip_Data) stream_data
+
+	#partial switch mode {
+	case .Write:
+		start := 0
+		for i in 0..<len(p) {
+			b := p[i]
+
+			switch data.state {
+			case .Normal:
+				if b == 0x1b {
+					if i > start {
+						io.write(data.inner, p[start:i])
+					}
+					data.state = .GotESC
+				}
+
+			case .GotESC:
+				if b == '[' {
+					data.state = .InCSI
+				} else {
+					start = i
+					data.state = .Normal
+				}
+
+			case .InCSI:
+				if b >= 0x40 && b <= 0x7E {
+					start = i + 1
+					data.state = .Normal
+				}
+			}
+		}
+
+		if data.state == .Normal && len(p) > start {
+			io.write(data.inner, p[start:])
+		}
+
+		n = i64(len(p))
+		return
+
+	case .Flush:
+		return 0, io.flush(data.inner)
+	case .Close:
+		return 0, io.close(data.inner)
+	case:
+		return data.inner.procedure(data.inner.data, mode, p, offset, whence)
+	}
+}
+
+make_ansi_strip_writer :: proc(inner: io.Writer) -> io.Writer {
+	data := new(ANSI_Strip_Data, context.temp_allocator)
+	data.inner = inner
+	return io.Writer{procedure = ansi_strip_proc, data = rawptr(data)}
+}

config.odin

@@ -0,0 +1,247 @@
+package main
+
+import "base:runtime"
+import "core:encoding/json"
+import "core:fmt"
+import "core:os"
+import "core:path/filepath"
+import "core:strings"
+
+import "findr"
+
+Config :: struct {
+	keys:        [dynamic]SshKeyPair `json:"keys"`,
+	scan_config: ScanConfig `json:"scan"`,
+	config_path: string `json:"-"`,
+}
+
+SshKeyPair :: struct {
+	private: string `json:"private"`,
+	public:  string `json:"public"`,
+}
+
+ScanConfig :: struct {
+	matcher: string `json:"matcher"`,
+	exclude: [dynamic]string `json:"exclude"`,
+	include: [dynamic]string `json:"include"`,
+}
+
+load_config :: proc(config_path: string, allocator := context.allocator) -> (Config, bool) {
+	// TODO: Should we use context.allocator + defer delete()?
+	data, read_err := os.read_entire_file_from_path(config_path, context.temp_allocator)
+	if read_err != nil {
+		fmt.eprintln("No config file found. Please run `envr init` to generate one.")
+		return Config{}, false
+	}
+
+	cfg: Config
+	err := json.unmarshal(data, &cfg, .JSON5, allocator)
+	if err != nil {
+		fmt.eprintf("Error parsing config: %v\n", err)
+		return Config{}, false
+	}
+	cfg.config_path = config_path
+
+	return cfg, true
+}
+
+default_config_path :: proc(home: string, allocator := context.allocator) -> string {
+	path, err := filepath.join([]string{home, ".envr", "config.json"}, allocator)
+	if err != nil {
+		panic("Ran out of memory when building config path")
+	}
+	return path
+}
+
+delete_config :: proc(cfg: ^Config, allocator := context.allocator) {
+	for key in cfg.keys {
+		delete(key.private, allocator)
+		delete(key.public, allocator)
+	}
+	delete(cfg.keys)
+
+	delete(cfg.scan_config.matcher, allocator)
+
+	for exclude in cfg.scan_config.exclude {
+		delete(exclude, allocator)
+	}
+	delete(cfg.scan_config.exclude)
+
+	for include in cfg.scan_config.include {
+		delete(include, allocator)
+	}
+	delete(cfg.scan_config.include)
+}
+
+save_config :: proc(cfg: Config, force: bool = false) -> bool {
+	config_dir := envr_dir(cfg.config_path)
+
+	if !os.exists(config_dir) {
+		mkdir_err := os.make_directory(config_dir)
+		if mkdir_err != nil {
+			fmt.eprintf("Error creating %s directory: %v\n", config_dir, mkdir_err)
+			return false
+		}
+	}
+
+	if os.exists(cfg.config_path) && !force {
+		info, stat_err := os.stat(cfg.config_path, context.temp_allocator)
+		if stat_err == nil {
+			defer os.file_info_delete(info, context.temp_allocator)
+			if info.size > 0 {
+				fmt.eprintln("Config file already exists. Run again with --force to reinitialize.")
+				return false
+			}
+		}
+	}
+
+	data, marshal_err := json.marshal(
+		cfg,
+		{pretty = true, use_spaces = true, spaces = 2},
+		context.temp_allocator,
+	)
+	if marshal_err != nil {
+		fmt.eprintf("Error marshaling config: %v\n", marshal_err)
+		return false
+	}
+
+	write_err := os.write_entire_file(cfg.config_path, data)
+	if write_err != nil {
+		fmt.eprintf("Error writing config: %v\n", write_err)
+		return false
+	}
+
+	return true
+}
+
+// Caller is responsible for calling delete_config()
+new_config :: proc(
+	private_key_paths: []string,
+	cfg_path: string = "~/.envr/config.json",
+) -> Config {
+	keys := make([dynamic]SshKeyPair, 0, len(private_key_paths))
+	for priv in private_key_paths {
+		// TODO: Is this bad?
+		priv_key := strings.clone(priv)
+		pub := strings.concatenate([]string{priv_key, ".pub"})
+		append(&keys, SshKeyPair{private = priv_key, public = pub})
+	}
+
+	// If we don't clone the strings, the cleanup semantics differ for Db created
+	// configs vs user created configs.
+	exclude := make([dynamic]string, 0, 4)
+	append(&exclude, strings.clone("*\\.envrc"))
+	append(&exclude, strings.clone("\\.local/"))
+	append(&exclude, strings.clone("node_modules"))
+	append(&exclude, strings.clone("vendor"))
+
+	include := make([dynamic]string, 0, 1)
+	append(&include, strings.clone("~"))
+
+	scan_cfg := ScanConfig {
+		matcher = strings.clone("\\.env"),
+		exclude = exclude,
+		include = include,
+	}
+
+	return Config{keys = keys, scan_config = scan_cfg, config_path = cfg_path}
+}
+
+find_ssh_private_keys :: proc() -> (keys: [dynamic]string, ok: bool) {
+	home, home_err := os.user_home_dir(context.allocator)
+	if home_err != nil {
+		fmt.eprintf("Error getting home dir: %v\n", home_err)
+		return
+	}
+
+	ssh_dir, join_err := filepath.join([]string{home, ".ssh"})
+	if join_err != nil {
+		fmt.eprintf("Error building ssh path: %v\n", join_err)
+		return
+	}
+
+	entries, dir_err := os.read_all_directory_by_path(ssh_dir, context.allocator)
+	if dir_err != nil {
+		fmt.eprintf("Could not read ~/.ssh directory: %v\n", dir_err)
+		return
+	}
+	defer os.file_info_slice_delete(entries, context.allocator)
+
+	for entry in entries {
+		name := entry.name
+		if entry.type == .Directory {
+			continue
+		}
+		if strings.has_suffix(name, ".pub") {
+			continue
+		}
+		if strings.contains(name, "known_hosts") {
+			continue
+		}
+		if strings.contains(name, "config") {
+			continue
+		}
+
+		full_path, _ := filepath.join([]string{ssh_dir, name})
+		if !is_ed25519_key(full_path) {
+			continue
+		}
+		append(&keys, full_path)
+	}
+
+	ok = true
+	return
+}
+
+find_git_roots :: proc(
+	cfg: Config,
+	allocator := context.temp_allocator,
+) -> (
+	roots: [dynamic]string,
+	ok: bool,
+) {
+	paths := search_paths(cfg, allocator)
+	// TODO: Pass allocator to findr
+	findr.find_repos(paths[:], &roots, os.get_processor_core_count())
+	ok = true
+	return
+}
+
+search_paths :: proc(cfg: Config, allocator := context.allocator) -> [dynamic]string {
+	home, err := os.user_home_dir(context.temp_allocator)
+	if err != nil {
+		panic("Failed to find home directory")
+	}
+
+	paths := new_clone(cfg.scan_config.include, allocator)
+
+	for &include in paths {
+		expanded, _ := strings.replace(include, "~", home, 1, allocator)
+		if filepath.is_abs(expanded) {
+			include = expanded
+		} else {
+			// TODO: show errors?
+			resolved, err := filepath.abs(expanded, allocator)
+			if err == nil {
+				include = resolved
+			}
+		}
+	}
+	return paths^
+}
+
+envr_dir :: proc(config_path: string) -> string {
+	return filepath.dir(config_path)
+}
+
+// User is responsible for freeing the path
+data_path :: proc(
+	config_path: string,
+	allocator := context.allocator,
+) -> (
+	string,
+	runtime.Allocator_Error,
+) #optional_allocator_error {
+	return filepath.join([]string{envr_dir(config_path), "data.envr"}, allocator)
+}
+

config_test.odin

@@ -0,0 +1,196 @@
+#+test
+package main
+
+import "core:fmt"
+import "core:os"
+import "core:path/filepath"
+import "core:strings"
+import "core:sync"
+import "core:testing"
+
+home_mutex: sync.Mutex
+
+@(test)
+test_new_config_single_key :: proc(t: ^testing.T) {
+	paths := []string{"/home/user/.ssh/id_ed25519"}
+	cfg := new_config(paths)
+	defer delete_config(&cfg)
+
+	testing.expect_value(t, len(cfg.keys), 1)
+	testing.expect_value(t, cfg.keys[0].private, "/home/user/.ssh/id_ed25519")
+	testing.expect_value(t, cfg.keys[0].public, "/home/user/.ssh/id_ed25519.pub")
+}
+
+@(test)
+test_new_config_multiple_keys :: proc(t: ^testing.T) {
+	paths := []string{"/home/user/.ssh/id_ed25519", "/home/user/.ssh/id_rsa"}
+	cfg := new_config(paths)
+	defer delete_config(&cfg)
+
+	testing.expect_value(t, len(cfg.keys), 2)
+	testing.expect_value(t, cfg.keys[0].private, "/home/user/.ssh/id_ed25519")
+	testing.expect_value(t, cfg.keys[1].private, "/home/user/.ssh/id_rsa")
+}
+
+@(test)
+test_new_config_empty_keys :: proc(t: ^testing.T) {
+	paths: []string
+	cfg := new_config(paths)
+	defer delete_config(&cfg)
+
+	testing.expect_value(t, len(cfg.keys), 0)
+}
+
+@(test)
+test_new_config_scan_defaults :: proc(t: ^testing.T) {
+	paths := []string{"/home/user/.ssh/id_ed25519"}
+	cfg := new_config(paths)
+	defer delete_config(&cfg)
+
+	testing.expect_value(t, cfg.scan_config.matcher, "\\.env")
+	testing.expect_value(t, len(cfg.scan_config.exclude), 4)
+	testing.expect_value(t, len(cfg.scan_config.include), 1)
+	testing.expect_value(t, cfg.scan_config.include[0], "~")
+}
+
+@(test)
+test_new_config_exclude_patterns :: proc(t: ^testing.T) {
+	paths := []string{"/home/user/.ssh/id_ed25519"}
+	cfg := new_config(paths)
+	defer delete_config(&cfg)
+
+	expected := []string{"*\\.envrc", "\\.local/", "node_modules", "vendor"}
+	for i in 0 ..< len(expected) {
+		testing.expect_value(t, cfg.scan_config.exclude[i], expected[i])
+	}
+}
+
+@(test)
+test_save_load_config_roundtrip :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-cfg-rt-*")
+	defer os.remove_all(base)
+
+	cfgPath, err := filepath.join([]string{base, "config.json"}, context.temp_allocator)
+	testing.expect_value(t, err, nil)
+
+	cfg := new_config([]string{"/home/user/.ssh/id_ed25519"}, cfgPath)
+	defer delete_config(&cfg)
+
+	testing.expect(t, save_config(cfg, force = true), "save should succeed")
+
+	loaded, ok := load_config(cfg.config_path)
+	testing.expect(t, ok, "load should succeed")
+	if !ok do return
+	defer delete_config(&loaded)
+
+	testing.expect_value(t, len(loaded.keys), 1)
+	testing.expect_value(t, loaded.keys[0].private, "/home/user/.ssh/id_ed25519")
+	testing.expect_value(t, loaded.keys[0].public, "/home/user/.ssh/id_ed25519.pub")
+	testing.expect_value(t, loaded.scan_config.matcher, "\\.env")
+	testing.expect_value(t, len(loaded.scan_config.exclude), 4)
+	testing.expect_value(t, len(loaded.scan_config.include), 1)
+	testing.expect_value(t, loaded.scan_config.include[0], "~")
+}
+
+@(test)
+test_load_config_missing :: proc(t: ^testing.T) {
+	_, ok := load_config("/tmp/envr-test-cfg-nonexistent/config.json")
+	testing.expect(t, !ok, "missing config should return false")
+}
+
+@(test)
+test_save_config_no_clobber :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-cfg-noclobber-*")
+	defer os.remove_all(base)
+
+	cfgPath, err := filepath.join([]string{base, "config.json"}, context.temp_allocator)
+	testing.expect_value(t, err, nil)
+
+	cfg := new_config([]string{"/home/user/.ssh/key1"}, cfgPath)
+	defer delete_config(&cfg)
+	testing.expect(t, save_config(cfg, force = true), "first save should succeed")
+
+	cfg2 := new_config([]string{"/home/user/.ssh/key2"}, cfgPath)
+	defer delete_config(&cfg2)
+	testing.expect(t, !save_config(cfg2), "second save without force should fail")
+}
+
+@(test)
+test_save_config_force_overwrites :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-cfg-force-*")
+	defer os.remove_all(base)
+
+	cfgPath, err := filepath.join([]string{base, "config.json"}, context.temp_allocator)
+	testing.expect_value(t, err, nil)
+
+	cfg := new_config([]string{"/home/user/.ssh/key1"}, cfgPath)
+	defer delete_config(&cfg)
+	testing.expect(t, save_config(cfg, force = true), "first save should succeed")
+
+	cfg2 := new_config([]string{"/home/user/.ssh/key2"}, cfgPath)
+	defer delete_config(&cfg2)
+	testing.expect(t, save_config(cfg2, force = true), "force save should overwrite")
+
+	loaded, ok := load_config(cfgPath)
+	testing.expect(t, ok, "load should succeed")
+	if !ok do return
+	defer delete_config(&loaded)
+
+	testing.expect_value(t, len(loaded.keys), 1)
+	testing.expect_value(t, loaded.keys[0].private, "/home/user/.ssh/key2")
+}
+
+@(test)
+test_envr_dir :: proc(t: ^testing.T) {
+	dir := envr_dir("/tmp/envr-fake-home-envrdir/.envr/config.json")
+	testing.expectf(t, strings.has_suffix(dir, ".envr"), "dir should end with .envr, got %s", dir)
+	testing.expectf(
+		t,
+		strings.contains(dir, "envr-fake-home-envrdir"),
+		"dir should contain home dir, got %s",
+		dir,
+	)
+}
+
+@(test)
+test_data_path :: proc(t: ^testing.T) {
+	p := data_path("/tmp/envr-fake-home-datapath/config.json")
+	defer delete(p)
+	testing.expectf(t, strings.has_suffix(p, "data.envr"), "should end with data.envr, got %s", p)
+	testing.expectf(t, strings.contains(p, ".envr"), "should contain .envr dir, got %s", p)
+}
+
+@(test)
+test_search_paths_expands_tilde :: proc(t: ^testing.T) {
+	sync.mutex_lock(&home_mutex)
+	defer sync.mutex_unlock(&home_mutex)
+
+	old_home := os.get_env("HOME", context.temp_allocator)
+	defer {
+		if old_home != "" {
+			os.set_env("HOME", old_home)
+		}
+	}
+
+	os.set_env("HOME", "/tmp/envr-fake-home-search")
+
+	cfg := Config {
+		scan_config = ScanConfig{include = make([dynamic]string, 0, 1)},
+	}
+	append(&cfg.scan_config.include, "~")
+	defer delete(cfg.scan_config.include)
+
+	paths := search_paths(cfg, context.temp_allocator)
+
+	testing.expect_value(t, len(paths), 1)
+	if len(paths) > 0 {
+		testing.expectf(
+			t,
+			strings.contains(paths[0], "envr-fake-home-search"),
+			"should expand ~ to home, got %s",
+			paths[0],
+		)
+		testing.expect(t, !strings.contains(paths[0], "~"), "should not contain literal ~")
+	}
+}
+

crypto.odin

@@ -0,0 +1,325 @@
+package main
+
+import "core:fmt"
+import "core:mem"
+import "core:os"
+
+MAGIC :: "ENVR"
+MAGIC_BYTES := [4]u8{u8('E'), u8('N'), u8('V'), u8('R')}
+
+RECIPIENT_ENTRY_SIZE ::
+	CRYPTO_BOX_PUBLICKEY_BYTES +
+	CRYPTO_BOX_NONCE_BYTES +
+	CRYPTO_SECRETBOX_KEY_BYTES +
+	CRYPTO_BOX_MAC_BYTES
+
+HEADER_SIZE :: 4 + CRYPTO_BOX_PUBLICKEY_BYTES + CRYPTO_SECRETBOX_NONCE_BYTES + 4
+
+RecipientEntry :: struct {
+	PublicKey:    [CRYPTO_BOX_PUBLICKEY_BYTES]u8,
+	Nonce:        [CRYPTO_BOX_NONCE_BYTES]u8,
+	EncryptedKey: [CRYPTO_SECRETBOX_KEY_BYTES + CRYPTO_BOX_MAC_BYTES]u8,
+}
+
+X25519Keypair :: struct {
+	Public:  [CRYPTO_BOX_PUBLICKEY_BYTES]u8,
+	Private: [CRYPTO_BOX_SECRETKEY_BYTES]u8,
+}
+
+@(init)
+init_sodium :: proc "contextless" () {
+	if sodium_init() < 0 {
+		os.exit(1)
+	}
+}
+
+// TODO: Optimize performance
+encrypt :: proc(plaintext: []u8, keys: []SshKeyPair) -> (ciphertext: []u8, ok: bool) {
+	x25519_pairs, pairs_ok := ssh_to_x25519(keys, context.temp_allocator)
+	if !pairs_ok {
+		return
+	}
+
+	sym_key: [CRYPTO_SECRETBOX_KEY_BYTES]u8
+	randombytes_buf(&sym_key[0], CRYPTO_SECRETBOX_KEY_BYTES)
+
+	main_nonce: [CRYPTO_SECRETBOX_NONCE_BYTES]u8
+	randombytes_buf(&main_nonce[0], CRYPTO_SECRETBOX_NONCE_BYTES)
+
+	ct_len := len(plaintext) + CRYPTO_SECRETBOX_MAC_BYTES
+	secret_ct := make([]u8, ct_len, context.temp_allocator)
+	pt_ptr: [^]u8
+	if len(plaintext) > 0 {
+		pt_ptr = &plaintext[0]
+	}
+	rc := crypto_secretbox_easy(
+		&secret_ct[0],
+		pt_ptr,
+		u64(len(plaintext)),
+		&main_nonce[0],
+		&sym_key[0],
+	)
+	if rc != 0 {
+		fmt.eprintln("Error: symmetric encryption failed")
+		delete(secret_ct)
+		return
+	}
+
+	num_recipients := u32(len(x25519_pairs))
+	entries := make([]RecipientEntry, num_recipients, context.temp_allocator)
+
+	for i in 0 ..< len(x25519_pairs) {
+		for j in 0 ..< CRYPTO_BOX_PUBLICKEY_BYTES {
+			entries[i].PublicKey[j] = x25519_pairs[i].Public[j]
+		}
+
+		randombytes_buf(&entries[i].Nonce[0], CRYPTO_BOX_NONCE_BYTES)
+
+		rc = crypto_box_easy(
+			&entries[i].EncryptedKey[0],
+			&sym_key[0],
+			CRYPTO_SECRETBOX_KEY_BYTES,
+			&entries[i].Nonce[0],
+			&x25519_pairs[i].Public[0],
+			&x25519_pairs[0].Private[0],
+		)
+		if rc != 0 {
+			fmt.eprintf("Error: failed to encrypt for recipient %d\n", i)
+			delete(entries)
+			delete(secret_ct)
+			return
+		}
+	}
+
+	total_len := HEADER_SIZE + int(num_recipients) * RECIPIENT_ENTRY_SIZE + ct_len
+	ciphertext = make([]u8, total_len)
+
+	pos := 0
+
+	mem.copy(&ciphertext[pos], &MAGIC_BYTES[0], 4)
+	pos += 4
+
+	mem.copy(&ciphertext[pos], &x25519_pairs[0].Public[0], CRYPTO_BOX_PUBLICKEY_BYTES)
+	pos += CRYPTO_BOX_PUBLICKEY_BYTES
+
+	mem.copy(&ciphertext[pos], &main_nonce[0], CRYPTO_SECRETBOX_NONCE_BYTES)
+	pos += CRYPTO_SECRETBOX_NONCE_BYTES
+
+	ciphertext[pos] = u8((num_recipients >> 24) & 0xff)
+	ciphertext[pos + 1] = u8((num_recipients >> 16) & 0xff)
+	ciphertext[pos + 2] = u8((num_recipients >> 8) & 0xff)
+	ciphertext[pos + 3] = u8(num_recipients & 0xff)
+	pos += 4
+
+	for i in 0 ..< int(num_recipients) {
+		mem.copy(&ciphertext[pos], &entries[i].PublicKey[0], CRYPTO_BOX_PUBLICKEY_BYTES)
+		pos += CRYPTO_BOX_PUBLICKEY_BYTES
+		mem.copy(&ciphertext[pos], &entries[i].Nonce[0], CRYPTO_BOX_NONCE_BYTES)
+		pos += CRYPTO_BOX_NONCE_BYTES
+		mem.copy(
+			&ciphertext[pos],
+			&entries[i].EncryptedKey[0],
+			CRYPTO_SECRETBOX_KEY_BYTES + CRYPTO_BOX_MAC_BYTES,
+		)
+		pos += CRYPTO_SECRETBOX_KEY_BYTES + CRYPTO_BOX_MAC_BYTES
+	}
+
+	mem.copy(&ciphertext[pos], &secret_ct[0], ct_len)
+
+	ok = true
+	return
+}
+
+decrypt :: proc(ciphertext: []u8, keys: []SshKeyPair) -> (plaintext: []u8, ok: bool) {
+	if len(ciphertext) < HEADER_SIZE {
+		fmt.eprintln("Error: ciphertext too short (header)")
+		return
+	}
+
+	for i in 0 ..< 4 {
+		if ciphertext[i] != MAGIC_BYTES[i] {
+			fmt.eprintln("Error: invalid magic bytes")
+			return
+		}
+	}
+
+	offset := 4
+
+	sender_pk: [CRYPTO_BOX_PUBLICKEY_BYTES]u8
+	for i in 0 ..< CRYPTO_BOX_PUBLICKEY_BYTES {
+		sender_pk[i] = ciphertext[offset + i]
+	}
+	offset += CRYPTO_BOX_PUBLICKEY_BYTES
+
+	main_nonce: [CRYPTO_SECRETBOX_NONCE_BYTES]u8
+	for i in 0 ..< CRYPTO_SECRETBOX_NONCE_BYTES {
+		main_nonce[i] = ciphertext[offset + i]
+	}
+	offset += CRYPTO_SECRETBOX_NONCE_BYTES
+
+	num_recipients :=
+		u32(ciphertext[offset]) << 24 |
+		u32(ciphertext[offset + 1]) << 16 |
+		u32(ciphertext[offset + 2]) << 8 |
+		u32(ciphertext[offset + 3])
+	offset += 4
+
+	recipients_end := offset + int(num_recipients) * RECIPIENT_ENTRY_SIZE
+	if recipients_end > len(ciphertext) {
+		fmt.eprintln("Error: ciphertext too short (recipient data)")
+		return
+	}
+
+	enc_sym_key: [CRYPTO_SECRETBOX_KEY_BYTES + CRYPTO_BOX_MAC_BYTES]u8
+	enc_nonce: [CRYPTO_BOX_NONCE_BYTES]u8
+	enc_pub: [CRYPTO_BOX_PUBLICKEY_BYTES]u8
+
+	x25519_pairs, pairs_ok := ssh_to_x25519(keys, context.temp_allocator)
+	if !pairs_ok {
+		return
+	}
+
+	found := false
+	matched_pi := 0
+	for pi in 0 ..< len(x25519_pairs) {
+		scan_offset := offset
+		for _ in 0 ..< int(num_recipients) {
+			for i in 0 ..< CRYPTO_BOX_PUBLICKEY_BYTES {
+				enc_pub[i] = ciphertext[scan_offset + i]
+			}
+			scan_offset += CRYPTO_BOX_PUBLICKEY_BYTES
+
+			match := true
+			for i in 0 ..< CRYPTO_BOX_PUBLICKEY_BYTES {
+				if enc_pub[i] != x25519_pairs[pi].Public[i] {
+					match = false
+					break
+				}
+			}
+			if !match {
+				scan_offset +=
+					CRYPTO_BOX_NONCE_BYTES + CRYPTO_SECRETBOX_KEY_BYTES + CRYPTO_BOX_MAC_BYTES
+				continue
+			}
+
+			for i in 0 ..< CRYPTO_BOX_NONCE_BYTES {
+				enc_nonce[i] = ciphertext[scan_offset + i]
+			}
+			scan_offset += CRYPTO_BOX_NONCE_BYTES
+
+			for i in 0 ..< CRYPTO_SECRETBOX_KEY_BYTES + CRYPTO_BOX_MAC_BYTES {
+				enc_sym_key[i] = ciphertext[scan_offset + i]
+			}
+			scan_offset += CRYPTO_SECRETBOX_KEY_BYTES + CRYPTO_BOX_MAC_BYTES
+
+			found = true
+			matched_pi = pi
+			break
+		}
+		if found {
+			break
+		}
+	}
+
+	if !found {
+		fmt.eprintln("Error: no matching recipient found")
+		return
+	}
+
+	sym_key: [CRYPTO_SECRETBOX_KEY_BYTES]u8
+	rc := crypto_box_open_easy(
+		&sym_key[0],
+		&enc_sym_key[0],
+		CRYPTO_SECRETBOX_KEY_BYTES + CRYPTO_BOX_MAC_BYTES,
+		&enc_nonce[0],
+		&sender_pk[0],
+		&x25519_pairs[matched_pi].Private[0],
+	)
+	if rc != 0 {
+		fmt.eprintln("Error: failed to decrypt symmetric key")
+		return
+	}
+
+	ct_data := ciphertext[recipients_end:]
+	pt_len := len(ct_data) - CRYPTO_SECRETBOX_MAC_BYTES
+	if pt_len < 0 {
+		fmt.eprintln("Error: ciphertext too short (no encrypted data)")
+		return
+	}
+
+	plaintext = make([]u8, pt_len)
+	pt_ptr: [^]u8
+	if len(plaintext) > 0 {
+		pt_ptr = &plaintext[0]
+	}
+	rc = crypto_secretbox_open_easy(
+		pt_ptr,
+		&ct_data[0],
+		u64(len(ct_data)),
+		&main_nonce[0],
+		&sym_key[0],
+	)
+	if rc != 0 {
+		fmt.eprintln("Error: symmetric decryption failed")
+		delete(plaintext)
+		return
+	}
+
+	ok = true
+	return
+}
+
+ssh_to_x25519 :: proc(
+	keys: []SshKeyPair,
+	allocator := context.temp_allocator,
+) -> (
+	[]X25519Keypair,
+	bool,
+) {
+	if len(keys) == 0 {
+		return {}, false
+	}
+
+	pairs := make([]X25519Keypair, len(keys), allocator)
+
+	for i in 0 ..< len(keys) {
+		ssh_kp, parse_ok := parse_ssh_private_key(keys[i].private)
+		if !parse_ok {
+			fmt.eprintf("Error: failed to parse SSH private key: %s\n", keys[i].private)
+			delete(pairs)
+			return pairs, false
+		}
+
+		ssh_pub, pub_ok := parse_ssh_public_key(keys[i].public)
+		if !pub_ok {
+			fmt.eprintf("Error: failed to parse SSH public key: %s\n", keys[i].public)
+			delete(pairs)
+			return pairs, false
+		}
+
+		pk_rc := crypto_sign_ed25519_pk_to_curve25519(&pairs[i].Public[0], &ssh_pub[0])
+		if pk_rc != 0 {
+			fmt.eprintln("Error: failed to convert ed25519 public key to curve25519")
+			delete(pairs)
+			return pairs, false
+		}
+
+		ed25519_sk: [64]u8
+		for j in 0 ..< 32 {
+			ed25519_sk[j] = ssh_kp.Private[j]
+		}
+		for j in 0 ..< 32 {
+			ed25519_sk[32 + j] = ssh_kp.Public[j]
+		}
+
+		sk_rc := crypto_sign_ed25519_sk_to_curve25519(&pairs[i].Private[0], &ed25519_sk[0])
+		if sk_rc != 0 {
+			fmt.eprintln("Error: failed to convert ed25519 private key to curve25519")
+			delete(pairs)
+			return pairs, false
+		}
+	}
+
+	return pairs, true
+}
+

