@dotenvx/dotenvx-ops 0.42.0 → 0.43.0

package/CHANGELOG.md

@@ -2,7 +2,19 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
-[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.42.0...main)
+[Unreleased](https://github.com/dotenvx/dotenvx-ops/compare/v0.43.0...main)
+
+## [0.43.0](https://github.com/dotenvx/dotenvx-ops/compare/v0.42.1...v0.43.0) (2026-05-06)
+
+### Added
+
+* Add `armor move` for moving keys between teams ([#64](https://github.com/dotenvx/dotenvx-ops/pull/64))
+
+## [0.42.1](https://github.com/dotenvx/dotenvx-ops/compare/v0.42.0...v0.42.1) (2026-04-26)
+
+### Changed
+
+* Patch `.get` ([#60](https://github.com/dotenvx/dotenvx-ops/pull/60))
 
 ## [0.42.0](https://github.com/dotenvx/dotenvx-ops/compare/v0.41.0...v0.42.0) (2026-04-26)
 

package/package.json

@@ -1,5 +1,5 @@
 {
-  "version": "0.42.0",
+  "version": "0.43.0",
   "name": "@dotenvx/dotenvx-ops",
   "description": "Secrets for agents–from the creator of `dotenv` and `dotenvx`",
   "author": "@motdotla",

package/src/cli/actions/armor/move.js

@@ -0,0 +1,39 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorMove = require('./../../../lib/services/armorMove')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+
+async function move () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'moving' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const {
+      changed,
+      privateKeyName,
+      team
+    } = await new ArmorMove(hostname, token, devicePublicKey, options.envFile).run()
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`◈ moved ${privateKeyName} (${team})`)
+    } else {
+      logger.info(`○ no change ${privateKeyName} (${team})`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = move

package/src/cli/actions/armor/rotate.js

@@ -0,0 +1,25 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+
+async function rotate () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'rotating' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+
+  try {
+    if (spinner) spinner.stop()
+
+    logger.info('◇ coming soon')
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = rotate

package/src/cli/actions/backup.js

@@ -18,7 +18,6 @@ const Backup = require('./../../lib/services/backup')
 const spinner = createSpinner('waiting on browser authorization')
 
 async function backup () {
-  // debug opts
   const options = this.opts()
 
   const sesh = new Session()

package/src/cli/commands/armor.js

@@ -44,4 +44,20 @@ armor
   .option('-f, --env-file <path>', 'path to your env file')
   .action(pullAction)
 
+// dotenvx-ops armor rotate
+const rotateAction = require('./../actions/armor/rotate')
+armor
+  .command('rotate')
+  .description('rotate armored key and re-encrypt .env file')
+  .option('-f, --env-file <path>', 'path to your env file')
+  .action(rotateAction)
+
+// dotenvx-ops armor move
+const moveAction = require('./../actions/armor/move')
+armor
+  .command('move')
+  .description('move armored key (to other team)')
+  .option('-f, --env-file <path>', 'path to your env file')
+  .action(moveAction)
+
 module.exports = armor

package/src/lib/api/postArmorMove.js

@@ -0,0 +1,48 @@
+const { http } = require('../../lib/helpers/http')
+const buildApiError = require('../../lib/helpers/buildApiError')
+const packageJson = require('../../lib/helpers/packageJson')
+const normalizeToken = require('../../lib/helpers/normalizeToken')
+
+class PostArmorMove {
+  constructor (hostname, token, devicePublicKey, publicKey, team) {
+    this.hostname = hostname || 'https://ops.dotenvx.com'
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.publicKey = publicKey
+    this.team = team
+  }
+
+  async run () {
+    const token = normalizeToken(this.token)
+    const devicePublicKey = this.devicePublicKey
+    const publicKey = this.publicKey
+    const team = this.team
+    const url = `${this.hostname}/api/armor/move`
+
+    const body = {
+      device_public_key: devicePublicKey,
+      cli_version: packageJson.version,
+      public_key: publicKey,
+      team
+    }
+
+    const resp = await http(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${token}`,
+        'Content-Type': 'application/json'
+      },
+      body: JSON.stringify(body)
+    })
+
+    const json = await resp.body.json()
+
+    if (resp.statusCode >= 400) {
+      throw buildApiError(resp.statusCode, json)
+    }
+
+    return json
+  }
+}
+
+module.exports = PostArmorMove

package/src/lib/services/armorDown.js

@@ -22,7 +22,7 @@ class ArmorDown {
       privateKeyName
     } = keyNamesForEnvFile(envFile)
 
