@elding/sdk 0.6.2 → 0.6.4

package/README.md

@@ -1,67 +1,95 @@
 # @elding/sdk
 
-Utilise tes clés API sans jamais les écrire dans ton code. Elding garde la clé
-hors de ton app : ton code manipule un placeholder, la vraie valeur est injectée
-au dernier moment et verrouillée à un seul domaine (anti-exfiltration).
+Your API keys are never in your code or in a `.env` file. Elding keeps them, your code calls the API normally, and the real key is injected at the last moment.
+
+**The same code works in dev and in prod.** You change nothing.
 
 ```bash
 npm install @elding/sdk
 ```
 
-## Pour une clé API HTTP : `configure()`
+> ⚠️ **Elding warning:** always use the **scoped** name `@elding/sdk`. `npm install elding` (without the `@elding/` scope) installs an unrelated third-party package, not Elding.
+
+## Quickstart (2 min)
+
+### 1. Sign in and choose your set
+
+```bash
+npx elding login      # opens the browser, signs you in
+npx elding init       # creates .elding.json (links this project to a set)
+```
+
+### 2. Write your code
 
-Utilise `configure()` pour **toute clé d'API HTTP** (OpenAI, Mistral, Stripe,
-Resend, etc.). Retourne de quoi faire un `fetch` normal, sans jamais exposer la clé.
+`configure()` replaces your real key. 1st argument = the secret name in Elding, 2nd = the API domain.
 
 ```ts
+import OpenAI from "openai";
 import { configure } from "@elding/sdk";
 
-// "MISTRAL_KEY" = nom du secret dans ton vault Elding.
-// 2e arg = le domaine de l'API (verrouillage anti-fuite).
-const { apiKey, baseURL } = await configure("MISTRAL_KEY", "https://api.mistral.ai");
+const openai = new OpenAI(
+  await configure("OPENAI_API_KEY", "https://api.openai.com")
+);
 
-const res = await fetch(`${baseURL}/v1/chat/completions`, {
-  method: "POST",
-  headers: { Authorization: `Bearer ${apiKey}`, "Content-Type": "application/json" },
-  body: JSON.stringify({ model: "mistral-small-latest", messages: [...] }),
-});
+// use openai normally, the real key is never in your code
 ```
 
-Important :
-- **Utilise toujours `baseURL`** dans ton `fetch`, jamais l'URL de l'API en dur.
-  En dev, `baseURL` pointe vers le proxy local qui injecte la vraie clé.
-- Mets `apiKey` dans un **header** (`Authorization`, `x-api-key`…), jamais dans l'URL.
-- `configure()` est réservé aux **API HTTP**. Pour autre chose, voir `secret()`.
+### 3. Run
 
-## Pour un secret non-HTTP : `secret()`
+```bash
+npx elding proxy -- npm run dev
+```
 
-`DATABASE_URL`, `REDIS_URL`, `JWT_SECRET`… tout ce qui n'est pas une API HTTP.
-Retourne la valeur brute. Jamais dans `process.env`, effacée de la mémoire après
-5 min (réglable via `ELDING_CACHE_TTL_MS`).
+That's it. The key **never** enters your application.
 
-```ts
-import { secret } from "@elding/sdk";
+## In production (Vercel, server, CI)
 
-const dbUrl = await secret("DATABASE_URL");
+No proxy in prod. Elding fetches the key at runtime. **You don't change your code**, you just add **2 environment variables**:
+
+```bash
+ELDING_REFRESH_TOKEN=eld_rt_...   # generate it in the dashboard → API keys
+ELDING_SET_ID=...                 # your set's id (set page)
 ```
 
-## Plusieurs secrets d'un coup : `client()`
+And... that's all. The same `configure("OPENAI_API_KEY", "https://api.openai.com")` works.
+
+> The SDK reads these 2 variables automatically. Keep these exact names (`ELDING_REFRESH_TOKEN`, `ELDING_SET_ID`) and you have **no option** to pass.
+
+### How to get the 2 keys
+
+| Variable | Where to find it |
+|---|---|
+| `ELDING_REFRESH_TOKEN` | Dashboard → **API keys** → New key (shown only once) |
+| `ELDING_SET_ID` | Open your set in the dashboard, the id is in the URL |
+
+## The 2 functions
+
+**`configure(name, domain)`** — for any **HTTP API** key (OpenAI, Mistral, Stripe, Resend…).
+You pass it directly to the provider's SDK:
 
 ```ts
-import { client } from "@elding/sdk";
+const openai = new OpenAI(await configure("OPENAI_API_KEY", "https://api.openai.com"));
+```
+
+**`secret(name)`** — for everything **else** (`DATABASE_URL`, `JWT_SECRET`, `REDIS_URL`…).
+Returns the raw value, wiped from memory after 5 min.
 
-const elding = await client();
-const dbUrl = elding.secret("DATABASE_URL");
+```ts
+import { secret } from "@elding/sdk";
+const dbUrl = await secret("DATABASE_URL");
 ```
 
-## Règle simple
+## Dev vs prod, at a glance
 
-- Clé qui part dans une **requête HTTP** → `configure(nom, "https://api.exemple.com")`.
-- N'importe quel **autre secret** → `secret(nom)`.
-- **Jamais** de clé en dur, jamais dans `process.env`, jamais dans l'URL.
+| | Dev | Prod |
+|---|---|---|
+| Command | `elding proxy -- npm run dev` | `npm run build && npm start` |
+| Mechanism | local proxy | runtime fetch |
+| To configure | `elding login` + `elding init` | `ELDING_REFRESH_TOKEN` + `ELDING_SET_ID` |
+| Your code | identical | **identical** |
 
-## Dev vs prod
+## Rules
 
-- **Dev** (`elding proxy -- npm run dev`) : la clé n'entre jamais dans ton process.
-- **Prod** (serverless) : la clé est récupérée du vault au runtime. Elle reste
-  verrouillée au domaine, surveillée, révocable en un clic.
+- **Never** hardcode a key, never in `process.env`, never in the URL.
+- A key that goes into an HTTP request → `configure(name, "https://…")`.
+- Any other secret → `secret(name)`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elding/sdk",
-  "version": "0.6.2",
+  "version": "0.6.4",
   "description": "Elding SDK — accès aux secrets depuis le code, zéro .env",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",