crypto_test.odin

@@ -0,0 +1,126 @@
+#+test
+package main
+
+import "core:fmt"
+import "core:os"
+import "core:testing"
+
+CRYPTO_TEST_KEY_DIR :: "fixtures" + os.Path_Separator_String + "keys"
+
+make_test_key_pair :: proc(name: string) -> SshKeyPair {
+	priv := fmt.tprintf("%s/%s", CRYPTO_TEST_KEY_DIR, name)
+	pub := fmt.tprintf("%s/%s.pub", CRYPTO_TEST_KEY_DIR, name)
+	return SshKeyPair{private = priv, public = pub}
+}
+
+@(test)
+test_encrypt_decrypt_roundtrip :: proc(t: ^testing.T) {
+	key := make_test_key_pair("test_ed25519")
+	original := []u8{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
+
+	encrypted, enc_ok := encrypt(original, []SshKeyPair{key})
+	testing.expect(t, enc_ok, "encryption should succeed")
+	testing.expect(t, len(encrypted) > 0, "ciphertext should not be empty")
+	defer delete(encrypted)
+
+	decrypted, dec_ok := decrypt(encrypted, []SshKeyPair{key})
+	testing.expect(t, dec_ok, "decryption should succeed")
+	defer delete(decrypted)
+
+	testing.expect_value(t, len(decrypted), len(original))
+	// TODO: Should this be a loop?
+	for i in 0 ..< len(original) {
+		testing.expect_value(t, decrypted[i], original[i])
+	}
+}
+
+@(test)
+test_encrypt_decrypt_multi_recipient :: proc(t: ^testing.T) {
+	key1 := make_test_key_pair("test_ed25519")
+	key2 := make_test_key_pair("test_ed25519_second")
+	original := []u8{42, 43, 44, 45}
+
+	encrypted, enc_ok := encrypt(original, []SshKeyPair{key1, key2})
+	testing.expect(t, enc_ok, "encryption with 2 keys should succeed")
+	defer delete(encrypted)
+
+	decrypted1, dec1_ok := decrypt(encrypted, []SshKeyPair{key1})
+	testing.expect(t, dec1_ok, "decryption with key1 should succeed")
+	defer delete(decrypted1)
+
+	decrypted2, dec2_ok := decrypt(encrypted, []SshKeyPair{key2})
+	testing.expect(t, dec2_ok, "decryption with key2 should succeed")
+	defer delete(decrypted2)
+
+	for i in 0 ..< len(original) {
+		testing.expect_value(t, decrypted1[i], original[i])
+		testing.expect_value(t, decrypted2[i], original[i])
+	}
+}
+
+@(test)
+test_decrypt_wrong_key_fails :: proc(t: ^testing.T) {
+	key1 := make_test_key_pair("test_ed25519")
+	key2 := make_test_key_pair("test_ed25519_second")
+	original := []u8{1, 2, 3}
+
+	encrypted, enc_ok := encrypt(original, []SshKeyPair{key1})
+	testing.expect(t, enc_ok, "encryption should succeed")
+	defer delete(encrypted)
+
+	_, dec_ok := decrypt(encrypted, []SshKeyPair{key2})
+	testing.expect(t, !dec_ok, "decryption with wrong key should fail")
+}
+
+@(test)
+test_encrypt_empty_plaintext :: proc(t: ^testing.T) {
+	key := make_test_key_pair("test_ed25519")
+	original: []u8
+
+	encrypted, enc_ok := encrypt(original, []SshKeyPair{key})
+	testing.expect(t, enc_ok, "encryption of empty data should succeed")
+	defer delete(encrypted)
+
+	decrypted, dec_ok := decrypt(encrypted, []SshKeyPair{key})
+	testing.expect(t, dec_ok, "decryption should succeed")
+	defer delete(decrypted)
+
+	testing.expect_value(t, len(decrypted), 0)
+}
+
+@(test)
+test_recipient_can_decrypt_senders_data :: proc(t: ^testing.T) {
+	key1 := make_test_key_pair("test_ed25519")
+	key2 := make_test_key_pair("test_ed25519_second")
+	original := []u8{10, 20, 30, 40, 50}
+
+	encrypted, enc_ok := encrypt(original, []SshKeyPair{key1, key2})
+	testing.expect(t, enc_ok, "encryption with 2 keys should succeed")
+	defer delete(encrypted)
+
+	decrypted, dec_ok := decrypt(encrypted, []SshKeyPair{key2})
+	testing.expect(t, dec_ok, "second recipient should decrypt without the sender key present")
+	defer delete(decrypted)
+
+	// TODO: Should this be a loop?
+	for i in 0 ..< len(original) {
+		testing.expect_value(t, decrypted[i], original[i])
+	}
+}
+
+@(test)
+test_ciphertext_has_magic :: proc(t: ^testing.T) {
+	key := make_test_key_pair("test_ed25519")
+	original := []u8{1, 2, 3}
+
+	encrypted, enc_ok := encrypt(original, []SshKeyPair{key})
+	testing.expect(t, enc_ok, "encryption should succeed")
+	defer delete(encrypted)
+
+	testing.expect(t, len(encrypted) >= 4, "ciphertext should have at least 4 bytes")
+	testing.expect_value(t, encrypted[0], u8('E'))
+	testing.expect_value(t, encrypted[1], u8('N'))
+	testing.expect_value(t, encrypted[2], u8('V'))
+	testing.expect_value(t, encrypted[3], u8('R'))
+}
+

db.odin

@@ -0,0 +1,651 @@
+package main
+
+import "base:runtime"
+import "core:crypto/hash"
+import "core:encoding/hex"
+import "core:encoding/ini"
+import "core:encoding/json"
+import "core:fmt"
+import "core:mem"
+import "core:os"
+import "core:path/filepath"
+import "core:strings"
+
+import "sqlite"
+
+SyncFlagEnum :: enum {
+	DirUpdated,
+	Restored,
+	BackedUp,
+}
+
+SyncFlag :: bit_set[SyncFlagEnum]
+
+SyncError :: enum {
+	None,
+	DirMissing,
+	MultipleDirs,
+	GitRootFailed,
+	WriteFailed,
+	ReadFailed,
+	DbFailed,
+}
+
+Db :: struct {
+	conn:    sqlite.Db,
+	cfg:     Config,
+	changed: bool,
+	arena:   mem.Dynamic_Arena,
+}
+
+EnvFile :: struct {
+	path:     string,
+	dir:      string,
+	remotes:  [dynamic]string,
+	sha256:   string,
+	contents: string,
+}
+
+@(deprecated = "call db_close to clean up EnvFiles")
+delete_envfile :: proc(f: ^EnvFile) {
+	delete(f.path)
+	for &remote in f.remotes {
+		delete(remote)
+	}
+	delete(f.remotes)
+	delete(f.sha256)
+	delete(f.contents)
+}
+
+db_open :: proc(cfg_path: string) -> (db: Db, ok: bool) {
+	db = db_init() or_return
+	db.cfg = load_config(cfg_path, db_allocator(&db)) or_return
+
+	if len(db.cfg.keys) == 0 {
+		fmt.eprintf("Error: no SSH keys configured in %s\n", cfg_path)
+		db_close(&db)
+		return db, false
+	}
+
+	_, keys_ok := ssh_to_x25519(db.cfg.keys[:], context.temp_allocator)
+	if !keys_ok {
+		db_close(&db)
+		return db, false
+	}
+
+	// TODO: Use different allocators?
+	data_path := data_path(db.cfg.config_path, context.temp_allocator)
+	if os.exists(data_path) {
+		if ok = db_restore_from_encrypted(&db, data_path); !ok {
+			sqlite.close(db.conn)
+			return db, false
+		}
+	} else {
+		// DB was created
+		db.changed = true
+	}
+
+	return db, true
+}
+
+// Creates a database an allocator and fresh, empty table, with zero encryption.
+// In production, you most likely want to use `db_open`.
+db_init :: proc() -> (db: Db, ok: bool) {
+	conn: sqlite.Db
+	rc := sqlite.open(":memory:", &conn)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error opening in-memory database: %s\n", sqlite.errmsg(conn))
+		return
+	}
+
+	create_sql: cstring = "CREATE TABLE IF NOT EXISTS envr_env_files (path TEXT PRIMARY KEY NOT NULL, remotes TEXT, sha256 TEXT NOT NULL, contents TEXT NOT NULL)"
+	rc = sqlite.exec(conn, create_sql, nil, nil, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error creating table: %s\n", sqlite.errmsg(conn))
+		sqlite.close(conn)
+		return
+	}
+	db.conn = conn
+
+	mem.dynamic_arena_init(&db.arena)
+
+	return db, true
+}
+
+db_allocator :: proc(db: ^Db) -> mem.Allocator {
+	return mem.dynamic_arena_allocator(&db.arena)
+}
+
+db_restore_from_encrypted :: proc(db: ^Db, data_path: string) -> bool {
+	encrypted_data, read_err := os.read_entire_file_from_path(data_path, context.temp_allocator)
+	if read_err != nil {
+		fmt.eprintf("Error reading encrypted database: %v\n", read_err)
+		return false
+	}
+
+	// TODO: Use context.temp_allocator
+	plaintext, dec_ok := decrypt(encrypted_data, db.cfg.keys[:])
+	if !dec_ok {
+		fmt.eprintln("Error: decryption failed")
+		return false
+	}
+	defer delete(plaintext)
+
+	n := i64(len(plaintext))
+	buf := sqlite.malloc64(n)
+	if buf == nil {
+		fmt.eprintln("Error: failed to allocate buffer for deserialization")
+		return false
+	}
+	copy(buf[:len(plaintext)], plaintext)
+
+	flags: sqlite.DESERIALIZE_FLAGS = {.FREEONCLOSE, .RESIZEABLE}
+
+	rc := sqlite.deserialize(db.conn, "main", buf, n, n, flags)
+	if rc != sqlite.OK {
+		sqlite.free(buf)
+		fmt.eprintf("Error deserializing database: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+
+	return true
+}
+
+// db_close will fail silently if cfg.keys is empty. If you want to save the
+// Db, be sure to use db_open rather than db_init
+db_close :: proc(db: ^Db) {
+	allocator := db_allocator(db)
+
+	defer {
+		sqlite.close(db.conn)
+
+		delete_config(&db.cfg, allocator)
+
+		mem.dynamic_arena_destroy(&db.arena)
+	}
+
+	if db.changed && len(db.cfg.keys) > 0 {
+		rc := sqlite.exec(db.conn, "VACUUM", nil, nil, nil)
+		if rc != sqlite.OK {
+			fmt.eprintf("Error vacuuming database: %s\n", sqlite.errmsg(db.conn))
+			return
+		}
+
+		sz: i64
+		data := sqlite.serialize(db.conn, "main", &sz, {})
+		if data == nil {
+			fmt.eprintln("Error: failed to serialize database")
+			return
+		}
+		defer sqlite.free(data)
+
+		sqlite_data := data[:sz]
+		// TODO: PAss allocator chain
+		encrypted, enc_ok := encrypt(sqlite_data, db.cfg.keys[:])
+		if !enc_ok {
+			fmt.eprintln("Database encryption failed")
+
+			return
+		}
+
+		data_path := data_path(db.cfg.config_path, allocator)
+		envr_d := envr_dir(db.cfg.config_path)
+		os.mkdir_all(envr_d)
+
+		write_err := os.write_entire_file(data_path, encrypted)
+		delete(encrypted)
+		if write_err != nil {
+			fmt.eprintf("Error writing encrypted database: %v\n", write_err)
+			return
+		}
+
+		db.changed = false
+	}
+}
+
+// Results will be freed when `db_close` is called.
+db_list :: proc(db: ^Db) -> ([]EnvFile, bool) {
+	stmt: sqlite.Stmt
+	rc := sqlite.prepare_v2(
+		db.conn,
+		"SELECT path, remotes, sha256, contents FROM envr_env_files",
+		-1,
+		&stmt,
+		nil,
+	)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error preparing query: %s\n", sqlite.errmsg(db.conn))
+		return []EnvFile{}, false
+	}
+	defer sqlite.finalize(stmt)
+
+	allocator := db_allocator(db)
+	results := make([dynamic]EnvFile, 0, 10, allocator)
+
+	migrate := false
+	for {
+		rc = sqlite.step(stmt)
+		if rc == sqlite.DONE {
+			break
+		}
+		if rc != sqlite.ROW {
+			fmt.eprintf("Error stepping query: %s\n", sqlite.errmsg(db.conn))
+			#no_bounds_check return results[:], false
+		}
+
+		// TODO: Remove json support after next major release
+		remotes: [dynamic]string = ---
+		remotes_raw := string(sqlite.column_text(stmt, 1))
+		if len(remotes_raw) > 0 {
+			if remotes_raw[0] == '[' {
+				err := json.unmarshal_string(remotes_raw, &remotes, allocator = allocator)
+				if err != nil {
+					fmt.eprintf("Warning: malformed remotes JSON: %v\n", err)
+				}
+				migrate = true
+			} else {
+				split := strings.split_lines(remotes_raw, context.temp_allocator)
+				remotes = make([dynamic]string, 0, len(split), allocator = allocator)
+				for s in split {
+					append(&remotes, strings.clone(s, allocator))
+				}
+			}
+		}
+		path := clone_cstring(sqlite.column_text(stmt, 0), allocator)
+
+		append(
+			&results,
+			EnvFile {
+				path = path,
+				dir = filepath.dir(path),
+				remotes = remotes,
+				sha256 = clone_cstring(sqlite.column_text(stmt, 2), allocator),
+				contents = clone_cstring(sqlite.column_text(stmt, 3), allocator),
+			},
+		)
+	}
+
+	if migrate {
+		migrate_remotes(db)
+	}
+
+	#no_bounds_check return results[:], true
+}
+
+// TODO: Should we use context.temp_allocator for proc scoped lifetimes?
+db_insert :: proc(db: ^Db, file: EnvFile) -> bool {
+	remotes := strings.join(file.remotes[:], "\n", allocator = context.temp_allocator)
+
+	sql: cstring =
+		"INSERT OR REPLACE INTO " +
+		"envr_env_files (path, remotes, sha256, contents) VALUES (?, ?, ?, ?)"
+	stmt: sqlite.Stmt
+	rc := sqlite.prepare_v2(db.conn, sql, -1, &stmt, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error preparing insert: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+	defer sqlite.finalize(stmt)
+
+	// TODO: deal with elsewhere?
+	cpath := to_cstring(file.path)
+	defer delete(cpath)
+	rc = sqlite.bind_text(stmt, 1, cpath, -1, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error binding path: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+
+	cremotes := to_cstring(remotes)
+	defer delete(cremotes)
+	rc = sqlite.bind_text(stmt, 2, cremotes, -1, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error binding remotes: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+
+	csha := to_cstring(file.sha256)
+	defer delete(csha)
+	rc = sqlite.bind_text(stmt, 3, csha, -1, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error binding sha256: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+
+	ccontents := to_cstring(file.contents)
+	defer delete(ccontents)
+	rc = sqlite.bind_text(stmt, 4, ccontents, -1, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error binding contents: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+
+	rc = sqlite.step(stmt)
+	if rc != sqlite.DONE {
+		fmt.eprintf("Error inserting: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+
+	db.changed = true
+	return true
+}
+
+// Result will be freed when `db_close` is called.
+//
+// Expects an absolute path
+db_fetch :: proc(db: ^Db, path: string) -> (EnvFile, bool) {
+	assert(os.is_absolute_path(path))
+
+	sql: cstring = "SELECT path, remotes, sha256, contents FROM envr_env_files WHERE path = ?"
+	stmt: sqlite.Stmt
+	rc := sqlite.prepare_v2(db.conn, sql, -1, &stmt, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error preparing fetch: %s\n", sqlite.errmsg(db.conn))
+		return EnvFile{}, false
+	}
+	defer sqlite.finalize(stmt)
+
+	allocator := db_allocator(db)
+
+	cpath := to_cstring(path, allocator)
+	defer delete(cpath, allocator)
+	rc = sqlite.bind_text(stmt, 1, cpath, -1, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error binding path: %s\n", sqlite.errmsg(db.conn))
+		return EnvFile{}, false
+	}
+	rc = sqlite.step(stmt)
+	if rc == sqlite.DONE {
+		fmt.eprintf("No file found with path: %s\n", path)
+		return EnvFile{}, false
+	}
+	if rc != sqlite.ROW {
+		fmt.eprintf("Error fetching: %s\n", sqlite.errmsg(db.conn))
+		return EnvFile{}, false
+	}
+
+	// TODO: Remove json support after next major release
+	migrate := false
+	remotes: [dynamic]string = ---
+	remotes_raw := string(sqlite.column_text(stmt, 1))
+	if len(remotes_raw) > 0 {
+		if remotes_raw[0] == '[' {
+			err := json.unmarshal_string(remotes_raw, &remotes, allocator = allocator)
+			if err != nil {
+				fmt.eprintf("Warning: malformed remotes JSON: %v\n", err)
+			}
+
+			migrate = true
+		} else {
+			split := strings.split_lines(remotes_raw, context.temp_allocator)
+			remotes = make([dynamic]string, 0, len(split), allocator = allocator)
+			for s in split {
+				append(&remotes, strings.clone(s, allocator))
+			}
+		}
+	}
+
+	file_path := clone_cstring(sqlite.column_text(stmt, 0), allocator)
+
+	if migrate {
+		migrate_remotes(db)
+	}
+
+	return EnvFile {
+			path = file_path,
+			dir = filepath.dir(file_path),
+			remotes = remotes,
+			sha256 = clone_cstring(sqlite.column_text(stmt, 2), allocator),
+			contents = clone_cstring(sqlite.column_text(stmt, 3), allocator),
+		},
+		true
+}
+
+db_delete :: proc(db: ^Db, path: string) -> bool {
+	sql: cstring = "DELETE FROM envr_env_files WHERE path = ?"
+	stmt: sqlite.Stmt
+	rc := sqlite.prepare_v2(db.conn, sql, -1, &stmt, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error preparing delete: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+	defer sqlite.finalize(stmt)
+
+	cpath := to_cstring(path)
+	defer delete(cpath)
+	rc = sqlite.bind_text(stmt, 1, cpath, -1, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Error binding path: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+	rc = sqlite.step(stmt)
+	if rc != sqlite.DONE {
+		fmt.eprintf("Error deleting: %s\n", sqlite.errmsg(db.conn))
+		return false
+	}
+
+	if sqlite.changes(db.conn) == 0 {
+		fmt.eprintf("No file found with path: %s\n", path)
+		return false
+	}
+
+	db.changed = true
+	return true
+}
+
+// Caller is responsible for the returned memory
+new_env_file :: proc(path: string) -> (EnvFile, bool) {
+	abs_path, abs_err := filepath.abs(path)
+	if abs_err != nil {
+		fmt.eprintf("Error getting absolute path: %v\n", abs_err)
+		return EnvFile{}, false
+	}
+
+	dir := filepath.dir(abs_path)
+
+	// TODO: Should we use the db allocator here?
+	remotes := get_git_remotes(dir, context.allocator)
+
+	data, read_err := os.read_entire_file_from_path(abs_path, context.allocator)
+	if read_err != nil {
+		fmt.eprintf("Error reading file %s: %v\n", abs_path, read_err)
+		return EnvFile{}, false
+	}
+
+	digest := hash.hash_bytes(hash.Algorithm.SHA256, data, context.temp_allocator)
+	hex_bytes := hex.encode(digest, context.allocator)
+	return EnvFile {
+			path = abs_path,
+			dir = dir,
+			remotes = remotes,
+			sha256 = string(hex_bytes),
+			contents = string(data),
+		},
+		true
+}
+
+// Reconciles `f` with the filesystem and persists changes to the database.
+db_sync :: proc(db: ^Db, f: ^EnvFile) -> (SyncFlag, SyncError) {
+	allocator := db_allocator(db)
+	result: SyncFlag = {}
+	old_path := f.path
+
+	if !os.exists(f.dir) {
+		moved, err := try_move_dir(db, f, allocator)
+		if !moved {
+			return {}, err
+		}
+		result += {.DirUpdated}
+	}
+
+	if !os.exists(f.path) {
+		write_err := os.write_entire_file(f.path, f.contents)
+		if write_err != nil {
+			fmt.eprintf("db_sync: failed to write %s: %v\n", f.path, write_err)
+			return result, .WriteFailed
+		}
+
+		if !db_persist(db, f, old_path) {
+			return result, .DbFailed
+		}
+		return result + {.Restored}, .None
+	}
+
+	data, read_err := os.read_entire_file_from_path(f.path, allocator)
+	if read_err != nil {
+		fmt.eprintf("db_sync: failed to read %s: %v\n", f.path, read_err)
+		return result, .ReadFailed
+	}
+
+	digest := hash.hash_bytes(hash.Algorithm.SHA256, data, context.temp_allocator)
+	hex_bytes := hex.encode(digest, allocator)
+	current_sha := string(hex_bytes)
+
+	if current_sha == f.sha256 {
+		if !db_persist(db, f, old_path) {
+			return result, .DbFailed
+		}
+		return result, .None
+	}
+
+	f.contents = string(data)
+	f.sha256 = current_sha
+	if !db_persist(db, f, old_path) {
+		return result, .DbFailed
+	}
+	return result + {.BackedUp}, .None
+}
+
+db_persist :: proc(db: ^Db, f: ^EnvFile, old_path: string) -> bool {
+	if f.path != old_path {
+		if !db_delete(db, old_path) {
+			return false
+		}
+	}
+	return db_insert(db, f^)
+}
+
+// TODO: Remove after the next major release
+migrate_remotes :: proc(db: ^Db) {
+	sql ::
+		"UPDATE envr_env_files " +
+		"SET remotes = COALESCE((" +
+		"  SELECT group_concat(atom, char(10)) " +
+		"  FROM json_each(envr_env_files.remotes)" +
+		"), '') " +
+		"WHERE remotes LIKE '[%'"
+
+	rc := sqlite.exec(db.conn, sql, nil, nil, nil)
+	if rc != sqlite.OK {
+		fmt.eprintf("Warning: failed to migrate remotes: %s\n", sqlite.errmsg(db.conn))
+		return
+	}
+
+	if sqlite.changes(db.conn) > 0 {
+		db.changed = true
+	}
+}
+
+try_move_dir :: proc(db: ^Db, f: ^EnvFile, allocator: mem.Allocator) -> (bool, SyncError) {
+	roots, ok := find_git_roots(db.cfg)
+	if !ok {
+		return false, .GitRootFailed
+	}
+	defer {
+		for root in roots {
+			delete(root)
+		}
+		delete(roots)
+	}
+
+	match_count := 0
+	matched_dir: string
+	for root in roots {
+		remotes := get_git_remotes(root, context.temp_allocator)
+		if shares_remote(f, remotes[:]) {
+			match_count += 1
+			matched_dir = root
+		}
+	}
+
+	switch match_count {
+	case 0:
+		return false, .DirMissing
+	case 1:
+		f.dir = strings.clone(matched_dir, allocator)
+		base := filepath.base(f.path)
+		new_path, _ := filepath.join({f.dir, base}, allocator)
+		f.path = new_path
+		f.remotes = get_git_remotes(f.dir, allocator)
+		return true, .None
+	case:
+		return false, .MultipleDirs
+	}
+}
+
+shares_remote :: proc(f: ^EnvFile, remotes: []string) -> bool {
+	for r1 in f.remotes {
+		for r2 in remotes {
+			if r1 == r2 {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+get_git_remotes :: proc(dir: string, allocator: mem.Allocator) -> [dynamic]string {
+	config_path, _ := filepath.join({dir, ".git", "config"}, context.temp_allocator)
+	// TODO: Handle error
+	m, _, read_ok := ini.load_map_from_path(config_path, context.temp_allocator)
+	if !read_ok {
+		return nil
+	}
+
+	remotes := make([dynamic]string, 0, 1, allocator)
+
+	for section_name, section in m {
+		if strings.has_prefix(section_name, "remote ") {
+			if url, ok := section["url"]; ok {
+				found := false
+				for r in remotes {
+					if r == url {found = true; break}
+				}
+				if !found {
+					// FIXME: Currently leaks when adding a file with envr scan
+					cloned := strings.clone(url, allocator)
+					append(&remotes, cloned)
+				}
+			}
+		}
+	}
+
+	return remotes
+}
+
+to_cstring :: proc {
+	string_to_cstring,
+	strings.to_cstring,
+}
+
+string_to_cstring :: proc(s: string, allocator := context.allocator) -> cstring {
+	cs, err := strings.clone_to_cstring(s, allocator)
+	if err != nil {
+		fmt.eprintf("Failed to convert string to cstring: %v\n", err)
+		panic("Allocation Exception")
+	}
+	return cs
+}
+
+// Unless an explicit allocator is passed, caller is responsible for freeing the result
+clone_cstring :: proc(c: cstring, allocator := context.allocator) -> string {
+	str, err := strings.clone_from_cstring(c, allocator)
+	if err != nil {
+		fmt.eprintf("Failed to convert string to cstring: %v\n", err)
+		delete(str)
+		panic("Allocation Exception")
+	}
+
+	return str
+}
+