-    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'] })
+    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'], noOps: true })
     const json = await new PostArmorDown(hostname, token, devicePublicKey, publicKey).run()
 
     upsertEnvKey(privateKeyName, json.private_key)

package/src/lib/services/armorMove.js

@@ -0,0 +1,50 @@
+const dotenvx = require('@dotenvx/dotenvx')
+const prompts = require('@inquirer/prompts')
+const PostArmorMove = require('../api/postArmorMove')
+const GetAccount = require('../api/getAccount')
+const keyNamesForEnvFile = require('../helpers/keyNamesForEnvFile')
+
+class ArmorMove {
+  constructor (hostname, token, devicePublicKey, envFile = '.env') {
+    this.hostname = hostname
+    this.token = token
+    this.devicePublicKey = devicePublicKey
+    this.envFile = envFile
+
+    this.team = null // implement
+  }
+
+  async run () {
+    const hostname = this.hostname
+    const token = this.token
+    const devicePublicKey = this.devicePublicKey
+    const envFile = this.envFile
+    let team = this.team
+
+    const {
+      publicKeyName,
+      privateKeyName
+    } = keyNamesForEnvFile(envFile)
+    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'], noOps: true })
+
+    const accountJson = await new GetAccount(hostname, token).run()
+    const choices = accountJson.organizations.map(o => ({
+      name: o.provider_slug,
+      value: o.provider_slug
+    }))
+    team = await prompts.select({
+      message: 'Select team',
+      choices
+    })
+
+    const json = await new PostArmorMove(hostname, token, devicePublicKey, publicKey, team).run()
+
+    return {
+      ...json,
+      privateKeyName,
+      privateKeyValue: json.private_key
+    }
+  }
+}
+
+module.exports = ArmorMove

package/src/lib/services/armorPull.js

@@ -22,7 +22,7 @@ class ArmorPull {
       privateKeyName
     } = keyNamesForEnvFile(envFile)
 
-    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'] })
+    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'], noOps: true })
     const json = await new PostArmorPull(hostname, token, devicePublicKey, publicKey).run()
 
     const result = upsertEnvKey(privateKeyName, json.private_key)

package/src/lib/services/armorPush.js

@@ -18,7 +18,7 @@ class ArmorPush {
 
     const { privateKeyName } = keyNamesForEnvFile(envFile)
 
-    const privateKey = dotenvx.get(privateKeyName, { path: '.env.keys', strict: true })
+    const privateKey = dotenvx.get(privateKeyName, { path: '.env.keys', strict: true, noOps: true })
     const json = await new PostArmorPush(hostname, token, devicePublicKey, privateKey).run()
 
     return {

package/src/lib/services/armorUp.js

@@ -22,8 +22,8 @@ class ArmorUp {
       privateKeyName
     } = keyNamesForEnvFile(envFile)
 
-    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'] })
-    const privateKey = dotenvx.get(privateKeyName, { path: '.env.keys', strict: true, ignore: ['MISSING_KEY'] })
+    const publicKey = dotenvx.get(publicKeyName, { path: envFile, strict: true, ignore: ['MISSING_PRIVATE_KEY'], noOps: true })
+    const privateKey = dotenvx.get(privateKeyName, { path: '.env.keys', strict: true, ignore: ['MISSING_KEY'], noOps: true })
     const json = await new PostArmorUp(hostname, token, devicePublicKey, publicKey, privateKey).run()
     removeEnvKey(privateKeyName)