implement only/except in diff and export

Author: jszobody

docs/guide/cli-reference.md

@@ -312,8 +312,6 @@ Combine secrets with template files to create complete configuration files.
 | `--append` | boolean | `false` | Append to output file instead of overwriting |
 | `--overwrite` | boolean | `false` | Overwrite output file without confirmation |
 | `--missing` | string | `fail` | How to handle missing secrets: `fail`, `skip`, `blank`, `remove` |
-| `--only` | string | | Only process these placeholders (comma-separated) |
-| `--except` | string | | Skip these placeholders (comma-separated) |
 
 **Arguments:**
 - `[template]` - Path to template file (required)

docs/guide/managing-secrets/cross-environment.md

@@ -118,7 +118,7 @@ keep copy DB_USERNAME --from=development --to=staging
 keep set API_URL "https://staging-api.example.com" --stage=staging
 
 # 4. Verify the promotion
-keep diff --stage=development,staging --keys-only
+keep diff --stage=development,staging
 ```
 
 ### Cross-Vault Promotion

src/Commands/DiffCommand.php

@@ -3,6 +3,7 @@
 namespace STS\Keep\Commands;
 
 use Illuminate\Support\Collection;
+use STS\Keep\Commands\Concerns\GathersInput;
 use STS\Keep\Data\Context;
 use STS\Keep\Data\SecretDiff;
 use STS\Keep\Facades\Keep;
@@ -13,10 +14,12 @@
 
 class DiffCommand extends BaseCommand
 {
+    use GathersInput;
     public $signature = 'diff 
         {--stage= : Comma-separated list of stages to compare (defaults to all configured stages)}
         {--vault= : Comma-separated list of vaults to compare (defaults to all configured vaults)}'
-        .self::UNMASK_SIGNATURE;
+        .self::UNMASK_SIGNATURE
+        .self::ONLY_EXCLUDE_SIGNATURE;
 
     public $description = 'Compare secrets across multiple stages and vaults in a matrix view';
 
@@ -34,7 +37,7 @@ public function process()
         }
 
         $diffService = new DiffService;
-        $diffs = spin(fn () => $diffService->compare($vaults, $stages), 'Gathering secrets for comparison...');
+        $diffs = spin(fn () => $diffService->compare($vaults, $stages, $this->option('only'), $this->option('except')), 'Gathering secrets for comparison...');
 
         if ($diffs->isNotEmpty()) {
             $this->displayTable($diffs, $vaults, $stages, $diffService);

src/Commands/ExportCommand.php

@@ -2,18 +2,22 @@
 
 namespace STS\Keep\Commands;
 
+use STS\Keep\Commands\Concerns\GathersInput;
 use STS\Keep\Data\Collections\SecretCollection;
 use STS\Keep\Facades\Keep;
 
 class ExportCommand extends BaseCommand
 {
+    use GathersInput;
+    
     public $signature = 'export 
         {--format=env : json|env} 
         {--output= : File where to save the output (defaults to stdout)} 
         {--overwrite : Overwrite the output file if it exists} 
         {--append : Append to the output file if it exists} 
         {--stage= : The stage to export secrets for}
-        {--vault= : The vault(s) to export from (comma-separated, defaults to all configured vaults)}';
+        {--vault= : The vault(s) to export from (comma-separated, defaults to all configured vaults)}'
+        .self::ONLY_EXCLUDE_SIGNATURE;
 
     public $description = 'Export stage secrets from vault(s)';
 
@@ -63,7 +67,10 @@ protected function loadSecretsFromVaults(array $vaultNames, string $stage): Secr
 
         foreach ($vaultNames as $vaultName) {
             $vault = Keep::vault($vaultName, $stage);
-            $vaultSecrets = $vault->list();
+            $vaultSecrets = $vault->list()->filterByPatterns(
+                only: $this->option('only'),
+                except: $this->option('except')
+            );
 
             // Merge secrets, later vaults override earlier ones for duplicate keys
             $allSecrets = $allSecrets->merge($vaultSecrets);

src/Services/DiffService.php

@@ -9,9 +9,9 @@
 
 class DiffService
 {
-    public function compare(array $vaults, array $stages): Collection
+    public function compare(array $vaults, array $stages, ?string $only = null, ?string $except = null): Collection
     {
-        $allSecrets = $this->gatherSecrets($vaults, $stages);
+        $allSecrets = $this->gatherSecrets($vaults, $stages, $only, $except);
         $allKeys = $this->extractAllKeys($allSecrets);
 
         return $allKeys->map(function (string $key) use ($allSecrets) {
@@ -46,7 +46,7 @@ public function generateSummary(Collection $diffs, array $vaults, array $stages)
         ];
     }
 
-    protected function gatherSecrets(array $vaults, array $stages): array
+    protected function gatherSecrets(array $vaults, array $stages, ?string $only = null, ?string $except = null): array
     {
         $allSecrets = [];
 
@@ -55,7 +55,8 @@ protected function gatherSecrets(array $vaults, array $stages): array
                 $vaultStageKey = "{$vaultName}.{$stage}";
 
                 try {
-                    $allSecrets[$vaultStageKey] = Keep::vault($vaultName, $stage)->list();
+                    $secrets = Keep::vault($vaultName, $stage)->list();
