@dotenvx/dotenvx-ops 0.39.1 → 0.40.0

package/CHANGELOG.md

@@ -2,7 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.39.1...main)
+[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.40.0...main)
+
+## [0.40.0](https://github.com/dotenvx/dotenvx-ops/compare/v0.39.1...v0.40.0) (2026-04-24)
+
+### Added
+
+* Add `armor push` and `armor pull` ([#56](https://github.com/dotenvx/dotenvx-ops/pull/56))
 
 ## [0.39.1](https://github.com/dotenvx/dotenvx-ops/compare/v0.39.0...v0.39.1) (2026-04-23)
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.39.1",
+  "version": "0.40.0",
   "name": "@dotenvx/dotenvx-ops",
   "description": "Secrets for agents–from the creator of `dotenv` and `dotenvx`",
   "author": "@motdotla",

package/src/cli/actions/armor/pull.js

@@ -0,0 +1,35 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorPull = require('./../../../lib/services/armorPull')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+
+async function pull () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'pulling' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName } = await new ArmorPull(hostname, token, devicePublicKey, options.envFile).run()
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`◇ pulled ${privateKeyName} (.env.keys)`)
+    } else {
+      logger.info(`○ no change ${privateKeyName} (.env.keys)`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = pull

package/src/cli/actions/armor/push.js

@@ -0,0 +1,35 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorPush = require('./../../../lib/services/armorPush')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+
+async function push () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'pushing' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName } = await new ArmorPush(hostname, token, devicePublicKey, options.envFile).run()
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`◈ pushed ${privateKeyName} (armored ⛨)`)
+    } else {
+      logger.info(`○ no change ${privateKeyName} (armored ⛨)`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = push

package/src/cli/commands/armor.js

@@ -19,10 +19,27 @@ armor
   .description('harden private key')
   .action(upAction)
 
+// dotenvx-ops armor down
 const downAction = require('./../actions/armor/down')
 armor
   .command('down')
   .description('soften private key')
   .action(downAction)
 
+// dotenvx-ops armor push
+const pushAction = require('./../actions/armor/push')
+armor
+  .command('push')
+  .description('push armored key (from .env.keys)')
+  .option('-f, --env-file <path>', 'path to your env file')
+  .action(pushAction)
+
+// dotenvx-ops armor pull
+const pullAction = require('./../actions/armor/pull')
+armor
+  .command('pull')
+  .description('pull armored key (into .env.keys)')
+  .option('-f, --env-file <path>', 'path to your env file')
+  .action(pullAction)
+
 module.exports = armor

package/src/lib/api/postArmorPull.js

@@ -0,0 +1,45 @@
+const { http } = require('../../lib/helpers/http')
+const buildApiError = require('../../lib/helpers/buildApiError')
+const packageJson = require('../../lib/helpers/packageJson')
+const normalizeToken = require('../../lib/helpers/normalizeToken')
+
+class PostArmorPull {
+  constructor (hostname, token, devicePublicKey, publicKey) {
+    this.hostname = hostname || 'https://ops.dotenvx.com'
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.publicKey = publicKey
+  }
+
+  async run () {
+    const token = normalizeToken(this.token)
+    const devicePublicKey = this.devicePublicKey
+    const publicKey = this.publicKey
+    const url = `${this.hostname}/api/armor/pull`
+
+    const body = {
+      device_public_key: devicePublicKey,
+      cli_version: packageJson.version,
+      public_key: publicKey
+    }
+
+    const resp = await http(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(body)
+    })
+
+    const json = await resp.body.json()
+
+    if (resp.statusCode >= 400) {
+      throw buildApiError(resp.statusCode, json)
+    }
+
+    return json
+  }
+}
+
+module.exports = PostArmorPull

package/src/lib/api/postArmorPush.js

@@ -0,0 +1,45 @@
+const { http } = require('../../lib/helpers/http')
+const buildApiError = require('../../lib/helpers/buildApiError')
+const packageJson = require('../../lib/helpers/packageJson')
+const normalizeToken = require('../../lib/helpers/normalizeToken')
+
+class PostArmorPush {
+  constructor (hostname, token, devicePublicKey, privateKey) {
+    this.hostname = hostname || 'https://ops.dotenvx.com'
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.privateKey = privateKey
+  }
+
+  async run () {
+    const token = normalizeToken(this.token)
+    const devicePublicKey = this.devicePublicKey
+    const privateKey = this.privateKey
+    const url = `${this.hostname}/api/armor/push`
+
+    const body = {
+      device_public_key: devicePublicKey,
+      cli_version: packageJson.version,
+      private_key: privateKey
+    }
+
+    const resp = await http(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(body)
+    })
+
+    const json = await resp.body.json()
+
+    if (resp.statusCode >= 400) {
+      throw buildApiError(resp.statusCode, json)
+    }
+
+    return json
+  }
+}
+
+module.exports = PostArmorPush

package/src/lib/helpers/canonicalEnvFilename.js

@@ -0,0 +1,13 @@
+const path = require('path')
+
+function canonicalEnvFilename (filepath) {
+  let filename = path.basename(filepath).toLowerCase()
+
+  if (filename.startsWith('.env') && filename.endsWith('.txt')) {
+    filename = filename.slice(0, -4)
+  }
+
+  return filename
+}
+
+module.exports = canonicalEnvFilename

