@dotenvx/dotenvx-vlt 0.49.0

package/LICENSE

@@ -0,0 +1,71 @@
+Dotenvx Ops End-User License Agreement (EULA)
+
+Applies to: Dotenvx Ops (CLI, SDKs, and related software)
+
+---
+
+Summary
+
+Dotenvx Ops is a commercial product. This agreement outlines your rights to use the software, and our expectations in return. It’s written to be understandable, developer-friendly, and fair.
+
+By installing, accessing, or using Dotenvx Ops, you agree to these terms.
+
+---
+
+1. License
+
+You are granted a non-exclusive, non-transferable, revocable license to use Dotenvx Ops as long as:
+- You have an active license (via paid subscription or evaluation, including time-limited free trials)
+- You do not distribute or sublicense the software
+- You do not attempt to bypass license enforcement or API restrictions
+
+---
+
+2. Use
+
+You may:
+- Use Dotenvx Ops internally for your own development or production workflows
+- Install the CLI or SDKs on machines you or your team control
+
+You may not:
+- Share the software or source with third parties
+- Offer it as a hosted service, SaaS platform, or similar product
+- Use it in a way that competes with dotenvx.com
+
+---
+
+3. Ownership
+
+All rights, title, and interest in Dotenvx Ops remain with DOTENVX LLC. You’re granted limited usage rights, not ownership.
+
+---
+
+4. Termination
+
+We may revoke your license if you:
+- Violate these terms
+- Fail to pay your subscription
+
+You must stop using the software immediately if your license is terminated.
+
+---
+
+5. Warranty Disclaimer
+
+Dotenvx Ops is provided as-is, with no guarantees that it will work for your specific use case. You assume all risk.
+
+---
+
+6. Limitation of Liability
+
+We are not liable for any indirect or consequential damages, including loss of data, downtime, or lost profits. Our total liability is limited to the amount you paid us for your license.
+
+---
+
+7. Contact
+
+Have questions? Email us at ops@dotenvx.com
+
+---
+
+© 2025 DOTENVX LLC. All rights reserved.

package/README.md

@@ -0,0 +1,11 @@
+[![dotenvx-ops](https://dotenvx.com/dotenvx-ops-banner.png?v=6)](https://dotenvx.com/ops)
+
+```
+⛨ ARMORED KEYS: Harden your private keys.
+⮕ install [curl -sfS https://dotenvx.sh/ops | sh]
+⮕ then run [dotenvx-ops login]
+```
+
+[Learn more](https://dotenvx.com/ops)
+
+ 

package/package.json

@@ -0,0 +1,77 @@
+{
+  "version": "0.49.0",
+  "name": "@dotenvx/dotenvx-vlt",
+  "description": "Secrets for agents–from the creator of `dotenv` and `dotenvx`",
+  "author": "@motdotla",
+  "keywords": [
+    "dotenv",
+    "dotenvx",
+    "ops",
+    "vlt",
+    "vault",
+    "env"
+  ],
+  "homepage": "https://dotenvx.com/ops",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/dotenvx/dotenvx-ops.git"
+  },
+  "license": "See LICENSE",
+  "files": [
+    "src/**/*",
+    "CHANGELOG.md"
+  ],
+  "main": "src/lib/main.js",
+  "exports": {
+    ".": {
+      "types": "./src/lib/main.d.ts",
+      "require": "./src/lib/main.js",
+      "default": "./src/lib/main.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "bin": {
+    "dotenvx-ops": "./src/cli/dotenvx-ops.js",
+    "dotenvx-vlt": "./src/cli/dotenvx-ops.js"
+  },
+  "scripts": {
+    "build": "node esbuild.js",
+    "build:minify": "node esbuild.js --minify",
+    "standard": "standard",
+    "standard:fix": "standard --fix",
+    "test": "tap run --allow-empty-coverage --disable-coverage --timeout=60000",
+    "test-coverage": "tap run --show-full-coverage --timeout=60000",
+    "prerelease": "npm test",
+    "release": "standard-version"
+  },
+  "dependencies": {
+    "@clack/core": "^0.4.2",
+    "@dotenvx/dotenvx": "^1.68.0",
+    "arch": "^2.1.1",
+    "commander": "^11.1.0",
+    "conf": "^10.2.0",
+    "dotenv": "^17.2.0",
+    "eciesjs": "^0.4.7",
+    "enquirer": "^2.4.1",
+    "execa": "^5.1.1",
+    "express": "^5.2.1",
+    "open": "^8.4.2",
+    "playwright": "^1.57.0",
+    "semver": "^7.7.4",
+    "systeminformation": "^5.22.11",
+    "undici": "^7.11.0",
+    "yocto-spinner": "^1.1.0"
+  },
+  "devDependencies": {
+    "@yao-pkg/pkg": "^6.14.2",
+    "capture-console": "^1.0.2",
+    "esbuild": "^0.25.8",
+    "sinon": "^14.0.1",
+    "standard": "^17.1.2",
+    "standard-version": "^9.5.0",
+    "tap": "^21.6.2"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/cli/actions/armor/down.js

