@dotenvx/dotenvx-ops 0.39.0 → 0.40.0

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.39.0...main)
+[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.40.0...main)
+
+## [0.40.0](https://github.com/dotenvx/dotenvx-ops/compare/v0.39.1...v0.40.0) (2026-04-24)
+
+### Added
+
+* Add `armor push` and `armor pull` ([#56](https://github.com/dotenvx/dotenvx-ops/pull/56))
+
+## [0.39.1](https://github.com/dotenvx/dotenvx-ops/compare/v0.39.0...v0.39.1) (2026-04-23)
+
+### Added
+
+* Display install command with update notification ([#54](https://github.com/dotenvx/dotenvx-ops/pull/54))
 
 ## [0.39.0](https://github.com/dotenvx/dotenvx-ops/compare/v0.38.3...v0.39.0) (2026-04-23)
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.39.0",
+  "version": "0.40.0",
   "name": "@dotenvx/dotenvx-ops",
   "description": "Secrets for agents–from the creator of `dotenv` and `dotenvx`",
   "author": "@motdotla",

package/src/cli/actions/armor/pull.js

@@ -0,0 +1,35 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorPull = require('./../../../lib/services/armorPull')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+
+async function pull () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'pulling' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName } = await new ArmorPull(hostname, token, devicePublicKey, options.envFile).run()
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`◇ pulled ${privateKeyName} (.env.keys)`)
+    } else {
+      logger.info(`○ no change ${privateKeyName} (.env.keys)`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = pull

package/src/cli/actions/armor/push.js

@@ -0,0 +1,35 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorPush = require('./../../../lib/services/armorPush')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+
+async function push () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'pushing' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName } = await new ArmorPush(hostname, token, devicePublicKey, options.envFile).run()
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`◈ pushed ${privateKeyName} (armored ⛨)`)
+    } else {
+      logger.info(`○ no change ${privateKeyName} (armored ⛨)`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = push

package/src/cli/commands/armor.js

@@ -1,10 +1,16 @@
 const { Command } = require('commander')
+const Session = require('./../../db/session')
 
 const armor = new Command('armor')
 
 armor
   .description('ARMORED KEYS ⛨')
   .allowUnknownOption()
+  .action(async function () {
+    const sesh = new Session()
+    await sesh.notifyUpdate()
+    this.help()
+  })
 
 // dotenvx-ops armor up
 const upAction = require('./../actions/armor/up')
@@ -13,10 +19,27 @@ armor
   .description('harden private key')
   .action(upAction)
 
+// dotenvx-ops armor down
 const downAction = require('./../actions/armor/down')
 armor
   .command('down')
   .description('soften private key')
   .action(downAction)
 
+// dotenvx-ops armor push
+const pushAction = require('./../actions/armor/push')
+armor
+  .command('push')
+  .description('push armored key (from .env.keys)')
+  .option('-f, --env-file <path>', 'path to your env file')
+  .action(pushAction)
+
+// dotenvx-ops armor pull
+const pullAction = require('./../actions/armor/pull')
+armor
+  .command('pull')
+  .description('pull armored key (into .env.keys)')
+  .option('-f, --env-file <path>', 'path to your env file')
+  .action(pullAction)
+
 module.exports = armor

package/src/cli/dotenvx-ops.js

@@ -7,6 +7,7 @@ const program = new Command()
 const { setLogLevel } = require('@dotenvx/dotenvx')
 
 const packageJson = require('./../lib/helpers/packageJson')
+const Session = require('./../db/session')
 const argv = process.argv.slice(2)
 const firstArg = argv[0]
 
@@ -150,4 +151,10 @@ program.helpInformation = function () {
 }
 
 /* c8 ignore stop */
-program.parse(process.argv)
+program.action(async function () {
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  this.help()
+})
+
+program.parseAsync(process.argv)

package/src/db/session.js

@@ -6,6 +6,7 @@ const { logger } = require('@dotenvx/dotenvx')
 
 const Device = require('./device')
 const jsonToEnv = require('./../lib/helpers/jsonToEnv')
+const likelyUpdateCommand = require('./../lib/helpers/likelyUpdateCommand')
 const packageJson = require('./../lib/helpers/packageJson')
 const GetVersion = require('./../lib/api/getVersion')
 
@@ -85,6 +86,8 @@ class Session {
   //
   async notifyUpdate () {
     try {
+      logger.debug('checking if update available')
+
       const lastCheck = Number(this.store.get('DOTENVX_OPS_VERSION_LAST_CHECK') || 0)
       const now = Date.now()
 