db_integration_test.odin

@@ -0,0 +1,335 @@
+#+test
+package main
+
+import "core:fmt"
+import "core:os"
+import "core:path/filepath"
+import "core:strings"
+import "core:testing"
+
+import "sqlite"
+
+FIXTURES :: "fixtures"
+
+test_temp_dir :: proc(t: ^testing.T, prefix: string) -> string {
+	dir, err := os.mkdir_temp("", prefix, context.temp_allocator)
+	if err != nil {
+		testing.fail_now(t, fmt.tprintf("Failed to create temp dir: %v", err))
+	}
+	return dir
+}
+
+fixture_key :: proc() -> SshKeyPair {
+	priv, _ := strings.concatenate(
+		[]string{FIXTURES, "/keys/insecure-test-key"},
+		context.temp_allocator,
+	)
+	pub, _ := strings.concatenate(
+		[]string{FIXTURES, "/keys/insecure-test-key.pub"},
+		context.temp_allocator,
+	)
+	return SshKeyPair{private = priv, public = pub}
+}
+
+fixture_db_path :: proc() -> string {
+	p, _ := strings.concatenate([]string{FIXTURES, "/single-file.db"}, context.temp_allocator)
+	return p
+}
+
+fixture_config :: proc() -> Config {
+	cfg := Config {
+		keys = make([dynamic]SshKeyPair, 0, 1),
+	}
+	append(&cfg.keys, fixture_key())
+	return cfg
+}
+
+@(test)
+test_encrypt_decrypt_sqlite_roundtrip :: proc(t: ^testing.T) {
+	cfg := fixture_config()
+	defer {
+		delete(cfg.keys)
+	}
+
+	db_path := fixture_db_path()
+	sqlite_data, read_err := os.read_entire_file_from_path(db_path, context.allocator)
+	testing.expectf(t, read_err == nil, "failed to read fixture db: %v", read_err)
+	if read_err != nil {
+		return
+	}
+	defer delete(sqlite_data)
+
+	encrypted, enc_ok := encrypt(sqlite_data, cfg.keys[:])
+	testing.expect(t, enc_ok, "encryption should succeed")
+	if !enc_ok {
+		return
+	}
+	defer delete(encrypted)
+
+	testing.expect(t, len(encrypted) >= HEADER_SIZE, "ciphertext should have header")
+	testing.expect_value(t, encrypted[0], u8('E'))
+	testing.expect_value(t, encrypted[1], u8('N'))
+	testing.expect_value(t, encrypted[2], u8('V'))
+	testing.expect_value(t, encrypted[3], u8('R'))
+
+	plaintext, dec_ok := decrypt(encrypted, cfg.keys[:])
+	testing.expect(t, dec_ok, "decryption should succeed")
+	if !dec_ok {
+		return
+	}
+	defer delete(plaintext)
+
+	testing.expectf(
+		t,
+		len(plaintext) == len(sqlite_data),
+		"round-trip size mismatch: expected %d, got %d",
+		len(sqlite_data),
+		len(plaintext),
+	)
+
+	match := true
+	for i in 0 ..< len(sqlite_data) {
+		if plaintext[i] != sqlite_data[i] {
+			match = false
+			break
+		}
+	}
+	testing.expect(t, match, "decrypted data should match original")
+}
+
+@(test)
+test_encrypt_write_read_decrypt :: proc(t: ^testing.T) {
+	cfg := fixture_config()
+	defer {
+		delete(cfg.keys)
+	}
+
+	db_path := fixture_db_path()
+	sqlite_data, read_err := os.read_entire_file_from_path(db_path, context.allocator)
+	testing.expectf(t, read_err == nil, "failed to read fixture db: %v", read_err)
+	if read_err != nil {
+		return
+	}
+	defer delete(sqlite_data)
+
+	encrypted, enc_ok := encrypt(sqlite_data, cfg.keys[:])
+	testing.expect(t, enc_ok, "encryption should succeed")
+	if !enc_ok {
+		return
+	}
+	defer delete(encrypted)
+
+	ewrd_dir := test_temp_dir(t, "envr-test-ewrd-*")
+	defer os.remove_all(ewrd_dir)
+	tmp_enc_path, _ := filepath.join([]string{ewrd_dir, "data.envr"}, context.temp_allocator)
+	write_err := os.write_entire_file(tmp_enc_path, encrypted)
+	testing.expectf(t, write_err == nil, "failed to write encrypted file: %v", write_err)
+	if write_err != nil {
+		return
+	}
+
+	read_back, rb_err := os.read_entire_file_from_path(tmp_enc_path, context.allocator)
+	testing.expectf(t, rb_err == nil, "failed to read back encrypted file: %v", rb_err)
+	if rb_err != nil {
+		return
+	}
+	defer delete(read_back)
+
+	plaintext, dec_ok := decrypt(read_back, cfg.keys[:])
+	testing.expect(t, dec_ok, "decryption after write/read should succeed")
+	if !dec_ok {
+		return
+	}
+	defer delete(plaintext)
+
+	testing.expect_value(t, len(plaintext), len(sqlite_data))
+}
+
+@(test)
+test_decrypt_then_deserialize_sqlite :: proc(t: ^testing.T) {
+	cfg := fixture_config()
+	defer {
+		delete(cfg.keys)
+	}
+
+	db_path := fixture_db_path()
+	sqlite_data, read_err := os.read_entire_file_from_path(db_path, context.allocator)
+	testing.expectf(t, read_err == nil, "failed to read fixture db: %v", read_err)
+	if read_err != nil {
+		return
+	}
+	defer delete(sqlite_data)
+
+	encrypted, enc_ok := encrypt(sqlite_data, cfg.keys[:])
+	testing.expect(t, enc_ok, "encryption should succeed")
+	if !enc_ok {
+		return
+	}
+	defer delete(encrypted)
+
+	plaintext, dec_ok := decrypt(encrypted, cfg.keys[:])
+	testing.expect(t, dec_ok, "decryption should succeed")
+	if !dec_ok {
+		return
+	}
+	defer delete(plaintext)
+
+	mem_db: sqlite.Db
+	rc := sqlite.open(":memory:", &mem_db)
+	testing.expectf(t, rc == sqlite.OK, "failed to open in-memory db")
+	if rc != sqlite.OK {
+		return
+	}
+	defer sqlite.close(mem_db)
+
+	n := i64(len(plaintext))
+	buf := sqlite.malloc64(n)
+	testing.expect(t, buf != nil, "malloc64 should succeed")
+	if buf == nil do return
+	copy(buf[:len(plaintext)], plaintext)
+
+	rc = sqlite.deserialize(mem_db, "main", buf, n, n, {.FREEONCLOSE, .RESIZEABLE})
+	testing.expect_value(t, rc, sqlite.OK)
+	if rc != sqlite.OK {
+		sqlite.free(buf)
+		return
+	}
+
+	sql: cstring = "SELECT path FROM envr_env_files"
+	stmt: sqlite.Stmt
+	rc = sqlite.prepare_v2(mem_db, sql, -1, &stmt, nil)
+	testing.expect_value(t, rc, sqlite.OK)
+	if rc != sqlite.OK {
+		return
+	}
+	defer sqlite.finalize(stmt)
+
+	rc = sqlite.step(stmt)
+	testing.expect_value(t, rc, sqlite.ROW)
+	if rc == sqlite.ROW {
+		path := string(sqlite.column_text(stmt, 0))
+		testing.expect(t, len(path) > 0, "path should not be empty")
+	}
+}
+
+@(test)
+test_full_db_cycle :: proc(t: ^testing.T) {
+	cfg := fixture_config()
+	defer delete(cfg.keys)
+
+	db_path := fixture_db_path()
+	original_data, read_err := os.read_entire_file_from_path(db_path, context.allocator)
+	testing.expectf(t, read_err == nil, "failed to read fixture db: %v", read_err)
+	if read_err != nil {
+		return
+	}
+	defer delete(original_data)
+
+	encrypted, enc_ok := encrypt(original_data, cfg.keys[:])
+	testing.expect(t, enc_ok, "first encryption should succeed")
+	if !enc_ok {
+		return
+	}
+	defer delete(encrypted)
+
+	cycle_dir := test_temp_dir(t, "envr-test-cycle-*")
+	defer os.remove_all(cycle_dir)
+	envr_dir_path, _ := filepath.join([]string{cycle_dir, ".envr"}, context.temp_allocator)
+	{
+		err := os.mkdir_all(envr_dir_path)
+		testing.expect_value(t, err, nil)
+	}
+
+	data_path, _ := filepath.join([]string{envr_dir_path, "data.envr"}, context.temp_allocator)
+	write_err := os.write_entire_file(data_path, encrypted)
+	testing.expectf(t, write_err == nil, "failed to write data.envr: %v", write_err)
+	if write_err != nil {
+		return
+	}
+
+	read_back, rb_err := os.read_entire_file_from_path(data_path, context.allocator)
+	testing.expectf(t, rb_err == nil, "failed to read data.envr: %v", rb_err)
+	if rb_err != nil {
+		return
+	}
+	defer delete(read_back)
+
+	plaintext, dec_ok := decrypt(read_back, cfg.keys[:])
+	testing.expect(t, dec_ok, "decryption should succeed")
+	if !dec_ok {
+		return
+	}
+	defer delete(plaintext)
+
+	encrypted2, enc2_ok := encrypt(plaintext, cfg.keys[:])
+	testing.expect(t, enc2_ok, "re-encryption should succeed")
+	if !enc2_ok {
+		return
+	}
+	defer delete(encrypted2)
+
+	plaintext2, dec2_ok := decrypt(encrypted2, cfg.keys[:])
+	testing.expect(t, dec2_ok, "second decryption should succeed")
+	if !dec2_ok {
+		return
+	}
+	defer delete(plaintext2)
+
+	testing.expect_value(t, len(plaintext2), len(original_data))
+
+	os.remove(data_path)
+	os.remove(envr_dir_path)
+	home := filepath.dir(filepath.dir(envr_dir_path))
+	os.remove(home)
+}
+
+@(test)
+test_ssh_key_parse_from_fixtures :: proc(t: ^testing.T) {
+	key := fixture_key()
+
+	priv_kp, priv_ok := parse_ssh_private_key(key.private)
+	testing.expect(t, priv_ok, "should parse private key from fixtures")
+	if !priv_ok {
+		return
+	}
+
+	pub_key, pub_ok := parse_ssh_public_key(key.public)
+	testing.expect(t, pub_ok, "should parse public key from fixtures")
+	if !pub_ok {
+		return
+	}
+
+	for i in 0 ..< 32 {
+		testing.expectf(t, priv_kp.Public[i] == pub_key[i], "public key mismatch at byte %d", i)
+	}
+
+	x25519_pairs, x_ok := ssh_to_x25519([]SshKeyPair{key})
+	testing.expect(t, x_ok, "ssh_to_x25519 should succeed")
+	if !x_ok {
+		return
+	}
+
+	testing.expect_value(t, len(x25519_pairs), 1)
+}
+
+@(test)
+test_config_load_with_fixture_key :: proc(t: ^testing.T) {
+	cfg := fixture_config()
+	defer {
+		delete(cfg.keys)
+	}
+
+	testing.expect_value(t, len(cfg.keys), 1)
+
+	key := cfg.keys[0]
+
+	testing.expectf(t, len(key.private) > 0, "private key path should not be empty")
+	testing.expectf(t, len(key.public) > 0, "public key path should not be empty")
+
+	_, priv_ok := parse_ssh_private_key(key.private)
+	testing.expect(t, priv_ok, "should parse private key using config paths")
+	if !priv_ok {
+		fmt.printf("  private key path was: '%s'\n", key.private)
+	}
+}
+