@@ -0,0 +1,37 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorDown = require('./../../../lib/services/armorDown')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+const armoredKeyDisplay = require('../../../lib/helpers/armoredKeyDisplay')
+
+async function down () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'dearmoring' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName, publicKeyValue } = await new ArmorDown(hostname, token, devicePublicKey, options.envFile, options.team).run()
+    const keyDisplay = armoredKeyDisplay(publicKeyValue) || privateKeyName
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`◇ dearmored to .env.keys (${keyDisplay})`)
+    } else {
+      logger.info(`○ no change (${keyDisplay})`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = down

package/src/cli/actions/armor/move.js

@@ -0,0 +1,42 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorMove = require('./../../../lib/services/armorMove')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+const armoredKeyDisplay = require('../../../lib/helpers/armoredKeyDisplay')
+
+async function move () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'moving' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const {
+      changed,
+      privateKeyName,
+      publicKeyValue,
+      team
+    } = await new ArmorMove(hostname, token, devicePublicKey, options.envFile).run()
+    const keyDisplay = armoredKeyDisplay(publicKeyValue) || privateKeyName
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`⛨ moved to ${team} (${keyDisplay})`)
+    } else {
+      logger.info(`○ no change (${keyDisplay})`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = move

package/src/cli/actions/armor/pull.js

@@ -0,0 +1,37 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorPull = require('./../../../lib/services/armorPull')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+const armoredKeyDisplay = require('../../../lib/helpers/armoredKeyDisplay')
+
+async function pull () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'pulling' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName, publicKeyValue } = await new ArmorPull(hostname, token, devicePublicKey, options.envFile, options.team).run()
+    const keyDisplay = armoredKeyDisplay(publicKeyValue) || privateKeyName
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`◇ pulled to .env.keys (${keyDisplay})`)
+    } else {
+      logger.info(`○ no change (${keyDisplay})`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = pull

package/src/cli/actions/armor/push.js

@@ -0,0 +1,37 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorPush = require('./../../../lib/services/armorPush')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+const armoredKeyDisplay = require('../../../lib/helpers/armoredKeyDisplay')
+
+async function push () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'pushing' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName, publicKeyValue } = await new ArmorPush(hostname, token, devicePublicKey, options.envFile, options.team).run()
+    const keyDisplay = armoredKeyDisplay(publicKeyValue) || privateKeyName
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`⛨ pushed (${keyDisplay})`)
+    } else {
+      logger.info(`○ no change (${keyDisplay})`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = push

package/src/cli/actions/armor/rotate.js

@@ -0,0 +1,25 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+
+async function rotate () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'rotating' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+
+  try {
+    if (spinner) spinner.stop()
+
+    logger.info('◇ coming soon')
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = rotate

package/src/cli/actions/armor/up.js

@@ -0,0 +1,37 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../../db/session')
+const ArmorUp = require('./../../../lib/services/armorUp')
+const createSpinner = require('../../../lib/helpers/createSpinner2')
+const armoredKeyDisplay = require('../../../lib/helpers/armoredKeyDisplay')
+
+async function up () {
+  const options = this.opts()
+  const spinner = await createSpinner({ ...options, text: 'armoring' })
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const { changed, privateKeyName, publicKeyValue } = await new ArmorUp(hostname, token, devicePublicKey, options.envFile, options.team).run()
+    const keyDisplay = armoredKeyDisplay(publicKeyValue) || privateKeyName
+
+    if (spinner) spinner.stop()
+    if (changed) {
+      logger.success(`⛨ armored (${keyDisplay})`)
+    } else {
+      logger.info(`○ no change (${keyDisplay})`)
+    }
+  } catch (error) {
+    if (spinner) spinner.stop()
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = up