@@ -94,7 +97,10 @@ class Session {
         let remote = local // in case of http fetch error
 
         try {
+          logger.debug('fetching latest available version')
           const VERSION = await new GetVersion().run()
+          logger.debug(`latest version: ${VERSION}`)
+
           remote = VERSION
           this.store.set('DOTENVX_OPS_VERSION', VERSION) // remote version
         } catch (err) {
@@ -106,7 +112,7 @@ class Session {
 
         if (semver.gt(remote, local)) {
           const diff = semver.diff(local, remote)
-          console.error(`⛆ update available (${diff})`)
+          console.error(`⛆ update available (${diff}) [${likelyUpdateCommand()}]`)
         }
       }
     } catch (err) {

package/src/lib/api/postArmorPull.js

@@ -0,0 +1,45 @@
+const { http } = require('../../lib/helpers/http')
+const buildApiError = require('../../lib/helpers/buildApiError')
+const packageJson = require('../../lib/helpers/packageJson')
+const normalizeToken = require('../../lib/helpers/normalizeToken')
+
+class PostArmorPull {
+  constructor (hostname, token, devicePublicKey, publicKey) {
+    this.hostname = hostname || 'https://ops.dotenvx.com'
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.publicKey = publicKey
+  }
+
+  async run () {
+    const token = normalizeToken(this.token)
+    const devicePublicKey = this.devicePublicKey
+    const publicKey = this.publicKey
+    const url = `${this.hostname}/api/armor/pull`
+
+    const body = {
+      device_public_key: devicePublicKey,
+      cli_version: packageJson.version,
+      public_key: publicKey
+    }
+
+    const resp = await http(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(body)
+    })
+
+    const json = await resp.body.json()
+
+    if (resp.statusCode >= 400) {
+      throw buildApiError(resp.statusCode, json)
+    }
+
+    return json
+  }
+}
+
+module.exports = PostArmorPull

package/src/lib/api/postArmorPush.js

@@ -0,0 +1,45 @@
+const { http } = require('../../lib/helpers/http')
+const buildApiError = require('../../lib/helpers/buildApiError')
+const packageJson = require('../../lib/helpers/packageJson')
+const normalizeToken = require('../../lib/helpers/normalizeToken')
+
+class PostArmorPush {
+  constructor (hostname, token, devicePublicKey, privateKey) {
+    this.hostname = hostname || 'https://ops.dotenvx.com'
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.privateKey = privateKey
+  }
+
+  async run () {
+    const token = normalizeToken(this.token)
+    const devicePublicKey = this.devicePublicKey
+    const privateKey = this.privateKey
+    const url = `${this.hostname}/api/armor/push`
+
+    const body = {
+      device_public_key: devicePublicKey,
+      cli_version: packageJson.version,
+      private_key: privateKey
+    }
+
+    const resp = await http(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(body)
+    })
+
+    const json = await resp.body.json()
+
+    if (resp.statusCode >= 400) {
+      throw buildApiError(resp.statusCode, json)
+    }
+
+    return json
+  }
+}
+
+module.exports = PostArmorPush

package/src/lib/helpers/canonicalEnvFilename.js

@@ -0,0 +1,13 @@
+const path = require('path')
+
+function canonicalEnvFilename (filepath) {
+  let filename = path.basename(filepath).toLowerCase()
+
+  if (filename.startsWith('.env') && filename.endsWith('.txt')) {
+    filename = filename.slice(0, -4)
+  }
+
+  return filename
+}
+
+module.exports = canonicalEnvFilename

package/src/lib/helpers/keyNamesForEnvFile.js

@@ -0,0 +1,43 @@
+const canonicalEnvFilename = require('./canonicalEnvFilename')
+
+function environment (filepath) {
+  const filename = canonicalEnvFilename(filepath)
+
+  const parts = filename.split('.')
+  const possibleEnvironmentList = [...parts.slice(2)]
+
+  if (possibleEnvironmentList.length === 0) {
+    // handle .env1 -> development1
+    return filename.replace('.env', 'development')
+  }
+
+  if (possibleEnvironmentList.length === 1) {
+    return possibleEnvironmentList[0]
+  }
+
+  if (possibleEnvironmentList.length === 2) {
+    return possibleEnvironmentList.join('_')
+  }
+
+  return possibleEnvironmentList.slice(0, 2).join('_')
+}
+
+function keyNamesForEnvFile (filepath = '.env') {
+  const filename = canonicalEnvFilename(filepath)
+
+  if (filename === '.env') {
+    return {
+      publicKeyName: 'DOTENV_PUBLIC_KEY',
+      privateKeyName: 'DOTENV_PRIVATE_KEY'
+    }
+  }
+
+  const resolvedEnvironment = environment(filename).toUpperCase()
+
+  return {
+    publicKeyName: `DOTENV_PUBLIC_KEY_${resolvedEnvironment}`,
+    privateKeyName: `DOTENV_PRIVATE_KEY_${resolvedEnvironment}`
+  }
+}
+
+module.exports = keyNamesForEnvFile

