@dotenvx/dotenvx-ops 0.40.0 → 0.42.0

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.40.0...main)
+[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.42.0...main)
+
+## [0.42.0](https://github.com/dotenvx/dotenvx-ops/compare/v0.41.0...v0.42.0) (2026-04-26)
+
+### Added
+
+* Add `armor down` ([#59](https://github.com/dotenvx/dotenvx-ops/pull/59)) 
+
+## [0.41.0](https://github.com/dotenvx/dotenvx-ops/compare/v0.40.0...v0.41.0) (2026-04-26)
+
+### Added
+
+* Add `armor up` ([#58](https://github.com/dotenvx/dotenvx-ops/pull/58))
 
 ## [0.40.0](https://github.com/dotenvx/dotenvx-ops/compare/v0.39.1...v0.40.0) (2026-04-24)
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.40.0",
+  "version": "0.42.0",
   "name": "@dotenvx/dotenvx-ops",
   "description": "Secrets for agents–from the creator of `dotenv` and `dotenvx`",
   "author": "@motdotla",

package/src/cli/actions/armor/down.js

@@ -1,14 +1,32 @@
 const { logger } = require('@dotenvx/dotenvx')
-
 const Session = require('./../../../db/session')
+const ArmorDown = require('./../../../lib/services/armorDown')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+
+async function down () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'dearmoring' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
 
-function down () {
   try {
-    const sesh = new Session()
-    sesh.notifyUpdate()
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName } = await new ArmorDown(hostname, token, devicePublicKey, options.envFile).run()
 
-    logger.success('⛨ coming soon')
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`◇ dearmored ${privateKeyName} (.env.keys)`)
+    } else {
+      logger.info(`○ no change ${privateKeyName} (.env.keys)`)
+    }
   } catch (error) {
+    if (spinner) spinner.stop()
     logger.error(error.message)
     process.exit(1)
   }

package/src/cli/actions/armor/up.js

@@ -1,14 +1,32 @@
 const { logger } = require('@dotenvx/dotenvx')
-
 const Session = require('./../../../db/session')
+const ArmorUp = require('./../../../lib/services/armorUp')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+
+async function up () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'armoring' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
 
-function up () {
   try {
-    const sesh = new Session()
-    sesh.notifyUpdate()
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName } = await new ArmorUp(hostname, token, devicePublicKey, options.envFile).run()
 
-    logger.success('⛨ coming soon')
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`◈ armored ${privateKeyName} (armored ⛨)`)
+    } else {
+      logger.info(`○ no change ${privateKeyName} (armored ⛨)`)
+    }
   } catch (error) {
+    if (spinner) spinner.stop()
     logger.error(error.message)
     process.exit(1)
   }

package/src/cli/commands/armor.js

@@ -16,14 +16,16 @@ armor
 const upAction = require('./../actions/armor/up')
 armor
   .command('up')
-  .description('harden private key')
+  .description('armor private key')
+  .option('-f, --env-file <path>', 'path to your env file')
   .action(upAction)
 
 // dotenvx-ops armor down
 const downAction = require('./../actions/armor/down')
 armor
   .command('down')
-  .description('soften private key')
+  .description('dearmor private key')
+  .option('-f, --env-file <path>', 'path to your env file')
   .action(downAction)
 
 // dotenvx-ops armor push

package/src/lib/api/postArmorDown.js

@@ -0,0 +1,45 @@
+const { http } = require('../../lib/helpers/http')
+const buildApiError = require('../../lib/helpers/buildApiError')
+const packageJson = require('../../lib/helpers/packageJson')
+const normalizeToken = require('../../lib/helpers/normalizeToken')
+
+class PostArmorDown {
+  constructor (hostname, token, devicePublicKey, publicKey) {
+    this.hostname = hostname || 'https://ops.dotenvx.com'
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.publicKey = publicKey
+  }
+
+  async run () {
+    const token = normalizeToken(this.token)
+    const devicePublicKey = this.devicePublicKey
+    const publicKey = this.publicKey
+    const url = `${this.hostname}/api/armor/down`
+
+    const body = {
+      device_public_key: devicePublicKey,
+      cli_version: packageJson.version,
+      public_key: publicKey
+    }
+
+    const resp = await http(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(body)
+    })
+
+    const json = await resp.body.json()
+
+    if (resp.statusCode >= 400) {
+      throw buildApiError(resp.statusCode, json)
+    }
+
+    return json
+  }
+}
+
+module.exports = PostArmorDown