db_test.odin

@@ -0,0 +1,561 @@
+#+test
+package main
+
+import "core:crypto/hash"
+import "core:encoding/hex"
+import "core:fmt"
+import "core:os"
+import "core:path/filepath"
+import "core:strings"
+import "core:testing"
+
+import "sqlite"
+
+make_test_env_file :: proc(path, sha, contents: string, remotes: []string = {}) -> EnvFile {
+	f := EnvFile {
+		path     = path,
+		dir      = "",
+		sha256   = sha,
+		contents = contents,
+		remotes  = make([dynamic]string, 0, len(remotes), context.temp_allocator),
+	}
+	for r in remotes {
+		append(&f.remotes, r)
+	}
+	return f
+}
+
+@(test)
+test_db_insert_and_fetch :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	if !ok do return
+	defer db_close(&db)
+
+	path := "/project/.env"
+	sha := "abc123"
+	contents := "SECRET=value"
+
+	f := make_test_env_file(path, sha, contents, []string{"git@github.com:user/repo.git"})
+	defer delete(f.remotes)
+
+	testing.expect(t, db_insert(&db, f), "insert should succeed")
+
+	fetched, fetch_ok := db_fetch(&db, "/project/.env")
+	// defer delete_envfile(&fetched)
+	testing.expect(t, fetch_ok, "fetch should succeed")
+	if !fetch_ok do return
+
+	testing.expect_value(t, fetched.path, path)
+	testing.expect_value(t, fetched.sha256, sha)
+	testing.expect_value(t, fetched.contents, contents)
+	testing.expect_value(t, len(fetched.remotes), 1)
+	testing.expect_value(t, fetched.remotes[0], "git@github.com:user/repo.git")
+}
+
+@(test)
+test_db_fetch_missing :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	if !ok do return
+	defer db_close(&db)
+
+	_, fetch_ok := db_fetch(&db, "/nonexistent/.env")
+	testing.expect(t, !fetch_ok, "fetch missing should return false")
+}
+
+@(test)
+test_db_insert_or_replace :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	defer db_close(&db)
+	testing.expect(t, ok, "failed to create test db")
+
+	f1 := make_test_env_file("/project/.env", "sha1", "KEY=old")
+	defer delete(f1.remotes)
+	testing.expect(t, db_insert(&db, f1), "first insert should succeed")
+
+	f2 := make_test_env_file("/project/.env", "sha2", "KEY=new")
+	defer delete(f2.remotes)
+	testing.expect(t, db_insert(&db, f2), "second insert should succeed")
+
+	results, list_ok := db_list(&db)
+	testing.expect(t, list_ok, "list should succeed")
+
+	testing.expect_value(t, len(results), 1)
+
+	fetched, fetch_ok := db_fetch(&db, "/project/.env")
+	testing.expect(t, fetch_ok, "fetch should succeed")
+	if !fetch_ok do return
+	// defer delete_envfile(&fetched)
+
+	testing.expect_value(t, fetched.contents, "KEY=new")
+	testing.expect_value(t, fetched.sha256, "sha2")
+}
+
+@(test)
+test_db_delete_existing :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	if !ok do return
+	defer db_close(&db)
+
+	f := make_test_env_file("/project/.env", "sha", "KEY=val")
+	defer delete(f.remotes)
+	db_insert(&db, f)
+
+	testing.expect(t, db_delete(&db, "/project/.env"), "delete should return true")
+
+	_, fetch_ok := db_fetch(&db, "/project/.env")
+	testing.expect(t, !fetch_ok, "row should be gone after delete")
+}
+
+@(test)
+test_db_delete_missing :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	if !ok do return
+	defer db_close(&db)
+
+	testing.expect(t, !db_delete(&db, "/nonexistent/.env"), "delete missing should return false")
+}
+
+@(test)
+test_db_list_multiple :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	defer db_close(&db)
+
+	f1 := make_test_env_file("/proj1/.env", "sha1", "A=1", []string{"git@github.com:a/repo.git"})
+	defer delete(f1.remotes)
+	f2 := make_test_env_file("/proj2/.env", "sha2", "B=2", []string{"git@github.com:b/repo.git"})
+	defer delete(f2.remotes)
+	f3 := make_test_env_file("/proj3/.env", "sha3", "C=3")
+
+	db_insert(&db, f1)
+	db_insert(&db, f2)
+	db_insert(&db, f3)
+
+	results, list_ok := db_list(&db)
+	testing.expect(t, list_ok, "list should succeed")
+
+	testing.expect_value(t, len(results), 3)
+}
+
+@(test)
+test_db_list_empty :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	defer db_close(&db)
+
+	results, list_ok := db_list(&db)
+	testing.expect(t, list_ok, "list should succeed on empty db")
+	testing.expect_value(t, len(results), 0)
+}
+
+@(test)
+test_db_insert_sets_changed :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	if !ok do return
+	defer db_close(&db)
+
+	testing.expect(t, !db.changed, "changed should start false")
+
+	f := make_test_env_file("/project/.env", "sha", "KEY=val")
+	defer delete(f.remotes)
+	db_insert(&db, f)
+
+	testing.expect(t, db.changed, "changed should be true after insert")
+}
+
+@(test)
+test_db_delete_sets_changed :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	if !ok do return
+	defer db_close(&db)
+
+	f := make_test_env_file("/project/.env", "sha", "KEY=val")
+	defer delete(f.remotes)
+	db_insert(&db, f)
+	db.changed = false
+
+	db_delete(&db, "/project/.env")
+	testing.expect(t, db.changed, "changed should be true after delete")
+}
+
+@(test)
+test_db_serialize :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	if !ok do return
+	defer db_close(&db)
+
+	f := make_test_env_file("/project/.env", "sha", "KEY=val")
+	defer delete(f.remotes)
+	db_insert(&db, f)
+
+	sz: i64
+	data := sqlite.serialize(db.conn, "main", &sz, {})
+	testing.expect(t, data != nil, "serialize should return non-nil")
+	if data == nil do return
+	defer sqlite.free(data)
+
+	testing.expect(t, sz > 0, "serialized size should be > 0")
+}
+
+@(test)
+test_shares_remote_overlap :: proc(t: ^testing.T) {
+	f := EnvFile {
+		remotes = make([dynamic]string, 2, context.temp_allocator),
+	}
+	append(&f.remotes, "git@github.com:user/repo.git")
+	append(&f.remotes, "git@gitlab.com:user/repo.git")
+
+	remotes := []string{"git@github.com:user/repo.git"}
+	testing.expect(t, shares_remote(&f, remotes), "should share remote")
+}
+
+@(test)
+test_shares_remote_no_overlap :: proc(t: ^testing.T) {
+	f := EnvFile {
+		remotes = make([dynamic]string, 1, context.temp_allocator),
+	}
+	append(&f.remotes, "git@github.com:user/repo.git")
+
+	remotes := []string{"git@github.com:other/repo.git"}
+	testing.expect(t, !shares_remote(&f, remotes), "should not share remote")
+}
+
+@(test)
+test_shares_remote_empty_file_remotes :: proc(t: ^testing.T) {
+	f := EnvFile {
+		remotes = make([dynamic]string, 0, context.temp_allocator),
+	}
+
+	remotes := []string{"git@github.com:user/repo.git"}
+	testing.expect(t, !shares_remote(&f, remotes), "empty file remotes should not share")
+}
+
+@(test)
+test_shares_remote_empty_check_remotes :: proc(t: ^testing.T) {
+	f := EnvFile {
+		remotes = make([dynamic]string, 1, context.temp_allocator),
+	}
+	append(&f.remotes, "git@github.com:user/repo.git")
+
+	remotes: []string
+	testing.expect(t, !shares_remote(&f, remotes), "empty check remotes should not share")
+}
+
+@(test)
+test_shares_remote_both_empty :: proc(t: ^testing.T) {
+	f := EnvFile {
+		remotes = make([dynamic]string, 0),
+	}
+
+	remotes: []string
+	testing.expect(t, !shares_remote(&f, remotes), "both empty should not share")
+}
+
+delete_remotes :: proc(remotes: [dynamic]string) {
+	for &r in remotes {
+		delete(r)
+	}
+	delete(remotes)
+}
+
+@(test)
+test_get_git_remotes_single :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-remotes-*")
+	defer os.remove_all(base)
+
+	git_dir := fmt.tprintf("%s/.git", base)
+	os.mkdir_all(git_dir)
+
+	config_content := "[core]\n\trepositoryformatversion = 0\n[remote \"origin\"]\n\turl = git@github.com:user/repo.git\n\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
+	config_path := fmt.tprintf("%s/config", git_dir)
+	err := os.write_entire_file(config_path, transmute([]u8)config_content)
+	testing.expect_value(t, err, nil)
+
+	remotes := get_git_remotes(base, context.temp_allocator)
+
+	testing.expect_value(t, len(remotes), 1)
+	if len(remotes) != 1 do return
+	testing.expect_value(t, remotes[0], "git@github.com:user/repo.git")
+}
+
+@(test)
+test_get_git_remotes_multiple :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-remotes-multi-*")
+	defer os.remove_all(base)
+
+	git_dir := fmt.tprintf("%s/.git", base)
+	os.mkdir_all(git_dir)
+
+	config_content := "[remote \"origin\"]\n\turl = git@github.com:user/repo.git\n[remote \"upstream\"]\n\turl = https://gitlab.com/upstream/repo.git\n"
+	config_path := fmt.tprintf("%s/config", git_dir)
+	err := os.write_entire_file(config_path, transmute([]u8)config_content)
+	testing.expect_value(t, err, nil)
+
+	remotes := get_git_remotes(base, context.temp_allocator)
+
+	testing.expect_value(t, len(remotes), 2)
+}
+
+@(test)
+test_get_git_remotes_no_config :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-remotes-none-*")
+	defer os.remove_all(base)
+
+	remotes := get_git_remotes(base, context.temp_allocator)
+
+	testing.expect_value(t, len(remotes), 0)
+}
+
+@(test)
+test_get_git_remotes_no_remotes :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-remotes-empty-*")
+	defer os.remove_all(base)
+
+	git_dir := fmt.tprintf("%s/.git", base)
+	os.mkdir_all(git_dir)
+
+	config_content := "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
+	config_path := fmt.tprintf("%s/config", git_dir)
+	err := os.write_entire_file(config_path, transmute([]u8)config_content)
+	testing.expect_value(t, err, nil)
+
+	remotes := get_git_remotes(base, context.temp_allocator)
+
+	testing.expect_value(t, len(remotes), 0)
+}
+
+@(test)
+test_new_env_file :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-envfile-*")
+	defer os.remove_all(base)
+
+	env_path := fmt.tprintf("%s/.env", base)
+	err := os.write_entire_file(env_path, "SECRET=value\n")
+	testing.expect_value(t, err, nil)
+
+	file, ok := new_env_file(env_path)
+	testing.expect(t, ok, "new_env_file should succeed")
+	if !ok do return
+	defer delete(file.contents)
+	defer delete(file.remotes)
+	defer delete(file.sha256)
+	defer delete(file.path)
+
+	testing.expect(t, filepath.is_abs(file.path), "path should be absolute")
+	testing.expect(t, strings.has_suffix(file.path, "/.env"), "path should end with /.env")
+	testing.expect_value(t, file.contents, "SECRET=value\n")
+	testing.expect_value(t, len(file.sha256), 64)
+}
+
+@(test)
+test_new_env_file_missing :: proc(t: ^testing.T) {
+	_, ok := new_env_file("/tmp/envr-nonexistent-envfile/path/.env")
+	testing.expect(t, !ok, "missing file should return false")
+}
+
+@(test)
+test_closing_db_has_no_leaks :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-leak-*")
+	defer os.remove_all(base)
+
+	cfg_path, err := filepath.join([]string{base, "config.json"}, context.temp_allocator)
+	testing.expect_value(t, err, nil)
+
+	{
+		cfg := new_config([]string{"fixtures/keys/insecure-test-key"}, cfg_path)
+		testing.expect(t, save_config(cfg, force = true), "save should succeed")
+		delete_config(&cfg)
+	}
+
+	db, ok := db_open(cfg_path)
+	testing.expect(t, ok, "db should open")
+	db_close(&db)
+}
+
+@(test)
+test_open_existing_db_has_no_leaks :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-leak-existing-*")
+	defer os.remove_all(base)
+
+	cfg_path, err := filepath.join([]string{base, "config.json"}, context.temp_allocator)
+	testing.expect_value(t, err, nil)
+
+	{
+		cfg := new_config([]string{"fixtures/keys/insecure-test-key"}, cfg_path)
+		testing.expect(t, save_config(cfg, force = true), "save should succeed")
+		delete_config(&cfg)
+	}
+
+	// First open/close creates data.envr on disk
+	db, ok := db_open(cfg_path)
+	testing.expect(t, ok, "db should open")
+	if !ok do return
+	f := make_test_env_file(
+		"/project/.env",
+		"abc123",
+		"SECRET=value",
+		[]string{"git@github.com:user/repo.git"},
+	)
+	defer delete(f.remotes)
+	testing.expect(t, db_insert(&db, f), "insert should succeed")
+	db_close(&db)
+
+	// Second open exercises db_restore_from_encrypted
+	db2, ok2 := db_open(cfg_path)
+	testing.expect(t, ok2, "db should open existing")
+	if !ok2 do return
+	db_close(&db2)
+}
+
+@(test)
+test_db_sync_noop :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-sync-noop-*")
+	defer os.remove_all(base)
+
+	env_path := fmt.tprintf("%s/.env", base)
+	content := "KEY=value\n"
+	write_err := os.write_entire_file(env_path, transmute([]u8)content)
+	testing.expect_value(t, write_err, nil)
+
+	digest := hash.hash_bytes(
+		hash.Algorithm.SHA256,
+		transmute([]u8)content,
+		context.temp_allocator,
+	)
+	hex_bytes := hex.encode(digest, context.temp_allocator)
+	sha := string(hex_bytes)
+
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	defer db_close(&db)
+
+	f := make_test_env_file(env_path, sha, content)
+	f.dir = base
+	db_insert(&db, f)
+
+	result, sync_err := db_sync(&db, &f)
+	testing.expect_value(t, sync_err, SyncError.None)
+	testing.expect_value(t, result, nil)
+}
+
+@(test)
+test_db_sync_backed_up :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-sync-backup-*")
+	defer os.remove_all(base)
+
+	env_path := fmt.tprintf("%s/.env", base)
+	changed_content := "KEY=changed\n"
+	write_err := os.write_entire_file(env_path, transmute([]u8)changed_content)
+	testing.expect_value(t, write_err, nil)
+
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	defer db_close(&db)
+
+	f := make_test_env_file(env_path, "old_sha", "KEY=original")
+	f.dir = base
+	db_insert(&db, f)
+
+	result, sync_err := db_sync(&db, &f)
+	testing.expect_value(t, sync_err, SyncError.None)
+	testing.expect(t, .BackedUp in result, "should be backed up")
+}
+
+@(test)
+test_db_sync_restored :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-sync-restore-*")
+	defer os.remove_all(base)
+
+	env_path := fmt.tprintf("%s/.env", base)
+
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	defer db_close(&db)
+
+	f := make_test_env_file(env_path, "some_sha", "SECRET=value")
+	f.dir = base
+	defer delete(f.remotes)
+	db_insert(&db, f)
+
+	result, err := db_sync(&db, &f)
+	testing.expect_value(t, err, SyncError.None)
+	testing.expect(t, .Restored in result, "should be restored")
+
+	data, read_err := os.read_entire_file_from_path(env_path, context.temp_allocator)
+	testing.expect_value(t, read_err, nil)
+	if read_err == nil {
+		testing.expect_value(t, string(data), "SECRET=value")
+	}
+}
+
+@(test)
+test_db_sync_dir_missing :: proc(t: ^testing.T) {
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	defer db_close(&db)
+
+	f := make_test_env_file("/nonexistent/path/.env", "sha", "KEY=val")
+	db_insert(&db, f)
+
+	result, err := db_sync(&db, &f)
+	testing.expect_value(t, err, SyncError.DirMissing)
+	testing.expect_value(t, result, nil)
+}
+
+@(test)
+test_db_sync_moved :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-test-sync-moved-*")
+	search_root := fmt.tprintf("%s/search", base)
+	repo_dir := fmt.tprintf("%s/myproject", search_root)
+	git_dir := fmt.tprintf("%s/.git", repo_dir)
+	defer os.remove_all(base)
+
+	os.mkdir_all(git_dir)
+
+	config_content := "[remote \"origin\"]\n\turl = git@github.com:user/repo.git\n"
+	config_path := fmt.tprintf("%s/config", git_dir)
+	write_err := os.write_entire_file(config_path, transmute([]u8)config_content)
+	testing.expect_value(t, write_err, nil)
+
+	db, ok := db_init()
+	testing.expect(t, ok, "failed to create test db")
+	defer db_close(&db)
+
+	db.cfg.scan_config.include = make([dynamic]string, 0, 1, context.temp_allocator)
+	append(&db.cfg.scan_config.include, search_root)
+
+	f := make_test_env_file(
+		"/old/nonexistent/path/.env",
+		"some_sha",
+		"SECRET=value",
+		[]string{"git@github.com:user/repo.git"},
+	)
+	testing.expect(t, db_insert(&db, f), "insert should succeed")
+
+	result, err := db_sync(&db, &f)
+	testing.expect_value(t, err, SyncError.None)
+	if err != .None do return
+	testing.expect(t, .DirUpdated in result, "should have DirUpdated flag")
+	testing.expect(t, .Restored in result, "should have Restored flag")
+
+	expected_path := fmt.tprintf("%s/.env", repo_dir)
+	testing.expect_value(t, f.path, expected_path)
+	testing.expect_value(t, f.dir, repo_dir)
+
+	_, old_exists := db_fetch(&db, "/old/nonexistent/path/.env")
+	testing.expect(t, !old_exists, "old path should be deleted from db")
+
+	new_fetched, new_ok := db_fetch(&db, expected_path)
+	testing.expect(t, new_ok, "new path should exist in db")
+	if new_ok {
+		testing.expect_value(t, new_fetched.contents, "SECRET=value")
+	}
+}
+

docs/cli/envr.md

@@ -0,0 +1,57 @@
+## envr
+
+Manage your .env files.
+
+### Synopsis
+
+envr keeps your .env synced to a local, encrypted database.
+Is a safe and eay way to gather all your .env files in one place where they can
+easily be backed by another tool such as restic or git.
+
+All your data is stored in ~/.envr/data.envr
+
+Getting started is easy:
+
+1. Create your configuration file and set up encrypted storage:
+
+> envr init
+
+2. Scan for existing .env files:
+
+> envr scan
+
+Select the files you want to back up from the interactive list.
+
+3. Verify that it worked:
+
+> envr list
+
+4. After changing any of your .env files, update the backup with:
+
+> envr sync
+
+5. If you lose a repository, after re-cloning the repo into the same path it was
+at before, restore your backup with:
+
+> envr restore ~/<path to repository>/.env
+
+### Options
+
+```
+  -h, --help   help for envr
+```
+
+### SEE ALSO
+
+* [envr backup](envr_backup.md)	 - Import a .env file into envr
+* [envr check](envr_check.md)	 - check if files in the current directory are backed up
+* [envr edit-config](envr_edit-config.md)	 - Edit your config with your default editor
+* [envr init](envr_init.md)	 - Set up envr
+* [envr list](envr_list.md)	 - View your tracked files
+* [envr nushell-completion](envr_nushell-completion.md)	 - Generate custom completions for nushell
+* [envr remove](envr_remove.md)	 - Remove a .env file from your database
+* [envr restore](envr_restore.md)	 - Install a .env file from the database into your file system
+* [envr scan](envr_scan.md)	 - Find and select .env files for backup
+* [envr sync](envr_sync.md)	 - Update or restore your env backups
+* [envr version](envr_version.md)	 - Show envr's version
+

docs/cli/envr_backup.md

@@ -0,0 +1,18 @@
+## envr backup
+
+Import a .env file into envr
+
+```
+envr backup <path> [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for backup
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_check.md

@@ -0,0 +1,18 @@
+## envr check
+
+check if files in the current directory are backed up
+
+```
+envr check [path] [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for check
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_edit-config.md

@@ -0,0 +1,18 @@
+## envr edit-config
+
+Edit your config with your default editor
+
+```
+envr edit-config [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for edit-config
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_init.md

@@ -0,0 +1,28 @@
+## envr init
+
+Set up envr
+
+### Synopsis
+
+The init command generates your initial config and saves it to
+~/.envr/config in JSON format.
+
+During setup, you will be prompted to select one or more ssh keys with which to
+encrypt your databse. **Make 100% sure** that you have **a remote copy** of this
+key somewhere, otherwise your data could be lost forever.
+
+```
+envr init [flags]
+```
+
+### Options
+
+```
+  -f, --force   Overwrite an existing config
+  -h, --help    help for init
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_list.md

@@ -0,0 +1,18 @@
+## envr list
+
+View your tracked files
+
+```
+envr list [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for list
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_nushell-completion.md

@@ -0,0 +1,23 @@
+## envr nushell-completion
+
+Generate custom completions for nushell
+
+### Synopsis
+
+At time of writing, cobra does not natively support nushell,
+so a custom command had to be written
+
+```
+envr nushell-completion [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for nushell-completion
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_remove.md

@@ -0,0 +1,18 @@
+## envr remove
+
+Remove a .env file from your database
+
+```
+envr remove [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for remove
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_restore.md

@@ -0,0 +1,18 @@
+## envr restore
+
+Install a .env file from the database into your file system
+
+```
+envr restore [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for restore
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_scan.md

@@ -0,0 +1,18 @@
+## envr scan
+
+Find and select .env files for backup
+
+```
+envr scan [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for scan
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_sync.md

@@ -0,0 +1,18 @@
+## envr sync
+
+Update or restore your env backups
+
+```
+envr sync [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for sync
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

docs/cli/envr_version.md

@@ -0,0 +1,19 @@
+## envr version
+
+Show envr's version
+
+```
+envr version [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for version
+  -l, --long   Show all version information
+```
+
+### SEE ALSO
+
+* [envr](envr.md)	 - Manage your .env files.
+

findr/findr_test.odin

@@ -0,0 +1,299 @@
+package findr
+
+import "core:os"
+import "core:sort"
+import "core:strings"
+import "core:sys/linux"
+import "core:testing"
+
+// ============================================================================
+// Gitignored file emission tests (emit ONLY gitignored files, descend everywhere)
+// ============================================================================
+
+@(test)
+test_basic_gitignored :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "*.env\n")
+	create_file(env, "repo/.env")
+	create_file(env, "repo/secrets.env")
+	create_file(env, "repo/normal.txt")
+
+	assert_output(t, env, nil, {}, {"repo/.env", "repo/secrets.env"})
+}
+
+@(test)
+test_non_repo_not_scanned :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_dir(env, "norepo")
+	create_file(env, "norepo/.gitignore", "*.env\n")
+	create_file(env, "norepo/.env")
+
+	assert_output_empty(t, env, nil, {})
+}
+
+@(test)
+test_negation_pattern :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "*.env\n!prod.env\n")
+	create_file(env, "repo/.env")
+	create_file(env, "repo/secrets.env")
+	create_file(env, "repo/prod.env")
+
+	assert_output(t, env, nil, {}, {"repo/.env", "repo/secrets.env"})
+}
+
+@(test)
+test_multiple_repos :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo1")
+	create_file(env, "repo1/.gitignore", "*.env\n")
+	create_file(env, "repo1/a.env")
+
+	create_git_repo(env, "repo2")
+	create_file(env, "repo2/.gitignore", "*.key\n")
+	create_file(env, "repo2/secret.key")
+
+	assert_output(t, env, nil, {}, {"repo1/a.env", "repo2/secret.key"})
+}
+
+@(test)
+test_nested_repos :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "parent")
+	create_file(env, "parent/.gitignore", "*.env\n")
+	create_file(env, "parent/top.env")
+
+	create_git_repo(env, "parent/child")
+	create_file(env, "parent/child/.gitignore", "*.key\n")
+	create_file(env, "parent/child/api.key")
+
+	assert_output(t, env, nil, {}, {"parent/top.env", "parent/child/api.key"})
+}
+
+@(test)
+test_nested_gitignore_read :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "*.env\n")
+	create_dir(env, "repo/sub")
+	create_file(env, "repo/sub/.gitignore", "*.txt\n")
+	create_file(env, "repo/sub/secret.txt")
+	create_file(env, "repo/sub/.env")
+
+	assert_output(t, env, nil, {}, {"repo/sub/secret.txt", "repo/sub/.env"})
+}
+
+@(test)
+test_nested_gitignore_negation :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "*.log\n")
+	create_dir(env, "repo/sub")
+	create_file(env, "repo/sub/.gitignore", "!important.log\n")
+	create_file(env, "repo/sub/important.log")
+	create_file(env, "repo/sub/debug.log")
+
+	assert_output(t, env, nil, {}, {"repo/sub/debug.log"})
+}
+
+@(test)
+test_multisegment_pattern :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "build/output.txt\n")
+	create_dir(env, "repo/build")
+	create_file(env, "repo/build/output.txt")
+	create_file(env, "repo/build/other.txt")
+	create_file(env, "repo/output.txt")
+
+	assert_output(t, env, nil, {}, {"repo/build/output.txt"})
+}
+
+@(test)
+test_no_gitignore_file :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.env")
+
+	assert_output_empty(t, env, nil, {})
+}
+
+@(test)
+test_empty_gitignore :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "\n\n# comment\n\n")
+	create_file(env, "repo/.env")
+
+	assert_output_empty(t, env, nil, {})
+}
+
+@(test)
+test_multiple_search_dirs :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "dir1/repo")
+	create_file(env, "dir1/repo/.gitignore", "*.env\n")
+	create_file(env, "dir1/repo/a.env")
+	create_file(env, "dir1/repo/normal.txt")
+
+	create_git_repo(env, "dir2/repo")
+	create_file(env, "dir2/repo/.gitignore", "*.env\n")
+	create_file(env, "dir2/repo/b.env")
+
+	dir1 := join_path(env.temp_dir, "dir1")
+	defer delete(dir1)
+	dir2 := join_path(env.temp_dir, "dir2")
+	defer delete(dir2)
+
+	results := make([dynamic]string)
+	defer {
+		for r in results {delete(r)}
+		delete(results)
+	}
+
+	opts := WalkOptions{}
+	thread_count := os.get_processor_core_count()
+	walk({dir1, dir2}, &results, opts, thread_count)
+
+	testing.expect_value(t, len(results), 2)
+
+	actual := make([dynamic]string, 0, len(results))
+	for r in results {
+		stripped := r
+		if strings.has_prefix(stripped, env.temp_dir) {
+			stripped = stripped[len(env.temp_dir):]
+			if len(stripped) > 0 && stripped[0] == os.Path_Separator {
+				stripped = stripped[1:]
+			}
+		}
+		append(&actual, stripped)
+	}
+	defer delete(actual)
+
+	expected := []string{"dir1/repo/a.env", "dir2/repo/b.env"}
+
+	sort.quick_sort(actual[:])
+	sort.quick_sort(expected[:])
+
+	for i in 0 ..< len(expected) {
+		testing.expect_value(t, actual[i], expected[i])
+	}
+}
+
+// ============================================================================
+// Ignored directory recursion tests
+// ============================================================================
+
+@(test)
+test_ignored_dir_descended :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "secrets/\n")
+	create_dir(env, "repo/secrets")
+	create_file(env, "repo/secrets/.env")
+	create_file(env, "repo/secrets/api.key")
+
+	// Ignored dir's contents are emitted AND descended into
+	assert_output(t, env, nil, {}, {"repo/secrets/", "repo/secrets/.env", "repo/secrets/api.key"})
+}
+
+@(test)
+test_nested_ignored_dir :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "build/\n")
+	create_dir(env, "repo/build")
+	create_dir(env, "repo/build/sub")
+	create_file(env, "repo/build/output.txt")
+	create_file(env, "repo/build/sub/deep.env")
+
+	assert_output(
+		t,
+		env,
+		nil,
+		{},
+		{"repo/build/", "repo/build/output.txt", "repo/build/sub/", "repo/build/sub/deep.env"},
+	)
+}
+
+// ============================================================================
+// Filter tests (excludes, pattern)
+// ============================================================================
+
+@(test)
+test_excludes_prune_dirs :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "*.env\n")
+	create_file(env, "repo/.env")
+	create_dir(env, "repo/vendor")
+	create_file(env, "repo/vendor/lib.env")
+
+	assert_output(t, env, nil, {excludes = {"vendor"}}, {"repo/.env"})
+}
+
+@(test)
+test_pattern_filters_results :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "*.env\n*.key\n")
+	create_file(env, "repo/.env")
+	create_file(env, "repo/secrets.env")
+	create_file(env, "repo/master.key")
+
+	assert_output(t, env, nil, {pattern = "\\.env$"}, {"repo/.env", "repo/secrets.env"})
+}
+
+// ============================================================================
+// Special file type tests
+// ============================================================================
+
+@(test)
+test_fifo_emitted :: proc(t: ^testing.T) {
+	env := create_test_env()
+	defer destroy_test_env(&env)
+
+	create_git_repo(env, "repo")
+	create_file(env, "repo/.gitignore", "*.env\n*.fifo\n")
+
+	fifo_path := join_path(env.temp_dir, "repo/test.fifo")
+	defer delete(fifo_path)
+	cpath := strings.clone_to_cstring(fifo_path)
+	defer delete(cpath)
+	linux.mknod(cpath, linux.S_IFIFO | linux.Mode{.IRUSR, .IWUSR}, 0)
+
+	assert_output(t, env, nil, {pattern = "\\.fifo$"}, {"repo/test.fifo"})
+}
+