package/src/lib/helpers/keyNamesForEnvFile.js

@@ -0,0 +1,43 @@
+const canonicalEnvFilename = require('./canonicalEnvFilename')
+
+function environment (filepath) {
+  const filename = canonicalEnvFilename(filepath)
+
+  const parts = filename.split('.')
+  const possibleEnvironmentList = [...parts.slice(2)]
+
+  if (possibleEnvironmentList.length === 0) {
+    // handle .env1 -> development1
+    return filename.replace('.env', 'development')
+  }
+
+  if (possibleEnvironmentList.length === 1) {
+    return possibleEnvironmentList[0]
+  }
+
+  if (possibleEnvironmentList.length === 2) {
+    return possibleEnvironmentList.join('_')
+  }
+
+  return possibleEnvironmentList.slice(0, 2).join('_')
+}
+
+function keyNamesForEnvFile (filepath = '.env') {
+  const filename = canonicalEnvFilename(filepath)
+
+  if (filename === '.env') {
+    return {
+      publicKeyName: 'DOTENV_PUBLIC_KEY',
+      privateKeyName: 'DOTENV_PRIVATE_KEY'
+    }
+  }
+
+  const resolvedEnvironment = environment(filename).toUpperCase()
+
+  return {
+    publicKeyName: `DOTENV_PUBLIC_KEY_${resolvedEnvironment}`,
+    privateKeyName: `DOTENV_PRIVATE_KEY_${resolvedEnvironment}`
+  }
+}
+
+module.exports = keyNamesForEnvFile

package/src/lib/helpers/upsertEnvKey.js

@@ -0,0 +1,61 @@
+const fs = require('fs')
+const path = require('path')
+
+function escapeForRegex (value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+}
+
+function upsertEnvKey (key, value, keysFilepath = '.env.keys') {
+  const resolvedKeysFilepath = path.resolve(keysFilepath)
+  const keyValueLine = `${key}=${value}`
+  const created = !fs.existsSync(resolvedKeysFilepath)
+
+  let src = ''
+  if (!created) {
+    src = fs.readFileSync(resolvedKeysFilepath, 'utf8')
+  }
+
+  const eol = src.includes('\r\n') ? '\r\n' : '\n'
+  const keyPattern = new RegExp(`^\\s*(?:export\\s+)?${escapeForRegex(key)}\\s*=`)
+  const lines = src.length > 0 ? src.split(/\r?\n/) : []
+
+  while (lines.length > 0 && lines[lines.length - 1] === '') {
+    lines.pop()
+  }
+
+  let replaced = false
+  const nextLines = []
+
+  for (const line of lines) {
+    if (keyPattern.test(line)) {
+      if (!replaced) {
+        nextLines.push(keyValueLine)
+        replaced = true
+      }
+      continue
+    }
+
+    nextLines.push(line)
+  }
+
+  if (!replaced) {
+    nextLines.push(keyValueLine)
+  }
+
+  const nextSrc = `${nextLines.join(eol)}${eol}`
+  const changed = created || nextSrc !== src
+
+  if (changed) {
+    fs.writeFileSync(resolvedKeysFilepath, nextSrc, 'utf8')
+  }
+
+  return {
+    changed,
+    key,
+    value,
+    created,
+    filepath: keysFilepath
+  }
+}
+
+module.exports = upsertEnvKey

package/src/lib/services/armorPull.js

@@ -0,0 +1,39 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const PostArmorPull = require('../api/postArmorPull')
+const upsertEnvKey = require('../helpers/upsertEnvKey')
+const keyNamesForEnvFile = require('../helpers/keyNamesForEnvFile')
+
+class ArmorPull {
+  constructor (hostname, token, devicePublicKey, envFile = '.env') {
+    this.hostname = hostname
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.envFile = envFile
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const devicePublicKey = this.devicePublicKey
+    const envFile = this.envFile
+
+    const {
+      publicKeyName,
+      privateKeyName
+    } = keyNamesForEnvFile(envFile)
+
+    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'] })
+    const json = await new PostArmorPull(hostname, token, devicePublicKey, publicKey).run()
+
+    const result = upsertEnvKey(privateKeyName, json.private_key)
+
+    return {
+      ...json,
+      changed: result.changed,
+      privateKeyName,
+      privateKeyValue: json.private_key
+    }
+  }
+}
+
+module.exports = ArmorPull

package/src/lib/services/armorPush.js

@@ -0,0 +1,33 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const PostArmorPush = require('../api/postArmorPush')
+const keyNamesForEnvFile = require('../helpers/keyNamesForEnvFile')
+
+class ArmorPush {
+  constructor (hostname, token, devicePublicKey, envFile = '.env') {
+    this.hostname = hostname
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.envFile = envFile
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const devicePublicKey = this.devicePublicKey
+    const envFile = this.envFile
+
+    const { privateKeyName } = keyNamesForEnvFile(envFile)
+
+    const privateKey = dotenvx.get(privateKeyName, { path: '.env.keys', strict: true })
+    const json = await new PostArmorPush(hostname, token, devicePublicKey, privateKey).run()
+
+    return {
+      ...json,
+      changed: json.changed,
+      privateKeyName,
+      privateKeyValue: json.private_key
+    }
+  }
+}
+
+module.exports = ArmorPush