package/src/cli/actions/backup.js

@@ -0,0 +1,93 @@
+const fs = require('fs')
+
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../db/session')
+
+const { createSpinner } = require('./../../lib/helpers/createSpinner')
+const clipboardy = require('./../../lib/helpers/clipboardy')
+const confirm = require('./../../lib/helpers/confirm')
+const formatCode = require('./../../lib/helpers/formatCode')
+const truncate = require('./../../lib/helpers/truncate')
+const openUrl = require('./../../lib/helpers/openUrl')
+
+const LoggedIn = require('./../../lib/services/loggedIn')
+const Login = require('./../../lib/services/login')
+const LoginPoll = require('./../../lib/services/loginPoll')
+const Backup = require('./../../lib/services/backup')
+
+const spinner = createSpinner('waiting on browser authorization')
+
+async function backup () {
+  const options = this.opts()
+
+  const sesh = new Session()
+  const hostname = options.hostname || sesh.hostname()
+
+  try {
+    logger.debug(`options: ${JSON.stringify(options)}`)
+
+    const loggedIn = await new LoggedIn(hostname).run()
+    if (!loggedIn) {
+      const {
+        deviceCode,
+        userCode,
+        verificationUri,
+        verificationUriComplete,
+        interval
+      } = await new Login(hostname).run()
+
+      try { clipboardy.writeSync(userCode) } catch (_e) {}
+
+      logger.debug(`POST ${hostname} with deviceCode ${deviceCode} at interval ${interval}`)
+      logger.info(`press Enter to open [${verificationUri}] and enter code [${formatCode(userCode)}]...`)
+
+      // begin polling
+      const pollPromise = new LoginPoll(hostname, deviceCode, interval).run()
+      spinner.start()
+
+      // optionally allow user to open browser
+      confirm({ message: `press Enter to open [${verificationUri}] and enter code [${formatCode(userCode)}]...` })
+        .then(answer => answer && openUrl(verificationUriComplete))
+        .catch(() => {}) // ignore
+
+      const data = await pollPromise
+      spinner.succeed(`logged in [${data.username}] to this device and activated token [${truncate(data.access_token, 11)}]`)
+    }
+
+    spinner.start('backing up')
+
+    const {
+      projectUsernameName,
+      projectEnvXSrc,
+      projectEnvXFileNeedsWrite
+    } = await new Backup(hostname, options.org).run()
+
+    // write .env.x
+    if (projectEnvXFileNeedsWrite) {
+      logger.debug('writing .env.x')
+      fs.writeFileSync('.env.x', projectEnvXSrc, 'utf8')
+    }
+
+    spinner.stop()
+
+    logger.success(`✔ backed up [${projectUsernameName}]`)
+    logger.help('⮕ next run [dotenvx-ops open] to view')
+  } catch (error) {
+    spinner.stop()
+    if (error.message) {
+      logger.error(error.message)
+    } else {
+      logger.error(error)
+    }
+    if (error.help) {
+      logger.help(error.help)
+    }
+    if (error.stack) {
+      logger.debug(error.stack)
+    }
+
+    process.exit(1)
+  }
+}
+
+module.exports = backup

package/src/cli/actions/gateway/start.js

@@ -0,0 +1,17 @@
+const { logger } = require('@dotenvx/dotenvx')
+
+const GatewayStart = require('./../../../lib/services/gatewayStart')
+
+async function start () {
+  try {
+    const options = this.opts()
+    logger.debug(`options: ${JSON.stringify(options)}`)
+
+    await new GatewayStart({ port: options.port, hostname: options.hostname }).run()
+  } catch (error) {
+    logger.error(error.message)
+    process.exit(1)
+  }
+}
+
+module.exports = start

package/src/cli/actions/get.js

@@ -0,0 +1,34 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../db/session')
+
+const main = require('./../../lib/main')
+
+async function get (uri) {
+  // debug opts
+  const options = this.opts()
+  logger.debug(`options: ${JSON.stringify(options)}`)
+
+  const sesh = new Session()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token
+
+  try {
+    const value = await main.get(uri, { hostname, token })
+    console.log(value)
+  } catch (error) {
+    if (error.message) {
+      logger.error(error.message)
+    } else {
+      logger.error(error)
+    }
+    if (error.help) {
+      logger.help(error.help)
+    }
+    if (error.stack) {
+      logger.debug(error.stack)
+    }
+    process.exit(1)
+  }
+}
+
+module.exports = get

package/src/cli/actions/keypair.js

@@ -0,0 +1,59 @@
+const { logger } = require('@dotenvx/dotenvx')
+const Session = require('./../../db/session')
+const createSpinner = require('../../lib/helpers/createSpinner2')
+const Keypair = require('../../lib/services/keypair')
+
+function printKeypair (json, options) {
+  const output = {
+    public_key: json.public_key,
+    private_key: json.private_key
+  }
+
+  let space = 0
+  if (options.prettyPrint) {
+    space = 2
+  }
+
+  console.log(JSON.stringify(output, null, space))
+}
+
+async function keypair (publicKey) {
+  // debug opts
+  const options = this.opts()
+
+  logger.debug(`options: ${JSON.stringify(options)}`)
+  if (publicKey) {
+    logger.debug(`publicKey: ${publicKey}`)
+  }
+
+  const spinner = await createSpinner({ ...options, text: 'retrieving' })
+  const sesh = new Session()
+  await sesh.notifyUpdate()
+  const hostname = options.hostname || sesh.hostname()
+  const token = options.token || sesh.token()
+  try {
+    const devicePublicKey = sesh.devicePublicKey()
+
+    const args = [hostname, token, devicePublicKey, publicKey, options.team]
+    if (options.envFile !== undefined) {
+      args.push(options.envFile)
+    }
+    const json = await new Keypair(...args).run()
+
+    if (spinner) spinner.stop()
+    printKeypair(json, options)
+  } catch (error) {
+    if (spinner) spinner.stop()
+    if (error.message) {
+      logger.error(error.message)
+    } else {
+      logger.error(error)
+    }
+    if (error.stack) {
+      logger.debug(error.stack)
+    }
+    process.exit(1)
+  }
+}
+
+module.exports = keypair