findr/gitignore.odin

@@ -0,0 +1,88 @@
+package findr
+
+import "core:strings"
+
+Gitignore :: struct {
+	rules: [dynamic]Rule,
+}
+
+Rule :: struct {
+	pattern:  GlobPattern,
+	negated:  bool,
+	dir_only: bool,
+}
+
+Match :: enum {
+	None,
+	Ignored,
+	Unignored,
+}
+
+is_ignored :: proc(gi: ^Gitignore, path: string, is_dir: bool) -> bool {
+	return check_match(gi, path, is_dir) == .Ignored
+}
+
+check_match :: proc(gi: ^Gitignore, path: string, is_dir: bool) -> Match {
+	result := Match.None
+	for &rule in gi.rules {
+		if rule.dir_only && !is_dir do continue
+		if glob_match_compiled(&rule.pattern, path) {
+			result = rule.negated ? .Unignored : .Ignored
+		}
+	}
+	return result
+}
+
+parse :: proc(content: string) -> Gitignore {
+	gi: Gitignore
+	gi.rules = make([dynamic]Rule)
+
+	remaining := content
+	for {
+		line, ok := strings.split_lines_iterator(&remaining)
+		if !ok do break
+
+		s := strings.trim_space(line)
+		if len(s) == 0 do continue
+		if s[0] == '#' do continue
+
+		negated := false
+		if s[0] == '!' {
+			negated = true
+			s = s[1:]
+		}
+
+		if len(s) > 0 && s[0] == '\\' {
+			if len(s) > 1 && (s[1] == '#' || s[1] == '!') {
+				s = s[1:]
+			}
+		}
+
+		dir_only := false
+		if len(s) > 0 && s[len(s) - 1] == '/' {
+			dir_only = true
+			s = s[:len(s) - 1]
+		}
+
+		anchored := false
+		if len(s) > 0 && s[0] == '/' {
+			anchored = true
+			s = s[1:]
+		}
+
+		if len(s) == 0 do continue
+
+		gp := glob_compile(s, anchored)
+		append(&gi.rules, Rule{pattern = gp, negated = negated, dir_only = dir_only})
+	}
+
+	return gi
+}
+
+destroy :: proc(gi: ^Gitignore) {
+	for &rule in gi.rules {
+		glob_destroy(&rule.pattern)
+	}
+	delete(gi.rules)
+}
+

findr/gitignore_test.odin

@@ -0,0 +1,118 @@
+package findr
+
+import "core:testing"
+
+@(test)
+test_is_ignored_basic :: proc(t: ^testing.T) {
+	gi := parse("*.env\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, is_ignored(&gi, ".env", false), true)
+	testing.expect_value(t, is_ignored(&gi, "foo.env", false), true)
+	testing.expect_value(t, is_ignored(&gi, ".env.local", false), false)
+	testing.expect_value(t, is_ignored(&gi, "config.yaml", false), false)
+}
+
+@(test)
+test_is_ignored_negation :: proc(t: ^testing.T) {
+	gi := parse("*.env\n!.env.production\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, is_ignored(&gi, ".env", false), true)
+	testing.expect_value(t, is_ignored(&gi, ".env.production", false), false)
+}
+
+@(test)
+test_is_ignored_dir_only :: proc(t: ^testing.T) {
+	gi := parse("node_modules/\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, is_ignored(&gi, "node_modules", true), true)
+	testing.expect_value(t, is_ignored(&gi, "node_modules", false), false)
+}
+
+@(test)
+test_is_ignored_anchored :: proc(t: ^testing.T) {
+	gi := parse("/secret.key\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, is_ignored(&gi, "secret.key", false), true)
+}
+
+@(test)
+test_is_ignored_comments_skipped :: proc(t: ^testing.T) {
+	gi := parse("# this is a comment\n#another\n*.tmp\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, len(gi.rules), 1)
+	testing.expect_value(t, is_ignored(&gi, "file.tmp", false), true)
+}
+
+@(test)
+test_is_ignored_blank_lines_skipped :: proc(t: ^testing.T) {
+	gi := parse("\n\n  \n*.log\n\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, len(gi.rules), 1)
+}
+
+@(test)
+test_is_ignored_last_match_wins :: proc(t: ^testing.T) {
+	gi := parse("*.env\n!*.env\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, is_ignored(&gi, ".env", false), false)
+}
+
+@(test)
+test_is_ignored_no_rules :: proc(t: ^testing.T) {
+	gi := parse("")
+	defer destroy(&gi)
+
+	testing.expect_value(t, is_ignored(&gi, "anything", false), false)
+}
+
+@(test)
+test_is_ignored_env_pattern :: proc(t: ^testing.T) {
+	gi := parse(".env*\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, is_ignored(&gi, ".env", false), true)
+	testing.expect_value(t, is_ignored(&gi, ".env.local", false), true)
+	testing.expect_value(t, is_ignored(&gi, ".envrc", false), true)
+}
+
+@(test)
+test_is_ignored_globstar :: proc(t: ^testing.T) {
+	gi := parse("**/cache\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, is_ignored(&gi, "cache", false), true)
+	testing.expect_value(t, is_ignored(&gi, "foo/cache", false), true)
+	testing.expect_value(t, is_ignored(&gi, "foo/bar/cache", false), true)
+}
+
+@(test)
+test_star_negation_subpath :: proc(t: ^testing.T) {
+	gi := parse("*\n!public/\n")
+	defer destroy(&gi)
+
+	// public dir itself is un-ignored
+	testing.expect_value(t, is_ignored(&gi, "public", true), false)
+	// children of public/ should still be ignored by *
+	testing.expect_value(t, is_ignored(&gi, "public/uuid-dir", true), true)
+	testing.expect_value(t, is_ignored(&gi, "public/uuid-dir/file.txt", false), true)
+}
+
+@(test)
+test_is_ignored_hash_pattern :: proc(t: ^testing.T) {
+	gi := parse("\\#*\\#\n")
+	defer destroy(&gi)
+
+	testing.expect_value(t, is_ignored(&gi, "#foo#", false), true)
+	testing.expect_value(t, is_ignored(&gi, "#test#", false), true)
+	testing.expect_value(t, is_ignored(&gi, "AUTHORS", false), false)
+	testing.expect_value(t, is_ignored(&gi, "build.zig", false), false)
+	testing.expect_value(t, is_ignored(&gi, "ChangeLog", false), false)
+}
+

findr/glob.odin

@@ -0,0 +1,203 @@
+package findr
+
+Range :: struct {
+	lo: u8,
+	hi: u8,
+}
+
+Class_Data :: struct {
+	negated: bool,
+	ranges:  [dynamic]Range,
+}
+
+Token_Kind :: enum u8 { Char, Star, Globstar, Question, Class }
+
+Token :: struct {
+	kind:      Token_Kind,
+	byte:      u8,
+	class_idx: u16,
+}
+
+GlobPattern :: struct {
+	tokens:   [dynamic]Token,
+	classes:  [dynamic]Class_Data,
+	anchored: bool,
+}
+
+glob_compile :: proc(pattern: string, anchored: bool) -> GlobPattern {
+	gp: GlobPattern
+	gp.tokens = make([dynamic]Token)
+	gp.classes = make([dynamic]Class_Data)
+	gp.anchored = anchored
+
+	i := 0
+	for i < len(pattern) {
+		c := pattern[i]
+
+		if c == '*' {
+			if i + 1 < len(pattern) && pattern[i + 1] == '*' {
+				prev_slash := i == 0 || pattern[i - 1] == '/'
+				at_end := i + 2 >= len(pattern)
+				next_slash := !at_end && pattern[i + 2] == '/'
+
+				if prev_slash && (next_slash || at_end) {
+					append(&gp.tokens, Token{kind = .Globstar})
+					if next_slash {
+						i += 3
+					} else {
+						i += 2
+					}
+				} else {
+					append(&gp.tokens, Token{kind = .Star})
+					i += 2
+				}
+			} else {
+				append(&gp.tokens, Token{kind = .Star})
+				i += 1
+			}
+		} else if c == '?' {
+			append(&gp.tokens, Token{kind = .Question})
+			i += 1
+		} else if c == '[' {
+			i += 1
+			negated := false
+			if i < len(pattern) && pattern[i] == '!' {
+				negated = true
+				i += 1
+			}
+
+			ranges := make([dynamic]Range)
+
+			if i < len(pattern) && pattern[i] == ']' {
+				append(&ranges, Range{lo = ']', hi = ']'})
+				i += 1
+			}
+
+			for i < len(pattern) && pattern[i] != ']' {
+				if i + 2 < len(pattern) && pattern[i + 1] == '-' && pattern[i + 2] != ']' {
+					append(&ranges, Range{lo = pattern[i], hi = pattern[i + 2]})
+					i += 3
+				} else {
+					append(&ranges, Range{lo = pattern[i], hi = pattern[i]})
+					i += 1
+				}
+			}
+
+			if i < len(pattern) {
+				i += 1
+			}
+
+			class_idx := u16(len(gp.classes))
+			append(&gp.classes, Class_Data{negated = negated, ranges = ranges})
+			append(&gp.tokens, Token{kind = .Class, class_idx = class_idx})
+		} else if c == '\\' {
+			i += 1
+			if i < len(pattern) {
+				append(&gp.tokens, Token{kind = .Char, byte = pattern[i]})
+				i += 1
+			}
+		} else {
+			append(&gp.tokens, Token{kind = .Char, byte = c})
+			i += 1
+		}
+	}
+
+	return gp
+}
+
+match_tokens :: proc(tokens: []Token, classes: []Class_Data, ti: int, path: string, pi: int) -> bool {
+	if ti >= len(tokens) {
+		return pi == len(path)
+	}
+
+	tok := tokens[ti]
+	switch tok.kind {
+	case .Char:
+		if pi < len(path) && path[pi] == tok.byte {
+			return match_tokens(tokens, classes, ti + 1, path, pi + 1)
+		}
+		return false
+
+	case .Question:
+		if pi < len(path) && path[pi] != '/' {
+			return match_tokens(tokens, classes, ti + 1, path, pi + 1)
+		}
+		return false
+
+	case .Star:
+		max_end := pi
+		for max_end < len(path) && path[max_end] != '/' {
+			max_end += 1
+		}
+		for end := max_end; end >= pi; end -= 1 {
+			if match_tokens(tokens, classes, ti + 1, path, end) {
+				return true
+			}
+		}
+		return false
+
+	case .Globstar:
+		if ti + 1 >= len(tokens) {
+			return true
+		}
+		if match_tokens(tokens, classes, ti + 1, path, pi) {
+			return true
+		}
+		for end := pi + 1; end <= len(path); end += 1 {
+			if path[end - 1] == '/' {
+				if match_tokens(tokens, classes, ti + 1, path, end) {
+					return true
+				}
+			}
+		}
+		return false
+
+	case .Class:
+		if pi >= len(path) {
+			return false
+		}
+		cd := classes[tok.class_idx]
+		ch := path[pi]
+		in_range := false
+		for r in cd.ranges {
+			if ch >= r.lo && ch <= r.hi {
+				in_range = true
+				break
+			}
+		}
+		if in_range != cd.negated {
+			return match_tokens(tokens, classes, ti + 1, path, pi + 1)
+		}
+		return false
+	}
+	return false
+}
+
+glob_match_compiled :: proc(gp: ^GlobPattern, path: string) -> bool {
+	tokens := gp.tokens[:]
+	classes := gp.classes[:]
+
+	if gp.anchored {
+		return match_tokens(tokens, classes, 0, path, 0)
+	}
+
+	if match_tokens(tokens, classes, 0, path, 0) {
+		return true
+	}
+	for i := 1; i < len(path); i += 1 {
+		if path[i - 1] == '/' {
+			if match_tokens(tokens, classes, 0, path, i) {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+glob_destroy :: proc(gp: ^GlobPattern) {
+	for &cd in gp.classes {
+		delete(cd.ranges)
+	}
+	delete(gp.classes)
+	delete(gp.tokens)
+}

findr/glob_test.odin

@@ -0,0 +1,111 @@
+package findr
+
+import "core:testing"
+
+glob_match :: proc(pattern: string, path: string, anchored: bool) -> bool {
+	gp := glob_compile(pattern, anchored)
+	result := glob_match_compiled(&gp, path)
+	glob_destroy(&gp)
+	return result
+}
+
+@(test)
+test_glob_simple :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("foo", "foo", false))
+	testing.expect(t, glob_match("foo", "bar/foo", false))
+	testing.expect(t, !glob_match("foo", "foobar", false))
+	testing.expect(t, !glob_match("foo", "foo/bar", false))
+}
+
+@(test)
+test_glob_anchored :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("foo", "foo", true))
+	testing.expect(t, !glob_match("foo", "bar/foo", true))
+	testing.expect(t, !glob_match("foo", "foobar", true))
+}
+
+@(test)
+test_glob_star :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("*.log", "test.log", false))
+	testing.expect(t, glob_match("*.log", ".log", false))
+	testing.expect(t, !glob_match("*.log", "test.txt", false))
+	testing.expect(t, !glob_match("*.log", "dir/test", false))
+}
+
+@(test)
+test_glob_question :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("?.log", "a.log", false))
+	testing.expect(t, !glob_match("?.log", "ab.log", false))
+	testing.expect(t, !glob_match("?.log", ".log", false))
+}
+
+@(test)
+test_glob_char_class :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("[abc].log", "a.log", false))
+	testing.expect(t, glob_match("[abc].log", "b.log", false))
+	testing.expect(t, !glob_match("[abc].log", "d.log", false))
+}
+
+@(test)
+test_glob_negated_class :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("[!abc].log", "d.log", false))
+	testing.expect(t, !glob_match("[!abc].log", "a.log", false))
+}
+
+@(test)
+test_glob_dot_literal :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match(".env", ".env", false))
+	testing.expect(t, glob_match(".env", "dir/.env", false))
+	testing.expect(t, !glob_match(".env", "env", false))
+	testing.expect(t, !glob_match(".env", "x.env", false))
+}
+
+@(test)
+test_glob_globstar_prefix :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("**/foo", "foo", false))
+	testing.expect(t, glob_match("**/foo", "a/b/foo", false))
+	testing.expect(t, !glob_match("**/foo", "foobar", false))
+	testing.expect(t, !glob_match("**/foo", "a/foobar", false))
+}
+
+@(test)
+test_glob_globstar_suffix :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("abc/**", "abc/x", false))
+	testing.expect(t, glob_match("abc/**", "abc/x/y", false))
+	testing.expect(t, !glob_match("abc/**", "abc", false))
+	testing.expect(t, !glob_match("abc/**", "abcd/x", false))
+}
+
+@(test)
+test_glob_globstar_middle :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("foo/**/bar", "foo/bar", false))
+	testing.expect(t, glob_match("foo/**/bar", "foo/x/bar", false))
+	testing.expect(t, !glob_match("foo/**/bar", "foo/barx", false))
+	testing.expect(t, !glob_match("foo/**/bar", "foo/x/y/baz", false))
+}
+
+@(test)
+test_glob_backslash_escape :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("\\!foo", "!foo", false))
+	testing.expect(t, !glob_match("\\!foo", "foo", false))
+}
+
+@(test)
+test_glob_hash_literal :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("#foo", "#foo", false))
+	testing.expect(t, !glob_match("#foo", "foo", false))
+}
+
+@(test)
+test_glob_hash_pattern :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("#*#", "#test#", false))
+	testing.expect(t, glob_match("#*#", "##", false))
+	testing.expect(t, !glob_match("#*#", "test", false))
+	testing.expect(t, !glob_match("#*#", "#test", false))
+}
+
+@(test)
+test_glob_empty :: proc(t: ^testing.T) {
+	testing.expect(t, glob_match("", "", false))
+	testing.expect(t, !glob_match("", "foo", false))
+}

findr/repos.odin

@@ -0,0 +1,128 @@
+package findr
+
+import "core:strings"
+import "core:sync"
+import "core:sys/linux"
+import "core:thread"
+
+RepoPool :: struct {
+	queue:        [dynamic]string,
+	queue_mutex:  sync.Mutex,
+	queue_sema:   sync.Atomic_Sema,
+	results:      ^[dynamic]string,
+	results_lock: sync.Mutex,
+	active:       i64,
+	done:         sync.One_Shot_Event,
+	threads:      []^thread.Thread,
+}
+
+find_repos :: proc(roots: []string, results: ^[dynamic]string, thread_count: int) {
+	if len(roots) == 0 do return
+
+	pool := new(RepoPool)
+	pool.queue = make([dynamic]string)
+	pool.results = results
+	pool.active = i64(len(roots))
+	pool.threads = make([]^thread.Thread, thread_count)
+
+	for root in roots {
+		root_clone := strings.clone(root)
+		append(&pool.queue, root_clone)
+		sync.atomic_sema_post(&pool.queue_sema)
+	}
+
+	for i in 0 ..< thread_count {
+		t := thread.create(repo_worker)
+		t.data = rawptr(pool)
+		t.init_context = context
+		thread.start(t)
+		pool.threads[i] = t
+	}
+
+	sync.one_shot_event_wait(&pool.done)
+
+	for _ in 0 ..< thread_count {
+		sync.atomic_sema_post(&pool.queue_sema)
+	}
+
+	for t in pool.threads {
+		thread.destroy(t)
+	}
+	delete(pool.threads)
+
+	for path in pool.queue {
+		delete(path)
+	}
+	delete(pool.queue)
+
+	free(pool)
+}
+
+repo_worker :: proc(t: ^thread.Thread) {
+	pool := cast(^RepoPool)t.data
+
+	for {
+		sync.atomic_sema_wait(&pool.queue_sema)
+
+		sync.mutex_lock(&pool.queue_mutex)
+		if len(pool.queue) == 0 {
+			sync.mutex_unlock(&pool.queue_mutex)
+			if sync.atomic_load_explicit(&pool.active, .Acquire) == 0 {
+				sync.one_shot_event_signal(&pool.done)
+			}
+			break
+		}
+		last := len(pool.queue) - 1
+		dir_path := pool.queue[last]
+		ordered_remove(&pool.queue, last)
+		sync.mutex_unlock(&pool.queue_mutex)
+
+		process_repo_dir(pool, dir_path)
+		delete(dir_path)
+
+		old := sync.atomic_sub_explicit(&pool.active, 1, .Release)
+		if old == 1 {
+			sync.one_shot_event_signal(&pool.done)
+		}
+	}
+}
+
+process_repo_dir :: proc(pool: ^RepoPool, dir_path: string) {
+	cpath := strings.clone_to_cstring(dir_path)
+	if cpath == nil do return
+	defer delete(cpath)
+
+	fd, open_err := linux.open(cpath, {.DIRECTORY, .CLOEXEC})
+	if open_err != .NONE do return
+	defer linux.close(fd)
+
+	if has_git_dir(fd) {
+		cloned := strings.clone(dir_path)
+		sync.mutex_lock(&pool.results_lock)
+		append(pool.results, cloned)
+		sync.mutex_unlock(&pool.results_lock)
+	}
+
+	buf: [32 * 1024]u8
+
+	for {
+		n, errno := linux.getdents(fd, buf[:])
+		if n <= 0 || errno != .NONE do break
+
+		offs := 0
+		for d in linux.dirent_iterate_buf(buf[:n], &offs) {
+			name := linux.dirent_name(d)
+			if name == "." || name == ".." do continue
+			if name == ".git" do continue
+
+			if d.type == .DIR {
+				child_path := join_path(dir_path, name)
+				sync.atomic_add_explicit(&pool.active, 1, .Relaxed)
+				sync.mutex_lock(&pool.queue_mutex)
+				append(&pool.queue, child_path)
+				sync.mutex_unlock(&pool.queue_mutex)
+				sync.atomic_sema_post(&pool.queue_sema)
+			}
+		}
+	}
+}

findr/test_env.odin

@@ -0,0 +1,148 @@
+package findr
+
+import "core:fmt"
+import "core:log"
+import "core:os"
+import "core:sort"
+import "core:strings"
+import "core:testing"
+
+TestEnv :: struct {
+	temp_dir: string,
+}
+
+create_test_env :: proc() -> (env: TestEnv) {
+	tmp, err := os.mkdir_temp("", "findr-test-*", context.allocator)
+	if err != nil {
+		log.error("Failed to create temp dir:", err)
+		panic("Failed to create temp dir")
+	}
+
+	env.temp_dir = tmp
+	return
+}
+
+destroy_test_env :: proc(env: ^TestEnv) {
+	os.remove_all(env.temp_dir)
+	delete(env.temp_dir)
+}
+
+create_dir :: proc(env: TestEnv, path: string) {
+	full := join_path(env.temp_dir, path)
+	defer delete(full)
+	os.mkdir_all(full, os.Permissions_Default_Directory)
+}
+
+create_file :: proc(env: TestEnv, path: string, content: string = "") {
+	full := join_path(env.temp_dir, path)
+	defer delete(full)
+
+	dir_end := strings.last_index(full, os.Path_Separator_String)
+	if dir_end >= 0 {
+		dir_path := full[:dir_end]
+		os.mkdir_all(dir_path, os.Permissions_Default_Directory)
+	}
+
+	f, err := os.create(full)
+	if err != nil {
+		log.error("Failed to create file:", full, err)
+		return
+	}
+	if len(content) > 0 {
+		os.write_string(f, content)
+	}
+	os.close(f)
+}
+
+create_git_repo :: proc(env: TestEnv, path: string) {
+	sub := join_path(path, ".git")
+	defer delete(sub)
+	create_dir(env, sub)
+}
+
+assert_output :: proc(
+	t: ^testing.T,
+	env: TestEnv,
+	args: []string,
+	opts: WalkOptions,
+	expected: []string,
+) {
+	results := collect_results(env, args, opts)
+	defer {
+		for r in results {delete(r)}
+		delete(results)
+	}
+
+	sorted_expected := make([dynamic]string, 0, len(expected))
+	for e in expected {append(&sorted_expected, e)}
+	defer delete(sorted_expected)
+
+	sorted_actual := make([dynamic]string, 0, len(results))
+	for a in results {append(&sorted_actual, a)}
+	defer delete(sorted_actual)
+
+	sort.quick_sort(sorted_expected[:])
+	sort.quick_sort(sorted_actual[:])
+
+	if len(sorted_expected) != len(sorted_actual) {
+		testing.fail(t)
+		log.error(
+			fmt.tprintf("Expected %d results, got %d", len(sorted_expected), len(sorted_actual)),
+		)
+		log.error("Expected:", sorted_expected[:])
+		log.error("Actual:  ", sorted_actual[:])
+		return
+	}
+
+	for i in 0 ..< len(sorted_expected) {
+		if sorted_expected[i] != sorted_actual[i] {
+			testing.fail(t)
+			log.error(fmt.tprintf("Mismatch at index %d", i))
+			log.error("Expected:", sorted_expected[:])
+			log.error("Actual:  ", sorted_actual[:])
+			return
+		}
+	}
+}
+
+assert_output_empty :: proc(t: ^testing.T, env: TestEnv, args: []string, opts: WalkOptions) {
+	results := collect_results(env, args, opts)
+	defer {
+		for r in results {delete(r)}
+		delete(results)
+	}
+	if len(results) > 0 {
+		testing.fail(t)
+		log.error(fmt.tprintf("Expected no results, got %d:", len(results)))
+		for r in results {
+			log.error("  ", r)
+		}
+	}
+}
+
+collect_results :: proc(env: TestEnv, args: []string, opts: WalkOptions) -> [dynamic]string {
+	results := make([dynamic]string)
+
+	full_args := make([dynamic]string, 0, len(args) + 1, context.temp_allocator)
+	append(&full_args, env.temp_dir)
+	for a in args {append(&full_args, a)}
+
+	thread_count := os.get_processor_core_count()
+	walk(full_args[:], &results, opts, thread_count)
+
+	for i in 0 ..< len(results) {
+		r := results[i]
+		if strings.has_prefix(r, env.temp_dir) {
+			stripped := r[len(env.temp_dir):]
+			if len(stripped) > 0 && stripped[0] == os.Path_Separator {
+				stripped = stripped[1:]
+			}
+			new_r := strings.clone(stripped)
+			delete(r)
+			results[i] = new_r
+		}
+	}
+
+	return results
+}
+