package/src/lib/helpers/likelyUpdateCommand.js

@@ -0,0 +1,33 @@
+const normalizePath = require('./normalizePath')
+const safeRealpath = require('./safeRealpath')
+
+const NPM_COMMAND = 'npm i @dotenvx/dotenvx-ops'
+const CURL_COMMAND = 'curl -sfS https://dotenvx.sh/ops | sh'
+
+function likelyUpdateCommand () {
+  const isPackaged = Boolean(process.pkg)
+  const executablePath = isPackaged ? process.execPath : (process.argv[1] || process.execPath)
+  const resolvedExecutablePath = safeRealpath(executablePath)
+  const normalizedPath = normalizePath(resolvedExecutablePath || executablePath || '')
+
+  if (
+    normalizedPath.includes('/node_modules/@dotenvx/dotenvx-ops/') ||
+    normalizedPath.includes('/node_modules/.bin/dotenvx-ops')
+  ) {
+    return NPM_COMMAND
+  }
+
+  if (
+    isPackaged ||
+    normalizedPath.endsWith('/usr/local/bin/dotenvx-ops') ||
+    normalizedPath.endsWith('/opt/homebrew/bin/dotenvx-ops') ||
+    normalizedPath.endsWith('/usr/bin/dotenvx-ops') ||
+    normalizedPath.endsWith('/bin/dotenvx-ops')
+  ) {
+    return CURL_COMMAND
+  }
+
+  return NPM_COMMAND
+}
+
+module.exports = likelyUpdateCommand

package/src/lib/helpers/normalizePath.js

@@ -0,0 +1,5 @@
+function normalizePath (value) {
+  return String(value || '').replace(/\\/g, '/').toLowerCase()
+}
+
+module.exports = normalizePath

package/src/lib/helpers/safeRealpath.js

@@ -0,0 +1,13 @@
+const fs = require('fs')
+
+function safeRealpath (filePath) {
+  if (!filePath) return filePath
+
+  try {
+    return fs.realpathSync(filePath)
+  } catch (e) {
+    return filePath
+  }
+}
+
+module.exports = safeRealpath

package/src/lib/helpers/upsertEnvKey.js

@@ -0,0 +1,61 @@
+const fs = require('fs')
+const path = require('path')
+
+function escapeForRegex (value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+}
+
+function upsertEnvKey (key, value, keysFilepath = '.env.keys') {
+  const resolvedKeysFilepath = path.resolve(keysFilepath)
+  const keyValueLine = `${key}=${value}`
+  const created = !fs.existsSync(resolvedKeysFilepath)
+
+  let src = ''
+  if (!created) {
+    src = fs.readFileSync(resolvedKeysFilepath, 'utf8')
+  }
+
+  const eol = src.includes('\r\n') ? '\r\n' : '\n'
+  const keyPattern = new RegExp(`^\\s*(?:export\\s+)?${escapeForRegex(key)}\\s*=`)
+  const lines = src.length > 0 ? src.split(/\r?\n/) : []
+
+  while (lines.length > 0 && lines[lines.length - 1] === '') {
+    lines.pop()
+  }
+
+  let replaced = false
+  const nextLines = []
+
+  for (const line of lines) {
+    if (keyPattern.test(line)) {
+      if (!replaced) {
+        nextLines.push(keyValueLine)
+        replaced = true
+      }
+      continue
+    }
+
+    nextLines.push(line)
+  }
+
+  if (!replaced) {
+    nextLines.push(keyValueLine)
+  }
+
+  const nextSrc = `${nextLines.join(eol)}${eol}`
+  const changed = created || nextSrc !== src
+
+  if (changed) {
+    fs.writeFileSync(resolvedKeysFilepath, nextSrc, 'utf8')
+  }
+
+  return {
+    changed,
+    key,
+    value,
+    created,
+    filepath: keysFilepath
+  }
+}
+
+module.exports = upsertEnvKey

package/src/lib/services/armorPull.js

@@ -0,0 +1,39 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const PostArmorPull = require('../api/postArmorPull')
+const upsertEnvKey = require('../helpers/upsertEnvKey')
+const keyNamesForEnvFile = require('../helpers/keyNamesForEnvFile')
+
+class ArmorPull {
+  constructor (hostname, token, devicePublicKey, envFile = '.env') {
+    this.hostname = hostname
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.envFile = envFile
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const devicePublicKey = this.devicePublicKey
+    const envFile = this.envFile
+
+    const {
+      publicKeyName,
+      privateKeyName
+    } = keyNamesForEnvFile(envFile)
+
+    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'] })
+    const json = await new PostArmorPull(hostname, token, devicePublicKey, publicKey).run()
+
+    const result = upsertEnvKey(privateKeyName, json.private_key)
+
+    return {
+      ...json,
+      changed: result.changed,
+      privateKeyName,
+      privateKeyValue: json.private_key
+    }
+  }
+}
+
+module.exports = ArmorPull

package/src/lib/services/armorPush.js

@@ -0,0 +1,33 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const PostArmorPush = require('../api/postArmorPush')
+const keyNamesForEnvFile = require('../helpers/keyNamesForEnvFile')
+
+class ArmorPush {
+  constructor (hostname, token, devicePublicKey, envFile = '.env') {
+    this.hostname = hostname
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.envFile = envFile
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const devicePublicKey = this.devicePublicKey
+    const envFile = this.envFile
+
+    const { privateKeyName } = keyNamesForEnvFile(envFile)
+
+    const privateKey = dotenvx.get(privateKeyName, { path: '.env.keys', strict: true })
+    const json = await new PostArmorPush(hostname, token, devicePublicKey, privateKey).run()
+
+    return {
+      ...json,
+      changed: json.changed,
+      privateKeyName,
+      privateKeyValue: json.private_key
+    }
+  }
+}
+
+module.exports = ArmorPush