+                    $allSecrets[$vaultStageKey] = $secrets->filterByPatterns(only: $only, except: $except);
                 } catch (\Exception $e) {
                     // If we can't access a vault/stage combination, treat it as empty
                     $allSecrets[$vaultStageKey] = new SecretCollection([]);

tests/Feature/DiffCommandTest.php

@@ -363,6 +363,48 @@
         });
     });
 
+    describe('filtering options', function () {
+        it('accepts only option for filtering keys', function () {
+            $commandTester = runCommand('diff', [
+                '--only' => 'API_*',
+                '--stage' => 'testing',
+            ]);
+
+            $output = stripAnsi($commandTester->getDisplay());
+
+            // Should accept --only option without validation error
+            expect($output)->not->toMatch('/(invalid.*option|unknown.*option)/i');
+            expect($commandTester->getStatusCode())->toBeGreaterThanOrEqual(0);
+        });
+
+        it('accepts except option for excluding keys', function () {
+            $commandTester = runCommand('diff', [
+                '--except' => 'SECRET_*',
+                '--stage' => 'testing',
+            ]);
+
+            $output = stripAnsi($commandTester->getDisplay());
+
+            // Should accept --except option without validation error
+            expect($output)->not->toMatch('/(invalid.*option|unknown.*option)/i');
+            expect($commandTester->getStatusCode())->toBeGreaterThanOrEqual(0);
+        });
+
+        it('accepts both only and except options together', function () {
+            $commandTester = runCommand('diff', [
+                '--only' => 'API_*,DB_*',
+                '--except' => 'SECRET_*',
+                '--stage' => 'testing,production',
+            ]);
+
+            $output = stripAnsi($commandTester->getDisplay());
+
+            // Should accept both filtering options without error
+            expect($output)->not->toMatch('/(invalid.*option|unknown.*option)/i');
+            expect($commandTester->getStatusCode())->toBeGreaterThanOrEqual(0);
+        });
+    });
+
     // Tests migrated from Laravel-style tests to new architecture.
     // Focus on command structure, parameter validation, error handling, and output format
     // rather than full integration tests that depend on external AWS services and pre-populated data.

tests/Feature/ExportCommandTest.php

@@ -401,6 +401,64 @@
         });
     });
 
+    describe('filtering options', function () {
+        it('accepts only option for filtering keys', function () {
+            $commandTester = runCommand('export', [
+                '--only' => 'API_*',
+                '--stage' => 'testing',
+            ]);
+
+            $output = stripAnsi($commandTester->getDisplay());
+
+            // Should accept --only option without validation error
+            expect($output)->not->toMatch('/(invalid.*option|unknown.*option)/i');
+            expect($commandTester->getStatusCode())->toBeGreaterThanOrEqual(0);
+        });
+
+        it('accepts except option for excluding keys', function () {
+            $commandTester = runCommand('export', [
+                '--except' => 'SECRET_*',
+                '--stage' => 'testing',
+            ]);
+
+            $output = stripAnsi($commandTester->getDisplay());
+
+            // Should accept --except option without validation error
+            expect($output)->not->toMatch('/(invalid.*option|unknown.*option)/i');
+            expect($commandTester->getStatusCode())->toBeGreaterThanOrEqual(0);
+        });
+
+        it('accepts both only and except options together', function () {
+            $commandTester = runCommand('export', [
+                '--only' => 'API_*,DB_*',
+                '--except' => 'SECRET_*',
+                '--stage' => 'testing',
+                '--format' => 'json',
+            ]);
+
+            $output = stripAnsi($commandTester->getDisplay());
+
+            // Should accept both filtering options without error
+            expect($output)->not->toMatch('/(invalid.*option|unknown.*option)/i');
+            expect($commandTester->getStatusCode())->toBeGreaterThanOrEqual(0);
+        });
+
+        it('combines filtering with other options correctly', function () {
+            $commandTester = runCommand('export', [
+                '--only' => 'APP_*',
+                '--format' => 'env',
+                '--vault' => 'test',
+                '--stage' => 'testing',
+            ]);
+
+            $output = stripAnsi($commandTester->getDisplay());
+
+            // Should handle filtering with other options
+            expect($output)->not->toMatch('/(invalid.*option|unknown.*option)/i');
+            expect($commandTester->getStatusCode())->toBeGreaterThanOrEqual(0);
+        });
+    });
+
     // Tests migrated from Laravel-style tests to new architecture.
     // Focus on command structure, parameter validation, file handling, and format options
     // rather than full integration tests that depend on external AWS services and pre-populated data.