findr/walker.odin

@@ -0,0 +1,460 @@
+package findr
+
+import "core:bytes"
+import "core:fmt"
+import "core:os"
+import "core:strings"
+import "core:sync"
+import "core:sync/chan"
+import "core:sys/linux"
+import "core:text/regex"
+import "core:thread"
+
+OUTPUT_BUF_SIZE :: 64 * 1024
+
+WalkOptions :: struct {
+	pattern:  string, // regex on basename; "" = match all
+	excludes: []string, // glob patterns to skip entirely
+}
+
+GIContext :: struct {
+	gi:       ^Gitignore, // nil if this dir had no .gitignore
+	base_rel: string, // relative path from repo root to this dir
+	parent:   ^GIContext, // parent context (nil if repo root)
+}
+
+WorkItem :: struct {
+	path:       string, // absolute directory path
+	rel:        string, // relative path from repo root ("" = root)
+	gi_ctx:     ^GIContext, // gitignore chain (nil = outside any repo)
+	in_repo:    bool, // true if inside a git repo
+	in_ignored: bool, // true if inside a gitignored directory
+}
+
+WalkerPool :: struct {
+	queue:         [dynamic]WorkItem,
+	queue_mutex:   sync.Mutex,
+	queue_sema:    sync.Atomic_Sema,
+	result_chan:   chan.Chan([]u8),
+	active:        i64,
+	done:          sync.One_Shot_Event,
+	threads:       []^thread.Thread,
+	opts:          WalkOptions,
+	pattern_re:    regex.Regular_Expression,
+	has_pattern:   bool,
+	exclude_gi:    ^Gitignore,
+	all_contexts:  [dynamic]^GIContext,
+	contexts_lock: sync.Mutex,
+}
+
+Collector_Data :: struct {
+	ch:      chan.Chan([]u8),
+	results: ^[dynamic]string,
+}
+
+collect_worker :: proc(t: ^thread.Thread) {
+	data := cast(^Collector_Data)t.data
+	for {
+		batch := chan.recv(data.ch) or_break
+		defer delete(batch)
+
+		start := 0
+		for {
+			remaining: []u8
+			#no_bounds_check {remaining = batch[start:]}
+
+			idx := bytes.index_byte(remaining, '\n')
+			if idx < 0 do break
+
+			i := start + idx
+			if i > start {
+				segment: []u8
+				#no_bounds_check {segment = batch[start:i]}
+				s, _ := strings.clone(string(segment))
+				append(data.results, s)
+			}
+			start = i + 1
+		}
+	}
+}
+
+walk :: proc(roots: []string, results: ^[dynamic]string, opts: WalkOptions, thread_count: int) {
+	if len(roots) == 0 do return
+
+	ch, _ := chan.create(chan.Chan([]u8), max(2 * thread_count, 2), context.allocator)
+	defer chan.destroy(ch)
+
+	data := new(Collector_Data)
+	data.ch = ch
+	data.results = results
+	defer free(data)
+
+	collector := thread.create(collect_worker)
+	collector.data = rawptr(data)
+	collector.init_context = context
+	thread.start(collector)
+
+	pool := new(WalkerPool)
+	pool.queue = make([dynamic]WorkItem)
+	pool.result_chan = ch
+	pool.active = i64(len(roots))
+	pool.threads = make([]^thread.Thread, thread_count)
+	pool.all_contexts = make([dynamic]^GIContext)
+	pool.opts = opts
+	pool.exclude_gi = nil
+	pool.has_pattern = false
+
+	if len(opts.pattern) > 0 {
+		re, err := regex.create(opts.pattern, {regex.Flag.No_Capture})
+		if err == nil {
+			pool.pattern_re = re
+			pool.has_pattern = true
+		}
+	}
+
+	if len(opts.excludes) > 0 {
+		sb: strings.Builder
+		strings.builder_init(&sb)
+		for ex in opts.excludes {
+			fmt.sbprintf(&sb, "%s\n", ex)
+		}
+		content := strings.to_string(sb)
+		pool.exclude_gi = new(Gitignore)
+		pool.exclude_gi^ = parse(content)
+		strings.builder_destroy(&sb)
+	}
+
+	for root in roots {
+		root_clone, _ := strings.clone(root)
+		append(&pool.queue, WorkItem{path = root_clone})
+		sync.atomic_sema_post(&pool.queue_sema)
+	}
+
+	for i in 0 ..< thread_count {
+		t := thread.create(walk_worker)
+		t.data = rawptr(pool)
+		t.init_context = context
+		thread.start(t)
+		pool.threads[i] = t
+	}
+
+	sync.one_shot_event_wait(&pool.done)
+
+	for _ in 0 ..< thread_count {
+		sync.atomic_sema_post(&pool.queue_sema)
+	}
+
+	for t in pool.threads {
+		thread.destroy(t)
+	}
+	delete(pool.threads)
+	for item in pool.queue {
+		delete(item.path)
+		if len(item.rel) > 0 {delete(item.rel)}
+	}
+	delete(pool.queue)
+
+	for ctx in pool.all_contexts {
+		if ctx.gi != nil {
+			destroy(ctx.gi)
+			free(ctx.gi)
+		}
+		if len(ctx.base_rel) > 0 {
+			delete(ctx.base_rel)
+		}
+		free(ctx)
+	}
+	delete(pool.all_contexts)
+
+	if pool.has_pattern {
+		regex.destroy(pool.pattern_re)
+	}
+	if pool.exclude_gi != nil {
+		destroy(pool.exclude_gi)
+		free(pool.exclude_gi)
+	}
+
+	free(pool)
+
+	chan.close(ch)
+	thread.join(collector)
+	thread.destroy(collector)
+}
+
+flush_buf :: proc(ch: chan.Chan([]u8), local: ^[dynamic]u8) {
+	if len(local) == 0 do return
+	batch := local[:]
+	local^ = make([dynamic]u8, 0, OUTPUT_BUF_SIZE)
+	chan.send(ch, batch)
+}
+
+append_path :: proc(buf: ^[dynamic]u8, parent, name: string, trailing_slash: bool) {
+	need_sep := len(parent) > 0 && parent[len(parent) - 1] != os.Path_Separator
+	size := len(parent) + len(name) + 1
+	if need_sep do size += 1
+	if trailing_slash do size += 1
+
+	old_len := len(buf)
+	reserve(buf, old_len + size)
+	resize(buf, old_len + size)
+
+	pos := old_len
+	pos += copy(buf[pos:], parent)
+	if need_sep {buf[pos] = os.Path_Separator; pos += 1}
+	pos += copy(buf[pos:], name)
+	if trailing_slash {buf[pos] = os.Path_Separator; pos += 1}
+	buf[pos] = '\n'
+}
+
+walk_worker :: proc(t: ^thread.Thread) {
+	pool := cast(^WalkerPool)t.data
+
+	local_buf := make([dynamic]u8, 0, OUTPUT_BUF_SIZE)
+	defer {
+		if len(local_buf) > 0 {
+			flush_buf(pool.result_chan, &local_buf)
+		}
+		delete(local_buf)
+	}
+
+	for {
+		sync.atomic_sema_wait(&pool.queue_sema)
+
+		sync.mutex_lock(&pool.queue_mutex)
+		if len(pool.queue) == 0 {
+			sync.mutex_unlock(&pool.queue_mutex)
+			if sync.atomic_load_explicit(&pool.active, .Acquire) == 0 {
+				sync.one_shot_event_signal(&pool.done)
+			}
+			break
+		}
+		last := len(pool.queue) - 1
+		item := pool.queue[last]
+		ordered_remove(&pool.queue, last)
+		sync.mutex_unlock(&pool.queue_mutex)
+
+		process_dir(pool, item, &local_buf)
+		delete(item.path)
+		if len(item.rel) > 0 {delete(item.rel)}
+
+		if len(local_buf) >= OUTPUT_BUF_SIZE {
+			flush_buf(pool.result_chan, &local_buf)
+		}
+
+		old := sync.atomic_sub_explicit(&pool.active, 1, .Release)
+		if old == 1 {
+			sync.one_shot_event_signal(&pool.done)
+		}
+	}
+}
+
+process_dir :: proc(pool: ^WalkerPool, item: WorkItem, local_buf: ^[dynamic]u8) {
+	dir_path := item.path
+
+	cpath := strings.clone_to_cstring(dir_path)
+	if cpath == nil do return
+	defer delete(cpath)
+
+	fd, open_err := linux.open(cpath, {.DIRECTORY, .CLOEXEC})
+	if open_err != .NONE do return
+	defer linux.close(fd)
+
+	has_git := false
+	if !item.in_ignored {
+		has_git = has_git_dir(fd)
+	}
+
+	gi_ctx := item.gi_ctx
+	rel := item.rel
+
+	if has_git {
+		gi_ctx = nil
+		rel = ""
+	}
+
+	child_in_repo := has_git || item.in_repo
+
+	gi: ^Gitignore = nil
+	if !item.in_ignored {
+		gi = load_ignore_patterns(dir_path, child_in_repo)
+	}
+	if gi != nil {
+		new_ctx := new(GIContext)
+		new_ctx.gi = gi
+		if len(rel) > 0 {
+			new_ctx.base_rel, _ = strings.clone(rel)
+		}
+		new_ctx.parent = gi_ctx
+
+		sync.mutex_lock(&pool.contexts_lock)
+		append(&pool.all_contexts, new_ctx)
+		sync.mutex_unlock(&pool.contexts_lock)
+
+		gi_ctx = new_ctx
+	}
+
+	buf: [32 * 1024]u8
+	rel_buf: [4096]u8
+
+	for {
+		n, errno := linux.getdents(fd, buf[:])
+		if n <= 0 || errno != .NONE do break
+
+		offs := 0
+		for d in linux.dirent_iterate_buf(buf[:n], &offs) {
+			name := linux.dirent_name(d)
+			if name == "." || name == ".." do continue
+			if name == ".git" do continue
+
+			is_dir := d.type == .DIR
+			is_nondir := d.type != .DIR
+
+			if pool.exclude_gi != nil && is_ignored(pool.exclude_gi, name, is_dir) {
+				continue
+			}
+
+			entry_rel := build_rel(rel_buf[:], rel, name)
+
+			ignored := false
+			if item.in_ignored {
+				ignored = true
+			} else if gi_ctx != nil {
+				ignored = check_chain(gi_ctx, entry_rel, is_dir)
+			}
+
+			if is_dir {
+				if ignored && matches_pattern(pool, name) {
+					append_path(local_buf, dir_path, name, true)
+				}
+				child_rel, _ := strings.clone(entry_rel)
+				child_path := join_path(dir_path, name)
+				push_work(
+					pool,
+					WorkItem {
+						path = child_path,
+						rel = child_rel,
+						gi_ctx = gi_ctx,
+						in_repo = child_in_repo,
+						in_ignored = ignored,
+					},
+				)
+			} else if is_nondir {
+				if ignored && matches_pattern(pool, name) {
+					append_path(local_buf, dir_path, name, false)
+				}
+			}
+		}
+	}
+}
+
+check_chain :: proc(ctx: ^GIContext, entry_rel: string, is_dir: bool) -> bool {
+	c := ctx
+	for c != nil {
+		if c.gi != nil {
+			rel := relative_to(entry_rel, c.base_rel)
+			match := check_match(c.gi, rel, is_dir)
+			if match != .None {
+				return match == .Ignored
+			}
+		}
+		c = c.parent
+	}
+	return false
+}
+
+// TODO: Is this a copy of something in the core packages?
+relative_to :: proc(entry_rel, base_rel: string) -> string {
+	if len(base_rel) == 0 do return entry_rel
+	prefix_len := len(base_rel)
+	if len(entry_rel) > prefix_len &&
+	   entry_rel[prefix_len] == '/' &&
+	   strings.has_prefix(entry_rel, base_rel) {
+		return entry_rel[prefix_len + 1:]
+	}
+	return entry_rel
+}
+
+build_rel :: proc(buf: []u8, rel, name: string) -> string {
+	if len(rel) == 0 do return name
+	pos := copy(buf, rel)
+	if pos < len(buf) {
+		buf[pos] = '/'
+		pos += 1
+		pos += copy(buf[pos:], name)
+	}
+	return string(buf[:pos])
+}
+
+matches_pattern :: proc(pool: ^WalkerPool, name: string) -> bool {
+	if !pool.has_pattern do return true
+	cap, ok := regex.match(pool.pattern_re, name)
+	regex.destroy(cap)
+	return ok
+}
+
+push_work :: proc(pool: ^WalkerPool, item: WorkItem) {
+	sync.atomic_add_explicit(&pool.active, 1, .Relaxed)
+	sync.mutex_lock(&pool.queue_mutex)
+	append(&pool.queue, item)
+	sync.mutex_unlock(&pool.queue_mutex)
+	sync.atomic_sema_post(&pool.queue_sema)
+}
+
+has_git_dir :: proc(fd: linux.Fd) -> bool {
+	git_fd, err := linux.openat(fd, ".git", {.DIRECTORY, .CLOEXEC})
+	if err == .NONE {
+		linux.close(git_fd)
+		return true
+	}
+	return false
+}
+
+load_ignore_patterns :: proc(dir_path: string, in_repo: bool) -> ^Gitignore {
+	has_patterns := false
+	sb: strings.Builder
+	strings.builder_init(&sb)
+	defer strings.builder_destroy(&sb)
+
+	if in_repo {
+		gi_path := join_path(dir_path, ".gitignore")
+		data, err := os.read_entire_file_from_path(gi_path, context.allocator)
+		delete(gi_path)
+		if err == .NONE {
+			fmt.sbprintf(&sb, "%s", string(data))
+			delete(data)
+			has_patterns = true
+		}
+	}
+
+	ig_path := join_path(dir_path, ".ignore")
+	idata, ierr := os.read_entire_file_from_path(ig_path, context.allocator)
+	delete(ig_path)
+	if ierr == .NONE {
+		fmt.sbprintf(&sb, "%s", string(idata))
+		delete(idata)
+		has_patterns = true
+	}
+
+	if !has_patterns do return nil
+
+	content := strings.to_string(sb)
+	gi := new(Gitignore)
+	gi^ = parse(content)
+	return gi
+}
+
+// TODO: Is this a copy of core package behavior?
+join_path :: proc(parent, child: string) -> string {
+	need_sep := len(parent) == 0 || parent[len(parent) - 1] != os.Path_Separator
+	total := len(parent) + len(child)
+	if need_sep do total += 1
+	buf := make([]u8, total, context.allocator)
+	pos := copy(buf, parent)
+	if need_sep {
+		buf[pos] = os.Path_Separator
+		pos += 1
+	}
+	copy(buf[pos:], child)
+	return string(buf)
+}
+

fixtures/keys/insecure-test-key

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCbll0MJper9prPwGn2wwikH3hTByL8tlzmhViuvfrryAAAAJCkxfzapMX8
+2gAAAAtzc2gtZWQyNTUxOQAAACCbll0MJper9prPwGn2wwikH3hTByL8tlzmhViuvfrryA
+AAAEDXQExhs89b3fjqJHkhuo9QX4JEjXiEC+vSnCAYc8OxcpuWXQwml6v2ms/AafbDCKQf
+eFMHIvy2XOaFWK69+uvIAAAACnNwZW5jZXJAZncBAgM=
+-----END OPENSSH PRIVATE KEY-----

fixtures/keys/insecure-test-key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJuWXQwml6v2ms/AafbDCKQfeFMHIvy2XOaFWK69+uvI spencer@fw

fixtures/keys/test_ed25519

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC4CdhiPHmU44cyy9UZV1ISnDq9RbYl1m1qTYOXaSNougAAAIg+8A82PvAP
+NgAAAAtzc2gtZWQyNTUxOQAAACC4CdhiPHmU44cyy9UZV1ISnDq9RbYl1m1qTYOXaSNoug
+AAAEAalxEoCavixCImtND1I0YHZZjhOrBLxk//t9v0sjYNVLgJ2GI8eZTjhzLL1RlXUhKc
+Or1FtiXWbWpNg5dpI2i6AAAABHRlc3QB
+-----END OPENSSH PRIVATE KEY-----

fixtures/keys/test_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILgJ2GI8eZTjhzLL1RlXUhKcOr1FtiXWbWpNg5dpI2i6 test

fixtures/keys/test_ed25519_encrypted

@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABD342Kol/
+iE3kW3alqJTPVpAAAAGAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIF29NuS3O0JUKCj4
+j/NmmJJyJk6n/MwI37WtVeWAC5c/AAAAoPFp0zRQufp8S+f68atSqFT1FYMUvGqL2cmmtJ
+r+kXEeEvSGdi3xAxCSLuoe0tMeUYP8aUP1M5L9VzTpFoi8jBIfcPl/ZRX8F/+J4dhp5jno
+3nQuo1AN0D60r+UmmX+Z0IzIrD2jIpZ/Y7P2kXT8OErIhtC4ZJs3nIIOKFY7ZzlM1IqbYH
+dSSlpUnsAoMPjMb0eD0Q6s6JaldfiNshckauU=
+-----END OPENSSH PRIVATE KEY-----

fixtures/keys/test_ed25519_encrypted.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF29NuS3O0JUKCj4j/NmmJJyJk6n/MwI37WtVeWAC5c/ encrypted test key

fixtures/keys/test_ed25519_second

@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCZhSOlxHj1zxd+P7adxHOjo3tqqe68AVQ1itJ96nJ95wAAAIh6gz6PeoM+
+jwAAAAtzc2gtZWQyNTUxOQAAACCZhSOlxHj1zxd+P7adxHOjo3tqqe68AVQ1itJ96nJ95w
+AAAEAEsVzs6egkWMZolD/pZCX5ZcZVXfd5wZ6Ja12f+PxAQJmFI6XEePXPF34/tp3Ec6Oj
+e2qp7rwBVDWK0n3qcn3nAAAABXRlc3Qy
+-----END OPENSSH PRIVATE KEY-----

fixtures/keys/test_ed25519_second.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmFI6XEePXPF34/tp3Ec6Oje2qp7rwBVDWK0n3qcn3n test2

fixtures/keys/test_rsa

@@ -0,0 +1,27 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
+NhAAAAAwEAAQAAAQEAjwq/ISeK/TmKiV1NABIq+tFwevArpTRTyZ9eC5JyGvDzDB03buVl
+6bXd6+cwv+h0AZa7BZN60ayv8zAUmyGpSxFN2gMFiJ/0iFYpTHiLZD4VUH8mCPllIehOdr
+epchmlh14BeShJjlGzwBAlgiEON5V62gCWWLmkIzcAgUd3R2NUQfajl74wA0JBkaNeFwUp
+nUARyPUeMVX8ZVUvbpE/WOFTZYfFZDkul6aSkAzEeyZq9s4qJ2mWt5acuXcMcUl6YtuAGM
+Xii+uV1nJyQpNgHRdEZ2Ch1zmtiTrqjutdBUOfyQZJ3Ln9h/nPJDerUHZboyhu654dLbac
+0P3pYciW8wAAA8BvZFJ5b2RSeQAAAAdzc2gtcnNhAAABAQCPCr8hJ4r9OYqJXU0AEir60X
+B68CulNFPJn14LknIa8PMMHTdu5WXptd3r5zC/6HQBlrsFk3rRrK/zMBSbIalLEU3aAwWI
+n/SIVilMeItkPhVQfyYI+WUh6E52t6lyGaWHXgF5KEmOUbPAECWCIQ43lXraAJZYuaQjNw
+CBR3dHY1RB9qOXvjADQkGRo14XBSmdQBHI9R4xVfxlVS9ukT9Y4VNlh8VkOS6XppKQDMR7
+Jmr2zionaZa3lpy5dwxxSXpi24AYxeKL65XWcnJCk2AdF0RnYKHXOa2JOuqO610FQ5/JBk
+ncuf2H+c8kN6tQdlujKG7rnh0ttpzQ/elhyJbzAAAAAwEAAQAAAQAVAR96x1s1/vaUYDJ3
+4bMU/J83NkA6dJofH7tIGLuPsDUIYNvseVwDOxT42IyEiaZLO26ADZ1535FAtR05gHJjFw
+nnCw2Ld+2I/Zn35DWXxTQNC3ay16hdl8a50RNdMV3oqEmwGFXgw6eQ+u3/E0qKp/UPwQlS
+wwPStfdphGyD+15BxNcc/ZTAByKe9JMi7KkygE02jUn9OMPjJJT9RR+oRXZHLq+yU8Fayl
+QUDgmU5Vq8Mhp0P4JrmCMVeZuRhMPrk3XaDJFPgfSMY1fKEapW6itwsG9VTh6xUMxks26t
+hk/GuGNjhmt5NOKpQDLLOTKd22u+PZ6kJJQcJjsj47ktAAAAgGcWjHLNm6T0Dp1p5hgfPy
+QK019Xp24V1zlejyC0iykzBaC+ZFFS9JOBkqfdrrEE1nAzLvJblhUeWpmLBaqOF+PpPxkF
+oAGXzYck2axVcXhpvgB71uOARGZntVDoxVoOC7vT6I2h8eL75pZNGYJZt1K9Zufr4UwNR4
+F+FY194pSLAAAAgQDEx1MSFuVZ5sfAH7RteSHWjvyD/CWwbhVzL3IWeUXCMsf9HwUZZd8e
+zgyqE6Dh65GTXviuy8Tpb4gT4Gne/QblMHGvdbFMlXNOfzz9U5VkF0q1Y/D4rN0Sa7+nzR
+lZx/LKM20egfypNeJWBQT5KzZ8gEOamL7Qyyk5YG2q5evWnwAAAIEAuhdRyPjXaCM2NyvO
+dPxvbnpEJZDWRw6iVWtzPAXgwIiI6ngEUVXK2O8T8j0Ufssk3AVbVj1OH8/KJonyWUbedM
+mDaFhs4Uvd9iuSZdpS7PbLqHYonurg3m6dz4TrtoWUQuBATdGuIGrtkN+Y83e6UqOGT7lY
+Vqw7lPqhNUowAy0AAAAIdGVzdC1yc2EBAgM=
+-----END OPENSSH PRIVATE KEY-----

fixtures/keys/test_rsa.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPCr8hJ4r9OYqJXU0AEir60XB68CulNFPJn14LknIa8PMMHTdu5WXptd3r5zC/6HQBlrsFk3rRrK/zMBSbIalLEU3aAwWIn/SIVilMeItkPhVQfyYI+WUh6E52t6lyGaWHXgF5KEmOUbPAECWCIQ43lXraAJZYuaQjNwCBR3dHY1RB9qOXvjADQkGRo14XBSmdQBHI9R4xVfxlVS9ukT9Y4VNlh8VkOS6XppKQDMR7Jmr2zionaZa3lpy5dwxxSXpi24AYxeKL65XWcnJCk2AdF0RnYKHXOa2JOuqO610FQ5/JBkncuf2H+c8kN6tQdlujKG7rnh0ttpzQ/elhyJbz test-rsa