package/src/lib/api/postArmorUp.js

@@ -0,0 +1,48 @@
+const { http } = require('../../lib/helpers/http')
+const buildApiError = require('../../lib/helpers/buildApiError')
+const packageJson = require('../../lib/helpers/packageJson')
+const normalizeToken = require('../../lib/helpers/normalizeToken')
+
+class PostArmorUp {
+  constructor (hostname, token, devicePublicKey, publicKey, privateKey) {
+    this.hostname = hostname || 'https://ops.dotenvx.com'
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.publicKey = publicKey
+    this.privateKey = privateKey
+  }
+
+  async run () {
+    const token = normalizeToken(this.token)
+    const devicePublicKey = this.devicePublicKey
+    const publicKey = this.publicKey
+    const privateKey = this.privateKey
+    const url = `${this.hostname}/api/armor/up`
+
+    const body = {
+      device_public_key: devicePublicKey,
+      cli_version: packageJson.version,
+      public_key: publicKey,
+      private_key: privateKey
+    }
+
+    const resp = await http(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(body)
+    })
+
+    const json = await resp.body.json()
+
+    if (resp.statusCode >= 400) {
+      throw buildApiError(resp.statusCode, json)
+    }
+
+    return json
+  }
+}
+
+module.exports = PostArmorUp

package/src/lib/helpers/removeEnvKey.js

@@ -0,0 +1,50 @@
+const fs = require('fs')
+const path = require('path')
+
+function escapeForRegex (value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+}
+
+function removeEnvKey (key, keysFilepath = '.env.keys') {
+  const resolvedKeysFilepath = path.resolve(keysFilepath)
+
+  if (!fs.existsSync(resolvedKeysFilepath)) {
+    return {
+      changed: false,
+      key,
+      filepath: keysFilepath
+    }
+  }
+
+  const src = fs.readFileSync(resolvedKeysFilepath, 'utf8')
+  const eol = src.includes('\r\n') ? '\r\n' : '\n'
+  const keyPattern = new RegExp(`^\\s*(?:export\\s+)?${escapeForRegex(key)}\\s*=`)
+  const envKeyPattern = /^\s*(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=/
+  const lines = src.length > 0 ? src.split(/\r?\n/) : []
+
+  while (lines.length > 0 && lines[lines.length - 1] === '') {
+    lines.pop()
+  }
+
+  const nextLines = lines.filter((line) => !keyPattern.test(line))
+  const changed = nextLines.length !== lines.length
+
+  if (changed) {
+    const hasRemainingKeys = nextLines.some((line) => envKeyPattern.test(line))
+
+    if (hasRemainingKeys) {
+      const nextSrc = `${nextLines.join(eol)}${eol}`
+      fs.writeFileSync(resolvedKeysFilepath, nextSrc, 'utf8')
+    } else {
+      fs.rmSync(resolvedKeysFilepath, { force: true })
+    }
+  }
+
+  return {
+    changed,
+    key,
+    filepath: keysFilepath
+  }
+}
+
+module.exports = removeEnvKey

package/src/lib/services/armorDown.js

@@ -0,0 +1,39 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const PostArmorDown = require('../api/postArmorDown')
+const keyNamesForEnvFile = require('../helpers/keyNamesForEnvFile')
+const upsertEnvKey = require('../helpers/upsertEnvKey')
+
+class ArmorDown {
+  constructor (hostname, token, devicePublicKey, envFile = '.env') {
+    this.hostname = hostname
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.envFile = envFile
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const devicePublicKey = this.devicePublicKey
+    const envFile = this.envFile
+
+    const {
+      publicKeyName,
+      privateKeyName
+    } = keyNamesForEnvFile(envFile)
+
+    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'] })
+    const json = await new PostArmorDown(hostname, token, devicePublicKey, publicKey).run()
+
+    upsertEnvKey(privateKeyName, json.private_key)
+
+    return {
+      ...json,
+      changed: json.changed,
+      privateKeyName,
+      privateKeyValue: json.private_key
+    }
+  }
+}
+
+module.exports = ArmorDown

package/src/lib/services/armorUp.js

@@ -0,0 +1,39 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const PostArmorUp = require('../api/postArmorUp')
+const keyNamesForEnvFile = require('../helpers/keyNamesForEnvFile')
+const removeEnvKey = require('../helpers/removeEnvKey')
+
+class ArmorUp {
+  constructor (hostname, token, devicePublicKey, envFile = '.env') {
+    this.hostname = hostname
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.envFile = envFile
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const devicePublicKey = this.devicePublicKey
+    const envFile = this.envFile
+
+    const {
+      publicKeyName,
+      privateKeyName
+    } = keyNamesForEnvFile(envFile)
+
+    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'] })
+    const privateKey = dotenvx.get(privateKeyName, { path: '.env.keys', strict: true, ignore: ['MISSING_KEY'] })
+    const json = await new PostArmorUp(hostname, token, devicePublicKey, publicKey, privateKey).run()
+    removeEnvKey(privateKeyName)
+
+    return {
+      ...json,
+      changed: json.changed,
+      privateKeyName,
+      privateKeyValue: json.private_key
+    }
+  }
+}
+
+module.exports = ArmorUp