flags.odin

@@ -0,0 +1,134 @@
+package main
+
+import "base:runtime"
+import "core:reflect"
+import "core:strings"
+
+get_subtag :: proc(tag: string, id: string) -> (value: string, ok: bool) {
+	parts := strings.split(tag, ",", context.temp_allocator)
+	for part in parts {
+		trimmed := strings.trim_space(part)
+		if strings.has_prefix(trimmed, id) && len(trimmed) > len(id) && trimmed[len(id)] == '=' {
+			return trimmed[len(id) + 1:], true
+		}
+		if trimmed == id {
+			return "", true
+		}
+	}
+	return "", false
+}
+
+is_bool_type :: proc(field: reflect.Struct_Field) -> bool {
+	base_ti := runtime.type_info_base(field.type)
+	_, is_bool := base_ti.variant.(runtime.Type_Info_Boolean)
+	return is_bool
+}
+
+set_field :: proc(model: rawptr, field: reflect.Struct_Field, value: string) -> bool {
+	ptr := rawptr(uintptr(model) + field.offset)
+	base_ti := runtime.type_info_base(field.type)
+
+	if _, is_bool := base_ti.variant.(runtime.Type_Info_Boolean); is_bool {
+		(cast(^bool)ptr)^ = true
+		return true
+	}
+
+	if _, is_string := base_ti.variant.(runtime.Type_Info_String); is_string {
+		(cast(^string)ptr)^ = value
+		return true
+	}
+
+	if enum_ti, is_enum := base_ti.variant.(runtime.Type_Info_Enum); is_enum {
+		for name, i in enum_ti.names {
+			if strings.equal_fold(value, name) {
+				v := enum_ti.values[i]
+				switch base_ti.size {
+				case 1: (cast(^u8)ptr)^  = cast(u8)v
+				case 2: (cast(^u16)ptr)^ = cast(u16)v
+				case 4: (cast(^u32)ptr)^ = cast(u32)v
+				case 8: (cast(^u64)ptr)^ = cast(u64)v
+				}
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
+parse_flags :: proc(model: ^$T, args: []string) -> (overflow: []string) {
+	field_count := reflect.struct_field_count(T)
+	long_map := make(map[string]reflect.Struct_Field, field_count, context.temp_allocator)
+	short_map := make(map[string]reflect.Struct_Field, field_count, context.temp_allocator)
+
+	for i in 0..<field_count {
+		field := reflect.struct_field_at(T, i)
+
+		name, _ := strings.replace(field.name, "_", "-", -1, context.temp_allocator)
+		args_tag := reflect.struct_tag_get(field.tag, "args")
+		if n, ok := get_subtag(args_tag, "name"); ok {
+			name = n
+		}
+		long_map[name] = field
+
+		if s, ok := get_subtag(args_tag, "short"); ok {
+			short_map[s] = field
+		}
+	}
+
+	overflow_dyn := make([dynamic]string, 0, len(args), context.temp_allocator)
+
+	i := 0
+	for i < len(args) {
+		arg := args[i]
+
+		if strings.starts_with(arg, "--") {
+			key := arg[2:]
+			value := ""
+			has_value := false
+
+			if eq_idx := strings.index(key, "="); eq_idx >= 0 {
+				value = key[eq_idx + 1:]
+				key = key[:eq_idx]
+				has_value = true
+			}
+
+			if field, ok := long_map[key]; ok {
+				if is_bool_type(field) {
+					set_field(model, field, "")
+					i += 1
+				} else if has_value {
+					set_field(model, field, value)
+					i += 1
+				} else if i + 1 < len(args) && !strings.starts_with(args[i + 1], "-") {
+					set_field(model, field, args[i + 1])
+					i += 2
+				} else {
+					i += 1
+				}
+			} else {
+				i += 1
+			}
+		} else if strings.starts_with(arg, "-") && len(arg) == 2 {
+			short := arg[1:2]
+			if field, ok := short_map[short]; ok {
+				if is_bool_type(field) {
+					set_field(model, field, "")
+					i += 1
+				} else if i + 1 < len(args) && !strings.starts_with(args[i + 1], "-") {
+					set_field(model, field, args[i + 1])
+					i += 2
+				} else {
+					i += 1
+				}
+			} else {
+				i += 1
+			}
+		} else {
+			append(&overflow_dyn, arg)
+			i += 1
+		}
+	}
+
+	return overflow_dyn[:]
+}

flake.lock

@@ -5,11 +5,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1760948891,
-        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
+        "lastModified": 1778716662,
+        "narHash": "sha256-m1Yf0wZ8j1OHjTc2UwHwyQRSnNeSgLJOd7q5Y45hzi4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
+        "rev": "f7c1a2d347e4c52d5fb8d10cb4d94b5884e546fb",
         "type": "github"
       },
       "original": {
@@ -20,25 +20,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1761594641,
-        "narHash": "sha256-sImk6SJQASDLQo8l+0zWWaBgg7TueLS6lTvdH5pBZpo=",
+        "lastModified": 1767313136,
+        "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1666250dbe4141e4ca8aaf89b40a3a51c2e36144",
+        "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
-        "type": "indirect"
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
       }
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1754788789,
-        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
+        "lastModified": 1777168982,
+        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
+        "rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14",
         "type": "github"
       },
       "original": {
@@ -49,11 +51,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1761594641,
-        "narHash": "sha256-sImk6SJQASDLQo8l+0zWWaBgg7TueLS6lTvdH5pBZpo=",
+        "lastModified": 1781173989,
+        "narHash": "sha256-fnzKKPvS+oieI/pTzotA5tkoM47EB1NpaBcgk4R97hE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1666250dbe4141e4ca8aaf89b40a3a51c2e36144",
+        "rev": "8c91a71d13451abc40eb9dae8910f972f979852f",
         "type": "github"
       },
       "original": {
@@ -63,27 +65,11 @@
         "type": "github"
       }
     },
-    "process-compose-flake": {
-      "locked": {
-        "lastModified": 1761063998,
-        "narHash": "sha256-l14CiQZM2ZpWp6leugJ5/GKU1aydT/xrvyKRMgYc0ak=",
-        "owner": "Platonic-Systems",
-        "repo": "process-compose-flake",
-        "rev": "d1839830cd4a814830a27b3cb58437306747bbd3",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Platonic-Systems",
-        "repo": "process-compose-flake",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "flake-parts": "flake-parts",
         "nixpkgs": "nixpkgs",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "process-compose-flake": "process-compose-flake",
         "treefmt-nix": "treefmt-nix"
       }
     },
@@ -94,11 +80,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1761311587,
-        "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
+        "lastModified": 1780220602,
+        "narHash": "sha256-eynAfOmbmxJnkp7YewvCEbShNnnYJ9gLLqkzsYtBPeM=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
+        "rev": "db947814a175b7ca6ded66e21383d938df01c227",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,44 +1,57 @@
 {
-  description = "A dev environment";
+  description = "Manage your .env files.";
 
   inputs = {
-    # nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
 
     flake-parts.url = "github:hercules-ci/flake-parts";
-    process-compose-flake.url = "github:Platonic-Systems/process-compose-flake";
     treefmt-nix.url = "github:numtide/treefmt-nix";
     treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
   };
 
   outputs =
-    inputs@{ self
-    , flake-parts
-    , nixpkgs
-    , nixpkgs-unstable
-    , process-compose-flake
-    , treefmt-nix
+    inputs@{
+      flake-parts,
+      nixpkgs,
+      nixpkgs-unstable,
+      self,
+      treefmt-nix,
     }:
     flake-parts.lib.mkFlake { inherit inputs; } {
       imports = [
         inputs.treefmt-nix.flakeModule
-        # inputs.process-compose-flake.flakeModule
       ];
-      systems = [ "x86_64-linux" ];
+      systems = [
+        "x86_64-linux"
+        "aarch64-linux"
+
+        "aarch64-darwin"
+      ];
 
       perSystem =
-        { pkgs, system, inputs', ... }: {
+        {
+          pkgs,
+          system,
+          inputs',
+          ...
+        }:
+        let
+          mysqlite = pkgs.sqlite.overrideAttrs (old: {
+            configureFlags = (old.configureFlags or [ ]) ++ [ "--enable-deserialize" ];
+          });
+        in
+        {
           _module.args.pkgs = import nixpkgs {
             inherit system;
             config.allowUnfree = true;
 
             overlays = [
-              (final: prev: { unstable = inputs'.nixpkgs-unstable.legacyPackages; })
+              (_final: _prev: { unstable = inputs'.nixpkgs-unstable.legacyPackages; })
             ];
           };
 
           treefmt = {
-            # Used to find the project root
             projectRootFile = "flake.nix";
             settings.global.excludes = [
               ".direnv/**"
@@ -48,30 +61,62 @@
               ".env.local"
             ];
 
-
-            # Format nix files
             programs.nixpkgs-fmt.enable = true;
-            programs.deadnix.enable = true;
+          };
 
-            # Format js, json, and yaml files
-            programs.prettier.enable = true;
-            settings.formatter.prettier =
-              {
-                excludes = [
-                  "public/**"
-                  "resources/js/modernizr.js"
-                  "storage/app/caniuse.json"
-                  "*.md"
+          packages.default = pkgs.stdenv.mkDerivation rec {
+            pname = "envr";
+            version = "0.3.0";
+            src = ./.;
+
+            nativeBuildInputs = [
+              pkgs.unstable.odin
+              pkgs.pkg-config
             ];
-              };
+
+            buildInputs = [
+              pkgs.git
+
+              pkgs.libsodium
+              mysqlite
+            ];
+
+            doCheck = true;
+            checkPhase = ''
+              runHook preCheck
+              odin test . -all-packages
+              runHook postCheck
+            '';
+
+            buildPhase = ''
+              runHook preBuild
+              echo '${version}' > version.txt
+              odin build . -o:speed -out:${pname}
+              runHook postBuild
+            '';
+
+            installPhase = ''
+              runHook preInstall
+              install -Dm755 ${pname} $out/bin/${pname}
+              runHook postInstall
+            '';
           };
 
-          devShells.default = pkgs.mkShell
-            {
+          devShells.default = pkgs.mkShell {
             buildInputs = with pkgs; [
-                age
               nushell
-                sqlite
+
+              libsodium
+              mysqlite
+              unstable.odin
+              unstable.ols
+
+              # Build tools
+              zip
+
+              # Helper tools
+              delta
+              hyperfine
 
               # IDE
               unstable.helix

main.odin

@@ -0,0 +1,106 @@
+package main
+
+import "base:runtime"
+import "core:fmt"
+import "core:mem"
+import "core:os"
+import "core:prof/spall"
+import "core:sync"
+
+SPALL :: #config(SPALL, false)
+when SPALL {
+	spall_ctx: spall.Context
+	@(thread_local)
+	spall_buffer: spall.Buffer
+}
+
+main :: proc() {
+	when SPALL {
+		ctx, spall_ok := spall.context_create_with_scale("envr.spall", false, 1.0)
+		if !spall_ok {
+			fmt.eprintln("Failed to create spall trace file")
+			os.exit(1)
+		}
+		spall_ctx = ctx
+		defer spall.context_destroy(&spall_ctx)
+
+		spall_backing := make([]u8, spall.BUFFER_DEFAULT_SIZE)
+		defer delete(spall_backing)
+
+		spall_buffer = spall.buffer_create(spall_backing, u32(sync.current_thread_id()))
+		defer spall.buffer_destroy(&spall_ctx, &spall_buffer)
+	}
+
+	when ODIN_DEBUG {
+		heap_track: mem.Tracking_Allocator
+		mem.tracking_allocator_init(&heap_track, context.allocator)
+		defer mem.tracking_allocator_destroy(&heap_track)
+		defer if len(heap_track.allocation_map) > 0 {
+			for _, leak in heap_track.allocation_map {
+				fmt.eprintf("LEAK: %v leaked %m\n", leak.location, leak.size)
+			}
+		}
+		context.allocator = mem.tracking_allocator(&heap_track)
+
+		temp_track: mem.Tracking_Allocator
+		mem.tracking_allocator_init(&temp_track, context.temp_allocator)
+		defer mem.tracking_allocator_destroy(&temp_track)
+		context.temp_allocator = mem.tracking_allocator(&temp_track)
+	}
+
+	defer free_all(context.temp_allocator)
+
+	cmd, ok := parse_args(os.args, os.to_writer(os.stdout), os.to_writer(os.stderr))
+	defer delete_command(&cmd) // delete flushes automatically
+	if !ok {
+		return
+	}
+
+	switch cmd.name {
+	case "init":
+		cmd_init(&cmd)
+	case "version":
+		cmd_version(&cmd)
+	case "list":
+		cmd_list(&cmd)
+	case "backup", "add":
+		cmd_backup(&cmd)
+	case "remove":
+		cmd_remove(&cmd)
+	case "restore":
+		cmd_restore(&cmd)
+	case "edit-config":
+		cmd_edit_config(&cmd)
+	case "check":
+		cmd_check(&cmd)
+	case "scan":
+		cmd_scan(&cmd)
+	case "sync":
+		cmd_sync(&cmd)
+	case "nushell-completion":
+		cmd_nushell_completion(&cmd)
+	case:
+		fmt.wprintf(cmd.err, "Unknown command: %s\n", cmd.name)
+		write_usage(cmd.out)
+		os.exit(1)
+	}
+}
+
+when SPALL {
+	@(instrumentation_enter)
+	spall_enter :: proc "contextless" (
+		proc_address, call_site_return_address: rawptr,
+		loc: runtime.Source_Code_Location,
+	) {
+		spall._buffer_begin(&spall_ctx, &spall_buffer, "", "", loc)
+	}
+
+	@(instrumentation_exit)
+	spall_exit :: proc "contextless" (
+		proc_address, call_site_return_address: rawptr,
+		loc: runtime.Source_Code_Location,
+	) {
+		spall._buffer_end(&spall_ctx, &spall_buffer)
+	}
+}
+

mod.nu

@@ -1,201 +1,71 @@
-#!/usr/bin/env nu
+# envr command extern definitions for Nushell
+# A tool for managing environment files and backups
 
-use std assert;
-
-# Manage your .env files with ease
-export def envr [] {
-  help envr
-}
-
-# Import a .env file into envr
-export def "envr backup" [
-  file: path
-] {
-  cd (dirname $file);
-
-  let contents = (open $file --raw)
-
-  open db
-
-  let row = {
-    path: $file
-    dir: (pwd)
-    remotes: (git remote | lines | each { git remote get-url $in } | to json)
-    sha256: ($contents | hash sha256)
-    contents: $contents
-  };
-
-  try {
-    $row | stor insert -t envr_env_files
-  } catch {
-    $row | stor update -t envr_env_files -w $'path == "($row.path)"'
-  }
-
-  close db
-
-  $"file '($file)' backed up!"
-}
-
-const db_path = '~/.envr/data.age'
-
-# Create or load the database
-def "open db" [] {
-  if (not ($db_path | path exists)) {
-    create-db
-  } else {
-    # Open the db
-    let dec = mktemp -p ~/.envr;
-    let priv_key = ((envr config show).priv_key | path expand);
-    age -d -i $priv_key ($db_path | path expand) | save -f $dec
-    stor import -f $dec
-    rm $dec
-  }
-
-  stor open
-}
-
-def "create-db" []: nothing -> any {
-  let dec = mktemp -p ~/.envr;
-
-  sqlite3 $dec 'create table envr_env_files (
-      path text primary key not null
-    , dir text not null
-    , remotes text -- JSON
-    , sha256 text not null
-    , contents text not null
-  );'
-
-  let pub_key = ((envr config show).pub_key | path expand);
-  age -R $pub_key $dec | save -f $db_path
-
-  stor import -f $dec
-  rm $dec;
-}
-
-def "close db" [] {
-  let dec = mktemp -p ~/.envr;
-
-  stor export --file-name $dec;
-
-  # Encrypt the file
-  let pub_key = ((envr config show).pub_key | path expand);
-  age -R $pub_key $dec | save -f $db_path
-
-  rm $dec
-}
-
-# Restore a .env file from backup.
-export def "envr restore" [
-  path?: path # The path of the file to restore. Will be prompted if left blank.
-]: nothing -> string {
-  let files = (files)
-  let $path = if ($path | is-empty) {
+export def tracked-paths [] {
   (
-      $files
-      | select path dir remotes
-      | input list -f "Please select a file to restore"
-      | get path
+    ^envr list
+    | from json
+    | each {
+      [$in.directory $in.path] | path join
+    }
   )
-  } else {
-    $path
 }
 
-  let file = ($files | where path == $path | first);
-  assert ($file | is-not-empty) "File must be found"
-
-  let response = if (($path | path type) == 'file') {
-    if (open --raw $file.path | hash sha256 | $in == $file.sha256) {
-      # File matches
-      $'(ansi yellow)file is already up to date.(ansi reset)';
-    } else {
-      # File exists, but doesn't match
-      let continue = (
-        [No Yes]
-        | input list $"File '($path)' already exists, are you sure you want to overwrite it?"
-        | $in == 'Yes'
-      );
-
-      if ($continue) {
-        null
-      } else {
-        $'(ansi yellow)No action was taken(ansi reset)'
-      }
-    }
-  };
-
-  if ($response | is-empty) {
-    # File should be restored
-    $file.contents | save -f $path
-    return $'(ansi green)($path) restored!(ansi reset)'
-  } else {
-    return $response
-  }
+export def untracked-paths [] {
+  (
+    ^envr scan
+    | from json
+  )
 }
 
-# Supported config formats
-const available_formats = [
-  json
-  toml
-  yaml
-  ini
-  xml
-  nuon
+export extern envr [
+  ...args: any
+  --help(-h)              # Show help information
 ]
 
-# Create your initial config
-export def "envr config init" [
-  format?: string
-  #identity?: path
-] {
-  mkdir ~/.envr
+export extern "envr backup" [
+  --help(-h) # Show help for backup command
+  path: path@untracked-paths # Path to .env file to backup
+]
 
-  let format = if ($format | is-empty) {
-    $available_formats | input list 'Please select the desired format for your config file'
-  }
+export extern "envr check" [
+  --help(-h)              # Show help for check command
+]
 
-  let identity = '~/.ssh/id_ed25519';
+export extern "envr edit-config" [
+  --help(-h)              # Show help for edit-config command
+]
 
-  # The path to the config file.
-  let source = $'~/.envr/config.($format)'
+export extern "envr help" [
+  command?: string        # Show help for specific command
+]
 
-  {
-    source: $source
-    priv_key: $identity
-    pub_key: $'($identity).pub'
-  } | tee {
-    save $source
-  }
-}
+export extern "envr init" [
+  --help(-h)              # Show help for init command
+]
 
-# View your tracked files
-export def "envr list" [] {
-  (files | reject contents)
-}
+export extern "envr list" [
+  --help(-h)              # Show help for list command
+]
 
-# List all the files in the database
-def files [] {
-  (
-    open db
-    | query db 'select * from envr_env_files'
-    | update remotes { from json }
-  )
-}
+export extern "envr remove" [
+  --help(-h)              # Show help for remove command
+  path: path@tracked-paths
+]
 
-# Update your env backups
-export def "envr sync" [] {
-  'TODO:' 
-}
+export extern "envr restore" [
+  --help(-h)              # Show help for restore command
+  path: path@tracked-paths
+]
 
-# Edit your config
-export def "envr config edit" [] {
-  ^$env.EDITOR (config-file)
-}
+export extern "envr scan" [
+  --help(-h)              # Show help for scan command
+]
 
-def "config-file" []: [nothing -> path nothing -> nothing] {
-  ls ~/.envr/config.* | get 0.name -o
-}
+export extern "envr sync" [
+  --help(-h)              # Show help for sync command
+]
 
-# show your current config
-export def "envr config show" []: nothing -> record<source: path, priv_key: path, pub_key: path> {
-  open (config-file)
-}
+export extern "envr nushell-completion" [
+  --help(-h)              # Show help for nushell-completion command
+]

prompt.odin

@@ -0,0 +1,202 @@
+package main
+
+import "core:fmt"
+import "core:sys/posix"
+import "core:terminal/ansi"
+
+MultiSelect_Result :: enum {
+	Confirm,
+	Cancel,
+}
+
+Key :: enum {
+	Up,
+	Down,
+	Space,
+	Enter,
+	Escape,
+	Unknown,
+}
+
+Raw_State :: struct {
+	original: posix.termios,
+	fd:       posix.FD,
+}
+
+MAX_VISIBLE :: 7
+
+// Caller is responsible for deleting the responses.
+multi_select :: proc(
+	prompt: string,
+	options: []string,
+) -> (
+	selected: [dynamic]bool,
+	result: MultiSelect_Result,
+) {
+	if len(options) == 0 {
+		return
+	}
+
+	selected = make([dynamic]bool, len(options))
+	cursor: int = 0
+	scroll_offset: int = 0
+
+	fmt.printf(ansi.CSI + ansi.DECTCEM_HIDE)
+	visible := render_options(prompt, options, selected[:], cursor, scroll_offset)
+
+	raw, ok := enable_raw_mode(posix.STDIN_FILENO)
+	if !ok {
+		fmt.printf(ansi.CSI + ansi.DECTCEM_SHOW)
+		return
+	}
+	defer disable_raw_mode(&raw)
+
+	for {
+		key := read_key()
+
+		switch key {
+		case .Up:
+			if cursor > 0 {
+				cursor -= 1
+			}
+		case .Down:
+			if cursor < len(options) - 1 {
+				cursor += 1
+			}
+		case .Space:
+			selected[cursor] = !selected[cursor]
+		case .Enter:
+			fmt.printf(ansi.CSI + "%d" + ansi.CUU + ansi.CSI + ansi.ED + ansi.CSI + ansi.DECTCEM_SHOW, visible + 1)
+			result = .Confirm
+			return
+		case .Escape:
+			fmt.printf(ansi.CSI + "%d" + ansi.CUU + ansi.CSI + ansi.ED + ansi.CSI + ansi.DECTCEM_SHOW, visible + 1)
+			result = .Cancel
+			return
+		case .Unknown:
+		}
+
+		scroll_offset = max(0, min(cursor - MAX_VISIBLE / 2, len(options) - MAX_VISIBLE))
+		fmt.printf(ansi.CSI + "%d" + ansi.CUU + ansi.CSI + ansi.RESET + ansi.ED, visible + 1)
+		visible = render_options(prompt, options, selected[:], cursor, scroll_offset)
+	}
+}
+
+render_options :: proc(
+	prompt: string,
+	options: []string,
+	selected: []bool,
+	cursor: int,
+	scroll_offset: int,
+) -> int {
+	fmt.printf(ansi.CSI + ansi.BOLD + ";" + ansi.FG_CYAN + ansi.SGR + "%s" + ANSI_RESET + " (↑/↓ move, space select, enter confirm)\r\n", prompt)
+
+	end := scroll_offset + MAX_VISIBLE
+	if end > len(options) {
+		end = len(options)
+	}
+
+	for i in scroll_offset ..< end {
+		checkbox := " "
+		if selected[i] {
+			checkbox = "x"
+		}
+		if i == cursor {
+			fmt.printf(ansi.CSI + ansi.BOLD + ";" + ansi.FG_GREEN + ansi.SGR + "> " + ANSI_RESET + "[" + ansi.CSI + ansi.FG_GREEN + ansi.SGR + "%s" + ANSI_RESET + "] %s\r\n", checkbox, options[i])
+		} else {
+			fmt.printf("  [" + ansi.CSI + ansi.FAINT + ansi.SGR + "%s" + ANSI_RESET + "] %s\r\n", checkbox, options[i])
+		}
+	}
+
+	return end - scroll_offset
+}
+
+enable_raw_mode :: proc(fd: posix.FD) -> (Raw_State, bool) {
+	state: Raw_State
+	state.fd = fd
+
+	if posix.tcgetattr(fd, &state.original) != .OK {
+		return state, false
+	}
+
+	attr: posix.termios = state.original
+	attr.c_lflag -= {.ICANON, .ECHO, .ISIG, .IEXTEN}
+	attr.c_iflag -= {.IXON, .ICRNL, .BRKINT, .INPCK, .ISTRIP}
+	attr.c_oflag -= {.OPOST}
+	attr.c_cflag += {.CS8}
+	attr.c_cc[.VMIN] = 1
+	attr.c_cc[.VTIME] = 0
+
+	if posix.tcsetattr(fd, .TCSAFLUSH, &attr) != .OK {
+		return state, false
+	}
+
+	return state, true
+}
+
+disable_raw_mode :: proc(state: ^Raw_State) {
+	posix.tcsetattr(state.fd, .TCSAFLUSH, &state.original)
+}
+
+read_key :: proc() -> Key {
+	buf: [3]u8
+
+	n := posix.read(posix.STDIN_FILENO, &buf[0], 1)
+	if n <= 0 {
+		return .Unknown
+	}
+
+	switch buf[0] {
+	case ' ':
+		return .Space
+	case '\n', '\r':
+		return .Enter
+	case 0x03:
+		return .Escape
+	case 0x1b:
+		tv: posix.timeval
+		tv.tv_sec = 0
+		tv.tv_usec = posix.suseconds_t(100000)
+
+		set: posix.fd_set
+		posix.FD_ZERO(&set)
+		posix.FD_SET(posix.STDIN_FILENO, &set)
+
+		ready := posix.select(1, &set, nil, nil, &tv)
+		if ready <= 0 {
+			return .Escape
+		}
+
+		n2 := posix.read(posix.STDIN_FILENO, &buf[1], 1)
+		if n2 <= 0 || buf[1] != '[' {
+			return .Escape
+		}
+
+		posix.FD_ZERO(&set)
+		posix.FD_SET(posix.STDIN_FILENO, &set)
+		tv.tv_sec = 0
+		tv.tv_usec = posix.suseconds_t(100000)
+
+		ready = posix.select(1, &set, nil, nil, &tv)
+		if ready <= 0 {
+			return .Escape
+		}
+
+		n3 := posix.read(posix.STDIN_FILENO, &buf[2], 1)
+		if n3 <= 0 {
+			return .Escape
+		}
+
+		switch buf[2] {
+		case 'A':
+			return .Up
+		case 'B':
+			return .Down
+		case:
+			return .Escape
+		}
+	case:
+		return .Unknown
+	}
+}
+

scan.odin

@@ -0,0 +1,33 @@
+package main
+
+import "core:os"
+
+import "findr"
+
+// Caller is responsible for freeing paths
+scan_path :: proc(search_path: string, cfg: Config) -> (paths: [dynamic]string, ok: bool) {
+	opts := findr.WalkOptions {
+		pattern  = cfg.scan_config.matcher,
+		excludes = cfg.scan_config.exclude[:],
+	}
+	findr.walk({search_path}, &paths, opts, os.get_processor_core_count())
+	ok = true
+	return
+}
+
+// The returned values live on the temp_allocator
+find_unbacked :: proc(local_files: []string, db_files: []EnvFile) -> []string {
+	backed_set := make(map[string]bool, len(db_files), context.temp_allocator)
+	for file in db_files {
+		backed_set[file.path] = true
+	}
+
+	unbacked := make([dynamic]string, 0, len(db_files) / 2, context.temp_allocator)
+	for file in local_files {
+		if !(file in backed_set) {
+			append(&unbacked, file)
+		}
+	}
+	return unbacked[:]
+}
+

scan_test.odin

@@ -0,0 +1,88 @@
+#+test
+package main
+
+import "core:fmt"
+import "core:os"
+import "core:path/filepath"
+import "core:testing"
+
+@(test)
+test_scan_path_finds_gitignored_env_files :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-scan-test-*")
+	defer os.remove_all(base)
+
+	git_init := os.Process_Desc {
+		command     = []string{"git", "-c", "advice.defaultBranchName=false", "init", "-q"},
+		working_dir = base,
+		stdout      = os.stderr,
+		stderr      = os.stderr,
+	}
+	p, err := os.process_start(git_init)
+	testing.expectf(t, err == nil, "Failed to run git: %v", err)
+	if err != nil do return
+	state, wait_err := os.process_wait(p)
+	testing.expectf(t, wait_err == nil, "Failed to wait: %v", wait_err)
+	if wait_err != nil do return
+	testing.expect(t, state.success, "command should succeed")
+
+	gitignore_path := fmt.tprintf("%s/.gitignore", base)
+	err = os.write_entire_file(gitignore_path, ".env*\n")
+	testing.expectf(t, err == nil, "Failed: %v", err)
+
+	err = os.write_entire_file(fmt.tprintf("%s/.env", base), "SECRET=1")
+	testing.expectf(t, err == nil, "Failed: %v", err)
+	err = os.write_entire_file(fmt.tprintf("%s/.env.testing", base), "TEST=1")
+	testing.expectf(t, err == nil, "Failed: %v", err)
+	err = os.write_entire_file(fmt.tprintf("%s/config.yaml", base), "key: value")
+	testing.expectf(t, err == nil, "Failed: %v", err)
+
+	cfg := Config {
+		scan_config = ScanConfig{matcher = "\\.env"},
+	}
+
+	results, ok := scan_path(base, cfg)
+	defer {
+		for path in results {
+			delete(path)
+		}
+		delete(results)
+	}
+	testing.expect(t, ok, "scan_path should succeed")
+
+	found_env := false
+	found_testing := false
+	found_config := false
+
+	for path in results {
+		_, filename := filepath.split(path)
+		if filename == ".env" {
+			found_env = true
+		}
+		if filename == ".env.testing" {
+			found_testing = true
+		}
+		if filename == "config.yaml" {
+			found_config = true
+		}
+	}
+
+	testing.expect(t, found_env, "should find .env (gitignored)")
+	testing.expect(t, found_testing, "should find .env.testing (gitignored)")
+	testing.expect(t, !found_config, "should NOT find config.yaml (not gitignored)")
+}
+
+@(test)
+test_scan_path_empty_dir :: proc(t: ^testing.T) {
+	base := test_temp_dir(t, "envr-scan-empty-*")
+	defer os.remove_all(base)
+
+	cfg := Config {
+		scan_config = ScanConfig{matcher = "\\.env"},
+	}
+
+	results, ok := scan_path(base, cfg)
+	defer delete(results)
+	testing.expect(t, ok, "scan_path should succeed")
+	testing.expect_value(t, len(results), 0)
+}
+

sodium.odin

@@ -0,0 +1,31 @@
+package main
+
+import "core:c"
+
+foreign import libsodium "system:sodium"
+
+CRYPTO_BOX_PUBLICKEY_BYTES :: 32
+CRYPTO_BOX_SECRETKEY_BYTES :: 32
+CRYPTO_BOX_NONCE_BYTES :: 24
+CRYPTO_BOX_MAC_BYTES :: 16
+
+CRYPTO_SECRETBOX_KEY_BYTES :: 32
+CRYPTO_SECRETBOX_NONCE_BYTES :: 24
+CRYPTO_SECRETBOX_MAC_BYTES :: 16
+
+CRYPTO_SIGN_PUBLICKEY_BYTES :: 32
+CRYPTO_SIGN_SECRETKEY_BYTES :: 64
+
+@(default_calling_convention = "c")
+foreign libsodium {
+	sodium_init :: proc() -> c.int ---
+	// crypto_box_keypair :: proc(pk: [^]u8, sk: [^]u8) -> c.int ---
+	crypto_box_easy :: proc(ciphertext: [^]u8, plaintext: [^]u8, mlen: c.ulong, nonce: [^]u8, pk: [^]u8, sk: [^]u8) -> c.int ---
+	crypto_box_open_easy :: proc(plaintext: [^]u8, ciphertext: [^]u8, clen: c.ulong, nonce: [^]u8, pk: [^]u8, sk: [^]u8) -> c.int ---
+	crypto_secretbox_easy :: proc(ciphertext: [^]u8, plaintext: [^]u8, mlen: c.ulong, nonce: [^]u8, key: [^]u8) -> c.int ---
+	crypto_secretbox_open_easy :: proc(plaintext: [^]u8, ciphertext: [^]u8, clen: c.ulong, nonce: [^]u8, key: [^]u8) -> c.int ---
+	crypto_sign_ed25519_pk_to_curve25519 :: proc(curve25519_pk: [^]u8, ed25519_pk: [^]u8) -> c.int ---
+	crypto_sign_ed25519_sk_to_curve25519 :: proc(curve25519_sk: [^]u8, ed25519_sk: [^]u8) -> c.int ---
+	randombytes_buf :: proc(buf: [^]u8, size: c.ulong) ---
+}
+

sqlite/sqlite.odin

@@ -0,0 +1,60 @@
+package sqlite
+
+import "core:c"
+
+foreign import lib "system:sqlite3"
+
+Db :: distinct rawptr
+Stmt :: distinct rawptr
+
+// TODO: Use an enum?
+OK :: 0
+ROW :: 100
+DONE :: 101
+
+
+DESERIALIZE_FLAGS :: bit_set[DESERIALIZE_FLAG]
+DESERIALIZE_FLAG :: enum u32 {
+	FREEONCLOSE = 1,
+	RESIZEABLE  = 2,
+	READONLY    = 4,
+}
+
+SERIALIZE_FLAGS :: bit_set[SERIALIZE_FLAG]
+SERIALIZE_FLAG :: enum u32 {
+	NOCOPY = 1,
+}
+
+foreign lib {
+	@(link_name = "sqlite3_open")
+	open :: proc(filename: cstring, ppDb: ^Db) -> c.int ---
+	@(link_name = "sqlite3_close")
+	close :: proc(db: Db) -> c.int ---
+	@(link_name = "sqlite3_errmsg")
+	errmsg :: proc(db: Db) -> cstring ---
+	@(link_name = "sqlite3_exec")
+	exec :: proc(db: Db, sql: cstring, callback: rawptr, callback_arg: rawptr, errmsg: ^cstring) -> c.int ---
+	@(link_name = "sqlite3_prepare_v2")
+	prepare_v2 :: proc(db: Db, sql: cstring, nByte: c.int, ppStmt: ^Stmt, pzTail: ^cstring) -> c.int ---
+	@(link_name = "sqlite3_step")
+	step :: proc(stmt: Stmt) -> c.int ---
+	@(link_name = "sqlite3_finalize")
+	finalize :: proc(stmt: Stmt) -> c.int ---
+	@(link_name = "sqlite3_column_text")
+	column_text :: proc(stmt: Stmt, iCol: c.int) -> cstring ---
+	@(link_name = "sqlite3_column_bytes")
+	column_bytes :: proc(stmt: Stmt, iCol: c.int) -> c.int ---
+	@(link_name = "sqlite3_bind_text")
+	bind_text :: proc(stmt: Stmt, idx: c.int, val: cstring, n: c.int, destructor: rawptr) -> c.int ---
+	@(link_name = "sqlite3_changes")
+	changes :: proc(db: Db) -> c.int ---
+	@(link_name = "sqlite3_serialize")
+	serialize :: proc(db: Db, zSchema: cstring, piSize: ^i64, mFlags: SERIALIZE_FLAGS) -> [^]u8 ---
+	@(link_name = "sqlite3_deserialize")
+	deserialize :: proc(db: Db, zSchema: cstring, pData: [^]u8, szDb: i64, szBuf: i64, mFlags: DESERIALIZE_FLAGS) -> c.int ---
+	@(link_name = "sqlite3_malloc64")
+	malloc64 :: proc(n: i64) -> [^]u8 ---
+	@(link_name = "sqlite3_free")
+	free :: proc(p: rawptr) ---
+}
+

ssh.odin

@@ -0,0 +1,201 @@
+package main
+
+import "base:runtime"
+import "core:encoding/base64"
+import "core:encoding/endian"
+import "core:fmt"
+import "core:mem"
+import "core:os"
+import "core:strings"
+
+SSH_ED25519 :: "ssh-ed25519"
+
+Ed25519Keypair :: struct {
+	Public:  [32]u8,
+	Private: [32]u8,
+}
+
+parse_ssh_public_key :: proc(pub_path: string) -> (pub: [32]u8, ok: bool) {
+	data, err := os.read_entire_file_from_path(pub_path, context.temp_allocator)
+	if err != nil {
+		return
+	}
+
+	text := strings.trim_right(string(data), "\n")
+	parts := strings.split(text, " ", context.temp_allocator)
+	if len(parts) < 2 {
+		return
+	}
+	if parts[0] != SSH_ED25519 {
+		return
+	}
+
+	decoded, decode_err := base64.decode(parts[1], allocator = context.temp_allocator)
+	if decode_err != nil || len(decoded) < 51 {
+		return
+	}
+
+	offset := 0
+	key_type, type_ok := read_wire_string(decoded, &offset)
+	if !type_ok || key_type != SSH_ED25519 {
+		return
+	}
+
+	pk_data, pk_ok := read_wire_string(decoded, &offset)
+	if !pk_ok || len(pk_data) != 32 {
+		return
+	}
+
+	mem.copy_non_overlapping(&pub[0], raw_data(pk_data), 32)
+
+	ok = true
+	return
+}
+
+parse_ssh_private_key :: proc(priv_path: string) -> (kp: Ed25519Keypair, ok: bool) {
+	data, err := os.read_entire_file_from_path(priv_path, context.temp_allocator)
+	if err != nil {
+		return
+	}
+
+	text := string(data)
+	lines := strings.split(text, "\n", context.temp_allocator)
+
+	b: strings.Builder
+	strings.builder_init(&b, context.temp_allocator)
+	defer strings.builder_destroy(&b)
+
+	in_block := false
+	for line in lines {
+		trimmed := strings.trim_space(line)
+		if trimmed == "-----BEGIN OPENSSH PRIVATE KEY-----" {
+			in_block = true
+			continue
+		}
+		if trimmed == "-----END OPENSSH PRIVATE KEY-----" {
+			break
+		}
+		if in_block && len(trimmed) > 0 {
+			fmt.sbprintf(&b, "%s", trimmed)
+		}
+	}
+
+	b64_str := strings.to_string(b)
+	decoded, decode_err := base64.decode(b64_str, allocator = context.temp_allocator)
+	if decode_err != nil {
+		return
+	}
+
+	magic :: "openssh-key-v1\x00"
+	if !strings.has_prefix(string(decoded), magic) {
+		return
+	}
+
+	offset := len(magic)
+
+	ciphername, cipher_ok := read_wire_string(decoded, &offset)
+	if !cipher_ok || ciphername != "none" {
+		return
+	}
+
+	kdfname, kdf_ok := read_wire_string(decoded, &offset)
+	if !kdf_ok || kdfname != "none" {
+		return
+	}
+
+	_, opts_ok := read_wire_string(decoded, &offset)
+	if !opts_ok {
+		return
+	}
+
+	if offset + 4 > len(decoded) {
+		return
+	}
+
+	num_keys := endian.get_u32(decoded[offset:offset + 4], .Big) or_return
+	offset += 4
+
+	if num_keys != 1 {
+		return
+	}
+
+	_, pub_blob_ok := read_wire_string(decoded, &offset)
+	if !pub_blob_ok {
+		return
+	}
+
+	priv_blob, priv_blob_ok := read_wire_string(decoded, &offset)
+	if !priv_blob_ok {
+		return
+	}
+
+	inner_offset := 0
+	if inner_offset + 8 > len(priv_blob) {
+		return
+	}
+
+	check1 := endian.get_u32(
+		transmute([]u8)(priv_blob)[inner_offset:inner_offset + 4],
+		.Big,
+	) or_return
+	inner_offset += 4
+	check2 := endian.get_u32(
+		transmute([]u8)(priv_blob)[inner_offset:inner_offset + 4],
+		.Big,
+	) or_return
+	inner_offset += 4
+
+	if check1 != check2 {
+		return
+	}
+
+	priv_type, type_ok := read_wire_string(transmute([]u8)priv_blob, &inner_offset)
+	if !type_ok || priv_type != SSH_ED25519 {
+		return
+	}
+
+	pub_wire, pub_ok := read_wire_string(transmute([]u8)priv_blob, &inner_offset)
+	if !pub_ok || len(pub_wire) != 32 {
+		return
+	}
+	mem.copy_non_overlapping(&kp.Public[0], raw_data(pub_wire), 32)
+
+	priv_wire, priv_ok := read_wire_string(transmute([]u8)priv_blob, &inner_offset)
+	if !priv_ok || len(priv_wire) != 64 {
+		return
+	}
+
+	mem.copy_non_overlapping(&kp.Private[0], raw_data(priv_wire), 32)
+
+	ok = true
+	return
+}
+
+is_ed25519_key :: proc(
+	priv_path: string,
+) -> (
+	ok: bool,
+	err: runtime.Allocator_Error,
+) #optional_allocator_error {
+	pub_path := strings.concatenate([]string{priv_path, ".pub"}, context.temp_allocator) or_return
+	_, ok = parse_ssh_public_key(pub_path)
+	return ok, nil
+}
+
+read_wire_string :: proc(data: []u8, offset: ^int) -> (s: string, ok: bool) {
+	if offset^ + 4 > len(data) {
+		return
+	}
+	length := endian.get_u32(data[offset^:offset^ + 4], .Big) or_return
+	offset^ += 4
+
+	if offset^ + int(length) > len(data) {
+		return
+	}
+
+	s = string(data[offset^:offset^ + int(length)])
+	offset^ += int(length)
+	ok = true
+	return
+}
+

ssh_test.odin

@@ -0,0 +1,66 @@
+#+test
+package main
+
+import "core:fmt"
+import "core:os"
+import "core:testing"
+
+TEST_KEY_DIR :: "fixtures" + os.Path_Separator_String + "keys"
+
+@(test)
+test_parse_ed25519_public_key :: proc(t: ^testing.T) {
+	pub, ok := parse_ssh_public_key(TEST_KEY_DIR + "/test_ed25519.pub")
+	testing.expect(t, ok, "expected ed25519 public key to parse")
+	testing.expect(t, pub != [32]u8{}, fmt.tprintf("expected non-zero public key"))
+}
+
+@(test)
+test_parse_ed25519_private_key :: proc(t: ^testing.T) {
+	kp, ok := parse_ssh_private_key(TEST_KEY_DIR + "/test_ed25519")
+	testing.expect(t, ok, "expected ed25519 private key to parse")
+	testing.expect(t, kp.Public != [32]u8{}, "expected non-zero public key")
+	testing.expect(t, kp.Private != [32]u8{}, "expected non-zero private key")
+}
+
+@(test)
+test_parse_rsa_public_key_fails :: proc(t: ^testing.T) {
+	_, ok := parse_ssh_public_key(TEST_KEY_DIR + "/test_rsa.pub")
+	testing.expect(t, !ok, "expected RSA key parsing to fail")
+}
+
+@(test)
+test_is_ed25519_key_true :: proc(t: ^testing.T) {
+	testing.expect(t, is_ed25519_key(TEST_KEY_DIR + "/test_ed25519"))
+}
+
+@(test)
+test_is_ed25519_key_false_for_rsa :: proc(t: ^testing.T) {
+	testing.expect(t, !is_ed25519_key(TEST_KEY_DIR + "/test_rsa"))
+}
+
+@(test)
+test_private_key_pub_matches_public_key :: proc(t: ^testing.T) {
+	pub_from_pub, pub_ok := parse_ssh_public_key(TEST_KEY_DIR + "/test_ed25519.pub")
+	testing.expect(t, pub_ok, "expected public key to parse")
+
+	kp, priv_ok := parse_ssh_private_key(TEST_KEY_DIR + "/test_ed25519")
+	testing.expect(t, priv_ok, "expected private key to parse")
+
+	testing.expect_value(t, pub_from_pub, kp.Public)
+}
+
+@(test)
+test_read_wire_string :: proc(t: ^testing.T) {
+	data := []u8{0, 0, 0, 5, u8('h'), u8('e'), u8('l'), u8('l'), u8('o'), 0, 0, 0, 0}
+	offset := 0
+
+	s, ok := read_wire_string(data, &offset)
+	testing.expect(t, ok, "expected read_wire_string to succeed")
+	testing.expect_value(t, s, "hello")
+	testing.expect_value(t, offset, 9)
+
+	s2, ok2 := read_wire_string(data, &offset)
+	testing.expect(t, ok2, "expected second read to succeed")
+	testing.expect_value(t, s2, "")
+}
+

table.odin

@@ -0,0 +1,75 @@
+package main
+
+import "core:fmt"
+import "core:io"
+import "core:text/table"
+
+decorations := table.Decorations {
+	"┌",
+	"┬",
+	"┐",
+	"├",
+	"┼",
+	"┤",
+	"└",
+	"┴",
+	"┘",
+	"│",
+	"─",
+}
+
+ansi_aware_width :: proc(str: string) -> int #no_bounds_check {
+	width := 0
+	for i := 0; i < len(str); {
+		if i + 1 < len(str) && str[i] == 0x1b && str[i + 1] == '[' {
+			i += 2
+			for i < len(str) {c := str[i]; i += 1; if c >= 0x40 && c <= 0x7E {break}}
+		} else {
+			width += 1
+			i += 1
+		}
+	}
+	return width
+}
+
+write_borderless_table :: proc(w: io.Writer, t: ^table.Table) {
+	table.build(t, ansi_aware_width)
+
+	write_table_separator :: proc(w: io.Writer, tbl: ^table.Table) {
+		io.write_byte(w, '\n')
+	}
+
+	if t.caption != "" {
+		table.write_text_align(
+			w,
+			fmt.tprintf("%s%s%s", COLOR_HEADINGS, t.caption, ANSI_RESET),
+			.Left,
+			0, //t.lpad,
+			0, //t.rpad,
+			t.tblw + t.nr_cols - 1 - ansi_aware_width(t.caption) - t.lpad - t.rpad,
+		)
+		io.write_byte(w, '\n')
+	}
+
+	write_table_separator(w, t)
+	for row in 0 ..< t.nr_rows {
+		for col in 0 ..< t.nr_cols {
+			table.write_table_cell(w, t, row, col)
+		}
+		io.write_byte(w, '\n')
+		if t.has_header_row && row == table.header_row(t) {
+			write_table_separator(w, t)
+		}
+	}
+	write_table_separator(w, t)
+}
+
+table_reset :: proc(t: ^table.Table) {
+	clear(&t.cells)
+	clear(&t.colw)
+	t.caption = ""
+	t.tblw = 0
+	t.nr_cols = 0
+	t.nr_rows = 0
+}
+

table_test.odin

@@ -0,0 +1,33 @@
+#+test
+
+package main
+
+import "core:testing"
+
+@(test)
+test_ansi_aware_width_plain_ascii :: proc(t: ^testing.T) {
+	testing.expect_value(t, ansi_aware_width("hello"), 5)
+}
+
+@(test)
+test_ansi_aware_width_empty :: proc(t: ^testing.T) {
+	testing.expect_value(t, ansi_aware_width(""), 0)
+}
+
+@(test)
+test_ansi_aware_width_with_color_codes :: proc(t: ^testing.T) {
+	colored := COLOR_TABLE_HEADING + "Directory" + ANSI_RESET
+	testing.expect_value(t, ansi_aware_width(colored), 9)
+}
+
+@(test)
+test_ansi_aware_width_multibyte :: proc(t: ^testing.T) {
+	testing.expect_value(t, ansi_aware_width("\u2713 Available"), 13)
+	testing.expect_value(t, ansi_aware_width("\u2717 Missing"), 11)
+}
+
+@(test)
+test_ansi_aware_width_multiple_escape_sequences :: proc(t: ^testing.T) {
+	colored := COLOR_TABLE_HEADING + "a" + ANSI_RESET + "b" + COLOR_TABLE_HEADING + "c" + ANSI_RESET
+	testing.expect_value(t, ansi_aware_width(colored), 3)
+}

version.txt

@@ -0,0 +1 @@
+0.3.0